
Web Users Angered by Anti-Spam 'Captcha'

Posted by Zonk
from the web-user-smash dept.
Carl Bialik from WSJ writes "Captchas -- the jumbles of letters that users must type to gain access to some websites -- are a growing irritation, the Wall Street Journal reports. But programmers hope to make new variations that are both easier to decipher and harder to crack. From the article: 'Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy. ... Henry Baird, a professor of computer science at Lehigh University who studies PC users' responses to the codes, has been working with colleagues to develop new generations of captchas that are designed to be easier on humans but baffling for computers.'"
  • What? (Score:5, Funny)

    by Alex P Keaton in da (882660) on Thursday June 01, 2006 @10:37AM (#15444711) Homepage
    I couldn't read the article. They wanted me to type CapTcha. Or was it Cap7cha? Oh well?
  • by LiquidCoooled (634315) on Thursday June 01, 2006 @10:39AM (#15444733) Homepage Journal
    HOT GRITS

    I prefer kitten auth [kittenauth.com].
    • Kitten Auth looks interesting - but I would say that it wouldn't take long to build a database of images, with associated animals and just do a lookup against that.

      Basically, it suffers from the same problem for any non-dynamically generated captcha (and if you add distortions, etc to the images, you're just going to make them harder to identify & remove the point of it).
      • Then we need Live Webcam Kitten Auth(tm)!
      • by Qzukk (229616) on Thursday June 01, 2006 @11:48AM (#15445577) Journal
        Basic image comparison techniques are pretty easy to fool. Change one pixel and the entire image hashes to something else. Some "dupe detectors" reduce the image to a grid of n*m, take the average color of each square, and hash that. This can be defeated by changing the color of a significant block of pixels to a random color, though this would need to be arranged based on the picture itself so you don't hide the kitten.

        That still leaves things like manually capturing every possible unique base kitten image, then doing a pixel-by-pixel comparison and marking everything mostly matching as a kitten. It can be slowed down by changing the brightness or tint of the overall image slightly, but too much would make the image unrecognizable.

        It would be more interesting to combine several ideas. Rather than "click on the kitten" have each picture marked with a random letter, and "enter the letters of the pictures with kittens". Or maybe change it up, pick brown kittens or black kittens or white kittens, kittens playing with a ball, etc.
        • by tepples (727027)

          Basic image comparison techniques are pretty easy to fool. Change one pixel and the entire image hashes to something else.

          Change one pixel and the peaks of the Fourier transform of the image remain mostly the same. It's the same reason one can hear a tone above white noise.

          Some "dupe detectors" reduce the image to a grid of n*m, take the average color of each square, and hash that.

          Which is the same as using only the low-pass parts of the Fourier fingerprint.

          This can be defeated by changing the

    • There's a geographic/cultural/educational problem with KittenAuth -- what if you're not familiar with kittens? Or foxes? What if you've never seen real cattle? These situations are not as rare as you might think, and certainly not invalid. I personally would have had a little trouble identifying the foxes on the KittenAuth page, were they not highlighted with a red border.

      I think it's a step in the right direction, though. It's an interesting insight into what human memes can be considered universal.
      • what if you're not familiar with kittens? Or foxes? What if you've never seen real cattle?

        Then, you are basically at the point where you need to step away from the keyboard and go outside for awhile. I'm aware that maybe not everyone is aware of the difference between a llama and an alpaca, or other exotic things, but really, kittens? I work in international economic development and have worked in Southeast Asia, Latin America, and Africa, and EVERYBODY knows what a kitten is.
        Let's just assume you're a
    • Thank you for the link to Kitten Auth -- I hadn't heard of it, and it looks interesting.

      However, as others have pointed out, even image classification is something that (presumably) algorithms will eventually be able to simulate.

      Therefore, I propose that authentication take advantage of the area where we know (through science fiction, of course) computers will never be able to mimic humans: lust and desire.

      Introduce: Hottie Auth: Click on the picture of the hottest person in the following collage of pict

    • If I had to stare at that many fricking cats just to use a website, I'd take my Web 2.0 business elsewhere.

      Of course, this captcha theory is prone to lots of misses. The person has to know the word and what the animal looks like -- all versions of the animal -- and not get it confused with similar animals. Even the test phase requires that people testing the auth don't confuse a wombat with a squirrel. If most people can't tell the difference, but I can, I lose, because LCD determines whether I'm right or n
  • by eldavojohn (898314) * <eldavojohn@gm[ ].com ['ail' in gap]> on Thursday June 01, 2006 @10:40AM (#15444743) Journal
    I had heard once of a very cunning strategy around captchas. I'm not sure if this is true but there is a story of a p0rn site making large sums of cash by selling key sets to the images. Certain sites would not dynamically generate images but instead rely on sets of images with protected keys as a captcha.

    In order to use the p0rn site he ran, you had to either pay money or spend time identifying captchas. He would then store them in a database and match it up with a checksum of the image. When he had completed a site's captcha key set, he would sell these lookup tables to anyone with money.

    All they then had to do was write their program to do a checksum of the image (or the image itself if he had stored it) and then plug the word from the database into the page for verification.

    With the introduction of splashers that spatter the statically stored images with lines or dots, the image is stored and something like an edit distance is applied to it to find the closest match. Once that is accomplished, it references the keyword out of the database. You turn up the splasher and you risk the user not being able to figure out the word.

    It seems that evil always finds a way. This is why captchas should always be dynamically generated on the fly from a very large dictionary! Check out Securimage for PHP [hotscripts.com].
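An added example (not code from the thread, and not Securimage) of the two attacks described above, the "change one pixel and the hash changes" objection to dupe detectors and the checksum-keyed lookup table with a nearest-match step for splashed images. The renderer, the word list and the images are all constructed here in plain Python so it runs offline; a real static CAPTCHA set would be the site's actual image files.

```python
# Added example (not from the thread): exact checksum vs. a low-pass grid
# fingerprint for recognising static CAPTCHA images, plus the nearest-match
# lookup table the comments describe. Images are constructed here as
# greyscale lists of lists; the renderer is a stand-in, not a real CAPTCHA.
import hashlib
import random
from typing import Dict, List, Optional, Tuple

Image = List[List[int]]      # rows of pixels, 0 = black, 255 = white
H = W = 64
# Constructed stand-in for a site's small, fixed word list.
WORDS = ["kitten", "puppy", "lizard"]


def render_word(word: str) -> Image:
    """Crude stand-in renderer: one dark 3px-wide bar per letter, the bar's
    height derived from the letter. Enough to show the hashing point."""
    img = [[255] * W for _ in range(H)]
    for i, ch in enumerate(word[:8]):
        top = (ord(ch) % 6) * 8
        for y in range(top, H - 8):
            for x in range(2 + 8 * i, 5 + 8 * i):
                img[y][x] = 0
    return img


def with_pixel(img: Image, x: int, y: int, value: int) -> Image:
    """Return a copy with one pixel changed (the 'change one pixel' trick)."""
    out = [row[:] for row in img]
    out[y][x] = value
    return out


def splash(img: Image, rng: random.Random, dots: int) -> Image:
    """Return a copy with `dots` random black dots, like a 'splasher'."""
    out = [row[:] for row in img]
    for _ in range(dots):
        out[rng.randrange(H)][rng.randrange(W)] = 0
    return out


def checksum(img: Image) -> str:
    """Exact SHA-256 over the pixel bytes: any single change alters it."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def grid_hash(img: Image, n: int = 8, m: int = 8) -> int:
    """Average each of the n*m cells, threshold against the global mean and
    pack the bits. Only low-frequency structure survives, so small edits
    (one pixel, a few dots) leave the hash unchanged or nearly so."""
    h, w = len(img), len(img[0])
    cells = []
    for gy in range(n):
        for gx in range(m):
            block = [img[y][x]
                     for y in range(gy * h // n, (gy + 1) * h // n)
                     for x in range(gx * w // m, (gx + 1) * w // m)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def build_table(words: List[str]) -> Dict[int, str]:
    """The attacker's lookup table: fingerprint of each known image -> answer."""
    return {grid_hash(render_word(w)): w for w in words}


def nearest(table: Dict[int, str], img: Image,
            max_dist: int = 10) -> Optional[Tuple[str, int]]:
    """Closest known fingerprint by Hamming distance (the 'edit distance'
    step in the comment), or None if nothing is close enough."""
    fp = grid_hash(img)
    best_fp, word = min(table.items(), key=lambda kv: hamming(kv[0], fp))
    dist = hamming(best_fp, fp)
    return (word, dist) if dist <= max_dist else None


def demo() -> dict:
    base = render_word("kitten")
    tweaked = with_pixel(base, 3, 3, 0)
    splashed = splash(base, random.Random(7), 40)
    table = build_table(WORDS)
    return {
        "checksum_survives_pixel": checksum(base) == checksum(tweaked),
        "grid_hash_survives_pixel": grid_hash(base) == grid_hash(tweaked),
        "splash_distance": hamming(grid_hash(base), grid_hash(splashed)),
        "lookup_after_splash": nearest(table, splashed),
    }


if __name__ == "__main__":
    print(demo())
```

The point a defender should take from running it: the exact checksum breaks on the first pixel edit, but the grid fingerprint does not, and forty random dots still leave the splashed image within Hamming distance of its base entry, so a harvested table keyed on fingerprints keeps working until the distortion is heavy enough to trouble humans too. Generating each image fresh from a large space is what removes the table, not perturbing a fixed set.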
    • I've heard this, too. And in all my, ...erm... research (yeah, that's it!) I have yet to find a porn site that works this way. An interesting idea, but I think this is turning into an Internet urban legend...
    • I spent some time working on an alternative to captcha, I call AOMIS. http://aomis.net./ [aomis.net.] I haven't had a chance to work on it for a while, but the basic idea was, provide a piece of media, the user must identify the content.

      In most cases, it would be an image. So, I might show you a picture of an elephant, and to submit the form, the user would have to enter 'elephant' into the box. Each image would have a number of correct answers to account for common spelling mistakes, and the most common correct r

      • It sounds as broken as every other similar concept.
        - Use different images: Doesn't matter what it shows or whether it describes an abstract concept. The time you use to collect and describe images == the time used to add to DB. Add new pictures every now and then? So the hostile script is alerting the user when a new picture is shown.
        - You change a few pixels: The picture is analyzed on the fly instead of using checksums. Code ready to be taken out of ShowImg [jalix.org].
        - Audiofiles? Time to manually create them =
    • by odyaws (943577) on Thursday June 01, 2006 @11:08AM (#15445078)
      In order to use the p0rn site he ran, you had to either pay money or spend time identifying captchas.
      I saw a talk recently by Luis von Ahn, one of the inventors of the captchas. There were two interesting ways he said people were getting around captchas. One was a real-time approach similar to what you describe. Rather than storing a big database of these things, the bot that was signing up for email addresses or whatever would, upon encountering the captcha, send that image off to someone browsing the porn site (posing as a legitimate captcha - "We need to verify you're a person and not some bot stealing our porn for another site"). In order to continue browsing, the user would have to solve the captcha. Naturally they tend to do this very quickly and accurately :)

      The second approach was simply to set up captcha solving sweatshops somewhere in Asia with cheap labor, with people paid a few cents an hour to sit and solve captchas all day. This brought the cost of a new email address up to something like 1/3 cent, which for many spammers is still a viable price. The cost does limit this approach, though, so the captcha still helps.

      The interesting thing about both of these strategies is that they use humans to solve a problem that is difficult for computers, which is von Ahn's research area - he's also one of those behind The ESP Game [espgame.org] (caution - this can be shockingly addictive). There's essentially nothing that can be done to defeat either approach without also making a system a huge pain in the ass for legitimate users. From this point of view, spending time trying to come up with more advanced captchas is kind of pointless.

    • Let's say you have your super-duper captcha generator where no two are ever alike, and thus can't be indexed. Let's say I also want to crap-flood you with automated posts linking to my product, or just site I want brought forward on Google's index. Think you're safe?

      Hell, let's use Slashdot as an example, since everyone has seen the captchas here.

      It works like this: I'll set up a porn site all right. Gets people's interest easier than anything else. I promise some free porn, or heck, even some links to othe
  • How about "shootcha" - it's a reverse approach; you start out trusting, then use the shootcha approach to punish the abusers.

    I have a patent on it, of course...

  • by joshv (13017) on Thursday June 01, 2006 @10:41AM (#15444761)
    "Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere."

    Hell, that's better than my average. They are getting so cryptic, it seems I get them wrong about 25% of the time these days.

    -josh
  • ..a script might do better.
    • I often fail those Turing tests

      Perfect! How about, to access content or whatever the captchas are guarding, you have to pass a conversational Turing test first? So you'd spend some time chatting with a dude in India, and if he thinks you're human, you're in!

      Of course, it seems that, for most of the people I've talked to for overseas tech support, I'd have failed them if I had administered a Turing test, maybe it's not such a great idea...
  • by Volante3192 (953645) on Thursday June 01, 2006 @10:42AM (#15444777)
    Just throwing this out, but maybe there should be a very basic question asked instead? Since these already presume literacy, maybe something like:

    Which of these is a number: A 2 R P?

    Seems that regardless of what they come up with there's going to be some part of the population that won't figure it out anyway, and if the whole point is to confuse auto-registerers, then I'd think it'd be harder for those to account for every possible question and answer set.

    (Yea, it's in TFA, but mentioned like an aside...)
    • Any sort of critical thinking question, generated in an image, should be sufficient to foil auto-registers until AI progresses enough to make the entire idea pointless.

      Something non-subjective like your suggestion, as long as it is not done in actual text so that the algos can identify keywords.
    • by 93 Escort Wagon (326346) on Thursday June 01, 2006 @11:20AM (#15445246)
      "Which of these is a number: A 2 R P?"

      Or, even better, put it to music - and add a time limit!

      "One of these things is not like the others,
      one of these things just doesn't belong.
      Can you tell me which thing is not like the others,
      before I finish this song?"
    • The problem with that approach is that you can't autogenerate clever questions, so the computer-client can build a database of known answers. You might be able to reword them, at best. Even with procedural rewording, the question may become muddled, or the computer-client could look for keywords for a similar question in its database of known answers.
      • I disagree, I think the question domain space (ie. general knowledge, parametric, etc) is large enough. A few examples have been given in the postings but there are many others and I would think such a system could be maintained over the long run so that as AI+NLP evolves, the questions (or question generating algorithms) could evolve as needed to stay a couple of steps ahead. All the historical & foreseeable future shortcomings of NLP happen to work to this problem's advantage. It's kind of like a sh
    • Which of these is a number: A 2 R P?

      This is slashdot. Everybody counts in HEX.
  • by Speare (84249) on Thursday June 01, 2006 @10:42AM (#15444782) Homepage Journal
    The captcha concept breaks down if the user can't see the image, either through the limitations of their browser (links) or the limitations of their eyes. A US government site would have a hard time justifying captcha in light of their legal and moral responsibilities to the disabled citizenry.
  • There's a crapflooder here on the trolltalk SID who has proven quite nicely that captchas don't, and can't, work.

  • by Sancho (17056) on Thursday June 01, 2006 @10:44AM (#15444799) Homepage
    ...unless you are blind. Some sites have alternate audio versions for the vision-impaired, but it's still a problem.

    And even if you aren't blind, I've run into many a captcha that I couldn't decipher. Poorly designed sites may delete the entire content of your post if you fail the captcha, but I guess that's a design issue for another topic.
    • I think that's a problem. eBay has one that if you don't fill it in quickly enough, they'll say that you entered it incorrectly and you try again. Once, it put me in a loop, making me enter a new one every time and each time, it actually does send the response email, but it doesn't tell me that, so my customer got five copies of the same email.

      Sites should have alternate means, but even the ones that claim to have alternate means never really follow up on anyone.
    • Poorly designed sites may delete the entire content of your post if you fail the captcha

      If it makes you feel any better, most of those women on Yahoo Personals are either Russians looking for American husbands or Bots. So the message you lost wasn't going to that hot, rich, and single girl you thought it was anyway.

      But thanks to recent advances in Captcha defeating technologies, that Bot will soon be sending you a link to a "Live" Cam-Show. So not all is lost.
    • Audio captchas are relatively weak at the moment. I wrote a small script which 'breaks' (recognizes 75%/33% on microsoft's/google's voice captchas). See http://vorm.net/captchas [vorm.net].

      I suspect that all captchas that are harder to break will also be much more difficult to solve for humans. At least for the field I know relatively well, audio.

      For visual captchas I guess the same applies, the better yahoo and microsoft's visual captchas are sometimes unsolvable by (non-alien ;-)) humans.
  • Something got me thinking about captchas ... what was it? ... oh yes it was that article on automated Spamcop submissions the other day.

    No wonder they're a growing irritation. But websites need to know at least something about you. This site is letting me post now because: 1) I'm not going through a proxy 2) I've enabled cookies 3) I have a login. Now most sites I visit, I can't tick any of those boxes. And yes I'll venture over to bugmenot occasionally as well.

    So sites need them. Especially for those f

    • So sites need them.

      Many sites use them although they don't need them. In particular, forums and blogs wouldn't need them if they would simply discard any post containing an offsite hyperlink; allow plaintext URLs, but ban hyperlinks, and the problem disappears. Forum/blog spams always represent an effort to boost the pagerank of some other page, and thus always contain hyperlinks.
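The rule in the comment above ("allow plaintext URLs, but ban hyperlinks") as a pre-submit filter, written here as an added example rather than anything the commenter or any forum software ships. The markup patterns and the sample posts are constructed for the example; a real deployment would use the site's own markup dialect.

```python
# Added example (not from the thread): reject posts that carry link markup
# (HTML anchors, BBCode [url], Markdown links) while leaving bare URLs in
# plain text alone. Patterns and sample posts are constructed here.
import re
from typing import List

# Markup that renders as a clickable link, which is what a PageRank
# spammer needs. A plain "http://..." in text is deliberately not matched.
_LINK_MARKUP = [
    re.compile(r"<\s*a\b[^>]*\bhref\s*=", re.I),                        # HTML <a href=...>
    re.compile(r"\[\s*url\b[^\]]*\]", re.I),                             # BBCode [url] / [url=...]
    re.compile(r"\[[^\]]*\]\(\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I),      # Markdown [text](scheme://...)
]
_BARE_URL = re.compile(r"\bhttps?://\S+", re.I)


def has_hyperlink_markup(text: str) -> bool:
    """True if any recognised link markup appears anywhere in the post."""
    return any(p.search(text) for p in _LINK_MARKUP)


def bare_urls(text: str) -> List[str]:
    """Plain-text URLs, which the policy leaves alone."""
    return _BARE_URL.findall(text)


def moderate(text: str) -> str:
    """'reject' when the post carries link markup, else 'accept'."""
    return "reject" if has_hyperlink_markup(text) else "accept"


# Constructed sample posts for a quick run.
SAMPLE_POSTS = [
    'Buy now <a href="http://example.test/pills">here</a>',
    '[url=http://example.test]click[/url]',
    '[click](http://example.test/)',
    'see http://example.test/page for details',
    'escaped &lt;a href="x"&gt; is just text',
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(moderate(post), "|", post)
```

Two caveats a practitioner would add: the filter only removes the spammer's incentive if the renderer never auto-links bare URLs (otherwise plain text becomes a hyperlink anyway), and it must run on the raw submitted markup, before any sanitiser rewrites or escapes it.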

      • You just hit the nail on the head. Why the hell do you need captcha to prevent spammers from downloading files you're offering to download? At DriverGuide -- a necessary evil for folks who fix computers -- you have to register and then fill out a captcha when you want to download a file. I was at a font site with the same thing the other day, you had to fill out the captcha for each and every file you wanted to download. It's obviously gotten to the point where webmasters use this for no apparent reason other
  • News for Nerds? (Score:4, Informative)

    by Silver Sloth (770927) on Thursday June 01, 2006 @10:46AM (#15444827)
    There's not much here, it's written in the WSJ which means it's in language that my mum would understand, and has precious little in the way of hard facts. For those who can't be bothered to RTFA,
    1. There are things called 'Captchas'
    2. People don't like them
    3. Computers are getting better at cracking them
    4. Some boffins are trying to make new ones which people like and computers don't
    Really, that's all there is.
    • Re:News for Nerds? (Score:5, Interesting)

      by Red Flayer (890720) on Thursday June 01, 2006 @11:01AM (#15444996) Journal
      And yet, the discussion of the article will prove to be much more illuminating than the article.

      What's wrong with an article being a spark for more in-depth discussion? How else are things rarely discussed in the media and never in depth (like most tech topics) going to be discussed on slashdot?

      Sure, I know this post (and the parent) are off-topic, but it bugs me when people think that the purpose of slashdot is just to accumulate articles... that's what RSS feeds are for.

      The discussion is what keeps me coming back, and typically, no matter how moronic the article is, there are several posts that give the kind of information that I wish was included in the article (but isn't). At the very least, people provide links to more comprehensive information and/or discussion of the issues concerned.
  • spammer bounties (Score:2, Insightful)

    by EllynGeek (824747)
    As usual, the problem is approached from the wrong direction. When the dam bursts and the floodwaters cover the town, it's a waste of time to develop bigger and better waders. The correct thing to do is repair the dam. So instead of developing ever more elaborate ways to handle the spam flood, just shoot spammers. Put a cash bounty on them, dead or... dead. Problem quickly solved.
  • I like the example images from TFA. The only one I have a difficult time making out is the Hotmail one. Scattering things around the captcha that closely resemble letters only causes confusion. For instance, should you include the character that looks like an 'L' under the '8'? And is that 'T' sitting on top of a slightly distorted 'J'?
  • Not the point (Score:3, Interesting)

    by Reality Master 101 (179095) <RealityMaster101.gmail@com> on Thursday June 01, 2006 @10:52AM (#15444893) Homepage Journal
    Just as the point of DRM isn't to be completely bullet proof (there's always the analog hole), the point of a captcha is to be enough of a nuisance that someone doesn't spend the time to crack it. Obviously, for a site like Yahoo and its zillions of sites, it pays to spend time breaking the captcha. But for your average site, the captcha just has to be "good enough" such that someone won't bother to write a crack to spam a small fish.
    • Re:Not the point (Score:5, Insightful)

      by Rob T Firefly (844560) on Thursday June 01, 2006 @10:57AM (#15444947) Homepage Journal
      But for your average site, the captcha just has to be "good enough" such that someone won't bother to write a crack to spam a small fish.

      The paradox is, if a site has one that works really well for them, other sites will want to use it as well. As other sites use similar or identical systems, it becomes exponentially more beneficial for crackers to crack. So, as soon as something's good enough to use, it becomes good enough to crack.

  • by Rob T Firefly (844560) on Thursday June 01, 2006 @10:53AM (#15444902) Homepage Journal
    I wondered at the possibility of using a system that would require human intervention rather than AI for some simple reason of observation, like "Type the color of this person's eyes" next to a JPEG. The only downside, is you have to trust the average Internet user's ability to type "blue," so of course that plan goes out the window.

    If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

    • by CohibaVancouver (864662) on Thursday June 01, 2006 @10:58AM (#15444968)
      If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

      Your a looser for even sugesting such a thing!

    • If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."


      If that was the only thing you did, with rotating sentences, a computer would probably beat most internet users, defeating the purpose.

    • Seriously -- think how the quality of users/poster would improve if we replaced captchas with some sort of basic test.

      Maybe like the one they give as an entrance exam for the Marines:

      The door is:

      A) Open
      B) Closed
      C) Not enough information

      Hey, as an ex-Army guy, I'm allowed to give those gyrenes a hard time :-)
    • If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

      If only forums did that... keep out spammers and peeple taht like 2 post in tahrd-speek.

      http://images.slashdot.org/hc/59/0b4e0bc0ee0a.jpg [slashdot.org] voucher, spammers, voucher (do I get my free pr0n now?)! At least these stupid things on /. a) only bug me when I'm not at home and b) are generally easy enough to read that you don't do it six times.

    • And what would happen when the US President visited that site and had to type in there, their or they're.
    • If I wanted to be really sadistic, I could instead present site readers with a sentence, in which they have to fill in either "their," "there," or "they're."

       
      I heard that's the scheme Microsoft originally used for the installation key for the Vista beta but had to abandon it after the third week of nobody being able to install the thing.
  • Are you listening slashdot?
    • I don't mind captchas at all. In fact, myspace is in DIRE need of captchas in several places on their site to stop(or at least slow down) spammers.

      But you want to know horrible anti-spam measures? Look no further than slashdot itself. The numerous ways of obfuscating email addresses require so much effort to decipher that I don't want to bother mailing them. C'mon, backwards text? If it takes longer to decipher it than it is to email a quick question/reply, forget it.
  • 20% error rate (Score:3, Informative)

    by JohnGrahamCumming (684871) * <slashdot@jgc.oELIOTrg minus poet> on Thursday June 01, 2006 @11:00AM (#15444985) Homepage Journal
    One of the things that I'm watching in the error logs of SpamOrHam [spamorham.org] (web site where volunteers sort messages into spam and ham) is the error rate on the CAPTCHA used. Ignoring what appear to be automated attempts to brute-force the CAPTCHA, I see an error rate of around 20% over 100,000s of CAPTCHAs.

    That's amazingly high. 1 in 5 CAPTCHAs are incorrectly entered by humans doing their best to do the right thing.

    No wonder people get mad at them.

    John.
  • Instead of bothering users with jumbled letters, how about they show pictures of rabbits, dogs, knives, spoons, cars, trucks, trees, glasses, lakes, etc.? There's quite a few advantages to the approach:
    - There are tons of pictures of these things floating around
    - they're easy to modify (blur, detour, cell-shade, rotate, mirror, ...) to fool the databanking approach to deciphering them.
    - Getting computers to guess the difference between a dog and cat, while feasible (don't care to fish the link to the pro
  • Server in the Middle (Score:5, Interesting)

    by Doc Ruby (173196) on Thursday June 01, 2006 @11:01AM (#15445002) Homepage Journal
    Captchas are not hard to crack, now that someone has produced my favorite crack strategy. A "man in the middle" attack server hits pages with captcha challenges. That server advertises a "free porn" website, presenting to its human audience the captchas it hit. The porn seeking humans decode and enter the captchas, get the porn (or not), the server sends their entries to the original captcha page, and gets past them as often as humans seeking porn would. There's so many humans seeking porn that the middleman transactions happen in realtime, indistinguishable from direct human responses to the original captcha.

    This is v1.0 of the Matrix, where human brains are harnessed to solve problems by a more powerful and wise, though less "intelligent" computer network.
    • I sense some new job listings on Amazon's Mturk [amazon.com] in 3...2...1...

  • Say you dynamically create a checkbox the user has to check before they can submit the form. I wouldn't think tools that register on sites would be able to break this system, say if you were randomly naming the checkbox and having some sort of validation check to see if it is checked.
  • Easiest way to defeat any captcha: put up a free porn site that requires users to fill out captchas to get in.

    Now, come up with a better way of preventing spam than simply proving that someone is human.
  • poorly designed captcha implementations can be circumvented 100% of the time, without having to use OCR. more info regarding this is available here http://puremango.co.uk/cm_breaking_captcha_115.php [puremango.co.uk] (shameless self promotion - it's my site..)

    also, it's no wonder that people are annoyed by CAPTCHAs - half the time they don't explain why the user has to enter the text, and almost all CAPTCHAs are developed around making the text hard to read. At the moment, it's only a few geeks who have managed to bulk-OCR
  • by erroneus (253617) on Thursday June 01, 2006 @11:16AM (#15445187) Homepage
    ... it is annoying for users. Sometimes I get it wrong because I can't tell if the captcha technique they are using is case sensitive and I can't always tell the case of the character! Sometimes a lower-case L can be confused for a number 1 or vice-versa. So yeah, it's REALLY annoying.

    HOWEVER. A short and simple multiple-choice or true-false quiz might determine with some level of accuracy if the poster is a person or not. Simple stuff like a random image of a sheep, a lion, a bear or a whale with a radio button selection below it. It's easy to run through, it shouldn't require much skill from the user and has the potential to confuse interpreting software a lot more.

    This approach could also even be ENTERTAINING to the user in that funny pictures could be used in the image interpretation drill. Such questions could be "Is this person having a good day?" and you can put all manner of interesting images in there for a true-false scenario. Being an entertaining method will definitely win fans. Being tedious, stressful and mistakable will lose fans.
    • A short and simple multiple-choice or true-false quiz might determine with some level of accuracy if the poster is a person or not.

      Spiro Agnew is
      a. a form of social disease.
      b. a jazz-fusion rock band.
      c. a former Vice President.
      d. the first woman in Congress.

      Making a "Hole in One" is
      a. every golfer's dream.
      b. too dirty to discuss here.
      c. something carpenters do.
      d. best done with scissors.

      My boss is
      a. a jerk.
      b. a total jerk.
      c. an absolute total jerk.
      d. responsible for my paycheck.

      Whips, chains and handcuffs a
  • Sorry, but the CAPTCHA plug-ins I've used with Word Press etc. are *highly* effective. Where people typically screw up in their implementation is to use the default dictionary word list which ships with them. The majority of CAPTCHA-defeating scripts out there today use a dictionary attack rather than successfully deciphering the CAPTCHA image. If one sets the CAPTCHA to generate a string of random letters rather than a word from the stock word list, the amount of comment spam posted drops dramatically.
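Several comments above point at the server side rather than the image: implementations that can be bypassed "without having to use OCR", answers drawn from a stock word list that a dictionary attack covers, and the relay ("server in the middle") attack. The following is an added example, not code from any plugin mentioned in the thread, of the server-side half of a CAPTCHA written to close the first two: each challenge is bound to one session, expires, is consumed on first use whatever the outcome, is compared in constant time, and its answer is a random string from a 32-symbol alphabet rather than a dictionary word. Class and function names, the TTL and the alphabet are this example's own choices.

```python
# Added example (not from the thread or any named plugin): server-side
# CAPTCHA challenge state with session binding, expiry, single use and a
# random-alphabet answer, plus the answer-space arithmetic behind the
# "random letters beat a word list" observation. Names and parameters
# are assumptions of this example.
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# 32 symbols; ambiguous glyphs (0/O, 1/I/l) left out to spare human solvers.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    answer: str
    session_id: str
    expires_at: float


class CaptchaStore:
    """Server-side challenge state. The answer never leaves the server;
    the client only sees an opaque challenge id and the rendered image."""

    def __init__(self, ttl: float = 120.0, length: int = 6,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._length = length
        self._clock = clock          # injectable for testing expiry
        self._store: Dict[str, Challenge] = {}

    def issue(self, session_id: str) -> Tuple[str, str]:
        """Create a challenge for this session. Returns (challenge_id, answer);
        the answer goes to the image renderer only, never into the page."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
        challenge_id = secrets.token_urlsafe(16)
        self._store[challenge_id] = Challenge(answer, session_id,
                                              self._clock() + self._ttl)
        return challenge_id, answer

    def verify(self, session_id: str, challenge_id: str, submitted: str) -> bool:
        """Single-use check: the challenge is removed before any comparison,
        so a failed, expired or foreign-session attempt also burns it."""
        ch = self._store.pop(challenge_id, None)
        if ch is None:
            return False                      # unknown or already used
        if ch.session_id != session_id:
            return False                      # issued to a different session
        if self._clock() > ch.expires_at:
            return False                      # stale: narrows any relay window
        # Case-insensitive (users cannot tell case in distorted glyphs),
        # constant-time comparison.
        return hmac.compare_digest(ch.answer.lower(),
                                   submitted.strip().lower())


def dictionary_space(word_count: int) -> int:
    """Answer space when answers come from a word list."""
    return word_count


def random_space(alphabet_size: int, length: int) -> int:
    """Answer space for random strings over the alphabet."""
    return alphabet_size ** length


def expected_guesses(space: int) -> float:
    """Mean number of blind guesses to hit one answer, uniform over the space."""
    return (space + 1) / 2


def entropy_bits(space: int) -> float:
    return math.log2(space)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue("session-demo")
    print("first attempt:", store.verify("session-demo", cid, answer))
    print("replay:", store.verify("session-demo", cid, answer))
    print("word list of 1000:", expected_guesses(dictionary_space(1000)), "guesses")
    print("6 random symbols:", expected_guesses(random_space(len(ALPHABET), 6)), "guesses")
```

What this does and does not buy: single use stops a solved challenge id from being submitted more than once, session binding stops an answer harvested through one session from being used in another, and the random alphabet turns a few hundred guesses into about a billion, which makes per-session rate limiting on issue() and verify() effective. It does not defeat a live relay of the kind described elsewhere in the thread, since the relay holds the session itself and forwards the human's answer inside the TTL; the TTL only shortens the window.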

  • In my Word Press I avoid Captcha because it is implemented badly in most cases. People shouldn't have to type more than 3 characters, there must be a way to conceal the appearance, and subsequently approve an IP address to always post.

    I use Akismet spam filter instead, and it's blocked 780 so far, and has false positived 4 comments, and missed about 4.
  • In the end, captchas are obnoxious for legitimate end users, while only providing temporary relief from spammers. The spammers can and will find ways around the captchas, which may include more sophisticated OCR algorithms, but also other solutions such as the manually created lookup tables that were mentioned earlier.

    Other ways need to be found to distinguish humans from spammer's bots.

  • I did my undergrad thesis on reverse Turing tests (a family which CAPTCHAs are part of). Here are the main categories I could identify which can be utilized to effectively and (hopefully) easily prevent automation:

    1. Text based passwords
    Pro: People are used to them, quick-n-easy
    Con: Subject to brute force attacks, trivial to automate a login once you have the password
    2. Graphical passwords
    Pro: Can use a larger set of images than characters, easy to remember
    Con: time consuming, can only present a small set o
  • Why not present the user with a "concentration" type puzzle?
  • animated gifs? (Score:3, Interesting)

    by psbrogna (611644) on Thursday June 01, 2006 @12:30PM (#15446052)
    In response to the people asking about animated gifs, I think they could be algorithmically defeated. However, what about something requiring mouse movement? For example, using a mouse gesture as an unlocking code. A text (or audio) cue to the user to do something with the mouse. The above wasn't my first thought after answering the animated gif question. But it followed from the first thought; instead of animated gifs, what about the Apple Quicktime things that allowed you to move the mouse to view a 3d scene? The entire scene wouldn't be visible and would require mouse movement to view the scene enough to answer the question. Obvious problems- hard to generate. But a mouse gesture based unlocking? Isn't that doable?
    • Re:animated gifs? (Score:3, Interesting)

      by AnalystX (633807)
      'However, what about something requiring mouse movement?'

      I have something like that. In fact, it's a part of a three tier security measure I came up with last year. Having spent a lot of time programming A.I. and automation routines in the past, I realized there was a class of processes that could be guaranteed to work against automated spammers. One tier involves recognizing patterns of movement between fields on a form and data entry patterns. There is usually a very unique pattern to the way a human
      • A bit more technical than I was thinking ... but I get your drift. I'd love to see an error message, "I'm sorry, this site is not convinced you're human. Could you fill the form out a little slower?"

        I was thinking more along the lines "move the mouse in a circle", or "complete the following mouse gesture, L-L-R-U-D" (could even use randomly stylized arrows as a layer of obfuscation)

        • '"I'm sorry, this site is not convinced you're human.'

          That's certainly the general idea. Keeping track of the time taken to fill out a form is one angle, but for registration forms that are generic enough for browser auto-completion, that defeats a useful time saver for users. I prefer having the computer determine through studying the user's input patterns (and yes even browser auto-completed forms will pass the test) whether the user is human or not, rather than instruct the user to do crazy things.

      • I just had a horribly comic vision of a new class of biometric (maybe anthropological) authentication... I won't elaborate but I just know I'm not going to be able to get the "hokey pokey" tune out of my head for the rest of the day.
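The "study the user's input patterns" idea from the subthread above, as an added example that is not code from any of the posters. It assumes a hypothetical client-side script that records focus, keystroke, mouse-move and submit events (timestamps in milliseconds since the form was rendered) and posts that event log alongside the comment; the server-side scoring below, the thresholds, and the three constructed sessions are mine. Keystroke content is never recorded, only timing, so the log carries no password or comment text.

```python
"""Behavioural bot scoring for a comment form (added example, not from the thread)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    t_ms: int        # milliseconds since the form was rendered (hypothetical client clock)
    kind: str        # "focus", "key", "mouse" or "submit"
    field: str = ""  # form field name for focus/key events, "" otherwise


MIN_FILL_MS = 1500   # assumed floor: even a fast human needs this long on a comment form
MAX_KEY_CV = 0.15    # assumed ceiling: typing rhythm more regular than this looks scripted
BOT_THRESHOLD = 2    # one signal alone is weak evidence (fast typist, autofill); two or more is not


def key_interval_cv(events):
    """Coefficient of variation of the gaps between keystrokes; None if too few keys to judge."""
    times = sorted(e.t_ms for e in events if e.kind == "key")
    if len(times) < 4:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return 0.0 if avg == 0 else pstdev(gaps) / avg


def score_session(events):
    """Return {'bot': bool, 'reasons': [...]} for one recorded form-fill session."""
    events = sorted(events, key=lambda e: e.t_ms)
    reasons = []

    # Signal 1: total time between render and submit.
    submits = [e for e in events if e.kind == "submit"]
    if not submits:
        reasons.append("no submit event recorded")
    elif submits[0].t_ms < MIN_FILL_MS:
        reasons.append(f"submitted after {submits[0].t_ms} ms (< {MIN_FILL_MS})")

    # Signal 2: a script that POSTs directly produces no pointer or focus events at all.
    # Browser autofill still produces at least one focus/click, so it is not caught here.
    if not any(e.kind in ("mouse", "focus") for e in events):
        reasons.append("no pointer or focus interaction at all")

    # Signal 3: machine-regular inter-keystroke timing.
    cv = key_interval_cv(events)
    if cv is not None and cv < MAX_KEY_CV:
        reasons.append(f"keystroke timing too regular (cv={cv:.2f})")

    # Signal 4: keystrokes arriving in a field that was never focused (values injected by script).
    focused, unfocused_typing = set(), set()
    for e in events:
        if e.kind == "focus":
            focused.add(e.field)
        elif e.kind == "key" and e.field not in focused:
            unfocused_typing.add(e.field)
    if unfocused_typing:
        reasons.append("keystrokes in never-focused field(s): " + ", ".join(sorted(unfocused_typing)))

    return {"bot": len(reasons) >= BOT_THRESHOLD, "reasons": reasons}


# Constructed sessions (not real traffic): a person typing, a script posting, and browser autofill.
HUMAN_SESSION = [
    Event(400, "mouse"), Event(900, "focus", "name"),
    Event(1200, "key", "name"), Event(1370, "key", "name"), Event(1490, "key", "name"), Event(1800, "key", "name"),
    Event(2300, "mouse"), Event(2400, "focus", "comment"),
    Event(2700, "key", "comment"), Event(2810, "key", "comment"), Event(3100, "key", "comment"),
    Event(4200, "submit"),
]
BOT_SESSION = [Event(50 + 50 * i, "key", "comment") for i in range(8)] + [Event(600, "submit")]
AUTOFILL_SESSION = [Event(700, "mouse"), Event(1100, "focus", "name"), Event(1150, "mouse"), Event(2600, "submit")]

if __name__ == "__main__":
    for name, session in (("human", HUMAN_SESSION), ("bot", BOT_SESSION), ("autofill", AUTOFILL_SESSION)):
        print(name, score_session(session))
```

Two caveats a practitioner would add: a visitor with scripting disabled sends no events at all and would trip two signals, so the form still needs a non-JavaScript fallback (which is the same accessibility concern raised elsewhere in this thread); and a spammer who reads the heuristics can replay a recorded human session, so this raises the cost of automation rather than guaranteeing a human.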
  • Create a captcha that relies on a currently unsolved problem of computing (such as interpreting scratchy audio into words) and see what technology is hacked together to get past it.
  • My solution is simple. It also defeats the "porn server in the middle" attack. Assuming the page is in English, just ask a random English language question about the banner ad at the time of the page. You "kill two birds with one stone" by getting people to prove they are human and read the ads at the same time.

    This should work fine for all users that don't block banner ... uh ... never mind.

  • My own weblog was recently hit by comment spam. I was extremely irritated, and initially considered captchas as a potential solution. But several problems with captchas ultimately led to me seeking alternate solutions.

    The first problem with captchas is the barrier it puts up, however small, between you and the users of your site. Apologies for the corny analogy, but captchas are a speedbump on the information superhighway. People hate running into them.

    The impediment to visually disabled users is also a big one to consider. It's not just fully blind people. People can be shortsighted, colour blind, dyslexic or perhaps simply shortsighted users relying on specialist software to read your website. You're letting these people down by adopting this practice and that's something I would really feel bad about doing.

    But the biggest reason not to use captchas is spammers' increasing abilities to interpret them. At even a five percent success rate in interpreting captchas, a spammer can bombard your site with requests and still get something through. They're just using the same model as they did with email, and it will work.

    Instead I chose some other plugins available for Wordpress to help with the spam. Akismet [akismet.com] sounds like it could work as a kind of distributed spam check/blacklist of sorts, though I am wary of the fact that a private company is running the service. I also installed Bad Behaviour [homelandstupidity.us], though it's clear that eventually some spammers will adapt their behaviours to this.

    Ideally what I'd like is a true bayesian comment spam filter plugin for WordPress, but so far I haven't been able to find one. Such filters have done wonders for me in Thunderbird for my email spam, with something like a 99.99% success rate and no false positives. Clearly the situation is quite different with comment spam, but all the same it would be nice to have one.

    I envisage that the comment spam situation will get a lot worse as time goes by, regardless of any pagerank type algorithm changes. Comment spam will no doubt become as ubiquitous as regular spam and I can foresee dozens of "splog" posts per day in the not too distant future. My opinion is that blog software should come with robust, adaptable and self updating anti-spam software on by default before this problem escalates out of control.
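The bayesian comment spam filter the post above wishes for, as an added example that is not the poster's code nor any WordPress plugin: a multinomial naive Bayes classifier with Laplace smoothing, trained on a constructed eight-comment corpus (four spam, four ham) that stands in for a blog's own moderation queue. The `__url__` token is my addition, a synthetic feature counting links, since links are what comment spam exists to place. Retraining it from the site's own approved/rejected comments is what makes it "adaptable and self updating" in the sense the post asks for.

```python
"""Naive Bayes comment spam filter (added example, not from the thread or any plugin)."""
import math
import re
from collections import Counter

URL_RE = re.compile(r"https?://\S+")
WORD_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lowercased word tokens plus one synthetic __url__ token per link in the comment."""
    tokens = WORD_RE.findall(text.lower())
    tokens.extend("__url__" for _ in URL_RE.findall(text))
    return tokens


class NaiveBayesCommentFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        """Feed one moderated comment back in; call this from the approve/reject action."""
        tokens = tokenize(text)
        self.word_counts[label].update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def _log_posterior(self, tokens, label):
        counts = self.word_counts[label]
        denom = sum(counts.values()) + len(self.vocab)   # Laplace smoothing over the vocabulary
        ll = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            ll += math.log((counts[tok] + 1) / denom)     # unseen words get count 0, never log(0)
        return ll

    def spam_probability(self, text):
        """P(spam | comment), computed in log space to avoid underflow on long comments."""
        tokens = tokenize(text)
        ls = self._log_posterior(tokens, "spam")
        lh = self._log_posterior(tokens, "ham")
        m = max(ls, lh)
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training corpus (not real comments): what a small moderation queue might contain.
TRAINING = [
    ("buy cheap viagra online http://pills.example", "spam"),
    ("cheap pills online click here http://pills.example", "spam"),
    ("free casino bonus click here", "spam"),
    ("cheap mortgage rates click now http://loans.example", "spam"),
    ("great post thanks for sharing", "ham"),
    ("I disagree with your second point about captchas", "ham"),
    ("thanks this fixed my wordpress install", "ham"),
    ("interesting analysis of the comment spam problem", "ham"),
]


def build_demo_filter():
    f = NaiveBayesCommentFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for comment in ("cheap pills click here http://x.example", "thanks for the interesting post"):
        print(f"{f.spam_probability(comment):.4f}  {comment}")
```

With eight training comments the probabilities are extreme (well above 0.99 for the spam example, well below 0.1 for the ham one) because almost every token is seen in only one class; a real queue has far more overlap, which is where the threshold and the retraining loop earn their keep. Treat a score near the threshold as "hold for moderation" rather than a hard reject, which is the false-positive case the post is worried about.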
  • by hyperizer (123449) on Thursday June 01, 2006 @04:51PM (#15448574)
    I got one from LinkShare once that said "r A p e." It was pretty disconcerting. I should have taken a screenshot.
