In past years captchas to prove you were human were intensely irritating things where you were shown numbers or letters against a background which made them hard to see, or the letters/numbers themselves were wildly distorted. Sometimes you had to ask for several different captchas before you got one you could actually decipher.
Now though most sites that use captchas simply ask you to tick a box labeled ‘I am not a robot’. The writing isn’t distorted or hidden at all. I’m puzzled as to how this can defeat a bot. How does it work?
I think the checkbox ones are all administered by Google. They give you a real captcha a few times, but after a while, they’re able to recognize you by whatever means (cookies, IP, browser version, whatever). Once they’ve gotten to know you, they can get away with only a very cursory check. But if you were logging in on a brand new account on a brand new computer, on the same site, you’d see a road sign or a passage from a scanned book or the like.
The “I am not a robot” captcha is reCAPTCHA, a Google product. Here’s Google’s page explaining to developers how to use reCAPTCHA, but it doesn’t really say anything about how it works: reCAPTCHA - الإصدار 2 | Google for Developers.
These articles give some details, but basically it is based on small irregularities in mouse movement prior to clicking the box, along with a few other, less secure (that is, more easily spoofed), clues like IP address.
I think the key for these is that no one outside a team of developers at Google knows how it works. I’m guessing that it’s somewhat probabilistic in nature, looking for various clues that would indicate an automated system vs. a live person, and those few seconds between clicking the button and getting approved, a whole lot of stuff gets looked at and if there’s a sufficient level of doubt, you get an actual CAPTCHA.
No, captchas really are used to train self-driving cars. The joke in that XKCD was just the notion that they were doing it while the car was on the road driving.
Do you have a cite for that? I’m not understanding how my clicking on a street sign in a captcha helps train a self driving car. I mean, the Google team working on the cars can presumably identify street signs themselves without my help. And since the captcha software already knows the right answer, how am I helping?
Way back a long time ago, reCAPTCHA was actually used to digitize books. They would show you two words scanned from an old manuscript of some kind and ask you to type them in. One of the words was known, the other one was the word they were trying to decipher. You passed the test if you got the known word right and your answer to the second word was just collected as data. If the crowds overwhelmingly interpreted the second word correctly, then they deemed that to be the correct interpretation.
Of course, some rascally internet tricksters launched campaigns to deliberately misinterpret the words and poison the data pool.
I have seen nothing so far that indicates what (IF ANYTHING) google is doing with data from the latest generation of reCAPTCHAs. But since autonomous vehicles are the best known current project, I can see why people would assume that one has something to do with the other.
Personally, I have found that moving my mouse in a straight direct line to the square and clicking yields the best results. I had assumed that making irregular movements would make me look less like a bot and more like a human. But if I could figure that out, so could any bot-developer. So it looks to me like they are using some reverse psychology.
Why hire hundreds of people to do the mind-numbing job of going through millions of pictures (and possibly making mistakes) when you can get hundreds of millions of people to do it for you for free? Plus you’ll get thousands of views of each sign, so any mistakes will stand out.
I AM NOT CLAIMING THEY ARE ACTUALLY DOING THIS. I am just saying it’s not unreasonable given that they have already used this technology to do other similar tasks.
Yes, fine, but you’re missing my point. The captcha software ALREADY KNOWS where the street signs are. The captcha couldn’t work if the software didn’t already know the answer. The teeming millions answering the question aren’t providing any new information. I’m also not convinced that simply finding which quadrant of the visual field a street sign exists in, not reading or understanding it, is actually the hardest problem in autonomous driving, so that they had to farm it out to us.
You’ve never done a reCAPTCHA and gotten the wrong answer and shouted “WTF??? I got every square with a vehicle in it!” And they never tell you what you got wrong – they just give you a completely different picture with no explanation.
When they give you a “pass” you don’t know if you might have actually missed a square or clicked an extra one. Conversely, when they give you a “fail” they may be noting that your interpretation of a picture differs from their initial interpretation, which may have been done by a human or by some program. If enough people get the picture “wrong” that could lead them to go back and investigate and possibly refine their algorithm.
So the software doesn’t necessarily have to KNOW every picture. They may be looking to find errors in the software and they just give you another task to do with no comment when you disagree with their result and you ASSUME that you must have made the mistake and not their software.
Without any firm evidence from the “I am not a robot” box-check developers that mouse movements are a factor, I am not going to accept anyone’s guesses that they are. My opinion (only an opinion) is that the simple box relies on a robot being minimally aware and not able to adequately parse an image and intelligently act upon it. So if the box is checked, it is assumed that a human did it. For non-critical applications, that’s probably good enough. For now. It will weed out the worst robots.
This video explains how it works, at least Google’s version of “I am not a robot.” (Fast forward to about 4:15 if you want to get to the nitty gritty.) A bunch of information is sent over when you click the box (mouse movements are part of it) and it is analyzed by a machine learning risk analysis engine which decides if, in fact, you are human or not.
That works when you’re making your own captcha for use just on your tiny little site that nobody cares about, for which it’s not worth the 5 minutes of any half-competent scripter’s time to bother with making a bot that’ll bypass it. But when you’re the world’s largest supplier of captchas to very important sites around the globe, someone is going to expend that modicum of effort, and then expend another modicum to share the tool that they made with everyone else in the world, so that everyone else doesn’t even need a modicum.
