Kasparov's amusing comment about a chess captcha: "Nice, but I have some bad news about using this to defend against the robots..."
https://twitter.com/kasparov63/status/905179347560124416
(Background: in 1997, Kasparov, the world chess champion, was famously defeated by IBM's Deep Blue computer, the first time a computer beat a world chess champion in a tournament.)
This is practically an anti-captcha. You could imagine a site demanding that users solve a mate in 10…
I don't think this would stop computers solving this at all... It would be trivial to write automation to bypass this, which defeats the point of it being a CAPTCHA
The most common use case for CAPTCHAs is to prevent or reduce automated spam bots that crawl around the web looking for input fields to fill. For that purpose, the CAPTCHA doesn't have to be perfect, just better than what some other sites have (i.e. no CAPTCHA at all) so that it's not worth it to spend time breaking into your input fields specifically when there's easier targets.
I'm not aware of any CAPTCHA solution that would protect you from actual targeted attacks where the attacker is determined to spend time on breaking your protection specifically.
> I'm not aware of any CAPTCHA solution that would protect you from actual targeted attacks
but that's the entire point of reCaptcha/hCaptcha/every CAPTCHA-as-a-service provider, because they provide good enough security that most websites can use it—if they could be broken, we'd likely see many more attacks that can successfully solve it, rather than services in low-income areas that offer to have real humans solve the problems for payment.
> if they could be broken, we'd likely see many more attacks that can successfully solve it
I've used buster for years, it's free and open source, one click to solve:
https://github.com/dessant/buster
So it's captcha through obscurity?
Yes. It works. Low-visibility sites can get a lot of mileage out of "Type 'x' in this box:" levels of CAPTCHA.
I've always been partial to a seemingly normal form field for data I don't need or want (e.g. id="name") that is visually hidden with CSS. Dumb bots will fill the field but humans won't.
Typing in a box is still much faster than dragging around chess pieces though. And it can be pretty decent with e.g. some very trivial but text-based math questions. But I can assure you if a site wants me to start solving chess puzzles I'm out of there. It's basically a less secure but much more cumbersome approach than Google's usual "click on all traffic lights" captcha.
I ran a little wiki with just a few thousand users, and thought like you... I put a "please type the color of our university's logo into this box:" captcha...
Yet somehow the spammers still flooded in... They must have used a human to solve it the first time, and then automation to make thousands more user accounts and pages.
It surprised me anyone would bother for such a small low impact site.
You'll note my phrasing was "can get a lot of mileage out of" and not "never need anything more than"; that was for a reason. If you pick up a particular spammer, with the toolset they have, who either has a personal reason to attack you, or who notices that you have a lot more Google juice than you realize, or even just misidentifies you as a large site for whatever reason, obviously they'll blow right through something as trivial as this. It is far from solid protection.
However, it does quite often work for extended periods of time, and for someone running a small site, it's worth it to try this out before going to something crazier because there's a decent chance it'll work. There are sites I frequent where such simple things have been working for years. It's so easy, that if it doesn't work, there isn't much time wasted. Very good bang for the buck, even if it is not even remotely a guaranteed solution for everybody.
Same experience, for a wiki and forum with less than a dozen users. When I changed the questions I had some peace for a couple of days, then started flooding again.
Had the opposite experience - was running a wordpress site and picked up a lesser known anti-spam plugin. AFAIK the only thing it did was run a tiny bit of obfuscated js to fill an invisible field. Never had a single spam comment again for over 6 years (sorry for no-js users tho).
_edit_
Just looked it up - it actually used to have a no-js backup and still worked wonders. Sadly seems it has turned into bloatware since I last used it, but the FAQ goes into detail how it works.
https://wordpress.org/plugins/anti-spam/
Basically 1. extra field that you have to enter the current year (hidden and filled by js for most users) and 2. extra hidden url and email fields that bots tend to autofill.
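Both the visually hidden "name" field mentioned earlier in the thread and the plugin's year field plus hidden URL/email fields come down to the same server-side decision: reject the submission if a field no human would see has content, or if the field that client-side JS should have filled does not hold the current year. The following is an added example written for this thread, not code from the plugin or from any commenter; the field names (`website_url`, `contact_email`, `current_year`) and the one-year tolerance around New Year are assumptions.

```javascript
// Added example (not from the thread or the WordPress plugin): server-side
// check for the two tricks described above, a honeypot field humans never
// see and a "current year" field that client-side JS fills in.
// Field names and the year tolerance are assumptions for this example.

const HONEYPOT_FIELDS = ["website_url", "contact_email"]; // hidden via CSS on the form
const YEAR_FIELD = "current_year";                         // filled by JS for normal users

// Decide whether a submission looks automated. `fields` is the parsed POST
// body (string values); `now` is injected so the check is testable.
function classifySubmission(fields, now = new Date()) {
  const reasons = [];

  // 1. Honeypot: a hidden field with any content was filled by something
  //    that does not render CSS, almost certainly a form-filling bot.
  for (const name of HONEYPOT_FIELDS) {
    if (typeof fields[name] === "string" && fields[name].trim() !== "") {
      reasons.push(`honeypot field "${name}" was filled`);
    }
  }

  // 2. Year challenge: the form ships the field empty and JS writes the
  //    current year. The previous year is also accepted so a form opened
  //    just before midnight on 31 December still validates (assumed tolerance).
  const year = Number.parseInt(fields[YEAR_FIELD] ?? "", 10);
  const thisYear = now.getUTCFullYear();
  if (Number.isNaN(year)) {
    reasons.push("year field missing or not numeric");
  } else if (year !== thisYear && year !== thisYear - 1) {
    reasons.push(`year field ${year} does not match ${thisYear}`);
  }

  return { spam: reasons.length > 0, reasons };
}

// Constructed sample submissions for a comment form (not real traffic).
const SAMPLES = {
  human: {
    comment: "Nice puzzle!", website_url: "", contact_email: "", current_year: "2023",
  },
  autofillBot: {
    comment: "cheap pills", website_url: "http://example.invalid",
    contact_email: "a@example.invalid", current_year: "2023",
  },
  noJsBot: {
    comment: "cheap pills", website_url: "", contact_email: "", current_year: "",
  },
};

// Run every sample against a fixed clock (1 June 2023) and return the verdicts.
function runSamples(now = new Date(Date.UTC(2023, 5, 1))) {
  const out = {};
  for (const [label, fields] of Object.entries(SAMPLES)) {
    out[label] = classifySubmission(fields, now);
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The `noJsBot` sample is also what a human with JavaScript disabled looks like to this check, which is exactly the drawback the comment above admits; a no-JS fallback (such as letting the user type the year by hand) has to be added separately if that matters for your audience.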
This is cool as a proof of concept, but seems rather user-hostile in practice.
That's how I would characterize captchas in general.
In its defense, it's quite robot friendly.
I posted this here after seeing essentially the same thing on lichess.org. Didn't post the link to that because it requires you to have an account in order to see it. Of course, this is only "security"-by-obscurity. Not only could computers solve these problems, but certainly they can do so better than us. So not very generalizable, but probably works well for a niche site. Still, I thought it was clever.
Interesting idea but disappointing that the versions on the websites are just gif images, not actual demos we can test.
_[Probably just as well, as I can only solve the 'mate in one' puzzle, in two!]_
Interesting idea yes, and I will make sure I will never go back to that website. Identifying fire hydrants or bicycles is annoying enough, but it takes 3-4 seconds. Setting up a chess board for 10 seconds? No thank you. If it is a service I use I will only write them once to complain, and if that doesn't go away I will drop them off (aka stop paying them) (and make sure they know why).
Security and convenience are (most times) opposites. I don't want to spend 10-20 secs to log in to a site. Especially if I am paying them.
When have you ever filled in a captcha for a paid service?
Hilton honors requires it to book a room with points. I finally called and spoke with a person, my privacy settings mean I rarely pass, and those are set that way for a reason.
Spotify, Dropbox, Carbonite are three that come to mind right now.
The login screen doesn't know I got a paying account until after I have logged in.
> Identifying fire hydrants or bicycles is annoying enough, but it takes 3-4 seconds. Setting up a chess board for 10 seconds? No thank you.
I'd actually prefer something like the chess puzzle to the normal reCaptchas. I find those so annoying that, unless I _really_ need to access the site in question, I'll just close the page as soon as I see one.
[Are you listening webmasters!]
Mind you, I'm impressed you can solve a reCaptcha in "3-4 seconds". They usually take me a hell of a lot longer than that because:
1: It's never made clear exactly what you're supposed to click on. For example, if I'm told to click on "traffic lights" does that mean just the lights?... or the poles as well?... and what about a square that only has a tiny bit in it? Does that count too, or is it only squares which are mostly filled by the object in question?
2: They make no concession to non-US English speakers. I've been asked to identify things before, where I had to guess what the word means because the same thing is called something completely different in UK English.
The only thing that approaches the level of rage that reCaptchas instil in me are those captchas where you've got to transcribe what's in a photo of some letters & numbers and where they NEVER fecking tell you whether it's case sensitive or not, or where they use identical characters for zero and letter O, one and letter I, etc.
Give me a chess puzzle any day!
PS: One tip I've found for trying to minimise reCAPTCHA killing rage is the "Buster" [0] plugin, which uses Google's AI against itself by using voice recognition to solve the audio ones. Unfortunately, it seems to work less and less reliably of late, which makes me think Google have got wise to it. I used to have almost 100% success 1st go with Buster. Now, it often takes me 2 or 3 goes before it works properly. Still infinitely less annoying than having to solve them manually, though.
Tip no. 2: If Buster doesn't work, or you haven't got it installed, I've found that the audio reCaptchas are actually a lot quicker to solve anyway. I've found out you don't need to transcribe the entire audio. I can usually pass one by identifying just one word, or even part of a word, out of the phrase spoken. My most satisfying ones ever are when the phrase contains the word "the" and I'm able to pass the reCaptcha just by typing in "the".
In your face, Google!
[0] https://chrome.google.com/webstore/detail/buster-captcha-sol...
[0] https://addons.mozilla.org/en-GB/firefox/addon/buster-captch...
> If I'm told to click on "traffic lights" does that mean just the lights?... or the poles as well?... and what about a square that only has a tiny bit in it? Does that count too, or is it only squares which are mostly filled by the object in question?
I empathize with the first part of the question. As for the second - I'm fairly positive they want you to count the mostly-filled squares too, considering that the labels are for object-detection models.
Always fun to see a captcha that's friendlier to computers than blind people.
You mean almost all of them? :)
lichess.org uses what looks like another chess captcha for posting in the forum.
Example on the bottom of the page:
https://lichess.org/forum/general-chess-discussion/blog-X5XE...
The lichess code is actually open source, although not in a simple component for people to use:
https://github.com/ornicar/lila/search?q=captcha
The lichess development process is actually very worthy of praise, lots of useful stuff linked from:
Now make a lot of variants and write the instructions in SVG with a random font.