
While this is too simple (even the website admits that a bot could be written in virtually no time to break it), it does make me wonder if you could have a WarioWare CAPTCHA. A minigame with extremely vague description that you have to react to quickly to pass.

Thinking about it some more, it fails the primary criteria for a CAPTCHA: it needs to be harder to write the bot that cracks it than each test case, by at least a couple orders of magnitude. Otherwise bot makers will just create custom bots for each contingency. They have more time and funding than you do.




It mostly depends on what you are trying to protect with your CAPTCHA.

When I managed a small phpbb forum, all I had to do was to change a few lines in the register page to make it non-standard and it stopped all bots. Better than the built-in CAPTCHA. Simply, no one cared enough about our forum to write a specialized tool, no matter how easy it was.

If it is all you have to protect, go ahead with your clever ideas, it can add a bit of flair to your website and stop bots effectively. For accessibility, you can always deal with special requests manually.

The problem is entirely different if you are Google. People will spend months trying to break your CAPTCHA for fun and profit. Hand crafted problems will be solved faster than they can be written so "bot vs bot" is essentially your only option.


When I managed a purely Danish forum, I simply added a textbox and asked the user to write ‘æ’ in it. Never saw any spam after that.


I feel like you could have just asked them to type 'a'. If the threat was automated bots, all generic ones are defeated by a simple "do X" request. Especially if the request was in text, where a lazy human attacker could just copy paste.


One of our public facing systems I put up a silly "what is the capital of x country?" While we waited on some other stuff. I think it's still in production.

And to my knowledge no bot has gotten past it or even bothered.


That filters out all Americans as well.


American here. I've never heard of country X!

/s


we ask similar questions in my EMS (Paramedic) job to patients to determine if they're alert & oriented. Most providers ask name, year, location, president or something similar and many patients are used to being asked routine questions. I like to see if they can answer stuff like "Name a large city in Florida."

Human captcha. :)


Springfield! Never can be wrong with that name.


And to keep out all the Swedes and Germans...


They couldn't copy-paste 'æ'?


Again, it blocks people who are not going to tweak their bot specifically for YOUR forum.


I am on a forum with like 20 other posters and bots were stopped by the addition of a call/response field. Nobody who wanted to register would forget the classic response, but no bot was going to be able to answer it without some pretty specific Google-fu.


How does that work if you want to grow your hobby or group?

And if it’s something between friends why not use a private whatsapp group or IRC


Speaking for myself, it was a little bigger than 20 members (around 100). The thing is that we wanted to keep the forum open to everyone, at least for the public parts. That's why I went with invisible tweaks (mostly just renaming fields) instead of a challenge.

But I could have come up with a challenge that anyone interested in our forum would have known. We were a rhythm games club, so a question could have been "We organize a tournament for this game, in 3 letters". Anyone who heard of us would know it is DDR (it was our main event), and for those who didn't, all it took was a quick look at our website.

And even if it is just a hobby, you don't get the same thing from a forum compared to a WhatsApp or even a Facebook group. In fact, a few years after me and all the geeky admins left, they switched to Facebook, which completely killed the already dying online community.

Maybe nowadays we could use a Discord server, which does a bit more for a community than a WhatsApp group, and is more accessible than IRC, and saves history.

Another great thing about the forum is that I still have a backup from the time I still had admin rights, and I could bring it back to life on a private server with some friends, even though the club is now completely dead.

Memories are not lost, except for most of the external links (ImageShack...).


> Anyone who heard of us would know it is DDR

Heck, I've never heard of you lot but I immediately guessed DDR. Man I miss competing with randoms at the arcade in Brisbane city


My first thought would have been Osu or EBA (Elite Beat Agents), different type of rhythm game.


ITG is three letters as well though.


The ones I've seen are not difficult questions. I.e., if it was a forum for some TV series fandom, a question could be 'What is the main character's name?'


It's an offshoot forum of a video games guild subforum built from another larger forum. It's not going to grow (indeed, it is dying / dead at this point).

All things must pass and all that.


I can confirm that just a simple modification to the standard registration form keeps out all bot spammers. If your forum or bug tracker is small enough, that will eliminate all spam. The built-in spam countermeasures like CAPTCHA's seemed worthless from my experience.


Small enough being the operative word, since it only takes one person to write an OpenBullet config for that form.


This is the best comment, by far. Of course we can have lots of brainstorming about other fun captcha-ish constructions, but the key question is whether they satisfy their purpose, which is to filter machines out and only those.

In low scale settings, if it's a place almost nobody knows, then this works, but many approaches work like just asking "What is 1+1?". Scale is low, no bot writer will bother to adjust.

In high scale, high visibility, none of this works. The incentive to break your captcha is so high that you'd need to basically construct a reverse Turing test. You need to assume that the attacker is very powerful and very smart and will spend months custom tuning their solution to break your captcha. This is really hard and how to do it is the interesting discussion.

In summary, the setting matters. If it's the first one, we can debate toys all day long but they only have entertainment value. If it's the second then this is really hard and state of the art is to click pictures with traffic lights.


While I know this is a fun captcha, it does bring up a problem I'm having more and more with the web and mobile. There's no way my mom would ever be able to handle this captcha. Heck I didn't even get the 4 kills on the first one and I regularly play FPSes (I used a trackpad for this).


Have the CAPTCHA require properly constructing a nonlinear programming problem to solve an optimization problem, where the requirements are not expressed in terms of the NLP and the human has to design it.

Which would have the side effect of putting the bot makers to work on useful and hard problems to solve.


Good idea! To prove you are a human, mine three Bitcoin.


Spam and DoS prevention were actually the original purpose of Proof of Work. Hashcash, the first (I think) anti-spam PoW algorithm, was what Bitcoin's PoW algorithm was inspired by.


Why not something computationally expensive? Bcrypt this value 10000 times to continue


Ideally you'd have something that's hard for the client but easy for the server to verify, though. so maybe prime factoring?


Or, the server provides a random string of bits with length n and requires a string of bits with length n+m that starts with the provided n bits and whose SHA-1 hash begins with 20 zero bits.
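The Hashcash-style scheme sketched in this comment and the one above it, as an added example that is not code from the thread: the server issues a random prefix, the client appends a suffix until SHA-1 of the whole string starts with enough zero bits, and the server verifies with a single hash. The zero-bit count is a parameter here rather than the fixed 20 in the comment, so the cost per attempt can be tuned; `make_challenge`, `solve` and `verify` are names chosen for this example.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()  # zero bits before the first set bit
        break
    return count


def make_challenge(n_bytes: int = 16) -> bytes:
    """Server side: a fresh random prefix the client must keep verbatim."""
    return secrets.token_bytes(n_bytes)


def verify(prefix: bytes, solution: bytes, difficulty: int) -> bool:
    """Server side: one SHA-1 call, constant cost regardless of difficulty.

    The solution must extend the issued prefix (so it cannot be precomputed
    or replayed from another challenge) and its SHA-1 must start with at
    least `difficulty` zero bits.
    """
    if not solution.startswith(prefix) or len(solution) == len(prefix):
        return False
    return leading_zero_bits(hashlib.sha1(solution).digest()) >= difficulty


def solve(prefix: bytes, difficulty: int, max_tries: int = 1 << 28) -> bytes:
    """Client side: brute-force a counter suffix; expected cost is 2**difficulty hashes."""
    for counter in range(max_tries):
        candidate = prefix + counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha1(candidate).digest()) >= difficulty:
            return candidate
    raise RuntimeError("no solution within max_tries")


def expected_hashes(difficulty: int) -> int:
    """Average number of SHA-1 evaluations a submitter must spend per attempt."""
    return 1 << difficulty


if __name__ == "__main__":
    challenge = make_challenge()
    answer = solve(challenge, difficulty=16)
    print(verify(challenge, answer, 16), expected_hashes(20))  # True 1048576
```

Raising the difficulty by one bit doubles the client's average work while the server's verification cost stays at one hash, which is the asymmetry the comment above is asking for.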


What nonceness!


Imagine when a miner is used as Captcha and would only pass when a certain amount has been mined..


Spammers use botnets, so they have plenty of computation available


And if every site does this, they have plenty less. Imagine if you can only attempt your spam 20 times per second instead of 20000


The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser. But what if canvas was used instead?

> A minigame with extremely vague description that you have to react to quickly to pass.

I don't know how advanced current bots are at breaking captchas these days, but if you're using a canvas then they would have to use some kind of image/video processing and recognition and then also know the rules of the game. Just curious if using canvas would make things harder for bots. Maybe it's already been done, I have no idea.


I believe a simple JS browser extension or automation script could easily ask about every pixel in the canvas. For this case I suspect it would be very easy to iterate over each row of pixels looking for a few consecutive pixels that uniquely match the monster and then trigger a click on those coordinates.


Probably by grabbing a pixel of a monster and "clicking" on it. Pixel bots are as old as time. Learned about them playing RuneScape as a kid but never wanted to be banned. My friend made a few for fishing and woodcutting.


For traditional text captchas, bots are better than humans. Flow usually goes: pay humans to solve 50000 ($500), then train an ML model. For things like reCAPTCHA things get harder because it is not easy to proxy the captcha puzzles to have humans solve them (which is necessary to collect training data).


Why do you need to proxy anything? If you're just collecting training data, seems easy to record the interaction with a browser extension?


Because I want to pay people in the 3rd world to solve them for me. There are a bunch of services that take crypto or PayPal and solve captchas with humans. Using those systems requires you download the image, send to service, get response (proxy is not 100% accurate)


>just using html/css/js

I think a problem is if it's all client side it would be quite easy for hackers to muck about with. Now maybe if it sent the mouse movements and target positions to the server it would be possible to tell human movements apart in a way that was quite hard to crack?


> The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser.

I mean, if you're looking at it at that level, it's just giving a "didn't pass" callback. A bad actor could just ignore that, and not care about it.

Without some sort of server side verification of the result, it doesn't really matter how difficult it is to script through the game itself. Even some crazy hard game in canvas isn't any more difficult for a bot to script around, if the server doesn't have any way of knowing anyone actually jumped through the hoop.


Yeah, I was really surprised to see it was basic DOM. A canvas version wouldn't even be that hard to do. And yes, it would definitely be breakable, but at least not with a JavaScript one-liner.


The trouble with anything designed to prevent computers from understanding something, while allowing humans to understand it, is accessibility.


That's easy. Just partner with the CAPTCHA crackers and share revenue from your accessible users.


Minecraft is devilishly hard for reinforcement learning. You could have a captcha like "build a neat-looking fortress to prove you're human."


How do you validate whether the fortress was “neat-looking”?


You could train a classifier on all neat looking fortresses, then run outputs through the classifier. But you'd measure the cosine similarity to all previously-seen activations, and discard any that are too similar -- thus making sure that people need to come up with unique neat-looking fortresses.

Today's stupid ML idea has been brought to you by: Gabe Newell. Inspiring future ML devs since 1996. A word from our sponsor: https://www.youtube.com/watch?v=jpw2ebhTSKs&ab_channel=TheCh...


But then anyone else can do that and write a neat fortress generator trained to produce outputs that pass the neat fortress classifier.


This is a great patent esque idea. I thank you good sir, now to see if I can steal it as my own.

It also reminds me of only Konami able to have mini games in loading screens.


I believe that was Namco (as evidenced by the Ridge Racer PS1 loading screen).


Aha, yes, they own Pac Man.


I’ve seen this in the wild, or something like it. Your idea isn’t far away from it- https://www.jqueryscript.net/form/image-puzzle-slider-captch...


Commercial version https://www.geetest.com/en used on lots of crypto sites


Yeah, "I’ve seen this in the wild" undersells the prevalence. Geetest is used on a lot of big sites.


Perhaps you could generate the games/descriptions from parametric components.


Things that require quick reflexes are probably easier for a computer.


WarioWare games aren't twitch reflex games. They'll do something like show a bomb with a lit fuse on the screen and flash a single word like "blow" and you have to quickly maneuver the mouth of the character next to the fuse and press the button before it explodes. It's about comprehending the situation quickly; the actual action is extremely simple and low fidelity.



