[bct] Re: Fw: CAPTCHA the Internet

  • From: "Darrell Shandrow" <nu7i@xxxxxxxxxxxxx>
  • To: <blindcooltech@xxxxxxxxxxxxx>
  • Date: Mon, 27 Feb 2006 20:02:46 -0700

Hi Brent,

Nothing is perfect, audio usually includes a bit of distortion to prevent 
speech recognition, some visual CAPTCHAs are broken already and, well, 
accessibility needs must ultimately be considered if we are to survive in a 
technology driven world.  I believe the credit union form of the FDIC is called 
the NCUA?





Darrell Shandrow - Shandrow Communications!
Technology consultant/instructor, network/systems administrator!
A+, CSSA, Network+!
Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
Information should be accessible to us without need of translation by another 
person.
Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
  ----- Original Message ----- 
  From: Brent Harding 
  To: blindcooltech@xxxxxxxxxxxxx 
  Sent: Monday, February 27, 2006 7:59 PM
  Subject: [bct] Re: Fw: CAPTCHA the Internet


  I haven't contacted the federal reserve or anything. I'm not sure who you
  contact for credit unions. I have contacted people there a couple weeks ago.
  They said they were going to have someone call me after they contacted their
  online vendor to see what they may be able to do about it, but I haven't
  received a call back. I think I'll call them again to see what they found out.
  At least it sounds like they hopefully want to do something as the person I
  spoke with understands the issue that I use speech output that is unable to
  read the code. Their issue, according to what they say, is getting their vendor
  to do something, whether it be a fixed code that I enter or if they can put
  audio in. I know GoDaddy's argument against audio that speech recognition can
  be trained to defeat it, but what they probably could do is switch to a
  username and longer password. I see that 7-digit account numbers and 4-digit
  PINs are badly hackable without CAPTCHA, but it integrates with their phone
  system.

    ----- Original Message ----- 
    From: Darrell Shandrow 
    To: blindcooltech@xxxxxxxxxxxxx 
    Sent: Monday, February 27, 2006 8:07 PM
    Subject: [bct] Re: Fw: CAPTCHA the Internet


    Hi Brent,

    Have you contacted someone at your bank and let them know that this means
    you are denied participation in online banking?  Not sure just changing to
    another bank, which might soon just do the same thing, is the way to handle it.
    Doesn't FDIC, FTC, Federal Reserve or anyone like that have anything to say
    about this?

      ----- Original Message ----- 
      From: Brent Harding 
      To: blindcooltech@xxxxxxxxxxxxx 
      Sent: Monday, February 27, 2006 7:03 PM
      Subject: [bct] Re: Fw: CAPTCHA the Internet


      Yeah, it is really getting ridiculous. I'm going to have to get my money
      out of one of my bank accounts and find a credit card elsewhere somehow. I
      just wonder who would give me one, had an advantage at the credit union of
      having money in the savings account. I'm just trying to find who to transfer it
      away to, since their CAPTCHA is on every login attempt and I heard this is
      becoming a banking trend.

        ----- Original Message ----- 
        From: Ray Foret Jr. 
        To: blindcooltech@xxxxxxxxxxxxx 
        Sent: Monday, February 27, 2006 6:04 PM
        Subject: [bct] Fw: CAPTCHA the Internet



        ----- Original Message ----- 
        From: Barb O'connor 
        To: broconnor1972@xxxxxxxxxxxxx 
        Sent: Monday, February 27, 2006 2:25 PM
        Subject: CAPTCHA the Internet


        I thought you might find this interesting.

        Barb

        Tag-strategia.com (Blog)
        Tuesday, February 21, 2006

        CAPTCHA the Internet

        CAPTCHA (an acronym for "Completely Automated Public Turing test to tell
        Computers and Humans Apart") has been on my mind ever since Phil Windley
        suggested a graphical CAPTCHA would make a good web service. I thought there
        might be those willing to pay to use it. Well, it's been done.

        There is a need for this type of test. Yahoo! and Hotmail use a CAPTCHA to
        stave off spammers when a user requests an email account. I suspect the most
        common use on other sites is an attempt to block automated comment spam in
        blogs.

        CAPTCHA excludes legitimate users

        As the W3C points out, graphical CAPTCHAs are a significant barrier to
        low-vision and blind users. Those with learning disabilities, such as
        dyslexia, may also be adversely affected. As visual CAPTCHAs become more
        sophisticated, busy, patterned backgrounds become more of an issue for
        color-blind users.

        The U.S. Census Bureau estimated that in 1997 about 7.7 million Americans
        had difficulty seeing the words and letters in an ordinary newspaper. The
        American Foundation for the Blind reported about 5 in 1,000 Americans are
        legally blind, and gives a low estimate of 1.5 million visually impaired
        computer users. That's a fairly significant potential market to ignore.

        Requiring users to interpret a visual CAPTCHA may lead to legal challenges.
        Earlier this month, the National Federation for the Blind filed suit against
        Target, claiming target.com discriminates by not being accessible to
        visually impaired users.

        Audio CAPTCHA

        Some companies are experimenting with audio CAPTCHAs, spelling out random
        letters with random noise in the background. However, aural disabilities are
        more common than visual ones, so the approach isn't really more accessible.
        Speech recognition software is more advanced than character recognition, so
        the purported purpose of differentiating between humans and computers is not
        filled anyway.

        CAPTCHA is broken

        Several projects to crack common visual CAPTCHA algorithms, particularly The
        CAPTCHA Project (by the Carnegie Mellon School of Computer Science), the UC
        Berkeley Computer Vision Group, and Sam Hocevar's PWNtcha, have had good
        success. Howard Yeend demonstrated a vulnerability in several public
        algorithms where he could reuse a solution several thousand times after
        manually solving it once.

        Social engineering is often easier than fancy programming. The first widely
        recognized social engineering solution was "borrowing" CAPTCHAs from target
        sites and showing them at entry points to porn sites. Visitors to porn sites
        would solve the CAPTCHAs, allowing spammers to get essentially free labor.
        Amazon's Mechanical Turk (tagline: "Artificial Artificial Intelligence"),
        which gives micro-payments for simple tasks, is an example of another way
        CAPTCHAs could be defeated. Even at a few cents per image, the cost may
        still be too high for spammers, but it is a demonstration that the process
        can be outsourced. After all, the world is flat.

        What is the underlying purpose?

        The real reason for CAPTCHA is to screen undesirables. For low traffic
        sites, it means preventing automated access. This can be accomplished in a
        relatively simple way: add a single required question to the comment submit
        form. Something like "What color was George Washington's white horse?" or
        "Enter the fourth word in this sentence." This is enough to make the form
        non-standard, thus unusable by generic bots. Bypassing this added security
        would be very easy for spammers; the advantage is the relative obscurity of
        most blogs. To target multiple blogs, a spammer would need to address each
        one individually; individual attention is unlikely, so I suggest this method
        is the easiest for bloggers with a knowledge of web programming, and is as
        accessible as a comment form without a CAPTCHA.

        Major sites like Yahoo! and Google have a bigger problem. After all, they
        are targets both because of the value of their services, and their size.
        When it first launched Gmail, Google limited accounts to those who had been
        invited by other active users. Initially there was a good bit of commotion
        in the tech community as gmail.com addresses became a sign of prestige. The
        invitation system allows Google to track which users may be abusing the
        service, and which users invited the abusers. Google has gone a step
        further, and now allows potential users to have an invitation code sent to
        their mobile phones. The number of accounts requested per phone number can
        be tracked. The potential gain from a limited handful of throw-away email
        accounts, and the cost of mobile phones (even disposable ones) is enough to
        deter spammers, because less troublesome alternatives exist.

        If you look at Google's account request page, you'll see a CAPTCHA there.
        Google responsibly offers a way for users with disabilities to bypass the
        CAPTCHA, although it involves human-to-human interaction (and quite a bit
        more time) to complete - a costly alternative.

        Real solutions

        Several solutions to the problems with CAPTCHA have been proposed and
        debated. Most have major cost or accessibility problems.

        It would seem the only good solution is some sort of federated identity
        system, which is really just offloading the trouble of user validation to
        someone else.

        http://tag-strategia.com/blog/archives/2006/02/captcha-the-internet/


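Added example, not part of the original thread or the forwarded blog post: the post mentions that a manually solved CAPTCHA could be reused several thousand times, and the sketch below contrasts a verifier that allows that with one that consumes each challenge on first use. The class and function names are hypothetical, and the mechanism shown (a solved challenge staying valid on the server) is an assumption about one way such reuse can arise, not a description of the algorithms the post refers to.

```python
import hmac
import secrets
import time


class ReplayableCaptcha:
    """Weak design: a solved challenge stays valid, so one answer keeps working."""

    def __init__(self):
        self._answers = {}  # challenge_id -> expected answer

    def issue(self, answer):
        challenge_id = secrets.token_urlsafe(16)
        self._answers[challenge_id] = answer
        return challenge_id

    def verify(self, challenge_id, response):
        expected = self._answers.get(challenge_id)  # never removed
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), response.encode())


class SingleUseCaptcha:
    """Hardened design: a challenge is consumed on its first check and expires."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._pending = {}  # challenge_id -> (expected answer, expiry time)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, answer):
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock() + self._ttl)
        return challenge_id

    def verify(self, challenge_id, response):
        # pop() discards the challenge whether or not the answer is right, so
        # neither a correct answer nor a failed guess can be retried against it.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected.encode(), response.encode())


def count_accepted(captcha, submissions=1000, answer="k7wq9"):
    """Solve one challenge, then submit the same (id, answer) pair repeatedly."""
    challenge_id = captcha.issue(answer)  # constructed sample answer
    return sum(captcha.verify(challenge_id, answer) for _ in range(submissions))
```

With the replayable verifier every one of the repeated submissions is accepted; with the single-use verifier only the first is.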