Areyouhuman: A Great Capcha Alternative (areyouahuman.com)
42 points by jsherry on June 1, 2012 | 38 comments



One of the main points of reCAPTCHA is to help digitize books, newspapers and old time radio shows. Every time you use reCAPTCHA, you're helping in this effort. I agree this is a nice alternative if it works for people not using reCAPTCHA but it'd be nice if more people would also use reCAPTCHA on their sites. Yes, it's free.

http://www.google.com/recaptcha/learnmore

http://www.google.com/recaptcha/whyrecaptcha


I agree that reCAPTCHA's mission is a noble one. That being said, it is REALLY annoying sometimes. I think even solutions that contribute to a noble cause will fall to easier and more intuitive ones (if they exist of course). Not that I necessarily think this is the answer, but a step in the right direction.


I'm not sure I can agree it's 'noble'. Are the resulting digitisations going to be free to access for everyone? Is the OCR algorithm that I am helping to create? No.

While it may use your time to 'do something useful' - which is nice, that something is also to Google's competitive advantage - so it's really more good business sense than noble (to me at least)....


Yes, the resulting digitizations are free to everyone, they are old newspapers like old NYT issues and books whose copyright has expired and are now in the public domain. How do you think you are able to search for so many old books pre-digital age on Google Books and read digital versions of old NYT news articles?


If this is true, why don't they say it on their website? Why is there no link to the material created?

The only digitised versions of the NYT articles I can find on the web are on the NYT website, and you have to pay for them (at least, if you want the first paragraph)...

Can you provide me with some proof of what you say (links to free versions of the NYT for example)? Because I'm afraid I'm having a hard time believing it.


This may not be such a great alternative — it allows far too many attempts, which makes it susceptible to cracking. (A video showing this being beaten by a bot [1] was posted on HN [2] last week.)

[1] http://spamtech.co.uk/software/cracking-the-areyouhuman-capt...

[2] http://news.ycombinator.com/item?id=4025791


This won't work. The puzzle possibilities are limited.

This is about as effective as asking a random question, it stops bots because they don't know how to deal with it. It wouldn't have a chance against a targeted spam campaign/attack.

It's cute though.


I assume you're saying a targeted campaign/attack would be effective because a human could train the bot to recognize the "right" items in the game.

I believe you're underestimating the concept. The current implementation is a simple game that asks a human about domain-specific knowledge. Here are the areas a generalized bot would need to succeed at:

1. Broad domain-specific knowledge base (at least as hard as IBM Watson on Jeopardy)

2. Image-to-text transformations of low-res images, with a very short time limit

3. The ability to adapt to the "rules of the game" at random

The current setup is limited, true, because the degrees of freedom haven't been fleshed out. I do think that's a fair criticism of this approach: the system needs a _much_ larger database covering different game engines, different knowledge domains, different assets (audio, images, videos), etc.

The other weakness I see (do you agree?) is that the game runs in client-side javascript. It should be fairly easy right now to attack the client-server interactions. I assume it's not just a "yes/no" response sent from the client to the server, but anything that reduces the complexity of the problem (i.e. simulating a thousand virtual games to learn the game mechanics) is probably not worth the effort to code up.


"The current setup is limited, true, because the degrees of freedom haven't been fleshed out. I do think that's a fair criticism of this approach: the system needs a _much_ larger database covering different game engines, different knowledge domains, different assets (audio, images, videos), etc."

That's why this doesn't work. Sure, the CAPTCHA author gets to write code to generate their games, but you must not forget, the CAPTCHA attacker gets to write code too. If the author writes code to make the shoes any of 256 colors, the attacker gets to write whatever code they like to detect any of 256 colors and match them in code. If the author writes a trivia game with fixed answers, the attacker gets to hit the game until they get all the answers. If the author writes "What is $randint + $randint?", the attacker gets to write if ($question =~ /What is (\d?) \+ (\d?)/) { return $1 + $2 }, and so on.

If you look at it from an information theory perspective, the ability of the author to put information into their test is generally dwarfed by the ability of the attacker to put information into their cracker. When this is not the case, CAPTCHAs are uninteresting anyhow. That's why the only ones that have worked up to this point are ones that involve something genuinely hard for the attacker to express, because we know of no way to even express the distorted letter solver in code... or rather, we didn't, and now we do.


Also, the attacker code need only achieve a limited success rate (e.g. ~10%). Think of a gmail account creator: 1000 requests * success_rate = 10 accounts per minute. Not bad at all.


It appears to send all mouse movements and timing to the server for verification. Regardless, their database of games will never be large enough to dissuade spammers if this becomes popular. It will work in the short term, but I don't see how they can make this work long term, especially with no clear route to monetization.


Does ReCaptcha make money on ocr?


Could you please go into more detail?

I'm curious because if you're saying a bot would be stopped at this solution, but not a human, then wouldn't that also apply to recaptcha as well?

Or are you saying one could automate a solution around this over that being impossible with recaptcha?

Would like to hear your thoughts.


A bot would only be stopped by this because of novelty. Recaptcha can easily be bypassed by using human solvers, which are available for $1.50/1000 captchas last time I checked.

In my opinion, it would be easier to automate this than recaptcha because this uses common elements that don't have nearly enough difference between them to make it a challenge. A solve rate of <5% is effective for spammers. How is this going to stop anything when a spammer can simply cycle through to a game they know how to beat, and fake the mouse movements and timing?

Recaptcha is difficult to beat with OCR because it is designed to withstand attacks by OCR considered 'state of the art'. It is impossible to beat with off the shelf solutions. On the other hand, this would be rather simple to automate using pixel matching. The shapes and colors don't change (Take the pancake example, for instance).


Thanks. I'm definitely rethinking implementing this in anything important.


What he is saying is that captchas work solely on the fact that computers aren't fantastic at character recognition yet, so there isn't much way to have bots force their way in. This method will work temporarily, because it's new and obscure. But if someone specifically targeted a website that used this, they would just have to figure out how many puzzles there are, and design a simpler application to solve each one, rather than create a groundbreaking solution to better OCR (optical character recognition).

This system only works if there are unlimited, non repeating puzzles.


Watching the browser requests as I try different games, it appears that a determined person could reverse engineer that big JSON object that gets posted every time you interact with it. Just by looking at a couple, it seems to keep track of the object's movements and whether the mouse button is down or not. I'm not saying it would be easy, but it seems a lot easier than trying to analyze audio or do some OCR. I wouldn't even know where to start with those tasks. This I could probably do if my desire was enough to spend the time on it.


I think that's what this guy did to crack the code: http://www.youtube.com/watch?v=q_EYl83vlIw


This is fairly trivial to break. The number of puzzles is low and they repeat.

I could refresh til I get a desired puzzle (shoe matching). Then write a simple cursor controller program (say using Java Robot API). It would scan across the static shoe area on the right looking at shoe colors. Then scan across the shoes on the left. When it matches a color shoe, drag across to match.


There's no need to control the cursor, you can just replay the request. Open up Firebug, solve a puzzle and capture the POST data being transmitted to the server:

    observation_data: {"observationNumber":3,"mouse":[{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":1,"y":68,"down":false},{"x":2,"y":55,"down":false},{"x":34,"y":50,"down":false},{"x":40,"y":51,"down":false},{"x":40,"y":52,"down":false},{"x":40,"y":52,"down":false},{"x":40,"y":52,"down":false},{"x":40,"y":52,"down":false},{"x":40,"y":52,"down":true},{"x":40,"y":52,"down":true},{"x":108,"y":52,"down":true},{"x":242,"y":50,"down":true},{"x":327,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true},{"x":336,"y":52,"down":true}],"clock":[16555,16597,16636,16677,16723,16755,16797,16837,16877,16917,16957,16996,17036,17075,17116,17157,17198,17236,17277,17319,17357,17396,17438,17476,17517,17557,17598,17638,17677],"bins":[[{"id":2,"time":14037}],[{"id":3,"time":16156},{"id":4,"time":17677}],[{"id":4,"time":17677}]],"items":[]}
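
The server-side counterpart to two weaknesses raised in this thread (unlimited attempts, and a captured POST body that can be resubmitted), as an added example that is not part of any comment here and not areyouhuman's code. `ChallengeVerifier`, its method names, the limits and the in-memory store are all hypothetical.

```python
import hashlib
import secrets
import time

MAX_FAILURES = 3     # assumed per-client budget of failed attempts
CHALLENGE_TTL = 120  # assumed challenge lifetime, seconds


class ChallengeVerifier:
    """In-memory sketch: single-use challenges, failure budget, replay check."""

    def __init__(self, now=time.time):
        self._now = now
        self._open = {}      # challenge_id -> (client_id, expected, issued_at)
        self._failures = {}  # client_id -> failed attempts so far
        self._seen = set()   # SHA-256 of every payload already submitted

    def issue(self, client_id, expected):
        # A client that has spent its budget cannot cycle to an easier puzzle.
        if self._failures.get(client_id, 0) >= MAX_FAILURES:
            return None
        challenge_id = secrets.token_urlsafe(16)
        self._open[challenge_id] = (client_id, expected, self._now())
        return challenge_id

    def verify(self, client_id, challenge_id, answer, payload):
        if self._failures.get(client_id, 0) >= MAX_FAILURES:
            return False, "attempt budget exhausted"
        digest = hashlib.sha256(payload.encode()).hexdigest()
        replayed = digest in self._seen
        self._seen.add(digest)
        # pop() consumes the challenge whether or not the answer is right.
        entry = self._open.pop(challenge_id, None)
        if entry is None:
            return self._fail(client_id, "unknown or already used challenge")
        owner, expected, issued_at = entry
        if owner != client_id:
            return self._fail(client_id, "challenge issued to another client")
        if self._now() - issued_at > CHALLENGE_TTL:
            return self._fail(client_id, "challenge expired")
        if replayed:
            return self._fail(client_id, "replayed observation payload")
        if not secrets.compare_digest(answer.encode(), expected.encode()):
            return self._fail(client_id, "wrong answer")
        return True, "ok"

    def _fail(self, client_id, reason):
        self._failures[client_id] = self._failures.get(client_id, 0) + 1
        return False, reason
```

A byte-identical mouse trace arriving twice is treated as a replay because real pointer traces do not repeat exactly; a trace with small random changes passes this check, so it complements rather than replaces the attempt budget.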


Vulnerable to the same attack as Captchas: paying humans to solve them for a few cents a pop. Cultural factors would probably require training for some of the puzzles --- but I don't think that helps much. Someone from the Chinese countryside would probably have about as much luck with the pizza toppings on the first go as I'd have with Chinese ideography, but they'd have it nailed by the tenth.


Unfortunately I automatically associate this with "punch the monkey" banner ads and the like; if I saw it on a registration page I think I might skip it without thinking.


Here is a youtube video showing that some of the puzzles can be beaten pretty quickly through brute force. http://youtu.be/Ahu3fvW2H0E


First one I got was American-style pancakes, where I was supposed to put syrup and butter on it. Now due to partaking in way too much pop culture, I knew what to do. But while pancakes are pretty common, not everyone eats small, thick ones, stacked to incredible heights and thus is able to recognize them. Never mind the syrup, which is basically as international as a PB&J sandwich.

That's the problem with iconography in general. Easily outdated or subject to i18n goofs.


This is off-topic, but are PB&J sandwiches really not a common thing outside of the US? I've never heard this before.


They are not common outside of the US. Whenever I see people eat them in films and TV Shows I think "Ewww". Surprise, not everywhere is the same.


Peanut butter is pretty rare outside of the US. I think the Dutch have it as a "native" product and it's been getting more popular as a "typical American" import. Basically the roles of peanut butter and Nutella are reversed in large parts of Europe.


Some critical limitations:

- Limited puzzle possibilities, making it possible to manually code a simple solver for each specific problem

- culture-specific puzzles (I got "how to make pancakes") will cause some confusion among non-US users

- more time-wasting & confusing (and therefore more annoying) than Captcha

- relatively heavy to load


I wrote out basically the exact same points (including the pancakes) and then thought to check the rest of the thread..

The one you didn't mention is that it's not great for people with older browsers or impaired / older people in general.


First of all, technically this is a CAPTCHA still.

Second of all, you can eliminate the vast majority (or sometimes all) of your spam using honeypots or much simpler CAPTCHAs like "what is four + 2?".


Ineffective at preventing bots and also ineffective at letting humans through reliably:

Good luck to those with accessibility needs (elderly, blind, etc) in catching those moving glyphs... No more vegetarians visiting your site (after all if they don't put pepperoni on their pizzas they must be robots...)

The bot-writers meanwhile can write code for each puzzle (the puzzles, requiring art assets, are expensive enough to generate that the many spammers can out-muscle the few areyouhuman puzzle-setters)


The solution to captcha annoyance is not more annoyance in the form of a spammy-looking game. You can get to 99% of the use cases using some simple javascript logic and a hidden form element that is invisible to the user and catch the rest using a solid spam-detection algorithm on the server. The solution to spam is not to annoy your users. At least reCAPTCHA helps transcribe books…


I have mixed feelings about captchas.

As someone who works in tech, I realize it's a somewhat effective solution to a very difficult problem, but as a user, I just hate them.

Captchas are like the "customs check" you have to pass to leave a Best Buy. Because of a few bad apples, everyone's customer experience suffers a little.


I agree. After looking at all of these comments, it's safe to say this isn't ready to be a recaptcha alternative, but I do appreciate the attempt at making it a better process for the average user.


Interesting idea of challenging people/bots to complete higher-level tasks to prove they are human. This just needs keyboard accessibility (I couldn't tab to the start button or handicap symbol link).


Seems like the "accessibility" alternative is the weakest link here --- easily defeated with simple voice recognition technology.


I am so glad that I don't have to solve audio CAPTCHAs. That was traumatic!


It costs less than $0.01 to pay a real human to solve a captcha. Captchas don't solve the underlying problem.



