Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Spam

Making CAPTCHAs Even Harder With 3-D Models 326

Michael G. Kaplan writes "CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."
This discussion has been archived. No new comments can be posted.

Making CAPTCHAs Even Harder With 3-D Models

Comments Filter:
  • by Anonymous Coward on Monday January 31, 2005 @07:03PM (#11534855)
    Wow, you're just asking some bored hacker out there to prove you wrong.
  • by shiflett ( 151538 ) on Monday January 31, 2005 @07:03PM (#11534857) Homepage

    PHP developers might find this article useful:

    http://phpsec.org/articles/2005/text-captcha.html [phpsec.org]

  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Monday January 31, 2005 @07:04PM (#11534867) Homepage Journal
    Awhile back on Slashdot (I'm too lazy to find the link) there was an article on Captcha's being attacked by Spammers who would set up a porno site requiring user registration using, the Captcha in mind to crack, then forwarding the results to the anti-captcha bot.

    Vision-recognition systems be dammed, all a spammer needs to do is use the inherent need of apparently most of the male race to look at pictures of naked women to get what he needs. I don't know if a counter was ever found to this method either...
    • by shiflett ( 151538 ) on Monday January 31, 2005 @07:10PM (#11534934) Homepage

      Yes, I first heard this from an engineer at Yahoo. They were, as far as I know, the first site to have to deal with this technique on a major scale. Fortunately, this attack requires that the attacker's system communicate with your server, playing the role of a typical user.

      So, although the "answer" to the CAPTCHA is provided an actual human, you can still pinpoint mass registrations and the like to a single group of IP addresses in most cases, because the users are not the ones interacting with your application. This becomes a network problem rather than an application problem.

      • Well my first thought to counter that was to put my bot on a major ISP (we'll use Earthlink) and keep grabbing different IP's to fool you. Of course you can always ban by MAC addresses and sooner or later Earthlink would be bound to notice.

        Though if I did this on a small scale and didn't get too greedy I might be able to stay off the radar. Couple that with changing hosts frequently and/or finding hosts with badly enforced TOS's and I can give a headache to any Captcha test.

        So the game continues...
        • Yes, you can always get away with such things on a small scale. In the case of Yahoo, the biggest problem (at the time I learned of this technique, which was about two years ago) was massive registrations. If you register less than a thousand users for an email account or something, they probably didn't care.

          I think CAPTCHAs are just another example of a technology that can be effective if used appropriately. Don't depend on it to protect you from anything absolutely, but you can help to prevent automation

        • by kapella ( 3578 ) on Monday January 31, 2005 @07:39PM (#11535235)
          ...for not understanding core principles of Ethernet.

          Although it's tangential to the topic, you can't "ban by MAC addresses". Not unless you're on the same ethernet segment as the attacker. Try it the next time you've got access to a few machines separated by at least one router. Ping from two different machines to a third on another network and run tcpdump to inspect the MAC addresses on the packets. Let me know how it turns out. (hint: they'll have the MAC address of the router)
          • Ethernet has never been a strong point of mine, but if only you could but the originator's MAC address somehow on the packet...actually in hindsight if that were possible, would probably solve a lot of the problems re: Spam in the first place...
            • Re:Heh... (Score:3, Informative)

              by farnz ( 625056 )
              Only works if the originator has a globally unique MAC address. Think dial-up modems, point to point links, private systems using administrator defined addresses (UML hosts for example)...
            • Re:Heh... (Score:3, Insightful)

              by flonker ( 526111 )
              Many cards have a user configurable MAC address.
            • Re:Heh... (Score:3, Insightful)

              by nickco3 ( 220146 )
              Your suggestion involves breaking up the protocol layers. Both Ethernet and TCP/IP owe their success to Keeping It Simple Stupid. If you start overlapping them, introducing MAC addresses into IP headers, you are merging them into a kind of TCP/IP/Ethernet super-protocol. It's no longer Simple, and you can no longer patch, upgrade, change them independently of each other. Different implementations of Ethernet on disconnected networks will now start interfering with each other in unexpected ways, depending ex
      • So, although the "answer" to the CAPTCHA is provided an actual human, you can still pinpoint mass registrations and the like to a single group of IP addresses in most cases, because the users are not the ones interacting with your application. This becomes a network problem rather than an application problem.

        Excellent point, but if they're already setting up a porn site and marshalling captchas back and forth, piping the results through zombies shouldn't be a very big leap.

        What kind of problem is it then?

    • Presumably, you would scramble the letters across items in the picture from iteration to iteration. That would certainly make things much more complicated for any automated system, even with human help to crack it. Also, you can exploit the point-of-view changes (even slight ones) to make it more difficult for a computer to determine which image is which. So even with a good database of what part of the image maps to which phrase, you can make it fairly tough, I think.

      Which isn't to say that no-one is u
    • by Anonymous Coward
      They will design a Captcha that only females can solve. You can ask your mom to solve it, machines can't.
    • I guess something that would help could be to include, in the picture, some little notice like "If you see this picture on a non-yahoo webpage, please report to blah@blah".

      Could perhaps be countered by removing that notice before presenting it to the eager-to-see-porn target. Though it would at least make the entire procedure more trickier.

  • by A beautiful mind ( 821714 ) on Monday January 31, 2005 @07:09PM (#11534928)
    Check the last sentence on his page.

    "Patents pending."

    Tyvm, but no.
    • C'mon slashdot. Informative??
      D'you really expect the man not to take credit for his work?

      Just because its patented doesn't mean it cannot be open sourced .. or freely available for implementation.
      Whether it will be, of course is another issue. Great work by Michael all the same. Hope this works.
  • by Anonymous Coward on Monday January 31, 2005 @07:10PM (#11534933)
    Show them the acronym, CAPTCHA. If they don't cringe, they are obviously non-human.
    • CAPTCHA = Create A Phrase Then Create Humongous Acronym.

      Of course that's not the way it currently is done. Glitzy marketing folks tend to generate the acronym first, and then come up with humongous phrases that retrofits into the acronym.
  • by SJasperson ( 811166 ) on Monday January 31, 2005 @07:10PM (#11534940)
    http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha The developer of an automated breaking bot explains how he did it.
  • by Sanity ( 1431 ) * on Monday January 31, 2005 @07:11PM (#11534942) Homepage Journal
    ...when you can't make out the numbers or letters on one of these things, as has happened to me on a number of occasions.

    The logical conclusion is that I'm not actually human. My girlfriend will be very upset when I tell her.

    • by Anonymous Coward
      " My girlfriend will be very upset when I tell her."
      • Just use your other hand... it's her twin.
    • Exactly.

      "Making CAPTCHAs Even Harder" For Humans to Read "With 3-D Models" should have been the title.

      Seems like a pretty horrid plan. And then that it's patent pending (as mentioned earlier) -- that seals the deal.
    • My cognitive psychology professor started a sentence in class today with, "Now in humans, commonly called people..." It made wonder...
    • I consider it more scary when the numbers can't make you out.

      Because then somehow you have travled half way around the world, and back in time to Soviet Russia.
    • The logical conclusion is that I'm not actually human. My girlfriend will be very upset when I tell her.


      She already knows. :-P

  • Took a long time (Score:5, Insightful)

    by cmclean ( 230069 ) on Monday January 31, 2005 @07:11PM (#11534943) Homepage Journal
    Decoding the 5-letter example in the article took waaay too long when compared to current techniques (i.e. 30 seconds as opposed to 3), regardless of how good it is at eliminating nonhuman respondants.
    It seems a very good idea, but all that flicking back-and-forth of the eyes is to compute-intensive for my grey matter.
    • I agree, it took a long time to figure out what any of the words were (long being relative). But also I thought having to choose three was too much, even though I understood the argument they were making for the probability of successful detection being dramatically reduced...

      I would say from looking at the "hacked" examples it seemed to me that the only thing required to really confound detectors was sufficient skew in the letters. In every case letters with a heavy skew were not recognized correctly.
    • Re:Took a long time (Score:3, Informative)

      by js7a ( 579872 )
      Also, someone should tell the guy that semicolons are not allowed inside email addresses.
  • I was doing a whois with one of the forms the other day and was unable to pass the test. there were thick lines over the text and it was sloppy cursivish text I was supposed to identify.
  • "Your message was blocked, a sub-adress is now required. ...subadress is now required... Please update your records and resend your message with the sub adress below."

    And thus you have effectively blocked that email adress permanently for the 70% of the population who doesn't understand the above, and who - more importantly - doesn't have the time or interest to make the effort to understand (and that would include people like my mother), or who don't read English well enough to understand it, interest or
  • Someone already figured out that if you run a porn site (or other type of legitimate site which could possibly use CAPTCHAs) you can have legitimate users fill out the CAPTCHAs which you scrape from the site you want to crack, and then forward it back to the targetted site. Since there is a surplus of people filling out CAPTCHAs over bots wanting to crack them, there is plenty of room for cracking it...

    In the end, it is only a deterrent. But it is definately not close to foolproof

    (note that this technique
  • Does it scale? (Score:3, Insightful)

    by john_anderson_ii ( 786633 ) on Monday January 31, 2005 @07:15PM (#11534992)
    The novel anit-spam system mentioned in the article seems on the surface to be a great idea. However, I do see one small problem with the seperate username;subaddress@domain.com per correspondent idea. Image an environment where there are 1,000 employees and each employee recieves mail from 100 different users. Doesn't that place 100,000 seperate mailboxes, forwarded to 1000 "internal" mailboxes? That will have an overhead to be sure. Also, if the spammer is able to obtain a traffic sample coming to/from this ficticious corporate mail server, could the spammer then obtain the subaddresses directly? If the spammer then sent a spam email to every subaddress for a user, the user would then end up with 100 copies of the spam letter in their inbox.

    Just some hypotheticals.
  • This system sucks, and nobody will ever use it. Sorry that nobody has been honest with you until now, but it is time to face facts. It is far too complex.
    • It tries to solve a problem in a too complex way, i agree. Why couldn't people just use a different solution?

      Just theoretically, what if the picture would present clearly readable text, but with different parameters, like size, boldness, etc. Then the page would ask you to input the "text on the bottom, on the top, the green text, the bold one" or something like this or the combination of this. It would be more simple than the 3D-wizardry. I guess someone would try to identify the keywords, but it would b
  • Why graphics? (Score:5, Insightful)

    by Skevin ( 16048 ) on Monday January 31, 2005 @07:16PM (#11534997) Journal
    Do you know how many times things like this have required me to use some browser other than Lynx or Links? You're blatantly discriminating against us terminal users. Then we have to find someone running a GUI envoronment. Oh! The insensitivity!

    Solomon Chang
    • Re:Why graphics? (Score:3, Interesting)

      by fname ( 199759 )
      I know this is mostly a joke, but to a large degree it's true. I've seen captchas implemented in blogs for comment posting, and it seems like such overkill. My group-blog has implemented a very simple password scheme to prevent comment spammers. Initially, the thought was to use a captcha, until we realized it would suck to use on our Treos or other cell phones. Then we considered listing the solution in text so that any human could read it. Since it would be a home-grown solution, comment spammers would n
    • Re:Why graphics? (Score:2, Insightful)

      by Xerp ( 768138 )
      Ineed. This is discrimination against those people who are blind and have to use screen readers.
  • by Anonymous Coward on Monday January 31, 2005 @07:16PM (#11535008)
    Deckard: You're reading a magazine... You come across a full page nude photo of a girl...
    Rachael: Is this testing whether I'm a replicant or a lesbian Mr Deckard?
    Deckard: Just answer the questions please.
  • Prediction... (Score:3, Insightful)

    by Mhrmnhrm ( 263196 ) on Monday January 31, 2005 @07:16PM (#11535009)
    This will fail miserably. It requires too much human involvement, the munging of previously easy to remember email addresses (however easy ilovemypoodlexo42@hotmail.com wass to remember anyway), but perhaps most importantly, it generates a bounce. Anytime a typical clueless user sees a bounce message, they don't bother to read it. They see "ERROR" and that's as far as they get before calling their buddy and bitching about the bum email address. Maybe if you're lucky, they'll doublecheck to see if they spelled it right, but that's about it. For any CAPTCHA to work, it has to be a one-time event (like registering a yahoo email address) that does not result in apparent error messages being thrown back at people. For any anti-spam system to work, it must be transparent to the end-user (like these new sender-id verification systems).
  • by SuperBanana ( 662181 ) on Monday January 31, 2005 @07:17PM (#11535025)

    I had a conversation with a senior executive at a former employer.

    He told me that, just as companies were outsourcing tech support to India/China/etc, companies which handled mass-emailing were also outsourcing work to have people sit there and recognize CAPTCHAs as well as respond to those stupid validation things some people try with their email (ie, you have to respond back to some silly email from their server saying "yes, I do ACTUALLY want to email you"). The mass-emailing companies would forward all the responses they got to a mailing to the company, and rooms of people would go through them all.

    Very little training was required for the CAPTCHAs, and only rudimentary English for the email-response things.

    • As the article pointed out, a generic spammer can't respond to a CAPTCHA that comes in an auto-responding email, because the sending addresses are invalid. Moreover, they're going to have to have a CAPTCHA for ever single email, because a good email interface should allow you to de-whitelist a successful CAPTCHA response. Even if a third world worker can spend an entire year decoding CAPTCHAs for $1000/year doing one every 8 seconds, they can still only decode 900,000 CAPTCHAs per year, and that has a cost
      • Even if a third world worker can spend an entire year decoding CAPTCHAs for $1000/year doing one every 8 seconds, they can still only decode 900,000 CAPTCHAs per year, and that has a cost of 1.1 cents per 10 CAPTCHAs. That would mean that emailing 40,000,000 people a piece of spam would cost $44,000. Suffice it to say, spammers do NOT make $.001 per spam sent; not even close.

        ...and not even remotely close to 1%(I'd guess less than .1%) of all email addresses use that stupid auto-responder "reply back to t

  • by Anonymous Coward on Monday January 31, 2005 @07:19PM (#11535042)
    The federal government is considering outlawing this abusive practise. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage.

    I work at a school for the deaf and blind, and captcha's make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73 year-old eyes, have trouble reading the Yahoo ones.
    • So what's your suggestion? Just let spammers rule the world? I'm all for universal access when there isn't a compelling reason not to have it, but this sounds like a compelling reason not to have it.

      I suppose we could register certain IP addresses as belonging to a handicapped user and require sites to forgo the captcha when they hear from one of those IPs... but then we have all the problems of centralization, privacy invasion, and verification.
    • Outlaw CAPTCHAs? I agree that they are a hideous usability-breaking kludge, but to outlaw them certainly seems to be overreacting.

      To allow governments to actually control the content of websites on such a fine level seems rather draconian to me. Also, while they're typically buried, some websites provide an audio-based alternative; I know that Hotmail offers this. It seems to me that you should rather lobby websites which offer no alternative for blind or vision-impaired users to change their policies.

      Finally, I'd like to note that with relatively young eyes and a surplus CAD-workstation monitor, I also find the Yahoo CAPTCHAs difficult to see. The problem is not your eyes, it is rather that in trying to make graphics illegible to computers the algorithm has managed to make the graphics illegible to humans as well.

    • The federal government is considering outlawing this abusive practise.

      Nonsense. Maybe they can dictate that on government web sites but your independent web developer or company can do this all they want. Maybe if we made an effort to fix or replace SMTP rather than keep finding more clever ways to treat the symptoms we'd all be better off. I think that spam is a big enough problem now that if something better than SMTP came along most administrators wouldn't hesitate to start making the switch.

    • ...visually impaired people? It should be trivial to have a speech synthesizer create wavs on demand that pronounce the CAPTCHA and then ask the user to type it in.
    • how badly all of you fell for a freaking obvious troll.
    • The solution isn't to outlaw the CAPTCHA, the solution is to make additional alternatives available for people who can't "solve" a CAPTCHA. For the blind the solution would be an audio CAPTCHA, and for the very few who are both deaf and blind, a dialogue with a real person, you fill out a form and a dialogue with a real person ensues, you prove that you are a person by answering like a real person. As long as only few users need this personal assistance it should be doable.
  • In the images from the harder version of Gimpy, http://www.cs.berkeley.edu/~mori/gimpy/hard/ [berkeley.edu], the grey colour of the text is distinctly darker wherever two letters intersect (eg. where the "o" and "s" intersect in "long" and "sharp" in the upper right corner of the first image).

    Now, I'm not suggesting that it is easy for a computer the read these words; but, wouldn't this darker text colour make it easier for a learning algorithm to "dissect" two letters that intersect slightly?

    I can't imagine that re
  • by bremstrong ( 523910 ) on Monday January 31, 2005 @07:19PM (#11535051)
    Use handwritten challenges and let the spammers solve the handwriting recognition problem for us.
  • While I understand the appeal of vision based tests as very easy to automate and simple to implement long term use of these kind of tests, especially in single use contexts like signing up for an account requires a more complex problem.

    Quite simply vision is too simple, or at least the easily automated part of vision that is being used in these type of tests. What needs to be tested is ability to reason and detect patterns in data.

    Basically we need to give people reading interpratation tests like they ha
    • For instance looking at the pdf http://www-2.cs.cmu.edu/~biglou/captcha_crypt.pdf the following procedure suggests itself. Use newly aquired web pages that haven't been added to the search engine yet as seeds and ask the human to compare these to a paragraph generated by automated text generation and answer which makes sense. While the authors of the paper dismiss this approach because it relies on a particular secret (the human created paragraphs) I think they ignore the possibility that this secret can
      • Automatically generate a contract and then force the user to write code which meets that contract when interpreted. This would be a very effective test for humans on the other hand unfortunatly it takes too much training to learn.

        Basically this is the same effect that it is very easy for humans to prove a great many simple theorems but we can't write a good computer theorem prover. I teach logic and it is clear that even the worst student can be made to do better at proofs than computer based theorem pro
  • I wonder when CAPTCHAs will be so hard that an increasing fraction of the human population fails them. Perhaps the true origin of SkyNet will be when some spammer's AI realizes that humans are superfluous in an age of totally automated click-throughs and e-commerce.
  • Comment removed based on user account deletion
  • While I understand the desire to keep people from posting spam in the first place, what I don't understand is why web apps don't use bayesian filtering to moderate posted messages? A hosted service such as blogger could use a central database to implement this, making the system very effective. Sure, you would have to spend some time going through the comments to make sure there aren't any false positives/negatives, but using filtering becomes prevalent enough (all the blogging systems implemented it), it
  • I know it has become a running joke, and rightfully so, but quite honestly, I've failed to prove I'm human to these stupid things on more than one occasion.

    A lot of them do stupid things like start with a serif font, distort the hell out of it, and expect me to be able to tell which is a 1 and which is a 7.

    Also, while we're on the subject.. I didn't know these things (CAPTCHAs) had a name... a really stupid name.
  • About time? (Score:2, Funny)

    by EdwinBoyd ( 810701 )
    Finally 'real' hackers can now join their Hollywood counterparts by eschewing complex algorithms, buffer overruns and good old-fashioned skullduggery. Now secure systems will be protected by spinning multicoloured 3D geometric shapes. Hack the gibson anyone?
  • by Wesley Felter ( 138342 ) <wesley@felter.org> on Monday January 31, 2005 @07:38PM (#11535227) Homepage
    Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (X) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    (X) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    (X) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    (X) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    (From http://www.craphound.com/spamsolutions.txt)
    • You forgot to check off an item in the "Specifically, your plan fails to account for" section. I believe the elgible one would be "Dishonesty on the part of spammers themselves" (as mentioned by the various people who commented that some spammers have been using pr0n sites to harvest the words used in this form of validation).
    • I was waiting for this, because I wanted to see how you'd attack his idea. It seemed reasonable...Here are my possible defenses.

      (X) Mailing lists and other legitimate email uses would be affected
      You shouldn't sign up for the mailing list with your non-subaddress account.

      (X) Users of email will not put up with it
      Why? It should be automatic. If done on a massive scale (de-facto industry standard), people can believe that it'll take two weeks to convert, and then spam will be gone. They will put up with
  • Respectfully submitted, I'm sorry, but it won't work.

    First, you're dealing with a very small set of 3d models that can be easily duplicated. (Lets face it, the stock set is all that's ever going to be used. If you think that folks have forever to constantly create and install new models, you're mistaken. Also, what's to stop spammers from simply buying the same model's you're using? Nothing.

    The *lighting* of the original is a red herring, the fact that the background is fairly plain and offers a notica
  • Mass automation of CAPTCHA cracking isn't done by computers anymore, people have realised that they can get real humans to do it instead - they just stick the CAPTCHA in another web page such as on warez or porn sites, the user is told to solve the CAPTCHA to enter the site, which they will gladly do..

    Sadly theres no real way to stop this.
  • The methods he describes on the linked page are all for determining words in CAPTCHAs. I've seen some where it just said "type in these letters" (i.e., random letters, not words) which would in general cause his counter-CAPTCHA algo to puke, and in particular make it fail more if it insisted on supplying words when the CAPTCHAs all specifically aren't.
  • Instead of making the actual recognition of something the object of the exercise, how about elevating it to a more abstractive method. My daughter was watching Sesame Street the other day and it came up with the "One of these things is not like the other", she got it right instantly, shouting at the TV, and I got thinking about how it could be implemented to weed out the humans from the computers. You could have a collection of easily recognisable monochrome shapes, maybe a couple of hundred, group them by
  • This sucks. (Score:4, Insightful)

    by Sam H ( 3979 ) <sam@zoy.org> on Monday January 31, 2005 @07:41PM (#11535260) Homepage
    This proposal totally sucks. The goal of a CAPTCHA is not only to be extremely difficult for a computer, you also need to make it simple enough for the user. Most current implementations are considered extremely inaccessible [w3.org], and if you have accessibility in mind, these 3D images are a huge step backwards. The utter vanity of it all is emphasised by its vulnerability to the porn site attack (offering porn to monkeys to crack CAPTCHAs). Be assured that I and other people will devote as much time as possible to eradicate moronic CAPTCHAs [zoy.org] from the Internet.
  • Many companies that do business in the United States of America are subject to regulations [ada.gov] that forbid them from discriminating against people with disabilities; companies that have significant contracts with the United States Government are subject to the stricter guidelines of Section 508 of the Rehabilitation Act [section508.gov]. Anything that discriminates so flagrantly against people with vision or cognitive disabilities may get companies in trouble with the law.

  • The 3-D item just seems like even more of a pain than the existing captchas, which are way overused as it is, and a burden on the vision impaired.

    But the anti-spam system isn't very novel. A number of systems have tried custom subtags to generate unique addresses for other folks to use, they tend to cause more problems than they solve. This is really just a challenge/response system which is harder to use, and worst of all, forces the sender to cut and paste their mail to send it again. No thanks, you p
  • Or "type in the characters" or whatever. I fail those things three times out of five, and I'm about as human as you can get these days. The frigging things to NOT compensate for vision problems.... some have case sensitive input, some don't, etc, etc.

    Much like aggressive spam filtering, any ARE YOU A POOTER? [ Y ] { N } [ ______ } is going to turn up false positives.
  • why? (Score:3, Insightful)

    by sillivalley ( 411349 ) <sillivalleyNO@SPAMcomcast.net> on Monday January 31, 2005 @07:46PM (#11535299)
    Why would I want to view images in an e-mail message?

    Spam is a problem, but for me at least, this ain't the solution! I'm not about to jump through these hoops. If you want to exchange e-mails with me, fine. This system tells me you don't.

    A lot of people won't understand it, and a lot of people who do are going to ignore it and move on to the next message in the inbox.
  • Automatically generate a contract and then force the user to write code which meets that contract when interpreted. This would be a very effective test for humans on the other hand unfortunatly it takes too much training to learn.

    Basically this is the same effect that it is very easy for humans to prove a great many simple theorems but we can't write a good computer theorem prover. I teach logic and it is clear that even the worst student can be made to do better at proofs than computer based theorem prov
  • If I get one of those "you must do this and resend the email" when I send a legitimate email, I delete the email and forget about communicating with that person. It's not worth it. I do not want to encourage the spread of challenge/response email filtering.

    If an ISP can't be bothered to set up a decent virus and spam filter, and relies on bouncing EVERYTHING back to the sender to check for signs of life, it creates two problems for the rest of us:

    1. All the spam sent with my address forged in the FROM fi
  • by MidnightBrewer ( 97195 ) on Monday January 31, 2005 @07:52PM (#11535353)
    1. It uses a whitelist as a means of solving spam. The system claims to allow strangers to effectively email each other, but only after first forcing the user to jump through several hoops. Correspondence will be slowed, and many people may give up in irritation before they bother to send the mail a second time. Imagine a prospective employer who decides that it's not worth tracking down Joe Blow because the email didn't get through, or a university attempting to contact a student by email. This particular method of foiling spam eliminates one of the key benefits of email: easy correspondence with a fast response time.
    2. Users have to maintain a database of trusted senders, as well as another database of recipients who trust them. This means extra data and the possibility of users accidentally falling off of each other's whitelists whenever somebody loses their address book.
    3. It will generate too many bounced messages, thus increasing network overhead to a point where it really may not be much better than spam. It also requires transmission of graphics, which again increase system overhead, as well as extra computational time to generate said images and to register and process the responses.
    4. The system claims it will benefit from server-side cooperation, instead of keeping the method purely client-side. This means that users have to rely on the benevolence of their ISP to keep the system updated and maintained.
    5. The graphical images contain a fixed number of very easily discerned letters that can be combined to form "easily-remembered" words. Once the letters are extracted, they can be recombined into known sequences, first of common English words, then popular web slang, then even transcribed into 1337 for the heck of it. Shouldn't take long to hack that.
    6. Sub-addresses? So you want to explain this one to my parents? "I know you picked out one, simple email address that you really like and will never have to change, but now I want you to pick out a new one. It might be a good idea to change it once every few months or so, too." The whole purpose of an address is to allow someone to have a unique identity that can be easily found.
    Honestly, this particular system sounds like it relies more on sheer grunt work and the wasted time of its users to make it work, rather than any innovative computer programming.
    • Most of your points just aren't valid, and are addressed in the article. While this isn't the most user-friendly system ever, there will never be an "easy for everyone and their grandmother" solution to spam, so learn to compromise a bit. In theory atleast, this system is pretty damn solid. As for your complaints:
      1. If you emailed an employer your resume, he would automatically be whitelisted. His reply would go through to your inbox, and he would be sent a valid subaddress in plaintext that could be automa
  • it is likely to remain invulnerable to automated attack for many years to come.


    'Nuf Said.

  • wow (Score:2, Funny)

    People sure go to a lot of work just avoid creating a robots.txt file!
  • Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute for

  • by ezraekman ( 650090 ) on Monday January 31, 2005 @08:46PM (#11535783) Homepage
    The federal government is considering outlawing this abusive practise. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage. I work at a school for the deaf and blind, and captcha's make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73 year-old eyes, have trouble reading the Yahoo ones.

    I find the classification of these measures as "abusive" to be flawed at best, and misleading at worst. CAPTCHAS are a desperate response to an immoral group of people who will stop at nothing to make money with absolutely no regard for the problems, cost, and distress they cause their targets, who hide behind the first amendment when possible, or using illegal techniques when not. I hate having to deal with them myself, but I understand the necessity of their existence, however unpleasant, and will continue to deal with them as long as is necessary, as such.

    Below are several problems mentioned with CAPTCHAs, as well as some possible solutions:

    1] Accessibility

    Problem: Blind/visually impaired users cannot reliably read the altered text.

    Solution: Audio file accompanies every graphic, to be read on command. (However, still crackable with speech recognition.)

    2] Referring test to 3rd parties

    Problem: Spammers have other membership-based site users (i.e. porn sites) do the test.

    Solution 1: Image is generated randomly, based on a user session, requiring an actual visit to your site; copying will be less effective unless the images are compared later... which may be quite some time if there are a large number of images and/or if the images are generated live on the server, rather than being stored files.

    Solution 2: Include text imbedded in the image (and audio file) specifically referencing the site it is to be utilized with exclusively, requesting that the user report violations of duplication/unauthorized usage, and possibly offering a small reward for information leading to the arrest/conviction/judgment against the violator.

    3] AI text processing

    Problem: AI can be complex enough to identity letters, no matter how obfuscated, until such characters must be so distorted that even a human cannot decipher them.

    Solution: Ask a logic question, present a photograph, or require another means of challenge/response than simple text recognition.

    Example 1: Present a photograph of an apple or otherwise easily-spelled object, and ask the user to type the name into a field, or allow the user to select from a group of mildly distorted text, to avoid spelling issues. (However, this issue raises the accessibility issue again.)

    Example 2: Present a short list of slightly distorted words (with audio files available for each word), and ask a short logic/history/other question. (One | Two | Three | Four | Orange - Of these words, one does not match. Please type the number of letters in this word, in numeric format. (Example: Apple = 5) This test is to be used exclusively by abc123.org. Please let us know if you see this elsewhere, as this means it was stolen.)

    Until it is financially infeasible for a spammer to continue to do business, we will all be forced to deal with the messes they make. This is a challenge/response system, not an attempt to abuse the users of the internet. If there was a better way to solve this problem than hitting "delete" (which must happen hundreds if not thousands of times per day, for some of use), or using filters (which ALL give false positives, eventually), you can be sure that millions of semi-knowledgeable or better computer users would have chosen this path. To claim that such measures, which attempt to HELP people are abuse... perhaps you would like to re-evaluate your claim.

  • Just show a regular photograph or section of text and ask questions about it. It was mentioned in an earlier /. article how hard it was for AIs to read and understand an arbitrary passage of text.

    Eg: for photos:
    What colour is the carpet?
    How many men are in the picture?
    What colour is the lamp?
    What is the largest shape?
    How many sides does the smallest shape have?

    Short story or article: (can select article/answers for language)
    Who is the name of the protagonist?
    What is his favorite rock?
    What street does Bob
  • by 808140 ( 808140 ) on Monday January 31, 2005 @09:22PM (#11536032)
    This is the most ridiculous an overly complex CAPTCHA system I've ever seen. To make matters worse, it is actually very easy to crack, using current technology.

    Let's look at his "LUCKY" example to see why. So he has a picture of the standing man, the flower, and the sitting man, and all over the picture, he has a series of glyphs. As these glyphs are not distorted, they are easily extracted -- the whole point of this system is that distortion based CAPTCHAs are relatively easy to defeat, so he doesn't bother. In his example, he has 26 glyphs, corresponding to A-Z, but in practice, it isn't important what the set is -- only that it is small and finite.

    Once this set is extracted, we know that the "password" is some permutation of this set. Because the set of possible characters in an e-mail address is much smaller than the set of possible characters in an actual password (in particular, e-mail addresses are case insensitive), brute-force cracking of this password is much simpler than brute force cracking of a UNIX password, for example. But luckily for us, it's even easier than that.

    In the e-mail, he includes this "decoder" list.

    • The Leaf of the Flower
    • The Body of the Sitting Man
    • The Head of the Walking Man
    • The Vase
    • The Left Arm of the Sitting Man

    Of course, it should be clear at this point that this list would be relatively easy to extract from the e-mail, and further, that it tells you the exact length of the password, reducing the number of permutations to check to (in this case) 11,881,376.

    Furthermore, a little bit of extra logic could reduce this number still further by noticing repetitive patterns in the list. So if "The Leaf of the Flower" appears twice, we know that the letters in those two slots are the same. And if the glyph set is unique (ie, no glyph appears twice), then we can reduce the number of permutations to at most 7,893,600.

    Now, that's still a fairly large number of permutations to check, and at one point, it probably would have been enough. However, computational power is free now, at least for spammers. And it doesn't take much. Here's a sample perl (!) program I ran on my Debian GNU/Linux laptop (1.2GHz Pentium M).

    for $i (1 .. 26) {
    for $j (1 .. 26) {
    next if $i == $j;
    for $k (1 .. 26) {
    next if $i == $k || $j == $k;
    for $l (1 .. 26) {
    next if $l == $i || $l == $j || $l == $k;
    for $m (1 .. 26) {
    next if $m == $i || $m == $j || $m == $k || $m == $l;
    print chr(97 + $i) . chr(97 + $j) . chr(97 + $k) . chr(97 + $l) . chr(97 + $m) . "\n";
    } } } } }

    This just prints out all the permutations; of course they still would need to be checked.

    $ time perl -e ' ... program here ... '
    real 0m26.109s
    user 0m25.746s
    sys 0m0.020s

    Not very long on a modern computer, eh? And written in perl, too, not exactly the fastest programming language in the world. Now consider that spammers have access to just about infinite CPU and bandwidth, thanks to their army of zombie bots, and that both CPU power and bandwidth are likely to increase at a rather rapid rate in the next decade. Furthermore, this is a worst case scenario -- success in a brute force attack tends to occur somewhere in the middle, not towards the end, reducing the necessity to actually go through all the permutations.

    You don't think they'd try to crack it?

    Plus, by his own admission, e-mail addresses can be shared. What does this mean in this context? I don't even need to get the e-mail address encoded in the CAPTCHA! If I can get any working e-mail address, even one, I get through! So the more active he is, e-mail wise, the more likely I can randomly strike a hit in the first hundred or so tries.

    On top of

Please go away.

Working...