New Developments in Captchas

In the never-ending arms race between systems to prove that you're a human and computers that can fake it, here's a captcha that tests whether you have human feelings.

Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you feel about it. Ostensibly robots (and trolls) won't make it through because they'll remark that a human rights activist's murder makes them feel "aroused" instead of "upset." And bots will still have to make it past standard Captcha hurdles before they can even pick one of the choices.

The easy way to attack this system is to create a library with all the correct answers.

How soon before Deckard has to come to our house to administer a test?

Posted on October 8, 2012 at 8:12 AM • 60 Comments

Comments

Andrew Gumbrell • October 8, 2012 8:22 AM

Coming round to your house to have a look at you soon won't work because humanoid robots will look just like humans anyway.

João Santos • October 8, 2012 8:22 AM

If the captcha uses only civil rights violations you could filter bad emotions and use them. Besides, some of these phrases make me sad/mad/etc. but elicit positive emotions in other people. For example, I got one about the police crackdown of a gay pride parade in Belgrade that makes me mad but would make a far-right Serbian proud.

Peter A. • October 8, 2012 8:40 AM

So it presents three words to choose from? LOL!

A random choice will get a 1/3 success rate, which is a very fair number for a spambot.

John • October 8, 2012 8:40 AM

I think this discriminates against humans who lack empathy and is therefore illegal.

Adam • October 8, 2012 8:47 AM

I think the easiest way to defeat bots is to make your site unique, i.e. if you install some forum software, modify the sign-up form and PHP to expect a field that no bot is going to expect.

e.g. an art site might say "click on the paintbrush" graphic which inserts today's random number into some hidden field. Anything without the field gets ignored, perhaps silently so the bot doesn't even think that it has failed.

Most sites simply aren't worth the effort to justify manual inspection, so just this one step would defeat virtually every drive-by attack. Probably wouldn't work with the bigger sites, but then one would hope they have the resources to combat it in additional ways.
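A server-side sketch of the hidden-field check described in the comment above, added here as an illustration; it is not code from the commenter or from any forum package. The field name `brush_token` and the secret are hypothetical, and "today's random number" is derived as an HMAC of the date under a server-side secret so that nothing has to be stored.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: per-site secret kept on the server (constructed sample value).
SITE_SECRET = b"example-secret-change-me"
# Assumption: hypothetical name of the extra hidden form field.
FIELD = "brush_token"


def daily_token(day: date, secret: bytes = SITE_SECRET) -> str:
    """Value the "click on the paintbrush" handler writes into the hidden field."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def token_is_valid(submitted: str, today: date, secret: bytes = SITE_SECRET) -> bool:
    """Accept today's token, or yesterday's for forms loaded just before midnight."""
    for day in (today, today - timedelta(days=1)):
        expected = daily_token(day, secret)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            return True
    return False


def handle_signup(form: dict, today: date, accounts: list) -> dict:
    """Create the account only when the site-specific field checks out.

    The response is identical either way, so a generic bot gets no signal
    that its registration was dropped.
    """
    token = form.get(FIELD, "")
    username = form.get("username")
    if username and isinstance(token, str) and token_is_valid(token, today):
        accounts.append(username)
    # Otherwise the submission is silently discarded.
    return {"status": 200, "body": "Thanks for signing up!"}


if __name__ == "__main__":
    today = date(2012, 10, 8)  # constructed sample date
    accounts = []
    # Constructed submissions: a generic bot that posts only the stock fields,
    # and a visitor whose click filled in the hidden field.
    print(handle_signup({"username": "spam"}, today, accounts))
    print(handle_signup({"username": "alice", FIELD: daily_token(today)}, today, accounts))
    print(accounts)
```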

Tomasz Wegrzanowski • October 8, 2012 8:52 AM

It's currently even weaker than captcha since you can just check them against a dictionary for the closest match, giving you a 1/3 chance, much better than OCRing random gibberish.

Then 100% of scenarios are negative, so you just always use those.

It's a publicity stunt of some sort.

Spaceman Spiff • October 8, 2012 9:00 AM

C3PO was such a wuss, he had to be human! However, a dyslexic kid would probably fail such a test...

Gopiballava • October 8, 2012 9:11 AM

Don't forget to look at the article before commenting. I know that I, umm, I always do.

It gives you three single or two word answers as captcha style text, with random squiggles on top of them, and distortions applied. You have to type the words.

I just got one with "truly glad", "upset", "quite elated" as the answers.

I suspect that using plain English words will make OCR easier, and that figuring out which words are negative will be extremely easy.

Craig • October 8, 2012 9:23 AM

This kind of system discriminates against psychopaths who find the thought of violent death erotic. See J.G. Ballard's novel "Crash" for more on this...

Andrew • October 8, 2012 9:42 AM

And it's not "completely automated" -- it requires a human to create the questions and select the answer words.

To be fair, though, I think its purpose is something other than a serious spam-deterrent.

ChristianO • October 8, 2012 9:51 AM

I am waiting for the peer review captcha where two subjects are put against each other in a Turing test and have to review the other person. Preferably using a video+audio connection.

t3z4r • October 8, 2012 9:52 AM

The right way to do it is to display a 3D picture whose angle or object placements can change, making too many combinations from the same picture which all have one answer (it will not much affect a human, but the bot, with that change, counts it as a different picture), and ask the user to say what the picture is; or, in the picture, people point to some object or text, and ask the user what they are pointing to.

gomez • October 8, 2012 10:13 AM

How about extending the reCaptcha "one known and one unknown" method to photos of faces carrying emotions?

Clive Robinson • October 8, 2012 10:25 AM

@ ChristianO,

You beat me on the Turing reference (it's one hundred years since his birth this year).

Mind you, my comment is completely different in that I was wondering how long it would be before these AI Bots get to the point where they can pass the Turing test in its many guises, of which this is a poor example of one.

And the process begs the question: if each Turing test slowly improves from very poor through poor to good, then are they actually "educating" the AI Bot algorithm writers in the task of producing a Hard AI machine?

James Sutherland • October 8, 2012 10:29 AM

One forum I help administer was plagued with spambots. Every morning, I'd wake up to a dozen or so new user registrations from different throwaway Gmail accounts (almost always Gmail, for various reasons). Even banning entire /16s did little to stem the tide, and captchas seemed to pose more of a challenge to human beings than to spambots (presumably that implementation had a known exploit somewhere).

Then I set the signup form to ask the name of the site they were posting on. A simple four-letter word, right in front of the user's nose - but, of course, insurmountable to spambots without manual intervention, so they'd go on to exploit their next target instead.

I agree this 'Civil Rights CAPTCHA' is disability discrimination against psychopaths and abuse-fetishists, though, not to mention residents of certain other countries: as a Slashdot poll might put it, "we don't have civil rights, you insensitive clod"! (After reading of an arrest in England for telling a sick joke in public, I'm coming to suspect the UK may be one of those countries.)

roy • October 8, 2012 11:06 AM

Apparently, worry is not a human emotion. I'm so glad to be corrected on my misunderstanding.

somebody • October 8, 2012 11:18 AM

If it asks about a situation where somebody denies civil rights to a sentient AI, does empathy mark you as a human or a bot?

kashmarek • October 8, 2012 11:38 AM

Great, just great! Now we can expect to see captchas of the liberal/conservative bend, socialist/religious, left/right, and democrat/republican. And, you will be branded forever by your right answer, wrong answer, or clicking the back button. Comes across as discrimination.

Steven Hoober • October 8, 2012 12:28 PM

I'll say it again: I have never had to use a CAPTCHA to prevent bot attacks. Not that I haven't built publicly-accessible sites used 100 million times a day, which in fact were attacked by bots (1000 pings a second).

There is always, so far, in my experience, a better way to solve for human use than this. Often, the solution also prevents paid human drones from exploiting you.

Solutions vary, a lot, but do think hard about design for security before falling into common practice.

Sophia Katt • October 8, 2012 1:01 PM

When the bots can get past Recaptcha and I can't, after eight tries this morning, to comment on a blog, life as we knew it has become impossible...

A Nonny Bunny • October 8, 2012 2:43 PM

I thought I'd give it a try, so:
(paraphrased) "In 2010 Serbia held its first Gay Pride Parade; how does that make you feel: appalled, joyful, crushed"

Now, personally, I'm kind of "meh" on the whole issue; but suppose I was a neo-conservative republican, then I'd probably be appalled, maybe even crushed if I felt really strongly; on the other hand, if I was an emotively liberal I'd probably be joyful.

So, as far as captcha-value is concerned, WTF?

Eternal • October 8, 2012 3:08 PM

@A Nonny Bunny and those mentioning discrimination...
This is made by an activist group; the point is not just the captcha but to spread their opinions. That people can have wrong opinions seems to be a feature rather than a bug, from what I can see.

However if you can read the image the other part is trivial to fix, map emotions to positive or negative and pick the option which only one alternative maps to...

Lisa • October 8, 2012 3:10 PM

Base your Captcha on the Corporate BullShit Generator:

http://cbsg.sourceforge.net/cgi-bin/live

and ask a user to explain a random phrase. If they are able to do so, then you know that they are not human.

Note that this strategy would keep out bots, lawyers, and MBA's, so it is a win-win. ;^)

tz • October 8, 2012 3:31 PM

I'm waiting for a Milgram experiment captcha. Perhaps they can link with animal control to show a cute kitten or puppy in a Schrödinger's Cat situation...

Impossibly Stupid • October 8, 2012 6:48 PM

Best CAPTCHA in the world: scan their posts for multiple links to Russian or Chinese hosted sites.

Police the content, not the sign up. Besides, just showing that we're human isn't any real guarantee that we're going to be posting anything worth reading . . .

vexorian • October 8, 2012 7:43 PM

"The easy way to attack this system is to create a library with all the correct answers."

I guess that as long as the question itself is also a captcha image and as long as the answers are various like +50 of them, this wouldn't work that well.

"Best CAPTCHA in the world: scan their posts for multiple links to Russian or Chinese hosted sites."
There are sites that deal with different sorts of automated messages, not just links.

Bruce Clement • October 8, 2012 8:05 PM

@Impossibly stupid
"scan their posts for multiple links to Russian or Chinese hosted sites"

Most of the spam comments I get on my WordPress sites have one link per comment, and looking at the last 6 entries in the spam log for one of them, 3 were for .com, 1 each for .org, .ar and .is

For me it would be tempting to simply block everything that isn't .nz (matching what my sites are), but that wouldn't help the majority of site owners.

altjira • October 8, 2012 8:33 PM

I've noticed that the spambot posts on the message boards are getting to the point where they might soon be more reasonable and intelligent than humans'. So the "never-ending arms race" might ultimately end up with willful submission.

Karl Lembke • October 8, 2012 11:02 PM

I tried a new CAPTCHA system on my website. It takes advantage of the fact that only humans have ESP. It requires the user to psychically predict the ten-digit number that will appear after hitting "enter".

Unfortunately, it seems all my traffic has been robots.

Carter • October 8, 2012 11:34 PM

Every human won't be able to pass through the Captchas.

And Bots will pass through by random selection from one of three words.

Still, a new thing will make it tougher for some time on these Bots.

Gweihir • October 8, 2012 11:52 PM

I am missing the "indifferent" choice on these tests. Because that is very much how I feel unless I get a proper story, so I have an idea who was affected.

AC2 • October 9, 2012 12:05 AM

Whatever happened to the well accepted scientific theory that

"On the Internet, nobody knows you're a dog"

Hunter Scott • October 9, 2012 2:42 AM

Some people have mentioned that simply finding the negative words would work, but sometimes the answer appears to be positive (i.e., "joyful" is the correct answer). Once you OCR each of the 3 words, you'd have to just find the odd one out. I cycled through a bunch of them and almost every time, two of the words were positive and one was negative or vice versa. This is definitely more of a gimmick than an actual attempt at security.

Ricky • October 9, 2012 3:35 AM

Deckard administered the "Voight-Kampff" test to determine if Leon is a replicant.

However, Deckard himself is likely a replicant, making his administration of the test somewhat circular.

moo • October 9, 2012 4:29 AM

@Impossibly Stupid:
That works for some kinds of blogs, but not others. For example, in the field of data compression, a lot of the interesting links go to Russian domains.

But personalizing your site's forms in some way does seem like the best way to fend off drive-by attacks. It won't stop targeted attackers who take the time to write a script for your specific site, unless you're willing to change your scheme every few days (which will probably annoy users).

I remember the c2 wiki used this strategy years ago against human vandals: they had a secret word that you had to type into a field to submit a change to a page. The secret word was not easily found from any of the front pages, but all of the real contributors knew what it was.

Roger • October 9, 2012 5:13 AM

The Real WTF is that a group that claims to defend civil rights, demonises as sub-human anyone who disagrees with them.

Gee, I think I've heard of that happening before ... now, where did it lead?

MauroS • October 9, 2012 5:41 AM

The Brazilian registrar (registro.br) has an interesting sort of captcha: they show characters and ask what are the odd numbers, what are the vowels etc. Chances of getting it right are usually pretty slim.

derp • October 9, 2012 9:50 AM

This won't affect captcha companies in India with 40 staff who just manually enter it on sites like Ticketmaster. You also can just make up your own ques/jan captcha with most software now. Almost every forum has a plugin for this.

Herm • October 9, 2012 10:11 AM

If I have to falsify emotion based upon what I think the recipient 'wants' to hear, I feel dishonest. I get enough of that as a person with autism in everyday conversations; I don't want it from computers too!

Impossibly Stupid • October 9, 2012 10:42 AM

@Bruce Clement
You can certainly adjust the rules if your attacks fit a different profile. The point remains that there is a pattern to both the attacks *and* what the attacker hopes to achieve as the result of the attack. By stopping them right at the point of account registration, people are discarding a lot of useful information when it comes to analyzing intent.

@moo & @derp
That also gets to the heart of how silly it is to make everything hinge on the one act of account registration. Actual people have a pattern of participation in a community and develop an increasing amount of trust over time. Absolutely none of that analysis is getting done, nor will it get done in the future as long as CAPTCHA is SOP.

Neil in Chicago • October 9, 2012 12:10 PM

But the subtle point was that the replicants were becoming more empathic than the humans . . .

Derek • October 9, 2012 1:18 PM

The questions are both positive and negative, the choices are emotions, not only positive and negative. You can create a word list and that would make it easier for the OCR to read the choices. An automated semantic analyzer can definitely find the semantics of the question with ease.

However, all these steps will have error margins. And I think the point is that these error margins make up for the relatively low data-set of choices. At the same time making it easier to answer, and at the same time informing about human rights violations. An effective spambot can't have a high error margin, they won't work and they will not be profitable for the spammers.

It does also give excellent protection against the 'captcha readers from India' if you use the captcha in other languages than English?

slyib • October 9, 2012 1:30 PM

How long before the big data silos start capturing our responses (remember we type them in) and use this data to further profile us?

"Joe Blank is very emphatic in his support for , so start displaying targeted ads on this subject to him on his next page refresh."

Confused • October 9, 2012 3:04 PM

Looks more like an ideology test, not a Turing test.

The exact same question, present on different web sites, or by different users, will result in different correct answers. Imagine the difference in responses if placed on Foxnews.com and msnbc.com. Or if the user was in Canada vs China.

Mix in that not everyone on the globe thinks that "freedom of the press" is a good idea. That's without going near issues like homosexuality and reproductive issues.

Sounds like a "push poll" of sorts to me. More intended to shape politically correct opinion than prevent bots.

curtmack • October 9, 2012 3:14 PM

@tz

There's an animal adoption agency that produces an animal-based CAPTCHA. It links to their database and produces a set of pictures of cats and dogs. You have to select all of the cats.

Since it's an adoption agency, the pictures are of actual animals they're caring for, and after passing the CAPTCHA the page shows "Adopt me!" links for each one. Quite a clever idea, actually.

Autolykos • October 10, 2012 5:08 AM

"I'm waiting for a Milgram experiment captcha. Perhaps they can link with animal control to show a cute kitten or puppy in a Schrödinger's Cat situation..."

And anyone who fries the kitten must be human? Seriously, I can't imagine machines ever becoming as senselessly cruel as humans are...

gandalf • October 10, 2012 12:42 PM

@Ricky

"Deckard administered the 'Voight-Kampff' test to determine if Leon is a replicant. However, Deckard himself is likely a replicant, making his administration of the test somewhat circular."

Deckard might have been a replicant, but he didn't test Leon; Leon killed the guy that did in the middle of the test. So they called in Deckard.
For all you graybeards, why is it that I can't figure out most current captchas? I have to go through a few of them.

Vatos • October 10, 2012 2:46 PM

Steven Hoober.

It is pretty annoying having to solve a captcha when asking about an item on eBay. Can you suggest a way eBay can avoid having to use one?

Mark • October 12, 2012 2:53 AM

@gandalf,

Leon riddled Holden but didn't kill him - in Bryant's words, "He can breathe OK... as long as nobody unplugs him".

Eugene • October 13, 2012 7:13 AM

One of my favorite weblogs asks commenters this simple question:

What is the square root of -1?

Just a single keystroke to enter, no captchas, no squinting at blurry squiggles, and it nicely keeps out utter morons :)

Herman • October 15, 2012 4:35 AM

Sociopaths are human too. They may be inhumane, but that should not disqualify them from using a computer resource.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..