
Research Unveils Improved Method To Let Computers Know You Are Human

Posted by Unknown Lamer
from the until-computers-improve dept.
An anonymous reader writes: CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple of research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."

  • And then never have to do it again?

    • That's a good idea, I'd really like to see if this AC guy is human. Maybe there's a way for him/her to prove it.....
    • by oodaloop (1229816)
      Brilliant! Then the next time you log in, you just have to prove you're the same human from last time! Wow, that's so much easier!
  • by Anonymous Coward

    Not hard for Indonesians paid pennies a day.

  • to solve a reverse Turing test. Totally new idea.
  • by boondaburrah (1748490) on Tuesday August 19, 2014 @12:44AM (#47700937)
    Man, if these start showing up, they're going to look exactly like those "hit the target 3 times to win" flash-based advertisements. I'll probably glaze over them multiple times trying to submit a form before I notice that a 'completing the game' captcha is what's preventing me from leaving my incredible razor wit splattered all over someone's comments section.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You just wait. They'll start putting advertisements in the captchas.

      They'll soon figure out it's more profitable to make you find the $(NameBrand) ship and drag it from the $(NewProduct) port to the $(TownNearYou) port.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        You just wait. They'll start putting advertisements in the captchas.

        So that's why my last one said "be sure to drink your ovaltine."

      • That's already a thing though, they make you watch an ad and some words pop up and that's the captcha.. it's awful.
      • Apparently you don't use many free file download sites, sticking the CAPTCHAs or human-proving codes inside ads of various types has been a thing for a while now.
  • by Anonymous Coward

    Looks like this is based on a fixed set of games and images. Just teach the bot all of them, and you are done. If this is self contained software I can install on my site, all the info you need to feed the bot is already packaged up in the source.

    For things like this to defeat bots they have to rely on hard to invert functions, like rendering randomly warped things. Picking a few items from a lookup table is easily inverted by a bot.

    Resisting replay attacks is cute, but it can't resist basic forwarding atta

    • by FyRE666 (263011)

      Something that has to be interacted with, through a view controlled by Javascript will not be trivial for a bot to solve. I know the typical response to this is "well I don't enable Javascript!!!" but these voices are now a tiny minority of users, who doubtless have all sorts of problems using the web now. Disabling JS in a browser is like disabling Excel's ability to automatically perform calculations on cells.

      For deaf users, the choice could be from a number of sounds - maybe with filters added to prevent

  • by Anubis IV (1279820) on Tuesday August 19, 2014 @12:59AM (#47700989)

    The nice thing about current text-based CAPTCHAs is that they can be applied to any website, whether large or small, and require very little input or tinkering from individual web administrators. The other nice thing about this is that they have an infinite number of possible variations, what with the different ways you can transform text.

    This new idea would work great for a small site that will never be a target of a directed attack, but we already have hundreds of different CAPTCHA variations that can be used for that sort of thing. I use a simpler but similar idea on one of my sites, where I have new registrants drag words into matching categories that I set up. I've had zero bot registrations since I set it up a few years back, and a number of comments from actual users that love the system.

    But if you apply something like what I use or this new idea to a site like Google, the folks trying to break in will inevitably code up algorithms to handle each of the finite number of minigames they set up with their finite number of items in them, rendering the whole thing pretty useless. The only way to get infinite variation out of it is to start applying image transformation to the items being used so that they can't be as easily identified, and if you start doing that, you're right back where we are now.

    • by jxander (2605655)

      So, you're telling me that we can get the spammers to program better AI for us?

      • by Anonymous Coward

        So, you're telling me that we can get the spammers to program better AI for us?

        That will be their undoing. When the spammers create an AI good enough to solve any human-solvable captcha, then the AI is smart enough to tell spam from non-spam. So we'll use their AI as a forum moderator. Anyone can post, the spam will just not be seen.

        To help with this, let's make a captcha that asks the user "is this message spam?" With an ever-growing database of spam and nonspam. As soon as the spammers make an AI for that .

    • the finite number of minigames they set up with their finite number of items in them, rendering the whole thing pretty useless.

      There might not be a benefit to that outcome, but a "good" CAPTCHA system does have a good outcome when it's broken.

      I was talking to the guy who started reCAPTCHA many years ago, and his idea was that the OCR work they were farming out was too tough for algorithms to beat. As long as bots could not do better than humans, reCAPTCHA would be offering a valuable service. As soon as

    • The problem with the current CAPTCHAs is that they are prone to a Mechanical Turk attack.
      This new type of CAPTCHA could in principle solve this issue.

      • The problem with the current CAPTCHAs is that they are prone to a Mechanical Turk attack.

        That's a problem with CAPTCHAs, not the only one. I've encountered several that I couldn't solve, even after trying several times, eventually leaving me no choice but to give up and go elsewhere.

        It's a problem when your human detector fails to detect humans.

    • by wbr1 (2538558)
      It's not just working at Google scale, it's human-nets paid pennies by spammers to solve captchas. If it is machine-unsolvable this will happen as long as there are people poor enough to work at such menial tasks for low wages.
  • I am an ant! :P

  • by Beck_Neard (3612467) on Tuesday August 19, 2014 @01:19AM (#47701067)

    The problem is that you can really only come up with a finite number of these, and once an attacker has a large enough sample of them (say, 10%), he can simply write a bit of code to 'solve' each one.

    The thing about CAPTCHAs that makes them great is that you can randomly generate a huge bunch of them.

    Anyway, the headline so completely misrepresents this research that it basically says the opposite of what the researchers are saying. The researchers, in fact, created an automated system to solve DCGs! Their contribution was a system that detects 'crowd-sourcing' attacks - attacks where shady companies pay volunteers pennies to solve CAPTCHAs by hand. The researchers said they are going to work on improved DCGs that can't be solved automatically, but nothing of the sort is being unveiled here.

  • by Anonymous Coward

    I haven't read the article, but I do wonder... what about those with disabilities? Like poor vision, poor hand-eye coordination, etc.?

  • by EzInKy (115248) on Tuesday August 19, 2014 @01:36AM (#47701125)

    Proving I'm human just subjects me to more ads I don't want to see.

  • by weilawei (897823) on Tuesday August 19, 2014 @01:45AM (#47701149) Homepage

    When he comes back, I'll hit him with a paradox [youtube.com].

  • ...I'll threaten to shove its chips up its fanhole if it doesn't let me in.

  • Yes, but is it accessible by disabled people, i.e., blind users that need screen readers..?
  • ..that the first truly successful AI will be developed by spammers and phishers to defeat this?
  • "For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location." This is worse than CAPTCHA
  • I can't remember where, but I've seen this in use this past week. When I saw it, first thing I thought was that this was one of those annoying ads disguised as a game that are out there. Still, once recognized for what it was, it was simple, much less a pain in the a$$ than the text based CAPTCHAs.

  • And how will even the best, most fool-proof CAPTCHA protect you from a spam bot system that passes that game, or other CAPTCHA, to some people farm in a foreign country? Or just to visitors to some other website that gets high enough traffic for the spammers to post sufficient volume of spam?

    This, by itself, cannot solve the issue.

    The issue is not "Prove that there is a human there".

    The issue is "Prove that you, right there, right now, are a human, and not being passed to someone else, elsewhere".
