Stupid stupid registration question
Vapor Offline
Member
***
Posts: 115
Joined: Oct 2010
Post: #11
RE: Stupid stupid registration question
Even if I cannot use my own PC, I carry portable Firefox on my thumb drive :)

http://portableappz.blogspot.com/search?q=firefox

D3G Gaming Team - http://d3g.in

01-06-2011 12:51 PM
leefish Offline
Hamster
*****
Posts: 1,009
Joined: Apr 2010
Post: #12
RE: Stupid stupid registration question
That's nice.


MYBB1.6 & XThreads
01-06-2011 02:39 PM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #13
RE: Stupid stupid registration question
Getting Flash to work on Portable Firefox isn't exactly the easiest thing for most people though.

Although many don't like Flash, as far as practicality though (ignoring iDevices) a large majority of users have it installed.  And in fact, quite a number of corporate websites only have a Flash interface (yuck, but, that's what they do...).

I honestly think a bot coder capable of making a bot to solve a regular captcha (ie, writing their own OCR routines rather than linking to someone else's) would have little trouble solving this KeyCAPTCHA - after all, they just have to arrange the pieces in the correct place so that it looks similar to the sample image.  And there's not a whole lot of combinations to try...
It's also more difficult on the user, since it requires them to have some level of skill at solving these types of puzzles.

My Blog
01-07-2011 08:56 AM
Banalyst Offline
Junior Member
**
Posts: 10
Joined: Jan 2011
Post: #14
RE: Stupid stupid registration question
(01-07-2011 08:56 AM)ZiNgA BuRgA Wrote:  I honestly think a bot coder capable of making a bot to solve a regular captcha (ie, writing their own OCR routines rather than linking to someone else's) would have little trouble solving this KeyCAPTCHA - after all, they just have to arrange the pieces in the correct place so that it looks similar to the sample image.  And there's not a whole lot of combinations to try...
This is not that simple since:
1) keycaptcha's "correct" places (coordinates) are never repeated even for the same captcha;
2) keycaptchas are shown randomly from a set of many captchas;
3) captchas are constantly being changed by KeyCAPTCHA devs;
3a) keycaptcha.com site has an online designer for subscribers of the "Personal KeyCAPTCHA" (5 USD per month or 20 a year) account to create (any number of) their own captchas from their own images. Hardly anyone would bother to create a bot to crack just one site.
If you use the pre-built basic set of (ready) keycaptchas, this service is free.
4) etc.

Gennady
01-12-2011 04:05 AM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #15
RE: Stupid stupid registration question
Note, I'm doing the "puzzle" one - I can't even solve the other one myself >_>

(01-12-2011 04:05 AM)Banalyst Wrote:  keycaptcha's "correct" places (coordinates) are never repeated even for the same captcha;
However, the user/bot is given some fixed objects for where to place the missing parts.  Since all the examples I've been given are a 3x3 grid, and there's 3 pieces to place, some simple calculations based on the dimensions of each piece and where whitespace is can tell the bot where the coordinates are.

Once this has been determined there's a total of 6 combinations of where the pieces could go.  Or perhaps in a worst case scenario where you have 2x3 stacked pieces, 12 combinations.  Even if the bot doesn't try to identify the correct image and just randomly arranges the pieces, they will be correct 16% of the time.
But of course, anyone capable of writing an OCR routine would have little trouble identifying where the correct positions of the pieces are.

(01-12-2011 04:05 AM)Banalyst Wrote:  2) keycaptchas are shown randomly from a set of many captchas;
3) captchas are constantly being changed by KeyCAPTCHA devs;
3a) keycaptcha.com site has an online designer for subscribers of the "Personal KeyCAPTCHA" (5 USD per month or 20 a year) account to create (any number of) their own captchas from their own images. Hardly anyone would bother to create a bot to crack just one site.
If you use the pre-built basic set of (ready) keycaptchas, this service is free.
None of this really matters if you consider my point above, unless you change the underlying principle of the puzzle itself.

My Blog
(This post was last modified: 01-13-2011 09:13 AM by ZiNgA BuRgA.)
01-13-2011 09:12 AM
Banalyst Offline
Junior Member
**
Posts: 10
Joined: Jan 2011
Post: #16
RE: Stupid stupid registration question
(01-13-2011 09:12 AM)ZiNgA BuRgA Wrote:  Note, I'm doing the "puzzle" one - I can't even solve the other one myself >_>
What do you mean?

(01-13-2011 09:12 AM)ZiNgA BuRgA Wrote:  However, the user/bot is given some fixed objects for where to place the missing parts

Have you really looked at what is "given"?
- the code in the browser is obfuscated
- each "visible" (perceived by a human as one piece) element, fixed or movable, is a collection of randomly decomposed smaller pieces, randomly identified, randomly placed, of random sizes

How would one guess which smaller pieces belong to which visible part,
or determine the constituent "visible" elements?

The same captcha, after each wrong attempt, has pieces decomposed and protected differently  

In a very few attempts a bot will be blocked for 10 min and proposed to solve a different captcha

One cannot even get both the repeatable (and clear) code and images  of a captcha  to develop a bot against all from the pool.  The bot approaches are easily identified, solving of captchas is being monitored, and captchas  are being created and changed much easier
(01-13-2011 09:12 AM)ZiNgA BuRgA Wrote:  Since all the examples I've been given are a 3x3 grid,
They are not. It is all smoke and mirrors

Also note that spammers here are dealing with a monitored active service (and the patterns of automated passing and/or even attempts at cracking are easily detected) and a platform for easy creation of new spamproofing solutions (in response and preventively), not just static and/or passive solutions (and services) offered by other services.
In essence the question is not whether it is theoretically possible to pass our protection but by which comparative cost and  who is going to always win this competition

Gennady
(This post was last modified: 01-13-2011 12:38 PM by Banalyst.)
01-13-2011 11:22 AM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #17
RE: Stupid stupid registration question
(01-13-2011 11:22 AM)Banalyst Wrote:  What do you mean?
I can't figure out how to solve the pairing puzzle.  It seems all my attempts fail.

(01-13-2011 11:22 AM)Banalyst Wrote:  Have you really looked what is "given"?:
Not behind the scenes no.  I don't intend on breaking this system myself, so I have better things to do with my time >_>

(01-13-2011 11:22 AM)Banalyst Wrote:  - the code in browser is obfuscated
Obfuscation != security

(01-13-2011 11:22 AM)Banalyst Wrote:  - each "visible" (perceived by a human as one piece) element, fixed or movable, is a collection of randomly decomposed smaller pieces, randomly identified, randomly placed, of random sizes
But the browser obviously knows how to piece them together to give 3 movable pieces.  What stops a bot from doing the same?

(01-13-2011 11:22 AM)Banalyst Wrote:  In a very few attempts a bot will be blocked for 10 min and proposed to solve a different captcha
Depends how this block is enforced.  IP blocking?  Then just use multiple proxies.  You only need enough to keep the bot happy for 10 minutes, then you can just keep cycling through.

(01-13-2011 11:22 AM)Banalyst Wrote:  One cannot even get both the repeatable (and clear) code and images  of a captcha  to develop a bot against all from the pool.
If the puzzle is actually changed often, then obviously the bot will, similarly, need to be updated often to get past the new system.  Whether or not they will bother is another issue, but all the while this is happening, the end user suffers from having to learn new puzzles.

(01-13-2011 11:22 AM)Banalyst Wrote:  The bot approaches are easily identified
Any bot worth bothering about won't obviously show any signs of looking like a bot.  Otherwise, we wouldn't need captchas, and just use these "other techniques" to identify these bots.

(01-13-2011 11:22 AM)Banalyst Wrote:  They are not. It is all smoke and mirrors
Regardless, it's unlikely you're going to make a big puzzle for the sake of the end user.  If it's not all 3x3, then it's probably not too far off from that either.  For example, I doubt you're going to have a 10x10.

(01-13-2011 11:22 AM)Banalyst Wrote:  Also note that spammers here are dealing with a monitored active service (and the patterns of automated passing and/or even attempts at cracking are easily detected) and a platform for easy creation of new spamproofing solutions (in response and preventively), not just static and/or passive solutions (and services) offered by other services.
Manual monitoring is silly IMO (if that's what you're referring to as "active monitoring").  Chances are, you're going to get close to 100% humans entering in captchas before it gets popular and bot coders decide to think of a way to automatically solve the puzzles.  And by that time, you're going to have a huge volume of legit users, and detecting the relatively small number of bots that attempt to solve the puzzles will hardly blip on your radar (assuming you still do manual monitoring at that point - which I'm sure you won't - the costs of this will be exceedingly high).

(01-13-2011 11:22 AM)Banalyst Wrote:  In essence the question is not whether it is theoretically possible to pass our protection but by which comparative cost and  who is going to always win this competition
That's essentially the case with ordinary captchas (significantly more difficult to solve by computer than to generate by computer), and will be the same with KeyCAPTCHA.  The advantage of the latter is that it's just being under-used, so unlikely any bot coder is going to bother.  More popular services such as reCAPTCHA already employ many of your benefits, such as central hosting, and I don't believe are easily solvable by bots (due to them not being OCR-able by the serving host).  reCAPTCHA also has the benefit of being more familiar to users and possibly easier to solve (at least I find it easier to copy text than try to piece together a puzzle; may not be the case with others)

My Blog
(This post was last modified: 01-13-2011 01:47 PM by ZiNgA BuRgA.)
01-13-2011 01:44 PM
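The numbers argued over in posts #15 to #17 (6 or 12 arrangements, a 16% blind-guess rate, a 10-minute block that proxies can spread across identities) can be put into one small model of how much a lockout buys for a puzzle with such a small answer space. This is an added example, not part of any post and not KeyCAPTCHA code; the limit of 3 attempts per window and the client counts are assumptions, since the thread only says "a very few attempts".

```python
from math import ceil, factorial

WINDOW_MIN = 10                      # block length stated in the thread
WINDOWS_PER_HOUR = 60 // WINDOW_MIN


def arrangements(pieces: int) -> int:
    """Ways to place `pieces` distinct pieces into the same number of known slots."""
    return factorial(pieces)


def pass_probability(space: int, attempts: int) -> float:
    """Chance that at least one of `attempts` blind guesses is correct.

    Guesses are treated as independent because the thread says the
    puzzle is re-decomposed after every wrong attempt.
    """
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def blind_passes_per_hour(space: int, attempts_per_window: int, clients: int) -> float:
    """Expected blind-guess passes per hour.

    `clients` is the number of identities the lockout can tell apart
    (for an IP-keyed block, the number of source addresses).
    `attempts_per_window` is an assumed value, not one from the thread.
    """
    return clients * WINDOWS_PER_HOUR * attempts_per_window / space


def min_space(target_per_hour: float, attempts_per_window: int, clients: int) -> int:
    """Smallest answer space that keeps blind passes at or below the target."""
    return ceil(clients * WINDOWS_PER_HOUR * attempts_per_window / target_per_hour)


if __name__ == "__main__":
    for space in (arrangements(3), 12):          # the 6 and 12 cases from post #15
        print(f"space={space:>2}  single guess={pass_probability(space, 1):.1%}  "
              f"3 guesses={pass_probability(space, 3):.1%}")
    for clients in (1, 100):                     # constructed client counts
        rate = blind_passes_per_hour(6, 3, clients)
        print(f"{clients:>3} client(s): {rate:.0f} blind passes/hour at space=6")
    print("space needed for <=1 pass/hour, 100 clients:", min_space(1.0, 3, 100))
```

The lockout only divides the pass rate by a constant per identity, so the answer space (or a lockout key that is harder to multiply than an IP address) has to carry the rest.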
Banalyst Offline
Junior Member
**
Posts: 10
Joined: Jan 2011
Post: #18
RE: Stupid stupid registration question
(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  I can't figure out how to solve the pairing puzzle.  It seems all my attempts fail.
I just made a few pairings and all my attempts succeeded.
Also we have statistics showing that the rate of failures in pairing solvings is low.
Do you match by color matching as it is written in the instructions after hovering over the question mark?

(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  But the browser obviously knows how to piece them together to give 3 movable pieces.  What stops a bot from doing the same?
Are you asking about puzzle?
Note it is just one of the possible types, which is less than a month old, and it can be replaced by another type in a month while someone is still thinking about how to solve it.

(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  Any bot worth bothering about won't obviously show any signs of looking like a bot.  Otherwise, we wouldn't need captchas, and just use these "other techniques" to identify these bots.
Are you implying that spamming is not detectable? Then why bother?

Do you know any service that would change their captcha after it is cracked?
We offer it

(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  Manual monitoring is silly IMO (if that's what you're referring to as "active monitoring").
We do not have to; we shall receive this info anyway, when and how KeyCAPTCHA was broken, from our customers' requests to our support.

(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  And by that time, you're going to have a huge volume of legit users, and detecting the relatively small number of bots that attempt to solve the puzzles will hardly blip on your radar (assuming you still do manual monitoring at that point - which I'm sure you won't - the costs of this will be exceedingly high).
The costs of changing a captcha do not depend on the number of users. They are all on our KeyCAPTCHA servers.
When we change a captcha, the customers that already installed it do not need to reinstall it.
When a new type appears (like the puzzle that appeared in December 2010), they just need to enter their settings webpage on our server and choose whether they want the additional type to be sent through their already installed KeyCAPTCHA as well, by choosing from a set of values (currently, they are "All", "Pairs of objects", "Puzzle") in the "CAPTCHA type" dropdown list.

(01-13-2011 01:44 PM)ZiNgA BuRgA Wrote:  
(01-13-2011 11:22 AM)Banalyst Wrote:  In essence the question is not whether it is theoretically possible to pass our protection but by which comparative cost and  who is going to always win this competition
That's essentially the case with ordinary captchas (significantly more difficult to solve by computer than to generate by computer), and will be the same with KeyCAPTCHA
Can you give me any examples of widely spread or even any  captcha service that has changed its type of captcha or permits its change on the fly (for customers who already had it installed)?
We can change the type of our KeyCAPTCHA in a very short time.

Gennady
(This post was last modified: 01-13-2011 06:38 PM by Banalyst.)
01-13-2011 03:29 PM
ZiNgA BuRgA Offline
Fag
*******
Posts: 3,357
Joined: Jan 2008
Post: #19
RE: Stupid stupid registration question
(01-13-2011 03:29 PM)Banalyst Wrote:  I just made a few pairings and all my attempts succeeded.
Also we have statistics showing that the rate of failures in pairing solvings is low.
Do you match by color matching as it is written in the instructions after hovering over the question mark?
I didn't read.  I really don't think this sort of thing should require reading, and I certainly wouldn't expect it from my users.
I got the assemble geometric shapes puzzle, and from the image in the corner, it looks like all I have to do is assemble one of them, not every single piece.

I would suspect your collected statistics, at this point, do not reflect the general internet population.

(01-13-2011 03:29 PM)Banalyst Wrote:  Note it is just one of the possible types, which is less than a month old, and it can be replaced by another type in a month while someone is still thinking about how to solve it.
Yes that is possible.  But it also means re-educating users to new puzzles.
It may be exciting to keep developing new puzzle types, but I doubt all of them will be friendly to end users.
What if there's a bug?  Constant change = constant risk.

(01-13-2011 03:29 PM)Banalyst Wrote:  Are you implying that spamming is not detectable? Then why bother?
No, I didn't say that.
What I am implying is that not all spam is detectable.

I don't care about the "stupid bots" here.  Essentially, I think your system is good enough to fend those off, just as a well designed CAPTCHA system probably is too, so I'm not debating over them.
It's the "smarter bots" that matter here, where these types of protection systems differentiate themselves.  If you're claiming your system is better than existing CAPTCHA systems, you need to really show that it is above and beyond existing systems, otherwise there's not much point.

(01-13-2011 03:29 PM)Banalyst Wrote:  Do you know any service that would change their captcha after it is cracked?
When this "cracking" is essentially a client side thing, I doubt you'll know if and when it's cracked.
Short of you guys actually finding a tool to do so.

Anyway, I don't really want to go there.  I can't predict how good your changes will be, how timely they'll be, or whether they end up breaking anything - that's beside the point, but the only thing I can point out is the efficiency of current puzzles.

(01-13-2011 03:29 PM)Banalyst Wrote:  We do not have to; we shall receive this info anyway, when and how KeyCAPTCHA was broken, from our customers' requests to our support.
I think most of your customers will be more clueless than your own team...
You'll probably end up getting a bunch of "fake" claims from people who are being targeted by Indian spammers or other systems which use humans to solve these puzzles.
But I guess that's one way of doing things, and seems a lot more efficient than manually trying to monitor trends.

(01-13-2011 03:29 PM)Banalyst Wrote:  The costs of changing a captcha do not depend on the number of users. They are all on our KeyCAPTCHA servers.
When we change captcha the customers that already installed it do not need to reinstall it.
I was referring to the costs of manual observation, which you've said you actually don't do (despite what it sounded like earlier), so it's a moot point now.

(01-13-2011 03:29 PM)Banalyst Wrote:  currently, they are "All", "Pairs of objects", "Puzzle") in the "CAPTCHA type" dropdown list.
Wait a sec...  if the user selects one type of CAPTCHA, forgets it, and that particular type is cracked, how do you respond?  Change their selected type for them?

(01-13-2011 03:29 PM)Banalyst Wrote:  Can you give me any examples of widely spread or even any  captcha service that has changed its type of captcha or permits its change on the fly (for customers who already had it installed)?
reCAPTCHA.  They don't change it because they don't need to.  But as it's hosted remotely, the capability is certainly there.

My Blog
(This post was last modified: 01-13-2011 07:18 PM by ZiNgA BuRgA.)
01-13-2011 07:16 PM
Banalyst Offline
Junior Member
**
Posts: 10
Joined: Jan 2011
Post: #20
RE: Stupid stupid registration question
(01-13-2011 07:16 PM)ZiNgA BuRgA Wrote:  You'll probably end up getting a bunch of "fake" claims from people who are being targeted by Indian spammers or other systems which use humans to solve these puzzles.
You do not know how this (btw legitimate and big) business works. Human solvers do not directly interact with web resources being cracked (in order to be legitimate, cheap and automatizable).  
KeyCAPTCHA can't be re-transmitted to 3rd parties.

(01-13-2011 03:29 PM)Banalyst Wrote:  reCAPTCHA.  They don't change it because they don't need to.  But as it's hosted remotely, the capability is certainly there.
reCAPTCHA was changed, and many times, but they cannot conceptually (due to their biz model and technical platform) change its type and prevent spambots massively passing through it.
Just google for "recaptcha cracked" for the last 3 days.

Update:
"In fact, it [reCAPTCHA] became pretty useless on 4 January [2011] when spammers apparently got their collective hands on a piece of software that circumvents reCAPTCHA and allows for a fully automated registration process. The bots have been busy, very busy indeed, ever since"

Read more:
vBulletin forums hit by reCAPTCHA cracking spam bot | PC Pro blog http://www.pcpro.co.uk/blogs/2011/01/12/vbulletin-forums-hit-by-recaptcha-cracking-spam-bot/?DCMP=NLC-Newsletters#ixz

Gennady
(This post was last modified: 01-13-2011 08:15 PM by Banalyst.)
01-13-2011 07:50 PM