

Introducing MotionCAPTCHA: Stop Spam, Draw Shapes - potomak
http://www.josscrowcroft.com/2011/projects/introducing-motioncaptcha-stop-spam-draw-shapes/

======
a904guy
As far as I can tell from the demo there is no server side validation on this
captcha. Everything is handled on the client side. So really all you're doing is
making an annoyance for your honest target users. And allowing a spam bot to
just totally ignore this 'captcha' to submit their POST regardless....

I've seen hundreds of these 'alternative' captchas. 'slide to unlock', 'sort
images' etc. None yet have proven to be as effective at stopping a simple curl
script.

Real captchas will store the value of the image or verification method on the
first fetch in a session, and when the form is finally filled out the server
will verify that the session value matches the submitted value. Without this
component, the alternative captchas are pointless and just an annoyance to
your real users.

Spam bots are not built on top of web browsers...
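
The session-backed check described in the comment above, as an added example that is not part of the thread or of MotionCAPTCHA. The in-memory session store, the function names and the 5-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// In-memory stand-in for a server-side session store (assumption for this example).
const sessions = new Map();
const TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime

// Called when the form page is first fetched: the server picks the answer and
// keeps it. Only the session id and a rendered challenge would go to the browser.
function issueChallenge(now = Date.now()) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  const answer = crypto.randomBytes(3).toString('hex'); // text to render as an image
  sessions.set(sessionId, { answer, expires: now + TTL_MS });
  // The answer is returned here only so a caller can play the human in a test.
  return { sessionId, answer };
}

// Called on form submission: compare the submitted value with the stored one.
function verifySubmission(sessionId, submitted, now = Date.now()) {
  const entry = sessions.get(sessionId);
  sessions.delete(sessionId); // single use: a solved or failed challenge cannot be replayed
  if (!entry || now > entry.expires || typeof submitted !== 'string') return false;
  const expected = Buffer.from(entry.answer);
  const given = Buffer.from(submitted);
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// The form handler decides on the server, so a script that POSTs directly
// (or a page whose submit button was re-enabled by hand) is still rejected.
function handlePost(body) {
  if (!verifySubmission(body.sessionId, body.captcha)) return { status: 403 };
  return { status: 200 };
}
```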

~~~
personalcompute
As for being client side, it's just a proof of concept at the moment.

~~~
josscrowcroft
Yeah, exactly. It's a proof of concept, with plans to turn it into a
production-ready solution that relies on a typical difficult PHP Captcha,
which is then replaced with the cooler MotionCAPTCHA on page load, if the
user's browser supports it.

------
reso
Interesting concept, but I doubt it will take off. The present version would
be easily breakable by image-processing and some scripting. They could
obfuscate the image, but then you're in the same war-of-attrition you see with
text-based captchas today.

Text captchas suck, but they're the only thing that's ever been shown to be
robust over the long term.

~~~
josscrowcroft
Yeah, this is the plan - use a text-based captcha that's replaced onload.

------
senko
Do this using Kanji (or other complex character sets that have standard stroke
order), turn it into "stop spam, learn _x_ ", and you're on to something.

~~~
josscrowcroft
That is a remarkably good point... considered for v0.2!

------
kamkha
I'm fairly certain that a computer could handle these CAPTCHAs _better_ than I
could.

------
eLod
maybe i'm missing something here but the biggest issue i see with this is it
does not effectively prevent spamming/robots. the libraries which this is
based on were not created with distinguishing humans and robots in mind.
especially checking the $1 gesture recognizer
([https://github.com/josscrowcroft/MotionCAPTCHA/blob/master/j...](https://github.com/josscrowcroft/MotionCAPTCHA/blob/master/jquery.motionCaptcha.0.1.js#L470))
i don't see if this could be used in real life (for captchas).

------
foxhill
this reminds me of another alternative to captchas i'd seen, something like
kitten captcha or something..

the premise being, you had a 3x3 grid of thumbnails of animals, and you'd have
to pick out of them, which were kittens.

less invasive captchas are something that i'd really like to see on sites, but
despite the alternatives (of which i'm sure there are many) they never seem to
take off..

~~~
rorrr
Kitten captcha is stupid, because you only have to classify kitten images once
(manually, mechanical turk), and then it will be broken 100% of the time.

~~~
owenmarshall
The "kitten CAPTCHA" could then take countermeasures:

1. Apply transforms to the images. This would require spam bots to perform
much harder processing.

2. Use a larger pool of images -- after all, this is the Internet, a
communication medium used primarily to exchange pictures of kittens.

Of course the spammers would adapt. But CAPTCHAs are not one-shot solutions. A
good CAPTCHA works well enough to defeat most bots, and is updated once most
bots start defeating it.

------
rorrr
It's a completely client-side solution. It will be easily broken.

Even if it weren't, and shapes were generated and verified on the server side,
computers are extremely good at recognizing simple shapes.

EDIT:

Here, to break it on this page

<http://www.josscrowcroft.com/demos/motioncaptcha>

simply enter this into the URL box:

javascript:$('input').attr({'disabled':false});

~~~
josscrowcroft
You legend. Heh

