* Moving the slider bit by bit and OCRing will solve 90% of the images I've seen.
* If the image selection is small you could just build a DB of all slider positions and just teach it how it is supposed to look once.
* It's not only easier for the users. It is also easier for captcha solvers in India, China, etc. This will improve their productivity immensely and free up their other hand.
I'm not sure what you're saying. Good OCR should recognize the text when it's distorted slightly, right? Which would yield false positives, no?
As much as I'd like to pick this apart, I think the slide captcha is actually pretty clever. We can nitpick implementation details all day, but most of those can be fixed. I wish I had thought of it.
About the OCR - what I meant is that most of their images had text, meaning I can OCR every step and if I get something with dictionary words I submit. It will work even if the OCR is very permissive (recognizes distorted text as you put it) because this implementation accepts not only the perfect straight solution but also "close enough"s.
More generally speaking - it's a very nice idea, but basically there are too few invalid answers to make it practical. You changed an open-ended question of a conventional captcha into a multiple choice.
This is Yet Another Complete Crap CAPTCHA. It isn't solving the problem of preventing real spammers from sending you real spam, it's solving the problem of looking enough like a CAPTCHA to think you're getting somewhere. Or in this case, selling you something.
Also, at least the spiral one I got is flat-out solvable; run "find edges", run a search for the characteristic slope relationship of the lines at various points in the images... would probably take a decent computer vision student about four hours, tops. That hardly even qualifies as trying.
Even ignoring that, there appear to be only 30 distinct positions on the slider. Random guessing will net you a 3% success rate with no smarts whatsoever.
It's relatively easy to make a captcha that stands up to existing bots when not widely deployed. For ages, I had a "captcha" on my blog that consisted of a single text field labeled, "Enter the word 'elbow'". The word didn't even change, it was hardcoded to "elbow". It kept spam away for years, because it wasn't worth anybody's time to fix their software to work with my little blog.
It really doesn't appear to me that much thought went into this thing as far as making it hard to automate solutions. Maybe I'm horribly wrong, but it looks like a gimmick, where they made something that looks hard to the naive due to being different.
Attacking your site, with minimal effort, would have yielded a 100% success rate. Attacking this site with a guess would have yielded a 3% rate. Some of the best captchas have been attacked with success rates in the high double digits: http://en.wikipedia.org/wiki/CAPTCHA#Computer_character_reco...
So 3% doesn't look too bad after all.
I do, by the way, agree with you that the vertical lines attack would work really well.
I really don't think I'm comparing apples and oranges. I'm simply noting that any novel captcha can look good when attackers can't be bothered to actually attack it.
From the site:
> minteye breaks through modern advertising blindness with active, engaging advertising products that can’t be ignored!
This could be fixed by applying a similar blur operation to the original, but I'm pretty sure something else could be found. The only advantage (security-wise) this would have over the OCR-CAPTCHA approach is its relative novelty - should this approach become popular, many new ways to beat it would come up, and we would be in an arms-race like with standard CAPTCHAs.
In reality you can probably remove the extreme values as it is unlikely to be 0-2 or 27-29, so you have a 1 in 24 chance. Those are pretty decent odds if you compare them to a regular 6 letter CAPTCHA where a random guess would have a 1 in 26^6 chance of being correct.
It's good to see some innovation in captchas but I don't see how this particular idea can overcome this hurdle.
For example:
- Distorted image: http://goo.gl/w2ykx (bad results, not human)
- Non-distorted image: http://goo.gl/R3WnQ This is the "perfect" choice and also returns a good amount of search results.
- Slightly distorted image: http://goo.gl/G0xQN This results in a "human" choice on the picker and picks up a fair number of search-results.
I imagine 15-20 searches per captcha, but if you just pick the best per set you're probably going to end up with adequate results in circumventing the system.
Although I think because outsourcing captcha to humans is so cheap, methods like this are not going to win in the long run.
I think a more sustainable strategy is to make it more and more expensive for those who want to solve captchas in large volumes.
Things like solving a cryptographic challenge using the computing power of your machine.
i.e. making it cheap/easy enough for legitimate users who may need to submit the form once a month but such that it becomes too expensive for those who want to exploit it and solve 100 of them in 5 minutes.
Just thinking out loud.
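
One way to build the cryptographic-challenge idea from the comment above is a hashcash-style proof of work, where the client pays about 2^bits hashes and the server checks with one. This is an added example, not code from the thread; the names (`issue`, `solve`, `verify`, `SERVER_KEY`, `TTL`) and the SHA-256 leading-zero-bits scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, never sent to clients
TTL = 120                    # assumed lifetime of a challenge, in seconds
_spent = set()               # redeemed challenges; a shared store with expiry in production

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue(bits, now=None):
    """Server: stateless challenge 'salt:bits:ts:tag'; the tag binds the difficulty."""
    ts = int(time.time() if now is None else now)
    body = f"{os.urandom(8).hex()}:{bits}:{ts}"
    return f"{body}:{_mac(body)}"

def zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    bits = int(challenge.split(":")[1])
    counter = 0
    while zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(challenge, counter, now=None):
    """Server: one MAC check and one hash, whatever the difficulty."""
    body, _, tag = challenge.rpartition(":")
    try:
        _salt, bits, ts = body.split(":")
        bits, ts = int(bits), int(ts)
    except ValueError:
        return False                      # malformed challenge
    if not hmac.compare_digest(_mac(body).encode(), tag.encode()):
        return False                      # forged, or difficulty lowered by the client
    now = time.time() if now is None else now
    if now - ts > TTL or challenge in _spent:
        return False                      # expired or already redeemed
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if zero_bits(digest) < bits:
        return False                      # not enough work
    _spent.add(challenge)
    return True
```

Each extra bit of difficulty doubles the client's expected work while the server's cost stays constant, so the difficulty can be raised for clients that submit many forms in a short window.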
I can't really work out how this works on a site? Is the idea that I use this type of CAPTCHA for 'human' sign ups, and at the same time, an advertiser gets a hit? Almost as in, to sign up, you need to see this ad?
Either way, it's interesting: I also like the secondary result of "you don't get free impressions". i.e. you only pay if they click or 'solve', but at the same time, they can't see the ad, remember the name and look for it elsewhere without essentially triggering the payment if that makes sense.
It also took me a while to realise that I had to drag the handle instead of just being able to click in the bar where I wanted it and slide from there, although this is presumably easy to fix.