Next-Generation CAPTCHA Exploits the Semantic Gap

captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.

Too hard.

[Whiney Mac Fanboy]

The general public will not know what "geometric" means*.

This Captcha suffers from the same old problem. As Captchas get harder more humans will fail them.

*or annotate... or centre

Blind people?

[tepples]

As Captchas get harder more humans will fail them.

And as the population of the Internet grows, more blind and hard-of-sight people will be using the Internet, and they will fail visual tests deployed by web site operators who don't bother to deploy a decent audio test.

Re:

[Ngarrang]

The blind and hard-of-sight have always been poorly served by what is a very visual medium. I don't think will be changing anytime soon. And for that matter (and this may across harsh), I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

The cost of being all-inclusive can be too high for some budgets.

Re:Blind people?

[Anonymous Coward]

Do we lament that the blind and h-o-s cannot drive?

The difference is that the web consists mainly of textual information that blind people can use.

The cost of being all-inclusive can be too high for some budgets.

The same could be said for supporting minor browsers, such as Safari.

Re:

[gnick]

The same could be said for supporting minor browsers, such as Safari.

I believe that's why many web pages don't bother testing for compatibility with minor browsers, such as Safari.

Some sites (www.google.com, slashdot.org) can be adapted for use by the blind, so the admins need to consider them when incorporating a captcha. Others (images.google.com, www.hotmonkeylove.com) are inherently based for people with normal vision, so these image based captchas should be just fine.

Re:Blind people?

[Bastard of Subhumani]

The difference is that the web consists mainly of textual information that blind people can use.

Only a blind person could be unaware that 99.99% of the intarwebs are composed of pr0n.

Re:Blind people?

[$rtbl_this]

Oh, they're aware. How do you think most of them got to be blind?

Re:Blind people?

[csnydermvpsoft]

The blind are able to use braille displays and screen readers to access well-designed sites. The whole point of CAPTCHAs, however, is to have images that computers are unable to read. Accessible design and CAPTCHAs have exactly opposite goals.

The Internet is becoming much too important to leave a significant amount of the population (pardon the pun) in the dark. We have the technology to help the blind navigate web sites independently. Unfortunately, CAPTCHAs are hindering much of that progress.

Re:Blind people?

[Ngarrang]

csnydermvpsoft wrote, "The Internet is becoming much too important to leave a significant amount of the population (pardon the pun) in the dark. We have the technology to help the blind navigate web sites independently. Unfortunately, CAPTCHAs are hindering much of that progress."

No, spammers are. The root problem of this "solution" is the spammers, who do not care our personal feelings of privacy. They don't care that their messages cause everyone else's costs to rise.

Without CAPTHA technology, none of the web mailers would be usable, as they would all be blocked by every known blacklist.

For this reason, I think the penalties for convicted spammers should be far higher than what they are now. Their actions are subverting the ease of use for a very large group of people.

Re:Blind people?

[jackb_guppy]

CAPTHA are already dumping people with color issues, not blind but do not have the ability to perceive color differences.

Others are using letters / numbers that after distortion could be a,d,9,g for example.

Personal, I give a site two tries before I give up and dump them.

Re:

[CogDissident]

Because, you know, its not as if spammers are from serbia and nigeria, where there are already such tough laws against spamming.

I know I've said this before, but american spammers are the equivalent of the short-bus kids. They think they're doing well, but they are actually being rather ineffective and risking their necks when they don't have to.

Re:Blind people?

[nickos]

I had the same problem, and I was able to solve it in 2 steps.

1. Strip links from messages. The spammers are trying to game Google's (and other search engine's) page ranking, and they can't do this if you don't allow them to post links. The incentive to spam your site has now gone.

2. Insert some primitive captcha. In my case this was just a question asking the user to add 2 small numbers together. The reason this step was necessary was because despite implementing step 1, I was still getting a huge amount of automated spam from spam bots which didn't realise there was no point in spamming my site. Once a human spammer realises you've added captcha he'll come and have a look to see how easy it is to circumvent (very easy in my case). However after running a test personally he'll see there's no point and (hopefully) remove you from his list of sites to spam.

Hope that helps anyone reading this...

Re:

[Maestro4k]

1. Strip links from messages. The spammers are trying to game Google's (and other search engine's) page ranking, and they can't do this if you don't allow them to post links. The incentive to spam your site has now gone.

This is exceedingly wishful thinking on your part. We already see sites that strictly add the nofollow to all links in comments so that any URLs in said comments are completely useless for building page rank and yet the spambots still deluge the sites with spam on a constant basis. (Or at least attempt to.) I've seen the same thing happen on sites that do exactly what you suggest. You see spambots trying to use BBCode to link URLs in places that obviously don't use it, and so on. Spambots are automat

Re:Blind people?

[ultranova]

The blind are able to use braille displays and screen readers to access well-designed sites. The whole point of CAPTCHAs, however, is to have images that computers are unable to read. Accessible design and CAPTCHAs have exactly opposite goals.

No, the point of a CAPTCHA is to have a test which a human can pass easily, but a computer can't. Most current CAPTCHAs are image-based, since that is simple to implement, but this is by no means a requirement.

Re:Blind people?

[Kam Solusar]

According to Wikipedia [wikipedia.org]: In November 2004 article Magnitude and causes of visual impairment, the WHO estimated that in 2002 there were 161 million (about 2.6% of the world population) visually impaired people in the world, of whom 124 million (about 2%) had low vision and 37 million (about 0.6%) were blind.

Re:Blind people?

[iangoldby]

I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

I think that's a pretty outrageous attitude.

Think about it. What is the cost of making a car that a blind person could drive? Prohibitive, I suspect. Given the current state of technology it may not be quite possible even (though we could pay for human chauffeurs if we were really determined).

What's the cost of making a printed newspaper accessible to a blind person? Quite high I suspect. The technology to read shapes on a page and convert them to something the blind person can read or listen to is not straighforward.

What's the cost of a system that allows a blind person to access text stored electronically on a computer? Pretty-much negligible.

The thing is, the web should be a superb medium for making its content accessible to practically everyone. The information is already in a form that computers can manipulate easily.

If you use HTML as it was designed to be used, there is no additional cost in making it accessible.

Come on people, this is not rocket science! Here we have a golden opportunity to make, for practically no additional cost, something that can be accessed by everyone. It's not like designing a driverless car, or backfitting access ramps and lifts to historic buildings. Why on earth wouldn't we do this?

</rant>

Re:Blind people?

[phoenixwade]

I don't if it should be a concern. Do we lament that the blind and h-o-s cannot drive?

I think that's a pretty outrageous attitude.
{SNIPPED}
What's the cost of a system that allows a blind person to access text stored electronically on a computer? Pretty-much negligible.

Here is where you fail to understand the problem.
    First, creating content is not negligible in cost.
    Second, creating an interface to deliver the content is not Negligable in cost.
    Third, Actually delivering the content to the masses isn't negligible in cost either.
    Fourth, as has been pointed out in other comments and in the article, the problem involves the creation of a technology that will allow your audience to access the content/service you are providing, while simultaneously preventing the use of automated systems to exploit your services by appearing to be your audience (i.e. a Human), because the failure to do so means that you may lose the entire technology, or at the very least render it substantially less useful and more expensive. Email, for example, is only being used 5% of the time as intended, the other 95% being spam (As seen on /. recently)

The thing is, the web should be a superb medium for making its content accessible to practically everyone. The information is already in a form that computers can manipulate easily.

If you use HTML as it was designed to be used, there is no additional cost in making it accessible.

AH! Now I understand! You are in the wrong conversation and didn't realize it.

if you are using HTML only, the whole captcha debate is meaningless for you. HTML is designed for PUBLISHING information, captcha applies to web based applications that HTML is only a SMALL part of. After all, the only interactive part of HTML are the form elements. Since YOU aren't actually doing anything with the posted form information, YOU have no need for security and little to no need to verify that the entity on the other end of that pipe is a human, spyder, or spambot.

However, some of us do create applications that need to know this, because we want to provide services for actual humans, but do not want to provide another place for spambots to send out their crap.

Re:

[Richard W.M. Jones]

Email, for example, is only being used 5% of the time as intended, the other 95% being spam

CAPTCHAs are a strange way to solve the problem anyway. A lot of spammy accounts (particularly wiki spam accounts) are signed up by humans.

The thing is though that spammers have to access the net from an IP address. Sure, they use grandma's compromised computer so they effectively have thousands of IPs, but they still access from an IP. So score the IP addresses. When spam comes from them, knock them dow

Re:

[iangoldby]

Here is where you fail to understand the problem.
First, creating content is not negligible in cost.

But the cost is the same whether you are making it accessible or not.

Second, creating an interface to deliver the content is not Negligable in cost.

But the cost is the same whether you are making it accessible or not.

Third, Actually delivering the content to the masses isn't negligible in cost either.

But the cost is the same whether you are making it accessible or not.

In case yo

Regarding your sig

[spun]

I can already see how this is going to go.

"You stole my sig!"
"No I didn't."
"Yes you did, it's exactly the same as mine!"
"No it isn't."
"Yes it is!"
"No it isn't. Look, mine is in two lines."
"That hardly makes a difference."
"Yes it does!"
"No it doesn't."

Re:

[poetmatt]

The few times I've seen a different scenario is where they have an option of listening to an audio version of whatever word they produce in the captcha.

In the defense of many, I've seen some captcha's so distorted that I can't even make out the damn words/letters within it. I welcome a new method like this, but I'm suspecting that it will eventually be beaten as well.

Re:

[Darundal]

Yeah, anyone try to pull anything off of rapidshare recently? I am not hard of sight, blind, or colorblind, but have yet to been able to *LEGITIMATELY* download anything off their service because of their captcha.

Re:

[Yvan256]

You may perceive the Web as a "visual medium", however technically the information is zeros and ones stored in files on a server.

You can see? Fine, your browser renders that information as text that you can read on your screen.

You can't see? Fine, your browser renders that information as speech that you read hear via your speakers/headphones.

Re:

[rapiddescent]

The blind and hard-of-sight have always been poorly served by what is a very visual medium.

This is not true, I once worked for a genius of an architect at a very large organisation - he was blind and told me that the web had opened up whole new avenues of access to research material that was not available as braille from the library etc. he used to clatter away on a braille 'screen' accessing google and so on.

I've said it on slashdot a few times, but I had to change a large banking authentication system in the UK from using CAPTCHA because the RNIB basically said that any large UK company

Re:

[TapeCutter]

"In what sense is driving comparable to web browsing?"

Far to many 'drivers' think they can do whatever they like as long as they don't get caught. As other have pointed out - spammers are the root cause. OTOH: The arms race has created some interesting technology.

Don't forget users of lynx

[Nursie]

It annoyed me mightily the day slashdot introduced captchas for comments when you weren't already logged in. And somehow broke the login process from lynx.

Lynx is the geek slacker's greatest tool, when run in an ssh session from your home server, not only is the traffic unloggable (except for "he's calling home a bit") but it even looks like work to the uninitiated.

Re:

[Nursie]

Well of course that's an option, but it doesn't look much like work, does it? One can only spend so long browsing the web openly during work time...

Re:

[Nursie]

To be completely fair, it's become a non issue of late because something truly weird has happened - I'm atually motivated and not spending so much time trying to get away with doing other things. So I've given up on Lynx too.

My point kinda still stands, I'm sure there are people in the world who still use it. It's good for cutting bandwidth usage down to almost zero too.

Re:Don't forget users of lynx

[mpeg4codec]

FWIW you don't need a dedicated HTTP proxy, as SSH has a built-in SOCKS proxy. Try it out some time: ssh -D 1080 remote.tld and configure your browser of choice to use SOCKS on localhost port 1080. For other apps that don't have native support for proxying, check out proxychains (on Unix). Not only great for browsing at work, but also a godsend for unsecured wireless nets.

Re:

[The Ancients]

The general public will not know what "geometric" means*.

This Captcha suffers from the same old problem. As Captchas get harder more humans will fail them.

*or annotate... or centre

If this is the case, do the captchas have the issue, or does humankind?

Re:Too hard.

[Smidge204]

Definitely the human's problem, although presumably if a human is smart enough to make it then a human is smart enough to figure it out...

To be optimistic, I actually like to think of it the other way around:

CAPTCHAs are providing a valuable evolutionary pressure on machine vision/artificial intelligence development!

=Smidge=

Re:

[cp.tar]

To be optimistic, I actually like to think of it the other way around: CAPTCHAs are providing a valuable evolutionary pressure on machine vision/artificial intelligence development!

... so when the machines decide to exterminate us, camouflage clothing will be of no use to us.

Welcoming our seeing and intelligent machine overlords seems futile. We will be exterminated.

Thanks. Now I'm depressed.

/me goes off to his Computational Linguistics class. Guess the overlords will understand language as well.

Re:

[gnick]

Manatees look a little silly too...

Re:

[T-Bone-T]

I noticed RapidShare has a new CAPTCHA involving writing only the letters and numbers that have a cat in a certain pose and the rest of the letters have a cat in a different pose. The letters were very distorted and the cats were on top of the letters or underneath. It was actually a little bit challenging.

Re:

[A Friendly Troll]

It's just the beginning; it's going to get worse as they become more aggressive. RapidShare wants your money, simple as that, and rest assured that the frustration with discerning those silly cats and dogs _will_ make some people pay.

The only challenge is how to get you to pay. :)

Re:

[makomk]

Exactly. IIRC, if you get the CAPTCHA wrong, they make you go through the entire two-minute waiting period again (and the message displayed tells you that you can skip the CAPTCHA by paying). Then, half the time, they then tell you that you've tried too many times and should try again later - but only after you've waited two minutes. Oh, and I suspect that entering the CAPTCHA too long after it's first displayed counts as a failed attempt for the "tried too many times" logic.

The whole thing is cleverly d

Re:Too hard.

[MichaelSmith]

The general public will not know what "geometric" means*.

This Captcha suffers from the same old problem. As Captchas get harder more humans will fail them.

*or annotate... or centre

Soon we will welcome computers to our online forums for their insightful, informative and interesting comments. The CAPTCHA will be there as an initial filter on the quality of posters. It will exclude stupid computers and stupid people.

Re:

[morgan_greywolf]

The general public will not know what "geometric" means*.

Oh, gimme a freaking break. I am sooooo sick of everyone worrying about pandering to the lowest common denominator. But I have a solution to this particular problem.

Here's my plan: cleanse the gene pool. We'll just eliminate warning labels from everything and when the stupid freaking idiots fry themselves blow-drying their hair in the bathtub because there was no warning label on the hair dryer saying "WARNING: RISK OF DEATH!!! DO NOT USE IN O

Re:

[jo42]

The politicians won't like that one bit - as it would reduce the tax base by about 95%.

Re:

[endersshadow7]

I've used the Asirra Project [microsoft.com] for about a year now on my site with fantastic results. I've had absolutely 0 bot registrations, when I was getting 10-20 a week with the old CAPTCHA. Given all the press CAPTCHA's have been getting lately, it makes me wonder why more people aren't implementing something of this nature.

Re:

[LunaticTippy]

If Asirra became the dominant CAPTCHA the spambots would adapt to it. There is something to be said for using an unpopular CAPTCHA and not telling anyone about it.

Re:

[mdmkolbe]

That is a cool project, but in all fairness that CAPTCHA probably works for the same reason "the Mac has no viruses". That is, it is so little used that spammers have focused their efforts on bigger targets. Thus an inherently less secure system can be less likely to be broken.

As as example, since the Asirra project takes its photos from Petfinder.com, all a spammer has to do is scrape all the Petfinder photos and categorize them by what words (e.g. "cat" vs "dog") are near by in the HTML. Once this d

Re:

[ronanbear]

Half the problem is the over-reliance on Captchas. Most of the cracks work by educated guessing and have large error rates. This fact could be exploited by the webmail companies. Additional Captchas for sending suspicious messages (lots of messages) and early activity.

That a Captcha is the only thing standing between a gmail account and the ability to send large numbers of spam messages is more of the problem. Run the spam filters on outgoing messages and delay some of them to give time for the new address

curses...

[Anonymous Coward]

It's already spotted that I am a computer and it won't even load.

worthless

[tritonman]

who needs to write CAPTCHA exploits when you can just hire 50 chinese kids for 3 cents per day to create email accounts and send spam out for you?

Re:worthless

[Mipoti Gusundar]

you can just hire 50 chinese kids for 3 cents per day

If is really being true that they can be cutting us under by fifety percents then fine hai-tech industry of my dear INDIA is doomed. Ah well, nice while was lasting. Perhaps my medical degree is being useful after all!

This is where it falls apart...

[Joce640k]

Pretty soon they'll just set up a "free porn" site - free access so long as you solve a captcha to get in.

It's been threatened and talked about before, all it needs is something "unbreakable" like this to actually make it happen.

Re:

[xaxa]

Pretty soon they'll just set up a "free porn" site - free access so long as you solve a captcha to get in.

It's been threatened and talked about before, all it needs is something "unbreakable" like this to actually make it happen.

It's already happening: http://news.bbc.co.uk/1/hi/technology/7067962.stm [bbc.co.uk]

Lyrical Response Mechanism

[FurtiveGlancer]

Why don't we take a note from TV and have the user sing the missing lyrics of a classic hit. Even if they don't pass, it will make for much more fun around the computer, especially at the office.

Re:Lyrical Response Mechanism

[CSMatt]

Until the user gets subpoenaed by copyright holders.

Then it will be hilarious.

Re:Lyrical Response Mechanism

[Daimanta]

I'll start. Finish this:

"Never gonna give you up"...

Re:

[jimicus]

"Never gonna give you up"...

Never wanna make you cry
Never gonna give you up
Never gonna say goodbye

Start Talking Love, Magnum

Re:

[19thNervousBreakdown]

I'm never, ever gonna stop
Not the way I feel about you
Girl, I just can't live without you

Re:

[19thNervousBreakdown]

Ain't never gonna let you down babe
Ain't never gonna give you up
Hey hey hey hey
Yea yea yea
Ain't never gonna give you up
Yea yea yea
Ain't never gonna let you down

Re:

[esocid]

I can name that tune in three notes!

It's still trivially crackable.

[Jason1729]

All they need to do is offer free porn to people who solve the captchas and embed the captcha in their site. It doesn't matter how sophisticated the test is or hard it is for a machine to do it, they all have that fatal flaw.

Then there's also the option of paying Warcraft gold farmers to solve captchas and take a break from the game.

Re:

[Arancaytar]

Trivia questions. Most internet communities are dedicated to some kind of specific topic. Even someone who is unfamiliar with the trivia can use Google, which the machine cannot.

(Also, said trivia questions will be applicable only to one specific site, so it would never pay for the spammers to build a database of them.)

Re:

[Jason1729]

If it's easy enough to google for, anyone can find it as easily as a noob who would be a valid forum user. It would also be a major impediment for legitimate users, they would suffer much more than cheap labour with access to google.

Re:It's still trivially crackable.

[apoc.famine]

That was our solution to spambots on our small (12 active people or so) forum. We used very forum-specific questions to allow registration, and only registered users can post. If someone can't answer the questions, they aren't into the subject enough that we would want them there discussing it. Or they're a spammer, and don't know that the proper answer to the "what would you like to do to a spammer" question is the answer which is exceptionally painful.

But really, as long as you have an authentication method which is significantly hard/unique, you'll be safe. Spamming is a "low hanging fruit" operation. Quantity over qualify, 90% of the time. In fact, the answer to killing off spambots might very well be everyone designing their own authentication. Right now, there are a half-dozen major ones. Crack one, and you have access to millions of places. If instead there were thousands, the time required to break one would not necessarily be worth the money you could get from doing it.

Our forums are not worth programming the automated bots to crack, so we're 100% spam free now, for the first time in a few years. It's not a hard authentication - just different from 99.9% of the rest of them. Hell, most people could answer "what color is this page", even if they had to look at the raw html and google the color hex. But for one page, it's not worth programming a bot to do. Unique authentication methods will kill spambots.

Slashdotted

[Icarus1919]

Slashdotted already.

speach synthasis.

[oliverthered]

It should be fairly easy to write an audio CAPTCHA you just have to get someone to read some text. Computers are very poor at speech synthesis at the moment.

Re:

[pipatron]

What about a reversed turing-test. You have to chat with a bot, convincing the bot that you're a human, not a computer.

Re:

[oliverthered]

actually I was thinking of the opposite, do you have speaking difficulties (I realise that hearing and speaking difficulties can often go together)

Re:Illogical

[Matje]

If a computer could recognize the difference between human and computer generated speech, then it would know how to generate human sounding speech.

Bullocks. Why is this modded informative? You don't provide any backup for your claim.

It is imaginable to create a model that describes speech characteristics in general and computer speech characteristics in particular. Any sound sample could compared with the two models. If it fits the wider speech model but not the computer speech model, then you would call it human speech. QED.

The ability to distinquish between two things does not imply that you'll be able to generate them effectively (unless the search space is very narrow). Imagine it this way: you can probably distinguish Chinese from Spanish. That does not imply you speak either language.

Alternative...

[martin_henry]

Alternative URL: http://wang.ist.psu.edu/docs/projects/imagination.html [psu.edu]

Stupid Captcha

[Big Smirk]

Any captcha with multiple choice answers is not a good one. 20 choices? So the computer gets by 1/20 of the time. Hmmm, how many attempts does it take to get 1000 e-mail accounts? As for "geometric center" note that all the images are rectangular. I haven't tried it, but writing a program to pull out all possible rectanges and then sort them on size, and pick the center of the one of the larger rectangles should do it. Why not a captcha that works with google. "Describe in one or two words what is in this picture", then use a google like search to match up the actual description with what the person typed. Person types "Dog" picture is a "Labrador Retriever" match.

20 minutes, test not yet passed..

[PIBM]

They might have a good captcha but it's already broken: they are unable to serve it as fast as required, which prevents legitimate users from accessing a real server content... No user on any site would wait so long just to pass a captcha test.

Test site slashdotted...

[thrill12]

...but some more info here [psu.edu] as well as a (ugh) [a href="http://wang.ist.psu.edu/imagination/imagination.ppt">powerpoint and a user study [psu.edu] with some samples.

Slashdotted

[Rik Sweeney]

The system is called IMAGINATION and you can try it out

That's what you think...

Re:

[PRMan]

That's because you're not using your...imagination.

Halp!

[Bartab]

My imagination is broken!

The real solution to captcha is OpenID.

[Anonymous Coward]

The real solution to captcha is OpenID.

Re:

[garaged]

how so ?

Re:The real solution to captcha is OpenID.

[giafly]

How do you protect the sign-up page to get an OpenID? With a captcha?

Re:

[The Jonas]

I always liked the idea of animated captchas [animierte-captcha.de], but for some reason have not really seen much implementation.

mechanical turk

[192939495969798999]

Just hire out cracking it to a mechanical turk service, and log their results to a database. Before long, you'll have a system capable of monte-carlo guessing at a high rate of accuracy. The computer doesn't need to know much about the image to make an educated guess with a large enough data pool of previous solutions.

CAPTCHA = The terrorists have won.

[v(*_*)vvvv]

Like airport security, CAPTCHA puts a tremendous burden on the innocent people just because they cannot detect the terrorists.

How is CAPTCHA broken and how is it "technology"?

It is not broken because it works as it is suppose to. I would think the correct term would be "solved" or "been overcome".

Technology-wise, CAPTCHA is a workaround, not a solution. The real problem is automated bots manipulating forms where the webmaster only wants humans. Detecting whether or not the visitor is an automaton would be the solution, but because people have apparently given up on this, they have resorted to trying to detect whether or not the visitor is human.

Re:

[eean]

So you want the bots to take a test that a human would fail?

Re:

[gtall]

Hey, you are right. If they would only solve the problem then it would indeed be solved. Maybe you could give them a call and explain it to them.

Gerry

Here's a reference implementation

[gr8dude]

Which of the following would you most prefer?

• A: a puppy,
• B: a pretty flower from your sweety, or
• C: a large properly formatted data file?

I think RapidShare has a good one

[JorDan Clock]

Last time I used RapidShare, they had a CAPTCHA that not only had distorted letters, but dogs and cats behind them. They were very simple, but enough to distinguish between the two. These dogs and cats are blended into the letters and to pass the CAPTCHA, you have to put in the characters with cats.

Re:

[psy]

Only problem was it took me 5-6 goes to understand how to do it.

It says select 4 letters (when there are numbers and letters)..

Then took me a while to realise there were cats and dogs.. i thought it was just random.

Other bad part about it was that there was a 30 second delay inbetween each attempt!

i think its too big

[PJ1216]

the image is huge. plus its two steps. also, the annotation part... i wasn't actually *sure* i was answering correctly. it looked like they were near water... boat was an option... didn't look like a boat... but nothing else really made sense... well, 'cept there was a guy in the picture and "man" was a choice as well... but i went with boat cause the guy didn't seem to be the focus. nonetheless, it required effort to reason it out. i don't want my captcha taking up more than 2 seconds, let alone like 30 seconds.

Sweatshops

[Anonymous Coward]

Spammers will still just pay sweatshop workers to solve these, won't they? What does this solve?

At least a part is Ineffective

[Dracolytch]

Ok, so I was able to do the image analysis one, where they take an image, muck with the color, draw a bunch of black lines over it, and then ask you to annotate it with a word from a list.

This is no better, and may be worse, than what we have now, for two reasons.

1) If you fill in the gaps programmatically, and then make the image grayscale, you probably have something you can use for image matching.

2) Much more severely: The interface reduces the number of possible answers by multiple orders of magnitude. For the one I saw I think there were 10 or 15 answers. Even if you kick image recognition to the curb and randomly choose an answer, you'll be right 1/15 times. It'd be trivial to write a program to harvest hundreds of accounts in a day by just picking random answers. Hand that off to a botnet or similar, and this becomes a minor speedbump.

~D

Email is broken and we need to dump it ASAP

[Yvan256]

Why are we fighting the results instead of trying to fix the cause?

Why do we need CAPTCHA? Because people sign for email accounts to spam people with their crap.

Why is spam possible in the first place? Because the email system wasn't designed with abusers in mind. Email is broken and we need to dump it ASAP and replace it with something else.

Unfortunately I don't have the answer, but that doesn't mean my point is invalid. Surely there has to be a solution, someone somewhere will think of something.

Re:

[Yvan256]

You can't fix people nor can you expect all the ISPs in the world to comply with your solution.

As soon as there is people involved, you have to assume that a lot of them are idiots and a lot of them will abuse your system. Build in consequence.

Email doesn't work (abused), spam is wasting bandwidth world-wide, we need to put a stop to it.

And please, whoever comes up with the solution... choose a better name than "Email 2.0"...

I for one

[mapkinase]

I for one welcome this development. The more complex are CAPTCHA to solve, the less is the number of idiots in the tubes.

Solution: unproven users = limited access

[davidwr]

Wikipedia does this by restricting what new accounts and non-logged-in accounts can do.

If free mail servers put restrictions on what new accounts could do, with an override to anyone who is willing to go to a lot of trouble to prove they are human, it would short-circuit the spammer problem.

If Yahoo, Gmail, etc. all limited you to 10 outgoing mail recipients a day until you had both 1) had the service for 1 day and replied to 10 messages, AND limited you to 100 outgoing mail recipients a day until you signed up to be a "high volume sender," it would cut most spammers off at the knees. Depending on the service, being a "high volume sender" may involve turning over a credit card number and may not be free. Some services may give "loyalty awards" to long-term customers by removing this restriction for people who have had their accounts for 6 months and show a heavy non-spammy ad-revenue-generating usage pattern.

Captcha solution

[foniksonik]

I know this will make a lot of you groan.... but this is a perfect scenario for the use of Flash. It could easily be implemented using one of the open source SWF libraries as well...

What's nice it that there are a few good libraries for speaking flash text as well, so an audio option is possible as well.

http://www.dracon.biz/captcha.php [dracon.biz]

Couldn't figure it out

[noidentity]

SERVICE DOWN TEMPORARILY

Because of the

The answer is "Slashdotting", but where do I type it? I can't figure this CAPTCHA out...

advancing AI

[Thuktun]

Aha, the next AI micro-X-Prize has been announced!

hotcaptcha

[SCHecklerX]

I like this better:

http://www.hotcaptcha.com/ [hotcaptcha.com]

Re:Twofo Ghey Niggers

[CSMatt]

This just reaffirms the article's conviction that the CAPTCHA is broken.

Re:

[lottameez]

Right on! I used my nigerian money to buy boobs and a new, larger, p3n1s. Of course, then I need healthy doses of V1agr@ and other M3ds! to make it all work.

Not just entertaining, also educational!.

[way2trivial]

Let me get my old fart hat on.
I first ever was in contact with a 419 via postal mail.

yes, 419 scams used to be pulled via the postal service.... international stamps the whole bit.

I admit- I was intrigued (and naive) and did nothing.. sounds too good to be true etc,, but I thought about it a whole lot.
Since then, and before the prevalance of 419 emails,
I've seen more than a few news stories about people getting into hot water for believing

now that 419 email is so widespread, and the topic so widely known

Re:

[Ecuador]

Can someone mod this clown down (if banning is not possible)? He keeps posting this site of his that redirects you to all sorts of advertisments...

Re:

[Ecuador]

Hmm I see he automatically redirects only IE, with Firefox I stay on the article page... I guess that's why no other slashdotter noticed the problem!

Re:

[Alzheimers]

You'll have to ask Apple [appleinsider.com]

Re:Can't RTFA. Already /.'ed after just ONE commen

[Yvan256]

How abour color-blind people using CGA monitors?

They became blind after using CGA! I mean, have you ever seen the aweful colors [agidev.com] of CGA? Whoever decided on those colors was on crack or something!