I was playing a little bit with your code, after all it looked like that… http://pastebin.com/m50d11fa2

How ever I use Octave insted Matlab and I just hit the problem … the code at paste bin produces error:

http://pastebin.com/m5661fd57

Now the problem I think is here:

adjacentpixels=(imdilate(thisarea, [0 1 0;1 1 1;0 1 0])&~thisarea);

but I have no idea how to fix that. Can you help or explain please?

Oh yes and if I uncomment this:

%class(thisarea)
%class(temp)
%class(region)

i get:

ans = logical
ans = double
ans = double

Thanks!

That was actually easier than just reading it.

http://www.wowanno.com/forums/ucp.php?mode=register

I placed it there after a shitload of spam on that abandoned site.

A message to any potential spammer out there that might use the help you provide: fuck you.

I like it when there’s no cultural knowledge required: recognising celebrities would probably stop me from posting, and coins can be very unclear to foreigners (especially if some modern graphic designer has taken the numbers off them). Text-based ones like the normal ones have the advantage of requiring no knowledge beyond what you need to read and understand the site it’s on. A friend of mine ran a videogame website and its captcha rather cleverly asked you to identify game boxes. Obviously it only had a finite number of questions, which was a drawback, but for a small site that’s not a problem. (Although I’m certain that spambots have mastered the art of email confirmation by now.)

It is, you’re right, a massive disadvantage to have a computer sat opposite the subject in the Turing test, but it shouldn’t be automatically fatal: we know computers can test things they can’t do. For example, hashing algorithms can’t be reversed, but can be tested against. We have to find something where the computer can work backwards from the answer (say by warping the letters and drawing lines on) to generate a question, but can’t work forwards from there to find the answer. The hard part is that it has to be something a human can do easily. I suspect the bigger problem is that computers are too clever and people too dim.

Or. I may write this one next for the hell of it. You display random notes and coins in random position (some overlapping) – and ask for the total amount?

Or… How about recognising celebrities?

or… analysing the data given in other form fields?

or… testing that the entered email address exists?

It’s a fascinating subject – I believe the fatal flaw may in the first two letters of the Captcha acronym – ie: Completely Automated. We are asking a one computer to test another.

Check out this author’s run down of why linear transformation is not enough:

http://churchturing.org/captcha-dist/captcha/final.medium.png
http://churchturing.org/captcha-dist/

I’d like to think that means I’m open to correction, but I usually seem to end up with roughly the same opinion I had before but for better reasons so either my instincts are fantastic or I can justify any irrational prejudice. I don’t really know how to tell the two apart. I usually enjoy the process, though, so I don’t worry about it much.

The “answerhash” isn’t just the md5 of the answer, by the way. It’s salted with a site ID and some material unique to the page it’s on, so a stored answer would only work on one page. If I have to change it again I’ll add to that a question ID so that when a question is retired all hashes associated with it are retired as well. It’d mean checking five hashes instead of one, but that’s okay.

With image-based ones, the gap between “what computers can’t do” and “what humans can do” is closing fast, and probably closed long ago if you consider humans with any kind of disabilities. I don’t even think captchas on individual sites are the right approach, long term. We need to stop the spam being sent in the first place — the web traffic it generates is problematic and expensive enough and the tests to block it are the antithesis of most modern interface design principles.

(Personally, I think we need to start identifying the people whose computers are spam-sending zombies and taking away their broadband. They can’t be trusted with it.)

Firstly, you CANNOT allow the user to see the relationship between the captcha question or image and it’s solution. You’d be surprised at how often this is done. For example, the md5 hashing of the question that you provide on this site does just this (the md5 “answerhash” is embedded in the form code and thus visible to any HTML parser). Once one solution is calculated (which is easy in your case), it can be applied since they know the relationship between the hashing and the solution, even though it changes. Banning ip addresses wouldn’t work either because spam bots typically work in groups to avoid this, and you don’t want to ban a potential website visitor because they’ve slipped typing in the answer. Once spammers get it, they share the methods to other spammers so that everyone may enjoy the security hole.

Secondly, you MUST generate a unique captcha every time. A question or image should never come up twice, no matter what. It is pretty clear why this is important. This is typically why text verification is rarely used, at least by itself.

Thirdly, a good, foolproof, changing, and unique captcha image needs to be developed. For example, you may have an external chunk of php code using gd to generate an image, generate an id for this image, and put both the id and the solution in a database somewhere unbeknownst to the user. Then upon submission of something, check the id against the solution in the database, maybe have a script on the db return either true or false, and automatically and immediately delete that entry from the database.

I’ve always been interested in seeing how easy captcha images are to crack, and maybe even writing some code myself to do so. You should put a small section up on your site where users can submit a link to a chunk of code somewhere that outputs an image, and see how long it takes to develop a crack for it (one that can be applied to any image that is generated, and computes the correct solution 100% of the time). I firmly believe that with the proper linking of the characters with lines, and the correct usage of colors, fonts, scaling, rotation, overlapping, etc…that captchas are extremely effective.

In all fairness, you’ve attacked weak catpchas in your post above. There are some good ones!

A general algorithm would be more interesting, yes, but it would be a major investment of time and I’d be the wrong person to do it. My point was just that I could spend a week or so, crack phpBB’s captchas, and then spam all the phpBB forums in the world, which to my mind is a far greater weakness than a susceptibility to advanced computer vision algorithms, because as you pointed out there are so many people who could do what I just did. A few of them are bound to do it.

On the subject of my own captcha, I think to be fair you’ve underestimated it. It actually was broken once, but not by “entering two letter q’s”. That’s just one of five or six questions that loop around the comments form, which are all simple tasks involving maths and/or moving letters around, and about a year ago, a spambot learned to add two numbers (which is a common question in captchas anyway). All I did was load up the captcha file and delete that question (leaving four or five others). That secured the site again without blocking real comments, and later that day I replaced it with a new question so no harm was done. Yes, the questions are weak but the system that surrounds them is much more robust. I could put in a conventional image-based captcha if I wanted, although that would reduce accessibility, so for the amount of traffic I have now it would probably do more harm than good.

But that’s the only time I’ve had any spam (other than pingbacks, which are so problematic they’ve all but shut down Technorati) since I installed it, whereas phpBB’s captchas are broken daily even on low-traffic forums. Okay, so the smarter spammers you enjoy might learn to enter two “q’s” in a day, but I can remove that question that same day. I expect an automated system could remove it in a moment the first or second time WordPress detected a “spammy” comment getting through. Unless they can reverse-md5 long and meaningless strings, they’ve got nothing long-term but cracking individual questions as they appear.

Computer Vision is (and has been for some time) quite advanced. Trust me when I say that if Computer Vision is powerful enough to race autonomous robots through unknown terrain, navigate cars through a city on their own, take facial fingerprints (not images, but measurements) of every single person entering the stadium for the Superbowl in 2001, it can be used to crack a stupid captcha image.

The problem is that you are focusing on each individual captcha that you are cracking, and engineering a crack based on that particular image. So what? Any green-horn should be able to do that, and if they can’t should not even be trying. Why wouldn’t you push toward designing a program to read ANY image captcha that it encounters? You may have to put aside your trusty old Matlab for that one, and no, I won’t send you any code.

The rant about a administrator approving each and every attempt to register a user is about as brute force of a solution as I can think of. There are effective captchas out there, some of which I have written that have never been cracked a single time and have been up on forums, guestbooks, blogs, etc… for years with thousands of visitors a day. Don’t claim that you have accomplished something because you have cracked phpBB’s image captcha, which, by the way, is not cracking anything at all, since it is open source to begin with.

Maybe you should submit your solution “entering two letter q’s” to open source forums so they can benefit from this knowledge.

If I was an asshole, I’d redirect the spam traffic that I get on all the websites I’ve written and maintain to here; they’d have you cracked in a day or so and fill you up so full of crap you’d actually have some content on the site.

Sorry if I sound mean, I actually spit out my coffee when I read the letter ‘q’ thing because I was laughing so hard. You made my day man. Thanks.