
A little about the history of CAPTCHA

Deep traffic analysis (DPI) systems have an additional protective function: protection against DDoS. For this they use one of the most popular and effective methods, CAPTCHA: a completely automated public Turing test to tell computers and humans apart.

The test itself is fairly well known, but there are several interesting facts in its history and evolution that we want to talk about today.


The original system was developed at the beginning of the 21st century by engineers from Carnegie Mellon University, USA. A team led by Luis von Ahn was looking for a way to filter out site registrations made by automated programs and spam bots.

The team developed a system that shows the user heavily distorted text that software algorithms cannot recognize. The user could continue working with the site only after correctly entering the displayed word into the field provided. The solution was so successful that it came into active use around the world.

However, this quickly led to the emergence of a new way of earning money on the Internet: solving CAPTCHA tasks. Spammers began to pay people for entering the "pass phrase". Such income became popular in poor countries, where the chance to earn even minimal money for thousands of CAPTCHA solutions is quite attractive.

Despite this, the service did not lose popularity. On the contrary, its developers became troubled by the thought that they were making millions of people convert images into text to no purpose, wasting time and effort without any practical benefit. So Luis asked himself the question: "Is it possible to do something useful with this time?"


And he found the answer, presenting reCAPTCHA some time later. It was still tied to typing in characters from an image, but instead of a random set of characters, the user had to "decipher" real text from archived documents. The software of that time could already recognize printed text with high accuracy, but in old books the ink had spread over time, which prevented computers from making out certain words. A human copes with this without any problems.

First in the queue for recognition were the archived issues of The New York Times. After that, when Google bought the service in 2009, old books were deciphered. It turns out that every time you enter text with reCAPTCHA, you are deciphering fragments of real archive texts. Luis von Ahn was very pleased with the new version of the program, asserting that the service would last a very long time, since there was plenty of printed material in the archives.

Similar experiments were conducted on recognizing images from Google Maps and Google Street View. However, Google analysts soon had to look for an answer to successful attempts at automating the "hacking" of even the most complex images with a probability exceeding 90%.

To solve the problem, Google began to improve the technology, and in 2015 the company's engineers presented a new solution that did not oblige the user to recognize characters. The new system analyzed the user's behavior on the site up to the moment the "I am not a robot" test button was pressed, and then concluded whether this was a person or a bot.

If the analysis did not give an unambiguous result, the user was asked to take an additional test, for example, to select from several pictures all those that show trees.

Other CAPTCHAs and other solutions


In addition to the most common systems from Google, today there are other solutions aimed at distinguishing between human and machine. For instance, the developers of the TextCAPTCHA service ask users to answer simple logic questions, for example, which letter is third in the word "car".

It is believed that such intricate wording is enough to fool the "automaton", while specific questions are much easier for a human to grasp. Some Turing test developers are also of the opinion that it is better to ask users to solve simple mathematical equations.

Another interesting solution was suggested by Facebook in January 2011. The company experimented with so-called social authentication. According to representatives of the company, the idea was to show the user a few photos of one of their friends and ask for that friend's name.

Facebook experts were sure that ill-wishers are unlikely to know your friends and will not collect all the information about your social circle, which is generally quite a controversial statement.

Various online services also use other methods of "filtering" users, which provide another level of protection. They replace or supplement CAPTCHA.



Honeypot. In 2007, Phil Haack proposed a curious method for identifying bots. It was named Honeypot. Its distinguishing feature is an additional field added to the online form that is invisible to a human user. A bot cannot tell whether this field is visible or not, so it fills it in "by inertia", which allows the administrator to block the registration as spam.

Time limits. On average, how much time do you need to complete an online form with 10 fields? Most people spend a few minutes on it, while bots do it almost instantly. The idea of the solution is to mark as suspicious every registration whose form fields were filled in faster than a certain period of time. This method works well until spammers realize that such a time threshold exists, after which they teach their systems to fill in the input fields more slowly.

Interesting and simple games. The use of games in the fight against spam is becoming a fast-growing trend. Instead of entering a "captcha", companies ask users to play a small game in order to prove their "humanity". The games can be very different: small platformers (like Mario) or arcade games, for example, with a rocket in space that must be steered through a meteorite belt. In addition to the standard functions of protection against bots, this solution adds a bit of fun to a fairly routine operation.

Audio CAPTCHA. This is an alternative to the visual captcha. The service itself "says" which words you need to enter. Although this solution looks workable in theory, in practice everything depends on the quality of the user's computer speakers. And if the user has no speakers or headphones available, he will not be able to use the service.
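
The honeypot field and the fill-time threshold described above can be checked together on the server. The following is an added example, not code from the original article; the field name `website`, the 5-second threshold and the HMAC-signed token format are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-random-server-secret"  # assumption: never sent to the client
HONEYPOT_FIELD = "website"   # assumption: an input hidden from humans with CSS
MIN_FILL_SECONDS = 5         # assumption: tune per form
MAX_FORM_AGE = 3600          # reject stale or replayed tokens after an hour


def _sign(issued_at: int) -> str:
    return hmac.new(SECRET_KEY, str(issued_at).encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Token placed in a hidden field when the form is rendered."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(issued_at)}"


def classify_submission(form: dict, now=None) -> str:
    """Return 'ok' or the reason the submission looks automated."""
    now = time.time() if now is None else now
    # 1. Honeypot: a human never sees this field, so any value is a bot signal.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"
    # 2. Timing: the render time comes from a signed token, so the client
    #    cannot simply claim that the form was opened long ago.
    issued_str, _, sig = form.get("form_token", "").partition(".")
    if not issued_str.isdecimal() or len(issued_str) > 12:
        return "bad_token"
    issued_at = int(issued_str)
    if not hmac.compare_digest(sig.encode(), _sign(issued_at).encode()):
        return "bad_token"
    elapsed = now - issued_at
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_FORM_AGE:
        return "token_expired"
    return "ok"


if __name__ == "__main__":
    token = issue_form_token(now=1000)  # constructed sample: form rendered at t=1000
    human = {"email": "a@example.org", "website": "", "form_token": token}
    bot = dict(human, website="http://spam.example")
    print(classify_submission(human, now=1090), classify_submission(bot, now=1090))
```

Both results are signals rather than proof: a bot that skips hidden fields and waits out the threshold passes, which is why these checks supplement a CAPTCHA and do not replace it.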

The "arms race" between security experts and spammers will never end, so new protection and circumvention mechanisms will keep being developed. Despite this, the reCAPTCHA technology remains one of the most reliable ways to combat botnets and is successfully used in the DPI system SCAT for protection against DDoS attacks. Continuous development of the platform and the release of new versions make it possible to use up-to-date protection mechanisms.

Source: https://habr.com/ru/post/316276/

