[bct] Re: Fw: CAPTCHA the Internet

  • From: "Darrell Shandrow" <nu7i@xxxxxxxxxxxxx>
  • To: <blindcooltech@xxxxxxxxxxxxx>
  • Date: Mon, 27 Feb 2006 21:12:37 -0700

Hi Brent and all,

Of course, as clarification, a lawsuit would certainly be jumping the gun, at 
least until lots of less drastic steps have been tried first...  :-)

Darrell Shandrow - Shandrow Communications!
Technology consultant/instructor, network/systems administrator!
A+, CSSA, Network+!
Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
Information should be accessible to us without need of translation by another 
person.
Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
  ----- Original Message ----- 
  From: Darrell Shandrow 
  To: blindcooltech@xxxxxxxxxxxxx 
  Sent: Monday, February 27, 2006 9:09 PM
  Subject: [bct] Re: Fw: CAPTCHA the Internet


  Hi Brent,

  I think failing to fix this would ultimately be good material for a lawsuite, 
not to mention severely negative public relations resulting from accusations of 
locking blind people out of their money.

  Darrell Shandrow - Shandrow Communications!
  Technology consultant/instructor, network/systems administrator!
  A+, CSSA, Network+!
  Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
  Information should be accessible to us without need of translation by another 
person.
  Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
    ----- Original Message ----- 
    From: Brent Harding 
    To: blindcooltech@xxxxxxxxxxxxx 
    Sent: Monday, February 27, 2006 8:15 PM
    Subject: [bct] Re: Fw: CAPTCHA the Internet


    Oh, think that's what it is. I wonder, if they ultimately say they can't do 
much about the issue, if the ADA has any play in this since it completely 
prevents the blind's access? If I were them, I'd find the audio solution a lot 
less costly than having to hire a company to Braille up statements. I am 
probably the only blind customer there anyways, but if their vendor fixes it 
could impact others that bank at places that use this system, hosting service, 
or whoever they go through.
      ----- Original Message ----- 
      From: Darrell Shandrow 
      To: blindcooltech@xxxxxxxxxxxxx 
      Sent: Monday, February 27, 2006 9:02 PM
      Subject: [bct] Re: Fw: CAPTCHA the Internet


      Hi Brent,

      Nothing is perfect, audio usually includes a bit of distortion to prevent 
speech recognition, some visual CAPTCHAs are broken already and, well, 
accessibility needs must ultimately be considered if we are to survive in a 
technology driven world.  I believe the credit union form of the FDIC is called 
the NCUA?





      Darrell Shandrow - Shandrow Communications!
      Technology consultant/instructor, network/systems administrator!
      A+, CSSA, Network+!
      Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
      Information should be accessible to us without need of translation by 
another person.
      Blind Access Journal blog and podcast: http://www.blindaccessjournal.com
        ----- Original Message ----- 
        From: Brent Harding 
        To: blindcooltech@xxxxxxxxxxxxx 
        Sent: Monday, February 27, 2006 7:59 PM
        Subject: [bct] Re: Fw: CAPTCHA the Internet


        I haven't contacted the federal reserve or anything. I'm not sure who 
you contact for credit unions. I have contacted people their a couple weeks 
ago. They said they were going to have someone call me after they contacted 
their online vender to see what they may be able to do about it, but I haven't 
received a call back. I think I'll call them again to see what they found out. 
At least it sounds like they hopefully want to do something as the person I 
spoke with understands the issue that I use speech output that is unable to 
read the code. Their issue, according to what they say, is getting their vender 
to do something, whether it be a fixed code that I enter or if they can put 
audio in. I know godaddy's argument against audio that speech recognition can 
be trained to defeat it, but what they probably could do is switch to a 
username and longer password. I see that 7-digit account numbers and 4-digit 
pins are badly hackable without captcha, but it integrates with their phone 
system.

          ----- Original Message ----- 
          From: Darrell Shandrow 
          To: blindcooltech@xxxxxxxxxxxxx 
          Sent: Monday, February 27, 2006 8:07 PM
          Subject: [bct] Re: Fw: CAPTCHA the Internet


          Hi Brent,

          Have you contacted someone at your bank and let them know that this 
means you are denied participation in online banking?  Not sure just changing 
to another bank, which might soon just do the same thing, is the way to handle 
it.  Doesn't FDIC, FTC, Federal Reserve or anyone like that have anything to 
say about this?

          Darrell Shandrow - Shandrow Communications!
          Technology consultant/instructor, network/systems administrator!
          A+, CSSA, Network+!
          Visit http://www.petitiononline.com/captcha and sign the Google Word 
Verification Accessibility Petition today!
          Information should be accessible to us without need of translation by 
another person.
          Blind Access Journal blog and podcast: 
http://www.blindaccessjournal.com
            ----- Original Message ----- 
            From: Brent Harding 
            To: blindcooltech@xxxxxxxxxxxxx 
            Sent: Monday, February 27, 2006 7:03 PM
            Subject: [bct] Re: Fw: CAPTCHA the Internet


            Yeah, it is really getting ridiculous. I'm going to have to get my 
money out of one of my bank accounts and find a credit card elsewhere some how. 
I just wonder who would give me one, had an advantage at the credit union of 
having money in the savings account. I'm just trying to find who to transfer it 
away to, since their captcha is on every login attempt and I heard this is 
becoming a banking trend.

              ----- Original Message ----- 
              From: Ray Foret Jr. 
              To: blindcooltech@xxxxxxxxxxxxx 
              Sent: Monday, February 27, 2006 6:04 PM
              Subject: [bct] Fw: CAPTCHA the Internet



              ----- Original Message ----- 
              From: Barb O'connor 
              To: broconnor1972@xxxxxxxxxxxxx 
              Sent: Monday, February 27, 2006 2:25 PM
              Subject: CAPTCHA the Internet


              I thought you might find this interesting.

              Barb

              Tag-strategia.com (Blog)
              Tuesday, February 21, 2006

              CAPTCHA the Internet

              CAPTCHA (an acronym for "Completely Automated Public Turing test 
to tell
              Computers and Humans Apart") has been on my mind ever since Phil 
Windley
              suggested a graphical CAPTCHA would make a good web service. I 
thought there
              might be those willing to pay to use it. Well, it's been done.

              There is a need for this type of test. Yahoo! and Hotmail use a 
CAPTCHA to
              stave off spammers when a user requests an email account. I 
suspect the most
              common use is on other sites is an attempt block automated 
comment spam in
              blogs.

              CAPTCHA excludes legitimate users

              As the W3C points out graphical CAPTCHAs are a significant 
barrier to
              low-vision and blind users. Those with learning disabilities, 
such as
              dyslexia, may also be adversely affected. As visual CAPTCHAs 
become more
              sophisticated, busy, patterned background becomes more of an 
issue for
              color-blind users.

              The U.S. Census Bureau estimated that in 1997 about 7.7 million 
Americans
              had difficulty seeing the words and letters in an ordinary 
newspaper. The
              American Foundation for the blind reported about 5 in 1,000 
Americans are
              legally blind, and gives a low estimate of 1.5 million visually 
impaired
              computer users. That's a fairly significant potential market to 
ignore.

              Requiring users to interpret a visual CAPTCHA may lead to legal 
challenges.
              Earlier this month, the National Federation for the Blind filed 
suit against
              Target, claiming target.com discriminates by not being accessible 
to
              visually impaired users.

              Audio CAPTCHA

              Some companies are experimenting with audio CAPTCHAs, spelling 
out random
              letters with random noise in the background. However, aural 
disabilities are
              more common than visual ones, so the approach isn't really more 
accessible.
              Speech recognition software is more advanced than character 
recognition, so
              the purported purpose of differentiating between humans and 
computers is not
              filled anyway.

              CAPTCHA is broken

              Several projects to crack common visual CAPTCHA algorithms, 
particularly The
              CAPTCHA Project (by the Carnegie Mellon School of Computer 
Science), the UC
              Berkeley Computer Vision Group, and Sam Hocevar's PWNtcha, have 
had good
              success. Howard Yeend demonstrated a vulnerability in several 
public
              algorithms where he could reuse a solution several thousand times 
after
              manually solving it once.

              Social engineering is often easier than fancy programming. The 
first widely
              recognized social engineering solution was "borrowing" CAPTCHAs 
from target
              sites and showing them at entry points to porn sites. Visitors to 
porn sites
              would solve the CAPTCHAs, allowing spammers to get essentially 
free labor.
              Amazon's Mechanical Turk (tagline: "Artificial Artificial 
Intelligence"),
              which gives micro-payments for simple tasks is an example of 
another way
              CAPTCHAs could be defeated. Even at a few cents per image, the 
cost may
              still be too high for spammers, but it is a demonstration that 
the process
              can be outsourced. After all, the world is flat.

              What is the underlying purpose?

              The real reason for CAPTCHA is to screen undesirables. For low 
traffic
              sites, it means preventing automated access. This can be 
accomplished in a
              relatively simple way: add a single required question to the 
comment submit
              form. Something like "What color was George Washington's white 
horse?" or
              "Enter the fourth word in this sentence." This is enough to make 
the form
              non-standard, thus unusable by generic bots. Bypassing this added 
security
              would be very easy for spammers, the advantage is the relative 
obscurity of
              most blogs. To target multiple blogs, a spammer would need to 
address each
              one individually; individual attention is unlikely, so I suggest 
this method
              is the easiest for bloggers with a knowledge of web programming, 
and is as
              accessible as a comment form without a CAPTCHA.

              Major sites like Yahoo! and Google have a bigger problem. After 
all, they
              are targets both because of the value of their services, and 
their size.
              When it first launched Gmail, Google limited accounts to those 
who had been
              invited by other active users. Initially there was a good bit of 
commotion
              in the tech community as gmail.com addresses became a sign of 
prestige. The
              invitation system allows Google to track which users may be 
abusing the
              service, and which users invited the abusers. Google has gone a 
step
              further, and now allows potential users to have an invitation 
code sent to
              their mobile phones. The number of accounts requested per phone 
number can
              be tracked. The potential gain from a limited handful of 
throw-away email
              accounts, and the cost of mobile phones (even disposable ones) is 
enough to
              deter spammers, because less troublesome alternatives exist.

              If you look at Google's account request page, you'll see a 
CAPTCHA there.
              Google responsibly offers a way for users with disabilities to 
bypass the
              CAPTCHA, although it involves human-to-human interaction (and 
quite a bit
              more time) to complete-a costly alternative.

              Real solutions

              Several solutions to the problems with CAPTCHA have been proposed 
and
              debated. Most have major cost or accessibility problems.

              It would seem the only good solution is some sort of federated 
identity
              system, which is really just offloading the trouble of user 
validation to
              someone else.

              
http://tag-strategia.com/blog/archives/2006/02/captcha-the-internet/


              --
              BlindNews mailing list

              Archived at: http://GeoffAndWen.com/blind/

              Address message to list by sending mail to: 
BlindNews@xxxxxxxxxxxxxxxxxxxx

              Access your subscription info at:
              
http://blindprogramming.com/mailman/listinfo/blindnews_blindprogramming.com

              To unsubscribe via e-mail: send a message to
              BlindNews-Request@xxxxxxxxxxxxxxxxxxxx with the word unsubscribe 
in either
              the subject or body of the message




              Yahoo! Groups Links

              <*> To visit your group on the web, go to:
                  http://groups.yahoo.com/group/lendinghand/

              <*> To unsubscribe from this group, send an email to:
                  lendinghand-unsubscribe@xxxxxxxxxxxxxxx

              <*> Your use of Yahoo! Groups is subject to:
                  http://docs.yahoo.com/info/terms/



Other related posts: