
Chess CAPTCHA - denysonique
http://en.lichess.org/forum/general-chess-discussion/form
======
edw519
Brilliant building of software. Less than brilliant copy.

I would change

    
    
      Black plays; checkmate in one!
      This is a chess CAPTCHA.
      Click on the board to make your move,
      and prove you are human.
    

to

    
    
      This is a chess CAPTCHA...
      To prove that you are human,
      click on a black piece, then
      click on the only destination
      square that will checkmate.
    

I really don't mean to nitpick, but it took me a minute to figure out what to do.
Sometimes the thing that makes the biggest difference for us programmers is
not our communication with our compiler but our communication with our users.

Great job. Thanks to you, I just announced I won't be ready for brunch for
another half hour. <Refresh> Sigh.

~~~
ornicar
thanks for the feedback, I will apply the suggested change soon.

~~~
shawn-butler
Ignore the feedback. Original copy is better.

It is interesting because you can't really A/B test the response time with the
different text, since the response time includes the human processing time of
the chess problem.

~~~
carbocation
Sure you can. You're just adding two (probably normal-ish) distributions: the
distribution of human response times for processing the chess move, and the
distribution of human response times for parsing the instructions.

~~~
disgruntledphd2
Human response times are almost never normally distributed. They can't be, as
a matter of fact, as negative response time is an impossibility.

In any case, they are typically long tailed and weird looking. Not normal, at
least in my experience of working with them

~~~
carbocation
You are right, of course, and I knew I was going to regret the use of even the
toned-down term "probably normal-ish". The question is whether one can
meaningfully ask which text is faster to parse, despite the "noise" that comes
from the time to actually perform the chess move. I suspect the answer will be
'yes'.

~~~
shawn-butler
I think the answer will be 'no' as solving a chess problem is a learned skill
and not as innate as reading and understanding text and the time delta of
comprehension between two similar text passages << time to solve chess problem
distributed between users of low and high skill.

~~~
carbocation
Why would the distribution of user skill differ across test groups? There's no
reason it should. The expected time to solve the puzzle itself would be the
same across both groups.

------
Swizec
I am fairly certain it would be quicker to program a computer that can brute
force a checkmate in one than I can solve these things by hand.

You have what, 11 pieces, they can move into 64 positions each (at most, much
less in reality). That means a computer must brute force 64*11 = 704 attempts.

In other words, no time at all to bruteforce this once you've read the grid.
Reading the grid in itself is rather trivial since you only have a small
number of clearly distinguishable pieces to recognise.

So after an afternoon of coding, I could have a computer that solves this
CAPTCHA in a few seconds. As a human I need more than 30 seconds just to read
the current situation on the board.

~~~
danielweber
Yes, an afternoon of coding to be able to post spam on exactly one website.
Until they change the captcha.

~~~
rorrr
So you are, literally, arguing for security by obscurity. "Oh, my captcha is
unique, therefore nobody will bother".

There are easier-to-implement unique captchas than chess.

~~~
aethertap
I'd agree partially, but I'd comment that it's also security by _diversity_.
If every site had a unique captcha solution requiring custom software for a
defeat, the force multiplier effect of "write once, run everywhere" would be
hugely diminished, and it would be much less cost effective to implement
various types of spam. So, the particular security strategy here is indeed
weak, but I would say that it might actually strike closer to the root of the
problem than just making a really hard, but still universally applied, captcha
technology.

~~~
rorrr
You are not making any sense.

~~~
aethertap
The economics of spam commenting makes sense if it can be done automatically
at a massive scale. If only one or a very small number of "humanity tests"
exist, then cracking those tests has a high payoff value. Having a huge number
of different, ad-hoc authentication schemes would make developing automatic
cracks unacceptably expensive for the actual level of benefit achieved by
posting the spam comment. Therefore, being a site with a unique CAPTCHA system
attacks the core value proposition of spam comments, which strikes the root of
the issue.

Another way to look at it is like the entire collection of CAPTCHAs on the
Internet is really just one big CAPTCHA library, which tests a subset of
"human" abilities. The larger the subset, the more difficult it will be to
circumvent. Relying on one or two special abilities makes it easier for a
machine to emulate those behaviors and gain access. I hope that clarifies the
point I was making.

------
adamt
The FEN notation(1) state of the board is in the HTML:

    
    
          data-fen="7r/3k1ppp/3bpn2/1p3P2/1PbP4/2r2P2/P2K1Q1P/q5NR">
    

Any chess engine could load this and solve these problems in milliseconds.
Which is far easier than most captchas that require moderately sophisticated
image processing.

(1) <http://en.wikipedia.org/wiki/Forsyth%E2%80%93Edwards_Notation>

~~~
nmcfarl
It would have been easy to have just stored that bit of session state to the
server.

It’d also be pretty easy to alter the HTML board to a prerendered image with
imagemap click detection. At which point someone’s writing custom image feature
detection software to break your captchas.

Of course, this mainly works because of the obscurity, even with the upgrades.
And since someone’s already going to have to write custom software to break
this I’m not sure it’s worth it to upgrade - as I doubt it’s worth anyone’s
time to write the minimal software that’s needed now.

------
bdg
Can brute force answer from the server quickly:

<http://en.lichess.org/captcha/0nbdeigw?solution=a1+a2> returns either 1 or 0.

The total complexity of this to brute force is 768 possible moves.

Most of us here could write a bot to spam their site with less than 30 minutes
of time and effort.
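
Added example, not part of the original thread and not lichess's code: one way to close the yes/no oracle described in the comment above is to make every challenge single-use, so a wrong guess spends the challenge instead of leaving the rest of the move space open. The class name, the `"a1 a2"` move format and the 120-second lifetime are assumptions.

```python
import hmac
import secrets
import time


class SingleUseCaptchaStore:
    """Server-side challenge store in which each challenge accepts one guess."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # challenge id -> (expected move, expiry time)

    def issue(self, expected_move):
        """Store a puzzle's solution and return an unguessable challenge id."""
        now = self._clock()
        # Drop expired entries so abandoned challenges do not accumulate.
        self._pending = {k: v for k, v in self._pending.items() if v[1] > now}
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (expected_move, now + self._ttl)
        return challenge_id

    def verify(self, challenge_id, submitted_move):
        """Check one guess and consume the challenge, right or wrong.

        Popping before comparing means the same id can never be asked
        twice, so the boolean result cannot be replayed across all moves.
        """
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown, already used, or purged
        expected_move, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected_move.encode(), submitted_move.encode())


def demo():
    """Constructed walk-through: wrong guess, retry on same id, fresh challenge."""
    store = SingleUseCaptchaStore()
    cid = store.issue("a1 a2")           # constructed solution, not a real puzzle
    first = store.verify(cid, "h8 h7")   # wrong guess consumes the challenge
    retry = store.verify(cid, "a1 a2")   # correct move, but the id is spent
    fresh = store.verify(store.issue("a1 a2"), "a1 a2")
    return first, retry, fresh


if __name__ == "__main__":
    print(demo())
```

Calling `verify` only from the form-submission handler, rather than exposing it as its own endpoint, removes the separate oracle altogether; a per-client limit on how many challenges can be issued is still needed alongside it.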

~~~
mich41
But serious spammers would prefer to spend this time writing a bot capable of
spamming all forums based on some widely used engine.

Cracking this captcha won't give you access to any significant audience.

~~~
alexjeffrey
by this argument, the captcha would become useless as soon as it saw
widespread adoption. The idea of a captcha is to be strong against bots even
if it was directly targeted by spammers.

~~~
shawn-butler
CAPTCHAs solve a specific design problem. They are not an IETF protocol or
solution to be used everywhere. That's kind of the issue. Once a CAPTCHA is
worth enough it will be overcome.

The problem is to design a CAPTCHA that implements just enough headache to
make it worthwhile not to overcome and at the same time not frustrating users.
I think this chess problem uniquely and elegantly solves the problem for the
site in question by achieving both.

Then again, I am not familiar with the users, maybe the site is often trolled
by chess mastah wanna-bes.

~~~
alexjeffrey
if the idea of the chess captcha is to be used once on a single site,
(ignoring the fact that it's a chess captcha for a chess community) it's very
over engineered. Jeff Atwood gets away with a captcha where all you have to do
is type "orange" to post a comment[1] and even that manages to mitigate a lot
of spam.

<http://www.codinghorror.com/blog/2008/03/captcha-is-dead-long-live-captcha.html>

~~~
mpyne
There's no such thing as overengineering if it entertains the users while
meeting the mission intent. :P

------
rweba
As I expected most of the HN comments are criticizing it for one reason or
another but I like this just because solving simple chess puzzles is FUN which
is not true for the tasks in the typical CAPTCHA.

Yes, there could be a concern over a spammer automating the process but that
might be more hassle than it's worth just to spam a small chess forum.

~~~
canttestthis
'Fun' should only really be considered after 1. security and 2. usability, and
this CAPTCHA fails on 1. As soon as this CAPTCHA becomes widespread, spammers
will have additional incentive to create bots that brute-force it, defeating
the point.

Also I think you overestimate the amount of coding required to brute force
this particular CAPTCHA.

~~~
xymostech
I can assure you, this CAPTCHA will not become widespread, because most people
don't know how to play chess. It's specifically on a forum about chess, so
it's reasonable there, but anywhere else would be ridiculous.

I will agree that coding a brute force method would work well, though.

------
draq
This is a very creative CAPTCHA. However, computers are rather good at playing
chess, so a chess problem is probably the last thing you want to use to
distinguish between humans and computers (unless your aim is to keep stupid
humans out). Other possibilities: guess fruits
(<http://www.eurekalert.org/pub_releases/2013-03/ip-std030613.php>),
human emotions, animals etc.

~~~
fosap
or maybe go? Computers suck at go.

~~~
nawitus
They certainly beat the average human (because the average human doesn't even
know how to play Go).

------
benjoffe
This looks like a clever solution to the problem for lichess, at least until
someone plugs together a relatively simple bot with 100% success rates.
Though, just because it can be cracked easily doesn't necessarily demerit it,
perhaps their biggest problem is random untargeted bots, in which case this
is great (the argument that it could take longer isn't really important to
people on a chess forum).

~~~
mooism2
It also keeps out beginners. Depending on the forum (I'm not familiar with
lichess) that might be a drawback or a bonus.

~~~
calopetreep
The captcha seems very easy (I am not a chess player)- I tried three times and
always got a board to solve in one move, so I doubt anyone that knows the
rules of chess is going to be excluded. That's probably not a problem for this
forum :)

~~~
Samuel_Michon
Agreed. I had never played chess in my life, but with the help of Wikipedia
[1], I figured out which piece to move where.

(I enjoy this mini chess, it's like a low tech version of Bejeweled. I don't
have the patience for full fledged chess games, but just finding the last move
is fun.)

[1] <http://en.wikipedia.org/wiki/Chess#Movement>

~~~
redblacktree
You might enjoy chess puzzles then. They are usually of the form "[Color] to
move. [X] moves to checkmate." Typically, where X > 1, the opponent's moves
are forced by check. (i.e. the opponent generally only has one option if
you're making the correct moves.)

------
moron4hire
Screen readers have already been mentioned. But also, how about people from
cultures that don't play chess? How about people from cultures that do play
chess that just haven't ever given time to the game?

I learned to play chess when I was a kid, but never had anyone to play with.
The internet wasn't any help, either, because when you're a kid it's just not
that much fun to constantly have your ass handed to you in a game. I
gravitated to other games as a result. And now this thing just gives me that
same sense of dread, of "I have no idea what the hell I'm doing", even though
I know all of the rules of the game, because I'm so not involved in the
culture of the game at all.

Congrats, you've alienated several classes of users.

~~~
nh
the CAPTCHA is for posting in a chess forum :)

------
motters
Chess doesn't seem like a useful CAPTCHA. To begin with not everyone knows the
rules of chess, and secondly computers are much better and much faster than
the average human chess player.

------
sethammons
Perhaps a bug. Chrome on my Galaxy S3 showed white's queen (and I believe
bishop) as the color of the background. This was a problem because they were
on a grey tile. When I first tried the captcha, the board arrangement looked
like white had a king and a few pawns in the lower right and that black had
two queens and a bishop in addition to their king at the top of the board. The
white, according to my incorrect reading of the board, instantly looked like
it was in check, but the captcha was saying that it was white's turn to put
black into checkmate. I was completely confused and tried multiple times to
move the "black" queen into a position that would checkmate white believing
the captcha text to just be incorrect or misleading. After a couple failed
attempts, I realized the queen I was trying to move was grey, not black, and
then I solved the captcha.

In this case, the captcha took way too long because the pieces were hard to
distinguish and the captcha text was unclear. I think that captchas should be
something you can do near instantaneously. However, I really like the concept
and the trying of a new approach.

I've had success implementing what I feel to be very simple captchas: solve
simple arithmetic problems. I'm sure a parser could be created simply enough
that would solve them, but I have had zero forum spam in a couple of small
forums that use it.

------
lenkite
Considering that modern chess software can defeat grandmasters, the Chess
CAPTCHA seems more designed to admit bots instead of humans.

"It was my luck (perhaps my bad luck) to be the world chess champion during
the critical years in which computers challenged, then surpassed, human chess
players"

From Garry Kasparov:
<http://www.nybooks.com/articles/archives/2010/feb/11/the-chess-master-and-the-computer/?pagination=false>

~~~
mich41
These CAPTCHAs are easy enough for humans :)

And writing a bot to defeat them would take more time than posting your viagra
ads manually in all four sections of this forum.

------
afshinmeh
So if someone doesn't know Chess, it's not a human.

~~~
blaabjerg
Keep in mind Lichess is a free online chess platform. The vast majority of its
human visitors are likely familiar with the rules of chess.

~~~
afshinmeh
Aw, I didn't know that. Good idea guys.

------
C1D
It really isn't that secure since a bot could be used to calculate the
checkmate and it takes more time than a normal CAPTCHA.

~~~
throwaway125
That is definitely true, it's not good enough to secure yourself against a
persistent attacker but I do think it's a good captcha:

It's a topical captcha that the target audience of the site will recognize and
most likely enjoy.

It's significantly different from any other captcha so that automated
untargeted bots will not be able to beat it

It has a high enough entropy that untargeted bots that repeatedly attempt to
guess the answer will fail

People without a chess background most likely have to think about the answer
in a way that makes buying human workers a less attractive option (maybe)

~~~
ithkuil
topic filtering ... and suddenly they noticed a sudden rise in quality in the
forum.

Anyway, the same effect could be obtained by writing a "captcha" that simply
asks: "Click on the queen", a fixed chess board picture. They are assuming no
one targets them, so it's not so important how hard it is. (until someone
targets them)

------
munchor
I know a lot of people are commenting on how effectively this could be used,
but I'm simply amazed at how clever this is.

The idea behind it is very interesting, but it obviously can't be used as a
mainstream way of human detection. I think what matters here is the really
well-made implementation with HTML5.

Great job!

~~~
bmuon
There is no HTML5 here, just plain <div>s and JavaScript. But that doesn't
make it any less good. It's really polished.

------
CrLf
I don't know how to play chess. Guess I'm not human...

~~~
mich41
Guess you aren't.

Guess it isn't hard to learn the rules before posting on a chess forum.

------
NamTaf
I thought image recognition on that would be trivially easy to compute? You
could identify each piece, then just analyse it to work out the 1 move. As a
layman, it seems less computationally difficult to solve that than a state-of-
the-art captcha currently?

~~~
oneeyedpigeon
Not even image recognition. The chessboard is nicely marked-up with relevant
classes (e.g. 'bishop') for each piece; would be very easy to automatically
solve. However, as others have said, since it's such a narrow target, it's
probably not worth cracking.

~~~
solistice
The fact that it's a chessboard captcha with no relevant target behind it
probably outweighs even the satisfaction of cracking it. "Hey, I broke the
chessboard captcha" "You did WHAT? I loved that thing!"...

------
EGreg
Easy captcha to solve by a computer, no? Just hook up a program that
recognizes the pieces etc. Not to mention requires a human to know the rules
of chess.

However, it may be said that no one would put the effort to make captcha
solvers for everything... unless captcha crackers pooled together.

That makes for an interesting question. Since to solve CAPTCHAs you have to
build progressively stronger UIs, can it be said that if there sprung up a
"CAPTCHA plugin industry", with people using captchas of everyday things, then
the combined solver would eventually be some really versatile AI?

I remember recommending that people just send in pictures of street signs etc.
as this would be much better than the best CAPTCHAS right now

------
marvwhere
i like the idea, but i'm not that good in chess so i'm lost here =) my
advantage? i could learn it, and solve the problem, but what are blind people
doing? they have no chance to solve the captcha.

are there any ideas, how to deal with this problem? like an audio file, where
all positions are being told? or anything like that? right now i would not
have an idea how to solve this in a good way.

me as a web-developer often thinks about the common problem, why we need these
captchas, and what would be a good alternative to them. until now i had no idea )=
hopefully someday someone has an idea to replace captchas with an easier
protection for all people.

the sad part is, that we need stuff like captchas since years... stupid spam!!

------
mosselman
Though I like this a lot, as has been said, there are some obvious ways to
crack it. There would be ways around this though, so as a proof of concept for
one specific site it is pretty cool.

In order to contribute to the ways in which this can be 'broken', I present
you with a brute force, not on the server, but on the chess game itself:

<http://bookmarkify.it/114> (this is a bookmarklet, but you can also just
copy-paste the code from the editor (scroll down) and paste it in your
console).

------
mistercow
This will be effective as long as it isn't widespread, but there are much
simpler CAPTCHAs you can use to avoid spam if you want to take the obscurity
approach. For example, I've had great success with simple traps that just make
it hard for automated programs to figure out the input form. That approach is
completely invisible to human users.

But if you do go for obscurity, you're going to lose once your technique
becomes widespread, or once your site becomes big enough to be worth
targeting.

------
Permit
Interestingly enough, it looks like it has a specific checkmate in mind. It
generated a board for me in which black could be mated in two different ways,
but one didn't count.

~~~
drucken
Did you get a screenshot of it?

~~~
Permit
Yes I did: <http://imgur.com/6G8GCLo>

~~~
rmserror
That's, uh, not a checkmate. Kxb1

~~~
Permit
Oh whoops, I had the orientation of the board upside down haha. My mistake.

------
henning
This is a good example of the pitfalls of CAPTCHA design. A bot that knows
nothing about this site won't be able to get past it, but a determined
attacker who for whatever reason wanted to spam this site could just pick a
random square, or parse the board and use existing chess libraries to just
break the CAPTCHA outright. Any success rate significantly greater than zero
is all a spammer needs to succeed.

------
praptak
Yeah, chess is easy for computers but it's not the point here.

Jeff Atwood had probably a lot more traffic on his blog and still his whole
protection was a fixed word "orange". The chess guys are still way ahead in
terms of captcha hardness vs spammer benefit ratio.

I'm now going over all of the forums I know trying to come up with an
algorithmic forum-themed captcha. Say, "what's wrong with this recipe?" for a
cooking forum :)

------
wurso
The important thing everyone can learn from this isn't that a chess captcha
might work for every site, but rather that there's a lot of potential for
sophisticated captchas that are better than the ones that are currently being
used (math, image recognition etc.) - a large variety of completely different
ways to prove that you're human makes automatic attacks harder.

------
amatsukawa
This is probably easier for a computer to crack than a well-built traditional
CAPTCHA. Recognizing a pre-defined small set of images (the chess pieces) and
performing a search for the winning move seems much easier than beating the
image distortions in CAPTCHAs with OCR modifications.

------
MasterScrat
Not directly related, but I wonder why no one is using something similar to the Google
Image Labeler service Google had online at one point
(<http://en.wikipedia.org/wiki/Google_Image_Labeler>) as a CAPTCHA?

------
seagreen
CAPTCHAs are an interesting example of software that actually gets worse the
more people are using it. Making fun and unique CAPTCHAs for large sites might
be a good business for programmers that aren't interested in the winner-take-
all pressures of normal software.

------
vfl0
Not gonna lie, it took me a while to figure out because I had no idea what a
checkmate was.

~~~
dpcan
Great point. My first thought was, anyone who doesn't know how to, or doesn't
like to play chess would not create a topic on this page.

The game-as-captcha idea is good tho, IMO.

I was in a forum talking about this with fellow game devs a while back.
Something like a mini platformer that required you to run and jump your
character to a flag, for example, might be interesting, or solve a block-fit-
style puzzle, or rotate pieces to solve a puzzle, and so on.

------
dlsym
Since computers are exceptionally good at chess, this might not be the best
approach.

Nice idea though.

------
tempestn
For some reason my brain interpreted the white queen as black. The 'right'
move was still obvious since white only had a rook and pawns besides the
invisible queen, but it took me way too long to see why it was a checkmate!

------
demetrius
I play a little chess, but I had lots of trouble distinguishing the king from
the queen in this graphics. I've tried all the moves with no luck until I've
understood that I've mistaken the king for the queen.

------
sareon
Looks impressive, but I got to say this. I am horrible at chess and couldn't
find the move to checkmate white. I would probably get frustrated with this
and not even bother to finish the form.

------
stuaxo
On a sunday, after a hung over weekend, I had a look at it for about a minute,
tried a wrong move and gave up..

If that had been on the pizza delivery site then someone else would have got
my order.

------
peter-fogg
I'd say that the next step would be a CAPTCHA for Go -- creating an efficient
Go player is still an open problem, and we could crowdsource the AI research
to spammers!

------
Comkid
Seeing that computers have already surpassed humans in ability to play chess,
what makes you think that this CAPTCHA isn't just easier than morphed text
CAPTCHAs?

------
zxcvvcxz
Really neat idea, but if there's any type of CAPTCHA that a computer could
solve... wouldn't it be this?

I mean, they've been kicking our ass in Chess since Deep Blue.

------
indrax
Too much fun. Setup a simple 'chess puzzle' website that grabs a captcha every
time someone wins, forward the result and you get to post.

------
antihero
I know, let's get something computers are actually _better at than humans_ and
make it a test of whether someone is a real human!

------
arb99
Crap captcha if it became popular... too easy to brute force. I know it's for a
chess site but it isn't even very user friendly

------
apetresc
Awesome. Because if there's one thing humans are better at than computers,
it's solving chess problems.

------
TomGullen
A fun novelty but not an effective CAPTCHA if it ever caught on. It would be
trivial to crack

------
dannydev
I don't mean to be pedantic but computers have been playing chess for years...

------
jimktrains2
What's with the "Ping" at the bottom of the page. Why would someone do that?

~~~
TheBiv
A quick google gives this; apparently from the creator.

"I[t] tells how fast your computer talks with lichess server. It measures the
time a message needs to make the round trip from your browser to lichess, then
from lichess to your browser.

I'm interested in knowing what your ping is, depending on the country/city
where you live.

I live in Le Mans, France, and my ping is around 30-40ms.

What about you?"

{source} <http://nn.lichess.org/forum/lichess-feedback/whats-your-ping>

~~~
jimktrains2
I know what a ping is. Why would someone do that on a website? It just seems
pointless and causes additional load on the server.

~~~
ornicar
lichess.org is a game server, and supports real-time playing. The ping is a
critical information when you play fast games, it helps to diagnose lagging
when it happens.

~~~
jimktrains2
Ah. I thought it was just a forum/web-site. That would make sense, then.

------
miga
Very appropriate for a chess server. Would like to have GO captcha too! :-)

------
SagelyGuru
Great, I like this a lot. It is much better than those horrible squiggly
characters in invisible colour combinations. As an added bonus on, say blog
comments, this could filter out obvious idiots.

Consider offering a choice of a few different puzzles for those who don't play
chess?

------
friscofoodie
This is freaking awesome. WAY better than the letter crap

------
spullara
Um, aren't computers better than humans at Chess?

------
lucb1e
I don't play chess :(

------
rainboiboi
Not everyone plays chess. This is a huge assumption here.

~~~
drucken
Yes, a HUGE assumption for access to the chess forums of a chess server...

Indeed, nowhere does it say it is a general CAPTCHA solution.

------
shn
and then the conversion rate skyrockets :)

------
martinced
This is very easy to crack due to the 2D board, which is trivial to "OCR".

Now the concept is interesting: one could probably do the same in 3D (with
random camera angles -- up to a limit) and then it would prove more
problematic for AI because one would then need to be able to correctly pieces
in 3D and their position on the board.

