[Nfb-web] Captcha Alternatives

Steve Jacobson steve.jacobson at visi.com
Wed Jun 29 15:56:26 UTC 2011


Peter and others,

I am glad this has come up again, because I wanted a chance to respond to an earlier message and make a couple of comments about CAPTCHAs.

First, I do not particularly enjoy the role I often play of poking holes in CAPTCHA solutions.  Whether Peter and I always agree or not, I have always and 
continue to respect his "can do" approach to problems.  I hope that you understand that, Peter.  Part of what got all of us to where we are is to sometimes 
boldly move forward even when we're not all that certain what we're going to encounter.

Also, understand that some of my responses are to supply information that may not be obvious.  In some cases, I may well give information that I feel is 
missing but which some of you likely already know.  Not everything is obvious to everybody.

We have a lot of issues facing us regarding computer and web use.  CAPTCHAs are one very important issue, but they are really a part of a larger issue, 
that of security and proving one has legitimate access to a system.  We are seeing other barriers as well, such as keypads used to gain entrance where the 
numbers are assigned to keys randomly each time it is used so people can't figure out codes by watching your pattern of movement.  Many companies use 
connections where you have a small device that displays a password or PIN when you connect which constantly changes.  Some of these things are not 
new, but security has become a greater and greater concern over time.

CAPTCHAs are trying to address a complex problem.  There is a large and very skilled community out there who have nothing more constructive to do than 
to break into sites, steal money and information, harass and swindle people, and otherwise make our lives difficult.  In the past, their jobs have been made 
easier because the attitude has been that web sites should not require any human intervention or monitoring.  I think that the landscape is going to get so 
complicated that in some cases, it will have to be accepted that there will need to be someone monitoring web activities in some way, but that's neither here 
nor there now.  What we're faced with is people trying to address security methods in whatever way they can think of, and in some cases, the 
ramifications to us are just not part of the overall concern.  A bank or grocery store won't fold because blind and deafblind customers can't get in, so we 
may need to get laws passed to make up for our small market.  Since there is so much that is a plus for us in our ability to participate in business on line, I 
don't think we can afford to just ignore all this, but I also don't think the answers are simple, either.  Therefore, part of our process has to be for us to look for 
likely reasons that this or that approach may not work.  This doesn't mean there isn't an approach that will work out there, only that we might as well figure 
out as soon as we can why a particular approach will be rejected and either have an answer or look for another approach.  We also have to realize that 
existing approaches are not perfect.  Text CAPTCHAS and audio alternatives will probably both become less effective as OCR and speech recognition get 
better.  If WebVisum is using some sort of specialized OCR, for example, it is only a matter of time that such capabilities will be available to most hackers.  If 
an iPod app can identify objects as it can, it is only a matter of time before Captchas that ask you to identify the second picture from the right can be solved 
automatically by hackers.  So what about the approach that would say click when you hear the sound of a train as someone mentioned.  It's a neat solution 
for now, except of course for the fact that it excludes the deafblind, but there is already software that will analyze the recording of a song and identify it.  
How hard is it to identify particular sounds?  Over time, these things are going to come and go, and it's going to be hard to keep up with them because 
solutions that might work for us are going to come only a little ahead of solutions that will benefit hackers.  

Peter, what you say about doing the security check in the background makes sense.  In the case of blogging, for example, or other kinds of forums, what 
you have suggested should help a lot.  I looked at the CF Forms Protect web site and they are clearly trying to think this through.  A large part of what they 
do, though, is based upon spam filtering techniques which won't play a role if a form is being filled out that does not have a message associated with it.  
However, they do look at some other criteria that could be applied generally such as trying to determine mouse movement and keyboard use.  While I don't 
condone everything that Google does, they seem like a company that looks at alternatives and tries to be ahead of the trends.  One would think that if some 
of the techniques that CF Forms Protect uses were solid, that large companies such as Google would adopt something similar.  I have found Google's audio 
CAPTCHA to be the most difficult I've had to deal with, and I'm guessing that they probably get hit as hard as anyone gets hit by bots trying to get free e-mail 
addresses.  The problem, of course, is that companies such as Google don't particularly want to talk about their approaches to security in case they give 
away something that might help hackers.  Probably, though, we are going to need to try to get some help from people who have experience with this on a 
large scale who know why some of these somewhat obvious approaches such as some that CF Forms Protect uses are not solid enough to use in general.  
I fear, though, that I already know part of the answer.  One of CF's approaches can tell if the user is using a keyboard.  I would guess that a "bot" can give 
the impression that a keyboard is being used if correctly constructed.  Another of CF's approaches looks at whether a user fills out a form by moving a 
mouse, with the thought being that a "bot" won't move the mouse.  Before people are concerned about this, though, CF Forms Protect mentions right on 
their site that this is not a very good indicator since blind people don't generally use a mouse, and they give mouse movement a low priority.  However, 
Window-Eyes and JFW can both move the mouse pointer, and both could move a mouse pointer by scripting.  I again see that as soon as it were to be 
known that a certain amount of mouse pointer movement is required that this could be done automatically through scripting.  I am not convinced that some 
of what seems like a good approach to use probably won't stand up for long against the real pros.

My point here isn't to shoot down CF Forms Protect because they are taking an interesting approach to the problem, and I believe that if you take what they 
are checking in the background in terms of patterns of keyboard and mouse usage together with analyzing the message content together with other 
processes they probably are not advertising, they likely provide some pretty good protection to BLOGs and other similar sites.  We should point to them as 
taking an innovative approach to this problem when we talk to people about CAPTCHAs.  This would seem to me to be a viable approach for Barracuda 
Networks, for example, if I could ever contact them.  <smile>

When I have said in the past that there are no cure-alls, that doesn't mean that temporary cures should be ignored.  I think, though, that we have to be 
careful about endorsing a particular alternative as a general approach without fully understanding the strengths and the weaknesses.  We will lose 
credibility if we confront a business offering a solution that can quickly be shown not to work well for them.  What my experiences and the discussions here 
indicate to me is that we do need to raise this problem on our list of priorities.  Unfortunately, the best solution would be to re-engineer human beings to not 
have the tendency toward crime that we seem to have, but that is probably a topic better left to Faith-Talk. 

Best regards,

Steve Jacobson
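
The background checks discussed in this thread (keyboard and mouse activity, URL count, spam phrases, an IP reputation lookup), combined into one weighted score, as an added example that is not part of the original message and is not CFFormProtect's code. The weights, threshold, sample submissions and the local `LISTED_IPS` set are assumptions; mouse movement carries the lowest weight so that a keyboard-only visitor is not flagged.

```python
import re
from dataclasses import dataclass

# Assumed weights and threshold. The thread states only that mouse movement
# gets a low priority and that more than six URLs triggers the content check.
WEIGHTS = {"no_keyboard": 2, "no_mouse": 1, "too_many_urls": 3,
           "spam_phrase": 3, "listed_ip": 5}
THRESHOLD = 5
MAX_URLS = 6
SPAM_PHRASES = ("viagra", "free music download")
LISTED_IPS = {"203.0.113.7"}  # constructed stand-in for an IP reputation lookup
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Submission:
    ip: str
    message: str       # empty for forms that carry no free text
    key_events: int    # keystrokes reported by the page script
    mouse_events: int  # pointer movements reported by the page script


def signals(sub: Submission) -> list[str]:
    """Return the names of the background checks this submission trips."""
    text = sub.message.lower()
    checks = {
        "no_keyboard": sub.key_events == 0,
        "no_mouse": sub.mouse_events == 0,
        "too_many_urls": len(URL_RE.findall(text)) > MAX_URLS,
        "spam_phrase": any(p in text for p in SPAM_PHRASES),
        "listed_ip": sub.ip in LISTED_IPS,
    }
    return [name for name, fired in checks.items() if fired]


def score(sub: Submission) -> int:
    return sum(WEIGHTS[name] for name in signals(sub))


def is_spam(sub: Submission) -> bool:
    return score(sub) >= THRESHOLD


# Constructed sample submissions.
KEYBOARD_ONLY = Submission("192.0.2.10", "Thanks, see http://example.org/notes", 140, 0)
LINK_SPAM = Submission("203.0.113.7",
                       "free music download " + " ".join(
                           f"http://example.com/{i}" for i in range(7)), 0, 0)
NO_MESSAGE = Submission("192.0.2.11", "", 0, 0)

if __name__ == "__main__":
    for name, sub in [("keyboard-only", KEYBOARD_ONLY), ("link spam", LINK_SPAM),
                      ("no message", NO_MESSAGE)]:
        print(f"{name:14} signals={signals(sub)} score={score(sub)} spam={is_spam(sub)}")
```

The `NO_MESSAGE` case scores 3, below the threshold: a form with no free text has only the behavioural signals left, which is the limitation raised above.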

On Tue, 28 Jun 2011 20:54:15 -0500, Peter Donahue wrote:

>Hello Chris and everyone,

>    The best alternative I've seen is to completely remove the end user from 
>the verification process and perform such checks in the background. This is 
>exactly what CFForm Protect does. To see it in action visit:
>http://www.nfb-writers-division.net/blog

>        Leave a comment to one of the posts there and load it up with more 
>than six URLS, or enter words such as Viagra, free music download, etc.

>    Perhaps the Towson system could be modified to detect a Braille-aware 
>device and display random patterns of dots that a deaf-blind person could 
>feel. When they feel the pattern they would press the spacebar as do those 
>who hear the sound. These patterns would only be generated if a Braille 
>display is in use.

>    But as I said why mess with these things when there are technologies 
>that eliminate the need for user interaction and perform spam bot screening 
>in the background removing accessibility barriers for everyone.

>Peter Donahue


>----- Original Message ----- 
>From: "Chris Westbrook" <westbchris at gmail.com>
>To: "NFB Webmaster's List" <nfb-web at nfbnet.org>
>Sent: Tuesday, June 28, 2011 6:58 PM
>Subject: Re: [Nfb-web] Captcha Alternatives


>Unfortunately, I'm not sure there is a way to include the deaf blind without 
>making it too easy for spammers to defeat.  Deaf blind people need text, and 
>computers can process text fairly well now unfortunately.
>Chris Westbrook




>On Jun 28, 2011, at 6:10 PM, Peter Donahue wrote:

>> Hello everyone,
>>
>> That system still locks out the deaf-blind.
>>
>> Peter Donahue
>>
>>
>> ----- Original Message ----- 
>> From: "Gary Wunder" <GWunder at earthlink.net>
>> To: "'NFB Webmaster's List'" <nfb-web at nfbnet.org>
>> Sent: Tuesday, June 28, 2011 2:25 PM
>> Subject: Re: [Nfb-web] Captcha Alternatives
>>
>>
>> Wow, good deal. Thanks.
>>
>>
>>
>> -----Original Message-----
>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>> Behalf Of Jaquiss, Robert
>> Sent: Tuesday, June 28, 2011 1:50 PM
>> To: NFB Webmaster's List
>> Subject: Re: [Nfb-web] Captcha Alternatives
>>
>> Hello Gary:
>>
>>     I don't know if Dr. Lazar from Towson will be at the convention, but 
>> he
>> and his students have come up with a unique CAPTCHA.
>> The user is asked to press the space bar when a certain sound is heard. 
>> For
>> example, the user is asked to press space when they hear a train. The user
>> then hears a sequence of sounds such as a cat, horse, glass breaking, 
>> train
>> etc. the system seems to work.
>>
>> Regards,
>>
>> Robert
>>
>>
>> Robert Jaquiss
>> National Federation of the Blind
>> 200 East Wells Street at Jernigan Place
>> Baltimore, Maryland 21230
>> Phone: 410-659-9314, ext. 2422
>>
>>
>> -----Original Message-----
>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>> Behalf Of Gary Wunder
>> Sent: Tuesday, June 28, 2011 1:39 PM
>> To: 'NFB Webmaster's List'
>> Subject: Re: [Nfb-web] Captcha Alternatives
>>
>> Would you like to speak about it at the webmasters meeting?
>>
>> Gary
>>
>>
>>
>> -----Original Message-----
>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>> Behalf Of Peter Donahue
>> Sent: Sunday, June 26, 2011 3:21 PM
>> To: Discussion of the Graphical User Interface,GUI Talk Mailing List
>> Cc: nfb-web at nfbnet.org
>> Subject: [Nfb-web] Captcha Alternatives
>>
>> Hello everyone,
>>
>>    This whole issue has caused me to seek out alternatives to captchas and
>> the problems they cause for all Web site visitors. Being a ColdFusion
>> developer I was delighted to discover a utility called "CFForm Protect."
>> This plug-in does its work behind-the-scenes and requires no user
>> interaction removing the need to deal with traditional captchas and the
>> accessibility issues they create for the blind. To learn more about CFForm
>> Protect visit:
>> http://cfformprotect.riaforge.org/
>>
>>    To see a demonstration of how it works visit:
>> http://www.nfb-writers-division.net/blog
>>
>>    We currently have CFForm Protect running on the blog and will roll it
>> out to other interactive components of this Web site in the coming months.
>> I'll also be installing it on several other ColdFusion sites I'm creating 
>> or
>> will build in the future. Want to give it a go? Select the link to the 
>> blog
>> post and leave a comment. In your comment type more than six URLS, enter
>> words and phrases such as free music download, or Viagra and see what
>> happens. In the future CFForm Protect's capabilities will be enhanced by
>> linking it to Akismet and Project Honeypot.com.
>>
>>    One idea I suggested to control spam while not locking out blind Web
>> surfers is to find a utility that will compare a would-be spammer's IP
>> address with those of known spammers and preventing that spam bot from
>> entering data in to the form. Project Honeypot does exactly that! The IP
>> address of an entity attempting to fill out a Web form is compared with
>> Honeypot's extensive database of IP Addresses of known spammers. If a 
>> match
>> is not found the entity is allowed to fill out the Web site form. If a 
>> match
>> is found the entity attempting to fill out the form is prevented from 
>> doing
>> so thus protecting the site's owners from spam bots. Working with CFForm
>> Protect Project Honeypot gathers flagged form entries belonging to 
>> would-be
>> spammers and adds their IP addresses to its database. Hence we can do a
>> little community service as well as protecting our Web sites from spam 
>> bots
>> all without creating accessibility barriers for blind computer users!
>> Project Honeypot is a free service.
>>
>>    Akismet is a paid service that can determine if the entity filling out 
>> a
>> Web form is a spammer or not. If it flags the entity as a spammer it
>> notifies the site owner so they can take further action.
>>
>>    My discovery of CFFormProtect has me wondering if there are similar
>> plug-ins, components, and utilities developed for other Web development
>> environments: ASP, PHP, ASP.NET, ETC. Perhaps this is a matter for our
>> Webmasters and the IBTC to explore and gather information about these
>> products and services. Whenever someone seeks our help to make their Web
>> site accessible we can recommend the installation of one of these programs
>> instead of captchas and the problems they create for blind and deaf-blind
>> computer users. Just thought I would spread the word.
>>
>> Peter Donahue
>>
>>
>> ----- Original Message -----
>> From: "Ken lawrence" <kenlawrence124 at aol.com>
>> To: <gui-talk at nfbnet.org>
>> Sent: Sunday, June 26, 2011 4:21 PM
>> Subject: [gui-talk] will Webvisum be rendered useless?
>>
>>
>> Hi Ken here.  I read in Kim Komando's email that Firefox has started a new
>> schedule: there will be new versions of the browser every two months.  I just
>> got the update automatically today and they are recommending you install it
>> since no more updates will be made for version 4.  So in two months for
>> example version 6 or maybe 5 point something or other.  Webvisum has been
>> disabled since it isn't updated.  The Firefox browser says it will enable it
>> if it has an update.  But can Webvisum possibly keep up with a two months
>> schedule?  Is our captcha solver useless thanks to this new timetable by
>> Firefox?
>> _______________________________________________
>> gui-talk mailing list
>> gui-talk at nfbnet.org
>> http://www.nfbnet.org/mailman/listinfo/gui-talk_nfbnet.org
>> To unsubscribe, change your list options or get your account info for
>> gui-talk:
>> http://www.nfbnet.org/mailman/options/gui-talk_nfbnet.org/pdonahue2%40satx.r
>> r.com
>>
>>
>> _______________________________________________
>> Nfb-web mailing list
>> Nfb-web at nfbnet.org
>> http://www.nfbnet.org/mailman/listinfo/nfb-web_nfbnet.org
>> To unsubscribe, change your list options or get your account info for
>> Nfb-web:
>> http://www.nfbnet.org/mailman/options/nfb-web_nfbnet.org/gwunder%40earthlink
>> .net
>>
>>