I think it’s high time that we stop trying to address the symptoms and start addressing the root cause of these sorts of problems.
Spammers should be legal hunting targets, plain and simple. I know I’d pay a hefty license and tag fee to be able to hunt spammers. This ought to be reality TV as well. Think of “Running Man” with Dog the Bounty Hunter as the host.
Enough is enough already. If spammers can’t use the internet for good, then they should lose the privilege to use it (or live, I’d prefer it that way). They’re a waste of humanity. They’re also utterly stupid if they can’t realize I’m not going to buy their stupid pills after the 200th e-mail…
Do you know what a PITA CAPTCHA is on a site like JK on the Run? It’s so blurry and grey that sometimes it takes me 3-4 tries to enter the correct combination.
I don’t understand the need for this speedbump with people who use OpenID. WordPress has embraced OpenID and I can use it to comment at many places without having to compile a long list of usernames and passwords.
Why can’t there be a method for sites to compile lists of valid OpenIDs so people like me can skip the CAPTCHA Hell?
The choose cat and dog problem would probably work, but of course, you’d have to do either iteratively (which people would get tired of), or have something like a 5x5 grid, and choose which pictures had cats. A 5x5 grid, with a 50% chance of any given picture containing a cat would result in about a 1 in 8 million chance of a bot getting it right by random guessing. And the server can have a very large number of pictures stored for the purpose (Each picture could conceivably be less than 10 kB in size). The CAPTCHA would have to conduct random modifications to the pictures to prevent an attacker from just storing what picture corresponds with a given answer, however.
I don’t like CAPTCHAs, but I see a major problem (from a web design perspective) with most of the new methods as well: most of them rely on Javascript.
Now, don’t get me wrong, lacking support for non-javascript browsers isn’t a show-stopper, but it does pose a problem for people who browse with javascript disabled. This includes users of the NoScript extension for Firefox, and people with text-based browsers like Lynx.
The website describing the GMail captcha crack was confusing, but it seemed to me that far from inventing a brilliant captcha-reading algorithm, they were just employing people to type in the captchas as they come in. No human-vs-machine principle can beat that.
My own blog at http://smokinn.com/blog does something similar to the cats vs dogs thing. I make people pick out between fluffy/not fluffy.
I fully expect this to be the new wave in captchas. It’s MUCH more user-friendly and there are so many implementation tricks you can use (mine is very naive but I can already think of 3 improvements I’ll make if ever a spam bot gets through) that it can be very solid.
My knowledge of how CAPTCHA works is very limited but I want to know why CAPTCHAs are always static? Would bots be able to break CAPTCHAs that use kinetic typography? I would think that trying to analyze moving, morphing text/images would be much more difficult to break.
The major web-based email providers - GMail, Hotmail, etc… - should require the user’s browser to perform some calculation in JavaScript for every email that is sent. The time required to perform this calculation would be minimal for normal users, but prohibitive if you’re sending bulk spam.
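The per-message calculation proposed in the comment above is a proof-of-work scheme in the style of hashcash. The sketch below is an added example, not part of the original thread: the function names, the challenge format and the difficulty value are all hypothetical, and it uses Node's `crypto` module so it runs offline.

```javascript
// Added example: hashcash-style proof of work. All names here are hypothetical.
const { createHash } = require('node:crypto');

// Count the leading zero bits of a hash (a Buffer).
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

function digest(challenge, counter) {
  return createHash('sha256').update(`${challenge}:${counter}`).digest();
}

// Sender side: search for the first counter whose hash meets the difficulty.
function solve(challenge, difficultyBits) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(digest(challenge, counter)) >= difficultyBits) {
      return { counter, attempts: counter + 1 };
    }
  }
}

// Provider side: a single hash verifies the work, however long the search took.
function verify(challenge, counter, difficultyBits) {
  return Number.isInteger(counter) && counter >= 0 &&
    leadingZeroBits(digest(challenge, counter)) >= difficultyBits;
}

// The challenge binds the work to one message, so a solution cannot be
// reused for another recipient or replayed against a fresh server nonce.
function makeChallenge(serverNonce, sender, recipient) {
  return [serverNonce, sender, recipient].join('|');
}

// Constructed sample values.
const DIFFICULTY = 12; // about 2^12 = 4096 hashes on average
const challenge = makeChallenge('nonce-0001', 'alice@example.com', 'bob@example.com');
const proof = solve(challenge, DIFFICULTY);
console.log(`solved after ${proof.attempts} hashes; valid: ` +
  verify(challenge, proof.counter, DIFFICULTY));
```

Each extra difficulty bit doubles the sender's expected work while verification stays at one hash, which is the asymmetry the comment relies on.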
@JP on March 5, 2008 02:37 AM
Paying $1 for every web registration is a terrible idea. First, I don’t want to give out my credit-card number to everyone. I even feel paranoid about Amazon.com trying to store it. Second, lots of people don’t have credit cards (e.g., kids). Lastly, it would discourage me from posting on almost any discussion board because I’m too cheap to pay for the privilege of providing help or asking questions myself.
Logging into HSBC’s personal internet banking account requires 3 things: user name, password you type in and last - another password where you have to use your mouse to point and click on an on-screen keyboard in order to enter the information.
If it is required to point and click an on-screen keyboard in order to enter information - would that help stop bots?
Actually you forgot a category: Social synchronization. If you expect people to pick a word that best represents multiple pictures you are expecting them to think the same way. I frequently fail this type of social sync test, I just don’t seem to think the same way as most people for some reason. Crossword puzzles are perhaps the best example of this.
With bots cracking it 20% of time, I would be interested in failure rate for flesh and blood. I know that I don’t hit 100%. Makes me wonder what the average is.
At a thought, put instructions into an image to complete a task and have the result of that task be the key. Of course, that would exclude the simple and the visually impaired and those of a different language.
I suspect that ultimately we will have to fall back on a third party that could be used to verify our identity and provide websites a semi-anonymous ya or nay without passing on any of the personal details we provided to the third party to verify our identity.
Wait, I think that’s been done and it failed the paranoia test…
another thought… you could make the instructions an image… so the algorithms would need to get the OCR right… then interpret the directions… then figure out how to follow them.
Any kind of Captcha is useless for determined spammers. If I were a spammer, I would hire a low cost laborer who can, in an hour, manually open tens of new email accounts. Why waste time developing and launching anti captcha bots?
Spammers are like child molesters. They only stop when you put bullets through their heads. I continue to hope that one day society will decide to step up to the plate, instead of endlessly and pointlessly playing Spy-vs-Spy. But (sigh) just like the “War on Terror”, the real point is how much money MegaCorpGov can make out of it, and that is ultimately determined by how long it can be dragged out.
Cute… fluffy is nice.
The biggest issue with these types of captcha is that it is not too complicated to build a pretty thorough library of images used, quite quickly.
A human with malicious intent can correlate the filenames to fluffy/not fluffy and then build automation. To make it even more robust (just in case you decided to use a renaming script to rotate the images around internally) the actual image could be correlated to fluffy/not fluffy. The program can then check the data in each image (rather than the filename itself) and ‘sense’ the matches and thus appropriate selections.
You would need a rather substantial library to make this captcha strong enough… and enough time to manually go through each one noting if it is fluffy or not.
Interested in hearing what improvements you have thought of…