
New and better ways to CAPTCHA

PostPosted:Sun May 17, 2009 6:10 pm
by SineSwiper
CAPTCHA is the system used for registration pages to make sure you are an actual human, and not a bot. Most of them rely on text in an image with a bunch of lines and stuff on it. I wanted to do something different.

http://www.tows.cc/temp/eatrandomly/newuser.pl

Test it out and try to break this. Let me know if something doesn't match that should match (or vice versa). You can reload the page to try out other images.

PostPosted:Sun May 17, 2009 6:24 pm
by Mental
Dude, you're win.

License that technology. Make a database of pictures and answers and sell it to people for captcha purposes. I think you could actually get rich.

PostPosted:Sun May 17, 2009 7:28 pm
by SineSwiper
There's already a company that does CAPTCHA for other web apps. Twitter uses them. They have something like this, but I think they use Google Images, which is mighty dangerous, and comes with sub-par pictures.

Stock Xchange, on the other hand, has some pretty good quality stuff. I think at some point, I'll raid Wiktionary for sound files to match with the images.

The hard part is all of this stuff has to be done manually in order to make sure the stuff works right and works the first time.

PostPosted:Sun May 17, 2009 9:56 pm
by Tessian
interesting... multiple words per image I take it? Is the image name randomized each time? Because I could see someone building a map of what's what.

It's pretty cool, but something tells me it'll still be crackable. I don't know enough about how CAPTCHA is cracked so I can't say.

PostPosted:Sun May 17, 2009 10:19 pm
by Kupek
Neat - I had the same idea a bit ago. Never had the time to implement it.

PostPosted:Sun May 17, 2009 10:24 pm
by Mental
If you wanted to make it harder for someone to database-crack your app, which would be the biggest danger for a system like this that requires a limited number of human-overseen entries, you could write a server-side image postprocessor that changed the saturation, changed the lighting, the luminance, or other options that would make it very hard for a bot to recognize an image against a database but very easy for humans to still see it. :)

PostPosted:Mon May 18, 2009 12:08 am
by SineSwiper
Tessian wrote:interesting... multiple words per image I take it? Is the image name randomized each time? Because I could see someone building a map of what's what.

It's pretty cool, but something tells me it'll still be crackable. I don't know enough about how CAPTCHA is cracked so I can't say.
Basically, if you can read the source code to figure out the answer, it's crackable. However, I have given the image file a random filename (which changes every time somebody tries to register). The image is actually directly in the database, and the script pulls it out.
Replay wrote:If you wanted to make it harder for someone to database-crack your app, which would be the biggest danger for a system like this that requires a limited number of human-overseen entries, you could write a server-side image postprocessor that changed the saturation, changed the lighting, the luminance, or other options that would make it very hard for a bot to recognize an image against a database but very easy for humans to still see it. :)
Then you run into the problem with the traditional CAPTCHA system. Besides, the reason why they do that is because of OCRs. Nobody is going to try to "OCR" stock images to figure out what it represents.

Actually, the only hole I could see in this system is that there are a limited set of images. A bot could try to brute force its way in over and over again with the same answer. There is a limit on the number of tries (which I turned off for this test), but that expires at some point.

I'm guessing that the settings are reasonable enough to allow any human to answer without being annoying, and strict enough to keep bots out.

PostPosted:Mon May 18, 2009 10:17 pm
by SineSwiper
Replay wrote:If you wanted to make it harder for someone to database-crack your app, which would be the biggest danger for a system like this that requires a limited number of human-overseen entries, you could write a server-side image postprocessor that changed the saturation, changed the lighting, the luminance, or other options that would make it very hard for a bot to recognize an image against a database but very easy for humans to still see it. :)
Done.

I must say that I really like the Imager Perl module, too. The code for this was easy:
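Code:
   use Imager;

   # $image holds the raw image bytes pulled from the database
   my $imager = Imager->new;
   $imager->read(data => $image) or die $imager->errstr;
   # Small random blur, noise and sharpening so the served bytes differ on every request
   #$imager->filter(type => 'contrast', intensity => .97 + rand(0.06) );
   $imager->filter(type => 'gaussian', stddev => rand(0.5) );
   $imager->filter(type => 'noise',    amount => rand(5), subtype => 1);
   $imager->filter(type => 'unsharpmask', stddev => rand(0.5), scale => rand(0.5));
   # Write back into $image in the randomly chosen format $ext
   $imager->write(data => \$image, type => $ext) or die $imager->errstr;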
Also note that it can read/write all three types of extensions, so I have it randomly pick an extension, too.

PostPosted:Mon May 18, 2009 11:13 pm
by Mental
SineSwiper wrote:
Tessian wrote:interesting... multiple words per image I take it? Is the image name randomized each time? Because I could see someone building a map of what's what.

It's pretty cool, but something tells me it'll still be crackable. I don't know enough about how CAPTCHA is cracked so I can't say.
Basically, if you can read the source code to figure out the answer, it's crackable. However, I have given the image file a random filename (which changes every time somebody tries to register). The image is actually directly in the database, and the script pulls it out.
Replay wrote:If you wanted to make it harder for someone to database-crack your app, which would be the biggest danger for a system like this that requires a limited number of human-overseen entries, you could write a server-side image postprocessor that changed the saturation, changed the lighting, the luminance, or other options that would make it very hard for a bot to recognize an image against a database but very easy for humans to still see it. :)
Then you run into the problem with the traditional CAPTCHA system. Besides, the reason why they do that is because of OCRs. Nobody is going to try to "OCR" stock images to figure out what it represents.

Actually, the only hole I could see in this system is that there are a limited set of images. A bot could try to brute force its way in over and over again with the same answer. There is a limit on the number of tries (which I turned off for this test), but that expires at some point.

I'm guessing that the settings are reasonable enough to allow any human to answer without being annoying, and strict enough to keep bots out.
If you make the database big enough, it won't happen.

I'd be willing to hook you up with some photos from my private collection (own shots, my rights, no IP issues) along with some tags. Do you want to make a simple page where I or others could help you out with some image/tag pairs in our spare time? It should be pretty easy to make a single image upload field and text field hooked into your DB, right?

PostPosted:Mon May 18, 2009 11:16 pm
by Mental
"Private collection" = my nature and texture photography I do with my Sanyo CA6. Leaves, rocks, mountains, hills, trees.

PostPosted:Tue May 19, 2009 7:49 am
by SineSwiper
Well, just give me a CSV file with the image filename on one side and the word on the other side. Multiple rows for the words. The word must not contain spaces or any other non-word character, and must be lowercase. Don't worry about plurals, as the LED will take care of those. Here's an example:

filename.jpg,pizza
filename.jpg,food
filename.jpg,dinner
filename.jpg,fork
filename.jpg,hand
filename.jpg,tomato

Of course, I also need a ZIP of the pictures, too. Must not be bigger than what I have already, and must not be bigger than 32KB.
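
An added example, not part of SineSwiper's script: a Python audit of a tag file in the CSV layout described above, tied to the repeated-answer hole raised earlier in the thread. It assumes every attempt is shown a uniformly random image; the sample rows and the function names are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample in the "filename,word" layout from the post above.
SAMPLE_CSV = """pizza.jpg,pizza
pizza.jpg,food
pizza.jpg,dinner
salad.jpg,food
salad.jpg,Salad
salad.jpg,green
tree.jpg,tree
tree.jpg,ice cream
cat.jpg,cat
"""

# The post's rule: lowercase, no spaces or other non-word characters.
WORD_OK = re.compile(r"[a-z0-9_]+")

def load_tags(text):
    """Return ({filename: {words}}, [(line_no, row), ...]) with bad rows rejected."""
    tags, rejected = defaultdict(set), []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) == 2 and WORD_OK.fullmatch(row[1]):
            tags[row[0]].add(row[1])
        else:
            rejected.append((line_no, row))
    return dict(tags), rejected

def guess_coverage(tags):
    """Fraction of images that each single word would pass."""
    hits = Counter(word for words in tags.values() for word in words)
    return {word: n / len(tags) for word, n in hits.items()}

def pass_chance(p, tries_per_window, windows=1):
    """Chance that one repeated answer passes at least once when the attempt
    limit allows tries_per_window and has expired `windows` times."""
    # Assumption: each try draws a fresh image uniformly at random.
    return 1 - (1 - p) ** (tries_per_window * windows)

if __name__ == "__main__":
    tags, rejected = load_tags(SAMPLE_CSV)
    print("rejected rows:", rejected)
    word, p = max(guess_coverage(tags).items(), key=lambda kv: kv[1])
    print(f"widest tag {word!r} passes {p:.0%} of images")
    print("3 tries, 1 window:", pass_chance(p, 3), "| 5 windows:", pass_chance(p, 3, 5))
```

An attempt limit that expires only slows the guessing down, so the figure to drive down is the coverage of the widest tag: more images, and fewer generic words shared across them.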

PostPosted:Tue May 19, 2009 1:09 pm
by Mental
*sigh* that will take longer. i may not get around to it nearly as fast, just warning you.

PostPosted:Tue May 19, 2009 1:47 pm
by Flip
Don't take his personal pictures.

Didn't you, metal, threaten to file a court injunction one time on the shrine to have it shut down because you thought you owned it?...

I can just see mental thinking he 'owns' your program and throwing a hissy fit down the road.

Nothing good can come of this.

PostPosted:Tue May 19, 2009 1:58 pm
by Mental
I'm going to hold my tongue here.

It's up to you, Sine. Flip, whether or not your point is valid, your civility is nonexistent. If you have objections to something like this, you have a responsibility to relate them in a way that's respectful.

Anyway, it's just more work for me either way. I was trying to be helpful, and I have plenty of work to do on my own projects. So I withdraw the offer.

PostPosted:Tue May 19, 2009 2:07 pm
by Flip
Heh, it might have been a cheap stab and I apologize, don't get all bent out of shape. It's true though, right?... Well, maybe it was a call you threatened to make to the ISP to have the shrine shut down. Remembering it gives me a small chuckle, which was well worth the post.

I've been ignoring every post of yours for months, on purpose, and I suppose I can continue to do so.

PostPosted:Tue May 19, 2009 2:38 pm
by Mental
Thinking about it more, while I think the way he said it was mean-spirited, Flip has a point. We historically don't always get along, Sine, so perhaps it's best that we don't work together on any projects. That being said, I think this is one of the better ideas you've had, and I do encourage you to think about continuing to develop it.

PostPosted:Tue May 19, 2009 2:52 pm
by Eric
wtf, Logic Prevails? What is this madness.

PostPosted:Tue May 19, 2009 3:04 pm
by Zeus
Eric wrote:wtf, Logic Prevails? What is this madness.
Only in a truly insane world does common sense and maturity come off as madness :-)

PostPosted:Tue May 19, 2009 3:11 pm
by Kupek
Madness? ...

PostPosted:Tue May 19, 2009 5:02 pm
by Zeus
Kupek wrote:Madness? ...
Ask Darkness over there. I'm just quoting his term :-)

PostPosted:Tue May 19, 2009 5:19 pm
by Mental
Zeus, you fool...

This is SPARTA!!!!!!!!

PostPosted:Tue May 19, 2009 5:29 pm
by Zeus
Replay wrote:Zeus, you fool...

This is SPARTA!!!!!!!!
Sorry, only seen the movie once. Missed that quote.

Would go perfect with his pic, though :-)