Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This particular issue (AI performance on captchas) is really quite fascinating. It's an arms race, but the problem is, only one side can win. Google is claiming they have improved their system in some (understandably) unspecified way, but there's only so far this can go. Captchas need to detect whether someone is human, but it has to work for everyone, ideally, even those with disabilities. Any simple task a human can do will eventually be able to be automated. Tasks that aren't currently feasible to be automated, say some natural language processing tasks, have another problem: scalability. To prevent simple databases of problems -> solutions, the problems need to be generated en masse, and for cheap, which means a computer needs to generate the solutions in the first place. And of course, paying people to just do captchas all day already happens.

The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong). Perhaps this is what their "risk analysis" refers to--whether their response seems "human" enough according to their data, not necessarily whether it's correct.

I don't see a way around this problem for free services that still preserves privacy (so directly using some government-issued ID is off the table). Maybe some Persona-like digital signature system, where a person can go to a physical location with a government ID, and get a signature that says "Trusted authority X affirms that person Y is in fact a person". Obviously this still has problems, as you need to trust X, and it's a big pain in the ass.

There are parallels to the realm of passwords, which are also becoming obsolete (not that there's a good replacement...). Anything that a human can feasibly remember for a bunch of sites is becoming easier and easier for computers to guess.

So basically, computers are taking over the world, and we can't do anything to stop it. God help us all.



> It's an arms race, but the problem is, only one side can win.

I don't disagree, but although this specific problem can be automated, the arms race will continue as newer problems (requiring uniquely human intelligence) are presented. We can keep moving the bar until the singularity.

For example, a captcha: "Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed. To solve this, AI would have to have a mastery of language, a mastery of object identification, and a mastery of the metadata of those objects as they apply to human safety.


That runs into the scalability problem that I mentioned--someone (say, a Mechanical Turk user) can solve that problem once, and put it in a database. To avoid this, there needs to be a way to generate them cheaply, so you pretty much need a computer that can solve the problem in the first place.

Basically, my point is that there's no such thing as "uniquely human intelligence". There's lots of problems that fall into that category now, but with the continuing rise of computational power, it's getting harder and harder to find new problems of this sort without excluding a lot of real people.


So that begins to look a bit like the RSA problem, doesn't it? Find a problem which can only be solved efficiently given some "secret" knowledge – where, instead of that knowledge (the prime factors) being secret, the knowledge is something it's easy for a computer to use but hard for it to recognize.

I'm probably overgeneralizing, but it's an interesting framing.


>To avoid this, there needs to be a way to generate them cheaply, so you pretty much need a computer that can solve the problem in the first place.

I don't see how that follows. Many captchas are just text with a confusing grid overlayed - that's incredibly trivial to produce, and producing one tells you next to nothing about how to solve them. Or if that's too easy, throw in some random distortion - still easy to produce, even harder to read.


It seems more likely that there's no such thing as "computer-identifiable human intelligence". Human intelligence is easily discerned by other humans.


But one requirement of a captcha system is that it be easy for a computer to generate. The system you describe seems to require that humans build up a list of things with obvious-to-human answers, which doesn't scale, especially when they have to be designed under the assumption that "the enemy knows the system" (i.e. a worker on some "library of common knowledge" project could defect).

But if you could have an AI generate those problems, it would be capable of solving them too!

Current captcha systems exploit the one-way nature of problems, mainly "character distortion". This is what permits easy computer-generation but not computer-solution, and does not seem to be present in the class of problems you describe: it's just as easy to go from "noun -> adjective" as "adjective -> noun".


"Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed.

My sense is that IBM's Watson could tackle this particular question. Also interesting to note that the question introduces external considerations, such as whether or not there's someone dangerous near the house, bed, park, etc. A human respondent will have to ignore the matter of whether there's additional context and second-guess the captcha author to get the problem right -- presumably the most unsafe environment is the volcano.


Of course the simple way around

"Pick the most unsafe environment", followed by pictures of a house, a park, a volcano, a bed.

if you're a spammer is to choose randomly and make four times as many attempts. Which is why catchpas make you type six or more letters giving millions of combinations so you can't do it randomly. To get up to a similar resistance to random attempts with 'pick the unsafe environment' type questions you'd need of the order or eight of them (giving 4^8 or approx 65k combinations). Would you as a user want to fill in 8 of those things?


The key is that you are only presented with one captcha per request. But if you fail too many, you get labelled a spammer.


Like Deep Blue, Watson represented a major advance in the state of weak AI. However at its core, it's still just a text-based statistical search engine. It has no ability to "learn" new abilities. Its algorithms will use previous answers to adjust ranking of answers, but once a category is finished, that data is lost. For new data, its database needs to be re-indexed. For new behavior like recognizing pictures or playing a game, it needs to be programmed.

Watson played a simplified version of Jeopardy with no video or audio questions. This was a key compromise to allow a text based system to compete with humans. The AI problem of recognizing pictures is practically unsolved. It took Google's best researchers, a massive database of cat pictures, and a supercomputer just to train a computer to recognize when a cat was in a photo. So your sense of Watson's present abilities is a little skewed and unrealistic.


Yes its interesting; you can easily imagine that the following trends are detected:

* "home and safe" "safe as houses" etc

* "safe in bed" "safely tucked up in bed" etc

* "volcano" ... no clear data. Certainly dangerous being a volcanologist, but that'd be great AI googlefu

* "pensioner attacked in park" .. "our parks are not safe" etc... Hmm, Parks are the most dangerous.

Because frequency of local newspaper reports is a bad measure for volcanos I guess.


While probably not 99% reliability, I think google software could often solve this one too: Reverse image search could provide an image description, which combined with number of search queries for eg 'unsafe $image_description' to give a ranking. Google can already mostly handle synonyms; it does not need a mastery of the area as it can just use correlations and usage patterns.

Also, being solvable for humans and not computers is not the only criteria for a captcha. For example it must be quick and relatively easy for humans, and provide a definitive consistent answer. The brilliance of recaptcha is that it was making the work that humans excelled at actually useful beyond just 'proof of humanity'.


Or, you could use xkcd's idea: http://xkcd.com/810


A bot would solve this one with a random selection 25% of the time. You would need multiple puzzles to make this a useful solution.


The odd thing with a question like that is how "most dangerous" is determined. Logically the volcano is the most unsafe environment, and people do die on them, but statistically far more dangerous, at least by death count, is the bed.

This is the kind of problem that would still cause issues for some people, especially if you had to scale them to produce identical captcha's relatively rarely (if the same one shows up too many times it can easily be hard-coded, requiring the most basic detection to solve it reliably) in that as you come up with more of these types of questions the expected answer gets rapidly more nuanced.


So it's a captcha that keeps out computers and pedants on HN. Win/win, in my opinion.


Dangerous does not necessarily mean fatal. The posed question specifically states environment, and the bed as an environment is typically a flat, soft, blunt, rectangular prism.

Whereas volcanoes, and more specifically, active volcanoes can be unpredicable and spurt out hot lava and ash.

The question is worded fine and your attempt to poke holes into this is invalid.

Even if a question is worded well, it can always be interpreted incorrectly. The question should not be blamed for a person's inability to process information.


At the same time, though, a human would have to have familiarity with all of those objects in the context of their environment. A house doesn't look the same to everyone, nor does a park, bed, etc. People's life experiences can also affect their responses.

The problem we would then experience is unintentional prejudice and Western-mindedness in our "are you human" queries, similar to a problem that SATs and other standardized testing methods have been criticized for.


>To solve this, AI would have to have a mastery of language, a mastery of object identification, and a mastery of the metadata of those objects as they apply to human safety.

Actually for a captcha to work, you have to have a problem that is easy for an AI to pose and verify the solution to, but hard for AI to solve. This could potentially rule out some classes of working turing tests.


If you're curious about how the algorithm works, here's a recent talk from one of the authors of the paper where he talks about it: http://www.youtube.com/watch?v=iK3HIIsZGJY&t=1m32s

As to your questions, I think the way it's going with these convolutional neural nets, the idea of being able to tell a human from a computer with something like captcha isn't going to work. I'm thinking a captcha that still would work would be a randomly generated natural language instruction that a user has to interpret with some top down reasoning (possibly with a natural text answer). We've still got a ways to go before we can do that really effectively with software.


Ask for x BTC on signup, on the promise that it is returned in y weeks.

I was going to propose that it's only returned on good behavior, but that gives sites an incentives to harshly police their new user population.

Ideally you'd have some sort of service that both parties trust that is holding the BTC.


And then anyone who doesn't have extra resources is prevented from using your service... As if it is a trivial amount, spammers will pay it, and if it is non-trivial, then some people won't be able to afford it. Doesn't seem like a great idea.


MetaFilter is a web forum that charges $5 to create an account. Between that and aggressive but professional moderation, spam basically doesn't happen since a couple of obvious spam comments and you're permabanned.

However, it limits the user population to people with a debit card and $5 to spend. A bitcoin-based solution right now would be even more restrictive, since apart from buying bitcoin in person, you pretty much need a bank account to acquire them.


Humans have had an easy time for a while. Good to finally see some competition. :)

On the other hand, why is that we insist on humanity? None of the systems can block a captcha-solving team based in Nigeria. What we need to block is bad behavior by users and not their humanity.


Good point. I imagine that detecting such behavior will also be pretty difficult. It's one thing in a forum, where you'd maybe want to discriminate against idiots (but that would still leave you open to the problem of shills/sock puppets). But for big companies like Google, would they really want to open that can of worms?

Of course, there's a quite relevant xkcd: https://xkcd.com/810/


I think a big problem is Sybil attacks. Let's suppose I make a bot that posts thousands of reports of my computer crashing after using product X. To determine if such a post is bad behavior or not, you have to know if the claim is genuine. That can't be determined by the content of the post itself.


> The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers

reCAPTCHA presents a known problem and an unknown problem to the user. If the user answers the known one correctly, it assumes that the answer to the unknown problem is correct too. I believe the text-based reCAPTCHAs will accept an answer within a character or two as correct.


All captchas I have seen were used to stop spam. The problem with spam is that 1) it's noise and 2) appears in large amounts.

Captchas approach the problem 1), by assuring only people can post and then hopefully increase the signal quality. It sucks because it requires mental effort, is hard on people with disabilities, blocks potentially useful bots (see reddit bots) and leads to an arms race.

What if we tried to solve the problem 2)? One possible solution is requiring a proof of work. Some computation that requires a few seconds, easily disguised while the user is typing the comment or filling the fields. It's an old idea but I've never seen an implementation in the wild. (yes, it would fail for mobile devices. fall back to captcha or something)


Isn't most spamming done by botnets these days, to avoid IP bans? So they have a plentiful supply of CPU cycles?

Also, regular users who visited your site without wouldn't install any software, so they'd be running the proof-of-work as slow javascript, while spammers could use GPU or even ASIC acceleration if proof-of-work became widespread.


A few seconds of googling gave me this WordPress plugin that requres a proof-of-work when posting a comment: http://wordpress-plugins.feifei.us/hashcash/


The suggestion to "go to a physical location to get a trusted government signature" has deeper flaws as well.

What's to stop a bot writer from getting a signature and plugging it into his bot?


Blacklisting would soon force him to get hundreds or thousands of signatures, which would slow down the operation.

This said, i don't think "trusted authorities" are the way to go - we've seen the failure of that model with x.509, there is no need to repeat it elsewhere.


Presumably a service would only allow one (or a few) accounts per actual person. The end user will still need some amount of security. I had in mind some challenge-response mechanism, like:

  Person signs government ID number with public key, presents it to authority
  Authority signs public key and asserts it belongs to a real human
  Service presents random number at signup time
  Person signs the random number with the same public key, and presents the key signed by the authority


I'm not entirely sure how that would mitigate people from passing the government signed public key to their bot and letting it take over from there.


That's what I was referring to with services only allowing one (or N) accounts per person. A spammer could use the signature multiple times, but would need new email providers for every single account.

And as an uncle (?) comment points out, there could possibly be blacklists of signatures of spammers shared between providers. That definitely would cause some new problems, of course, but who knows what the future may hold...


Oh I see. I hope it doesn't ever come to that!


1. Unlike e-mail accounts or such, a botwriter wouldn't be able to get thousands of such signatures to go on as soon as the first one is identified and blocked; if he puts his own key in the bot - bam, you (and everyone else you know) can exclude him from your services permanently, and he wouldn't be able to come back with a fresh account unlinked to that one, ever.

2. The signature is linked to a specific person, so if the private key is stolen, then you (a) revoke it; and (b) punish the thief - because obtaining that signature most likely be treated as a felony, unlike spamming comments or other uses for breaking captcha's.


If multiple signatures from the same key are recognizably the same person, wouldn't this have the unfortunate implication that your identity can be linked across different services? There'd be no way to have multiple email addresses anonymously without being able to trust the provider.


Blacklisting the bad signature as well as being able to trace it back to a real person would be pretty significant deterrents.

That seems pretty obvious to me, making me wonder what you're really getting at.


> The street address/book scan approach that Google uses is interesting in that the exact solution is not known, so they presumably have to be somewhat forgiving in accepting answers (as their machine learning might have gotten it wrong).

In the original captcha algorithm there are two images shown, one where the answer is known and one where the answer is not known. The unknown - the street sign or that extract from an old newspaper - is guessed at by those filling in the captcha.

If 90 people say it looks like '11' and 5 people say it looks like '71' and another 5 say it looks like '77' then you can be 90% certain that it is '11'. The machine has therefore 'learned' what that number is, it is '11'. This can continue being used in the captcha however, now that it is known, people will have to type '11' for it.

That is how it fundamentally works and why the two snippets of information 'to get right'. You can try it for yourself, get the first one of the street sign deliberately wrong and see if it lets you through.


I can not remember the name of the paper, but researchers have recently discovered that neural networks can fairly easily be disrupted by carefully perturbing the pixels in incredibly slight amounts. Completely invisible to a human, but can ruin the ability of neural networks to classify it.


If the recognition algorithms for numbers and faces in StreetView are so wonderful, why are there so many randomly blurred out bushes and bus stop signs? In a typical frame you can find a row of No Parking signs or parking meters and randomly one of them is blurred out, as if they thought it was a face. Machine learning has plenty of learning left to do.


> It's an arms race, but the problem is, only one side can win.

It's already happening.

It turns out humans come quite cheaply, and you can actually solve captchas using humans at very high QPS for very low cost. And people do!

Site owners will have to come up with alternate means of "bot" enforcement that does not rely on human vs computer detection.


Agreed, cheap labor isn't hard to find, and there are countless people that would answer captchas all day long for a few dollars. How many captchas could you answer in a day? Let's say you work 8 hours, and answer one every 20 seconds. That's 1,440 captchas answered for $3/day. You get 5 captchas for a penny. If you can make more than a penny off 5 captchas and whatever you're trying to post or accomplish, you have a business.


It is only a security problem is somebody keeps track.

You can be issued a secure key ('a passport') to make new ids ('HN registration') but nobody needs to know who ('the passport') generated the website specific ids once your key has been used. The passport only gives access to generate further keys.


I wonder about the computer's ability to figure out what's spam and to manage the visibility of posts from new accounts dependent on its confidence in that. If captcha proves unwinnable, which I agree with you it very well may be, then all isn't necessarily lost.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: