Oh, barbarian acronym. I hate it. It sounds like a buzz word, but by buzz word, I mean an horrible one.
AJAX, well, its funny, sounds like this good old cleaning product and afterall, its fine. Let’s not list now the hundred, i mean thousand, hundred of thousands of billions of acronyms and high tech buzz words created for the sole purpose of, well, make you sound cool and trendy !
So yea, CAPTCHA, meaning Completely Automated Public Turing test to tell Computers and Humans Apart. In other words, “Write the Image text In the Box”, i mean WIIB ! Yeap Wiib. Yeap this acronym now officially exists since approximately.. now.
Anyway, this sounds so much more sexy now. Let’s go on!
So this WIIB, simply ensure that you are a human and not a computer, since a computer has to recognize the text and it’s not an easy task (Or so one would think). I’m sure you’ve seen dozen of these
Some companies, recently self advertised in the news brought my attention to the low security this kind of protection provides. :read:
Let’s take the newest one, the
OCR Research team <http://www.ocr-research.org.ua/list/ppage/3.html>_. They’re claiming
to break WIIB’s for a living. Worst, they’re claiming to rate well known company WIIB’s. They’re also claiming to
provide (for a high fee) their own WIIB, which is just a 3D textured render of the words, with ugly colors (hardly human
readable, to be honest). Introducing… Teabag 3D. Oh yeah!
Take 1, TeaBag 3D
This version uses “military” style coloring, and it seems to make picture more pretty looking and readable.
Well, in general it’s still not perfectly readable but it’s extremaly hard to break, that’s for sure!
Can you read it ? I see a V, E then.. is it T ? is ir R ? hmm then.. O or 0 (zero) then a dot and.. well.. something. ooh! a nice little mountain ! :)
So yea, the idea is funny and original but far from good, as this is easy to render into wire frame (look at the polygons, the background ones are different) then separate the letters and finally recognizing the 3D model as a flat letter. Of course, the computer is not gonna recognise the characters I couldn’t recognize myself as a human, simply because they don’t look like characters at all :)
Take 2, the WIIB rating
Alright, now let’s see their competence level. Note, that I consider my own level to be sailing around null and shinning by it’s absence.
I selected the ua.fm WIIB. Well right, they only test weak ones and thus this one is rather weak, that’s true. The number of stars indicate the “strenght level”, meaning, the more stars the better protection. Alright boys and girls, here we go:
First sample. Looks simple to me, beside the R, which is reversed, so I actually don’t know if I should treat it as a letter. The letter is weird because it’s Ukrainian (just set your OCR dictionary to Ukrainian to recognize it :s )
Here’s another from the same site:
Well, right. They are second best in their tests which is pretty high (but hey, they’re not gonna put good ones since they sell their own;)
I’ll quote again
Strong enough CAPTCHA
Alright. So i made a 20 lines python script (using the integrated PIL module) which removes generic noise while keeping precision (unlike Gaussian filters). Of course you need different filters for different kind of noise a lot of websites are beating by this very simple one.
So yeah, here’s the image after the 0.01 ms processing:
Kinda clear uh ?
Let’s do it:
# gocr -p -f UTF8 -i clean_01.png ?965724
Note: You need the proper font installed or gocr to process this correctly.
Uhm yea.. hard =p If ever you’re unable to write a correct algorithm for recognizing forms anyway, you can do like they all do, use a small pre-coded neural network, associate a few samples with letters, and tada, it will recognize it for you and the detection rate will still be fairly high! It makes things much more simple.
.. note:: Sometimes, you need to separate the letters.
Ethics & the point
The main issue with such companies, is ethical. Usually, they sell their services to spammers/etc (although this one claims not to). Then if they don’t, they sell their services to test your CAPTCHA WIIB.
All fine, yea, but what they are not telling, is that we are to a level of knowledge where anyone who is able to code or script something, can figure out how to break most of them.
And if you can’t, usually, a human cannot read them either.
Or, you simple need to spend some more time on it than a single hour (like, recognizing lines striking the letters and removing them: the shapes are usually long and more or less straight, so it’s easy in theory but the algorithm is a bit annoying to code)
And I didn’t even rant about the coding part (often, you don’t need to recognize the text on the image to get the value… !)
Then they sell their own, which someone elses will break. Including the 3D nifty thing, I won’t publish the code for it but I gave the tips.
While this kind of trick works again stupid spammers and is cheap to implement, this is of course not the ultimate solution and will be totally void one day or the next.
Researches have been made into other directions (like, show 6 images with a bear and one with a car, and ask to choose which one is not fitting. Or, Ask questions like, what is the animal on the picture? they all have weaknesses and strength and I didn’t find the ideal one either)
As usual, everything is discussed and linked for you, by wikipedia: http://en.wikipedia.org/wiki/Captcha