[DaveMorton]

One thing that I've been investigating here (since I can't draw to save my life) is to programmatically create the artwork. So far, I've scripted a fish, a cat and a butterfly. There are links to the examples below:







Each of the scripts generates at least some sort of random variation in color, angle, or decoration, to increase difficulty for the bots. I'm also working on adding "hotlink" protection, and a way to help thwart "brute force" attacks, by "randomizing" the name of the CAPTCHA's answer field. There's a simple example form at:

http://www.geekcavecreations.com/captcha_test/formTest.php

to check out. This is just one of many avenues I'm researching. Note that I don't yet have the scripted images integrated yet.

[sunama]

From what I can see, you have managed to embed your captcha (do you want to use a different name?) quite nicely.
Good work there.
Why don't you search for a partner who can handle all the drawings? Are you trying...if not, what is holding you back?
Best way forward is for somebody else to deal with the artwork, while you deal with technicalities and bringing your idea to commercial markets.

Personally, if done correctly, I think you could get some big investment on this.

Also, find out about your competitors. Obviously captcha is the brand leader, but there must be other people out there trying to create their own alternative...make sure you check out the competition and try and makes yours better than theirs.

Yesterday, I was filling out a form with a captcha box. There were 2 words. I had to refresh at least 15-20 times to get 2 words which I could actually read. The captcha system currently in place is laughable.

[Freddy]

Good work Dave, definitely worth developing further 

Re the brute force attacks.  Do you intend the user to have more than one chance at the same puzzle ?  I was just thinking if you set a limit of say three tries; it then opts to show a different puzzle.

[Bragi]

Such a set of images can also be very useful to train/test an AI that's able to handle visual input.

[DaveMorton]

@Sunama:
Actually, if truth be told, the only interest at all in this idea that's been generated (and I've discussed it in several "high traffic" areas) has been here. Nobody else seems to be interested at all in it. That doesn't mean that I won't keep trying, though. As to the artwork, for now I'll either keep at it by myself, or find someone willing to provide a small number of "pencil sketch" line art drawings of men and women (that's the only part I can't handle - the rest shouldn't be difficult) for a small fee, with a "bonus" if I either sell the idea, or can set up the means to license it out myself.

@Freddy:
Just like almost all other CAPTCHA's, the user gets only one shot at a particular image. Failure generates a new image to decipher. What makes the procedure more difficult involves the form the CAPTCHA sits in. In the example form I linked to, take a look at the source, then refresh the page and look at the source again. The input field where you type in the answer has a different name each time. Any script that tries to constantly send the same data will fail the second time (the field named 'honeypot', which seems to hold the answer field's name is just that; a honey pot. It's a red herring, designed to fool scripts), and any subsequent times, since the field's name is generated in the form's PHP code, and passed to the target script by other means. That form name is also compared to the previously used name, and if the same, triggers the bot detection script. Also, since it takes most bot scripts mere fractions of a second to fill out and submit a form, I've included a timeout value that HAS to expire, or the bot detection script is activated. I'm also working on adding in a "no hotlinking" feature to the CAPTCHA images (without using .htaccess, since my hosting provider won't allow those files) to ensure further that the CAPTCHA images are only visible within the form pages that call them. In total, this should considerably increase the difficulty of "cracking" the CAPTCHA, even (and especially) from those sites that "farm out" CAPTCHA's to other humans to solve.

@Bragi:
How do you mean, Jan? Are you referring to object detection, or something else altogether?

[DaveMorton]

I should probably point out that a couple of the features I've described aren't yet implemented on the "live" server, since I'm still testing them locally.

[sunama]

GeekCaveCreations, I hear what you are saying about the lack of positive feedback from other forums.
Don't let that dishearten you. When the Google duo were going to take on MSN, AltaVista, Yahoo and other search engine giants, you can bet that they would've been told that they stand 0% chance of beating their opposition. 14 years later we all know what happened.

What I like about your idea is the low amount of money needed to get the idea off the ground. This means that you can get a beta service, out the door, very quickly, just to test the response. You don't need to spend 3 years creating the product, before finding out if it sells or not. If the beta service gets a good response, then you can develop your idea further. If the beta service gets no response, then you can shelve the idea, knowing that you have tried.

[Bragi]

GCC: these are relatively simply forms with primarily 1 color. Something like that can easily be picked up with traditional 3 layered neural networks (given enough training). Mine can do this as well. It becomes trickier when there are multiple objects in the image.

[DaveMorton]

@Sunama:
I still have a few options left for checking "interest level" of this project, and I'm still considering the possibility of directly approaching other CAPTCHA providers directly, as they are likely to have the resources to test the efficiency of a script like this. We're in no danger yet of this project "falling by the wayside" yet.

@Bragi:
True, but as this is still in the "proof of concept" stage, I don't see that as a problem at this point. There are still untried techniques for creation/manipulation of the script that can increase the complexity of the script without sacrificing human readability. I can't unleash "everything" in the first round, can I?

[Bragi]

I cheer for anything that can solve captchas, just took a peek at it as if I wanted to break it. I have already heard of these neural net techniques being used, with success, on traditional captchas (using OCR).
Also, about the input field: This can probably be circumvented using window's User interface automation. This allows you to access any object on a html page (or any other application, sort of), using paths that don't rely on names (the idea being to allow 'driver' applications to handle exactly this type of scenario).  Try taking a  look at UI automation (http://smartbear.com/support/viewarticle/11708/)  and UISpy (an MS app for devs). I actually also wrote a little test app, similar like UISpy, for this a long time ago and no longer available, in preparation for the designer (it should become part of the designer at some point in time).

[sunama]

Bragi, if some person wants to "crack" a system...they will crack it. There is nothing you can do to stop it.
It applies to game protection.
It applies to BluRay/DVD protection.
It applies to pretty much all software.
A car lock/alarm.

The key here is to make sure that you make it as difficult as possible.

No system is 100% bullet proof.

With regards to cracking the system being talked about here....this is going to be immensely difficult, providing the creator keeps coming up with 1000s of different images, the cracking software will always be one step behind.

If however, the creator only make 100 images and stops there, the entire system shall be "cracked" in a very short time.

This project hinges on the creator being able to produce new images on a regular basis, much like a factory, non-stop.

[ivanv]

maybe combination of few images would make things more difficult?

[sunama]

What if you have a basic picture and then changed some background colours or added some patterned backgrounds.
this would allow you to use the same basic picture but have 3-5 versions of it.
I'm pretty sure that this would make it difficult for "bots" to match the images already held in its library.

[Bragi]

One thing I would definitely do for the filler/main color, is to make each pixel differ enough so a smoothing algorithm has a hard time making the colors the same again so that you can't simply count the nr of pixels for each color.

[DaveMorton]

As an "undocumented option", you can add a gradient background to the CAPTCHA, by adding a Query String flag, "g", like so:



http://www.geekcavecreations.com/captcha_test/captcha.php?g&b

In the "live" version there, I don't have text background neutralization integrated in, so the gradient tends to wash out the question, and the images involving lines are more difficult to see, since the lines are black (I intend to fix this today), and it may be better to make the gradient run diagonally across the image, or maybe to slope out to a color other than black. These are all things that I plan on trying out, at some point.