40 comments

[ 3.1 ms ] story [ 75.5 ms ] thread
This (and other creative implementations) works because it's not mainstream. I'd imagine once it becomes big, spammers will find a way to defeat it.

As far as I know, different CAPTCHAs have different degrees of effectiveness. Google's is among one of the best.

Also, if you wanted to particularly target that site's slider for spamming, it isn't hard to do.

"Although a checkbox "check here if you are not a bot" might serve to distinguish between humans and computers, it is not a CAPTCHA because it relies on the fact that an attacker has not spent effort to break that specific form. (Such 'check here' methods are very easy to defeat.) Instead, CAPTCHAs rely on difficult problems in artificial intelligence. In the short term, this has the benefit of distinguishing humans from computers. In the long term, it creates an incentive to advance the state of AI, which the originators of the term view as a benefit in its own right."

(from wikipedia)

Does a question like "If George Washington had 20 white horses, how many grizzly bears did he own?" count? I always like those kind the best.
The answer to that type of question is always zero (or unanswerable with the given information). It's cute, but ineffective.
That type of thing would probably wind up being way too limited. It has to be generated and checked by a computer so it's going to tend towards a pattern and not be arbitrary enough. And as you make it more convoluted you're probably going to piss off the users more than slow down spammers.
I'm not sure it will work at all. Bots don't trigger the submit event by clicking a button. They do so by scripted form submission, so if the slider is tied to a simple submit event, it's pointless.
How can you submit a form that has no URL to submit to?

I haven't tried circumventing their form, and maybe they didn't do this, but the basic idea is to store the submission URL in javascript, and assign it to the form only on the slider event.

All that matters is what goes over the wire. The UI doesn't matter. If the data sent has no dynamic component (i.e. the text of a random word-image), then it can be replayed with different inputs.
surely spammers have javascript-enabled spambots by now. i'm sure some of them embed an actual webkit/mozilla/ie rendering engine and just script the interface.

hell, a regular firefox browser with images disabled (for speed) and the selenium plugin installed could probably accomplish a high rate of automated spamming.

The script just sets a hidden input field to a "magic" value once you've moved the slider all the way. If you can write a trivial regexp, you can circumvent their "captcha".
You guys are misunderstanding me, I was referring to bots that autofill any form they come across on hundreds/thousands of sites, not about preventing a direct attack against this site. If someone wrote a bot specific to this site, yes, they'd easily get by it of course.
If the slider is a true input, all you need to do is validate that input and reject any submissions with the wrong value.
Am I alone in finding Google's CAPTCHAs unreadable a good 25-50% of the time?
You may already be a robot. And me, too -- I'm sometimes stumped by the Google CAPTCHAs.
I find it is much more than that for me, like 75 percent. And for my parents it is pretty much 100% which is extremely annoying.
Yeah I should've clarified, Google's CAPTCHAs is one of the best at keeping bots out (and humans too if necessary)
Nope, usually takes me 3 tries.
This is completely useless as a solution to the captcha problem. It's only a solution if you're not actually tagetted by spammers.

A slider? Really? Yeah, there's no way a script could fake changing the value of a slider.

Spammers are lazy. They like to target lots of sites at once. A post of mine from a few years ago explains the rationale behind one off schemes such as this:

http://www.nextthing.org/archives/2005/07/16/a-few-upgrades

My own has worked fairly well for me since then.

(comment deleted)
"Spammers are lazy" does kinda work for the multitudes of small-traffic sites out there. Put together some unique or custom validation to keep out spambots and odds are that's all you'll ever need.

The thing is, for big sites like Google or Yahoo that won't work. If Google implemented the slider I'd bet a month's salary that it would be flooded with spammers overnight. The CAPTCHA's they use have been put through the ringer and are proven to work against spammers who are focused and resourceful. By lining the two up like that, the post tries to equivocate big site CAPTCHAs with user-friendly client-side-only validation, but the latter is not even in the same league, much less an alternative. It works for the same reasons "Enter the sum of 3 and 5: ____" would work.

  The CAPTCHA's they use have been put through the ringer 
  and are proven to work against spammers who are focused 
  and resourceful.
Not really:

- http://securitylabs.websense.com/content/Blogs/2919.aspx

- http://www.cs.sfu.ca/~mori/research/gimpy/

- http://www.zdnet.co.uk/news/security-management/2004/05/06/s...

- http://caca.zoy.org/wiki/PWNtcha

etc. Most of those articles are from several years ago. The state of the art has improved since then.

Sorry, I should have been clearer on what I meant. Google/etc CAPTCHAs don't work 100% against anti-CAPTCHA. As those articles suggest it's a fluctuating 80% or so, and obviously an ongoing arms race.

My point was more to the fact that the slider solution wouldn't retain anywhere near the same stats if it were put up against the same level of effort and sophistication spent towards breaking it. It would get solved and then bypassed completely.

If you can automate it then by definition it's not a CAPTCHA
I hate to break it to you, but I don't know of any image-based CAPTCHAs which haven't been broken/automated.
Simulating a click and slide is nowhere near as hard as automating, for example, decoding of Google's CAPTCHA. The whole point of a CAPTCHA is to make the automation as hard as possible without making it too hard for a human.
Not if the slider is a swf :)
Even if it was flash you could still script it.
isn't it possible to make a swf not respond to scripting?
Not really; you might have to do it outside the browser (with OS calls, for example), but it can be scripted. You could probably even swap out the swf and just send back the right answer without having to bother with it.
You can automate a web browser. http://seleniumhq.org/
Selenium doesn't work with Flash/Flex (don't I know it...).

You could use something like Eggplant, though. Or you could decompile the Flash file and fake the communications it sends to the server. The latter is probably the easiest and most scalable method.

That wasn't too tough to break: javascript:document.getElementById("UserHuman").value="6).%Y.g-";document.getElementById("UserAddForm").submit();
Even simpler:

javascript:updateSlider1(4);

Nice idea. No captcha would be better. How come Facebook doesn't need a captcha on their create account page? http://img.skitch.com/20100702-g2gt6pxcpyug324yhyay4gsj13.jp...
Because they don't care about a spammer joining fb, they have spam prevention system on the publishing and friendship actions. I see the re-captcha very often while publishing stuff (but I'm connected 24/7 to the fb chat with pigdin), also I've heard that people who try to add too many friends in a short period of time, get a message from the spam prevention.

also: http://blog.facebook.com/blog.php?post=403200567130

What might be interesting is to have the position randomly generated somehow. Or two sliders that you have to line up...