
Goodbye (Crummy) CAPTCHAs. Hello Ad Dollars? - jkopelman
http://mediamemo.allthingsd.com/20100920/goodbye-crummy-captchas-hello-ad-dollars/
======
bl4k
here is the challenge I got when I signed up for the service:
<http://imgur.com/x5hoN.png>

for the solution I put in 'stupid', and it worked

this definitely doesn't solve the security considerations that captchas were
designed for.

Update: Ok so it didn't take long to break this thing. These guys have the
plain text of the CAPTCHA in the document DOM. It isn't even an image - the
CAPTCHA is rendered in javascript. See: <http://imgur.com/9VO4J.png>

The 'brand' logos are an image, but they are simple to OCR.

So to break this CAPTCHA, simply hook v8 up to your auto-submit bot and
interpret the JS that is being returned to you. You can't read it from the
client because they serve that IFRAME from a diff domain - so they base their
security on the browser x-domain policy. But that is all moot if you are
building a bot, or if you build a browser extension that solves these things.
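
The flaw described above is that the answer itself travels to the browser. As an added example (not part of the original thread and not Solve Media's code), here is a Node.js challenge store that keeps the answer server-side, hands the client only an opaque id, and accepts each challenge once. The function names, the TTL and the image URL scheme are assumptions.

```javascript
// Added example: challenge answers never leave the server. Names are hypothetical.
const crypto = require('crypto');

const TTL_MS = 2 * 60 * 1000;   // challenge lifetime (assumed value)
const pending = new Map();      // challengeId -> { digest, expires }

// Keyed digest, so the store does not hold the plain answer either.
const STORE_KEY = crypto.randomBytes(32);
function digest(answer) {
  return crypto.createHmac('sha256', STORE_KEY)
    .update(answer.trim().toLowerCase())
    .digest();
}

// Returns only what may be sent to the browser: an opaque id and an image URL.
// Rendering the distorted image for that id happens server-side (not shown).
function issueChallenge(answer, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  pending.set(id, { digest: digest(answer), expires: now + TTL_MS });
  return { id, imageUrl: `/challenge/${id}.png` };
}

// Single use: the entry is deleted on the first attempt, right or wrong,
// so a bot cannot retry guesses or replay a solved challenge.
function verifyChallenge(id, response, now = Date.now()) {
  const entry = pending.get(id);
  if (!entry) return false;
  pending.delete(id);
  if (now > entry.expires) return false;
  if (typeof response !== 'string') return false;
  // Both buffers are 32-byte HMAC outputs, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(entry.digest, digest(response));
}
```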

~~~
StavrosK
And since this CAPTCHA isn't secure at all, they'll remove the security
element altogether, making it a more annoying version of a banner ad.

------
almost
So you replace the hard to read CAPTCHAs with easy to read ads. Of which
presumably there will be a limited number in circulation at any one time.
Sounds kinda easy to circumvent...

~~~
il
You know, most modern captchas are not solved by bots, but by people in third
world countries solving them for pennies. The current going rate is about
$1/1000 and there are easy to use captcha solving APIs for any platform.
Captcha has long provided an illusion of security, nothing more. Any and all
captchas will be broken.

~~~
jfager
Before adding captchas to my stupid personal blog, Akismet was catching ~300
attempted spams a day, and I was manually flagging ~2 a day.

Then I installed reCaptcha, and now Akismet catches ~10 a month, and I've had
to manually flag zero.

I'll take that illusion, thanks.

~~~
there
ok, but how many comments are you losing because people don't want to fill out
a captcha?

i've used defensio.com for filtering comments on my site with no captcha and
rarely ever get a false positive or negative. false negatives are easy to
spot, and users can manually override false positives by supplying an email
address to get a confirmation link (which gets fed back to defensio as a false
positive once clicked).

~~~
jfager
It's a tradeoff, sure. In my case, I'm perfectly happy to trade a few comments
from people who don't want to deal with a captcha for never having to manually
deal with spam. YMMV.

~~~
mike-cardwell
There are better ways of reducing comment spam to near zero without resorting
to captchas. Here's how I did it:

[https://secure.grepular.com/Blocking_Comment_Spam_Using_ModS...](https://secure.grepular.com/Blocking_Comment_Spam_Using_ModSecurity_and_Hidden_Fields)

It's still working now.

~~~
mseebach
That's great, pretty much any home-rolled CAPTCHA will perform great, simply
because it's not worthwhile for spammers to design an attack. If that,
however, was the default anti-spam mechanism on, say, wordpress installs, it'd
be automated against in minutes.

~~~
mike-cardwell
Definitely. If more people rolled their own, the spammers would be screwed.

------
niyazpk
Yeah, this is exactly what I want - remind the user about some other brand in
the exact same signup page where I should actually try hard to win him over.

Not to mention how ridiculously easy it will be to break these limited edition
captchas.

~~~
notahacker
Works just fine for a blogger that doesn't care too much whether you complete
the captcha or not but likes the few extra bucks he makes on a well-commented
blog entry.

~~~
petsos
Not if the well-commented blog entry is 99% viagra comments.

------
msy
I spent a minute trying but no, I cannot think of anything that would make me
go 'well fuck you' and go elsewhere faster than being expected to type out ad
copy like a school child.

~~~
pedalpete
and yet you will gladly type randomized and difficult to read letters or
words?

This is actually attempting to solve two problems at once, and in some ways it
could be more interesting to the user if the ads are well targeted.

Why not help the site owner make a bit of $$??? are you really afraid that
typing in a bit of ad copy is going to turn you into a mindless drone

~~~
melissamiranda
I'd rather type random characters than "Safer Browsing" for an IE ad. You have
to consider the emotional reaction to these ads.

~~~
Ilovepee
What about the refresh button?

------
photon_off
Normally, I refrain from writing such bad things about start-ups and people's
ideas, unless there is something _really_ awful about it. In this case, it's
obvious how terrible this service is, both in terms of how it treats the user
(who wants to do you a favor by signing up) as a cow to be milked, and how the
implementation of it does very little to solve the actual problem of spam.
It's just a greedy and short-sighted idea. I won't write any more about how
stupid it is.

What I will note is that it is somewhat inspiring to see that an idea like
this can get off the ground. I haven't dug into the details of "Solve Media",
but I assume that some people poured a sum of money into this. Maybe there's a
sucker born every minute, or maybe confidence in anything internet-related is
just that high. Hopefully, both things are true, and I think that's a good
thing. I'm not advocating taking suckers' money, but rather believing the
following: If your idea is anything better than this, which it likely is, you
have a shot at it.

~~~
mikemol
Users creating and using free accounts have costs associated with them. Those
costs need to be met in order for the service to continue, either by tying a
revenue model to the users directly, via charity, or by subsidizing their use
of your resources by using something they contribute, such as content.

Selling user content is not a stable net in proportion to user use of the
site; you don't know that the content will continue to sell at a rate keeping
pace with user-incurred costs.

Charity is also not a stable net in proportion to user use of the site;
nothing directly and reliably ties charity income to user-incurred cost, and
nothing can--it's charity.

The _only_ way to meet proportionate cost incurred by user use is by tying a
proportionate revenue to user use. Even if you don't charge a user to use the
service, even if you only ask that they fill out a text box to use the site,
just as they might with reCAPTCHA, it suddenly becomes 'milking the user'.

Sadly, users no longer merely expect services to be free for them, they get
offended if the service provider derives any money at all for their activity.
(I think I sort of understand the mentality--"Why are they getting money for
my work, when I'm not?"--but that logic doesn't hold up if no money was
changing hands while they did the work anyway.)

You're also rather vague about what "the actual problem of spam" is. What
strikes you as a mere symptom, and what strikes you as a cause? Yes, these
people's particular implementation of challenge-response is pretty poor. Is
that what you were specifically referring to, or did you have something else
in mind?

~~~
photon_off
Very good points here.

I failed to remember that captchas are indeed used for other things besides
registering as a member to a site. Things like one-time viewing of information
(eg: WHOIS), etc, will probably benefit a lot from this. I showed some
oversight claiming this service was dumb. It's great for things where it's OK
that I get insulted, because I want to see something bad enough anyway.

I was in the mindset of imagining this being on a registration form to become
a user of a website. I think the money lost from the amount of users getting
turned off by this would be greater than the one-time profit incurred whenever
a user registers. That is, unless your site profits from _less_ users. In
equation form:

(amt profit per lifetime of user) x (number of users that won't sign up
because of this) > (amt of users that do sign up with this) x N [where N is
how much you make from this ad captcha].

Notice that the longer you plan on retaining users, the less you should be
willing to risk slowing down your sign-ups, unless this ad captcha offers a
high enough profit. It is my opinion that for sites seeking long-term
relationships with users, that this thing sucks. On the other hand, if you can
afford that the user not continue beyond a point, then it's great. That's why
it'll work for porn and other seedy crappy sites, and probably why I have low
regard for it. I admit this is a foolish mindset.

In regards to "actual problem of spam," I was referring to the answer of the
captcha being in the DOM, and the otherwise flawed implementation of it.

------
cobbal
It seems to me that they're not attempting to prevent spam, they're merely
trying to monetize what has become the standard practice of entering CAPTCHAs.
Going with something like this is trading in spam prevention for cash. The
legitimate users already expect to see a CAPTCHA, but you're using it for a
different purpose.

------
dannyr
I had a similar idea a few years ago. I thought my idea was original but when
I did my research, several companies have already thought of it.

Microsoft
[http://www.internetnews.com/webcontent/article.php/3836421/M...](http://www.internetnews.com/webcontent/article.php/3836421/Microsoft-Seeks-Patent-for-CAPTCHA-Based-Ads.htm)

Yahoo <http://www.faqs.org/patents/app/20090012855>

Ad Captcher <http://adcaptcher.com/>

------
jchonphoenix
I know the professor who created CAPTCHAs fairly well (did research with him)
and I can say that these captchas are missing the point of captchas.

The hard to read word is there to prevent spammers. With easy to read words,
you have a limited number of words per page. In the end, the probability
that a program randomly guessing the assortment of words (O(n^2) combinations
if we assume order) is actually quite high.

------
mikemol
Tried signing up for an account. They eat their own dogfood, for which I'm
thankful.

It looks like the advertisers can force you to click through to get the
security code. (e.g. Catfish's "Click through to see the security code!") I'll
pass.

~~~
CTISN
Funny, I first noticed how they don't eat their own dogfood. They don't have a
captcha on their contact form: <http://www.solvemedia.com/contact.html>. Seems
to me like that would be a good place to have one.

~~~
mikemol
They have (or had; not checking again) one on their sign-up form. That they
don't have one on their contact page suggests they don't know what CAPTCHAs
are _for_...

------
mmastrac
I don't often hope for entrepreneurs to fail, but I think this is a place
where they are actually making the world worse. Not only do they completely
fail at what they are trying to do (ie: prevent spam), but they do so in the
most possibly annoying way.

I'll gladly contribute my time towards writing browser extensions to hide and
automatically solve these things if they take off.

------
uptown
I'll be happy with anything other than today's captcha solution. These are
some captchas from my hall of fame:

<http://www.twitpic.com/2qbv0e/full>

~~~
jncraton
Those CAPTCHAs really aren't that bad. If I understand how ReCAPTCHA works,
you only need to get one of the words correct.

~~~
zach
You know that, I know that, but if everybody knows that you only have to enter
the easier-to-read semi-nonsense word then ReCAPTCHA itself doesn't work so
well for its larger purpose.

And if you _don't_ know that, then giving someone a CAPTCHA with Hebrew or a
Rorschach inkblot in it when they're trying to buy Yo Gabba Gabba Live tickets
for their four-year old is a surreal enough experience to make people think
they're living in a situation comedy.

------
mdolon
Their sign up page required me to watch a video in order to get the security
code. While the code came up a couple of seconds into the video, I still
dislike the thought of having to watch and wait for ads to somehow contribute
to a website (be it through comments, sign ups, etc).

------
mikeknoop
How about this for a CAPTCHA, a video ad unit where the questions are akin to
those old SCENEIT questions?

Ie, what color shirt was the man pumping gas wearing?

Bonus points if you tell the user the question after the video so they have to
re-watch.

~~~
metageek
I hate wasting my time on videos even when they're about things I'm interested
in; I'm not going to use a service that forces me to watch one I'm not
interested in.

------
scrrr
If successful this can be copied easily and successfully by anyone. But I hope
it won't succeed. Instead things like openid should be more widespread so I
don't have to enter a captcha in the first place.

------
randomtask
This sounds a lot like what Vidoop tried to do. Their initial idea was to
replace passwords with an authentication mechanism based on selecting a number
of pictures that fit into user-chosen categories. A person would select 3-5
images from a grid of 12 with each image belonging to a distinct category.
Those who picked the images, in the correct order, corresponding to their
chosen categories (selected on sign up to the service) along with their
username were deemed authenticated. As far as I know they hoped to make money
by selling ads within the categories, so if one of the categories displayed
was "pets" you might see ads for petfood for example. They moved into doing
captchas at some point too.

Anyway, it seemed like a promising idea, but they folded last year. Good write
up from a former employee here:
<http://factoryjoe.com/blog/2009/06/05/the-fall-of-vidoop/>

~~~
CTISN
Vidoop was bought up by Confident Technologies, which is still doing the
image-based captcha as well as image-based authentication for Web and mobile:
www.ConfidentTechnologies.com. The free MyVidoop service is still around too.

------
zabraxias
I think the idea is an excellent example of how to think creatively but it
would take me a long time to find the ad version of a captcha since I would
see it as an ad and ignore it.

In any case I'll be watching their progress with this idea.

------
jarin
The article isn't totally accurate, I tried it out and got a trailer for
Devil.

I would probably use this for media views or file downloads, but I wouldn't
use it for signups because I think it would decrease conversions.

------
pacak
IE = Browse safer? I don't think so. Anyway, I am not going to leave comments
on sites that want to turn my attention to useless junk like ads.

------
tomjen3
Damn, that is both smart and evil (because the user can't ignore these kind of
ads).

What can we do to make sure this product doesn't catch on?

~~~
hellweaver666
If you don't want them to catch on, refuse to sign up to any service that uses
them. Simple.

~~~
akadruid
In the long term, ugly, hard to use websites will lose. It can be a very long
term in some cases. Just be patient.

------
hkim
Guys, isn't ycombinator all about helping us become good entrepreneurs? Why
tear down a good effort? How is this productive? These guys have serious
supporters and clients so they have to be on to something.

------
ciupicri
This is not a new idea. <http://adcaptcher.com/> is at least one year old and
it's already being used on a couple of sites.

------
Timmy_C
When I saw the title of this article I thought it was going to be about
removing CAPTCHAs in favor of higher conversion rates . . . even if it means
more SPAM.

------
steilpass
There is a German startup which has been doing this for quite some time:
<http://www.captchaad.com/>

------
Timmy_C
What's going to happen if I'm asked to fill out a CAPTCHA like one of these
while I am browsing with Adblock on?

------
agscala
What's wrong with recaptcha anyways? I actually like helping with translations
of book scans.

------
zentechen
People are making everything into an ad. Stop creating more junk!

------
9ec4c12949a4f3
This is not a replacement for captchas.

