What will happen when bots become so smart that they can feasibly solve ALL Captchas?

Discussion in 'Computer Science & Culture' started by garbonzo, Jul 17, 2013.

  1. Pincho_Paxton Banned Banned

    Messages:
    65
    Actually that looks easy. The edges all have straight lines. All you have to do is measure the straight line lengths for each RGB value. That will match up easier than letters. For example:

    Blue = 16 pixels, red = 6 pixels, blue = 12 pixels.

    Will then match another section

    Blue = 15 to 17 pixels, red = 5 to 7 pixels, blue = 11 to 13 pixels.

    You get a nice map every time of several results. I only showed 3 results per line. But in fact there are many results per line, so if you get 10 results per line it is almost impossible to make a mistake.
     
  3. schema Registered Member

    Messages:
    94
    You should try it. Most mouse (mice?) aren't sensitive enough. It truly is hard. It took me several tries.
    How would your program know which pieces go where? Point being, it would require very specific hardcoding. No amount of AI can solve riddles like that.
     
  5. Pincho_Paxton Banned Banned

    Messages:
    65
    I wouldn't use a mouse on its own, I would use the screen X/Y locations to steer the mouse origin. It would be automated. The matching colours like I described match X/Y locations on the screen. A mouse used this way is 100% accurate down to a single pixel.
     
  7. Cyperium I'm always me Valued Senior Member

    Messages:
    3,058
    Since the captchas take advantage of our human abilities and how they differ from the abilities that can be programmed, the programming will more and more resemble human abilities. Companies with much money could even develop neurological systems when they become cheaper so as to mimic human abilities. It is in the future of course, but we are constantly moving towards it.

    Self-learning neurological systems are being studied extensively and are not a mere reflection of the intelligence of the programmer, but are becoming more and more like an intelligence of their own.
     
  8. schema Registered Member

    Messages:
    94
    I certainly won't refute that. I am merely arguing semantics I suppose. I remember seeing something on one of the geek channels about a small robot (with limited functionality) being controlled by a mouse's brain (it was hardwired to the brain).

    I would like to see that type of development but I believe we are far off from it. Since the system has to exist inside of a mainframe of some sorts, the functionality of the AI and the depth of it is very much dependent on the processing power and capabilities of the languages the systems are structured in. That is why I say that AI is not intelligent unto itself.
     
  9. Pincho_Paxton Banned Banned

    Messages:
    65
    If they made the Captchas 3D rotations, it would be hard to crack them... probably.
     
  10. schema Registered Member

    Messages:
    94
    I personally haven't seen any but I wouldn't assume they don't exist or won't ever exist.
     
  11. garbonzo Registered Senior Member

    Messages:
    790
    This is what I was saying. The time will come. And all it takes is some cyber terrorist to cause mass destruction and chaos. The only way to defeat this may be to go to an international office to get your own secure identity for online purposes, much like a social security number.
     
  12. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Every time a government pulls the "New World Order, Everyone is assigned a number" statement, people in their fear-filled ignorance protest/riot. Just look at when the UK previously intended to roll out a National ID Schema, it was soon dumped, people feared that all this secretive information collection would be tied to their "number" and various companies and organisations might misuse it to make decisions without them.

    Although it doesn't mean they don't have secretive databases collecting data and it doesn't mean everyone lacks a "clerical" number assigned, if anything those things already exist, they really just wanted to see how much they could get away with at the time.
     
  13. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    If standard captcha is supported properly with "honey pots" the bot has no idea what to fill in and what not to. Nil field entry required means that if an entry is submitted it fails. [for example]
    Honey pots can be installed invisibly to the public but only visible to the bot.
    [eg: the required value for the field is null. If the entry has a value the form submission dies]

    The key, I think, is simply to realize that the bot cannot recognize a "null entry required" as it is purpose built to submit details not omit details. Especially if the input field is invisible to the public.
    One wonders how a bot would approach an image captcha that was blank... and how people would approach the same thing. [knowing that it is supposed to be blank]

    I set up a field once for experimental purposes that showed publicly the label:

    "Not for human input" [_______________]

    required*
    and never got a successful submission from any bot... [ according to the bot monitor ]
    or a deliberate robot entry required field:
    For web bots only:
    sum of 10 + 10 + 10 = [________________]
    [programmed cursor shut down to prevent accidental entry by a human]

    and require 190367.67834/3452++23#@$ as the answer
     
  14. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    I think a lot of this fear is fueled by the atrocities committed during WW2 when certain racial/ethnic groups were required to register and acquire a number only later to be used to round them up and "gas" them. If I am not mistaken abuse of identity registrars, is historically a huge issue.
    "It is not the government of the day that is the problem... it is the governments of tomorrow and the next day that may be"
     
  15. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    No-Mans Land: The Captcha Minefield

    Smart Programmers Versus "Stupid" Users

    I don't use the term stupid to undermine users, I'm actually referring to the reasoning "Stupid simple", in the sense for the majority of people they don't want to have to think, work or use any effort to achieve whatever goal it is they "desire". For instance when people complain about Captchas online, perhaps it's because they feel it's like an Aptitude test or Intelligence test and they feel slightly insulted, either because they aren't automatically assumed to be whoever they claim to be, or they are just insulted that they might actually fail a test designed to keep bots out. (Perhaps it's just about the fact that it's effort looking at an extra page and filling in information which could be as simple as pressing keys 1 through 4 or clicking a picture)

    As for the programmers, well there are two types, there are the ones trying to create more ingenious systems (not necessarily for malicious purposes) that don't just recognise the tests but pick the right answers and then there are programmers out there to thwart them. This battleground is where the average "stupid" user is caught in "No man's land".

    While a number of different methods are attempted to beat Captchas, developers attempting to thwart them don't keep to just one type of captcha, they can expand into areas that the AI developers are weakest at. This of course creates an AI developer counter attack where they renew focus on a new area of expertise and the battle continues to cycle with fronts changing but no real ground gained on either side.

    [A definitive point made about such "futility" with the classic film "Wargames" where an AI poised at making a misinformed choice of launching a nuclear attack is "taught" through the simple game of "noughts and crosses"(tic-tac-toe) that no matter which targets are picked the end game everyone loses since no more moves can be played (There is no decisive victor)]

    The main problem with development and implementation is that it's very much like a game of poker, there's a lot of "bluffing" with both players trying to keep what actual values they have a secret from one another. I know this from developing an Anti-bot system previously that included a Captcha but did not rely solely upon the Captcha as a means to distinguish Bots from Humans, I would state what methods were used however like I point out, "It's a secret".
     
  16. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    nods at Stryder.... yes it's a secret.

    The bots cannot employ "improvisation" and that is their key weakness as they are pre-programmed and not "now-programmed" as humans are. [ normally *?*]
    (limitations of AI -pre-programmed improvisations - where as humans can escape their conditioning while even sophisticated AI's generally can't )
    I recall the security field label of a particular site that was deliberately a cryptic puzzle [ a bit like "the missing symbol"] They wanted only certain types of members of a certain intellectual bias.
    Suffice to say the challenge was incredibly tough and not a bot in the world could work it out IMO. [And no, I couldn't register.. the cryptic puzzle was just way too hard.]
     
  17. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    The main problem with these techniques is you have to consider that you have one site aimed at testing "one user", versus the usage of parallel processed responses being used to build accurate response models for automation. This means in recent years bots have started to "cycle" various input to try and bruteforce response placement, if a site doesn't crumble straight away it gets flagged to have humans look at what is being done as a preventative measure and this is when most of the hidden fields and methods get caught.

    Variations that have been tried are things like depending on the session use the available "data field names in different positions than they normally are used", so "Password" becomes temporarily "Username" in the back end, obviously the Password isn't stored as a Username, it's just the naming convention causes entries to be placed in different positions. So for instance if an entry was "Country" but said "Gender", all bots entering Male or Female would be caught.

    It's possible to do coding like that, however if there is an error in the code it could effectively cause a "Sewerage issue" (unsanitised data handling)

    (Incidentally a number of bots online are actually run by certain clandestine groups/organisations that are on a government payroll to identify flaws/exploits within the network, fake and rogue sites etc.)
     
  18. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Yes it is only when the human perp has to visit the site to work out what methods are being used to thwart his bot's activities.
    So obviously if the bot's attempt was always successful [ to it ] but did no damage to the site then the site's methods would not be flagged...

    1] >>>>bot >>>> entry from bot valid >>>> form success >>>>delete data
    2] >>>>bot >>>> entry from human valid >>>> form success >>> retain data

    The key may be in being able to use the form to identify the bot or human aspect and then use the form's output differently...

    Set up so that as far as the bot is concerned regardless; Mission accomplished!
    How can a bot know that it has been identified as a bot?
    Set up flood protection...as well of course
     
  19. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    One point missed in both previous posts of mine was "The issues with Legacy".

    We can keep creating more and more ingenious ways to defeat bots, however we are still stuck with requiring legacy support for people that are visually impaired. This means that when support is included for them it can actually create a weak point for attack by bot creators.

    I had considered a method for blind people to train to use, however it basically turns a blind person into an Enigma coding machine. It requires a blind person to pair two auto Braille touchtexters (One per hand) to create an internal mnemonic imprint of a letter, word or syllable. The patterns relayed to each touchtexter would be incomplete forms (on their own or as a pair) which when paired together and using the blind person's own judgement (Their own mnemonic appraisal) creates recognisable outputs.

    Don't ask why I thought about this, I couldn't tell you, perhaps weather conditions, the type of coffee being drunk, whether the wind was in the right direction, who knows.
     
  20. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    I think that maybe you are thinking ahead a little because at some point in the future the user will have to be identifiable from his physical position and not his virtual one.... retina scanning, special dual hand coding etc may become the norm in 10 years or so.

    I tend to believe as we discuss this, that simply being able to identify the bot or human element is the first and foremost priority. Once identified the data can then be delegated or relegated accordingly.
    Installing a sort of "Bot filter" rather than a "spam filter" would be the idea.

    Identify the input>>>> Is it bot or human >>>> route data accordingly.

    Never let the bot know that it has been discovered as being a bot

    So the key for a bot safe output is in the identification [of bot or human] and NOT the blocking. [a long term solution rather than a "brute force blocking" short term one perhaps]
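
An added example, not part of the thread or any poster's own code: a server-side sketch of the honeypot field described in the posts above combined with the "identify, then route, never tell the bot" flow. The field name `website`, the `Store` class and the reply text are assumptions made for illustration, and the sample submissions are constructed.

```python
from dataclasses import dataclass, field

# Assumed field name (hypothetical). The input is hidden from humans with CSS
# and must come back empty, as in the "null entry required" idea above.
HONEYPOT_FIELD = "website"
REPLY = {"status": 200, "body": "Thanks, your message was received."}

@dataclass
class Store:
    retained: list = field(default_factory=list)     # treated as human
    quarantined: list = field(default_factory=list)  # kept only for the bot monitor

def classify(form: dict) -> str:
    """Return 'bot' when the honeypot is filled in or absent, else 'human'."""
    value = form.get(HONEYPOT_FIELD)
    # Assumption: a browser always submits a named text input, even when it
    # is empty, so a missing key means the form was not posted by the page.
    if value is None or str(value).strip() != "":
        return "bot"
    return "human"

def handle_submission(form: dict, store: Store) -> dict:
    """Route the data by verdict but answer both cases identically."""
    payload = {k: v for k, v in form.items() if k != HONEYPOT_FIELD}
    if classify(form) == "bot":
        store.quarantined.append(payload)
    else:
        store.retained.append(payload)
    return dict(REPLY)  # same status and body, so the verdict is not disclosed

def demo():
    """Run two constructed submissions through the handler."""
    store = Store()
    human = {"name": "Ann", "message": "Hello", HONEYPOT_FIELD: ""}
    bot = {"name": "x", "message": "buy now", HONEYPOT_FIELD: "http://spam.example"}
    return handle_submission(human, store), handle_submission(bot, store), store

if __name__ == "__main__":
    r_human, r_bot, store = demo()
    print(r_human == r_bot, len(store.retained), len(store.quarantined))
```

A CSS-hidden input can still be announced by screen readers and filled by browser autofill, so it needs to be hidden from assistive technology and excluded from autocomplete, which connects to the legacy-support concern raised in the thread. Flood protection remains a separate control, since this check does nothing to limit request volume.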
     
  21. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    I found the only way to fully protect the "back end" was to deliberately "corrupt" the index file placing it offline server side. Which is a bit of a pain because when you actually need to get into the back end you have to fix the index file first server side, [ extra 5 minutes if that]
    imagines a system called "Bot assassin" instead of "Spam assassin" [chuckle]
     
  22. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Fact is, if we were able to identify "bot or human" and divert output accordingly captcha type systems and security fields become redundant except to minimize DOS type floods and other less common issues...
     
  23. Stanley Registered Senior Member

    Messages:
    195
    Don't they have floating 2D images? You have to grab them, same as the puzzle type. Maybe another way would have a simple animation and have the user answer a simple question like what color did you see? Randomly generated colors, of course. Random generated time code and ask - Identify the object at 1:09. Is that an option?

    Isn't the key the randomness, images and now movement?
     
