elxsy where humanity wins the fight against machines

ImHuman – a Humanized “Are you human?” checker

History

The internet we know is nearly 10 years old. Before that, it was dark and static ages, where you put up an HTML website via editors and FTPs and wait for people to email you or mainly phone you about your website.

With the new interactive web pages and database connections, we human beings were finally able to post our weird, funny, whatever comes to our mind ideas in to the world wide web via guest books, forums, comments and many many more you know of. But like every new innovation we made, we brought up problems with that also. We started to flood the entry forms in terms of fun, hacking, attacking, advertisement or digital harassment. And like this is not enough we have created applications to do the harassment for us faster and easier (attack launchers, flooder, spam bots). But hey, it was all 56K modem speed right, what was the harm in 1 spam per minute in once a week when couple geeks connects to the internet from SF to check some new chicks. PCs and their power were limited also, taking 4 minutes to power up and 2 minutes to load the internet browser. Well then we got cable modems, T1 lines, ADSL lines, fiber optics and satellite connections all for to download porn faster of course Abuse to the top! With faster doubled, quadrant CPUs, RAMS bigger than your foot and with an internet population of 70% world population! Yeah baby now we are talking!

Well of course we came up with methods to prevent these abuse also, like auditing at first. We hired people and volunteered to monitor the content that's being posted. Then we developed banning, blocked attack routes, issued backup servers in the name of keeping porn 7/24 alive on the air. But thats not working because when we post something we want to see it on air immediately! That is why forums are so alive, people can see their comments and keep an eye on their posts. It simulates the normal human dialogue and conversation, where you get a response nearly for everything you send.

But in the audit you read an annoying argument about a discussion then u post your ideas too and as a human being you follow your nature and wait for a response on the web page. you wait... wait then finally give up. God knows when the editor is free and enables your post. God knows when other poster returns to that website and reads your post and posts a reply and again wait for audit approval gives up. Months later you stumble that website again and remember "ohh shit yeah I posted some stuff here..". Then cycle begins in an irritating way over again or you just say.. "ahh the hell with it" and hit the X

Then some fellas said "hey you know what, computer programs can only read text. If we put an image with some confirmation in it, they cant read that, so they cant post.. hahah sweet. cool mann.. you rock!". Then we all started to put "Completely Automated Public Turing test to tell Computers and Humans Apart" CAPTCHA s in our personal web pages. Like we are some bank or some government security department faces abusive attacks everyday. Anyhow everything was going smooth until...

The other side came along ( like all natures' bad fellas = which is usually the smarter, more skilled and better know how equipped ) and said "Dude! I got news for ya. computers can read images also if you teach them how, Pwned!". So the epic battle between good and evil began and like all battles, public ( we the internet users ) is the only victim.

So instead thinking of more innovative or humanly ways, good guys just said ok then I am going to fold, trash, noise, distort the image and lets see you teach the computer to read that. This is where we are now. In reality nobody tries to spam out 85% of the websites or abuse their entries but still people go crazy about who will be the winner of creating the most ugliest, human enemy, pain in the ass CAPTCHAs ever!

CAPTCHAs

Lets just not all talk, here is some examples I picked up tonight in 2 minutes at my very first trials. I did not intentionally tried on getting them this ugly. One of the best ones out there is reCAPTCHA itself, which supports a good cause but still ...

call me blind but I want to ask you even in my 1024px resolution, what the hell is this? Is that a G or C or A or S?

One of the best examples shown in Top 10 worst captcha ever

The one I have failed to capture but thanks to this guy he didn't fail. Rapidshare is one of the most used file sharing services and look at the result worst captcha ever. I failed to capture Megaupload's recent captcha, after all the complaints they changed it to a semi better one now. And yet one more worst ever with a funny comment at the end

Problems

If we return to the subject, one day my friend asked me for help on msn and I said sure. She said she couldnt register for a Google Mail account I was like "pfftt, women" and told her I can open her a new one and give it to her. Well, after my 50th effort maybe to match the characters to the image (although they match 30 times) I have managed to open one with tons of frustration. No need to provide them, whenever you want to check you can see it in the "Innovative Google" register page but here is two shots I have.

AND there is a disabled icon near the input area like mocking us! Well I think you are the real disabled one dear, by creating that block of code and still keeping it on the most "Innovative" Company's website. So this was kinda my first strike.

And the most interesting part is that, this method is efficient hmm maybe yes, secure maybe yes, but does it overcomes the existing problem? definitely NOOO! You remember what happened right, good guys put image, bad guys read the image so good guys now putting retardly distorted images. I guess you understand what I am trying to say. Plus, it created another problem! Readability and user friendly level of a captcha image! We are doing something wrong here.. . very wrong..

So are they secure, well in a way. They are random letters put together in an image instead of outputting as text, and to prevent them being read by a computer again, they are distorted. Now this is the question in your mind, "Cant computers read the letters in distorted images ?" Yes they can! They can read whatever you teach them to read. They had cracked lots of easy, mid level captchas and read through them like butter. With computer vision techniques and some several day wasting on matlab and methodology trials you can crack them too depending on your CV skills and distortion of the image. Plus if no randomness or hash methods included in the generation of an captcha, you can always go back from result (distorted image) to the source (original clean letters ready to serve as butter for OCR). It is mathematics, 2 + 2 = 4, 4 = x + x, not very hard to find X right?

How about brute forcing? Well they are perfect for eliminating them because of their combination size.Back to 8th grade mathematics, Permutations. If you use english alphabet as the sample array ( which has 26 letters ) and print 3 random letters in the captcha for the user to enter, with not any of them being unique, the probability of input strings: You need to select among 26 letters for first letter, therefore you have 26 choices. Then for the second one you have 26 also and so on..Meaning an attacker (may) need to try 26 ^ 3 = 26.26.26 = 17576 different strings to find the exact code. (Well I said may because you can find it at first trial or last trial, it is unlikely but anything can happen in the limits of probability)

Getting started with the Idea

Well my second strike was my own fault at my own captcha system. I typed nearly 1 page long reply to a comment on one of my websites then entered 3 image letters and bam! wrong image characters. I read the letters in the image correct BUT while I was typing them to the entry I made a typo and all the post contents are gone.. puff.. I know it is my fault but it wasn't the first time while I tried to read the letters and type in the boxes and made typos. Specially in 6-10 letter captchas like Google's you spend an important time on to read and type, if you don't check the letters you wrote in the input you are prone to errors and it can be very frustrating. So I said that's it, time to go for another methodology for my own and visitors sake.

Challange is to provide some sort of "are you a human" check that does not irritates humans while eliminating bots correctly.

What irritates myself while using normal captchas ?

• Trying to read retardish crooked and distorted images while having a brain fry!
• Yet to see that I have failed to read the image!
• Having to type all those random letters and numbers and upper - lower case stuff and have finger cramps!
• Double check the stupid image to see if I made a typo and have a double brain fry from reading and checking this time
• Copy my every post before posting in any case stupid captcha fails

What satisfies a human lazy bum like me?

• Just leave a tick says "I m human dammit! cant you see me?" before clicking the button and it should check itself when it sees me!

So the resulting check should be

• User and eye friendly
• Less or minimum input required
• Completely eliminating human error from check procedure
• Easy and fun to use

I could use audio, flash and images again to check against the epic "are you human" control. Then I remembered the audio checks I have tried on Google and recaptcha, I didn't understand a WORD! Never trusted flash also.

Best kind of checks I like are the ones that asks you 2 + 3 = ? or some simple mathematical operations but they are so easy to hunt with bots. I could use it inside an image but as a user thinking "after all the typing finished and I took control of the mouse and I am ready to click away ! please don't interrupt me". so I sailed away from that..

There are some academic works about captcha also, one includes rotating images to correct degree by a slider other one is usual captcha divided by clickable zones for mobile browsers. Rotating image is a good one and degree of angle is 360 possibilities also but arranging an image with a slider to nearly perfect degree sounds annoying to me. And that slider should be cross browser JavaScript supported one more headache because there are people out there still using Internet Explorer! Please be aware of them. And it is not hard to tell the rotation degree of an image as a computer program once u have the image and manually set it to 0 degrees.

I remembered once in a while like 2 years ago I stumbled on an project like page and read about some cutekittens protection method. ( I searched it all over the internet, again and now again to provide links and credits to the website, but no results :/ ). It was just an idea talking about if it is possible to make people type how many kitties are shown in the image to pass the captcha test, instead of making them read distorted letters.

I said, hell I got better idea, lets make them select the cats against dogs in a visual way so u just type your post and click on the cats and ready to go. Methodology is simple, In order to confuse a cat with a dog you must be mentally challenged or a spam bot. Two types of visitor comments which I don't want to see in any of my websites.

First Prototype

So I gathered around 100 80 * 80 cat pictures manually, and 200 80 * 80 dog pictures, Named and clustered them nicely then coded my Class to construct a X x Y grid of randomly selected Given number of cats from randomly selected grid - given number of dogs, positioned and stitched randomly all together in one (X * 80) X ( Y * 80 ) captcha image. Of course the answer were recorded before last randomization.

Image was dynamically created on the visitor's session and assigned as the background of a big DIV tag. Bıg div contents were again DIVs which are divided by grid's dimension, with transparent backgrounds to click and select the imaginary cells. Assigned with custom CSS rules and a simple JavaScript, it was selecting images ( DIV borders in reality ) and highlighting selection, then writing the selection combination to the hidden variables of course to check on the evaluation part.

First Feedback

I put the script on folderland.com and all member websites of it. (I had to passivize the script for now due to server overload from another website)

First, I did not receive any complaints about "I can not post comment, arghh my whole comment is gone" which I usually have due to human error and you can check my current ImHuman replacement captcha there, it is pretty big and readable for everyone. But as I said, we are human we make errors and blame the machine.

Secondly all the member websites had a boost of 26% comment rate increase. People were intrigued about the thing and wanted to comment to see how it functions I have faced several comments where people thanked the author for the "puzzle" provided and how cute and easy it is And my mobile browser tests all functioned correctly also.

Lastly, well this is kinda only to my favor: I had cuilbots and lots of useless bots which even I ban them through IPs or user agent they kept crawling the websites, leeching my bandwidth and clicking on every link, filling on forms etc.. because they do not produce click events on JavaScript, they could not send out empty or spam filled forms.

Changing to a global API

I was happy with the new system so I have decided to implement it to my other website at that point I realized I have to duplicate 300+ files of database for just one website (Well I am lazy and thought it unorganized for the first time) then I have updated the new website with extra 100+ manual entries of images and realized I didn't do the same for first one. The time I said well it is the last anyway no more update, my friend told me that he wants to use the system on his 2 website too.

So I decided to write an API and assign a domain for its usage for us and then other request of an other friend made me realize, who is going to update the entries manually? It is really irritating to search and find images, cut, trim to exact shape and upload them via [place doesn't matter]. Whose server is going to handle all the heavy duty image operations? and plus all the bandwidth required to serve them through all the websites and 100K visits a day through 4+ websites with image size of 30KB per image and of course images are not cached. Well you do the math, it is a number I didn't want to put my hosting package under it.

Using the power of Flickr

While I was thinking on how to overcome these and checking the documentation of a class on the internet, I saw the authors flickr images on the right of his website and I found the answer. Images were pre sized, Flickr would do the hosting them and mostly importantly they were already pre-tagged [categorized] by their uploaders ! It was the perfect solution for our problem and after I prepared the API and its management and humanizer management it was working like a charm.

So did the flickr did all good to the project? well no, it reduced our security ratio. Because I used to stich images on the fly to a random generated image but flickr is showing images one by one, enabling people to see its path/source. So lets see the security disadvantage of flickr.

How about security

Like everything well ImHuman is crackable too, nothing is bulletproof in this world. I believe the key is to create such big of a job and vast probability, so people simply will not even think to try. I am not going to explain how to hack or exploit ImHuman of course but using manual classification it can be done. That is the weakness flickr puts into our chain, by showing image sources 1 by 1, it helps the manual identification. Manual classification of flickr images, that's a time saver for you and if you are still thinking about doing it, well here is a hair saver for you. I do not play it fair also, there is no golden ratio in APIs randomness. There is no destiny in the API its all part of a big plan (LOST reference)

Adding Humanizers are pretty pretty easy. I have added 730 humanizers to the API while having my coffee. Considering at least 10 people will add 50 in lets say 10 minutes in a day.. with the lowest grow, our sample goes to HUGE.

Can computer vision techniques be used to classify our images and tags? Yes they can but in 20 years maybe. CV fails catastrophically when it comes to classification. Because they don't have active neurons ( ha ha ) in their CPUs we cant teach them learning from experience in parallel computing to classify vast range of information like we do.

Brute force, again back to 8th grade mathematics again with Permutations with the mathisfun for who forgot the old tricks. The magic formula is n! / r!(n-r)! where n is how many humanizer you want and r is how many to select. In simple words, if you want 5 humanizer and 3 to select. For first one 5 possibilities to chose from * second one this time 4 left to chose from * third time only 3 left to chose from = 60 possibilities but we dont care for the order so 1/3! and possibility goes to 10.

It is not tough because of its selection property but I and most developers usually block the access to a commentator with 3 consecutive fails. Means you are not a human, you are a bot just trying to spam. Furthermore, humanizer possibilities are renewed everytime you fail, meaning brand new 10 to chose from if you go with that sample size.

I have prepared a table for the grid, selection values and possibilities to chose from that can help you choose your level. My concern is - which I said blocking after 3 consecutive fails and brand new set at every fail - is the display area and its size that's why I use 5 * 1 grid with 3 selection. Easy, user friendly and simple.

GRID	SELECTION	POSSIBILITIES
5	2-3	10
6	2-4	15
6	3	20
7	3-4	35
8	4	70
9	4-5	126
25	12-13	5200300

But! not easy to force by possibility

In order to spam, auto complete or attack a form and its return values you need to know what form posts as parameters. Lets explain it with example, in a normal comment form you have COMMENT_PARENT_ID, NAME, COMMENT. You can spam the pages by posting these values via software or automated methods. (well I guess lots of people know about this already so I wont feel bad to explain how spamming works). Anyhow with normal captcha, you would put an extra field like CATPCHA and its value should match the string shown on the image.

Although your bot doesn't know the captcha value, or didn't use any OCR methods to read its value, if captcha its a low string and not designed properly (like refreshing, session tracking, auto clear, one time entry) you can still brute force that form with known values and SUCCEED.

Now why ImHuman not easy to force? Well it is because we produce a 6 character hashed unique random name identifier for each of the images we provided and 12 character hashed unique random value for each of them. Meaning, 1st step: even the entry names are a security check, you can not post a form with same values twice, it is impossible! Without even checking values or anything, we just look what came to our doormat and if its not what we expected, we don't even get up from the couch. If the package properties are correct, then we check if the information inside is correct.

Even when you use AJAX based methods to check and submit forms, you should regenerate a new CAPTCHA (doesn't matter ImHuman or any other captcha, its a global security method and necessity) at EVERY FAILED check. That just climbs your "force by possibility" possibility to impussible. So after the tip here is two runs for the post values from Wordpress Plugin of ImHuman. ImHuman generated values are shown in BOLD. These are two separate comment posting, as you can see, if three is no ImHuman on the system, all the parameters are known and stays there for good, thus ready to spam.

Wrong Answer Given with 4 selections	Correct Answer Given with 3 selections
Param Value 2c83a5 9c3901aa1901 3dcc1b 73b60b45135c 53990c 439613e3a47b _wp_unfiltered_html_comment f151b1ce0c comment abcdef comment_parent 0 comment_post_ID 37 e4ab72 b513ffbedc9d submit Submit	Param Value 1461e6 b216694abc3c 511ebf 4eaf0d6e9aa0 991384 60b7fa17aeaa _wp_unfiltered_html_comment f151b1ce0c comment jklmno comment_parent 0 comment_post_ID 37 submit Submit

Can we increase the possibilities and make it helishly secure?

Sure:

• Visitor will enter the number shown in the picures into the box below
• Visitor will click on the correct humanizers from left - to right or rigt to left in order
• we can ask visitors to order animals, objects by size by dragging around
• or compare objects in order or re categorize them
• or like banks, we can ask them to enter "First letter of third image, the last second letter of second image from right, forth letter of first image"

and make your visitor regret his/her choice of posting some information on your website. Our main point was to create a user friendly, less input required, eliminating human error from check procedure, easy and fun to use security check not a torture in hellnet.

Demo

Well you can see the active API running right at the bottom, in the comments section.

Download

imhuman-php-class Sample ImHuman PHP - Class implementation

ImHuman Wordpress Plugin (0.0.6)

ImHuman Wordpress Plugin (0.0.7) from wordpress.org plugins page (16.06.2009)

Problem with Wordpress is, lots of people using it with different versions and plugins and preferences and its limited playground. Some want JavaScript and fancy options while some doesn't want JavaScript in order to use from mobile devices etc.  This leads to a poorly cache handling. Well I guess it is going to take votings and feedbacks then 1-2 versions of the plugin to satisfy most of the people.

Support

Support for the project will be given throughout its documentation, FAQ and API pages.

There are implemented versions of its API already in the downloads section.

If you liked the project and want to support it

You can support the project in several ways

1. Use the ImHuman Project in your website and give us a link, feedback
2. Spread the word, link to us, put up our banners in your website, publish posts about it, ping us, tell your friends etc..
3. Go to control panel and add some fun humanizers in your free time!
4. Help us translate the ImHuman into your language
5. Write your own code of clients, prettifies and selection scripts and share with people
6. If you have couple bucks to spare for the growing hosting expenses then make a donation