

Typing Free Captcha - mikle
http://www.minteye.com/Products.aspx

======
mikle
Just to be fair - it is less friction than a typing captcha. I still think the
security of it is pretty weak. Possible vulnerabilities include:

* Moving the slider bit by bit and OCRing will solve 90% of the images I've seen.

* If the image selection is small you could just build a DB of all slider positions and just teach it how it is supposed to look once.

* It's not only easier for the users. It is also easier for captcha solvers in India, China, etc. This will improve their productivity immensely and free up their other hand.

~~~
angry-hacker
+ There are only 29 different variations, so bots can easily just try each
one of them...

~~~
jerf
They don't even have to do that; a 1/29th chance of success is plenty for the
scammers.

This is Yet Another Complete Crap CAPTCHA. It isn't solving the problem of
preventing real spammers from sending you real spam, it's solving the problem of
looking enough like a CAPTCHA to think you're getting somewhere. Or in this
case, selling you something.

Also, at least the spiral one I got is flat-out solvable; run "find edges",
run a search for the characteristic slope relationship of the lines at various
points in the images... would probably take a decent computer vision student
about four hours, tops. That hardly even qualifies as trying.

------
justinvh
Hm, I think an easy way to circumvent this style of captcha with a small
amount of work would be to just send every iteration to Google as a reverse
image search and pick the iteration with the most results.

For example:

- Distorted image: <http://goo.gl/w2ykx> (bad results, not human)

- Non-distorted image: <http://goo.gl/R3WnQ> This is the "perfect" choice and
also returns a good amount of search results.

- Slightly distorted image: <http://goo.gl/G0xQN> This results in a "human"
choice on the picker and picks up a fair number of search results.

I imagine 15-20 searches per captcha, but if you just pick the best per set
you're probably going to end up with adequate results in circumventing the
system.

------
borplk
Neat and I really like to see innovation in this area.

Although I think because outsourcing captcha to humans is so cheap, methods
like this are not going to win in the long run.

I think a more sustainable strategy is to make it more and more expensive for
those who want to solve captchas in large volumes.

Things like solving a cryptographic challenge using the computing power of
your machine.

i.e. making it cheap/easy enough for legitimate users who may need to submit
the form once a month but such that it becomes too expensive for those who
want to exploit it and solve 100 of them in 5 minutes.

------
tagawa
One of the biggest issues with standard captchas is their lack of
accessibility, especially for blind or low-vision users. Some provide an audio
alternative but they're generally worse than the visual version.

It's good to see some innovation in captchas but I don't see how this
particular idea can overcome this hurdle.

~~~
cpfohl
The audio alternative for this one is a voice that says, 'Move the slider
right' or 'Move the slider left' and 'using the arrow keys'. The problem is
that it would be _easy_ to use a machine to process that. Especially since the
correct location makes the voice say something completely different from 'move
the slider'

------
quotemstr
Isn't the real purpose of this widget not to deflect bot-spam, but to force
users to pay attention to an advertisement? While the system would be
ineffective against a modestly intelligent spambot author, it's an excellent
way for site owners to prove to advertisers that users have seen an
advertisement.

------
habosa
I like this, but I think there needs to be some additional security placed on
it. It's pretty easy to make a computer tell you when an image is a perfectly
straight advertisement and when it's a jumbled mess (or at least with enough
accuracy to beat this captcha pretty frequently). You have to make the final
image still only human readable. One way I can think of is to have the slider
"twist" two images into each other, and there are two spots on the slider
which reveal a clean image (one spot for each image). Text above the field
says something like "Slide until you see the __________ image" and that way
there would be additional human verification.

Just thinking out loud.

------
narcissus
Can someone explain this to me please? It seems as though it's touting itself
as a CAPTCHA for site owners, but as an interactive ad block for advertisers?

I can't really work out how this works on a site? Is the idea that I use this
type of CAPTCHA for 'human' sign ups, and at the same time, an advertiser gets
a hit? Almost as in, to sign up, you need to see this ad?

Either way, it's interesting: I also like the secondary result of "you don't
get free impressions". ie. you only pay if they click or 'solve', but at the
same time, they can't see the ad, remember the name and look for it elsewhere
without essentially triggering the payment if that makes sense.

------
mikeash
I don't understand how this could possibly work. The original images all
appear to have lots of straight lines. I'm no expert in computer vision, but
surely "does this image contain straight lines?" is a relatively easy
operation to automate. Maximize that and you have a solution.

Even ignoring that, there appear to be only 30 distinct positions on the
slider. Random guessing will net you a 3% success rate with no smarts
whatsoever.

It's relatively easy to make a captcha that stands up to existing bots when
not widely deployed. For ages, I had a "captcha" on my blog that consisted of
a single text field labeled, "Enter the word 'elbow'". The word didn't even
change, it was hardcoded to "elbow". It kept spam away for _years_, because
it wasn't worth anybody's time to fix their software to work with my little
blog.

It really doesn't appear to me that much thought went into this thing as far
as making it hard to automate solutions. Maybe I'm horribly wrong, but it
looks like a gimmick, where they made something that _looks_ hard to the naive
due to being different.

~~~
jere
Well, you're comparing apples to oranges. You're comparing a hand coded attack
against a specific captcha (a guess at the position/vertical lines) to no one
making the attempt at all.

Attacking your site, with minimal effort, would have yielded a 100% success
rate. Attacking this site with a guess would have yielded a 3% rate. Some of
the best captchas have been attacked with success rates in the high double
digits:
<http://en.wikipedia.org/wiki/CAPTCHA#Computer_character_recognition>

So 3% doesn't look too bad after all.

I do, by the way, agree with you that the vertical lines attack would work
really well.

~~~
jwilkins
What do you mean by 'some of the best'? If a CAPTCHA can be solved or guessed
in an automated fashion then attackers can just throw more (likely
compromised) machines at the problem at little cost. 3% is awful.

<http://bitland.net/captcha.pdf>

~~~
jere
In your link, their first attempt at breaking reCaptcha seemed to yield a
17.5% success rate. I was referencing Wikipedia, which stated a 60% success
rate against Microsoft's captcha and a 30% success rate against Google's
captcha:
<http://en.wikipedia.org/wiki/Captcha#Computer_character_recognition>

Those papers may be a few years old and the state of the art may be different.
But after an initial look I'm missing the reason that, compared to these
captchas, you think that "3% is awful."

> If a CAPTCHA can be solved or guessed in an automated fashion then attackers
> can just throw more (likely compromised) machines at the problem at little
> cost.

I'm not ready to buy this. I would think _every_ captcha is going to have some
failure rate, even if it is extremely low. If attacks were absolutely free,
then it wouldn't matter what the attack success rate was. Computers are fast,
but not infinitely fast. Bandwidth is cheap, but not infinitesimally cheap.

~~~
jwilkins
CAPTCHA comes from "Completely Automated Public Turing test to tell Computers
and Humans Apart". These tests don't fulfill that requirement.

Random guessing gives you 3%, which is worse than random guessing on either
the MSFT or reCAPTCHA.

This is far worse though. A simple loop over the 30 positions, running the
output through an OCR engine would give you nearly 100%.

FWIW, I wrote the paper and AFAIK was the first person to break reCAPTCHA. I
worked on the original MSFT Passport/Hotmail CAPTCHA system and improved
MySpace's CAPTCHA which took spammer registrations from ~1,000,000/day
(automated) to a few thousand (manual) in late 2007.

------
krajzeg
While this is interesting, it looks simple to beat in the current iteration.
The distort operation blurs the image, so the original is easy to pick out by
simply determining the relative contrast of all the images.

This could be fixed by applying a similar blur operation to the original, but
I'm pretty sure something else could be found. The only advantage (security-
wise) this would have over the OCR-CAPTCHA approach is its relative novelty -
should this approach become popular, many new ways to beat it would come up,
and we would be in an arms-race like with standard CAPTCHAs.

~~~
aaronbasssett
It actually looks easier than this. There appear to be only 30 possible
values for the slider. Send a random number between 0-29 and you have a 1 in
30 chance of being right.

In reality you can probably remove the extreme values as it is unlikely to be
0-2 or 27-29, so you have a 1 in 24 chance. Those are pretty decent odds if
you compare them to a regular 6 letter CAPTCHA where a random guess would have
a 1 in 26^6 chance of being correct.

~~~
stonedyak
It looks like it allows a bit of leeway too - you can submit two stops either
side of the 'correct' value and still be allowed through. So that's a 1 in 6
(5 in 30) chance of a random guess being allowed.

------
rlpb
This seems very sluggish in my browser (Firefox 17.0.1). There's about half a
second of lag, which is far too long.

It also took me a while to realise that I had to drag the handle instead of
just being able to click in the bar where I wanted it and slide from there,
although this is presumably easy to fix.

------
mwexler
I found the experience to be rather annoying, actually. While my eyes aren't
great, my clicking/sliding fine tuning is even worse. I understand the issues
involved, but I prefer to not have something dependent on dexterity.
Otherwise, just have a video game as the captcha and be done with it.

------
Solomoriah
Doesn't work with mobile Firefox, at least not on my tablet. Would be a
dealbreaker for me, obviously.

------
program
There are 30 images so there is a 3.3% success rate using a random pick
approach. Which is enough.

