

AreYouHuman CAPTCHAs defeated using SimpleCV - kscottz
http://spamtech.co.uk/software/cracking-the-areyouhuman-captcha/

======
neil_s
From my brief time playing around with the demo on the AreYouHuman page, it
seems like the game is loaded onto the client side, and the javascript then
initiates a callback to the php form indicating the results. Since the client
has complete control over the javascript, it seems like it would be possible
to simply send the server fake acknowledgement that the user has completed the
game successfully. This seems fundamentally flawed and differs from regular
captcha, where the client side has no awareness of right and wrong answers,
and can't give immediate feedback. It simply acts as an input to the server,
which then judges the correctness, and if it isn't correct, returns a
_different_ problem, so a bot would have to start all over again.

So I think beating this captcha wouldn't require computer vision and stuff,
simply sniffing the traffic on a successful run of the game and then
replicating it appropriately later.

Also, how will this captcha system scale? They'll have to keep coming up with
new sets of objects where some of them belong on a target and some don't.
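
The two verification designs this comment contrasts, as an added example (this is not AreYouHuman's code; the page does not show the service's actual protocol, so the form fields, the `captcha_passed` flag and the `ChallengeStore` class are assumptions used only to model the argument). The first function accepts whatever verdict the browser posts, so one captured success can be resubmitted indefinitely; the second keeps the expected answer server-side, ties it to an unguessable one-time challenge id, and retires the challenge on the first attempt whether or not it was correct:

```python
"""Client-reported verdict vs. server-held answer (added illustration)."""
import secrets
from dataclasses import dataclass, field


# ---- Design 1: the server trusts what the client's JavaScript reports ----

def trusting_verify(form: dict) -> bool:
    """Accept any POST that claims success; a captured request replays forever."""
    return form.get("captcha_passed") == "1"


# ---- Design 2: challenge issued and judged server-side, consumed once ----

@dataclass
class ChallengeStore:
    # challenge id -> expected answer; an entry is deleted on its first use
    pending: dict = field(default_factory=dict)

    def issue(self, answer: str) -> str:
        """Return an unguessable challenge id; the answer never leaves the server."""
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = answer
        return cid

    def verify(self, form: dict) -> bool:
        """Judge the client's answer and retire the challenge either way, so a
        wrong guess forces a fresh problem and a right one cannot be replayed."""
        cid = form.get("challenge_id")
        expected = self.pending.pop(cid, None)   # single use: pop, not get
        if expected is None:
            return False
        submitted = form.get("answer", "")
        # constant-time comparison on bytes (str compare_digest needs ASCII)
        return secrets.compare_digest(submitted.encode(), expected.encode())


def demo_replay() -> dict:
    """Run both designs against an honest submission and a replay of it.

    The POST bodies below are constructed for the demo."""
    results = {}

    # Design 1: capture one successful POST and resend it unchanged.
    honest = {"captcha_passed": "1", "comment": "hello"}
    results["trusting_first"] = trusting_verify(honest)
    results["trusting_replay"] = trusting_verify(dict(honest))

    # Design 2: the replayed request carries an already-consumed challenge id.
    store = ChallengeStore()
    cid = store.issue("pancakes")
    honest2 = {"challenge_id": cid, "answer": "pancakes"}
    results["server_first"] = store.verify(honest2)
    results["server_replay"] = store.verify(dict(honest2))

    # A wrong answer also consumes the challenge; retrying that id fails,
    # so the bot must start over with a new problem.
    cid2 = store.issue("toolbox")
    results["server_wrong"] = store.verify({"challenge_id": cid2, "answer": "nope"})
    results["server_retry"] = store.verify({"challenge_id": cid2, "answer": "toolbox"})
    return results


if __name__ == "__main__":
    for name, ok in demo_replay().items():
        print(f"{name:16s} -> {'accepted' if ok else 'rejected'}")
```

The replay check only holds if the pending table is shared by every web node that can receive the POST (a database or cache, not per-process memory) and entries expire, otherwise an abandoned challenge stays valid forever.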

------
dexen
From the video, the `AreYouHuman' captcha strikes me as quite culture-
specific. `Put the tools in toolbox', `make pancakes' -- some people will know
what and how to, others will not.

Meanwhile, a simple bot, as demonstrated, achieves a high success rate. It
could also be improved with automated learning, using a suitable AI library;
such libraries are freely available for making games.

With both false negatives and false positives high, the captcha's either done
for, or at least needs some serious tweaks.

------
koide
Why does the captcha allow infinite retries?

And why does it let you keep trying once you've solved it?

Not that any of that would really fix the captcha, you'd just need to improve
the code accordingly.

------
haberman
Image-based CAPTCHAs are already getting to the point where I can barely make
out the letters. I'm guessing half the time and get annoyed when my guess was
incorrect. The computers will only get better at solving them; what happens
when there's no easy way for a computer to verify that it's talking to a
person?

~~~
ZenPsycho
Disable comments! Batten the hatches, skew the mizzenmast, Turing to
starboard! Knuth to port! There's a mean storm ahead and I'm not losing any
more men. NOT ON MY WATCH.

------
desaiguddu
I have created an image-based CAPTCHA, which is a combination of a normal
CAPTCHA and an advanced CAPTCHA.

You can find the research details here. If any CAPTCHA scientist wants to
research my CAPTCHA further, I can open-source it completely.

<http://dndcaptcha.blogspot.in/2010/04/textareaid.html>

------
tocomment
How does the script move the mouse?

~~~
fluffyllemon
There are many python libraries available for controlling the mouse/keyboard.
Here are a few I've used or heard of:

Autopy: <https://github.com/msanders/autopy>

PyMouse: <http://code.google.com/p/pymouse/wiki/Documentation>

Dogtail: <https://fedorahosted.org/dogtail/>

If you're on Windows, I believe win32api / win32con can also work.

~~~
tocomment
Cool. I don't suppose there is anything cross platform?

~~~
fluffyllemon
I know Autopy is cross platform, and I'm pretty sure PyMouse is too. Not sure
about Dogtail.

------
h84ru3a
The whole CAPTCHA concept (while it is certainly clever) just seems backwards.
Why are we trying to stop automation? It seems like we should be designing
systems that accommodate automation, not try to stop it. If "automation is the
problem", then something is wrong with the larger system. It would mean, e.g.,
that Googlebot is a problem because it is an automaton and not human.

We cannot just assume that everything that is automated is something we need
to stop simply because it is automated.

Maybe the design of email is the problem?

Maybe the design of blog comment systems is the problem?

CAPTCHAs are aimed at stopping automation. That appears to be the only
criterion they filter on. It just seems strange.

Of course CAPTCHAs will eventually be useless. Because most of us are working
our tails off trying to push automation forward, not find ways to block it
simply because it is automation.

~~~
eurleif
> Maybe the design of blog comment systems is the problem?

How would you design a blog comment system that doesn't get spam without using
a CAPTCHA?

~~~
meric
If technology was advanced enough: An automaton that sweeps comments, keeps
only ones that are relevant and deletes the rest. Both automatons and humans
can comment, as long as their comment is relevant.

~~~
chc
So you just have your bot Google the article's keywords and repost content it
finds along with spam links. Or heck, just repost part of the article or
another comment. Practically guaranteed relevance. Some bots already do this.
Even this fictional, ridiculously smart AI is not up to the task.

~~~
meric
If it has a spam link then it isn't relevant.

~~~
h84ru3a
I'm not an expert on spam, but doesn't almost all blog spam contain a working
hyperlink somewhere? So what if you just instruct commenters who want to post
links that they should leave off the <http://> or break the URL some other
way. Then have your blog scripts automatically fix all such broken URLs into
working hyperlinks. What is the likelihood a blog spammer would post a broken
URL?
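
The scheme proposed in this comment, as an added example (not code from the page or from any blog platform). It rejects any comment that already carries a working hyperlink and re-links only URLs written in a site-specific mangled form. The `link:host/path` marker is an assumption standing in for whatever idiosyncratic convention a site would pick; the sample comments are constructed. Everything that is not a recognised link is HTML-escaped before the anchors are rebuilt, so the auto-linker does not itself become an injection point:

```python
"""Blog comment filter: reject live links, re-link deliberately broken ones."""
import html
import re

# Markers of a "working" hyperlink that a mass-market spam bot would emit.
LIVE_LINK = re.compile(r"(?i)(https?://|<a\b)")

# Assumed site convention: `link:` followed by a host and an optional path.
MANGLED_LINK = re.compile(r"link:([A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s<>\"']*)?)")


def filter_comment(text: str):
    """Return rendered HTML for an accepted comment, or None if it is rejected."""
    if LIVE_LINK.search(text):
        return None

    out = []
    pos = 0
    for m in MANGLED_LINK.finditer(text):
        # Escape the plain text around the link, then build the anchor from
        # an escaped target so neither part can inject markup.
        out.append(html.escape(text[pos:m.start()], quote=True))
        target = html.escape(m.group(1), quote=True)
        out.append('<a href="http://%s" rel="nofollow">%s</a>' % (target, target))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


# Constructed sample comments: two that follow the convention, two that look
# like bulk spam, and one that tries to smuggle a tag next to the marker.
SAMPLE_COMMENTS = [
    "Nice write-up, more at link:example.org/captcha-notes",
    "Plain comment with no links at all",
    "Buy cheap stuff http://spam.example/offer",
    'Check <a href="http://spam.example">this</a>',
    "Tricky: link:example.net/x<script>",
]


def triage(comments):
    """Split comments into (accepted_html, rejected_text) lists."""
    accepted, rejected = [], []
    for c in comments:
        rendered = filter_comment(c)
        (rejected if rendered is None else accepted).append(c if rendered is None else rendered)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_COMMENTS)
    print("accepted:", *ok, sep="\n  ")
    print("rejected:", *bad, sep="\n  ")
```

This only buys what the comment itself claims: it stops bots that paste a live URL and never adapted to the site. A spammer who learns the marker gets through, and legitimate commenters who forget it have their link dropped, so the convention has to be stated next to the form.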

~~~
meric
Probably the same likelihood as a spammer deliberately constructing a custom
spamming bot just for your website... but good point: it'll be difficult if
the spammer posts mangled URLs as part of their spam.

~~~
h84ru3a
I imagine you could use some idiosyncratic scheme; lots of different ways you
could do it. Do blog spammers have time to customise their scripts for
specific sites? Is it worth it? My guess is they tailor them to different
types of popular blog software. And then have to hit a very large number of
blogs. Sort of like email spammers have to send out enormous quantities of
email.

