If you want to post on 4chan and don't have a Pass, you need to solve a captcha for every single post. It becomes easier with practice, I fail maybe 1 in 10 captchas. And the more captchas you solve correctly, the easier the captchas for your IP get.
Mankind will probably hate me, but I'm the kind of person who answers the control word correctly and writes an incorrect but similar word for the unknown one.
This is my way to protest against recaptcha.
rnmnthwu cntnfru
Sure, maybe sometimes you get a weird one and fail it. But typically the next challenge is easy to pass. Seems the author cherry-picked some of the worst reCaptcha examples for the article, but wrote it in a way that made it seem they were presented back-to-back.
Besides this -- the article makes no attempt to offer a better solution.
Captchas are really the best way we have right now to "prove" someone is not a bot. Hidden form fields, etc., don't work and are easily spoofed. Sure, captchas can be beaten by bots sometimes -- but I trust Google's scale/volume with ReCaptcha to handle that for me (for the most part).
Captchas are not going anywhere anytime soon.
That's completely irrelevant. Criticism is not about solving the problem. It's about pointing out that the current solution is inadequate.
Most movie critics never wrote, directed, or acted in movies. It doesn't invalidate their criticism.
In fact, your criticism of the other poster's criticism doesn't offer a better solution than criticism either. You simply criticize that post. (And that's OK, if ironic.)
It's turning into the new version of "3rd world outsourced phone support". A strong indicator the user simply doesn't care about the customer experience.
For some industries / companies, this is perfectly OK and BAU. For others it can be a company-killer.
I see a captcha and I know the company doesn't like me, doesn't like what I'm doing, and doesn't care if I know how they feel about me. And for some situations that's perfectly OK. Certainly not all.
Which is truly unfortunate, as they're a fucking abomination, an embarrassment to the IT industry in general.
Try solving these actual examples:
https://i.groupme.com/311x122.png.48e978e0def70131a42422000b...
https://i.groupme.com/495x276.png.4da125f0def70131a42422000b...
You're probably right. But the fact remains that captchas aren't good enough. They can be partially automated; blackhats can use captcha solving farms which will be at least as accurate as the average human (probably more accurate, I imagine).
A better solution might employ heuristics similar to DDoS mitigation techniques. I really don't know, but there is a need for something better here.
That might be the problem right here. Try browsing with Tor or passing through an anonymizing proxy. The more you solve correctly, the easier they get. The more unknown you are, the harder.
I personally experienced this and can't wait.
http://googleonlinesecurity.blogspot.com/2013/10/recaptcha-j...
The Yahoo captcha used rotating, bouncing letters on a scrolling background of more letters - ridiculous. Microsoft's was just a typical smeared mess, but no easier to actually solve.
I think I failed each at least 3 times.
It's not just difficult captchas, but use of them everywhere. The site my university recommends for ordering textbooks starts inserting captchas if one searches more often than perhaps twice within a minute. Another I can't recall the details of requires a captcha solve to make any sort of profile change despite being previously authenticated.
ReCaptcha only requires one (1) out of two (2) words to be correct in the challenge.
It presents one known-by-the-system-word, and one not-known word. If you get the known word correct (the easier of the two to read) then it passes the challenge.
ReCaptcha then pools the answers for the second not-known word and after pooling thousands (or more) responses, then that word becomes "known" based on the average answers (and then that word is "digitized" and used by Google Maps, or ebooks, etc).
~~~~
And for those wondering, I find it easiest to read captchas by just looking at the letters by shape.
Going down the list in the article:
onightsl secretary.
. phaRega
o ndaaar
proximity rsgrrem
and khseeke
. azedcg
elearsal 5
ination amesye
se ebtyR
Reomi now
ivestshm nwre
Again, it's important to note, you only have to get one of the two words correct to pass the challenge. So.. probably 99% of the above list would pass.
Edit in response to your edits
You've deleted your previous edit. Still, even with your current edit it is clear you are not actually reading the article. You say:
Again, it's important to note, you only have to get one of the two words correct to pass the challenge. So.. probably 99% of the above list would pass.
However, the author of the article explicitly states that he did this:
I decided to just guess the first word and hope “secretary” was the control. It wasn’t.
So the author correctly identified one of the two words (and makes the same identification as you did), but was still rejected because it was not the control word.
You obviously don't have an accurate understanding of ReCaptcha implementation, and you apparently are not reading the article with comprehension, despite claiming several times that you have.
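The control/unknown scheme argued over in the comments above, as a simplified model. This is an added example, not part of the thread and not reCAPTCHA's actual code; the vote thresholds, class and function names, and the sample submissions are assumptions made for illustration.

```python
from collections import Counter

class TwoWordChallenge:
    """Simplified model of the control/unknown scheme described in the thread."""
    MIN_VOTES = 5        # assumed: votes needed before a reading is accepted
    MIN_AGREEMENT = 0.8  # assumed: share of votes the top reading must hold

    def __init__(self, control_answer):
        self.control_answer = control_answer
        self.votes = Counter()  # pooled readings of the unknown word

    def submit(self, control_guess, unknown_guess):
        """Pass or fail on the control word only; pool the other answer."""
        if control_guess.strip().lower() != self.control_answer:
            # The unknown word cannot be checked, so a correct reading of it
            # does not help, and the untrusted reading is not pooled.
            return False
        self.votes[unknown_guess.strip().lower()] += 1
        return True

    def promoted_word(self):
        """Return the consensus reading once enough solvers agree, else None."""
        total = sum(self.votes.values())
        if total < self.MIN_VOTES:
            return None
        word, count = self.votes.most_common(1)[0]
        return word if count / total >= self.MIN_AGREEMENT else None

def demo():
    # Constructed data: "onightsl" stands in for the control word.
    ch = TwoWordChallenge(control_answer="onightsl")
    results = [ch.submit("onighisl", "secretary")]        # right word, wrong control
    results += [ch.submit("onightsl", "secretary") for _ in range(5)]
    results.append(ch.submit("onightsl", "secretery"))    # one dissenting reading
    return results, ch.promoted_word(), dict(ch.votes)

if __name__ == "__main__":
    print(demo())
```

The first submission fails even though "secretary" is read correctly, which is the case the article's author hit; the single dissenting reading is outvoted by the pool.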
From the article, in the context of ReCaptcha, it seems like Google has stabbed itself in the face with the sword of data.
Google may think the data is telling it something, but what it's really managing to do is irritate legions of humans with terrible (borderline hostile in this case) UI/UX.
Met a couple people who work at the company (I'm in Detroit and think that's where it is based) at some startup events a couple years ago. That's how I found out about it.
Out of curiosity, I went and opened the demo page (https://www.google.com/recaptcha/demo/ajax) in a new incognito window and timed myself. I can do about 8/minute at maybe 90% accuracy.
Captchas are only a problem if you compulsively refresh in hopes of getting something clear.
You're ignoring people with visual impairment or cognitive impairments.
I think any site that uses reCAPTCHA must not have any regular vision impaired users.
https://www.youtube.com/watch?v=HhFLC8ZZQeM https://www.youtube.com/watch?v=KNVcIogEXOo
find accessibility: https://www.google.com/recaptcha/intro/index.html
z̤͍̩͓̲̤̗̳̤̼̪̺̦̤̹̻͓̲̏̉ͥ̂͗̆̉͒͑͒ͬ͆̂́̀̚͘a̴̴̘̥̻̗̰͋̌ͨͧ̒̃̾́̒͑ͣ͜l̎ͤ̎͗̿̚͞҉̵̧̤̻̰͎͉̯͙͕̰̣̻̬͚͖͢ͅģ̏́̓̿̇͌ͥͬ̈ͭ͂͏̥̯̠̯͚͙̞͇̲̫̲̭͔̝͈̗o̴̐͒̂ͯ̐ͧͣͬ̒̈́̀͏̧̝̤̦̭̙̳̣̹͕͚͍͝ͅ
while yours is
rlyeh ryights
And generally it is a very bad idea to choose the most popular service among the alternatives, as by doing so you are contributing to the centralization and monopolization of the Internet.
Think of it in a Bayesian sense.
If 10% of anonymous users end up being bots (the prior), and the "hard" recaptcha has a 1% false-negative (incorrectly identifying someone as a human) rate, then of the anonymous users who succeed in getting past the recaptcha, .1% will be bots (the posterior).
But if 1% of sign-in users are bots (probably less than that), you only need a recaptcha with a 10% false-negative rate to achieve the same bot throughput limit. And, those users are less frustrated.
Also, '“Onightsl”? “Onighisl”? Are those even words?' No, my understanding is that dictionary words are never used as the control, so as not to be vulnerable to dictionary attacks.
Edit: I'm not suggesting that these captchas are in any way good; they do clearly have issues. I'm just saying that storyline in the blog post seems contrived. To me it would be more convincing if presented in a more genuine manner. However, perhaps he was simply very unlucky.
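The Bayesian comparison from the comment above, worked through with Bayes' rule. This is an added example, not part of the thread; the function names are made up here, "bot pass rate" is what the comment calls the false-negative rate, and the human pass rate is an assumption the comment does not state (1.0 means every human passes).

```python
def bot_share_after_captcha(prior_bot, bot_pass_rate, human_pass_rate=1.0):
    """P(bot | passed the captcha) by Bayes' rule."""
    bots = prior_bot * bot_pass_rate
    humans = (1.0 - prior_bot) * human_pass_rate
    return bots / (bots + humans)

def max_bot_pass_rate(prior_bot, target_share, human_pass_rate=1.0):
    """Largest bot pass rate that keeps P(bot | passed) <= target_share.

    Solves target = p*b / (p*b + h) for b, where p is the prior bot share
    and h is the share of all users who are humans that pass.
    """
    humans = (1.0 - prior_bot) * human_pass_rate
    return target_share * humans / (prior_bot * (1.0 - target_share))

def compare():
    # Figures from the comment: anonymous users 10% bots with a 1% bot pass
    # rate; signed-in users 1% bots with a 10% bot pass rate.
    anon = bot_share_after_captcha(0.10, 0.01)
    signed_in = bot_share_after_captcha(0.01, 0.10)
    # Assumed: the hard captcha also rejects 10% of legitimate humans.
    anon_frustrated = bot_share_after_captcha(0.10, 0.01, human_pass_rate=0.9)
    # How lenient the signed-in captcha may be to match the anonymous result.
    allowed = max_bot_pass_rate(0.01, anon)
    return {"anon": anon, "signed_in": signed_in,
            "anon_frustrated": anon_frustrated, "allowed": allowed}

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4%}")
```

Both populations end up near 0.1% bots among users who pass, and rejecting real humans with a harder captcha raises the bot share among those who get through.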
There you are, talking on and on and on about some tiny unimportant but extremely specific implementation detail no one should ever have to care about. People shouldn’t have to read a manual about the inner workings of this captcha implementation (and have some experience with what types of text computer vision is good and bad at recognising!) to have any chance solving it.
In this case the author clearly had no idea how that control/unknown system works in detail (it seems like they, just like me, only know that you do not have to recognise both, but they didn’t really understand the reason for that – nor should they have to) but that doesn’t really matter for their argument even a tiny bit.
For me at least, the point would have come across better if that (seemingly) false ignorance were dropped. (Either that, or frame it in terms of, "Here's what an average user sees when they try to log in," or something along those lines.)
Except for some untrusted websites / users who can get really difficult captchas sometimes: https://i.imgur.com/6pAatnC.png
The whole thing is a technology arms race. The best solution would be one where you simply verify fixed private information. We use captchas for verifying a human being is not a bot, right? And we do that because we assume the user is anonymous for a short time.
Instead we could simply provide a secured authentication gateway where one could provide private information that is linked to a human identity. That way it can't be abused unless they have an unlimited supply of stolen identities. Even better would be if everyone signed up for a TOTP service provider and used their token generator and service-account to prove their human-ness without needing to put in sensitive information. But that's probably too much work.
I know what you're trying to say here, but consider today's xkcd[0] as a counter-point. I think "most people" are quite capable of solving a lot of puzzles. The issue is that any puzzle that we can solve in a reasonable timeframe is often a good target for a computer-generated solution as well.
Can't remember where I saw it. Anyone know?
Edit: From checking the source, it looks like they're using NuCaptcha (http://www.nucaptcha.com/). Looks like O2, Groupon, and StumbleUpon are also NuCaptcha customers. You can see examples on this page: http://nucaptcha.com/features/security-features
Yesterday I had to go through a moving captcha when trying to log into flickr. I got redirected to the yahoo login webpage where I copied and pasted that 20 something random characters yahoo had me working on for a cumulative time of an hour (I had to tweak pwgen to get some reaaally random stuff and yet see yahoo rejecting it because "too easy" and then wait for an hour or two before I could try again).
Then they had me confirm I was not a bot by asking me to type the moving letters in a captcha.
Basically I have to fill in the number and then guess whether it was the first or second set of characters and fill out bogus before or after the number and hope I got it right. The numbers weren't even hard for a computer to read. The only thing it does is waste everyone's time.
It was for a contact form on a vendor's website. Ended up going with another vendor who had an identical product.
Seems to be doable. The user pays 1 usd/month and gets 100 credits. The extension author can outsource the solving to http://antigate.com/ and get the answer in 15 seconds.
If someone could use [something like this](https://github.com/mekarpeles/captcha-decoder) to make an extension it would be great.
If it's those, I guess Google uses recaptcha to get data for streetview.
I think we really, really need a replacement solution for them that works as reliably vs. bots.
Scroll to the bottom.
Time to switch to next, harder, AI problems as captchas :)
Although...maybe you could outsource the question and answering to Mechanical Turk. Turn the whole thing on its head. Have a real person write a question to try to trick the bot into revealing its botness, have the real human grade the answer.
Attacker can choose the frame that's easiest to attack and they can segment better with help of motion vectors and differences between frames.
Then we just hope that the spammers create a perfect solver again :)
This is why visual recognition is just one of the signals you need to use to tell humans and computers apart http://googleonlinesecurity.blogspot.com/2014/04/street-view...
Pretty neatly conveys the feelings on this topic.
They are getting ridiculous.
One simple way for minimizing junk going through automated submits. Idea without using recaptcha at all: http://ademsha.com/notes/simple-proposal-to-stop-spam-going-...
It works only with JS enabled and uses randomization in order to stop bots learning how to avoid it.
I don't even get the point of it since you can get past them by just hiring people off like at http://antigate.com/ for as little as 70c per 1000 captchas.
Also a couple of examples http://alicious.com/hard-recaptcha-huh/.
But point taken.
A simple solution is Google Authenticator (or similar systems).
The only problem is a system for all kind of users and equipment.