HTML Encoded Captchas 177
rangeva writes to tell us about a twist he has developed on the common Captcha technique to discourage spam bots:
HECs encode the Captcha image into HTML, thus presenting an unsolved challenge to the bots' programmers. From the writeup: "The Captcha is no longer an image and therefore not a resource they can download and process. The owner of the site can change the properties of the Captcha's HTML, making it unique,... add[ing] another layer of complication for the bot to crack." HECs are not exactly lightweight — the one on the linked page weighs in at 218K — but this GPL'd project seems like a nice advance on the state of the art.
Bad form (Score:5, Insightful)
Re:I failed to see how this'll help (Score:5, Insightful)
It's not that simple. Since the Captcha is no longer an image that you can download, the bot will first has to locate the position of the Captcha. The owner of the site can modify the layout of the page and Captcha making it unique. By rendering the image into HTML you practically modify to encoding of the image to a new and unique one - making it highly difficult to create a generic bot that will learn to decode all the HTML variations out there.
The problem today is with automated software that download the Captcha images from a pre-defined location (URL) and crack them. HECs makes it much harder to locate this resource.
Oh and everything is Crackable;)
Re:I failed to see how this'll help (Score:4, Insightful)
Yes, I see that they recommend adding in random divs and crap. If it's still a table, it's still very very easy to parse, even without a parser. If they intend for you to replace the table with 'random elements'
Re:What are the gotchas with these captchas (Score:5, Insightful)
Re:What are the gotchas with these captchas (Score:3, Insightful)
Nyh
When bad ideas go live (Score:1, Insightful)
This is what happens when bad ideas are brought to life. This will only waste the site owner's bandwidth, maybe slow down the attacker slightly while the algorithm is modified.. we're talking AT MOST a couple days work. You could achieve the same result by adding a 2-second delay to the CAPTCHA cgi, the same idea as adding a delay to failed logins... if you can't properly defeat the attackers, at least slow them down.
We've reached a point where, with security/copy protection, if it is something than can be done by a human sitting at a computer, the human can be removed from the equation. The greatest shortcoming of any system like CAPTCHA, or even asking "human intelligence" questions like "What do monkeys eat" or other things that computers don't innately "know", is that a human has to computerize those actions in the first place. You have to teach YOUR computer what the answer to the monkey question is, and there are only so many answers you will teach it until you run out of ideas (or exhaust the body of humankind's knowledge). Eventually the attacker will know all the answers to your challenges and you've just wasted a whole lot of time.
A better strategy here is the psychological approach. How do you get rid of a tireless attacker ? What motivates an attacker ? They WANT something of value to them. That something can be email addresses, zombie hosts, or in the case of blog spam they just want eyeballs. There are two ways to demotivate them: get rid of what's luring them, or make your prize harder to get than everyone else's. The first solution might mean crippling your site, even making it totally worthless (think site owners that give up, communities that are abandoned after relentless attacks). The second solution only buys you time, because the more vulnerable sites will ramp up their security, sooner or later, and then you're back at square one.
Actually there is a solution 3: find the attackers and attack THEM. Hey it's not the higher road, but it's damn effective.
Captcha's are annoying (Score:5, Insightful)
While this has little to do with the original post I have a really annoying experience with captchas
I have 20/20 vision and am not color blind. Captchas are becoming so complicated and garbled that I get the code wrong about 40% of the time. Another portion of the time I take to long trying to answer the code question and type in the right characters. I typically get screwed on the number Zero and the letter 'O' and lowercase 'L' and the number 1.
It'b becoming, for me, an entry barrier to signing up and gaining access to websites. It would be much easier to simply use email authentication. What do you do with the people who are color blind? I spent some years dealing with display design and this was a legitimate concern that we addressed at the time for a specialized group of people. In the common population there are a lot more occurrences of people who are color blind.
Are captcha's really worth the effort compared to other more human friendly processes? Is anyone working on what we will be doing next? Considering that there are decades of technology in machine vision technology to pull from I think it will be fairly trivial for the bots to become better at reading captchas than humans.
It might be effective to take the email authentication process and apply everything that mail servers do to authenticate the user. What I mean by this is apply all the mail server rules like FQDN requirements for HELO, fully resolvable email domains, valid email addresses, non-open relays. Much of this would eliminate either the bots or the ISP's who are too stupid to properly configure a mail server. Similarly it might be sufficient to code the HTML/HTTP to expect a properly responding client and not some hacked up bot that can't do most of it right.
Re:I failed to see how this'll help (Score:3, Insightful)
The "HTML renderer" in question will be either Mozilla or IE, both of which offer through Javascript the ability to find the absolute position of an element, and its absolute width and height. So the only "hard" part left is identifying the HTML location of the test, probably with something like XPath, or Mozilla's DOM Inspector which already allows you to just click on the element (and maybe go up in the hierarchy a bit.)
And I'm pretty sure the spammers already have programs to make it easy to have a human do just the hard parts, like identifying the location of the test, because I'm pretty sure that I've seen them have that sort of program to figure out the form field names easily. (Unique blogs, that is, blogs not based on any common software, have gotten blog spam too quickly and thoroughly before for any other explanation to make sense.)
You can try to move the test around, but you're right back to an arms race (which is where we already were, so no progress), and it's one where the spammers have a system that automatically notifies them of when they need to make changes.
The only spam solution is total moderation of the comment queue. If everyone did that there would be no spam anymore. (Somewhat ironically.)
Clever but no cigar. (Score:3, Insightful)
It's a useful tool to slow down script kiddies but it won't stop anyone that could actually write the code to grab the characters in the image in the first place.
Re:Render, PrintScr, OCR? (Score:1, Insightful)
Been done. kittenauth.com It's even nine pictures, so I suspect you're just not giving credit.