Just to be fair - it is less friction than a typing captcha. I still think the security of it is pretty weak. Possible vulnerabilities include:
* Moving the slider bit by bit and OCRing will solve 90% of the images I've seen.
* If the image selection is small you could just build a DB of all slider positions and just teach it how it is supposed to look once.
* It's not only easier for the users. It is also easier for captcha solvers in India, China, etc. This will improve their productivity immensely and free up their other hand.
Actually moving slider bit by bit and simply submitting the form after every move would something to try first.
More generally speaking - it's a very nice idea, but basically there are too few invalid answers to make it practical. You changed an open-ended question of a conventional captcha into a multiple choice.
They don't even have to do that; a 1/29th chance of success is plenty for the scammers.
This is Yet Another Complete Crap CAPTCHA. It isn't solving the problem of prevent real spammers from sending you real spam, it's solving the problem of looking enough like a CAPTCHA to think you're getting somewhere. Or in this case, selling you something.
Also, at least the spiral one I got is flat-out solvable; run "find edges", run a search for the characteristic slope relationship of the lines at various points in the images... would probably take a decent computer vision student about four hours, tops. That hardly even qualifies as trying.
Yes, I missed the obvious one :) As someone also mentioned it accepts "close enough" solutions so it basically boils down to 1/6 chance which spammer will consider almost perfect.
>Moving the slider bit by bit and OCRing will solve 90% of the images I've seen.
I'm not sure what you're saying. Good OCR should recognize the text when it's distorted slightly, right? Which would yield false positives, no?
As much as I'd like to pick this apart, I think the slide captcha is actually pretty clever. We can nitpick implementation details all day, but most of those can be fixed. I wish I had thought of it.
To be honest the only reason I didn't add "yet another misguided captcha attempt" to the title is because of the advertising aspect. We can and should nitpick captchas, even just if it is as an intellectual exercise.
About the OCR - what I meant is that most of their images had text meaning I can OCR every step and if I get something with dictionary words I submit. It will work even the OCR is very permissive (recognizes distorted text as you put it) because this implementation accepts not only the perfect straight solution but also "close enough"s.
>About the OCR - what I meant is that most of their images had text meaning I can OCR every step and if I get something with dictionary words I submit. It will work even the OCR is very permissive (recognizes distorted text as you put it) because this implementation accepts not only the perfect straight solution but also "close enough"s.
Again, fair point on this particular implementation. However, there's no reason to have the fudge factor. It's already plenty easy to get the exact answer.
Ignoring that fudge factor, there are at least 6 options on each side of the correct answer that (I would assume) can be OCRed also. So the OCR method only cuts out maybe half of the wrong answers... perhaps better because the correct one will me closer to the middle?
I think a more foolproof attack vector would be too look for vertical and horizontal lines, which are only going to show up in the correct image.
I'm not sure it will be more foolproof since images don't really need to have long horizontal or vertical lines, but it is indeed another great attack path.
If it has non-handwritten text, it will. If it has a banner or button, it will. If the layout contains a rectangle or divider or border, it will. I don't expect to see ads without the previously mentioned items very often.
While this is interesting, it looks simple to beat in the current iteration. The distort operation blurs the image, so the original is easy to pick out by simply determining the relative constrast of all the images.
This could be fixed by applying a similar blur operation to the original, but I'm pretty sure something else could be found. The only advantage (security-wise) this would have over the OCR-CAPTCHA approach is its relative novelty - should this approach become popular, many new ways to beat it would come up, and we would be in an arms-race like with standard CAPTCHAs.
My point exactly. The amount of 'order' in the original image, compared to the distorted ones, must be detectable with a simple algorithm, right? Especially because when the slider goes through the 'correct' position, the transition changes direction, which I expect to show up different image-wide stats/parameters.
It actually looks easier than this. There appears to be only 30 possible values for the slider. Send a random number between 0-29 and you have a 1 in 30 chance of being right.
In reality you can probably remove the extreme values as it is unlikely to be 0-2 or 27-29, so you have a 1 in 24 chance. Those are pretty decent odds if you compare them to a regular 6 letter CAPTCHA where a random guess would have a 1 in 26^6 chance of being correct.
It looks like it allows a bit of leeway too - you can submit two stops either side of the 'correct' value and still be allowed through. So that's a 1 in 6 (5 in 30) chance of a random guess being allowed.
This seems very sluggish in my browser (Firefox 17.0.1). There's about half a second of lag, which is far too long.
It also took me a while to realise that I had to drag the handle instead of just being able to click in the bar where I wanted it and slide from there, although this is presumably easy to fix.
One of the biggest issues with standard captcha's is their lack of accessibility, especially for blind or low-vision users. Some provide an audio alternative but they're generally worse than the visual version.
It's good to see some innovation in captchas but I don't see how this particular idea can overcome this hurdle.
The audio alternative for this one is a voice that says, 'Move the slider right' or 'Move the slider left' and 'using the arrow keys'. The problem is that it would be easy to use a machine to process that. Especially since the correct location makes the voice say something completely different from 'move the slider'
Can someone explain this to me please? It seems as though it's touting itself as a CAPTCHA for site owners, but as an interactive ad block for advertisers?
I can't really work out how this works on a site? Is the idea that I use this type of CAPTCHA for 'human' sign ups, and at the same time, an advertiser gets a hit? Almost as in, to sign up, you need to see this ad?
Either way, it's interesting: I also like the secondary result of "you don't get free impressions". ie. you only pay if they click or 'solve', but at the same time, they can't see the ad, remember the name and look for it elsewhere without essentially triggering the payment if that makes sense.
Neat and I really like to see innovation in this area.
Although I think because outsourcing captcha to humans is so cheap, methods like this are not going to win in the long run.
I think a more sustainable strategy is to make it more and more expensive for those who want to solve captchas in large volumes.
Things like solving a cryptographic challenge using the computing power of your machine.
i.e. making it cheap/easy enough for legitimate users who may need to submit the form once a month but such that it becomes too expensive for those who want to exploit it and solve 100 of them in 5 minutes.
I found the experience to be rather annoying, actually. While my eyes aren't great, my clicking/sliding fine tuning is even worse. I understand the issues involved, but I prefer to not have something dependent on dexterity. Otherwise, just have a video game as the captcha and be done with it.
I don't understand how this could possibly work. The original images all appear to have lots of straight lines. I'm no expert in computer vision, but surely "does this image contain straight lines?" is a relatively easy operation to automate. Maximize that and you have a solution.
Even ignoring that, there appear to be only 30 distinct positions on the slider. Random guessing will net you a 3% success rate with no smarts whatsoever.
It's relatively easy to make a captcha that stands up to existing bots on when not widely deployed. For ages, I had a "captcha" on my blog that consisted of a single text field labeled, "Enter the word 'elbow'". The word didn't even change, it was hardcoded to "elbow". It kept spam away for years, because it wasn't worth anybody's time to fix their software to work with my little blog.
It really doesn't appear to me that much thought went into this thing as far as making it hard to automate solutions. Maybe I'm horribly wrong, but it looks like a gimmick, where they made something that looks hard to the naive due to being different.
You are looking at it the wrong way. This is not designed to stop bots, it's made to force the user to look at the ads, and leave out the possibility of ad-blocking.
From the site:
> minteye breaks through modern advertising blindness with active, engaging advertising products that can’t be ignored!
Well, you're comparing apples to oranges. You're comparing a hand coded attack against a specific captcha (a guess at the position/vertical lines) to no one making the attempt at all.
Attacking your site, with minimal effort, would have yielded a 100% success rate. Attacking this site with a guess would have yielded a 3% rate. Some of the best captchas have been attacked with success rates in the high double digits: http://en.wikipedia.org/wiki/CAPTCHA#Computer_character_reco...
So 3% doesn't look too bad after all.
I do, by the way, agree with you that the vertical lines attack would work really well.
I'm a little confused as to why you spend three paragraphs discussing the random guessing approach and only touch on the more sophisticated method at the end.
I really don't think I'm comparing apples and oranges. I'm simply noting that any novel captcha can look good when attackers can't be bothered to actually attack it.
Well, mainly because I agreed with you and didn't feel like wasting much time saying so. I was also frustrated with so many people in this thread focusing on the guessing method and acting like a 3% success rate was high. That annoyed me since, as I said, first class captchas have been attacked with ~50% success rate in studies.
My experience with an unknown site has differed from yours dramatically. I have a small, custom site that I share with less than 10 friends and I have had to progressively step up the security (none -> captchas -> passwords) because it has been attacked with thousands of spam messages on several occasions.
Odd that your experience has been so different. My progression has been:
1. The "elbow" technique. Worked OK for years, then spam began to rise.
2. A slight variation to defeat generalized bots. I changed the field label to, "Type 'humour' with American spelling." This held on for a few more years.
3. A hashcash-based solution, where a proof of work is generated using JavaScript in the client and required to post a comment. It's calibrated to take 20-30 seconds on typical computers, and doesn't start until you focus the comment fields so it's not burning CPU for people who just view the page. This is still working well for me. I get occasional spams, but from looking at the logs it appears almost certain that these are from real humans who are actually spending the 20-30 seconds waiting for the hashcash to compute. I only have to delete one or two spam comments a month for the moment.
Wonder what caused your site to suffer so much more.
What do you mean by 'some of the best'? If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost. 3% is awful.
In your link, their first attempt at breaking reCaptcha seemed to yield a 17.5% success rate. I was referencing wikipedia, which stated a 60% success rate against Microsoft's captcha and a 30% success rate against Google's catpcha: http://en.wikipedia.org/wiki/Captcha#Computer_character_reco...
Those papers may be a few years old and the state of the art may be different. But after an initial look I'm missing the reason that, compared to these captchas, you think that "3% is awful."
>If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost.
I'm not ready to buy this. I would think every captcha is going to have some failure rate, even if it is extremely low. If attacks were absolutely free, then it wouldn't matter what the attack success rate was. Computers are fast, but not infinitely fast. Bandwidth is cheap, but not infinitesimally cheap.
CAPTCHA comes from "Completely Automated Public Turing test to tell Computers and Humans Apart". These tests don't fulfill that requirement.
Random guessing gives you 3%, which is worse than random guessing on either the MSFT or reCAPTCHA.
This is far worse though. A simple loop over the 30 positions, running the output through an OCR engine would give you nearly 100%.
FWIW, I wrote the paper and AFAIK was the first person to break reCAPTCHA. I worked on the original MSFT Passport/Hotmail CAPTCHA system and improved MySpace's CAPTCHA which took spammer registrations from ~1,000,000/day (automated) to a few thousand (manual) in late 2007.
Hm, I think an easy way to circumvent this style of captcha with a small amount of work would be to just send every iteration to Google as a reverse image search and pick the iteration with the most results.
- Non-distorted image: http://goo.gl/R3WnQ This is the "perfect" choice and also returns a good amount of search results.
- Slightly distorted image: http://goo.gl/G0xQN This results in a "human" choice on the picker and picks up a fair number of search-results.
I imagine 15-20 searches per captcha, but if you just pick the best per set you're probably going to end up with adequate results in circumventing the system.
I like this, but I think there needs to be some additional security placed on it. It's pretty easy to make a computer tell you when an image is a perfectly straight advertisement and when it's a jumbled mess (or at least with enough accuracy to beat this captcha pretty frequently). You have to make the final image still only human readable. One way I can think of is to have the slider "twist" two images into each other, and there are two spots on the slider which reveal a clean image (one spot for each image). Text above the field says something like "Slide until you see the __________ image" and that way there would be additional human verification.
Isn't the real purpose of this widget not to deflect bot-spam, but to force user to pay attention to an advertisement? While the system would be ineffective against a modestly intelligent spambot author, it's an excellent way for site owners to prove to advertisers that users have seen an advertisement.
36 comments
[ 2.2 ms ] story [ 106 ms ] thread* Moving the slider bit by bit and OCRing will solve 90% of the images I've seen.
* If the image selection is small you could just build a DB of all slider positions and just teach it how it is supposed to look once.
* It's not only easier for the users. It is also easier for captcha solvers in India, China, etc. This will improve their productivity immensely and free up their other hand.
More generally speaking - it's a very nice idea, but basically there are too few invalid answers to make it practical. You changed an open-ended question of a conventional captcha into a multiple choice.
This is Yet Another Complete Crap CAPTCHA. It isn't solving the problem of prevent real spammers from sending you real spam, it's solving the problem of looking enough like a CAPTCHA to think you're getting somewhere. Or in this case, selling you something.
Also, at least the spiral one I got is flat-out solvable; run "find edges", run a search for the characteristic slope relationship of the lines at various points in the images... would probably take a decent computer vision student about four hours, tops. That hardly even qualifies as trying.
I'm not sure what you're saying. Good OCR should recognize the text when it's distorted slightly, right? Which would yield false positives, no?
As much as I'd like to pick this apart, I think the slide captcha is actually pretty clever. We can nitpick implementation details all day, but most of those can be fixed. I wish I had thought of it.
About the OCR - what I meant is that most of their images had text meaning I can OCR every step and if I get something with dictionary words I submit. It will work even the OCR is very permissive (recognizes distorted text as you put it) because this implementation accepts not only the perfect straight solution but also "close enough"s.
Again, fair point on this particular implementation. However, there's no reason to have the fudge factor. It's already plenty easy to get the exact answer.
Ignoring that fudge factor, there are at least 6 options on each side of the correct answer that (I would assume) can be OCRed also. So the OCR method only cuts out maybe half of the wrong answers... perhaps better because the correct one will me closer to the middle?
I think a more foolproof attack vector would be too look for vertical and horizontal lines, which are only going to show up in the correct image.
This could be fixed by applying a similar blur operation to the original, but I'm pretty sure something else could be found. The only advantage (security-wise) this would have over the OCR-CAPTCHA approach is its relative novelty - should this approach become popular, many new ways to beat it would come up, and we would be in an arms-race like with standard CAPTCHAs.
In reality you can probably remove the extreme values as it is unlikely to be 0-2 or 27-29, so you have a 1 in 24 chance. Those are pretty decent odds if you compare them to a regular 6 letter CAPTCHA where a random guess would have a 1 in 26^6 chance of being correct.
It also took me a while to realise that I had to drag the handle instead of just being able to click in the bar where I wanted it and slide from there, although this is presumably easy to fix.
It's good to see some innovation in captchas but I don't see how this particular idea can overcome this hurdle.
I can't really work out how this works on a site? Is the idea that I use this type of CAPTCHA for 'human' sign ups, and at the same time, an advertiser gets a hit? Almost as in, to sign up, you need to see this ad?
Either way, it's interesting: I also like the secondary result of "you don't get free impressions". ie. you only pay if they click or 'solve', but at the same time, they can't see the ad, remember the name and look for it elsewhere without essentially triggering the payment if that makes sense.
Although I think because outsourcing captcha to humans is so cheap, methods like this are not going to win in the long run.
I think a more sustainable strategy is to make it more and more expensive for those who want to solve captchas in large volumes.
Things like solving a cryptographic challenge using the computing power of your machine.
i.e. making it cheap/easy enough for legitimate users who may need to submit the form once a month but such that it becomes too expensive for those who want to exploit it and solve 100 of them in 5 minutes.
Even ignoring that, there appear to be only 30 distinct positions on the slider. Random guessing will net you a 3% success rate with no smarts whatsoever.
It's relatively easy to make a captcha that stands up to existing bots on when not widely deployed. For ages, I had a "captcha" on my blog that consisted of a single text field labeled, "Enter the word 'elbow'". The word didn't even change, it was hardcoded to "elbow". It kept spam away for years, because it wasn't worth anybody's time to fix their software to work with my little blog.
It really doesn't appear to me that much thought went into this thing as far as making it hard to automate solutions. Maybe I'm horribly wrong, but it looks like a gimmick, where they made something that looks hard to the naive due to being different.
From the site:
> minteye breaks through modern advertising blindness with active, engaging advertising products that can’t be ignored!
Attacking your site, with minimal effort, would have yielded a 100% success rate. Attacking this site with a guess would have yielded a 3% rate. Some of the best captchas have been attacked with success rates in the high double digits: http://en.wikipedia.org/wiki/CAPTCHA#Computer_character_reco...
So 3% doesn't look too bad after all.
I do, by the way, agree with you that the vertical lines attack would work really well.
I really don't think I'm comparing apples and oranges. I'm simply noting that any novel captcha can look good when attackers can't be bothered to actually attack it.
My experience with an unknown site has differed from yours dramatically. I have a small, custom site that I share with less than 10 friends and I have had to progressively step up the security (none -> captchas -> passwords) because it has been attacked with thousands of spam messages on several occasions.
1. The "elbow" technique. Worked OK for years, then spam began to rise.
2. A slight variation to defeat generalized bots. I changed the field label to, "Type 'humour' with American spelling." This held on for a few more years.
3. A hashcash-based solution, where a proof of work is generated using JavaScript in the client and required to post a comment. It's calibrated to take 20-30 seconds on typical computers, and doesn't start until you focus the comment fields so it's not burning CPU for people who just view the page. This is still working well for me. I get occasional spams, but from looking at the logs it appears almost certain that these are from real humans who are actually spending the 20-30 seconds waiting for the hashcash to compute. I only have to delete one or two spam comments a month for the moment.
Wonder what caused your site to suffer so much more.
http://bitland.net/captcha.pdf
Those papers may be a few years old and the state of the art may be different. But after an initial look I'm missing the reason that, compared to these captchas, you think that "3% is awful."
>If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost.
I'm not ready to buy this. I would think every captcha is going to have some failure rate, even if it is extremely low. If attacks were absolutely free, then it wouldn't matter what the attack success rate was. Computers are fast, but not infinitely fast. Bandwidth is cheap, but not infinitesimally cheap.
Random guessing gives you 3%, which is worse than random guessing on either the MSFT or reCAPTCHA.
This is far worse though. A simple loop over the 30 positions, running the output through an OCR engine would give you nearly 100%.
FWIW, I wrote the paper and AFAIK was the first person to break reCAPTCHA. I worked on the original MSFT Passport/Hotmail CAPTCHA system and improved MySpace's CAPTCHA which took spammer registrations from ~1,000,000/day (automated) to a few thousand (manual) in late 2007.
For example:
- Distorted image: http://goo.gl/w2ykx (bad results, not human)
- Non-distorted image: http://goo.gl/R3WnQ This is the "perfect" choice and also returns a good amount of search results.
- Slightly distorted image: http://goo.gl/G0xQN This results in a "human" choice on the picker and picks up a fair number of search-results.
I imagine 15-20 searches per captcha, but if you just pick the best per set you're probably going to end up with adequate results in circumventing the system.
Just thinking out loud.