

“Stop Spam, Draw Shapes”   - julien
http://www.josscrowcroft.com/demos/motioncaptcha/

======
slindstr
That's a pretty cool idea, but I don't like that it's an added step for the
user when submitting a form.

I used to get a TON of spam on my website(s) until I threw in a hidden text
field. When the form is submitted I assume the submission is spam if the
hidden text field's value isn't blank. I don't get spam anymore and people
don't have to mess around with a captcha (plus nobody's complained).

...although I'm sure it's only a matter of time until the spammers figure this
technique out.

~~~
ghurlman
It looks neat, but fails basic accessibility tests. Blind? Can't use a mouse?
You're out of luck.

~~~
micheljansen
Read again: he includes a hidden field for the "normal" user (blind or not)
and spambots fill that field out anyway and get caught. Pretty clever, but not
hard to work around as a spammer if this gets widely adopted.

~~~
evilduck
Blind users would have a different sort of HTML rendering mechanisms (screen
readers, braille output, OCR, etc) that might make hidden tags visible input
unless you somehow indicated to them that the field was a honeypot. I'm not
sure on the details, but the concept of hiding a field from the user's view
probably doesn't translate very well once you leave the visual rendering
arena.

~~~
eridius
I can't speak authoritatively, but I believe the "hidden" attribute of a field
is not a visual cue, it is a presentational cue. In other words, it hides it
from all presentations, whether visual, audible, tactile, or other.

------
51Cards
I have concerns about this. While it is a neat concept and the implementation
is impressive, the reality may be problematic. A lot of users may not have the
dexterity to accomplish this task with a pointing device, like my Mother. Not
to mention anyone with special needs that requires an alternate input device.

~~~
josscrowcroft
Very good point, thanks for the feedback. The full release version will have
an option to toggle back to a standard letter-based CAPTCHA.

------
gregschlom
I wish people stopped trying to solve the CAPTCHA problem with other CAPTCHAs.

This proof of concept, while pretty cool from a geek point of view, doesn't do
anything to solve the problem in a better way.

Stuff like hidden fields, timestamp analysis, crowd-sourced classifiers (like
Akismet), on the other hand, do.
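
An added example, not part of the original thread: a server-side check combining the hidden-field honeypot and timestamp analysis mentioned in the comments above. The field names (`website`, `ts`, `sig`), the thresholds and the secret are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed values for this sketch; load the secret from configuration in real use.
const SECRET = "constructed-demo-secret";
const MIN_FILL_MS = 3000;            // submitted faster than this: treated as automated
const MAX_AGE_MS = 60 * 60 * 1000;   // form tokens expire after one hour

// HMAC over the timestamp string so the client cannot forge or alter it.
function sign(tsString) {
  return crypto.createHmac("sha256", SECRET).update(tsString).digest("hex");
}

// Called when the form is rendered: values for two hidden inputs, ts and sig.
function issueToken(now = Date.now()) {
  const ts = String(now);
  return { ts, sig: sign(ts) };
}

// Called on POST with the parsed form fields. Every decision is made on the
// server; nothing the browser ran (or skipped) is trusted.
function checkSubmission(fields, now = Date.now()) {
  // Honeypot: a field people are not meant to fill in. Any value marks a bot.
  if ((fields.website || "") !== "") return { ok: false, reason: "honeypot" };

  // Verify the signed timestamp in constant time.
  const got = Buffer.from(String(fields.sig || ""), "utf8");
  const want = Buffer.from(sign(String(fields.ts)), "utf8");
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: "bad-token" };
  }

  // Timestamp analysis: reject instant submissions and stale forms.
  const age = now - Number(fields.ts);
  if (!Number.isFinite(age)) return { ok: false, reason: "bad-token" };
  if (age < MIN_FILL_MS) return { ok: false, reason: "too-fast" };
  if (age > MAX_AGE_MS) return { ok: false, reason: "expired" };

  return { ok: true, reason: "accepted" };
}
```

A signed timestamp can be replayed until it expires, so a production version would also record used tokens or bind them to a session.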

~~~
there
i gave up trying to do creative spam filtering long ago. email address
obfuscation, greylisting, etc. i put my domains behind postini (shame they got
bought out by google) and never have to deal with spam anymore. my e-mail
address is in plain sight in lots of places, and i only get false positives
once in a rare while that i have to login to postini and forward to my inbox.

same thing with spam comments on my site. i didn't bother with captchas or
other annoying requirements like openid. it submits everything through
defensio (<http://www.defensio.com/>) on the backend and if it looks like
spam, you just have to put in an email address to manually confirm the comment
and re-train defensio. otherwise people can leave anonymous comments without
any hassles. the amount of comments that need to get manually verified are
very low, and i never see spam get through.

~~~
__rkaup__
Why is it a shame that Postini got bought out by Google?

------
ori_b
Seems like it would be quite a bit easier to solve than the current text-based
captchas. You don't even need to do OCR.

~~~
akg0
Hell, in its current form it's entirely client-side; hardly seems like it
should even count as a CAPTCHA. $(form).attr("action", $("#mc-action").val())
and you're done.

Even with server-side validation, it's still trivial to break; it only
requires tracking a line through an otherwise blank image.

This is fundamentally unusable as a CAPTCHA, and can't be made significantly
better. The whole point of a CAPTCHA is to be difficult for computers and
doable for humans, hence stuff like warped characters and image
categorization. Tracking a line against a blank BG is not difficult for a
computer.

~~~
jtheory
I don't like it for accessibility reasons, but if you have a site with n
disabled users (say, a site for archers?) it might work well.

Certainly, not hard for spammers to break, but as long as it doesn't have
widespread use, they won't bother putting in the effort.

~~~
pornel
> as it doesn't have widespread use, they won't bother putting in the effort

But this can be said about almost any Javascripty custom trick, and there are
ones that require no effort from user and don't have accessibility issues beyond
requiring JS.

------
eLod
this was already submitted & commented:
<http://news.ycombinator.com/item?id=2620870>

------
owenmarshall
One of the key notes of humane UI design is that the average user is
_terrible_ with the mouse. Joel Spolsky touches on this in one of his
articles:

<http://www.joelonsoftware.com/uibook/chapters/fog0000000063.html>

Depending on the sensitivity, this CAPTCHA could definitely drive away users.

~~~
josscrowcroft
Very interesting - thanks.

I'm looking to include a "Switch to default captcha" option for those
concerned with usability (myself included)

------
pornel
If I write a completely stupid bot that just submits a rectangle, I'll have
10% chance of getting it right.

You need a lot more shapes… but there aren't many shape/size/position
combinations that are easy for humans.

You need complicated images, as plain shape/background (and in general shapes
on background that are separable on histogram) are easy to trace.

~~~
josscrowcroft
I'd suggest taking a look at the readme - it covers this and more!

~~~
pornel
I don't see where it addresses problem of generating large enough number of
shapes that are hard enough to recognize with computer vision.

I'm afraid that nice gesture recognition algorithm is not enough to defend
against bots programmed to recognize known solutions & replay (slightly
randomized) predefined answers.

------
PonyGumbo
There's almost no chance that my elderly parents would have the dexterity to
pass this.

------
ChuckMcM
Interesting idea. I thought it might be more confusing if it described the
shape to draw and put the 'prototype' line of a different shape in the box.
Robots would be trying to match the prototype, humans would be drawing the
requested shape.

For whatever reason I don't have the dexterity to draw a correct shape very
quickly :-) That suggests if the captcha was used a lot (like every time I
submitted a comment or something) I would quickly become frustrated and stop
participating.

------
mcantor
It seems like this would be a total stopping point for mobile users, too.

------
PetrolMan
It's kind of interesting that it uses the ribbon brush from mrdoob's harmony.
I guess it would make a match more likely if you did it really quickly.

~~~
josscrowcroft
The plugin actually combines two libs, the Ribbon brush is used only for
display (could be any brush if you switch out that class in the JS), meanwhile
the points you draw are also tested against the Protractor gesture recognition
algorithm.

------
tectonic
The recognition seems so-so - I drew something that looked NOTHING like the
image and it accepted it. Are you using chaincodes for recognition?

------
krallja
Spammers don't have to respect DISABLED attributes on forms. Client-side tests
are not trustworthy.

------
mmuro
And how the hell do you expect blind people to be able to submit the form?

------
Swizec
I was expecting to see something completely unsolvable on a trackpad.

But I was proven wrong: <http://i.imgur.com/QO8pY.png>

This looks pretty sweet, I wonder how the shape matching works.

~~~
jameskilton
Wow, that's the exact opposite of what I ran into:

<https://skitch.com/jameskilton/fdcir/motioncaptcha-demo>

It's a good idea, just needs to be a little more on the lenient side for those
of us who aren't artistically inclined.

Edit: Hmm if you go faster it has a fuzziness to it:

<https://skitch.com/jameskilton/fdci7/motioncaptcha-demo>

~~~
josscrowcroft
That's thanks to mrdoob's Harmony, specifically the Ribbon brush
(<http://mrdoob.com/projects/harmony/>)

------
dongsheng
Excellent work! reCAPTCHA is rather unfriendly to non-English users.

~~~
josscrowcroft
thanx :o) watch the repo to see when it becomes ready for use on live
websites.

------
J3L2404
Here is another take on captchas, with the source.

<http://jordan-adams.co.uk/humancheck/>

