While this is too simple (even the website admits that a bot could be written in virtually no time to break it), it does make me wonder if you could have a WarioWare CAPTCHA. A minigame with an extremely vague description that you have to react to quickly to pass.
Thinking about it some more, it fails the primary criterion for a CAPTCHA: it needs to be harder to write the bot that cracks it than each test case, by at least a couple of orders of magnitude. Otherwise bot makers will just create custom bots for each contingency. They have more time and funding than you do.
It mostly depends on what you are trying to protect with your CAPTCHA.
When I managed a small phpBB forum, all I had to do was change a few lines in the register page to make it non-standard and it stopped all bots. Better than the built-in CAPTCHA. Simply, no one cared enough about our forum to write a specialized tool, no matter how easy it was.
If it is all you have to protect, go ahead with your clever ideas, it can add a bit of flair to your website and stop bots effectively. For accessibility, you can always deal with special requests manually.
The problem is entirely different if you are Google. People will spend months trying to break your CAPTCHA for fun and profit. Hand crafted problems will be solved faster than they can be written so "bot vs bot" is essentially your only option.
I feel like you could have just asked them to type 'a'. If the threat was automated bots, all generic ones are defeated by a simple "do X" request. Especially if the request was in text, where a lazy human attacker could just copy paste.
One of our public facing systems I put up a silly "what is the capital of x country?" While we waited on some other stuff. I think it's still in production.
And to my knowledge no bot has gotten past it or even bothered.
We ask similar questions in my EMS (Paramedic) job to patients to determine if they're alert and oriented. Most providers ask name, year, location, president or something similar, and many patients are used to being asked routine questions. I like to see if they can answer stuff like "Name a large city in Florida."
I am on a forum with like 20 other posters and bots were stopped by the addition of a call/response field. Nobody who wanted to register would forget the classic response, but no bot was going to be able to answer it without some pretty specific Google-fu.
Speaking for myself, it was a little bigger than 20 members (around 100). The thing is that we wanted to keep the forum open to everyone, at least for the public parts. That's why I went with invisible tweaks (mostly just renaming fields) instead of a challenge.
But I could have come up with a challenge that anyone interested in our forum would have known. We were a rhythm games club, so a question could have been "We organize a tournament for this game, in 3 letters". Anyone who heard of us would know it is DDR (it was our main event), and for those who didn't, all it took was a quick look at our website.
And even if it is just a hobby, you don't get the same thing from a forum compared to a WhatsApp or even a Facebook group. In fact, a few years after all the geeky admins and I left, they switched to Facebook, which completely killed the already dying online community.
Maybe nowadays we could use a Discord server, which does a bit more for a community than a WhatsApp group, is more accessible than IRC, and saves history.
Another great thing about the forum is that I still have a backup from the time I still had admin rights, and I could bring it back to life on a private server with some friends, even though the club is now completely dead.
Memories are not lost, except for most of the external links (ImageShack...).
The ones I've seen are not difficult questions. E.g. if it was a forum for some TV series fandom, a question could be 'What is the main character's name?'
It's an offshoot forum of a video games guild subforum built from another larger forum. It's not going to grow (indeed, it is dying / dead at this point).
I can confirm that just a simple modification to the standard registration form keeps out all bot spammers. If your forum or bug tracker is small enough, that will eliminate all spam. The built-in spam countermeasures like CAPTCHAs seemed worthless from my experience.
This is the best comment, by far. Of course we can have lots of brainstorming about other fun captcha-ish constructions, but the key question is whether they satisfy their purpose, which is to filter machines out and only those.
In low-scale settings, if it's a place almost nobody knows, then this works, but many approaches work, like just asking "What is 1+1?". Scale is low, no bot writer will bother to adjust.
In high-scale, high-visibility settings, none of this works. The incentive to break your captcha is so high that you'd need to basically construct a reverse Turing test. You need to assume that the attacker is very powerful and very smart and will spend months custom tuning their solution to break your captcha. This is really hard and how to do it is the interesting discussion.
In summary, the setting matters. If it's the first one, we can debate toys all day long but they only have entertainment value. If it's the second, then this is really hard and the state of the art is to click pictures with traffic lights.
While I know this is a fun captcha, it does bring up a problem I'm having more and more with the web and mobile. There's no way my mom would ever be able to handle this captcha. Heck I didn't even get the 4 kills on the first one and I regularly play FPSes (I used a trackpad for this).
Have the CAPTCHA require properly constructing a nonlinear programming problem to solve an optimization problem, where the requirements are not expressed in terms of the NLP and the human has to design it.
Which would have the side effect of putting the bot makers to work on useful and hard problems to solve.
Spam and DoS prevention were actually the original purpose of Proof of Work. Hashcash, the first (I think) anti-spam PoW algorithm, was what Bitcoin's PoW algorithm was inspired by.
Or, the server provides a random string of bits with length n and requires a string of bits with length n+m that starts with the provided n bits and whose SHA-1 hash begins with 20 zero bits.
The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser. But what if canvas was used instead?
> A minigame with extremely vague description that you have to react to quickly to pass.
I don't know how advanced current bots are at breaking captchas these days, but if you're using a canvas then they would have to use some kind of image/video processing and recognition and then also know the rules of the game. Just curious if using canvas would make things harder for bots. Maybe it's already been done, I have no idea.
I believe a simple JS browser extension or automation script could easily ask about every pixel in the canvas. For this case I suspect it would be very easy to iterate over each row of pixels looking for a few consecutive pixels that uniquely match the monster and then trigger a click on those coordinates.
Probably by grabbing a pixel of a monster and "clicking" on it. Pixel bots are as old as time. Learned about them playing RuneScape as a kid but never wanted to be banned. My friend made a few for fishing and woodcutting.
For traditional text captchas, bots are better than humans. The flow usually goes: pay humans to solve 50000 ($500), then train an ML model. For things like reCAPTCHA things get harder because it is not easy to proxy the captcha puzzles to have humans solve them (which is necessary to collect training data).
Because I want to pay people in the 3rd world to solve them for me. There are a bunch of services that take crypto or PayPal and solve captchas with humans. Using those systems requires you download the image, send to service, get response (proxy is not 100% accurate)
I think a problem is that if it's all client side it would be quite easy for hackers to muck about with. Now maybe if it sent the mouse movements and target positions to the server it would be possible to tell human movements apart in a way that was quite hard to crack?
> The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser.
I mean, if you're looking at it at that level, it's just giving a "didn't pass" callback. A bad actor could just ignore that, and not care about it.
Without some sort of server side verification of the result, it doesn't really matter how difficult it is to script through the game itself. Even some crazy hard game in canvas isn't any more difficult for a bot to script around, if the server doesn't have any way of knowing anyone actually jumped through the hoop.
Yeah, I was really surprised to see it was basic DOM. Canvas version wouldn't even be that hard to do. And yes, it would definitely be breakable, but at least not with a javascript onliner.
You could train a classifier on all neat looking fortresses, then run outputs through the classifier. But you'd measure the cosine similarity to all previously-seen activations, and discard any that are too similar -- thus making sure that people need to come up with unique neat-looking fortresses.
WarioWare games aren't twitch reflex games. They'll do something like show a bomb with a lit fuse on the screen and flash a single word like "blow" and you have to quickly maneuver the mouth of the character next to the fuse and press the button before it explodes. It's about comprehending the situation quickly; the actual action is extremely simple and low fidelity.
The only criticism I have, is that your timer is too fast.
I can listen to their demands and negotiate a peaceful, mutually beneficial resolution. After that we can establish a framework to resolve hostilities. But when I want to talk about free trade and opening borders to exchange goods... the timer runs out.
“[In a shooting range, confronted with numerous menacing-looking targets, Edwards shoots a cardboard little girl]
Zed: May I ask why you felt little Tiffany deserved to die?
James Edwards: Well, she was the only one that actually seemed dangerous at the time, sir.
Zed: How'd you come to that conclusion?
James Edwards: Well, first I was gonna pop this guy hanging from the street light, and I realized, y'know, he's just working out. I mean, how would I feel if somebody come runnin' in the gym and bust me in my ass while I'm on the treadmill? Then I saw this snarling beast guy, and I noticed he had a tissue in his hand, and I'm realizing, y'know, he's not snarling, he's sneezing. Y'know, ain't no real threat there. Then I saw little Tiffany. I'm thinking, y'know, eight-year-old white girl, middle of the ghetto, bunch of monsters, this time of night with quantum physics books? She about to start some shit, Zed. She's about eight years old, those books are WAY too advanced for her. If you ask me, I'd say she's up to something. And to be honest, I'd appreciate it if you eased up off my back about it.”
Source: IMDB
Let the proof of P != NP be A, where A is a proof expressible as a finite bitfield. The proof requires induction over an infinite sequence of proofs. But there is no mechanical way to move from the nth to the "n+1"th proof. Plus, "Galois", Gödel, Riemann and other intimidating names. QED.
I know it's a bit of fun and kind of a joke.... but, makes me wonder:
What will happen some day when solvers and bots get so smart and human-like (and the CAPTCHAs evolving to keep up, with harder and harder tests) that the technology "have nots" human beings of our world will not even be able to prove they're human any more?
Maybe the tests will move from requiring some precise correct answer to instead requiring randomness that machines can't yet generate. It would be similar to the captcha that asks you to click inside a box and analysis not the answer but how you do it.
Headshots in Doom 1, the game that had auto-aiming and no ability to look up originally? Also, fully 3D might make it slower to load in case somebody actually wanted to use this for real. I played a WebGL Doom clone once that lagged like crazy.
Doom/II/Heretic/Hexen were 2.5D. That makes it easier to run on a 386 with fixed-point math, BSPs, and efficient z-buffers without busting out single-precision quaternions and 4x4 transformation matrixes. :)
Interestingly, Rise of the Triad, based on a modified Wolfenstein engine, is semi-3D with elevation changing.
Auto-aiming in the vertical axis only, IIRC it shot randomly all over the enemy. Enemies only had so many angle sprites IIRC and weren't really 3D.
There's a much better treatment of the Doom engine in Michael Abrash's writings, esp. Graphics Programming Black Book Special Edition. Trivia: his assistant once mailed me a replacement CD-R of the CD I lost from the paperback edition. I lose everything. Hehe.
Do you remember the Quake 3 hitbox (it was only one for all models), especially after a jump pad? Quake Live fixed most of these issues but back then things were pretty bad. Still way ahead of everyone else but yeah... it wasn't perfect.
What this highlights is that CAPTCHAs/Security can be fun and not a never ending drag. Yes, this one is easy to break, even the author says so, but it's a fun concept. I hope this spurs a bunch of new thinking on what security can be. Miguel, GREAT JOB!
Interesting. Fundamentally, I believe CAPTCHA, and attempting to distinguish humans from computers is pointless. I think it's better just accept it and design applications accordingly.
Avoiding DDoSability of your app (removing bottlenecks, scaling up replicas, implementing rate-limiting, etc). There are probably some rare cases where captcha is useful, though. For example some account creations where you wish to have more human accounts created, especially if you need to later manually approve them by humans (verifying documents, etc) and don't want to deal with thousands of cat photos instead of passport scans.
A reputation system that grew from captcha and was eventually self-referencing, so high-rep IPs could vouch for other unknowns. Assumes most people's IPs remain static though.
I realise parent commenter was probably talking about identifying upfront.
Just took a break from playing Doom Eternal to find this, it's so cute! The simple embed is a great idea too, I hope as the internet starts to decentralize we'll see more fun things like this floating around.
Doesn't work on my old ipad. Or I don't know the magic gesture controls to make it happen. I'm not a robot, I think. But keyboard-only input systems are not obvious to me from an ipad.
This is fun but quite literally the opposite of what a captcha should be. I bet a bot will be able to solve this far easier than my grandma ever could.
Am I the only one that has a problem with audio that defaults to maximum volume? Amazon does this too. But I keep my default to a volume that lets me crank up soft stuff enough to be audible. For pages like this, the sound just about makes my ears bleed before I can mute it.
Firefox already displays a small speaker icon on each tab playing audio that can be used to mute it. A nice addon could display also a volume slider when hovering above it with the mouse, therefore allowing volume control.
I don't, the "volume" adjusters on websites are all ... fake?
There are several layers of volume control but the last one at the system level is the only real one (ok, maybe one more level on a physical speaker amp if you have it).
Application levels can only cut dynamic range by adjusting volume. I would expect the default level to be full; if I want something quieter I'll turn down the system loudness.
The nominal loudness of a sound is sometimes inconsistent but that is at the sound mastering level, not the application level.
I get annoyed when sites don't have things at their maximum volume, and I keep all my applications at the max too, unless I need to mute one. The master volume is the only thing I touch regularly.
This but with video games. 90% of them default to every volume being set to 100%. They're always so damn loud, I usually use the Windows Volume Mixer to set the process to 50%, then go in and tweak individual stuff in game.
I'm not sure how I'd cope without a volume knob right there on my desk. Having to tab out and adjust the OS audio sliders would drive me mad pretty fast.
It's almost my prime reason for having an external DAC.
If you are on desktop, when clicking the "I am human" checkbox, hold your mouse down for a few seconds, and move it around just a touch for good measure, before letting go. This is usually enough to convince the system you are human and it skips the image hunt.
Look if the site has an option to use the noscript recaptcha (you might be able to force it to appear by blocking scripts). That one's much easier: as long as you get it right it lets you through, and you always have to select three squares (none of that "keep clicking until there's no more matching" garbage).
The first set is all you really need. Answering the second set (if presented) with completely wrong answers will usually cause you to pass. Wild guess -- perhaps ReCAPTCHA is checking for mouse movement and other behavioural heuristics after the initial test.
Have you encountered the CAPTCHA from this monstrosity of a company called Arkose Labs? I don't get angry but I was trying to redeem gift cards for an elderly relative and I was shouting and gave up.
Not sure if I am allowed to paste links but search for "arkose labs reddit" or just the name of this company on Twitter. Or search "arkose labs san francisco" on Google and just read the reviews.
That CAPTCHA on Epic Games Store is hell. Worst part being you have to do it all over again if you fail even once and that one is enough for me to not login.
Easily the worst captcha there is, it makes you do the captcha 10 times (it says 10 to go after you do the first one) and if you get one wrong it doesn't tell you until the end after you've done them all, in which case you have to repeat it.
You can click whatever you want. Every captcha I’ve done in the last year says I missed something, then lets me pass. If I just click on trees and rocks, same thing, it lets me past. I think all they are doing is deeply fingerprinting you and the image matches are a red herring
The music is terrible - (gives me 90's website MIDI audio PTSD :P) - but it's a cute idea.
Would this actually be an effective CAPTCHA? E.G. Security-wise?
Also, speaking of 90's-internet PTSD, I actually almost mistook this for a spam banner ad knowing already what I went into. Wayyy too many of those 'punch the monkey' or 'shoot the duck' animated banner ads that didn't even care where you shot. :P
GUS Extreme, MT32, and SB16 Pro (or AWE64 Gold) with a Wave Blaster I or II, and you're set for the basic flavors of MIDI. Maybe an Ad Lib for extra vintageness and a Turtle Beach Multisound Pinnacle too.
Guys, I didn't mean the music itself was terrible, I meant the fact that music was included to be auto-on to start in web content produced post-2002...
I would have personally put the audio as off by default, with the little icon to set it to on. :)
I am fully aware what the DOOM soundtrack sounds like and my complaint is that there is audio at all, especially on by default, and that it reminds me of those awful websites from the 90's that did this.
I get your point - it was way too loud initially and would quickly get annoying after the second or third time if it was being used as an actual captcha.
That said, the music is what really sold it for me. How better to perfectly highlight the absurdity of proving your humanity by going on a virtual demon-slaying spree than dropping you right in the middle of a retro 90s metal cacophony!
Here I'm just clicking the entire row of pixels four times.
Even if you fixed that (perhaps misses could trigger a failure), then you still need to create a problem that's hard for a computer to solve .. finding the monster seems pretty straightforward.
The music is fantastic and classic, but there are modern remixes with actual guitar that are even better. Doom 1 and 2 both have full soundtrack remakes that fans made (possibly by the Dusk fellow?).