Frequently Asked Questions

My Yahoo! account continually asks me to solve a CAPTCHA. Can you help me?
Yahoo! uses CAPTCHAs based on technology created in part at Carnegie Mellon University. However, Carnegie Mellon University does not decide how CAPTCHAs are used by Yahoo! or other companies. Click here to contact Yahoo! for all questions and concerns regarding their email services.

Should websites use an audio CAPTCHA as well as a visual one?
Absolutely! Audio CAPTCHAs help visually impaired individuals navigate the Web easily.





A CAPTCHA™ is a program that can generate and grade tests that most humans can pass, but current computer programs can't pass. For example, humans can read distorted text such as the one shown below, but current computer programs can't:


Test drive a CAPTCHA™: ESP-PIX | Gimpy

Principal Investigators
Luis von Ahn
Manuel Blum
Nicholas Hopper
John Langford

Some Publications
Telling Humans and Computers Apart Automatically (CACM)
CAPTCHA: Using Hard AI Problems for Security (Eurocrypt)


Advancing AI

Since CAPTCHAs are based on open problems in artificial intelligence (AI), they also offer well-defined challenges for the AI community, and induce security researchers, as well as otherwise malicious programmers, to advance the field of AI. (This is similar to research in cryptography advancing algorithms for factoring large numbers.) Several groups have created programs that can pass many CAPTCHAs over 80% of the time (see below). These algorithms represent significant progress in the area of text recognition. CAPTCHAs are thus a win-win situation: either a CAPTCHA is not broken and there is a way to differentiate humans from computers, or the CAPTCHA is broken and an AI problem is solved. Using harder AI problems, our newly developed CAPTCHAs are still not broken.

Greg Mori and Jitendra Malik of the University of California at Berkeley have written a program that can solve ez-gimpy with 83% accuracy. Thayananthan, Stenger, Torr, and Cipolla of the Cambridge vision group have written a program that can achieve a 93% correct recognition rate against ez-gimpy, and Malik and Mori have matched their accuracy. Their programs represent significant advancements in the field of computer vision.

Gabriel Moy, Nathan Jones, Curt Harkless, and Randy Potter of Areté Associates have written a program that can achieve 78% accuracy against gimpy-r. We therefore consider the gimpy-r challenge to be broken. Congratulations to Gabriel, Nathan, Curt and Randy! More challenges will come soon.



Applications

CAPTCHA™ tests have several applications for practical security, including (but not limited to):

    Online Polls. In November 1999, www.slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web!). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots". MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with fewer than 1,000. Can the result of any online poll be trusted? Not unless the poll requires that only humans can vote.

    Free Email Services. Several companies (Yahoo!, Microsoft, etc.) offer free email services. Most of these suffer from a specific type of attack: "bots" that sign up for thousands of email accounts every minute. This situation can be improved by requiring users to prove they are human before they can get a free email account. Yahoo!, for instance, uses a CAPTCHA™ test of our design to prevent bots from registering for accounts.

    Search Engine Bots. It is sometimes desirable to keep webpages unindexed to prevent others from finding them easily. There is an HTML tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page; it only serves to say "no bots, please". Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHA™ tests are needed.

    Worms and Spam. CAPTCHA™ tests also offer a plausible solution against email worms and spam: "I will only accept an email if I know there is a human behind the other computer." A few companies are already marketing this idea.

    Preventing Dictionary Attacks. Pinkas and Sander have also suggested using CAPTCHA™ tests to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords.
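
One way to apply the dictionary-attack idea above on the server side, as an added example (it is not code from the CAPTCHA Project and not the Pinkas and Sander protocol itself). The class name, the threshold of three free attempts and the sample account are assumptions; the challenge is a random string that a real deployment would render as distorted text or audio.

```python
import hashlib
import hmac
import secrets

FREE_ATTEMPTS = 3  # assumed threshold, not taken from the page


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CaptchaGate:
    """Login check that demands a solved CAPTCHA once failed guesses pile up."""

    def __init__(self, users):
        self._users = users    # username -> (salt, password hash)
        self._failures = {}    # username -> consecutive failed logins
        self._pending = {}     # challenge id -> expected answer, kept server-side

    def new_challenge(self):
        # A real deployment renders `answer` as distorted text or audio and
        # sends the client only the id plus that rendering, never the answer.
        cid, answer = secrets.token_hex(8), secrets.token_hex(3)
        self._pending[cid] = answer
        return cid, answer

    def _grade(self, cid, response):
        # pop() makes each challenge single-use, so one human-solved
        # challenge cannot be replayed across many password guesses.
        expected = self._pending.pop(cid, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), (response or "").encode())

    def login(self, username, password, cid=None, response=None):
        if self._failures.get(username, 0) >= FREE_ATTEMPTS:
            if not self._grade(cid, response):
                return "captcha_required"  # the password is not examined at all
        salt, stored = self._users.get(username, (b"", b""))
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"


def demo_gate():
    # Constructed sample account for the demonstration.
    salt = secrets.token_bytes(16)
    return CaptchaGate({"alice": (salt, hash_password("correct horse", salt))})
```

Because the gate never locks the account, a flood of bad guesses costs the legitimate user one CAPTCHA rather than access, while each automated guess now needs a fresh human-solved challenge.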


The CAPTCHA™ Project is a project of the School of Computer Science at Carnegie Mellon University. It is funded by the NSF Aladdin Center.

© 2000-2005 Carnegie Mellon University, All rights reserved.
CAPTCHA is a trademark of Carnegie Mellon University.

 
