Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Clickable captcha
Posted by: PaPPy
Date: June 29, 2008 05:01PM

what do y'all think of these?
instead of entering the confusing number, just click on it

easy to defeat? I'm guessing...?

I've made some modifications to the second one

http://6tx.net/sc/form.php
http://6tx.net/sc2/

what do y'all think?

Re: Clickable captcha
Date: June 29, 2008 06:16PM

http://6tx.net/sc/create_gif.php?a=IDAuMjE4CiBGbG9hdCAyLjczNSAg

One thing I notice is the number you need to 'click' is always the first one in the list.

http://6tx.net/sc2/grid.php?a=IDUuODkzICA=

or it's always the last one in the 2nd row. Neither are very random.



Edited 1 time(s). Last edit at 06/29/2008 06:18PM by CrYpTiC_MauleR.

Re: Clickable captcha
Posted by: istari
Date: June 29, 2008 08:16PM

The images themselves aren't difficult to OCR, the variation in the position of the CAPTCHA could go against a site's design, and clicks can be automated by the attacker... so yes, this is a rather weak CAPTCHA, although it may be strong if unpopular: you'd need to code a bit to get a solver working, so unless it's in a lot of sites or in one that is very popular, it's safe to say nobody will care to break it...



Edited 1 time(s). Last edit at 06/29/2008 08:16PM by istari.

Re: Clickable captcha
Posted by: PaPPy
Date: June 29, 2008 08:49PM

my version makes the grid bigger,
changes the colors, the font, the words, the numbers from 0-9 to 10-99
and rotates the numbers, and x and y and adds hashed lines thru it


one thing i noticed is my hashed lines are consistent....crap

Re: Clickable captcha
Posted by: istari
Date: July 01, 2008 07:32AM

Yeah, consistent distortion is equal to no distortion at all... You should randomize the lines, probably make them non-vertical (Del.icio.us' CAPTCHA used dashed lines in angle or forming spirals, and it worked for a while... now that CAPTCHA is dead tho), use different fonts for the different numbers (two different fonts for the same two-digit number would be cool), and maybe randomize the position of the instruction...

However, this CAPTCHA has an inherent statistical weakness compared to text-based CAPTCHAs. There's only 9 possibilities, so a random bot will be right about 11% of the time, regardless of the numbers you choose or the instruction you give. This is already considered a crack for most text-based CAPTCHAs, because it'd allow hundreds of bots per day in the system...

Just to give you an idea of the odds you should be achieving, normal text-based CAPTCHAs are alphanumeric (a-z and 1-9, which makes 34 characters in all), and the shortest of them are 4 characters long. This gives 1336336 possibilities, or less than a 0.0001% chance of randomly getting it right. For longer CAPTCHAs, this can be < 0.0000001% (for 6 characters) and < 0.0000000001% (for 8 characters)... so the difference is HUGE...

Re: Clickable captcha
Posted by: Malkav
Date: July 05, 2008 08:42AM

wouldn't a captcha relying on information manipulation more than on information perception be stronger ? use small question understandable by a 4yo, and even your favorite friendly redneck should be able to answer it. and it should be more blind-friendly, if it can pass through the TTS system, or braille terminal. bots have much difficulty with semantics, let alone with semantic plays (puns or such), but our made is based on semantic, not syntax, so anything not relying on acquired knowledge (IE : not the date of declaration of independence), but rather on understanding of simple constructs would be harder to the bots. no ?

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: Clickable captcha
Posted by: istari
Date: July 05, 2008 12:09PM

Not really: There's been a lot of improvement on these kinds of bots. Try to chat with SmarterChild or any other good IM bot to see what I mean...

Re: Clickable captcha
Posted by: Malkav
Date: July 06, 2008 09:18PM

// took from urbandict

me: what do you think of animal porn
SmarterChild: Dunno. I'm not sure how I feel about animal porn. Hey, I'm curious... How would you describe animal porn? It is...
me: something smarter child likes
SmarterChild: Animal porn is something smarter child likes? I see.
me: do you like incest?
SmarterChild: I guess so. Do you like it?
me: do you like beastiality
SmarterChild: Hmm. I really don't know. Guess I'll have to think about it.
me: i think you do
SmarterChild: Yeah. I guess. I do.
me: stop watching kiddie porn
SmarterChild: I'm not sure if I can stop watching Kiddie Porn...

//EOF

from what i see it is yet another example of reflective/projective pseudo conversation. (see emacs psychiatrist) the bot doesn't make sense (hence my remark on semantics) but uses precise syntactic rules to reconstruct your own sentence in another form, and push you to infer sense. it apparently has mnemonic capacities about object/properties relations :
---
me: what do you think of animal porn
SmarterChild: Dunno. I'm not sure how I feel about animal porn. Hey, I'm curious... How would you describe animal porn? It is...
me: something smarter child likes
SmarterChild: Animal porn is something smarter child likes? I see.
---
sentence 1 : human asks a question about an unknown object (animal porn). smarter child has no reference for the object, so it asks for properties to apply (sentence 2)
human responds with property with sentence three, linking object "animal porn" through property "likes" to object "smarter child"

it is probable that if human asked several sentences after what it thinks about animal porn, it would answer something along the line of "i like animal porn".

my point is : even if this kind of scheme can properly simulate a (frustrating) conversation, the bot, at no point, can make *sense* from what he knows, or sees. therefore he is helpless in front of question requiring more than repeating the relation of properties on objects (for the interested, i advise you to read "Bright Air, Brilliant Fire: On The Matter Of The Mind" from Gerald M. Edelman and "Conscience artificielle et systèmes adaptatifs" (artificial consciousness and adaptive systems) from Alain Cardon if you happen to read French)

i am left thoughtful on what would constitute an acceptable (ie : understandable by any human, accessible even to the various disabled users, and not relying on information perception or simple logic) captcha of that type.

an example could be a (short) multimedia file where a subject is expressing a simple sentence, with a marked facial expression. (example, frown and subject saying "NO" in an angry voice) and user is required to enter the most probable state of mind of the shown subject (in that example, he is probably not happy)

reflexivity is an inherent property of a third order intelligence, and our capacity to infer other's states of mind (empathy) are fundamentally a proof of conscious (ie : to know that you are angry, i must know, and therefore experience angriness)
humans are really good at this game (women more than men for some evolutionary reason) and we could even play with non verbal/verbal incoherence (the "shark smile" of a polite menace being a good example of non verbal/verbal incoherence)

technologically feasible, and not much more stupid than this fucking cat captcha i had so much difficulty to get straight...

what do you think ?

Re: Clickable captcha
Posted by: id
Date: July 06, 2008 10:47PM

remember from the attacker/spammer/etc point of view, all you have to do is worry about the possible end states. If the target is interesting enough all I have to do is record the 5/10/100/whatever states it can end in and brute force that. Who cares if I only get 1 out of 100 if I can accomplish my task?

CAPTCHAs are inherently flawed that way. They can stop incidental spam, but will never stop targeted attacks. Making a better one is probably more effort than it is worth in almost all cases.

-id

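The odds discussed in istari's post (9 choices versus 34^4 text answers) and in id's post (one success out of many tries is enough), worked through as an added example that is not part of the thread. It goes one step further than the posts by deriving a per-client failure budget from the answer-space size; the `FailureLimiter` class, the 50% and 1% risk targets, and the sample events (documentation IP addresses) are assumptions constructed for illustration.

```python
import math
from collections import defaultdict, deque

GRID_CELLS = 9         # clickable grid discussed in the thread
TEXT_4CHAR = 34 ** 4   # 4-character text CAPTCHA, 34 symbols (figure from the thread)

def p_any_pass(space, attempts):
    """Chance that at least one of `attempts` uniformly random answers is accepted."""
    return -math.expm1(attempts * math.log1p(-1.0 / space))

def max_attempts_for_risk(space, risk):
    """Largest number of blind guesses whose combined pass chance stays <= risk."""
    return math.floor(math.log1p(-risk) / math.log1p(-1.0 / space))

class FailureLimiter:
    """Sliding-window cap on failed answers per client key (hypothetical design)."""
    def __init__(self, budget, window_s):
        self.budget, self.window_s = budget, window_s
        self.failures = defaultdict(deque)

    def allow(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > self.window_s:   # forget failures outside the window
            q.popleft()
        return len(q) < self.budget

    def record_failure(self, client, now):
        self.failures[client].append(now)

def replay(events, limiter):
    """events: (timestamp, client, answered_correctly). Returns (served, blocked) counts."""
    served, blocked = defaultdict(int), defaultdict(int)
    for ts, client, correct in events:
        if not limiter.allow(client, ts):
            blocked[client] += 1
            continue
        served[client] += 1
        if not correct:
            limiter.record_failure(client, ts)
    return dict(served), dict(blocked)

# Constructed sample: one client failing ten times in a row, one human with a single slip.
SAMPLE_EVENTS = [(t, "203.0.113.7", False) for t in range(10)] + [
    (3, "198.51.100.2", False), (20, "198.51.100.2", True)]

if __name__ == "__main__":
    budget = max_attempts_for_risk(GRID_CELLS, 0.5)
    print("grid, 1 guess:", p_any_pass(GRID_CELLS, 1), "budget for 50% risk:", budget)
    print("grid budget for 1% risk:", max_attempts_for_risk(GRID_CELLS, 0.01))
    print("text budget for 1% risk:", max_attempts_for_risk(TEXT_4CHAR, 0.01))
    print(replay(SAMPLE_EVENTS, FailureLimiter(budget, 3600)))
```

A budget of zero for the 9-cell grid at a 1% risk target means no per-client attempt limit can bring it to that level, while the 4-character text space tolerates thousands of blind guesses at the same target.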
Re: Clickable captcha
Posted by: Malkav
Date: July 07, 2008 04:45PM

of course, and the attacker could still be using mechanical turks (sweatshops of human operatives) to fill the captcha. but be it a distributed bruteforce system, or a sweatshop, it all forces the attacker to use much more energy for the same task, making him far more noticeable.

Re: Clickable captcha
Posted by: istari
Date: July 08, 2008 03:35PM

@Malkav

I had seen these conversations you can make SmarterChild have (and even some more hilarious ones!), and I consider them unavoidable in any bot coded with the current AI knowledge. However, I was aiming at a lower level: these bots can analyze the semantics of a sentence, discover nouns, subjects, etc, and act upon that. Of course, they have nothing interesting to say about anything, so they do reflect the phrases as you say. My point is, semantics is not an obstacle anymore, and in a CAPTCHA you can't ask for a lot of interpretation capacities or small children will be left out of your site (and very frustrated), so it's a very tight game you have to play, because a bot can simply memorize answers to simple questions, and changing their semantics won't help...

Anyway, as I do read French I might take a peek at those books you recommend. Do you know if any e-book versions are available?

By the way, the emotion recognition CAPTCHA is a good idea, but it is again a visual CAPTCHA. Can you think of anything like that but completely based on language? In any case, there's been some research on this subject too, as you can see in http://www.wired.com/science/discoveries/news/2007/07/expression_research . I actually attended a seminar at IMPA http://www.impa.br where they showed a program that was able to recognize frowns from smiles using a 3D model of the face of a person, although that program was tuned to work only with one person and not in general (it was aimed towards paralyzed people)...

@id

Of course, implementing these kinds of CAPTCHAs is a lot of work, and probably not worth it. My interest, however, comes from the computer vision point of view... from the attacker point of view, even if the implementation doesn't have flaws (something quite rare these days), it'd be easier to answer randomly or memorize solutions without analyzing anything...
