Google Updates ReCAPTCHA With Easier CAPTCHAs For Humans

An anonymous reader writes "Google today released an update to its reCAPTCHA system that creates different classes of CAPTCHAs for different kinds of users. In short, it makes your life easier if you're a human, and your work much harder if you're a bot. Unsurprisingly, Google wouldn't share too much detail as to how the new system works, aside from saying it uses advanced risk analysis techniques, actively considering the user's entire engagement (before, during and after) with the CAPTCHA. In other words, the distorted letters are not the only test."

Oh Great!

[Anonymous Coward]

I'm having enough trouble posting as an AC on /. as it is. Now I will have to put up with Google. Using Lynx with all these crappy images is getting to be a bitch!

Google can now see the future?

[Anonymous Coward]

The CAPTCHA is influenced by what you do after you exit it?

Re:

[Anonymous Coward]

Google can't see the future, but we can.

It's a future in which Google has added so many barriers to using their services that they have no human users left. Only the bots don't care about having to deal with all the added tedium.

Re:

[BradleyUffner]

The CAPTCHA is influenced by what you do after you exit it?

My guess is that Google watches what you did after the PREVIOUS captcha and uses that to determine how to display upcoming ones.
This could be useful to detect capthca farms where people sit all day and just solve the captcha for spam bots. If you immediately move from one to the next to the next without spending any time looking at content then it's time to serve you something that takes more time to solve. If, on the other hand, you solve only a few captchas a day they can give you something easy.

Re:

[Hentes]

If you have knowledge of every property about everything and enough computational resources, you can simulate the future. Google has both.

Spoiler!

[Anonymous Coward]

They're extending the user categorisation checks. It checks your IP address against a risk and Geo database. You're all smart enough to know what makes certain users riskier (eg: excessive requests, certain countries, is a Tor exit node etc.). They're just doing that properly now.

Re:Spoiler!

[mstefanro]

I can confirm that this happens for Tor exit nodes. They serve their CAPTCHAs to third-party
websites as well, and if it so happens that you want to use a website via Tor that uses their
CAPTCHA on login, the challenges they give you simply cannot be solved. I am not exaggerating,
I have been trying for ten minutes in the past to login on a certain website via Tor and was unable
to. Finally, I found the solution at the time: you have to go to google's login page one time and then
all the CAPTCHA's start becoming readable.

Re:

[Anonymous Coward]

Finally, I found the solution at the time: you have to go to google's login page one time and then
all the CAPTCHA's start becoming readable.

If you mean you have to go there to log in, rather than just load the page, doesn't that rather defeat the purpose of using tor in the first place?

Re:

[mstefanro]

They obviously cannot discern a robot from a human over the wire, that sounds impossible to do currently.
What they can probably do is make an estimate on how likely it is that a certain request comes from a script
rather than a human being and then use that estimate to make a CAPTCHA of difficulty proportional to the likelihood.
I wish there was a good alternative to our current CAPTCHAs, but I can't think of any (refrain from commenting if
you are going to suggest something dumb that will surely not work, suc

Re:

[Anonymous Coward]

(refrain from commenting if you are going to suggest something dumb that will surely not work, such as asking the user to do simple arithmetic)

Indeed, that would exclude about 90% of the human population. But then maybe that's a good thing.

Poor Granny...

[beaverdownunder]

She ends up on a bum IP and ends up getting hopelessly indecipherable gibberish as the verification for paying her electric bill?

Not sure blacklisting is the best way to go about this...

Re:

[InvalidError]

My mother had a run-in with Microsoft's captchas a few times due to failed login attempts and when that happens, she usually asks my sister to unlock her account but even my sister often has trouble with it so she ends up asking me.

Quite ironic that tests designed to tell humans from machines seem to cause humans to fail so much.

Re:

[gmanterry]

I often fail it as well. In some cases, it is just unreadable.

You should try them when you're in your 70s. I have had sites I just gave up on. My kids live 2500 miles away.

Re:

[joelville]

I'm 120 years old and get my cataracts removed daily, neither I, nor any of my contemporaries have a problem reading CAPTCHAs. Only a robot would find them unreadable. #SingularityMuch?

Plus the audio version

[NotSoHeavyD3]

On those ones have you ever tried hitting the button that's supposed to say the captcha out loud just in case you can't read it?(Which is most of the time) I swear it sounds like some sort of inhuman moaning straight from the Necronomicon that would be more appropriate to summon some sort of demon.

Re:

[deains]

On those ones have you ever tried hitting the button that's supposed to say the captcha out loud just in case you can't read it?(Which is most of the time) I swear it sounds like some sort of inhuman moaning straight from the Necronomicon that would be more appropriate to summon some sort of demon.

And thus, Inglip was born.

Re:

[InvalidError]

Yes, I did try their audio captcha... when I couldn't figure out why the image captcha was refusing my answers, I tried audio wondering how much worse it could possibly be and for the most part, I could not even figure out what the heck I was hearing. Instructions said there was supposed to be a dozen words in there but I only managed to catch 3-4 and did not feel like listening to that gibberish again to try finding the others.

That made me feel like captchas are worse than the problems they are attempting

ACK. The MS Captchas...

[WoTG]

This is embarrassing... but also terrible interface design. I once spent 10 minutes trying to solve a Microsoft captcha. It turned out that the page was designed such that pressing "enter" to finish the captcha actually triggered some other form option. I tried multiple browsers. And finally... decided to try clicking the submit button with the mouse.

I wasn't too impressed.

Re:

[Arancaytar]

Where did Google mention IPs?

Re:Poor Granny...

[GuldKalle]

In the CAPTCHA, maybe you couldn't read it.

Re:

[wonkey_monkey]

Why do you (and an AC above) assume it has anything to do with IP addresses? Wasn't that part of a different story on TOR recently?

My first thought was that it might have something to do with capturing timing of keystrokes or mouse movements, perhaps even before the CAPTCHA is displayed (i.e. while reading the story before trying to comment).

FaceTuring aka ChickCaptcha does that, read @ 5m

[raymorris]

I would expect Google to be looking at this those things. FaceTuring from bettercgi does. Then aagain, faceturing is readable from five meters away, so maybe recaptcha hasn't quite caught up to the little guys.

Why test, and only computers help read books?

[Sits]

So it serves up numbers to humans - does this mean that only computer-hard captchas are going to help reading books?

Further it knows you're a computer/human already but gives a test to reaffirm this anyway? Seems wasteful but I guess it acts as a safety net and allows better classification in the future...

Blame Sonny Bono

[tepples]

What it could mean is that Google has caught up with the Copyright Term Extension Act of 1998 and finished all notable books in the English language published before 1923. Google has to set reCAPTCHA to read house numbers for Google Maps to pass the time until 2019 when copyrights will start expiring again barring yet another legislative extension.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mcgrew]

Insightful? Mods, he's going for funny. Google isn't using capchas to decipher books, that's silly. They're using high speed scanners and OCR. I have one of those scanners at work*, it will scan 300 pages in about a minute. And the one I have is getting pretty old.

* We have to send thousands of pages of paper documents to the government on CDs every month.

Re:

[chihowa]

Are you going for funny? reCAPTCHA [google.com] has always been about deciphering books:

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.

Re:

[mcgrew]

Are you going for funny?

Apparently I'm just ignorant. Thanks for the link, I hate being ignorant (unless you're talking about fashion or sports or celebrities, don't mind being ignorant about them).

Doesn't that fix the original problem?

[TheRhinoplast]

So if it already knows we're human, why do we still have to fill in a captcha?

Re:

[Anonymous Coward]

That's the human back-end of their OCR service (e.g., translating pictures, etc.)

probabilities. FaceTuring does none for returning

[raymorris]

If the earlier checks suggest it's likely to be a bot, use a harder captcha to double check. If it's likely to be a human, use an easier captcha as confirmation.

If the system is pretty sure it's a returning user, FaceTuring doesn't require a captcha at all. I don't know if recaptcha ever goes as far as not requiring the captcha at all.

Re:

[NoZart]

Because then nobody would do the OCR work for them.

Re:

[Anonymous Coward]

NSA already knows your house, your name, your phone and which sites you get your porn from (it also knows your pet's name, your mother's maiden name and whether you drink Pepsi or Coke).

And does it matter to Google whether they know your house as "70??, Deadend Rd., Podunk, uses WiFi hot-spot called FBISurveillanceVan, 30 40'11''N, 60 21'12''W" or "7001, Deadend Rd., etc."?

This is just a captcha. No need to force an OMGNSAPRISMPRISMPRISM comment just for sake of it.

Re:

[akahige]

Unless they've change it with this update, you can just skip the OCR half of the process, i.e. you only have to type the distorted text half.

How it works ...

[Stephen J Sweeney]

"Google wouldn't share too much detail as to how the new system works"

Easy, it just does a lookup to the NSA, to find out your real name :)

Re:

[lgw]

Oh no, it does a lookup to Google+ to see how much Google+ account activity has occurred from the current device. The more you've used a Google+ account to post to youtube or gmail etc from the device, the more sure it is that you must be a human.

It's just their latest subtle way to push more use of Google+ across their products.

Nah, they could just use their employee database for that, since the only humans who use Goggle+ are Google employees.

Re:

[Kazoo the Clown]

Um, I have a Gmail account, but I hardly ever login to Google directly, preferring to use an email aggregating app instead. I'd not use gmail if I had to regularly deal with a Google UI much, which are nearly universally gawdawful. I used to think the simplicity of the Google search page was brilliance, but after seeing other attempts at user interface, I now can only conclude they must have simply had no clue what to do for an interface so they did as little as possible. Now, all the googling I do is vi

Type reCAPTCHA First -- Only Then Log In

[lmioc]

The Blogspot implementation: http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-just-got-easier-but-only-if.html [blogspot.com] In order to leave a comment on the post you have to do the following three steps. Step One: Decipher that often undecipherable StreetView street number. Step Two: 'OCR' that rarely legible text from Google Books project. Step Three: Sign-in with your Google or OpenID account. As I see it, the first two steps are completely unnecessary torture of end users for the sole benefit of the Googl

Or they could do this

[Impy the Impiuos Imp]

1. Google uses analytics and other techniques to find the IP addresses that are "captcha-busters".
2. Automate their captcha generator to feed into these with honeypot pages to see which ones they can bust.
3. Assemble lists of ones they cannot.
4. Profit!

It's a dynamic, revolving door, but when automated it's great. BTW I wouldn't mind a new job there, hint hint.

New Catacha System

[fast turtle]

uses pictures of Cats that we humans get to vote on - what's funny, who's grumpy, stupid, OMG Kill it! Social experimentation/analysis of the worst kind. Maybe Google will finally be able to profile what is human and will then be able to bear Skynet.

still treating the symptoms and not the disease

[Gravis Zero]

the reason we have these human verification systems is obvious, as small group of people are ruining it for everyone. perhaps if we actually have strict enforcement of catching spammers then we wouldnt need all this annoying bullshit.

right now we are developing stronger armor when what we should be doing is stopping the shooter/spammer.

Re:

[netsentry]

right now we are developing stronger armor when what we should be doing is stopping the shooter/spammer.

Seems easier said than done! I don't have numbers to support this, but I would think most form spam comes from botnets. As long as Oracle (Java), Adobe (Flash), and Microsoft (ActiveX) products (among others) continue to have security issues, malware will continue to thrive. And so will botnets.

On topic, as a web developer I ended up just custom coding a little check box that asks if my users are human and programmatically placing the form submit button the page after that is clicked. Since a bot can't

Re:

[Gravis Zero]

Seems easier said than done! I don't have numbers to support this, but I would think most form spam comes from botnets.

i never said it would be easy but seems it's a very low priority. also, i think punishment should be much higher than it is considering the scale and duration of the spamming. if spammers get sentenced to life in prison, i think there would be a change in how spamming is perceived. it's the risk versus reward issue that keeps spam so prevalent.

Re:

[tlhIngan]

the reason we have these human verification systems is obvious, as small group of people are ruining it for everyone. perhaps if we actually have strict enforcement of catching spammers then we wouldnt need all this annoying bullshit.

right now we are developing stronger armor when what we should be doing is stopping the shooter/spammer.

The problem is that spamming is a social problem - there's no technological solution to social problems. There's a lot of technological solutions that get close, but none act

Wait. . .

[physicsphairy]

Everyone knows CAPTCHA's are supposed to discriminate between humans and robots based on their cognitive capabilities, but I always assumed it was the humans they were trying to keep out. *punches random keys in attempt to match what looks like the last will and testament of a deranged chicken with tourettes*

Wondering ...

[garry_g]

... how long, until the only ones able to correctly solve the captchas are computers ... throughout the last couple modifications to the generated images, it already got to the point where I'd have to reload the images multiple times until I got one that I could get close to being able to read ...but maybe my natural senses are just not up to par with AI ...

Thank-you Google

[Stolzy]

I've been whining about this for years.

Google uses "advanced risk analysis techniques"...

[pongo000]

...no doubt the same techniques used in their excellent spam filter setup on gmail. You know, the one that will repeatedly mark incoming mail as spam even though you have already marked it over and over as "not spam". Or the classic: Google marks as spam incoming mail with a sent-from address that matches an already verified alias in your own account.

Yeah, I know, there's no way I can be right in light of the thousands of PhD's employed by Google. The collective brainpower is staggering, so Google will always be right in everything they do.

Re:Google uses "advanced risk analysis techniques"

[stoploss]

What you describe can happen if the headers in the email appear to be forged. *That* can happen if your email is being routed strangely.

Here's one example: my organization uses hosted gmail for our domain email. However, our *institution* sold out to Microsoft. We were allowed to continue to use our hosted gmail. "Whew, dodged that bullet!", I thought, until email from other gmail users started being marked as "Person X may not have sent this email", and my Amazon.com order/shipping notifications started being sent to the spam folder.

What happened? Our institutional overlords required that our email be routed through MS' outlook.com servers. Thus all our inbound email appeared to have forged headers. GMail legitimately ignored my whitelist filter rules when it appeared that the field values for "from:", etc, were forged.

This may not reflect your situation, but I'm sure there are other weird scenarios where email to/from gmail can appear to be forged.