Yup, but for the jillions of free services they will not want to support
something that requires potential users to buy a piece of hardware (or
provide it themselves). In theory the captcha stuff should only come up
to create credentials on a site and then the point of pain is over. So
even if it takes 2-3 tries it's still better than requiring special
dongles. Of course sites have to support audio captcha and embed it in a
cross-browser way to cover 99% of the users. One captcha I reviewed
required the user to move a slider to prove they were human. I pointed
out to them that I could easily emulate that with a script since, in the
end, they just send back to the server that 'slider_move=true' or
something. I keep hoping for a silver bullet but nothing but the current
tough puzzles seems to work. As I mentioned some time back, it's an arms
race which is going to end badly. As the algorithms get better (IBM
Watson anyone) the puzzles that only people can solve are going to get
harder to keep them out. Eventually they will become so difficult people
won't actually be able to pass the Turing test or the algorithms will
storm the gates. This is why centralized ID systems like OpenID are
essential. If we can do one real person check one time and load all the
cost there we can then use that ID for everything else, we can do
non-automated tests which are not subject to online cracking. Facebook
IDs are becoming a de facto standard so that all the other sites don't
have to re-authenticate. We live in interesting times.
CB
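
The slider check criticised in the message above, next to a version where the server decides, as an added example that is not part of the original message. All names (`verify_naive`, `issue_challenge`, the `position` field) are hypothetical, and the in-memory dict stands in for a real session store.

```python
import secrets
import time

# Hypothetical names throughout; a sketch of the trust boundary,
# not the code of any real CAPTCHA product.
TOLERANCE = 3        # accepted distance (px) from the target position
TRACK_WIDTH = 300    # slider range in px
TTL_SECONDS = 120    # how long an issued challenge stays valid

PENDING = {}         # challenge_id -> (target_px, expires_at); never sent to the client


def verify_naive(form):
    """The flawed check: the client reports its own success."""
    return form.get("slider_move") == "true"


def issue_challenge(now=None):
    """Create a challenge. Only the id goes to the client; the target is
    conveyed through the puzzle itself (e.g. rendered into an image)."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    target = secrets.randbelow(TRACK_WIDTH - 2 * TOLERANCE) + TOLERANCE
    PENDING[challenge_id] = (target, now + TTL_SECONDS)
    return challenge_id


def verify_server_side(form, now=None):
    """Decide on the server, from state the client never controlled."""
    now = time.time() if now is None else now
    # pop() makes each challenge single-use: a replayed or second answer
    # finds nothing, so every guess costs a freshly issued challenge.
    record = PENDING.pop(form.get("challenge_id", ""), None)
    if record is None:
        return False
    target, expires_at = record
    if now > expires_at:
        return False
    try:
        position = int(form.get("position", ""))
    except (TypeError, ValueError):
        return False
    return abs(position - target) <= TOLERANCE
```

This only moves the decision to the server; whether the puzzle itself resists automation is a separate question.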
On 11/9/11 5:31 PM, Brent Harding wrote:
Yes, this can be a hard one as computers can't think to do something
different to protect against harvesting the questions. I think the
thing that will end up working is some out of band means of generating
one time codes. Many of the sites you would have captchas on have you
make an account where such could be registered the first time. The
Yubikey from http://www.yubico.com is a good example of one anyone on
a computer could use. You plug it into a USB port, find the field on a
website that requests it and push inside the easily felt area and it
acts like a keyboard to fill the box with a code.
----- Original Message -----
From: "Chris Blouch" <[email protected]>
To: <[email protected]>
Sent: Wednesday, November 09, 2011 4:10 PM
Subject: Re: pdf, captcha, eba/paypal, and access.
If you've got one I'm all ears :) I've reviewed a number of them from
various research centers and they all fall down in one of the three
areas I mentioned. Most question based captchas either have so few
questions that a parser could figure out the right answers or they
aren't specific enough that there are multiple correct answers.
CB
On 11/9/11 4:37 PM, Karen Lewellen wrote:
What is wrong with the real questions that require human input? One
can connect with all that way.
We are talking about a solution that does not require captcha in my
book, but that is just me.
Karen
On Wed, 9 Nov 2011, Chris Blouch wrote:
So you're asking about people who have both audio and vision
impairment? It's a bit tougher case which would probably best be
handled by a third party out-of-band authentication service like
http://www.authentify.com/. If you can't see images or hear audio,
anything else you do in the browser is going to get cracked.
CB
On 11/9/11 2:14 PM, Red.Falcon wrote:
Hi Chris!
But of course quite a few people have a hearing impairment!
And have said the audio capture is bad for them!
What the solution for security is to get around this is going to be
difficult!
Colin
On 9 Nov 2011, at 19:01, Chris Blouch wrote:
> My usual rules of thumb for CAPTCHA which work at Internet scale are:
>
> 1. Algorithmically generated puzzles which are hard for algorithms to
>    solve (one-way transforms)
> Likewise, puzzles which are reasonably possible for real people to
> solve
> 2. Puzzles which do not require localization
> 3. Puzzles which are not susceptible to brute force attacks (high
>    random success rates)
>
> That said, it should be obvious that swirled character image captchas
> will not work for those with vision impairments but this is easily
> remedied with an audio version. Audio and image recognition are pretty
> much the two areas that algorithms have trouble with. Common solution is
> multiple people speaking on top of each other. Hard for algorithms to
> crack but not impossible for real people. Playback using Sound Manager 2
>
> http://www.schillmania.com/projects/soundmanager2/
>
> does the heavy lifting to select native html5 or flash for the audio and
> do it in a way that works for all browsers. Other than that they just
> have to make sure that the audio play button is easily found in the tab
> order and, once pressed, moves focus to the text input. Not much else
> needed beyond that.
>
> CB
> On 11/8/11 6:57 PM, Karen Lewellen wrote:
> > Hi folks,
> > For reasons that are complicated to explain I have the ear of the
> > legal department at paypal -ebay. Part of the reason is that, as some
> > of you may know, they are *requiring* all users to agree that
> > they read pdf files, or they will lose their account. Because of this
> > and some other access issues with paypal and ebay, I have been asked
> > to document why things like pdf and captcha are issues for those using
> > adaptive tools. I have told them already that to assume everyone is
> > using jaws is impractical, and that still browsers like lynx, with its
> > recent edition dated June 2011, are good foundations for access. I
> > have shared that pdf remains a hurdle, and captcha is flat out an
> > issue, as is stuff like flash.
> > Because they are serious though I want to make maximum use of this
> > opportunity. What I would welcome is article information, places that
> > discuss why pdf for example and captcha remain barriers. Likewise
> > posts from you if you have met with issues with either service would
> > be welcome. I want them to fix this for everyone, not just sweep me
> > under the corporate rug. That they are shifting all document
> > responsibility to the end user is disturbing, since if you have an
> > issue say with security, you will bear the blame for any discrepancies
> > in documentation.
> >
> > Additionally, if part of your professional life is access, share under
> > your professional umbrella. If I get enough research responses, I
> > will construct a solid document for them, and include as many other
> > people as I can.
> > Thanks in advance,
> > Karen
> --
> You received this message because you are subscribed to the Google
> Groups "MacVisionaries" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/macvisionaries?hl=en.