If you want to put a spanner in the works of automated bots leaving spam comments on your blog, or creating fake accounts on your website, one of the things you may deploy is a CAPTCHA system.
We’ve all seen them. They are the questions (often using distorted graphics) that you get asked by a website which is trying to determine if you are a human being or an automated computer program.
Sometimes they’re not much of a hurdle for humans to jump over:
On other occasions, they may present some of us with a tricky challenge:
And although some have tried to make the task of completing a CAPTCHA fun,
others have probably made the barrier of entry too high:
A Naked Security reader has pointed me to a new CAPTCHA system, being actively promoted by the Civil Rights Defenders group.
According to the Swedish-based group, its CAPTCHA system “takes a stand for civil rights issues across the globe” and it hopes that it will “help promote and empower our partners – brave human rights defenders, who often put themselves at great risk through their engagement for other people’s rights.”
Here’s an example, where you are asked if you feel glamorous, pleasant or agonized at the thought of gay people being beaten with a stick:
And another, where website visitors are asked how they feel about a ban on “homosexual propaganda”:
If you fail to answer correctly (or at least, fail to answer in accordance with the opinion of the Civil Rights Defenders group and any sane member of society), you will be told to wait five seconds and another question will be popped up for you to try again.
If I have any issue with the Civil Rights Defenders’ CAPTCHA system it would be that at the moment there seems to be a very limited selection of questions – and all the ones I saw required a negative response.
A wider gallimaufry of questions for web users to ponder – both negative and positive – would probably be a more effective challenge for automated bots.
All this, of course, is ignoring the fact that CAPTCHAs are frequently beaten today by spammers outsourcing the cracking of CAPTCHAs to impoverished workers in the third world, paid a pittance for completing thousands of the puzzles each day.
Nevertheless, this is an imaginative step by the Civil Rights Defenders group.
My favourite Captcha-alternative asked:
Prove you are not a computer:
What is 56 + 89?
The irony was overwhelming.
Where is the calculus one from?
The Ruđer Bošković Institute in Zagreb, Croatia.
More details can be found at http://nakedsecurity.sophos.com/2011/03/09/a-comp…
The Civil Rights Defenders' CAPTCHA system sounds like a great way to decrease your website's traffic and lose customers.
The customers from hell
How would a spambot cope with:
Solve vii+xii-ix
Maybe the Romans weren’t too dumb.
Would the answer be 27 or XXVII?
Ooops, I mean 10 or X?
Obviously the answer is Glamorous. I don't see the problem here?!?!
So, Graham, you are happy with homosexual propaganda. And you are happy to suggest that anyone who disagrees with you is, er, insane and, um, politically incorrect.
The parliament in St Petersburg is democratically elected by the people. The Civil Rights Defenders are not elected by anybody. Nor are you. The question you and the Civil Rights Defenders need to answer is whether or not this law has the support of the democratic majority in St Petersburg. If it has, it's democratically legitimate. If it hasn't, it isn't.
I'm a democrat. You?
My understanding is that the St Petersburg legislation outlaws anything which promotes a homosexual, bisexual or transgender lifestyle.
So, for instance, Gay Pride parades and events would be banned from the city – and anyone participating in them could be charged.
This is all twenty years after Russia decriminalised homosexuality.
So, yes, seeing as you ask – I am against a law banning "homosexual propaganda" (please note the quotes). I would like to think that most other people living in the 21st century would feel similarly. I'm not claiming to be elected, or have any rights to impose my feelings on others, but I do feel that we should treat a frequently victimised community with kindness and understanding.
My apologies to anyone I offended over the "sane" comment. I'm not medically qualified, so I shouldn't purport to diagnose the mental health of those who are less sympathetic to gay people.
Assuming you haven't picked up this story from The Daily Currant (http://dailycurrant.com), I find this a disturbing development, and hope others of similar mind will make their feelings known, or at least boycott any sites employing the technique.
I suspect I'd, ordinarily, be over dismissive of the impact, but think I'm correct in recognising this as psychological conditioning. You noted the restricted set of questions, which is, probably, modelled to take advantage of the “say it 3 times and people believe it” phenomenon.
In the present case, the technique is being employed to promote views that you (and very many people) hold positive but, on reflection, do you really wish this to be the means by which others are brought to share your opinion? Surely, we should be defending freedom of thought as the foundation for freedom of speech.
For the record, I am in no way unhappy about a prohibition of homosexual propaganda (under my interpretation of the term), but I can't find any way in which the imposition of one, by people I do not know, upon people I do not know, makes me feel “almighty” or even vaguely “powerful”. Perhaps they were trying to determine whether it was God, not a mortal, using their web site. (A Turin Test, maybe?)
“gallimaufry”? Really?
A large vocabulary is a good thing!
I think that the problem is that in the first examples there is only one correct answer whereas the civil rights examples do not actually have a right answer and could be asking for an opinion. It would seem that only those people who agree with their views are allowed to go to their website.
If all of the CAPTCHAS are one negative (correct) answer and two positive answers, it doesn't really matter whether people agree; it's more whether a computer can differentiate between the expected answer and the other options like a human could.
The second captcha appears to discriminate against Russian lawmakers (who should have answered "powerful") — except that just like EULAs, most people probably choose the answer they feel they're expected to choose. A computer would have a harder time doing that.
In short, the concept may be sound, even if the implementation is somewhat flawed. This doesn't of course say anything about the fact that third parties have already found ways to "crowdsource" to bypass captcha systems.
It seems like a nice idea to outsmart computers
…but:
-if we assume that a bot can decipher the individual words from the captcha-
what if the bot simply guesses one of the three words?
even with only one try it already has a chance of 1/3 of getting it right. If it tries several times, the chance goes up to 5/9, 19/27 ~ .7, 179/243 ~ 0.73 etc.
So to make such a captcha secure, we need to block mass guessing somehow.
In addition I wonder about the effort required to generate captchas. For your standard captchas you only need images of scanned text, run image (distortion) algorithms over them, done. For the civil rights captcha, you probably do need a human to create each individual captcha, and there need to be many different ones, so that bots can't remember all the right answers too easily. In other words: I don't think civil rights captchas scale too well.
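An added example, not part of the article or of any comment above, and not Civil Rights Defenders' code: it works through the three-choice guessing odds and the five-second retry delay described on this page from the site operator's side, showing what the delay alone permits and what a failure cap with lockout changes. The per-client key, the three-failure cap and the lockout lengths are illustrative assumptions.

```python
from fractions import Fraction

def pass_probability(options, attempts):
    """Exact chance that uniform random guessing passes at least once."""
    return 1 - Fraction(options - 1, options) ** attempts

def options_needed(attempts, target):
    """Smallest number of answer choices keeping that chance <= target."""
    k = 2
    while pass_probability(k, attempts) > target:
        k += 1
    return k

class AttemptLimiter:
    """Locks a client out for lockout_s seconds after max_failures wrong answers."""
    def __init__(self, max_failures, lockout_s):
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self._failures = {}       # client key -> failures since last lockout
        self._locked_until = {}   # client key -> time the lockout ends

    def may_attempt(self, client, now):
        return now >= self._locked_until.get(client, 0)

    def record_failure(self, client, now):
        count = self._failures.get(client, 0) + 1
        if count >= self.max_failures:
            self._locked_until[client] = now + self.lockout_s
            count = 0
        self._failures[client] = count

def guesses_in_window(limiter, window_s, retry_delay_s=5):
    """Answers a client gets in window_s seconds if every one is wrong
    (the case the limiter must bound). limiter=None models the retry delay alone."""
    guesses = 0
    for now in range(0, window_s, retry_delay_s):
        if limiter is None or limiter.may_attempt("client-a", now):
            guesses += 1
            if limiter is not None:
                limiter.record_failure("client-a", now)
    return guesses

if __name__ == "__main__":
    delay_only = guesses_in_window(None, 3600)
    capped = guesses_in_window(AttemptLimiter(3, 3600), 3600)
    print("delay only:", delay_only, "guesses/hour, pass chance",
          float(pass_probability(3, delay_only)))
    print("3 failures then 1 h lockout:", capped, "guesses, pass chance",
          pass_probability(3, capped))
    print("choices needed for <= 5% at 3 guesses:",
          options_needed(3, Fraction(1, 20)))
```

A cap on attempts cannot push the pass chance below the single-guess floor of 1/3, so the size of the answer space has to grow alongside any throttling.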