E-mail List Archives
Thread: reCAPTCHA
Number of posts in this thread: 12 (In chronological order)
From: Stella Mudd
Date: Thu, May 31 2012 5:41PM
Subject: reCAPTCHA
Summary of the link below: Some guys figured out how to crack Google's
reCAPTCHA by audio mining the audio description used by visually impaired
users. To thwart this new security hole, Google has made it even more
difficult to decipher the audio description.
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
What can be done to stop reCAPTCHA from becoming increasingly
inaccessible? Should we start a movement to kill reCAPTCHA? How about
noCAPTCHA?
From: Elle
Date: Thu, May 31 2012 6:26PM
Subject: Re: reCAPTCHA
Our organization uses a multilayered approach to handle security issues
with forms, none of which involve CAPTCHA (honeypot + email authentication
+ other stuff). It was a tough battle, but well worth the fight. My vote
is "noCAPTCHA" indeed.
Cheers,
Elle
--
If you want to build a ship, don't drum up the people to gather wood,
divide the work, and give orders. Instead, teach them to yearn for the vast
and endless sea.
- Antoine De Saint-Exupéry, The Little Prince
From: Karl Groves
Date: Thu, May 31 2012 8:33PM
Subject: Re: reCAPTCHA
Halfway through the article I thought to myself "Oh, I know how they can
beat the exploit: Munge the sound even more and make it more inaccessible."
Sure enough, that's exactly what they did. Ugh
Karl Groves
www.karlgroves.com
@karlgroves
From: Randy Pope
Date: Thu, May 31 2012 11:22PM
Subject: Re: reCAPTCHA
After reading the article, I cannot create an account to post my comment due
to the fact that I'm DeafBlind. The same with all websites that use
CAPTCHA. Accessible? Yea, right. Grrr.
Randy Pope
From: Lucia Greco
Date: Fri, Jun 01 2012 11:52AM
Subject: Re: reCAPTCHA
Yes, and for the last two weeks every time I get one I can't answer it.
First they made it so a blind person needs to enter 6 or more words when the
sighted person gets two, and now it's harder to hear. This needs a better answer.
From: J. B-Vincent
Date: Fri, Jun 01 2012 12:03PM
Subject: Re: reCAPTCHA
Here's a longish article about strategies for CAPTCHA-free spambot protection from yesterday's Etre newsletter. The first two options he proposes make sense to me in an accessibility context; with the last one, the phoney field ("phield"?) would need to be hidden from assistive tech too. --Jane Vincent, University of Michigan
------------------------------------------------------------
Design tip #079: Bear this in mind
------------------------------------------------------------
I don't know about you, but my favourite bear-related
problem is the Bearproof Trashcan Problem. (I bet you
haven't even got a favourite bear-related problem, have
you? That's okay; living on the edge isn't for everyone.) I
first learned of this devilish dilemma while living in
California. Every time I visited one of the area's
beautiful national parks (to steal pic-a-nic baskets), it
seemed that the trashcans (or "sidewalks" as we call them
here in the UK) had been redesigned. The opening mechanism
had become a little more complicated and a little better
concealed; and the list of instructions printed on the side
had, accordingly, grown a little longer. Why did the
trashcans become progressively harder to open? Because
bears kept on figuring out how to open them.
The idea behind the bearproof trashcan is to make it as
hard as possible for bears to get at the trash within.
(Turns out that trash is to bears what Tom Cruise is to his
lovers: Irresistible, yet at the same time extremely bad for
their health. Just joking Maverick!) The problem with the
bearproof trashcan is that the harder you make it for bears
to get at the trash within, the harder you make it for
people to deposit their trash. Make the trashcan too hard
to open and people will place their trash beside it instead
of within...thereby giving the bears free access (and
defeating the purpose). Make the trashcan easy to open,
however, and while people will then deposit their trash
within, the bears will figure out how to get at it.
Alas, no one has been able to design a trashcan that is
simple enough for all of mankind to use and yet complicated
enough to keep out all of bearkind. As a park ranger once
explained, the problem is thorny because "the smartest
bears are smarter than the dumbest people." I think he got
it wrong though. For me, the problem has little to do with
intelligence and everything to do with motivation. A more
accurate interpretation is that bears are more committed to
learning how to open trashcans than people.
When you're designing any kind of system - be it, a
frequent flyer program, an investment scheme or a web
application - you face exactly the same problem. The
desirable audience will be willing to invest much less time
in learning how to use it than the undesirable audience.
Designers are often unaware of this problem and thus end up
creating systems that do a great job of deterring the
highly-committed, undesirable audience...while
simultaneously driving away the less committed, desirable
audience.
A good example is the use of CAPTCHAs on websites. CAPTCHAs
ask interweb users to "type the fuzzy text shown in the
picture above" before allowing them to do something more
interesting (such as send a message to the site's owner).
Lots of sites implement CAPTCHAs in an attempt to deter
spammers - as many spambots can't decipher fuzzy text.
However, just as bears are more committed to figuring out
how to open trashcans than most park-goers, spammers are
more committed to cracking CAPTCHAs than most internet
users. Some spammers, for example, are prepared to pay
armies of developers to work on improving the spambots'
ability to decipher the fuzzy text. By contrast, many
internet users will take one look at a CAPTCHA and think,
"Sod this for a game of skittles. I can't be bothered to
continue". Thus, add a CAPTCHA to, say, your contact form
and you'll receive fewer spam messages...but also fewer
genuine messages from your site's users. Don't add a
CAPTCHA and you'll receive more genuine messages from your
site's users...but also more spam messages. It's CAPTCHA 22.
How do you solve such Bearproof Trashcan Problems? Well, as
you've seen, increasing the complexity of a design is
counterproductive. As such, your best bet is usually to
abandon it and look for a better alternative.
In the case of bearproof trashcans themselves, you might
ditch 'em in favour of regular (easy-to-use) trashcans -
placing these regular trashcans outside of the park gates,
by the exits, where the bears can't reach them. Sure, this
probably means that some people will dump their trash in
the bushes while wandering around the park (rather than
wait until they reach an exit); however, you could handle
this issue (to some extent, at least) by imposing heavy
penalties upon those caught engaging in such heinous
behaviour. You could even start by placing regular
trashcans outside of the park and keeping bearproof
trashcans within the park, so as to give potential
litterers extra opportunity to dispose of their trash
responsibly. (Alternatively, you could give each bear a
copy of the Michelin Guide so as to encourage them to
develop a more cultured palate. I know what you're
thinking: It's this sort of blue sky thinking that won Etre
the Rolex account! Damn right, my friend.)
In the case of our web spam problem, you might drop your
CAPTCHA in favour of the "confirmation page trick". This
trick works like so: When a user clicks on your contact
form's Send button in an attempt to send her message to
you, instead of blindly accepting it, you take her to a
confirmation page, where you ask her to confirm that her
message is correct and that she really does want to send it
to you. This stops the aforementioned spambots in their
tracks, because they aren't expecting the additional step.
Unfortunately, it may also stop some of your users in their
tracks, because they won't be expecting the additional step
either. Good design—for example, warning the user of the
additional step upfront—can help address this problem
though.
Another alternative is to employ the "timing trick". The
premise of this trick is that people take longer to fill in
a form than spambots - since people need a while to consider
and input their responses; whereas spambots don't (the
clever little synthetic barstewards) and therefore fill in
a form instantly. What this means is that you can measure
the amount of time that it takes a form-filler to complete
your form and where suspiciously brief, reject their
(spammy) submission.
Yet another alternative still is to employ the "hidden
field trick" (aka "The honeypot"). This works like so: You
add a text box to your form with a flirtatious label like
"Email address" and make it invisible using CSS. People
will never see this text box and, as such, will always
leave it empty; spambots, however, will see it and assume
that they need to fill it in. Thus, you can reject any form
submission that includes information obtained via the hidden
field safe in the knowledge that it's spam.
Anyway, by now, you get the idea: To overcome such
problems, you need to think outside of the trashcan. If not
you'll just have to grin and "bear" them. Oh dear, that's a
terrible pun to end on...er...Play me off Johnny!
» How was it for you? Email the author, Simon Griffin, at
= EMAIL ADDRESS REMOVED = or tweet @sigriffin
(http://twitter.com/sigriffin).
From: Jared Smith
Date: Fri, Jun 01 2012 12:09PM
Subject: Re: reCAPTCHA
On Fri, Jun 1, 2012 at 12:03 PM, J. B-Vincent wrote:
> Here's a longish article about strategies for CAPTCHA-free spambot protection from yesterday's Etre newsletter.
We have a list of similar and more extensive recommendations on our
site at http://webaim.org/blog/spam_free_accessible_forms/
For our forms, we do three simple things:
1. A short "naughty word" list. Form data containing these words are
not submitted.
2. A honeypot - a hidden (also to screen reader users) text field
after the submit button. If it contains content, the message is not
submitted.
3. Basic time detection. We log the time the form is opened and the
time it is submitted. If the difference is less than 3 seconds or more
than 40 minutes, it is not submitted.
These three things have cut the automated spam on our online forms
from several thousand per month to 2-3 per month, most of which are
probably human spammers.
Jared
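The three checks Jared lists above, which are also the timing and honeypot tricks from the Etre newsletter quoted earlier in the thread, combined into one server-side filter in Python. This is an added illustration written for this archive, not WebAIM's code: the field names, the secret key, the blocked-word list and the sample submissions are constructed, and signing the render-time timestamp with an HMAC (so a bot cannot post a backdated timestamp to slip past the 3-second minimum) is this example's own addition rather than something the post describes.

```python
"""Contact-form spam filter: blocked-word list + honeypot + time window.

Constructed example. Thresholds (3 s minimum, 40 min maximum) are the ones
quoted in the post; everything else is an assumption of this example.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"rotate-me-in-production"      # assumed; load from config in practice
HONEYPOT_FIELD = "website_url"               # assumed name; hidden from sighted AND screen reader users
TOKEN_FIELD = "form_token"                   # assumed name of the hidden timestamp field
MIN_SECONDS = 3                              # from the post: faster than this is a bot
MAX_SECONDS = 40 * 60                        # from the post: slower than this is stale
BLOCKED_WORDS = {"viagra", "casino", "payday loan"}   # constructed "naughty word" list


def issue_token(now=None, key=SECRET_KEY):
    """Called when the form is rendered; returns 'timestamp.nonce.mac'.

    The MAC is this example's addition: without it a bot could submit any
    timestamp it liked and pass the minimum-time check.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def parse_token(token, key=SECRET_KEY):
    """Return the issue timestamp, or None if the token is malformed or forged."""
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return ts


def check_submission(form, now=None, key=SECRET_KEY):
    """Return (accepted, reason) for a dict of POSTed form fields."""
    now = now if now is not None else time.time()

    # 1. Blocked-word list over the user-visible text fields, case-insensitive.
    haystack = " ".join(
        str(v) for k, v in form.items() if k not in (HONEYPOT_FIELD, TOKEN_FIELD)
    ).lower()
    for word in BLOCKED_WORDS:
        if word in haystack:
            return False, f"blocked word: {word}"

    # 2. Honeypot: people never see the field, so any content means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"

    # 3. Time window between rendering the form and submitting it.
    issued = parse_token(form.get(TOKEN_FIELD, ""), key)
    if issued is None:
        return False, "missing or invalid form token"
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return False, f"submitted too fast ({elapsed:.1f}s)"
    if elapsed > MAX_SECONDS:
        return False, "form expired; reload and resubmit"

    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one human-looking, one bot-looking.
    t0 = time.time()
    token = issue_token(now=t0)
    print(check_submission({"name": "Ann", "message": "Hello", TOKEN_FIELD: token}, now=t0 + 30))
    print(check_submission({"name": "Bot", "message": "Hi", TOKEN_FIELD: token,
                            HONEYPOT_FIELD: "http://example.invalid"}, now=t0 + 30))
```

On the form side, the honeypot input must be hidden in a way that assistive technology also honours (CSS `display: none` does that, which is what Jared means by "hidden also to screen reader users"); adding `tabindex="-1"` and `autocomplete="off"` keeps keyboard users and browser autofill out of it as well. The "expired" branch should be reported back to the person so they can resubmit rather than silently dropped.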
From: Stella Mudd
Date: Fri, Jun 01 2012 12:34PM
Subject: Re: reCAPTCHA
This is all great info. I'm going to begin compiling a list of effective
techniques for various security needs. I have procured the domain name
www.nocaptcha.org where I would like to provide this information and a
whole lot more. If anyone is interested in pitching in or helping to get
some funding to provide something special in terms of design, info,
examples, consulting, etc., I'm up for any suggestions. Shoot me an
e-mail. Cheers.
-Stella
From: Rick Hill
Date: Fri, Jun 01 2012 12:59PM
Subject: Re: reCAPTCHA
These other techniques mentioned so far (like those proposed by Jared) work well.
If you have a need for something like a CAPTCHA in addition, I have long advocated for a logic Turing test vs CAPTCHA. Since CAPTCHAs (visual or audio) are basically pattern recognition tests, the more sophisticated computer algorithms become at pattern recognition (like speech recognition and OCR), the CAPTCHA tools must present more difficult to recognize patterns until finally, humans can't read/understand them (but the computers can).
In a Turing test, the user is presented with simple, text-based questions that require cognition to interpret and understand. Doesn't mean a computer couldn't be taught to interpret the questions (look at Jeopardy!). But it is effective for blocking most bad bots, is understandable by most all users (it is text after all and as long as the questions stay simple, shouldn't impose an issue for most folks with cognitive disabilities), and best of all, would use a simple text based database or even array to maintain (whereas CAPTCHA requires a vetted database of scanned images and audio). So, you could house the functionality locally on your servers. However, there is at least one central service: http://textcaptcha.com/
Example questions:
What is the sum of 2 plus 5?
Which is bigger, an ant or a whale?
More on these and other techniques can be found at http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/
There isn't a perfect solution. Probably best to determine how important spam protection is for the given data/audience, weigh that against the impact on users, and determine what resources you have available to implement a given solution. The result is the "perfect" solution for your need.
Rick Hill, Web CMS Administrator
University Communications, UC Davis
(530) 752-9612
http://cms.ucdavis.edu
Web CMS assistance at = EMAIL ADDRESS REMOVED = <mailto: = EMAIL ADDRESS REMOVED = >
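An added illustration, in Python, of the logic-question approach Rick describes: a small question bank kept in an array on your own server, with no images or audio. This is not code from textcaptcha.com or from any poster. The question bank mixes the two questions quoted in this thread with one constructed one; the in-memory challenge store, the ten-minute time limit, the single-use rule and the answer normalisation (so "Seven", "seven" and "7" all pass) are this example's own assumptions.

```python
"""Text-based logic question challenge. Constructed example.

Questions are plain text, so they work with screen readers and braille
displays; the trade-off Rick mentions (a program could be taught to parse
them) still applies.
"""
import random
import secrets
import time

# Static bank, as the post suggests. Each entry lists every accepted answer.
STATIC_QUESTIONS = [
    ("Which is bigger, an ant or a whale?", {"whale", "a whale", "the whale"}),
    ("What day comes between Wednesday and Friday?", {"thursday"}),
    ("Is fire hot or cold?", {"hot"}),            # constructed
]

NUMBER_WORDS = {
    "zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
    "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10, "eleven": 11,
    "twelve": 12, "thirteen": 13, "fourteen": 14, "fifteen": 15,
    "sixteen": 16, "seventeen": 17, "eighteen": 18,
}

CHALLENGE_TTL = 10 * 60   # assumed: answers older than this are rejected


def normalise(answer):
    """Lower-case, drop punctuation, collapse whitespace, map number words
    to digits, so that spelling and typing differences don't fail a person."""
    cleaned = "".join(ch for ch in answer.lower() if ch.isalnum() or ch == " ")
    cleaned = " ".join(cleaned.split())
    if cleaned in NUMBER_WORDS:
        return str(NUMBER_WORDS[cleaned])
    return cleaned


class TextCaptcha:
    """Server-side store of outstanding challenges: id -> (answers, issued).

    Kept in a dict here; a deployment would put this in the session store.
    `rng` and `clock` are injectable so the behaviour can be tested.
    """

    def __init__(self, rng=None, clock=time.time):
        self.rng = rng or random.SystemRandom()
        self.clock = clock
        self._pending = {}

    def new_challenge(self):
        """Return (challenge_id, question_text).

        Half the time an arithmetic question is generated on the fly, so a
        bot cannot simply enumerate the static bank and cache the answers.
        """
        if self.rng.random() < 0.5:
            a, b = self.rng.randint(1, 9), self.rng.randint(1, 9)
            question, answers = f"What is the sum of {a} plus {b}?", {str(a + b)}
        else:
            question, answers = self.rng.choice(STATIC_QUESTIONS)
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = ({normalise(x) for x in answers}, self.clock())
        return cid, question

    def verify(self, challenge_id, answer):
        """Single-use check: the challenge is discarded whether or not the
        answer is right, so one question cannot be brute-forced."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        accepted, issued = entry
        if self.clock() - issued > CHALLENGE_TTL:
            return False
        return normalise(answer) in accepted


if __name__ == "__main__":
    captcha = TextCaptcha()
    cid, question = captcha.new_challenge()
    print(question)
    print(captcha.verify(cid, input("Answer: ")))
```

The challenge id goes into a hidden field of the form and the answer into a normal labelled text input; because the id is single-use, a refreshed form always gets a new question. As J. B-Vincent notes further down the thread, questions like these assume English and some cultural knowledge, so a site using them should still offer another route (an e-mail address, for instance) for the people they exclude.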
From: Barry Hill
Date: Fri, Jun 01 2012 1:05PM
Subject: Re: reCAPTCHA
I saw a confirmation on one site that just asked the answer to a very simple
question. I believe the question was something like, "What day comes
between Wednesday and Friday".
Would this be a suitable alternative or would it perhaps cause an issue for
people with learning difficulties or cognitive disabilities?
Cheers
Barry
From: J. B-Vincent
Date: Fri, Jun 01 2012 1:13PM
Subject: Re: reCAPTCHA
Barry: It could cause issues for both people with learning/cognitive disabilities and people who are not fluent in English. Some questions may also assume cultural knowledge (e.g., an urban teen might have difficulty identifying which of a group of animals "doesn't belong on a farm").
From: Morin, Gary (NIH/OD) [E]
Date: Mon, Jun 04 2012 7:55AM
Subject: Re: reCAPTCHA
If anyone is aware of this event this morning with the US Federal Communications Commission, the issues for IT accessibility and persons with cognitive disabilities!
* Monday, June 04, 2012 09:00 - 12:30 Inaugural Session: 2012-2013 M-Enabling Global Briefing Tour
* http://g3ict.org/events/schedule/event_agenda/p/eventId_310/id_agenda, http://www.g3ict.org/
* http://www.fcc.gov/live
Gary M. Morin, Program Analyst
NIH Office of the Chief Information Officer
10401 Fernwood Rd, Room 3G-17
Bethesda, MD 20892, Mail Stop: 4833
(301) 402-3924 Voice, 451-9326 TTY/NTS
(240) 380-3063 Videophone; (301) 402-4464 Fax
Section 508 coordinators: http://ocio.od.nih.gov/Accessibility/Sec508coordinators.html
NIH Section 508 Team: mailto: = EMAIL ADDRESS REMOVED = ?subject=Section 508 Help or, for Section 508 Guidance, http://www.hhs.gov/web/508/index.html
Consider the environment. Please don't print this e-mail unless you really need to.
WHAT IF THE FIRST QUESTION WE ASKED WAS, "WHAT IS SO UNIQUE ABOUT THIS SITUATION THAT IT JUSTIFIES EXCLUSION? INSTEAD OF, "HOW MUCH DOES IT COST TO MAKE IT ACCESSIBLE?"