[Nfb-web] Captcha Alternatives

Steve Jacobson steve.jacobson at visi.com
Wed Jun 29 18:54:41 UTC 2011


Peter,

You missed my point, though.  If Window-Eyes and JFW can move the mouse pointer, this can be scripted around in all likelihood regardless of the setting, 
by hackers.  Also, as their web site mentions, setting mouse movement too high in importance will probably cause blind persons to be flagged as spammers 
because we don't move the mouse pointer.  Still, I am not saying that this isn't an interesting alternative that is probably pretty effective.  It would be nice if 
there were statistics that compare its effectiveness to that of CAPTCHAs. 

I recently saw another web site where you had to solve a simple math problem.  This could probably be scripted to be dealt with automatically, too, but I 
think I'll try to contact the web site developer to see if they know how many contacts this approach rejects.  

Best regards,

Steve Jacobson
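The trade-off argued in this exchange, as an added example that is not part of either message and is not CFFormProtect's own code: a points-based form check in which raising the mouse-movement weight flags a keyboard-only visitor while a client that simulates input still scores zero. Only the mouse-movement default of 1, the "more than six URLs" rule and the sample spam phrases come from the thread; the other weights, the failure limit and all names are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed weights, except no_mouse_movement = 1, which the thread gives as the default.
DEFAULT_WEIGHTS = {
    "no_mouse_movement": 1,
    "no_keyboard_use": 1,
    "too_many_urls": 3,
    "spam_words": 3,
    "ip_on_blocklist": 3,
}
# The "strengthened" setting: mouse movement weighted as heavily as spam content.
STRICT_WEIGHTS = {**DEFAULT_WEIGHTS, "no_mouse_movement": 3}
FAILURE_LIMIT = 3                                  # assumed threshold
MAX_URLS = 6                                       # "more than six URLs"
SPAM_PHRASES = ("viagra", "free music download")   # phrases named in the thread


@dataclass
class Submission:
    moved_mouse: bool
    used_keyboard: bool
    comment: str
    ip_on_blocklist: bool = False


def failed_tests(sub):
    """Return the names of the background tests this submission fails."""
    text = sub.comment.lower()
    failed = []
    if not sub.moved_mouse:
        failed.append("no_mouse_movement")
    if not sub.used_keyboard:
        failed.append("no_keyboard_use")
    if len(re.findall(r"https?://", text)) > MAX_URLS:
        failed.append("too_many_urls")
    if any(phrase in text for phrase in SPAM_PHRASES):
        failed.append("spam_words")
    if sub.ip_on_blocklist:
        failed.append("ip_on_blocklist")
    return failed


def score(sub, weights):
    return sum(weights[name] for name in failed_tests(sub))


def is_flagged(sub, weights, limit=FAILURE_LIMIT):
    return score(sub, weights) >= limit


# Constructed sample submissions.
SCREEN_READER_USER = Submission(False, True, "Great post, thanks for sharing.")
NAIVE_BOT = Submission(
    False, False,
    "Viagra " + " ".join(f"http://spam.example/{i}" for i in range(7)),
)
INPUT_SIMULATING_CLIENT = Submission(True, True, "Nice site.")


def compare():
    """Map each sample to (flagged with default weights, flagged with strict weights)."""
    samples = {
        "screen_reader_user": SCREEN_READER_USER,
        "naive_bot": NAIVE_BOT,
        "input_simulating_client": INPUT_SIMULATING_CLIENT,
    }
    return {name: (is_flagged(s, DEFAULT_WEIGHTS), is_flagged(s, STRICT_WEIGHTS))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Under these assumed numbers the stricter weight changes the verdict for only one sample, the keyboard-only human; content and reputation checks are what catch the naive bot in both configurations.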

On Wed, 29 Jun 2011 12:23:32 -0500, Peter Donahue wrote:

>Hello Steve and everyone,

>    The points CFForm Protect assigns to its various tests can be adjusted. 
>Although the default is 1 for mouse movement if one fears that scripting 
>could "Mimic" mouse or keyboard use these levels can be strengthened thus 
>making it harder for bots and scripts to do their dirty work this way. Thus 
>there is a lot of built-in configurability plus the utilization of other 
>services such as Akismet and Project Honeypot for performing additional 
>checks.

>Peter Donahue


>----- Original Message ----- 
>From: "Steve Jacobson" <steve.jacobson at visi.com>
>To: "NFB Webmaster's List" <nfb-web at nfbnet.org>
>Sent: Wednesday, June 29, 2011 10:56 AM
>Subject: Re: [Nfb-web] Captcha Alternatives


>Peter and others,

>I am glad this has come up again, because I wanted a chance to respond to an 
>earlier message and make a couple of comments about CAPTCHAs.

>First, I do not particularly enjoy the role I often play of poking holes in
>CAPTCHA solutions.  Whether Peter and I always agree or not, I have always
>and continue to respect his "can do" approach to problems.  I hope that you
>understand that, Peter.  Part of what got all of us to where we are is to
>sometimes boldly move forward even when we're not all that certain what
>we're going to encounter.

>Also, understand that some of my responses are to supply information that
>may not be obvious.  In some cases, I may well give information that I feel
>is missing but which some of you likely already know.  Not everything is
>obvious to everybody.

>We have a lot of issues facing us regarding computer and web use.  CAPTCHAs
>are one very important issue, but they are really a part of a larger issue,
>that of security and proving one has legitimate access to a system.  We are
>seeing other barriers as well, such as keypads used to gain entrance where
>the numbers are assigned to keys randomly each time it is used so people
>can't figure out codes by watching your pattern of movement.  Many companies
>use connections where you have a small device that displays a password or
>PIN when you connect which constantly changes.  Some of these things are not
>new, but security has become a greater and greater concern over time.

>CAPTCHAs are trying to address a complex problem.  There is a large and very
>skilled community out there who have nothing more constructive to do than
>to break into sites, steal money and information, harass and swindle
>people, and otherwise make our lives difficult.  In the past, their jobs
>have been made easier because the attitude has been that web sites should
>not require any human intervention or monitoring.  I think that the
>landscape is going to get so complicated that in some cases, it will have to
>be accepted that there will need to be someone monitoring web activities in
>some way, but that's neither here nor there now.  What we're faced with is
>people trying to address security methods in whatever way they can think of,
>and in some cases, the ramifications to us are just not part of the overall
>concern.  A bank or grocery store won't fold because blind and deafblind
>customers can't get in, so we may need to get laws passed to make up for our
>small market.  Since there is so much that is a plus for us in our ability
>to participate in business on line, I don't think we can afford to just
>ignore all this, but I also don't think the answers are simple, either.
>Therefore, part of our process has to be for us to look for likely reasons
>that this or that approach may not work.  This doesn't mean there isn't an
>approach that will work out there, only that we might as well figure out as
>soon as we can why a particular approach will be rejected and either have an
>answer or look for another approach.  We also have to realize that existing
>approaches are not perfect.  Text CAPTCHAS and audio alternatives will
>probably both become less effective as OCR and speech recognition get
>better.  If WebVisum is using some sort of specialized OCR, for example, it
>is only a matter of time that such capabilities will be available to most
>hackers.  If an iPod app can identify objects as it can, it is only a matter
>of time before Captchas that ask you to identify the second picture from the
>right can be solved automatically by hackers.  So what about the approach
>that would say click when you hear the sound of a train as someone
>mentioned.  It's a neat solution for now, except of course for the fact that
>it excludes the deafblind, but there is already software that will analyze
>the recording of a song and identify it.  How hard is it to identify
>particular sounds?  Over time, these things are going to come and go, and
>it's going to be hard to keep up with them because solutions that might work
>for us are going to come only a little ahead of solutions that will benefit
>hackers.

>Peter, what you say about doing the security check in the background makes
>sense.  In the case of blogging, for example, or other kinds of forums, what
>you have suggested should help a lot.  I looked at the CF Forms Protect web
>site and they are clearly trying to think this through.  A large part of
>what they do, though is based upon spam filtering techniques which won't
>play a role if a form is being filled out that does not have a message
>associated with it.  However, they do look at some other criteria that could
>be applied generally such as trying to determine mouse movement and keyboard
>use.  While I don't condone everything that Google does, they seem like a
>company that looks at alternatives and tries to be ahead of the trends.  One
>would think that if some of the techniques that CF Forms Protect uses were
>solid, that large companies such as Google would adopt something similar.  I
>have found Google's audio CAPTCHA to be the most difficult I've had to deal
>with, and I'm guessing that they probably get hit as hard as anyone gets hit
>by bots trying to get free e-mail addresses.  The problem, of course, is
>that companies such as Google don't particularly want to talk about their
>approaches to security in case they give away something that might help
>hackers.  Probably, though, we are going to need to try to get some help
>from people who have experience with this on a large scale who know why some
>of these somewhat obvious approaches such as some that CF Forms Protect uses
>are not solid enough to use in general.  I fear, though, that I already know
>part of the answer.  One of CF's approaches can tell if the user is using a
>keyboard.  I would guess that a "bot" can give the impression that a
>keyboard is being used if correctly constructed.  Another of CF's approaches
>looks at whether a user fills out a form by moving a mouse, with the thought
>being that a "bot" won't move the mouse.  Before people are concerned about
>this, though, CF Forms Protect mentions right on their site that this is not
>a very good indicator since blind people don't generally use a mouse, and
>they give mouse movement a low priority.  However, Window-Eyes and JFW can
>both move the mouse pointer, and both could move a mouse pointer by
>scripting.  I again see that as soon as it were to be known that a certain
>amount of mouse pointer movement is required that this could be done
>automatically through scripting.  I am not convinced that some of what seems
>like a good approach to use probably won't stand up for long against the
>real pros.

>My point here isn't to shoot down CF Forms Protect because they are taking
>an interesting approach to the problem, and I believe that if you take what
>they are checking in the background in terms of patterns of keyboard and
>mouse usage together with analyzing the message content together with other
>processes they probably are not advertising, they likely provide some pretty
>good protection to BLOGs and other similar sites.  We should point to them
>as taking an innovative approach to this problem when we talk to people
>about CAPTCHAs.  This would seem to me to be a viable approach for Barracuda
>Networks, for example, if I could ever contact them.  <smile>

>When I have said in the past that there are no cure-alls, that doesn't mean
>that temporary cures should be ignored.  I think, though, that we have to be
>careful about endorsing a particular alternative as a general approach
>without fully understanding the strengths and the weaknesses.  We will lose
>credibility if we confront a business offering a solution that can quickly
>be shown not to work well for them.  What my experiences and the discussions
>here indicate to me is that we do need to raise this problem on our list of
>priorities.  Unfortunately, the best solution would be to re-engineer human
>beings to not have the tendency toward crime that we seem to have, but that
>is probably a topic better left to Faith-Talk.

>Best regards,

>Steve Jacobson

>On Tue, 28 Jun 2011 20:54:15 -0500, Peter Donahue wrote:

>>Hello Chris and everyone,

>>    The best alternative I've seen is to completely remove the end user
>>from the verification process and perform such checks in the background.
>>This is exactly what CFForm Protect does. To see it in action visit:
>>http://www.nfb-writers-division.net/blog

>>        Leave a comment to one of the posts there and load it up with more
>>than six URLS, or enter words such as Viagra, free music download, etc.

>>    Perhaps the Towson system could be modified to detect a Braille-aware
>>device and display random patterns of dots that a deaf-blind person could
>>feel. When they feel the pattern they would press the spacebar as do those
>>who hear the sound. These patterns would only be generated if a Braille
>>display is in use.

>>    But as I said why mess with these things when there are technologies
>>that eliminate the need for user interaction and perform spam bot screening
>>in the background removing accessibility barriers for everyone.

>>Peter Donahue


>>----- Original Message ----- 
>>From: "Chris Westbrook" <westbchris at gmail.com>
>>To: "NFB Webmaster's List" <nfb-web at nfbnet.org>
>>Sent: Tuesday, June 28, 2011 6:58 PM
>>Subject: Re: [Nfb-web] Captcha Alternatives


>>Unfortunately, I'm not sure there is a way to include the deaf blind
>>without making it too easy for spammers to defeat.  Deaf blind people need
>>text, and computers can process text fairly well now unfortunately.
>>Chris Westbrook




>>On Jun 28, 2011, at 6:10 PM, Peter Donahue wrote:

>>> Hello everyone,
>>>
>>> That system still locks out the deaf-blind.
>>>
>>> Peter Donahue
>>>
>>>
>>> ----- Original Message ----- 
>>> From: "Gary Wunder" <GWunder at earthlink.net>
>>> To: "'NFB Webmaster's List'" <nfb-web at nfbnet.org>
>>> Sent: Tuesday, June 28, 2011 2:25 PM
>>> Subject: Re: [Nfb-web] Captcha Alternatives
>>>
>>>
>>> Wow, good deal. Thanks.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>>> Behalf Of Jaquiss, Robert
>>> Sent: Tuesday, June 28, 2011 1:50 PM
>>> To: NFB Webmaster's List
>>> Subject: Re: [Nfb-web] Captcha Alternatives
>>>
>>> Hello Gary:
>>>
>>>     I don't know if Dr. Lazar from Towson will be at the convention, but
>>> he and his students have come up with a unique CAPTCHA.
>>> The user is asked to press the space bar when a certain sound is heard.
>>> For example, the user is asked to press space when they hear a train. The
>>> user then hears a sequence of sounds such as a cat, horse, glass breaking,
>>> train etc. The system seems to work.
>>>
>>> Regards,
>>>
>>> Robert
>>>
>>>
>>> Robert Jaquiss
>>> National Federation of the Blind
>>> 200 East Wells Street at Jernigan Place
>>> Baltimore, Maryland 21230
>>> Phone: 410-659-9314, ext. 2422
>>>
>>>
>>> -----Original Message-----
>>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>>> Behalf Of Gary Wunder
>>> Sent: Tuesday, June 28, 2011 1:39 PM
>>> To: 'NFB Webmaster's List'
>>> Subject: Re: [Nfb-web] Captcha Alternatives
>>>
>>> Would you like to speak about it at the webmasters meeting?
>>>
>>> Gary
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nfb-web-bounces at nfbnet.org [mailto:nfb-web-bounces at nfbnet.org] On
>>> Behalf Of Peter Donahue
>>> Sent: Sunday, June 26, 2011 3:21 PM
>>> To: Discussion of the Graphical User Interface,GUI Talk Mailing List
>>> Cc: nfb-web at nfbnet.org
>>> Subject: [Nfb-web] Captcha Alternatives
>>>
>>> Hello everyone,
>>>
>>>    This whole issue has caused me to seek out alternatives to captchas
>>> and the problems they cause for all Web site visitors. Being a ColdFusion
>>> developer I was delighted to discover a utility called "CFForm Protect."
>>> This plug-in does its work behind-the-scenes and requires no user
>>> interaction removing the need to deal with traditional captchas and the
>>> accessibility issues they create for the blind. To learn more about
>>> CFForm Protect visit:
>>> http://cfformprotect.riaforge.org/
>>>
>>>    To see a demonstration of how it works visit:
>>> http://www.nfb-writers-division.net/blog
>>>
>>>    We currently have CFForm Protect running on the blog and will roll it
>>> out to other interactive components of this Web site in the coming
>>> months. I'll also be installing it on several other ColdFusion sites I'm
>>> creating or will build in the future. Want to give it a go? Select the
>>> link to the blog post and leave a comment. In your comment type more than
>>> six URLS, enter words and phrases such as free music download, or Viagra
>>> and see what happens. In the future CFForm Protect's capabilities will be
>>> enhanced by linking it to Akismet and Project Honeypot.com.
>>>
>>>    One idea I suggested to control spam while not locking out blind Web
>>> surfers is to find a utility that will compare a would-be spammer's IP
>>> address with those of known spammers and preventing that spam bot from
>>> entering data into the form. Project Honeypot does exactly that! The IP
>>> address of an entity attempting to fill out a Web form is compared with
>>> Honeypot's extensive database of IP Addresses of known spammers. If a
>>> match is not found the entity is allowed to fill out the Web site form.
>>> If a match is found the entity attempting to fill out the form is
>>> prevented from doing so thus protecting the site's owners from spam bots.
>>> Working with CFForm Protect Project Honeypot gathers flagged form entries
>>> belonging to would-be spammers and adds their IP addresses to its
>>> database. Hence we can do a little community service as well as
>>> protecting our Web sites from spam bots all without creating
>>> accessibility barriers for blind computer users! Project Honeypot is a
>>> free service.
>>>
>>>    Akismet is a paid service that can determine if the entity filling out
>>> a Web form is a spammer or not. If it flags the entity as a spammer it
>>> notifies the site owner so they can take further action.
>>>
>>>    My discovery of CFFormProtect has me wondering if there are similar
>>> plug-ins, components, and utilities developed for other Web development
>>> environments: ASP, PHP, ASP.NET, ETC. Perhaps this is a matter for our
>>> Webmasters and the IBTC to explore and gather information about these
>>> products and services. Whenever someone seeks our help to make their Web
>>> site accessible we can recommend the installation of one of these
>>> programs instead of captchas and the problems they create for blind and
>>> deaf-blind computer users. Just thought I would spread the word.
>>>
>>> Peter Donahue
>>>
>>>
>>> ----- Original Message -----
>>> From: "Ken lawrence" <kenlawrence124 at aol.com>
>>> To: <gui-talk at nfbnet.org>
>>> Sent: Sunday, June 26, 2011 4:21 PM
>>> Subject: [gui-talk] will Webvisum be rendered useless?
>>>
>>>
>>> Hi Ken here.  I read in Kim Komando's email that Firefox has started a
>>> new schedule; there will be new versions of the browser every two months.
>>> I just got the update automatically today and they are recommending you
>>> install it since no more updates will be made for version 4.  So in two
>>> months for example version 6 or maybe 5 point something or other.
>>> WebVisum has been disabled since it isn't updated.  The Firefox browser
>>> says it will enable it if it has an update.  But can WebVisum possibly
>>> keep up with a two months schedule?  Is our captcha solver useless thanks
>>> to this new timetable by Firefox?
>>> _______________________________________________
>>> gui-talk mailing list
>>> gui-talk at nfbnet.org
>>> http://www.nfbnet.org/mailman/listinfo/gui-talk_nfbnet.org
>>> To unsubscribe, change your list options or get your account info for
>>> gui-talk:
>>> http://www.nfbnet.org/mailman/options/gui-talk_nfbnet.org/pdonahue2%40satx.r
>>> r.com
>>>
>>>
>>> _______________________________________________
>>> Nfb-web mailing list
>>> Nfb-web at nfbnet.org
>>> http://www.nfbnet.org/mailman/listinfo/nfb-web_nfbnet.org
>>> To unsubscribe, change your list options or get your account info for
>>> Nfb-web:
>>> http://www.nfbnet.org/mailman/options/nfb-web_nfbnet.org/gwunder%40earthlink
>>> .net
>>>
>>>

