Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Return of the Heyes captcha
Posted by: Gareth Heyes
Date: July 12, 2007 02:27PM

Hi all

I've released a new version of my captcha:-
http://www.thespanner.co.uk/2007/07/12/return-of-the-heyes-captcha/

This version works with most likely sentences, for example:- "a creepy forest" not "creepy dog". The idea is to arrange the sentence in the correct order. Sentences would be different each time and at the moment it only displays 1 sentence.

My future plans include displaying a hint for the sentence but in a way that could only be understood by a human without mentioning the words in the sentence.

It's early days with the prototype but I really think this one could work.

Re: Return of the Heyes captcha
Posted by: nEUrOO
Date: July 12, 2007 03:12PM

CAPTCHAs are becoming too complicated for humans.
I keep thinking CAPTCHA is not the solution, but well, as long as nobody finds something way better...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Return of the Heyes captcha
Posted by: Gareth Heyes
Date: July 12, 2007 04:15PM

I've just uploaded an update to make it more usable.

Re: Return of the Heyes captcha
Posted by: rsnake
Date: July 12, 2007 05:54PM

Okay, where to begin?

Firstly, lots of people will never solve this correctly. Sorry, it's a fact. People just aren't very good at solving things. For instance "Sarah ran through the grassy fields" is proper English, but so is "the Sarah ran through grassy fields" depending on what a "Sarah" is. Clearly the second is non-nonsensical but not everyone is a native English speaker either, or paying enough attention to what they are doing to get it right.

Secondly, you have one of the highest probabilities of brute force solving I've ever seen in a CAPTCHA - 1/720 with six words and 1/5040 with seven words. That's less than a normal CAPTCHA of 4 digit characters. The numbers listed actually make an assumption that each word is unique - which in several of your examples they were not ("the" is used twice in the sentences more than once). In that case your probability of guessing the correct answer skyrockets to 1/120-1/720. That's worse than a three digit CAPTCHA.

Third, to actually break this would require only a split second with all possible combinations against a grammar checker since there are so few combinations.

Fourthly, I can refresh until I get an old (known/solved) CAPTCHA.

Lastly, since you have to build each sentence you can only have a limited number of sentence structures that are short enough to be easily solvable, making it incredibly easy to build a lookup table of solved CAPTCHAs.

Sorry, this CAPTCHA has serious security implications. I'd never implement this as-is.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 07/12/2007 05:59PM by rsnake.
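
An added example, not part of the original thread or of the Heyes CAPTCHA code: a small audit a designer could run over candidate sentences to measure the guess space discussed above before deploying a word-ordering challenge. It counts distinguishable word orders (treating repeated words as interchangeable), compares each against a 4-digit numeric code, and estimates how often blind guessing succeeds if refreshes are unlimited. The sample sentences, the baseline and the attempt count are assumptions chosen for illustration.

```python
from collections import Counter
from math import factorial, log2


def distinct_orderings(sentence):
    """Count distinguishable word orders; repeated words shrink the space."""
    words = sentence.lower().split()
    total = factorial(len(words))
    for repeats in Counter(words).values():
        total //= factorial(repeats)
    return total


def blind_guess_rate(orderings, attempts):
    """Chance that at least one of `attempts` random guesses is right when
    every refresh serves a fresh challenge with the same number of orderings."""
    return 1 - (1 - 1 / orderings) ** attempts


def audit(sentences, baseline=10**4, attempts=100):
    """Report each sentence's guess space against a 4-digit numeric code."""
    report = []
    for sentence in sentences:
        n = distinct_orderings(sentence)
        report.append({
            "sentence": sentence,
            "orderings": n,
            "bits": round(log2(n), 1),
            "weaker_than_baseline": n < baseline,
            "p_hit": round(blind_guess_rate(n, attempts), 3),
        })
    return report


# Constructed sample sentences (assumptions, not taken from the CAPTCHA itself).
SAMPLES = [
    "Sarah ran through the grassy fields",      # six unique words
    "the cat sat on the mat",                   # six words, "the" repeated
    "a creepy forest hides many old secrets",   # seven unique words
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Every sample falls below the 4-digit baseline, so a design of this kind depends on strict per-client attempt limits and single-use challenges rather than on the size of the puzzle.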

Re: Return of the Heyes captcha
Posted by: Gareth Heyes
Date: July 12, 2007 06:46PM

Yep I know it has major problems and I wasn't suggesting anyone use it at this stage but I have had a couple of thoughts about this and expect a new release shortly.

Thanks for your great feedback though, the information you provided will be very helpful to me when I create my next release. Stay tuned :)

Re: Return of the Heyes captcha
Posted by: rsnake
Date: July 12, 2007 08:08PM

Glad it helped, but I bet a buck I'll be able to break any changes you make. CAPTCHAs are simply flawed. I've looked at hundreds of them and broken every single last one of them. I don't see any technologies that make me think I couldn't do it (unless you also make it unusable in the process).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Return of the Heyes captcha
Posted by: Gareth Heyes
Date: July 12, 2007 08:33PM

I've just updated my CAPTCHA version 3.2

http://www.businessinfo.co.uk/labs/HeyesCaptcha3.2/heyes_captcha_test.php

It's still early stages but it grabs 2 random sentences from a story stored in a table. Then it displays the first sentence and mixes up the second which is related to the first.

There are a few problems with it, at the moment it returns either too long or too short sentences sometimes which I need to fix.

Re: Return of the Heyes captcha
Date: July 12, 2007 10:21PM

We all need to realize CAPTCHAs are fruitless. The bots get smarter, the CAPTCHA gets harder, the bots get even smarter and the CAPTCHAs get even harder. But in the end a human being just stays dumb. Make it hard for a bot, make it even harder for a human; make it very hard for a bot and make it impossible for the average human.

CAPTCHAs should only be used for limited protection. If you run a site which gets 15K views a month and you have a custom built forum, then in reality you will not need to have a hard CAPTCHA, if one at all, because the chances of someone pointing a bot at your site to break into your account, post spam would be very unlikely. Now if you were running popular software like phpBB then yeah, a bot might be more likely to target you since the bot would likely have the code to break it, but still it's lower than if your site was say myspace.com and having CAPTCHA protection would actually be beneficial, but you have to say is it worth it? You are basically turning users away who can't solve them as easily, and the ease of a site determines if a visitor will come back again. Yeah, we would all love to shun stupid people, but come on, when you want visitors to your site you take all you can get. There are other avenues in protecting a form which will be as effective if not more which would not prohibit the site's use by the average computer illiterate user.

Just my 2 cents.

Re: Return of the Heyes captcha
Posted by: rsnake
Date: July 12, 2007 10:46PM

Gareth - now you have actually made it impossible for me to solve it to even tell you what's wrong with it. I think you've failed on two accounts:

1) you haven't changed the problem, making it easy for robots to use grammar checks still (if they encounter one that's too long they can hit refresh and get a new one).
2) you've made it so difficult to solve I can't even figure out what you want me to do anymore.

This proves that it is a failed Turing test. I think it's time for you to stop the madness.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Return of the Heyes captcha
Posted by: FiSh
Date: August 18, 2007 01:44PM

I don't really know what the hope was, but if it was something along the lines of making the user so confused they'll never visit your site again, you have succeeded for sure.

Re: Return of the Heyes captcha
Posted by: Spyware
Date: August 24, 2007 05:17PM

You can't make a machine ask a question a machine can't answer. It's plain logic.

Writing information down on a post-it and slapping it on your monitor is safer than letting it be guarded by a CAPTCHA.

Re: Return of the Heyes captcha
Posted by: Gareth Heyes
Date: September 09, 2007 01:59PM

Spyware Wrote:
-------------------------------------------------------
> You can't make a machine ask a question a machine
> can't answer. It's plain logic.

Yeah that's the challenge.

I admit my CAPTCHA wasn't a success, but I haven't given up so expect a new post and I'll expect the backlash :) but hopefully not.

Re: Return of the Heyes captcha
Posted by: Spyware
Date: September 10, 2007 04:34AM

Maybe if you implement dynamic answers instead of dynamic questions it could work. But I am still unsure of the whole thing, I dunno if it's possible.

If you think about it, in the end everything isn't 100% secure, mouseclicks, keystrokes, voices, pictures and even IRIS-scans are hackable.

EDIT: typo



Edited 1 time(s). Last edit at 09/10/2007 09:43AM by Spyware.

Re: Return of the Heyes captcha
Posted by: Gareth Heyes
Date: September 10, 2007 06:05AM

Yeah I'm gonna try a different technique soon. I know the problems of creating one but I just enjoy trying the impossible :)
