Experimenting with alternative CAPTCHA designs and a brief history of the modern day CAPTCHA

Examples of simple CAPTCHA designs

What is a CAPTCHA?
If you have ever registered yourself on any site (mail, social networking etc) there’s a good chance you’ve seen a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). It is a simple test to prove your humanity to the site you are visiting. In this post I will be discussing CAPTCHAs in general, and experimenting with some new designs that might further thwart spammers.

Why is it needed?
The problem stems from how HTML forms work – they’re very simple to fill out and submit. Using a specially coded software, a spammer could  create thousands of email account in a matter of seconds, these could be used for sending email spam. (Because the email sending page is essentially another HTML form.) Spamming guestbooks is also a popular SEO technique to drive up a particular sites PageRank with both Google and other search engines, which employ similar mechanisms. (As a side note, good practice is to use the nofollow attribute for all outbound links if you’re ever coding a guestbook.)

CAPTCHA systems were invented to stop spammers. A CAPTCHA is usually a generated image that shows some sort of distorted text, which the user can read and input properly. A lot of work go into crafting CAPTCHAs that are simple for the user to read and understand, but difficult for OCR software to comprehend properly. This is usually done by adding distortion of some sort. But as OCR software improves and some people actually write custom code that target specific CAPTCHA systems, more obfuscation is needed, and so unreadable examples as shown in the image below are not uncommon.

An excellent example of a horrible CAPTCHA

Therefore I applaud alternative designs. There has been a few ones including identification of cats and dogs, although these are also flawed because of their limited databases, which are subject to brute force attacks.
Here’s another one I found while researching this post that I quite enjoyed:

An excellent example of an excellent CAPTCHA

This simple substitution CAPTCHA is good because it is unbreakable by standard OCR and requires a special algorithm. This involves someone programming it, which involves manpower, which involves money, which is a rare commodity – therefore, unless this kind of CAPTCHA is run on a high-profile site it would be too much hassle breaking it, and so this kind of alternative implementations works well for smaller sites.

My experiments
I know that I’ll be needing to use a CAPTCHA for some of the projects I am currently working on, and so I sat down a few days ago and started brainstorming. Some of these CAPTCHA variations probably already exist, others are a bit more exotic. Feel free to implement and use any of these. If you do, I’d love an email on how you are using them and what improvements you have made.

– Counting upwards

This is a pretty simple idea that differs from the vast majority because the letters are jumbled – every letter has a corresponding number. You type the word by starting from one (1) and counting upward, in this case the word is SECRET, which we see if we move the groups by numerical order:

SECRET
———-
123456

This sort of CAPTCHA should work pretty well on even high-profile pages, especially if you apply some distortion to the background, because it provides two points of errors – not only do the letters have to be identified correctly, so do the numbers. This one probably requires a small explanation on how to solve it on the page where it is used.

– Follow the path

This is one of the more exotic ones, and it builds upon the idea of following the letters around the shape in the direction of the arrow, in this case we start from H and wrap around the shape to make out HELLO. There is some Lorem Ipsum text inside the shape to further fool OCR. A full implementation should also randomize where the arrow points and its location from all possible letters. Distortion could be put on the background to make letter identification harder. This almost certainly requires an explanation on how to solve it on the site where it is used.

– The hierarchy
Last one wasn’t exotic enough for you? Meet the hierarchy. The basic idea is that letters are stacked on the edges of an arbitrarily large pyramid. The example shows one with four letters on each side, but it can be of any size. Inside the pyramid is an arrow twisting upwards – now follow its path and pick up the letters on the way to spell out TEST. A full implementation should randomize the path of the arrow, and perhaps even use other shapes (squares, circles) although just switching out the letters should work well for low-profile site use. If you use this to authenticate your comment form and don’t feature some sort of explanation on how to use it you probably won’t get a lot of comments…

Questions?
If you have trouble understanding how any of the examples work (I know my explanations are usually clumsy at best) go ahead and throw me a comment or an e-mail. You can find my address on the Fair Use page.

But it’s still possible to beat them!
How you might ask? Indian slave labor. The article linked is a fascinating insight into the world of the professional CAPTCHA solvers, who make as little as 0.001 dollars per solved CAPTCHA. A truly fascinating read about how cheap manpower can be used to circulate more spam around the planet.

See you next time!
This article has talked about CAPTCHA in general and some experimental approaches to the problem, next time we’ll discuss various ways of implementing a CAPTCHA using PHP. Stay tuned!

Tinfoil Tom Series – Episode 1: Securing your web browser

“What’cha lookin’ at?!”
(Thanks to Sarah for this beautiful depiction of paranoia!)

Hi and welcome to the “Tinfoil Tom” series that I intend on running on this very blog. This series of post will be dedicated to end-user computer security – for the slightly paranoid. So it seemed appropriate to start with what you’re doing at this very moment – that is, surfing the web! (Whatever else you were doing is but your own business, in the spirit of tinfoil hats, paranoia and all.)

This guide is first and foremost directed at power-users, but it is written in a way so that (hopefully) anyone can follow it without problems.

The web browser
Try asking someone about their web browser preference and you’ll notice that many people would rather bite your head off than consider an alternative one. That being said, according to me – the power-user browser is Firefox. Opera is not far behind and may very well excel in some categories, but with the grand focus on security, the enormous community and the perpetually growing add-on library that all Firefox users can enjoy, it’s simply unbeatable, and so it will be a prerequisite for this tutorial.

With its out-of-the-box configuration Firefox is one of the most secure browsers, but we won’t stop there! To make your experience even safer – read on for some useful add-ons.

Added security
Here are some great add-ons that will help in tightening your browsers security.

Adblock Plus

Before and after shot. Unfortunately, some of that heavily
appealing “bling-bling” disappears together with the ads.

Whilst not technically a security add-on, Adblock plus make practically all ads on pages disappear, and in such way makes you less targetable to third-party exploits such as XSS attacks, not to mention those bastard animated smileys. *shivers*

Using Ad blocking software has come under heavy fire lately, with many ad-financed sites expressing heavy criticism towards the users, some sites have even started to reject users with ad-blocking software. Luckily, the number of these sites so far is very small, and let us hope it doesn’t spread. One could probably spend a whole series of posts just discussing the moral aspects of ad blocking (Which according to me has heavy parallels to downloading or TiVo‘ing TV shows, effectively skipping the commercials.) but I’ll leave it for another day.

Get Adblock for Firefox here.

NoScript

Evil script is evil.

Before you install this add-on, you should be aware of the fact that breaks almost all modern websites because it interferes (or rather completely shuts off) JavaScript support unless you specifically enable it on a per-site basis. But it also stops a lot of third-party homepages from running scripts and makes a lot of other security improvements under the hood. Although I don’t recommend this add-on for normal users, power users who often visit the same set of homepages may benefit greatly in terms of increased security – this add-on will truly make your browser an impenetrable fortress.

Get NoScript for Firefox here.

TorButton

Just watching that onion makes my eyes tear up… with laughter!

TorButton is actually a quick proxy gateway to Tor, an online darknet-like anonymization effort, but because the Tor software acts as a standard HTTP proxy, we can use any proxy server in its place, and because the TorButton add-on features many security tweaks, some similar to NoScript, even running it through a transparent server on your own computers adds security, and as far as I have noticed, TorButton breaks much fewer websites and barely requires any user attention. The only problem might be the cumbersome task of properly setting up a proxy server, but for Windows I can recommend CCProxy which I use myself. (Demo version with some non-timebased restrictions, although works fine for our intentions.)

Get TorButton for Firefox here.

Coming up!
In the next episode of the Tinfoil Tom series we will be discussing laptop security, secure file deletion through wiping and file recovery.

In other news…

Randomly speaking of video game soundtracks – the classical Unreal Tournament Score is really such a pearl. Fantastic and surprisingly mellow soundscapes with a hint of almost organic roughness. I’m pretty certain it isn’t being sold anymore (I think it was only included in the special editions to begin with.) but I found a mirror, let’s hope it stays up!