Forget captcha; meet KittenAuth (24)

1 Name: Albright!LC/IWhc3yc : 2006-04-08 05:01 ID:jNSusQZc

A new human verification system uses kittens instead of text:
http://arstechnica.com/news.ars/post/20060407-6554.html

Brilliant. This is thinking outside of the box; not only could it work better than OCR-able captcha systems, but it was probably easier to code too.

2 Name: Albright!LC/IWhc3yc : 2006-04-08 05:03 ID:Heaven

3 Name: !WAHa.06x36 : 2006-04-08 11:45 ID:Heaven

It's a cute idea, but no good. The odds of getting a correct result by clicking on three random images are one in 9*8*7=504. That takes a minute or two to brute-force, over the net. It'll protect you against bots not tailored for your site, but so will this:

Type the word "kitten" in this box: <input type="text" name="kitten" />

4 Name: !WAHa.06x36 : 2006-04-08 11:47 ID:Heaven

Oh wait, order doesn't matter, and the article even mentions it: one in 84. Even worse. I don't know why they mention this but somehow think a bot is limited to just trying once.

5 Name: dmpk2k!hinhT6kz2E : 2006-04-08 12:22 ID:Heaven

They probably ban after a few bad tries?

I'm a bit more curious about the images themselves. Unlike letters, there will only be a small number of valid kitty pictures (probably < 1,000). Acquiring those images shouldn't be hard for the attacker, so you'd still need to add some form of variable distortion to prevent it from being trivially breakable.

I like the idea though.

6 Name: !WAHa.06x36 : 2006-04-08 12:28 ID:Heaven

> They probably ban after a few bad tries?

Proxies.

7 Name: #!/usr/bin/anonymous : 2006-04-08 21:52 ID:Heaven

And this is "programming" how exactly?

8 Name: #!/usr/bin/anonymous : 2006-04-08 22:01 ID:Heaven

CAPTCHA design is part of web application design, which is programming. Duh.

9 Name: #!/usr/bin/anonymous : 2006-04-09 00:49 ID:Heaven

>>8
I hope that was sarcasm.

10 Name: #!/usr/bin/anonymous : 2006-04-09 16:32 ID:Heaven

>>9

Why? Are you some sort of circa-1997 Slashdotter who doesn't think "web applications" are "real programming"?

11 Name: #!/usr/bin/anonymous : 2006-04-09 21:32 ID:Heaven

Threads in /code/ should be about code, not cutesy ideas. At best, this is "UI design", but really it's just a stupid novelty.

12 Name: Albright!LC/IWhc3yc : 2006-04-09 21:46 ID:jNSusQZc

>Oh wait, order doesn't matter, and the article even mentions it: one in 84. Even worse. I don't know why they mention this but somehow think a bot is limited to just trying once.

Well, this number can be tweaked by adding more images to choose from, requiring more kittens to be clicked, and so on.

>> They probably ban after a few bad tries?
>Proxies.

Ban the proxies after a few bad tries too. Even with just random guessing, the odds are against a bot enough that it will probably only be able to sneak a couple past before it uses up its available proxy list. I think that is good enough; it stops a full-on flood, at least.

>Unlike letters, there will only be a small number of valid kitty pictures (probably < 1,000).

Yeah, so doing kitties every time is probably a bad idea. For each post attempt, it would probably be best to randomly select one of a wide span of image types to click: click three kittens. Click three puppies. Click three porcupines. Click three ORANGE kittens. So on.

13 Name: #!/usr/bin/anonymous : 2006-04-09 21:48 ID:Heaven

>>11

Says who? Not only is human verification a huge and interesting topic which is definitely not mere UI design, but even if it was, that's no reason to somehow think it's below you to even discuss it.

14 Name: !WAHa.06x36 : 2006-04-09 23:42 ID:6/ycmqj4

> Well, this number can be tweaked by adding more images to choose from, requiring more kittens to be clicked, and so on.

Yes, but it quickly becomes more work than a normal text captcha that way. I figure that 4x4 with 6-8 kittens is enough for decent security, but that's already a whole lot more work than 3x3 with 3 kittens.

> Ban the proxies after a few bad tries too. Even with just random guessing, the odds are against a bot enough that it will probably only be able to sneak a couple past before it uses up its available proxy list. I think that is good enough; it stops a full-on flood, at least.

You severely underestimate the number of proxies out there. The server would need some sort of timeout after which it forgets unsuccessful attempts, and you might even be able to rotate proxies often enough that no single proxy ever gets banned.

It does hamper a simple flood, but most of the time that's not your problem, but spammers are. They don't need to get more than a couple posts in every other day or so.
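The numbers argued over in posts 3 to 14, worked through as an added example that is not part of any post in this thread: the chance of passing an order-free "click k of n images" grid by random guessing, and the expected number of guesses that get through before a per-address ban takes effect. The ban threshold of 3 failures, the pool of 1,000 addresses and a failure counter that never expires are assumptions chosen for illustration.

```python
from fractions import Fraction
from math import comb


def guess_odds(grid_images: int, targets: int) -> Fraction:
    """Chance that one uniformly random, order-free pick of `targets`
    images out of `grid_images` is exactly the right set."""
    return Fraction(1, comb(grid_images, targets))


def expected_passes_per_address(p: Fraction, bans_after: int) -> Fraction:
    """Mean number of passes one address gets before its
    `bans_after`-th failure (mean of a negative binomial)."""
    return bans_after * p / (1 - p)


def expected_passes(grid_images: int, targets: int,
                    bans_after: int, addresses: int) -> Fraction:
    """Expected passes across a pool of addresses, each guessing
    at random until it is banned. Assumes failures are never forgotten."""
    p = guess_odds(grid_images, targets)
    return addresses * expected_passes_per_address(p, bans_after)


if __name__ == "__main__":
    BANS_AFTER = 3      # assumed: ban an address on its 3rd wrong answer
    ADDRESSES = 1000    # assumed: size of the pool of distinct source addresses
    # 3x3 with 3 kittens (the article), 4x4 with 6 and with 8 (post 14)
    for n, k in [(9, 3), (16, 6), (16, 8)]:
        p = guess_odds(n, k)
        total = expected_passes(n, k, BANS_AFTER, ADDRESSES)
        print(f"{k} of {n}: one in {p.denominator} per guess, "
              f"about {float(total):.2f} passes per {ADDRESSES} addresses")
```

For the site owner, the ban threshold scales the result linearly while the grid size scales it combinatorially, so widening the grid does far more than tightening the ban; a counter that forgets failures after a timeout only raises these figures.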

15 Name: #!/usr/bin/anonymous : 2006-04-13 18:13 ID:kGtvszBm

This is not accessible, so it's still shit.

That's also completely useless as soon as the kitty database becomes available.

I don't understand why this post is very popular and people think it's something new. It's not, and it's well-known why. If it can protect a small site like this one, good for the author, but as soon as somebody worth attacking uses it, this system will be a complete joke.

Making CAPTCHA is just like sending an e-mail with a link, a large inconvenience for users, that loses you some users/posts/business, but it is a never-ending arms race. You can't win, but if you defend yourself at the expense of the legitimate users' comfort, you show that you have lost.

16 Name: #!/usr/bin/anonymous : 2006-04-13 19:34 ID:13siUS3d

Why not ask a simple riddle? It should be on par with kittenauth if you have a lot of riddles.

17 Name: #!/usr/bin/anonymous : 2006-04-14 12:51 ID:iLdI4Ggx

>>16
That would require me to think, making it even worse than captcha.

I like dot kde's solution, although it's probably simple enough to get around.

http://img67.imageshack.us/img67/1558/catchpa4xn.jpg

18 Name: !WAHa.06x36 : 2006-04-14 13:38 ID:Heaven

>>17

It's as effective as a button saying "click this button to post", or a text field saying "Type 'kittens' here:". It will stop an automated spam spider, but anyone attacking it specifically will go through it like a giant razor flying horizontally through a skyscraper made out of butter.

19 Name: #!/usr/bin/anonymous : 2006-04-14 13:49 ID:Heaven

>>18
comically?

20 Name: #!/usr/bin/anonymous : 2006-04-14 14:35 ID:Heaven

>>17 None of those buttons are labelled "m00t" ...

21 Name: #!/usr/bin/anonymous : 2006-05-02 23:53 ID:x9fw2CcC

>>16 That's only good for people good enough in English. Many riddles depend on language far too much to be solved by not so advanced speakers. That's also true for kitten auth with more than kittens. I for one didn't know what porcupines are until a moment ago.

22 Name: #!/usr/bin/anonymous : 2006-05-04 09:46 ID:Heaven

>>21
Honestly? Wow.

23 Name: #!/usr/bin/anonymous : 2006-05-05 11:24 ID:AKO85qm/

>>22

"Wow"? Maybe you should try actually learning a language sometime. One of the hardest things is learning animal and plant names. These are usually completely different and unrelated in every language.

How many of the foreign-language animal names at http://members.tripod.com/Thryomanes/animals1a.html would you get from just seeing the word written?

24 Name: 22 : 2006-05-07 09:24 ID:Heaven

>>23
I studied Japanese at uni for a few years; and now that you mention it, you're totally right. Animal names are hard to remember. I think the only ones I can remember are dog and cat, and cat is plastered all over the interweb courtesy of otaku.

This thread has been closed. You cannot post in this thread any longer.