New CAPTCHA

Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Xore
Registered User
Posts: 80
Joined: Mon Jul 21, 2003 11:44 pm
Location: The desert

Re: New CAPTCHA

Post by Xore »

MKruer wrote: Just playing around and came up with this idea.

Use a complex pattern background, something that has visual redundancy, but still has hard lines to it, then use different fonts, some outlined, others not, in multi color gradients or images, stretch and twist the image, and I think that you will have something that is hard to crack. At least it's more entertaining than some of the other CAPTCHA

It's a pretty good job; a (hopefully constructive) criticism is to note that the cubic grid in the background matches the color gradient. If I were to take a stab at cracking it, the first thing I'd do is normalize the color vector across the image, which should trivially filter out all the hard edges that aren't part of the text. Likewise, its uniformity makes it an easy target for filtering out.
DavidMJ
Registered User
Posts: 932
Joined: Thu Jun 16, 2005 1:14 am
Location: Great Neck, NY

Re: New CAPTCHA

Post by DavidMJ »

A quick edge detection example... All the letters have colors in them, the rest is either white or grayish...

However, it is still kinda cool...
Attachments
example1.png
(327.37 KiB) Downloaded 1858 times
Freedom from fear
EWT
Registered User
Posts: 18
Joined: Tue Jan 11, 2005 2:59 am

Re: New CAPTCHA

Post by EWT »

Would the above captcha be easy to filter due to the all color LN sequence, or some other reason? If the coloring is the reason, why not have the LN sequence in grayscale?
DavidMJ
Registered User
Posts: 932
Joined: Thu Jun 16, 2005 1:14 am
Location: Great Neck, NY

Re: New CAPTCHA

Post by DavidMJ »

It's not the colors, it's the rate of change in the intensity gradient.

However, removing the colors does give an advantage in this situation. Some of the characters are hard to determine due to the edge detection algorithm picking up the geometric lines in the background...
Freedom from fear
MKruer
Registered User
Posts: 156
Joined: Sun Jul 20, 2003 9:01 pm

Re: New CAPTCHA

Post by MKruer »

Yeah, the color might be overkill, but try these two.

The first one is Pixelation. The upside to this is that when you go to find the edges you end up with a grid; at least that's what shows up on my side.
The next one is a displacement map; this is used to break up the characters so they cannot be easily recognized.

Ultimately there is no one-stop-shop perfect solution for this. Instead it's going to come down to a blanket approach. What I mean by that is have multiple CAPTCHA. Honestly I would prefer to take the above techniques with modifications to the images so they are not obvious to simple deconstructs, but we are getting to the point where if you see it a program can decipher it.

I am a really big fan of the logic puzzles, such as "what is 2 plus 5"; any person with a first grade education should be able to answer that. Anyone that can't shouldn't be using a computer in the first place, let alone trying to register for a forum online. I think that is a fair assumption. The only problem with the logic question is that, in order for it to be LCD for the user, it is susceptible to simple brute force attacks.

That could be a way to go: when someone first registers, give them 2 to 3 problems, such as type what you see and then answer the logic question (two different sections of the page). If the person fails, keep piling on more and different questions. The idea is that if it's a person, they should be able to get it right regardless of how many questions. It might be annoying, but from a bot's standpoint, it doesn't know how many questions there could be, that coupled with a few false positives hidden from the users but able to be seen in the code of the page. Basically try to confuse the bots as much as possible.

Edit: Add Dodge Example
Attachments
dgexample.jpg
Dodge
(82.01 KiB) Downloaded 1982 times
dmexample.jpg
Displacement Map
(30.24 KiB) Downloaded 1978 times
pxexample.jpg
Pixelate
(27.59 KiB) Downloaded 1978 times
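
The escalation and hidden-field ideas in MKruer's post, sketched as an added example that is not part of the original thread or of phpBB: each failed attempt adds one more question, a filled-in decoy field marks the submission as automated, and `guess_odds` shows why extra questions blunt blind guessing. The field name `website_url`, the form layout and the single-digit addition questions are assumptions.

```python
import secrets
from fractions import Fraction

HONEYPOT_FIELD = "website_url"  # assumed name; present in the page source, hidden from humans
BASE_QUESTIONS = 2              # questions shown on the first attempt

def new_challenge(failures):
    """Build questions and expected answers; one extra question per earlier failure."""
    rng = secrets.SystemRandom()
    questions, answers = [], []
    for _ in range(BASE_QUESTIONS + failures):
        a, b = rng.randint(1, 9), rng.randint(1, 9)
        questions.append(f"What is {a} plus {b}?")
        answers.append(str(a + b))
    return questions, answers

def check_submission(form, answers):
    """Classify one registration attempt as 'bot', 'retry' or 'pass'."""
    # A human never sees the decoy field, so any value in it means a script filled the form.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "bot"
    given = [g.strip() for g in form.get("answers", [])]
    # Wrong count or any wrong answer sends the visitor back with a longer challenge.
    return "pass" if given == answers else "retry"

def guess_odds(failures):
    """Upper bound on a fixed blind guess passing one attempt.
    The most common sum of two digits 1..9 is 10, which occurs in 9 of 81 cases."""
    return Fraction(9, 81) ** (BASE_QUESTIONS + failures)
```

The caller keeps the failure count and the expected answers in server-side session state, so neither is visible in the page the bot receives.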
Wernight
Registered User
Posts: 26
Joined: Sun Apr 02, 2006 2:15 pm
Location: France

Re: New CAPTCHA

Post by Wernight »

APTX wrote: Maybe a transformation like this will be good.
Not really. This transformation is known. It can be modelled easily because there is almost no noise. Noises and any random elements are what you are looking for.
DavidMJ wrote: A quick edge detection example... All the letters have colors in them, the rest is either white or grayish...

However, it is still kinda cool...
Again it's too easy to defeat for computers as they can just keep the pixels that are not gray. Now to have a good image quality some gray should be kept, so it's probably a bit more complex but still too easy.

The example of squirrelface is just too easy to defeat. Only humans have problems solving it (which is the opposite effect of what we want). What we want is make it easy to read for humans only.

Just a note about colours. More people have some problems seeing colours than blind people. Levels of gray are just similar to having colours for a computer. R*V*G = 24bits_Code that can be interpreted as a single gray-scale value by a computer.

What to do if phpBB goes with CAPTCHA? Probably one of the best ways to make it hard for computers is:
- Make a random transformation that humans can still correct
- Add noises
Restoring such a damaged image can be really hard or impossible, so reading the characters from it becomes much harder also.

Another good idea is to use logic problems. Computers are stupid (trolls also :P). If you have some ideas about simple tests for intelligence that can be random without simple computer algorithm to solve them... I think it's really hard, as the generation of the questions requires also intelligence in order not to be pre-defined.

Same goes for general culture tests (like knowing what is an elephant for example). The problem isn't easy, and might be impossible to solve in the future.
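
Wernight's objection, that keeping only the pixels that are not gray isolates the letters, can be turned into a check the CAPTCHA generator runs on its own output before serving a design. This is an added example, not code from the thread or from phpBB; the pixel grids are constructed, and the saturation threshold and the 0.5 limit are assumptions.

```python
GRAY, DARK = (128, 128, 128), (60, 60, 60)
RED, BLUE = (200, 40, 40), (40, 40, 200)

# Constructed 4x6 glyph mask: 1 marks pixels the generator drew as text.
MASK = [
    [0, 1, 1, 0, 0, 0],
    [0, 1, 0, 0, 1, 0],
    [0, 1, 1, 0, 1, 0],
    [0, 0, 0, 0, 1, 0],
]

def render(glyph_colour, bg_colour):
    """Build a constructed test image from MASK using per-pixel colour callbacks."""
    return [[glyph_colour(r * 6 + c) if m else bg_colour(r * 6 + c)
             for c, m in enumerate(row)] for r, row in enumerate(MASK)]

# Design 1: coloured letters on gray. Design 2: partly gray letters plus coloured noise.
WEAK = render(lambda i: RED, lambda i: GRAY)
NOISY = render(lambda i: RED if i % 2 == 0 else DARK,
               lambda i: BLUE if i % 3 == 0 else GRAY)

def colour_filter_leak(pixels, mask, threshold=40):
    """Jaccard overlap between 'not gray' pixels and the true glyph pixels.
    1.0 means a colour filter alone recovers exactly the text."""
    hit = union = 0
    for row, mask_row in zip(pixels, mask):
        for rgb, m in zip(row, mask_row):
            coloured = (max(rgb) - min(rgb)) > threshold  # any pure gray scores 0
            glyph = bool(m)
            hit += coloured and glyph
            union += coloured or glyph
    return hit / union if union else 0.0

def design_ok(pixels, mask, limit=0.5):
    """Reject a design whose text is mostly separable by colour alone."""
    return colour_filter_leak(pixels, mask) < limit
```

A low score only says the colour filter fails; it says nothing about whether a human can still read the image.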
Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: New CAPTCHA

Post by Yawnster »

Personally I have devised a rather simple CAPTCHA system for my own blog after finding a few ideas in an existing Wordpress plugin. It relies not on 1 hard deterrent, but on randomness and lots of different ones..

I have a number of folders which I call different objects from which each distort the image in turn.. I have done it in the 2 layer effect at present, however I want to add a 3rd when I get time. The first is a background effect, the second is the font and thirdly will be some sort of overlay.

The background pattern at present only has two possibilities, but many more can be written simply and dropped into a folder and the application will pick them up instantly and use them.. The second folder is for fonts, each letter can have a different font and colour and already they have distortions however I hope to put per letter distortions in the future.. The 3rd step although not implemented at present would be some sort of overlay, which helps distort the current unbroken letters..

Personally I feel the main problem with the majority of CAPTCHAs at present isn't that they are coded poorly, but you can only keep things safe for a length of time and this time will be reduced if choice is limited like with the 1 style CAPTCHA..

If you had 3 different background effects, 3 font distortions and 3 different overlays then the logic suggests that there are 27 different possibilities (I'm not too great at maths but I'm guessing 3^3 is 27).. This obviously beats the current implementation of just 1 style as the attacker would have to write complex sub-sets of the detection program to deal with each bit.

I'm not disputing that the CAPTCHA I have produced isn't easy to get on its own, as I know it is but you can see the concept, another argument in this is that code bloat begins to appear, but say you have a small subforum dedicated to producing new parts for the CAPTCHA's that all people have to do if they are getting attacked is download and drop in, problem solved. I will also say that this CAPTCHA is still in development as I know a lot of the effects are unreadable to most, but the point of this post was more of the randomness concept and splitting the image into different layers which I don't think anyone has brought up yet...

Anyways, Enjoy.. Yawnster

PS.. Looking at this a different way I have noticed that a lot of users will not bother to check back and try to make themselves more secure, so this way it can be rather easy to distribute new patches to a CAPTCHA if it ever gets broken, just ask them to remove a file and add a new one back in upon updating, and on install ask them to install different fonts etc..
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: New CAPTCHA

Post by EXreaction »

What about letter outlines?

I was just looking at a mellow yellow can, and around the text I noticed there is an outline...if you had it randomly make some letters have outlines...well, I think that would work pretty well...

And make some have shadows...

And have each letter/number use a random font...and have like 50 different fonts to choose from...
EWT
Registered User
Posts: 18
Joined: Tue Jan 11, 2005 2:59 am

Re: New CAPTCHA

Post by EWT »

I have read some of the interesting posts and links on this subject and I have been interested because of problems I have been having on a board I'm involved in. One writer pointed out that a good captcha must be easy for humans to solve but hard for computer algorithms, and later suggested some sort of logic test which seems to have some merit. Another writer clearly pointed out that even the best captcha or logic test will not deter human trolls who only register to place pharmaceutical, gambling, and porn web addresses in their user profiles with no intention of ever posting. Some days, I have to delete as many as 10 or more new registrants.

The suggestion I have (in addition to the captcha/logic tests) is to add a feature in the board configuration which initially removes the areas in the UCP profile so that a new user would not be able to display their web site, email address, or signature block until: (1) a number of days have transpired (perhaps even a week), and (2) one or more posts have been made by the new user. This would deter if not eliminate a lot of the problems I am seeing. Furthermore, if you set up the user pruning to delete new users who haven't posted their first post within 1 week, then it would keep the board pretty free of most of the trolling and robotic spamming that I have been seeing.

I know this is in the category of a feature suggestion (which Olympus is and has been frozen for a while now) but if it's too late to incorporate something like this at this time, then perhaps a mod could appear soon after release.

E.
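
EWT's two rules (hide website, email and signature until a waiting period has passed and a post has been made; prune accounts that never post within a week) written out as an added example, not phpBB code or an existing mod. The user record layout, field names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta

PROFILE_DELAY = timedelta(days=7)   # (1) days that must pass before the fields appear
MIN_POSTS = 1                       # (2) posts required before the fields appear
PRUNE_AFTER = timedelta(days=7)     # zero-post accounts at least this old get pruned
GATED_FIELDS = ("website", "email", "signature")

def profile_unlocked(user, now):
    """Both conditions must hold: old enough AND has posted."""
    return (now - user["registered"] >= PROFILE_DELAY
            and user["posts"] >= MIN_POSTS)

def visible_fields(user, now):
    """Fields other visitors may see; gated ones are dropped until unlocked."""
    unlocked = profile_unlocked(user, now)
    return {k: v for k, v in user.items()
            if k not in GATED_FIELDS or unlocked}

def prune_candidates(users, now):
    """Names of accounts that registered, never posted, and have aged out."""
    return [u["name"] for u in users
            if u["posts"] == 0 and now - u["registered"] >= PRUNE_AFTER]

# Constructed sample accounts (not real users).
NOW = datetime(2006, 6, 15)
USERS = [
    {"name": "regular", "registered": datetime(2006, 6, 1), "posts": 3,
     "website": "http://blog.example", "signature": "hi"},
    {"name": "newcomer", "registered": datetime(2006, 6, 14), "posts": 1,
     "website": "http://home.example"},
    {"name": "spam_account", "registered": datetime(2006, 6, 1), "posts": 0,
     "website": "http://pills.example", "signature": "buy now"},
    {"name": "lurker", "registered": datetime(2006, 6, 12), "posts": 0},
]
```

The gate is applied when the profile is rendered, so a link saved by a spam account stays stored but is never shown before the account is pruned.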
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: New CAPTCHA

Post by EXreaction »

On the main page in the adminCP, it tells you what users have registered, but have not activated their account (if you have user account activation on)...and there is a user prune section that lets you remove users depending on certain variables. 8)