

reCAPTCHAs are finally readable by normal humans - bgtyhn
http://arstechnica.com/information-technology/2013/10/recaptchas-are-finally-readable-by-normal-humans/

======
hackinthebochs
I have a feeling this won't last very long now that they've publicized the
fact that they profile a user's interaction with the system. Things like rate
of hitting captchas, mouse movements, characters typed before pressing send,
etc are all easy to mimic and control if you know they're analyzing that info.

~~~
pfg
Well, since all this information has to be collected client-side, I'm sure
people working on captcha solvers would have figured it out anyway.

Plus, there's a huge difference between them publishing what information
they're collecting and actually knowing how they're using that data, IMO.

------
malbs
I thought maybe I was the only one who struggled with recaptcha captchas. On
some sites I have literally tried 10-15 times before finally becoming too
frustrated and giving up solving the captcha because whatever it was (form to
fill out for a download, fill out a comment on a site), just wasn't worth the
time I was wasting. Hugely irritating.

~~~
akg_67
Initially, I was using reCAPTCHA on my site. But after hearing from irate
users and specially preventing new users from registering, I decided to
disable and use a simplified CAPTCHA. Losing new potential users to CAPTCHA
wasn't acceptable.

------
BIair
If you own a website and use Recaptcha for human verification you know it's
been broken for years. Whether it's too hard for humans, too easy for bots, or
by-passed using 3rd party labor for pennies per solve.

------
olalonde
I wonder if a Javascript based proof-of-work system could be used as an
alternative to CAPTCHAs. It wouldn't stop spam entirely but it would rate-
limit it and possibly render some forms of spam unprofitable. As a bonus, the
proof-of-work could be tied to something useful (Folding@home?) just like
reCAPTCHA's CAPTCHAs are useful for digitizing books.

~~~
nwh
Nope. This was tried with Bitcoin back in the day. JavaScript is far too slow,
and a spammer could just blast out thousands of times the work with a single
CPU running something native. Mobile users would suffer greatly too.
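
[Added example, not part of the thread: a hashcash-style form challenge of the kind proposed above, sketched in Python. The key, difficulty, lifetime and function names are assumptions; `solve()` stands in for the loop a browser would run in JavaScript.]

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = b"constructed-demo-key"    # assumption: per-deployment secret
BITS = 12                               # assumption: ~2**12 hashes per form post
MAX_AGE = 120                           # assumption: seconds a challenge stays valid

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def _zero_bits(challenge, nonce):
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(now=None):
    """Server: random salt plus issue time, MAC'd so nothing is stored yet."""
    now = int(time.time() if now is None else now)
    body = f"{os.urandom(8).hex()}:{now}"
    return f"{body}:{_mac(body)}"

def solve(challenge, bits=BITS):
    """Client: brute-force a nonce (in a browser this loop would be JavaScript)."""
    nonce = 0
    while _zero_bits(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, spent, now=None, bits=BITS):
    """Server: one hash to check, however long the client searched."""
    now = int(time.time() if now is None else now)
    try:
        salt, issued, tag = challenge.split(":")
        age = now - int(issued)
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _mac(f"{salt}:{issued}").encode()):
        return False                    # not a challenge this server issued
    if not 0 <= age <= MAX_AGE or challenge in spent:
        return False                    # expired, or already redeemed (replay)
    if _zero_bits(challenge, nonce) < bits:
        return False                    # not enough work
    spent.add(challenge)
    return True
```

`BITS` sets the expected client cost at 2**BITS hashes per submission; the reply's objection is that a native solver gets through that work far faster than a browser on a phone, so any value tolerable for mobile users is cheap for a spammer.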

------
cantcatch22
Does this mean that digitizing of books through reCAPTCHAs will be done at a
much slower rate or not at all?

~~~
Larrikin
Are they even digitizing books anymore? I seem to always get a house number.
The house numbers make it really easy to know I don't actually have to type
that part

~~~
hackinthebochs
I figured out a while ago that you only ever need to type the nonsensical
string.

I think it's pretty clear the reading books bit was abandoned long ago. I never
get non-test words that are in any way a struggle for a competent OCR system.
And on the occasion that I do, it's impossible for me to read either. If they
provided context it would be much more helpful.

As an aside, if you've ever had to solve one of these through TOR and you
happen to be running through some eastern european countries... good god those
are the most frustrating captchas I've ever seen. Long strings of "mnnmrnrmnm"
with contrasting colors and jpeg artifacts... a few attempts at solving those
makes me want to kill someone. I feel bad for people trying to do anything on
the internet from those countries. I wonder what the rationale is for making
captchas nearly impossible to solve in specific regions.

~~~
bcoates
TOR+Eastern Europe has probably triggered the heuristic that you're a probable
bot, and it's giving you a test that will further amplify its confirmation
bias.

Welcome to the preview of the day where all the networked, statistically self-
optimizing IDSes simultaneously turn on us and clean the messy humans out of
their technological world.

------
nekitamo
While it's nice that they're trying to design the captchas to be more user
friendly, these new number captchas are quite easy to crack. This might lead
to an uptick in spam as recaptcha ocrs become easier to create.

~~~
dsl
You are missing the whole point. The new "easier" captchas are shown only to
people that they are sure are humans already. I suspect they are looking at
the number of previous captchas you have solved correctly, are you logged into
gmail, etc.

~~~
nekitamo
You're correct. Refreshing the page a couple of times reverts the captcha to
the old one with letters. So I guess they keep track of how many times they
serve captchas to your ip address in an hour, and if you go over some limit
they start serving you the harder captcha.

Thanks :)

~~~
GhotiFish
That's going to end badly for 4chan, as every post requires you to fill in a
captcha.

The daily routine for a 4chan poster will constitute solving that captcha 20
to 30 times.

------
encno1s3
Google knows your searches, and I am pretty sure google knows every site you
visit, via google analytics, which most sites run.

Combine this with browser fingerprinting (your browser's fingerprint is
incredibly unique), and the fact that you probably have a google account.
There is a high probability they know who you are. From your history they can
determine if you're human or not.

------
pbreit
I cannot believe that in 2013 captchas remain the most effective way to
achieve whatever they are used for. I bet Google could bake something into
Chrome to avoid captchas.

~~~
aquadrop
We should feel lucky that at least captchas can help. In the future, probably,
there will be no chance you could separate humans from computers.

~~~
tempestn
Very true. So we need to find a way to prevent spam that doesn't involve
differentiating between a human and a bot.

------
ginko
Personally I have an easier time typing the letter/word based captchas than
the digit ones.

------
vezzy-fnord
_Perhaps in some glorious future utopian society, humans won't have to see
CAPTCHAs at all._

They don't. You can implement basic defenses like hidden input forms or
checkboxes that are masked by CSS rules or served on the client side with
JavaScript to weed out bots from human users, among other less intrusive
techniques.

Of course some bots may make use of high-level browser engines (such as those
provided by acceptance testing frameworks) to try and get around this, plus
you'll always have cheap human labor. But ultimately, anti-spam is an arms
race and simple tactics like this will get rid of most unwanted agents.

~~~
kalleboo
We tried a ton of those techniques (hidden fields, fields filled out by
Javascript, anti-replay tokens) and none of them worked - the spammers
appeared to be using botted IE installs.

What worked in the end was a points system for spammy behavior: First post has
URL in it? +1 point. User fills out linkedin field on profile? +1 point
(seriously, none of our legit users did this...). User posts a word on the
blocklist? (viagra, cialis, cvv2, etc) +1 point. User Agent is IE? +1 point
(we're a Mac site). After a certain number of points, the user was banned and
all their generated content deleted. After a certain number of posts without
triggering the ban, they're greenlighted. Spammers quickly noticed their posts
disappeared instantly and left the site.
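
[Added example, not part of the thread: a sketch of the points system described in the comment above. The signals and blocklist words come from the comment; the ban threshold, greenlight post count, regexes and all names are assumptions.]

```python
import re
from dataclasses import dataclass, field

BLOCKLIST = {"viagra", "cialis", "cvv2"}    # the words named in the comment
BAN_POINTS = 3          # assumption: the comment gives no threshold
GREENLIGHT_POSTS = 5    # assumption: the comment gives no post count
URL_RE = re.compile(r"https?://|www\.", re.I)
IE_RE = re.compile(r"MSIE |Trident/")

@dataclass
class Account:
    user_agent: str
    linkedin: str = ""
    points: int = 0
    posts: int = 0
    state: str = "probation"            # probation -> greenlit | banned
    reasons: list = field(default_factory=list)

def _decide(acct):
    if acct.points >= BAN_POINTS:
        acct.state = "banned"           # caller also deletes the account's content
    elif acct.posts >= GREENLIGHT_POSTS:
        acct.state = "greenlit"
    return acct.state

def _hit(acct, reason):
    acct.points += 1
    acct.reasons.append(reason)         # keep an audit trail for appeals and tuning

def score_signup(acct):
    """Profile-level signals, scored once when the account is created."""
    if acct.linkedin.strip():
        _hit(acct, "linkedin_filled")
    if IE_RE.search(acct.user_agent):
        _hit(acct, "ie_user_agent")
    return _decide(acct)

def score_post(acct, text):
    """Per-post signals; greenlit and banned accounts are no longer scored."""
    if acct.state != "probation":
        return acct.state
    acct.posts += 1
    if acct.posts == 1 and URL_RE.search(text):
        _hit(acct, "url_in_first_post")
    if BLOCKLIST & set(re.findall(r"[a-z0-9]+", text.lower())):
        _hit(acct, "blocklisted_word")
    return _decide(acct)
# Constructed sample: a signup with the LinkedIn field filled and an IE user agent.
SAMPLE = Account("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "linkedin.example/in/x")
```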

~~~
tempestn
If only my blogspammers were that quick on the uptake. I've got moderation
turned on, so none of their posts ever see the light of day, and I still get
tens of them every day.

------
promoCode
...and why, pray tell, are they still providing turing tests to humans, if
they already know who the humans are, you ask?

Well! Very obviously, any human can behave just as maliciously as a bot might!
So captchas are there to slow us down. Point blank. They are flood control.
They prevent spam, be it from bot or human.

The real question is, why would Ars Technica be so chicken-shit, that they
can't come out and say that?

~~~
tokenizerrr
If you want to slow someone down you add in a delay. Like many forum software
already does.

