A viable alternative to CAPTCHAs

[DChapman]

Zoints has developed what many feel is a viable alternative to the horror that are CAPTCHAs. Not only are CAPTCHAs annoying, they screw over blind people and are known to cause cancer. Therefore, based upon the ideas put forth by Matt May at http://www.w3.org/TR/turingtest/, a friend of mine came up with the simple logic puzzle implementation Zoints now uses. Thus far, we are receiving positive feedback (example: http://accessibilityblog.com/)

We call the system QAACK (Questions and Answers Answerable with Common Knowledge). And for the record, company policy states you have to quack like a duck if you say QAACK. You can view this CAPTCHA alternative in action by going to http://zoints.com and selecting "Create your profile". Simply put, rather than an image, you are asked to answer a very simple question.

We want to make this system available for any site to use. This will of course require that our bank of questions and answers grow exponentially. For this to happen, we need a means for the public to be able to submit questions and answers and a reveiew process so bad ones don't make it through. Or some innovative idea we haven't come up with. Thus far what we plan:

1. We will be implementing a system that tracks which questions are missed most often. The top X% will be thrown out each day. This will be an automated means to remove questions that confuse people.

2. We plan to create a means for people to submit questions and corresponding answers. This won't be hard.

The main issue:

We need to develop some sort of review process. We figure Zoints employees can initially scan submitted questions and answers. But for this to be a truly viable CAPTCHA alternative, the number of submissions needs to be HUGE and it needs to be in all available languages. Obviously a point will come when Zoints cannot have employees check every submission. Ideas on how to recify this situation would be appreciated.

Is the system perfect in its current state? No. But we'll be expending the necessary resources to change that. Any issues, potential exploits, constructive criticism, etc you can put forth would be greatly appreciated. We of course will never charge a dime for use of this system. We just want to help make the Internet accessible and less annoying.

[Calash]

Quote:

1. We will be implementing a system that tracks which questions are missed most often. The top X% will be thrown out each day. This will be an automated means to remove questions that confuse people.

Took a quick look and this part threw up a red flag for me. How would you prevent a bot from being setup to force specific questions off the list by continually responding wrong to them? A safety net of some kind would have to be setup to prevent abuse of this.

The other thing that troubles me is that a persistent person could setup a bot to take the question and plug it right into something like ask.com, and output the top text answer.

I do like the idea alot though. I think it is a good step in the right direction.


QAACK.....love the name

[TheMaTrIx]

You know plenty of Americans will fail that test and won't be able to sign up right? Especialy the southerners (just kidding )

I think its a pritty good idea and better then CATCPA or whatever its name is.
I've seen the CATCPA stuff beaten pleny of times, theres enough software and scripts out there that do OCR text processing, which makes CATCPA about as much of a security measure as simply echoing the text for copy/pasting.

This method your using on Zoints is good, as long as the amount of questions and anwsers number high (I'd say 1000's but a few douzen will probably do the job)

[bairy]

I hate captchas. I think the 3.6 ones are ugly and a quarter of the time impossible to read. You can remove the backgrounds but that kinda invalidates having them in the first place.

Anyway, one alternative I saw once was this: http://labs.mininova.org/passclicks/ which is ... well, pretty much explained on the page.
Not really going anywhere interesting with this post, just fyi.

[comperr]

I like captcha, except that over time bots will be able to read them.
Also with yours, it is a 50/50 chance and bots can just be programmed with a number of questions (humans go around reading them, and ading them to a text list on the internet. then bots just search through that list).

[DChapman]

Quote:

Originally Posted by comperr Also with yours, it is a 50/50 chance and bots can just be programmed with a number of questions (humans go around reading them, and ading them to a text list on the internet. then bots just search through that list).

It's not quite that easy Feel free to play around with it on Zoints.com and see why.

[Alex Apple]

Theres a hack for vB which does much the same as this, albeit a bit more low tech (no tick boxes, for one, just entering the answer). The problem I've found on the 3.6 version of vB is that both I and my staff found the new CAPTCHA virtually unreadable, even once we'd tweaked with the settings. And the questions we came up with seem to be much the same as on Zoints.

So, um, yeah - good idea!

[comperr]

Quote:

Originally Posted by [Zoints]DChapman It's not quite that easy Feel free to play around with it on Zoints.com and see why.

I was able to "register" with 30 accounts and a bot I wrote (I cancled before it went through)

[DChapman]

Quote:

Originally Posted by comperr I was able to "register" with 30 accounts and a bot I wrote (I cancled before it went through)

Did you use a proxy?

But yes, anyone can manually register accounts right now.

You're welcome to turn the bot on and let it go through (please turn it off before it registers more than 30 accounts though ). If you have indeed created a bot that overcame this captcha alternative, we'd love to work with you so we can improve the system. Thanks

[comperr]

Quote:

Originally Posted by DChapman Did you use a proxy? But yes, anyone can manually register accounts right now. You're welcome to turn the bot on and let it go through (please turn it off before it registers more than 30 accounts though ). If you have indeed created a bot that overcame this captcha alternative, we'd love to work with you so we can improve the system. Thanks

No, I did not use a proxy, but I did mask my IP address (return IP was another computer that would change IPs every once in a while)
My bot guesses randonly, and stores questions in a log file. It then asks me for the answers and uses them the next time around...

[DaiTengu]

Quote:

Originally Posted by comperr No, I did not use a proxy, but I did mask my IP address (return IP was another computer that would change IPs every once in a while) My bot guesses randonly, and stores questions in a log file. It then asks me for the answers and uses them the next time around...

As David said, when it is fully implemented and users can submit their own questions there will be hundreds of thousands of entries. The odds of getting the same question more than once will be pretty slim

[comperr]

Quote:

Originally Posted by DaiTengu As David said, when it is fully implemented and users can submit their own questions there will be hundreds of thousands of entries. The odds of getting the same question more than once will be pretty slim

Yes, but now take the following scenario:
1)A bunch of cr (not h)ackers add a list of questions and answers via form to http://mydomain.com/qs.txt
2)The bots go on hundreds of computers, going to thousands of forums (if zoints gets that large) and guessing. If it goes through then it adds the q & a to the list
3)some bots watch the traffic going to zoints IP address and looks for Q&As and it adds them.
4)It learns when you ask for a certain character of a certain word (to stop 30 character strings with random placements such as what is the sixteenth letter of sdggfdfyuguyfuiyufhsruiyfuiysuifyuidfuj)

Of what I just said, only #3 can actuualy be fully stopped by using the Secure HTTP protocall.

Edit: I am a hacker, that means I take a computer beyond its limit. A cracker does illegal things.
This is all theory (and I do some "test" bots), I do not plan on doing any of this stuff outside of a contolled area.

[DaiTengu]

Quote:

Originally Posted by comperr Yes, but now take the following scenario: 1)A bunch of cr (not h)ackers add a list of questions and answers via form to http://mydomain.com/qs.txt 2)The bots go on hundreds of computers, going to thousands of forums (if zoints gets that large) and guessing. If it goes through then it adds the q & a to the list 3)some bots watch the traffic going to zoints IP address and looks for Q&As and it adds them. 4)It learns when you ask for a certain character of a certain word (to stop 30 character strings with random placements such as what is the sixteenth letter of sdggfdfyuguyfuiyufhsruiyfuiysuifyuidfuj) Of what I just said, only #3 can actuualy be fully stopped by using the Secure HTTP protocall. Edit: I am a hacker, that means I take a computer beyond its limit. A cracker does illegal things. This is all theory (and I do some "test" bots), I do not plan on doing any of this stuff outside of a contolled area.

No solution is going to be 100%, Captchas and other things have been cracked, and the QAACK will have to evolve in order to stay ahead of the spammers. The best thing you can have behind a good verification system is a group of people keeping an eye on it.

1. With hundreds of thousands of questions in the database, a list of a few thousand really won't make much of a difference. You'll have a very low percentage chance of actually getting one. It'd also be feasable to only allow registered users to submit X amount of questions per day (say under 20 or so). Users who have shown their ability to enter good questions, and request the ability to add more could be manually approved by Zoints Staff to have that limit increased. They could even go so far as to tie the questions to an account, and disable them should they find something 'fishy' happening.

2. When QAACK is full steam ahead, it'd need to have at least 100,000 correct answers in it's database to be viable. I don't know about you, but I certainly don't have the time to sit down and answer 100,000 questions. Will someone do it? Sure, but that's where you add in a type of IP blocking system. No human is going to get a question wrong more than a few times. If you set a counter to something like 10, or 15, and then block that IP for a few hours or a even a day, you once again have an effective means of stopping spam. A few accounts will get through, but it'll be much better than if a thousand accounts get through and staff has to manually clean them up.

If an IP gets a question wrong more than 15 times in a certain period, they should be blocked from the site for a day. Then of course, all traffic from that IP will be logged and Staff can take action on whether or not to permanently ban that IP. In a botnet of 1000 computers, eventually all of them will be banned.

3. Difficult to do, and very easily solved by SSL. If you've managed to sniff the traffic, you might as well just take the logins & passwords instead of the questions.

4. Is the most difficult to program, but would be the most effective. The questions, however are not always 1-answer things. "In the word fifth, what are the first and fourth letters?" or "What are the first and fourth letters in the word fifth?" "What two letters come after the first in the word fifth?" There's so many combinations that it would be difficult, and there would of course be many wrong answers which would eventually trigger the IP block.


Is the QAACK perfect? No. Will someone find a way around it? probably. Human interaction is the key. With a good staff behind the QAACK, very few spammers will get through.

[comperr]

Quote:

Originally Posted by DaiTengu No solution is going to be 100%, Captchas and other things have been cracked, and the QAACK will have to evolve in order to stay ahead of the spammers. The best thing you can have behind a good verification system is a group of people keeping an eye on it. 1. With hundreds of thousands of questions in the database, a list of a few thousand really won't make much of a difference. You'll have a very low percentage chance of actually getting one. It'd also be feasable to only allow registered users to submit X amount of questions per day (say under 20 or so). Users who have shown their ability to enter good questions, and request the ability to add more could be manually approved by Zoints Staff to have that limit increased. They could even go so far as to tie the questions to an account, and disable them should they find something 'fishy' happening. 2. When QAACK is full steam ahead, it'd need to have at least 100,000 correct answers in it's database to be viable. I don't know about you, but I certainly don't have the time to sit down and answer 100,000 questions. Will someone do it? Sure, but that's where you add in a type of IP blocking system. No human is going to get a question wrong more than a few times. If you set a counter to something like 10, or 15, and then block that IP for a few hours or a even a day, you once again have an effective means of stopping spam. A few accounts will get through, but it'll be much better than if a thousand accounts get through and staff has to manually clean them up. If an IP gets a question wrong more than 15 times in a certain period, they should be blocked from the site for a day. Then of course, all traffic from that IP will be logged and Staff can take action on whether or not to permanently ban that IP. In a botnet of 1000 computers, eventually all of them will be banned. 3. Difficult to do, and very easily solved by SSL. If you've managed to sniff the traffic, you might as well just take the logins & passwords instead of the questions. 4. Is the most difficult to program, but would be the most effective. The questions, however are not always 1-answer things. "In the word fifth, what are the first and fourth letters?" or "What are the first and fourth letters in the word fifth?" "What two letters come after the first in the word fifth?" There's so many combinations that it would be difficult, and there would of course be many wrong answers which would eventually trigger the IP block. Is the QAACK perfect? No. Will someone find a way around it? probably. Human interaction is the key. With a good staff behind the QAACK, very few spammers will get through.

1)It can still do some damage
2)OK - each of 1000 people answer 5 questions per day, along with robots figuring out 50 each. It can be done (I have done this using a smaller scale, but slaso less answered by robot and people in controlled study)
3)true, but....
4)I already wrote a program that solves these types of questions. You need things like is a bannana a fruit type things.
5)IP block - ha ha. It is so easy to get around these it is not funny.

[fullphaser]

I saw something similar to this on slashdot, except instead of simple questions, there were images, that way the bot could never read something as a tiger or a lion, the questions were all off easily recognizable creatures, and then on top of that the awnser field was kept constantly random. Worked well from what I hear because you would have to have human intellegence to identify the images

[Brad]

Quote:

Originally Posted by fullphaser I saw something similar to this on slashdot, except instead of simple questions, there were images, that way the bot could never read something as a tiger or a lion, the questions were all off easily recognizable creatures, and then on top of that the awnser field was kept constantly random. Worked well from what I hear because you would have to have human intellegence to identify the images

The problem with this is it locks out blind people.

[DChapman]

Quote:

Originally Posted by Brad The problem with this is it locks out blind people.

Indeed.

I'd like to reiterate that what we have here is not infallible. We greatly appreciate you white hat hackers who are pondering ways to get past this system. The more feedback we get, the more likely a truly viable alternative to evil in image form (captchas) can be developed.

[Libertate]

Take the general idea that you have and enhance it by turning the whole Question and Answers into a single image.

Display the image and randomize the area where the click(s) are required using AREA.

Most LAMP installation will have GD or ImageMagick, and the above image could be generate quick. Important to name each new creation of the image the same.

To also compensate for visually impared users, you can have simple MP3 files playing the original "CAPTCHA" on request.

I have upload an example - I also added a bit of noise, which can be easy turned on or off, increased or decreased on the fly.

[comperr]

Quote:

Originally Posted by fullphaser I saw something similar to this on slashdot, except instead of simple questions, there were images, that way the bot could never read something as a tiger or a lion, the questions were all off easily recognizable creatures, and then on top of that the awnser field was kept constantly random. Worked well from what I hear because you would have to have human intellegence to identify the images

this would work, but not for long. (see what google could do with picture identification - they usualy get it right)

[comperr]

Quote:

Originally Posted by DChapman Indeed. I'd like to reiterate that what we have here is not infallible. We greatly appreciate you white hat hackers who are pondering ways to get past this system. The more feedback we get, the more likely a truly viable alternative to evil in image form (captchas) can be developed.

Just giving advice.
Oh and for future knolegde of everone reading this
hacker = some who takes a computer beyond its limits (think GUI)
[c]cr[/b]acker = some who does something mallicious (think jail)