CAPTCHA The Flag

So I was wandering around the Microsoft Research site, and happened upon something I had not heard of before: Asirra. It’s a new model for a CAPTCHA test, and it seems to be pretty simple to implement.

For those of you not familiar with the term CAPTCHA, it stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” You’ve certainly seen them before on sites like Ticketmaster, where you’re asked to enter some characters that are all skewed and blurry in an image. Here some examples:

The basic idea behind it is simple. You need a test that a human can pass, but that software cannot. Imagine if Ticketmaster DIDN’T have a CAPTCHA challenge on their site. When baseball tickets went on sale, or seats to the Radiohead concert become available, a scalper could fire up his software, buy ALL of the tickets, and then re-sell them at a significant profit somewhere else. You wouldn’t have a chance.

But, by enforcing a CAPTCHA challenge, that scalper is only able to buy tickets in small quantities (maybe 10) at a time, before he’s forced to visually interpret some data that only a human can read. A computer has a serious challenge in reading text that has been skewed accurately.

Enter Asirra. While only a project of the Microsoft Research team, it IS available for public consumption. It also challenges the idea that a CAPTCHA challenge needs to be letters and numbers that are jumbled up to be unreadable by optical character recognition (OCR) software. Instead, it presents you with a set of 12 images. They’re all pictures of animals. It’s up the human to determine which ones are cats. With over 3 million images currently available, and a database that grows in size by roughly 10,000 images per day, there’s a good chance you’ll never even see the same pictures twice. I’ve included an example of it on this page, but it’s not part of a form, so it’s just for display purposes. A link to a working sample of mine is in the next paragraph.

Using some simple javascript and a few lines of C#, I have built a page that demonstrates this powerful tool for keeping your site from being exploited. You can see the Asirra CAPTCHA in C# action here. Also important to note is that they have also provided this tool with code samples for using it with Python, PHP, C#, VB, JScript, and Perl. This is not tied to any Microsoft-specific tools or languages. In fact, the web service that runs the challenge is actually written in Python. My sample code running in C# can be downloaded here.

On top of the technical problem that this solves, it’s also good for the pet community. All of the images come from PetFinder.com, and all of those animals are unwanted, but perfectly lovable animals in need of a home. Exposing their pictures and profiles to a larger audience can only help to find a place for some of these needy animals to live. I think these kinds of solutions have a certain elegance that you don’t see much in software.

kick it on DotNetKicks.com

5 thoughts on “CAPTCHA The Flag

  1. Sorry, but I can’t see the point. People go to a lot of effort to make nice standards compliant HTML, only to then go and put image based CAPTCHA systems all over it. A large part of web standards is about ensuring the web is available to the visually impared. I don’t see how this system is going to improve things.As you might guess from noting the url attached to my name, I don’t particularly like image based CAPTCHAs; so much so I created my own library to do my bit to eliminate them.

  2. You, sir, have been kicked.

  3. Do the image links change for every request?Even with 3 million or more images, someone could easily embed this on multiple sites, proxy the requests, and quickly build up a database of dog and cat URLs

  4. I will agree with that to a point. Yes, it may take longer to pass, but you can also be confident you’re going to pass it the first time. Some CAPTCHAs these days, I feel like, “Um, I think that’s an L…”Cat vs. Dog is pretty absolute. Having said that, I am not recommending Asirra as THE THING that should be used. I’m merely offering it up as a simple alternative to writing your own CAPTCHA, or at the very least, an alternative to the eyestrain of some of the more traditional CAPTCHAs can provide.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s