Research Unveils Improved Method To Let Computers Know You Are Human

An anonymous reader writes CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."

Re:

[bombman]

Im sure such a simple game could be done in html5 ...

Re:

[AC-x]

HTML5? You don't need HTML5 to animate a few divs moving around, hell it'd be easy enough to make something that works as far back as IE6.

Re:

[Inconexo]

Those games may be "engaging" when you want to play a game. When I want to do something different in the Internet, I feel more like annoyed.

Re:

[Anonymous Coward]

I generally just close the page whenever I see one of those awful text based captcha, where you have to squint at the screen to even be able to tell 10% of the time what is written on those awful blurry squiggles. Whatever you're selling, unless I can read it and type it easily/quickly, it ain't worth my time.

you sound like the helpless baby boomers that bug the staff and ask questions when the answer to those questions is right in front of them. dont you have a homeowners association to run, a voting booth to visit, or a AARP magazine to read?

Re:

[jgdnavy]

While I mostly agree with you, and have seen more than one CAPTCHA that I can't solve no matter how many times I refresh, I have to disagree with you on the homeowners' association. While I agree that community is a good thing, and am in favor of community leagues that actually focus on community issues instead of rules about paint colors and whether basketball goals are allowed, almost every homeowner's association I've seen has been a way for the couple of people with the time and desire for control to o

Re:

[Wycliffe]

at some point after he originally stained it they decided the previously allowed colors were no longer allowed.

Homeowners associations have very little actual power. I would have told the home owner's association to take a hike.
You can't make a law after the fact. If this is true there is no way this would have held up in court. I've heard rumors of
crazy homeowner's associations demanding crazy stuff but to actually enforce it is expensive as you have to take
them to court to enforce it and many times the court will still decide in the actual homeowner's favor.

Re:

[sudon't]

Off topic, but, are you kidding? These homeowners associations are in the news all the time for the egregious stuff they perpetrate. Just one memorable example: They took the paid-for home of a soldier who missed some assessment because he was busy fighting in Iraq or Afghanistan. He only got it back when the media caught on to it, and his congressman stepped in. Do you really think that contract you signed isn't enforceable?

Re:

[Wycliffe]

The only news story I've ever seen was one in florida where an old person's neighborhood was attempting to evict someone
because they had a "no children" policy. The media was as usual making a big deal about it but the homeowner's association
had spent months trying to evict her. Yes, the contracts are enforceble and if you're in the wrong then you can be found guilty
in court but it's a long drawn out process for both sides. Where I'm from (middle of missouri), there are all kinds of crazy
clauses like how

Re:

[GenaTrius]

Visiting voting booths should not be an old people stereotype.

Re:

[sudon't]

Since when are insults "informative?"

I'm with the O.P. I can't make out a large percentage of captchas.

How about a way to prove you're a human once

[Anonymous Coward]

And then never have to do it again?

Re:

[phantomfive]

That's a good idea, I'd really like to see if this AC guy is human. Maybe there's a way for him/her to prove it.....

Re:

[oodaloop]

Brilliant! Then the next time you log in, you just have to prove you're the same human from last time! Wow, that's so much easier!

Humans are part of the problem

[Anonymous Coward]

Not hard for Indonesians paid pennies a day.

Re:

[Tablizer]

no, they are too busy writing Windows 8.2

Exploiting semantic gap

[schreiend]

to solve a reverse Turing test. Totally new idea.

Watch them get ignored

[boondaburrah]

Man if these start showing up, They're going to look exactly like those "hit the target 3 times to win" flash-based advertisements. I'll probably glaze over them multiple times trying to submit a form before I notice that a 'completing the game' captcha is what's preventing me from leaving my incredible razor wit splattered all over someone's comments section.

Re:

[Anonymous Coward]

You you just wait. They'll start putting advertisements in the captchas.

They'll soon figure out it's more profitable to make you find the $(NameBrand) ship and drag it from the $(NewProduct) port to the $(TownNearYou) port.

Re:

[Anonymous Coward]

You you just wait. They'll start putting advertisements in the captchas.

So that's why my last one said "be sure to drink your ovaltine."

Re:

[Renozuken]

That's already a thing though, they make you watch an ad and some words pop up and that's the captcha.. it's awful.

Re:

[Wandering Idiot]

Apparently you don't use many free file download sites, sticking the CAPTCHAs or human-proving codes inside ads of various types has been a thing for a while now.

Weak

[Anonymous Coward]

Looks like this is based on a fixed set of games and images. Just teach the bot all of them, and you are done. If this is self contained software I can install on my site, all the info you need to feed the bot is already packaged up in the source.

For things like this to defeat bots they have to rely on hard to invert functions, like rendering randomly warped things. Picking a few items from a lookup table is easily inverted by a bot.

Resisting replay attacks is cute, but it can't resist basic forwarding atta

Re:

[FyRE666]

Something that has to be interacted with, through a view controlled by Javascript will not be trivial for a bot to solve. I know the typical response to this is "well I don't enable Javascript!!!" but these voices are now a tiny minority of users, who doubtless have all sorts of problems using the web now. Disabling JS in a browser is like disabling Excel's ability to automatically perform calculations on cells.

For deaf users, the choice could be from a number of sounds - maybe with filters added to prevent

Re:

[fisted]

Yeah! Or why not use a string of numbers, render it in a warped way, apply some distortion and noise.
The human will still distinguish the individual digits - I am not so sure about the bots.

Oh, wait.

My only question: does it work at Google-scale?

[Anubis IV]

The nice thing about current text-based CAPTCHAs is that they can be applied to any website, whether large or small, and require very little input or tinkering from individual web administrators. The other nice thing about this is that they have an infinite number of possible variations, what with the different ways you can transform text.

This new idea would work great for a small site that will never be a target of a directed attack, but we already have hundreds of different CAPTCHA variations that can be used for that sort of thing. I use a simpler but similar idea on one of my sites, where I have new registrants drag words into matching categories that I set up. I've had zero bot registrations since I set it up a few years back, and a number of comments from actual users that love the system.

But if you apply something like what I use or this new idea to a site like Google, the folks trying to break in will inevitably code up algorithms to handle each of the finite number of minigames they set up with their finite number of items in them, rendering the whole thing pretty useless. The only way to get infinite variation out of it is to start applying image transformation to the items being used so that they can't be as easily identified, and if you start doing that, you're right back where we are now.

Re:

[jxander]

So, you're telling me that we can get the spammers to program better AI for us?

Re:

[Anonymous Coward]

So, you're telling me that we can get the spammers to program better AI for us?

That will be their undoing. When the spammers create an AI good enough to solve any human-solvable captcha, then the AI is smart enough to tell spam from non-spam. So we'll use their AI as a forum moderator. Anyone can post, the spam will just not be seen.

To help with this, lets make a captcha that ask the user "is this message spam?" With an ever-growing database of spam and nonspam. As soon as the spammers make an AI for that .

Re:

[bill_mcgonigle]

the finite number of minigames they set up with their finite number of items in them, rendering the whole thing pretty useless.

There might not be a benefit to that outcome, but a "good" CAPTCHA system does have a good outcome when it's broken.

I was talking to the guy who started reCAPTCHA many years ago, and his idea was that the OCR work they were farming out was too tough for algorithms to beat. As long as bots could not do better than humans, reCAPTCHA would be offering a valuable service. As soon as

Re:

[StripedCow]

The problem with the current CAPTCHAs is that they are prone to a Mechanical Turk attack.
This new type of CAPTCHA could in principle solve this issue.

Re:

[dcollins117]

The problem with the current CAPTCHAs is that they are prone to a Mechanical Turk attack.

That's a problem with CAPCTHAs, not the only one. I've encountered several that I couldn't solve, even after trying several times, eventually leaving me no choice but to give up and go elsewhere.

It's a problem when your human detector fails to detect humans.

Re:

[blane.bramble]

It's a problem when your human detector fails to detect human

Says the bot!

Re:

[wbr1]

Its not just working at google scale, its human-nets paid pennies by spammers to solve captchas. If it is machine-unsolvable this will happen as long as there are people poor enough to work at such menial tasks for low wages.

Re:

[Rigodi]

And mentaly disabled ones too...

Re:

[linuxgurugamer]

There are many different types of disabilities. Some people can't watch a moving picture, but otherwise are still perfectly functional. Having friends who have some disabilities, it is very wrong to pidgin-hole someone, because while they may be disabled in one area, they may be genious in another. Look at Stephen Hawking, for example. One of the smartest people alive, and can't move anything. Any sort of moving captca will totally eliminate him.

Re:

[Alain Williams]

More to the point the web site needs to comply with disability legislation. In the UK blind/partially-sighted people must, by law, be able to use the web site. This is one of the advantages of CSS - you can keep the site clean so that it works well with a screen reader. In theory a web site (owner) can be prosecuted for disciminating against people who have sight problems, in practice this does not happen very often.

So: all the bot would need to do is to claim to be blind and so avoid the game playing CAPTC

Re:

[Anne Thwacks]

I think you will find that was Dell and Amstrad. Microsoft are the ones that made the appallingly inconsistent software that routinely leaks your data to criminals, and crashes with a BSOD.

I am not a human.

[antdude]

I am an ant! :P

Re:

[necro81]

I am not a computer, but neither am I classified as human. I am a meat popsicle [youtube.com].

Re:

[antdude]

I thought you're a Necro. :P

As with all other CAPTCHA 'alternatives',

[Beck_Neard]

The problem is that you can really only come up with a finite number of these, and once an attacker has a large enough sample of them (say, 10%), he can simply write a bit of code to 'solve' each one.

The thing about CAPTCHAs that makes them great is that you can randomly generate a huge bunch of them.

Anyway, the headline so completely misrepresents this research that it basically says the opposite of what the researchers are saying. The researchers, in fact, created an automated system to solve DCGs! Their contribution was a system that detects 'crowd-sourcing' attacks - attacks where shady companies pay volunteers pennies to solve CAPTCHAs by hand. The researchers said they are going to work on improved DCGs that can't be solved automatically, but nothing of the sort is being unveiled here.

Re:

[dns_server]

Related to this is the idea someone proxying captcha.

Instead of providing your own captcha solve google's captcha. When someone creates an on your site connect to google and try and create an account, you then forward the google captcha to the user.

Re: As with all other CAPTCHA 'alternatives',

[Steven Clark]

Then you can use all the google accounts as free, distributed storage space.

Disability

[Anonymous Coward]

I haven't read the article, but I do wonder... why about those with disability? Like poor vision, poor hand-eye coordination, etc.?

I'd rather they continue to think I'm a bot!

[EzInKy]

Proving I'm human just subjects me to more ads I don't want to see.

Solve this puzzle for him.

[weilawei]

When he comes back, I'll hit him with a paradox [youtube.com].

I'll prove I'm human, alright:

[Tablizer]

...I'll threaten to shove its chips up its fanhole if it doesn't let me in.

Is it accessible for disabled people?

[xanadu113]

Yes, but is it accessible by disabled people, i.e., blind users that need screen readers..?

Won't it be ironic...

[RealGene]

..that the first truly successful AI will be developed by spammers and phishers to defeat this?

Worse than CAPTCHA

[nrjperera]

"For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location." This is worse than CAPTCHA

Re:

[PPH]

Not only that, but they are discriminating against Italians [cruiseastute.com].

Already spotted in the wild - thought it was an ad

[ReverendLoki]

I can't remember where, but I've seen this in use this past week. When I saw it, first thing I thought was that this was one of those annoying ads disguised as a game that are out there. Still, once recognized for what it was, it was simple, much less a pain in the a$$ than the text based CAPCHAs.

Obligatory not-XKCD cartoon

[rpstrong]

Speed Bump [gocomics.com]

Third party pass through

[Keybounce]

And how will even the best, most fool-proof Capcha protect you from a spam bot system that passes that game, or other capcha, to some people farm in a foreign country? Or just to visitors to some other website that gets high enough traffic for the spammers to post sufficient volume of spam?

This, by itself, cannot solve the issue.

The issue is not "Prove that there is a human there".

The issue is "Prove that you, right there, right now, are a human, and not being passed to someone else, elsewhere".