So, the pony express is easily buildable, bot-proof, not-porn proof, and not accessible.
Thanks Pratik for the example - it's really clear.
I've posted the hacked code at http://null.in/2006/08/30/paptcha-a-captcha-killer/ , in case anyone is interested.
Thanks, Pratik
Sorry, this should have gone out a couple of days ago but I was interrupted and forgot about it for a while.
@Pratik: +1 for posting the code!
@Greg. How about this:
CAPTCHA's strength: Bots can't read the obscured text being presented in the image. Stop there.
My primary concern: Reducing the software's demand on humans.
Everything else (such as bandwidth, accessibility) is important, but secondary to the notion that a user must WORK to participate/contribute/use your software. Maybe I am from Mars, but CAPTCHA is just *one* of those many features that have snuck their way into (especially web) apps that sacrifice real usability in a glaring and obvious way. Excess form fields? Bad UI design? Clear copy? Terribly important but these come second in my book to 'make the user do work that software should do'.
Pony Authentication isn't 100% better, but it's a hell of a lot easier to identify a pony and click it than it is to ask a user to read and type what looks like a unix admin's password.
A solution offered by someone who wrote to me privately follows, blatantly plagiarized as it was well expressed:
1. Put up a bunch of pictures (5x5 grid?), and ask the user to click one at random. "please click the picture of the young girl".
2. Use captcha-style noise generation to create a graphic which includes the instructions. people are good at reading words, even with noise. they don't have to get each letter right, they just need to know that it said "young girl" rather than "purple wolf". randomizing the graphic with the instructions means that the computer can't automatically match up pairs.
Faisal, the author of that concept, combined the strength of CAPTCHA with the strength of Pony Authentication. The Bot can't read the instructions, asking a user to make *one single click*
Greg, I don't know if that sounds like I'm avoiding your well-thought out and practical line of questioning, but I'm a fan of just pulling back to the main idea and going from there if it looks like a specific implementation isn't practical.
Right now, it looks like Pony Authentication as described by Faisal would be a *better* solution than CAPTCHA given that the priority is to minimize user demand. Most users would rather spend 1-5 seconds downloading some extra images than 10 seconds acting like a chimp, hunting and pecking on the keyboard.
chao, sudara
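As an added example (not part of the original thread or anyone's posted code), here is one way a server could issue and check the 5x5 picture challenge described above. The HMAC-signed token, opaque per-challenge tile ids, the 120-second lifetime and every function name are assumptions made for illustration; the last function measures how often a client clicking at random gets through, which for 25 tiles is about 1 in 25.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key (assumed per-process)
TTL = 120                         # seconds a challenge stays valid (assumed value)
_used = set()                     # nonces already spent, so a challenge can't be retried


def _sign(nonce, tile, expires):
    msg = f"{nonce}:{tile}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(labels, now=None):
    """Return (public, private): public goes to the browser, private stays server-side."""
    now = time.time() if now is None else now
    shuffled = list(labels)
    secrets.SystemRandom().shuffle(shuffled)
    tiles = [secrets.token_hex(8) for _ in shuffled]  # opaque ids, fresh per challenge
    target = secrets.randbelow(len(tiles))
    nonce, expires = secrets.token_hex(16), int(now + TTL)
    token = f"{nonce}:{expires}:{_sign(nonce, tiles[target], expires)}"
    public = {"tiles": tiles, "token": token}
    # instruction is what the server renders into the noisy image; never sent as text
    private = {"tile_labels": dict(zip(tiles, shuffled)),
               "instruction": shuffled[target], "target_tile": tiles[target]}
    return public, private


def verify(token, clicked_tile, now=None):
    now = time.time() if now is None else now
    try:
        nonce, expires, mac = token.split(":")
        expires = int(expires)
    except ValueError:
        return False
    if nonce in _used or now > expires:
        return False
    _used.add(nonce)  # one click per challenge, right or wrong
    return hmac.compare_digest(mac.encode(), _sign(nonce, clicked_tile, expires).encode())


def blind_guess_pass_rate(labels, trials):
    """Fraction of challenges passed by a client that clicks a tile at random."""
    passed = 0
    for _ in range(trials):
        public, _ = issue_challenge(labels)
        passed += verify(public["token"], secrets.choice(public["tiles"]))
    return passed / trials
```

Spending the nonce on the first click is what keeps the pass rate at the single-guess figure; without it a client could simply try every tile against the same token.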
[...]
} CAPTCHA's strength:
} Bots can't read the obscured text being presented in the image. Stop
} there.
}
} My primary concern:
} Reducing the software's demand on humans.
[...]
} Pony Authentication isn't 100% better, but it's a hell of a lot easier
} to identify a pony and click it than it is to ask a user to read and
} type what looks like a unix admin's password.
It is, indeed, easier. It is easy enough for a spambot to do.
} A solution offered by someone who wrote to me privately follows,
} blatantly plagiarized as it was well expressed:
}
} 1. Put up a bunch of pictures (5x5 grid?), and ask the user to click
} one at random. "please click the picture of the young girl".
}
} 2. Use captcha-style noise generation to create a graphic which
} includes the instructions. people are good at reading words, even with
} noise. they don't have to get each letter right, they just need to
} know that it said "young girl" rather than "purple wolf". randomizing
} the graphic with the instructions means that the computer
} can't automatically match up pairs.
}
} Faisal, the author of that concept, combined the strength of CAPTCHA with
} the strength of Pony Authentication. The Bot can't read the
} instructions, asking a user to make *one single click*
This isn't bad. On the other hand, see the other branch of this thread about doing it all in text, which has several advantages over both captchas and "Pony Authentication":
- it is accessible to the visually impaired
- it requires less bandwidth (no images)
- it requires minimal effort to develop lists of questions and answers
} Greg, I don't know if that sounds like I'm avoiding your well-thought
} out and practical line of questioning, but I'm a fan of just pulling
} back to the main idea and going from there if it looks like a specific
} implementation isn't practical.
If you aren't familiar with the state of the art in AI algorithms and don't do the analysis of your candidate solutions, you don't have the tools to determine whether they will achieve your goals. I gave you an analysis of "Pony Authentication". If you are willing to accept those tradeoffs, it is a viable solution for you; if not, then it isn't.
Also, you need to be clear about what you are optimizing, and metrics for evaluating the dimensions you are optimizing. If you are only minimizing user demand, you don't use any verification system at all and spam gets posted. If you are also minimizing spam that gets posted, you must have a way of relating the value of minimizing one or the other. Even so, the appropriate solution in that case is to skip the verification system and just not publish anything until it's been reviewed by a human.
Realistically, you are optimizing on many variables including, but not limited to:
- ease of use
- quantity of spam
- delay between submission and publication
- cost (which is really a combination of human time, bandwidth costs, etc.)
Before adopting a solution you need a decently solid idea of where the proposed solution lies in this high-dimensional space.
So carry on your out-of-the-box thinking and visionary adventures. Just remember that a proposed solution that doesn't solve your problem isn't of much use. It's a lot better to know that before implementing it and putting it in production.
} Right now, it looks like Pony Authentication as described by Faisal
} would be a *better* solution than CAPTCHA given that the priority is to
} minimize user demand. Most users would rather spend 1-5 seconds
} downloading some extra images than 10 seconds acting like a chimp,
} hunting and pecking on the keyboard.
Your last sentence is presented as a statement of fact, yet I suspect it is simply a statement of what you believe to be intuitively true. I know of no evidence to support it; do you? The studies I've seen show that users perceive a length of time spent waiting for something to happen as a much longer time than the same length of time when they are actually doing something.
I know I'm beating a dead horse, and that this isn't likely to actually change your thinking in these things, but I'm going to say it anyway. There is plenty of computer science and cognitive science research that covers the things you are thinking about. The literature is published, and much of the information is available from a Google search. Thinking outside the box is not the same as pontificating from a position of ignorance. You can only see farther by standing on the shoulders of those who have gone before you if you know what they learned.
} chao,
} sudara

--Greg
That's right.