Posted

I think that anything that doesn't take too much thought can be broken by a bot. However, the trick is to make our security thing different enough from others that it doesn't matter if it could be broken, but that somebody would have to write a bot specifically for Hypography. If we have a unique security system, then it doesn't matter if it's weak, so long as it's different.

Posted
Okay. How about a CAPTCHA with a text below saying "Enter the CAPTCHA code in the first field, and backwards in the second field". :)

That's the sort of thing that'd work best actually. Typically, if you were a spammer/whatnot who wanted a CAPTCHA cracking, you would send a CAPTCHA to a user without any text from the webpage it originated on (Can't have the user seeing "To complete your membership at THISISMYWEBSITE" ;)). Therefore, they wouldn't have the information they needed to complete the CAPTCHA and as such, they enter the wrong thing.

 

What I'd really like to see is something that doesn't hassle the user, but cripples the bots. That's why I like the "hidden form" idea. Flawed, but so are CAPTCHAs.

Posted
However, the trick is to make our security thing different enough from others that it doesn't matter if it could be broken, but that somebody would have to write a bot specifically for Hypography. If we have a unique security system, then it doesn't matter if it's weak, so long as it's different.

I agree. However...

 

If I were running bots, methinks on failures I'd check the number of "active users" to determine if a site had sufficient activity to warrant custom code (assuming it could be used/sold/rented repeatedly in the future). So without a randomized logon layout, popular sites could still be potential targets IMO.

 

Hmmm... new business idea: "Bots R Us" :)

 

moo

  • 2 weeks later...
Posted
Me thinks the bots like Googlebot and Slurp possibly phone home when they encounter such requests and a human at the other end helps them out. They only need human help for the initial registration then all they need is their username and password for future visits.

 

Just thinking out loud,

 

The price of humans who'll spam blogs is falling to zero

 

The other day, while administering the Free Our Data blog (freeourdata.org.uk/blog if you haven't stopped by yet), I came across an unusual piece of comment spam - a remark left on one of the blog posts. It was advertising a site offering share tips. No surprise there: "pump and dump" spam, as we've pointed out, has become a principal form of email spam, and spammers seem to have found that people are searching for share advice online (a worrying enough thought on its own).

 

The surprise was that despite the automated defences to prevent such junk being posted by a machine, it had got through. The junk filter stops hundreds of such attempted spams daily without a murmur; so far it's stopped 10,000 spams while allowing 377 human comments. So why had this got through? The electronic trail explained: the "captcha" (Completely Automated Public Turing test to tell Computers and Humans Apart) had been filled in....

 

So who had done this? The junk filter had recorded their IP (internet) address. It resolved to somewhere in India. Which rang a bell: earlier this year, I spoke with someone who does blog spamming for a living - a very comfortable living, he claimed. But he said that the one thing that did give him pause was the possibility that rival blog spammers might start paying people in developing countries to fill in captchas: they could always use a bit of western cash, would have the spare time and, increasingly, cheap internet connections to be able to do such tedious (but paid) work.

 

More....

 

Hmmm, people paid to fill in CAPTCHAs.....:eek_big:

Posted
Hmmm, people paid to fill in CAPTCHAs.....:(

 

I'm not surprised. I bet a lot of the signups we see, with 0 posts, are spam accounts which will be used sooner or later.

 

Maybe the best solution is to have massive password resets on occasion.

Posted
I'm not surprised. I bet a lot of the signups we see, with 0 posts, are spam accounts which will be used sooner or later.
I’ve not noticed any 0 post accounts in a quick scan of Member List. Does it not show there?
Maybe the best solution is to have massive password resets on occasion.
Or require an introduction post as part of account creation. It would be easy for a spammer to post a generic “hi, I’m interested in science” boilerplate, but would be one more required bit of human interaction, making it less attractive to spammers.

 

To be of any value to a spammer, the account must eventually deliver its spam payload in a post, at which point it’s history as soon as an admin spots it – a “not-very-APTCHA”. As long as the volume of such spam doesn’t overwhelm the admins, all should be well.

Posted
I’ve not noticed any 0 post accounts in a quick scan of Member List. Does it not show there?

For some reason it doesn't show members with less than 2 posts. You can scroll to the bottom of the Forum Index page to see new members with 0 posts...

Posted
For some reason it doesn't show members with less than 2 posts. You can scroll to the bottom of the Forum Index page to see new members with 0 posts...

Odd... I thought that it wouldn't show ones with 0 because they are not yet added to the main usergroup until they make a post. Perhaps if they don't make a post within a week, delete the account?

  • 2 weeks later...
Posted
Hmmm, people paid to fill in CAPTCHAs.....:cup:

 

I'm not surprised. I bet a lot of the signups we see, with 0 posts, are spam accounts which will be used sooner or later.

 

Hmm, I wonder if tmobmobfil is one of them? A tmobil ad waiting to happen? :lol:

Posted

I think they are programmed to recognise letter patterns, distorted or not, then type in the answer, and as they are intelligent programs, once they have worked out what the letter is and know it works, they memorize that shape and create a new set of boundaries. If they get stuck they retry till there's one they recognize, as long as it is not a human on one end. I guess you could do one where you have to input the name of a shape, e.g.

 

"pic of triangle"

 

if input = "triangle" then continue

if not then retry

and if 3 times then reject for 15 mins

That would reduce the number of false signups, I think.
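As an added illustration (not code from the thread or from Hypography), here is one way to wire the ideas above into a server-side sign-up check: the "enter the code, and backwards in the second field" challenge and the hidden honeypot field from the earlier posts, plus the three-failures-then-lock-out-for-15-minutes rule from this post. Field names (`code`, `code_reversed`, `website`), the per-client keying and the injectable clock are assumptions of this example.

```python
import time

MAX_FAILURES = 3            # "if 3 times then reject ..."
LOCKOUT_SECONDS = 15 * 60   # "... for 15 mins"


class SignupGate:
    """Validates a registration form and tracks failures per client.

    A hidden 'website' field is never shown to humans (hidden with CSS), so any
    value in it marks a form-filling bot.  The challenge answer must be typed
    normally in 'code' and reversed in 'code_reversed'.  Three consecutive
    failures lock the client out for LOCKOUT_SECONDS.  (Assumed field names.)
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # client id -> consecutive failures
        self._locked_until = {}  # client id -> unix time the lockout ends

    def check(self, client, form, expected_code):
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            return "locked"
        # Honeypot: a human never sees this field, so it must be empty.
        if form.get("website", "").strip():
            return self._fail(client, now)
        want = expected_code.lower()
        ok = (form.get("code", "").strip().lower() == want
              and form.get("code_reversed", "").strip().lower() == want[::-1])
        if not ok:
            return self._fail(client, now)
        self._failures.pop(client, None)   # success resets the counter
        return "continue"

    def _fail(self, client, now):
        n = self._failures.get(client, 0) + 1
        self._failures[client] = n
        if n >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._failures.pop(client, None)
            return "locked"
        return "retry"
```

Keying the counter on an IP address, as in this example, is the simple choice; spammers behind shared or rotating addresses will need a different key, such as a session cookie.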

  • 4 weeks later...
Posted
Here's a new approach to CAPTCHA that avoids using images...

 

An interesting approach, certainly. But it doesn't actually solve any of the issues of a standard 'CAPTCHA', if you ask me.

 

It's still an image-based idea. It's just a more complex way of rendering the image. It's rather like saying that writing it in SVG (w3.org/Graphics/SVG/ - Enter it in the address bar, as I lack the post count to post a link) isn't using images. It's simply a different approach to drawing the same picture.

 

It's still highly obscure to an end user, and possibly even more so. The reason it might be more so is because it now relies on browser rendering to be written in the standardised way. On the counter, both Firefox and IE rendered the image correctly. Both of them, however, will make a Lynx user cry. :P

 

You may argue that it could be harder for a bot to crack. But I would say, probably not. If you saw the image rendered properly, you know there are engines that are capable of putting the "image" together. You also therefore know that it's capable of taking a picture of the result - And upon doing so, you're right back where you started in terms of cracking complexity.

 

It must be said however, that this is certainly an interesting approach to the problem, and I doubt it was designed to get around the limitations of a standard CAPTCHA. Even so, it won't be a method I personally will be employing in my web dev work. ;)

Posted
Here's a new approach to CAPTCHA that avoids using images...
An interesting approach, certainly. But it doesn't actually solve any of the issues of a standard 'CAPTCHA', if you ask me. …
I agree with Sheeplet. As a challenge to a CAPTCHA-cracking program, writing a graphic as an HTML <table> element rather than a <img> isn’t much. The practical effectiveness of Geva’s scheme depends on it remaining so obscure that bot writers don’t know of it, or deem it worth coding for. From a technical perspective, it’s easier to handle than common graphics file formats (.jpg, .gif, etc.)

 

As an addition to my “quick and dirty” library of techniques, it’s the best this year :). It’s very handy when writing a simple http server program to write a table element to your current tcp port, rather than to write a graphics file to a file system and an img element to the port.

 

Most browsers don’t render tables very fast or well – IE7 started behaving clunkily on my weak old box on a 500x120 pixel table, and died on a 700x200 one. The documents are obscenely large – 1.5 M for a little diagram that would be 1/100th that size the same image in jpg format, many times bigger even than a bitmap. Simpler graphics, though, such as diagrams and line drawings, can be compressed considerably by mildly clever use of rowspan and colspan attributes – a simple 2-color checkerboard takes only about 8 K, nearly as compact as jpg.
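To make the two points above concrete (the table-as-image scheme, and why "easier to handle than common graphics file formats" cuts both ways), here is an added example, not Geva's code nor anything from this thread. It draws a constructed 5x7 glyph as an HTML table, once with one cell per pixel and once with horizontal runs merged via colspan, and then shows that recovering the pixel grid from the markup takes a few lines of parsing with no image decoding at all. The attribute layout and the glyph are assumptions of the example.

```python
import re

# Constructed 5x7 glyph, '#' = ink, '.' = paper (stand-in for one CAPTCHA character).
GLYPH_T = ["#####", "..#..", "..#..", "..#..", "..#..", "..#..", "..#.."]
INK, PAPER = "#000000", "#ffffff"


def _td(color, span, cell):
    attrs = "" if span == 1 else ' colspan="%d"' % span
    return '<td bgcolor="%s"%s width="%d"></td>' % (color, attrs, span * cell)


def render_table(bitmap, cell=4, merge_runs=False):
    """Draw the bitmap as an HTML <table>: one coloured <td> per pixel, or,
    with merge_runs=True, one <td colspan=N> per horizontal run of one colour
    (the colspan trick mentioned in the post above)."""
    rows = []
    for line in bitmap:
        tds, i = [], 0
        while i < len(line):
            j = i + 1
            while merge_runs and j < len(line) and line[j] == line[i]:
                j += 1
            tds.append(_td(INK if line[i] == "#" else PAPER, j - i, cell))
            i = j
        rows.append('<tr height="%d">%s</tr>' % (cell, "".join(tds)))
    return '<table cellspacing="0" cellpadding="0" border="0">%s</table>' % "".join(rows)


_TD_RE = re.compile(r'<td bgcolor="(#[0-9a-f]{6})"(?: colspan="(\d+)")? width="\d+">')


def table_to_bitmap(html):
    """The bot's side: rebuild the pixel grid straight from the markup.  No JPEG
    or GIF decoding and no noise removal is needed, which is the scheme's weakness."""
    bitmap = []
    for row in re.findall(r"<tr[^>]*>(.*?)</tr>", html):
        line = ""
        for color, span in _TD_RE.findall(row):
            line += ("#" if color == INK else ".") * int(span or 1)
        bitmap.append(line)
    return bitmap


def cell_count(html):
    return html.count("<td ")


if __name__ == "__main__":
    plain, packed = render_table(GLYPH_T), render_table(GLYPH_T, merge_runs=True)
    print(cell_count(plain), "cells,", len(plain), "bytes ->",
          cell_count(packed), "cells,", len(packed), "bytes")
    print("\n".join(table_to_bitmap(packed)))
```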

  • 2 weeks later...
Posted

I saw a different captcha today - it was an animated gif which had a "static noise" effect and the characters danced. While it appeared to be smart I think most bots would not allow animated gifs and thus just take the first image anyway. However, if that frame was made blank perhaps it could have some merit?

Posted
I saw a different captcha today - it was an animated gif which had a "static noise" effect and the characters danced.
Gotta link?
While it appeared to be smart I think most bots would not allow animated gifs and thus just take the first image anyway. However, if that frame was made blank perhaps it could have some merit?
If it relied on human persistence of vision to trace out characters in pieces, it could be challenging for an OCR bot, even one that looked at all the frames of the animated gif.
