A recent Wall Street Journal article describes Ticketmaster's problems with online scalpers:
> The Internet era has brought speed and convenience to all sorts of consumer transactions. For concertgoers, however, it has also led to ever-faster sellouts for hot events. Ticketmaster deploys technology that is supposed to stop brokers from gaining access to large numbers of seats via online sales. But it says brokers' software circumvents the company's protections. That has placed large numbers of seats in the hands of brokers who use eBay Inc.'s StubHub, Craigslist and other online venues to resell the tickets at a big mark up.
> One situation roiling consumers involves the 54-concert "Best of Both Worlds" tour in which singer-actress Miley Cyrus is performing sets as herself and as her fictional alter ego, Hannah Montana. Parents and children have found finding tickets for the shows difficult and expensive. The issue is drawing the attention of government officials. On Thursday -- in a rare Internet-age example of authorities enforcing antiscalping laws -- the attorneys general of Missouri and Arkansas filed lawsuits against people accused of illegally reselling Hannah Montana tickets.
> According to StubHub, tickets for "Best of Both Worlds" are currently selling for an average $237, making them pricier than seats for the Police ($209), Justin Timberlake ($182) and Beyoncé ($212). The highest face value for a ticket on the Hannah Montana tour: $63.
They must have really pissed off some high ranking political parents to get that kind of attention. Not that they don't deserve it-- scalpers are evil, profiteering bastards, to be sure. They deserve all the pain we can send their way.
The "technology that is supposed to stop brokers" they're referring to is CAPTCHA.
> For instance, companies like Ticketmaster require customers searching for tickets online to replicate a set of the squiggly letters and numbers, known as a "Captcha." Theoretically, only human customers can correctly identify the characters despite the odd fonts, screening out automated purchasing programs. But RMG's software, according to Mr. Kovach, can also "figure out the randomly generated characters and retype them automatically." Mr. Kovach said RMG employees also gave him advice on fooling Ticketmaster's computers into thinking his requests were coming from different Internet addresses. Neither Mr. Kovach nor his lawyer could be reached for comment.
So if online scalpers are somehow beating the system, does that mean CAPTCHA has been broken? I covered this topic a year ago, and my opinion has not changed. If CAPTCHAs were well and truly broken, Google, Yahoo, and Hotmail would stop using them. Why would they continue to use something that doesn't work? I'm not going to rehash all the arguments here, but if you have strong feelings on this topic, I urge you to read my earlier post before commenting.
Ticketmaster's problem is that their CAPTCHA is not good enough. Programmers don't seem to understand what makes a CAPTCHA difficult to "break". But it's not difficult to find out. Heck, the hackers themselves will tell you how to do CAPTCHA correctly if you just know where to look. For example, this Chinese hacker's page breaks down a number of common CAPTCHAs, and the price of software he sells to defeat them at a certain percentage success rate:
| CAPTCHA | Success rate | Price |
| --- | --- | --- |
| the9 | 100% | $500 |
| dvbbs | 95% | $1,000 |
| Shanda | 90% | $1,500 |
| Baidu | 80% | $3,000 |
| eBay | 70% | $4,000 |
| Ticketmaster | 50% | $6,000 |
| Google | (unbreakable) | |
| Hotmail | (unbreakable) | |
| Yahoo | (unbreakable) | |
It seems an awful lot of programmers subscribe to the "add some crazy patterns and/or colors to the text and pray for the best" school of CAPTCHA design. That's not only sloppy, it just doesn't work. The top of this chart is littered with their failed attempts. On some sites, this is OK. They don't need the same world-class level of protection from bots and scripts that Ticketmaster does-- there's tremendous financial incentive for scalpers to break their system.
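Why that school of design fails can be checked before shipping. The following is an added example, not code from the original post: it decorates a constructed two-letter image with a pastel background, multi-coloured ink and dark grain, then measures how much of the decoration survives a luminance threshold and a 3x3 morphological opening. The font, the image and all function names are assumptions made for the illustration.

```python
# Added example: constructed sample image, hypothetical helper names.
FONT = {  # tiny 3x5 cell font, just enough for the sample word
    "H": ["#.#", "#.#", "###", "#.#", "#.#"],
    "T": ["###", ".#.", ".#.", ".#.", ".#."],
}
CELL_W, CELL_H, SCALE, MARGIN = 3, 5, 3, 3  # each font cell becomes a 3x3 block


def glyph_mask(text):
    """Ground truth: True where a letter stroke is, False elsewhere."""
    width = MARGIN + len(text) * (CELL_W * SCALE + MARGIN)
    height = 2 * MARGIN + CELL_H * SCALE
    mask = [[False] * width for _ in range(height)]
    for i, ch in enumerate(text):
        x0 = MARGIN + i * (CELL_W * SCALE + MARGIN)
        for r, row in enumerate(FONT[ch]):
            for c, cell in enumerate(row):
                if cell != "#":
                    continue
                for dy in range(SCALE):
                    for dx in range(SCALE):
                        mask[MARGIN + r * SCALE + dy][x0 + c * SCALE + dx] = True
    return mask


def decorate(mask):
    """The 'crazy patterns and colors' treatment, as RGB pixels."""
    img = []
    for y, row in enumerate(mask):
        out = []
        for x, ink in enumerate(row):
            if ink:                              # multi-coloured but dark ink
                px = (20 + x * 11 % 60, y * 13 % 70, 40 + x * y % 50)
            elif x % 4 == 2 and y % 4 == 2:      # isolated dark grain pixels
                px = (10, 10, 10)
            else:                                # busy pastel background
                px = (200 + x * 5 % 56, 180 + y * 7 % 70, 210 + (x + y) * 3 % 40)
            out.append(px)
        img.append(out)
    return img


def binarize(img, threshold=128):
    """Luminance threshold: colour information is discarded in one step."""
    return [[(299 * r + 587 * g + 114 * b) // 1000 < threshold for r, g, b in row]
            for row in img]


def _morph(mask, combine):
    """Apply all() (erosion) or any() (dilation) over each 3x3 neighbourhood."""
    h, w = len(mask), len(mask[0])

    def at(y, x):  # pixels outside the image count as background
        return 0 <= y < h and 0 <= x < w and mask[y][x]

    return [[combine(at(y + dy, x + dx) for dy in (-1, 0, 1) for dx in (-1, 0, 1))
             for x in range(w)] for y in range(h)]


def opening(mask):
    """Erosion then dilation: removes anything thinner than the strokes."""
    return _morph(_morph(mask, all), any)


def diff(a, b):
    """Number of pixels on which two masks disagree."""
    return sum(p != q for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def decoration_survival(text="HT"):
    """Return (decoration pixels left after thresholding, left after opening)."""
    truth = glyph_mask(text)
    binary = binarize(decorate(truth))
    # In general a grain pixel sitting in an inside corner of a stroke can
    # survive the opening; none does on this constructed sample.
    return diff(binary, truth), diff(opening(binary), truth)


if __name__ == "__main__":
    before, after = decoration_survival("HT")
    print(f"decoration left after threshold: {before} px, after opening: {after} px")
```

If a check like this returns the clean glyphs, the colours and grain cost human readers effort and cost an OCR pipeline nothing; only distortion of the letter shapes themselves changes the result.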
This particular hacker estimates a 50% success rate against the Ticketmaster captcha, long before the above article was published. No wonder those parents weren't able to buy their kids Hannah Montana tickets-- it's not because of failings in CAPTCHA protection, it's because the Ticketmaster programmers failed to implement CAPTCHA correctly.
Instead of hacking together their own partially effective (and often not even human solvable) CAPTCHA, what Ticketmaster's programmers should have done is studied prior art-- in particular, by outright copying the high-volume, extensively researched Yahoo, Google, and Hotmail CAPTCHAs. I'm awfully fond of Google's CAPTCHA technique; in my professional opinion, it is simultaneously the most readable and the most hellishly difficult to OCR correctly. If you need industrial strength protection from bots and scripts, that's where you want to start.
Posted by Jeff Atwood
> scalpers are evil, profiteering bastards, to be sure.
No. Ticketmaster are evil monopolists. As for selling tickets for higher than some artificial price printed on the paper, that's just something the venues and Ticketmaster wish they could figure out how to get involved in. Why not have a concert and auction off all the tickets? Have no "face value" on any ticket, and just let the market decide how much they are worth. Don't you believe in capitalism?
It's no surprise Yahoo captchas are unbreakable: In most cases, they are just plain unreadable even to my human eye.
Yahoo has implemented them lately to access games.yahoo.com and I must say it's a real frustration when you enter the games site. OK, we no longer have porn ads in the rooms' common chat boxes but frankly the price to pay is expensive to me.
As you wrote, Google just proves that unbreakable doesn't have to be a synonym of unreadable!
Serge Wautier on November 21, 2007 02:18 AM
"it is simultaneously the most readable and the most hellishly difficult to OCR correctly"
Most attractive, too. I'd use Google's CAPTCHAs as a desktop background. But *why* are Google's so much harder to crack than Ticketmaster's? Both seem to use warped writing. Is it the colours, the way they warp the image, or something I'm not getting?
Next up by Google: G-CAPTCHA. Actually, is it possible to copyright CAPTCHA technology?
"That's just something the venues and Ticketmaster wish they could figure out how to get involved in."
Well, that's blatantly not true, because it's not like scalpers are doing anything clever. They're just taking advantage of the time limit to distort the market.
"Don't you believe in capitalism?"
Haven't you heard of the Wall Street/DotCom Crash? How about Enron?
Capitalism works based on trust. Driving demand by hoarding until the last minute isn't good for anybody but the seller. An excellent book on market economics is "The Wisdom of Crowds" by J. Surowiecki.
Jeff, mind telling us how good you think your captcha is? :-)
The gothic letters don't seem that difficult to OCR.
Good post Jeff. In fact, it is possible to break EVERY CAPTCHA, that is readable. Do you know how? Hackers insert image with captcha from the site they want to break into some other site where there are a lot of visitors willing to receive some content for free (after passing fake registration with CAPTCHA from the site being hacked).
Vitaly on November 21, 2007 02:41 AM
++Serge Wautier
I've had a flickr account - but after changing my user to a yahoo account (and forgetting the password) I am not able to access my flickr account any more.
It's nice to fight the bots - but it's dumb to fight the humans
Bernhard on November 21, 2007 02:47 AM
Vitaly: that might work in many situations, but tickets to popular concerts will sell out in minutes--there's no time to wait for someone to come along and break a captcha for you, even if it's just 30 seconds.
Steve on November 21, 2007 02:57 AM
> Jeff, mind telling us how good you think your captcha is? :-)
> The gothic letters don't seem that difficult to OCR.
Here is a function I've crafted to return the correct value for the box (based on my experience reading this website).
String CodHorCAPTCHADecode()
{
return "orange";
}
:)
If you can't read the CAPTCHA on Yahoo, you have terrible eyes or a bad monitor. They're easy.
Ludvig Ericson on November 21, 2007 03:06 AM
Great post!
@Wouter Lievens: It's a thing of adequate security. Nobody would pay $1000 to bot-post on Jeff's blog (sorry Jeff). But those brokers DO pay much more to trick Ticketmaster.
@Jeff: I don't see why Google is so much harder to crack than Ticketmaster (no question it's better, because human readable). Do you have an explanation?
Hinek on November 21, 2007 03:10 AM
I suspect an element of Mechanical Turk going on...
Damian on November 21, 2007 03:22 AM
Jeff, have you looked at http://recaptcha.net/ ??
It could be a constructive way to replace your existing captcha ;-)
Roddy on November 21, 2007 03:25 AM
Google's are much easier because they are pronounceable.
Personally, I like Asirra (http://research.microsoft.com/asirra/).
Zooba on November 21, 2007 03:30 AM
I find the google ones to be almost impossible to read. Those things are a nightmare, especially for those with dyslexia
steph on November 21, 2007 03:41 AM
Yeah, and ORANGE is really difficult as well.
What I wonder about is if Google would open source their captcha generator, would that make it easier to decode the images?
Mike on November 21, 2007 03:43 AM
I suspect the real reason Ticketmaster isn't using stronger captchas is because it's not losing any money (and it has a monopoly).
I believe the google ones are so good because along with the funky geometry they use dithering to produce low contrast areas that make edge detection harder. They look ok small, but I'd prefer sharp lines or smooth gradients instead of dithering if I was going to put them on my desktop background. I think the Yahoo ones make it too difficult to distinguish Xs and Ks and there's a G that could be a 6.
Could there be a market for artistic captchas on T-shirts?
John Ferguson on November 21, 2007 03:48 AM
The example on the Asirra page is ridiculous. Some of the images can barely be seen at that size.
Venkman on November 21, 2007 04:36 AM
Ticketmaster is right: CAPTCHA is pointless if one can earn $100 by solving a single puzzle. you don't even have to hire Chinese sweatshops, anyone would work 8 hours a day for that wage.
CAPTCHAs might work for protecting near-worthless assets like email accounts but not for REAL MONEY!
I still believe putting the burden on humans is the wrong way to go. I've had great success with detecting the bots instead: http://nedbatchelder.com/text/stopbots.html
Ned Batchelder on November 21, 2007 04:54 AM
The issue isn't about producing some kind of pure captcha but simply of making the cost of breaking it exceed the potential benefit of breaking it.
So sure, as some people say, spammers could create a pr0n based mechanical turk to break google's captchas because they cannot be broken programmatically. Or some sort of spammer labs central could produce some kind of uber-captcha-smasher. But the cost of doing these things will hopefully damage their operation's profit model.
That's all the police on your street corner hope to do - they don't make hardened criminals turn away from crime just by existing, they simply try to ensure that the cost of committing a crime exceeds the benefit.
Rob Moir on November 21, 2007 04:56 AM
Actually, many spammers use much simpler methods to break captchas...
1. Throw up a porn site.
2. Pay for visitors.
3. Write software that screen captures / reproduces CAPTCHA on victim's website and then displays it on free login at porn site.
4. Porn visitors answer CAPTCHA for spammer.
5. Spammer software automatically enters correct CAPTCHA as inputted by porn site visitor.
It is quite simple and makes CAPTCHAs very weak. The only thing that makes CAPTCHAs useful is if you have an equally valuable competitor who doesn't use them, which will divert the attention of spammers to that low hanging fruit first.
Russ Jones on November 21, 2007 05:16 AM
Hey Now Jeff,
Very interesting post. 'Hack CAPTCHA' made in China. Seems everything is made there huh? Thx 4 the info.
Coding Horror Fan,
Catto
A captcha that uses grainy backgrounds or different colors is ridiculous... convert the image to binary (just black/white) and apply erosion: you're left with letters every time, while the grainy and multi color backgrounds only added complexity to the human reader.
Jim on November 21, 2007 05:31 AM
Hmm. Frankly, if all their captchas were like the 'licit' example, I wouldn't believe for a second they were unbreakable. The others are great, so many edges touching, bright colours and a curvy effect on the type face. Did Google make captcha sexy?
Matt on November 21, 2007 05:57 AM
It looks like one big diff between Google and Ticketmaster is that Google is using much tighter letter-spacing, and Ticketmaster is using the stock amount.
Scott on November 21, 2007 06:27 AM
One thing I noticed about the google captcha is that it always has a recurring letter differently deformed. I guess that throws off a lot of OCR apps.
Ben Blok on November 21, 2007 06:33 AM
"Jeff, have you looked at http://recaptcha.net/ ??"
reCaptcha accepts wrong answers, not the most secure thing in the world.
Steve on November 21, 2007 06:41 AM
What about letters made out of letters with a little swirl for effect?
BBB HHH
B H H
BBB HHH
format didn't come through. oh well u get the idea
Wouter Lievens: "Jeff, mind telling us how good you think your captcha is? :-) The gothic letters don't seem that difficult to OCR."
Did you bother to read the first article Jeff wrote on CAPTCHA (that he linked to) before posting to this one, like he suggested? The first article discusses the CAPTCHA used on this site (including always using the same word) in depth.
KenW on November 21, 2007 06:45 AM
It may be more than just a problem with captchas being broken. Might be a cookie problem . . . .
I recently had to buy tickets from TicketBa$tard, and here's what I did: (This was a pre-sale event - tix on sale at 10:00 am - I was online at 9:59, etc.) They said they were only going to only show me 8 tickets at a time. They kept showing me the same 8 tickets, and they were lousy seats. I'd say no, the tickets would go away, and they'd show me the same 8 lousy tickets.
I had 8 or 9 browser windows open, and all of the tickets from each session were starting to show up in all the open windows. I kept discarding the tickets, and they'd show me 8 more, and they were different tickets. When a session would time out, I would hop to another open session. Eventually, I had about 200 tickets being offered to me, and the tickets offered at the end of the list were front row of the side sections, next to the stage. I removed the first 195 tickets from the session, and bought 5 tickets near the stage.
It shouldn't be like this . .. it shouldn't be this hard . ..
And you're assuming that ticketmaster (or its employees) *doesn't* do some of this itself, on the side, as a way of increasing profits?
Ian on November 21, 2007 07:13 AM
This is interesting.. I wonder how big their dictionary is at Ticketmaster because I know for a fact that I have gotten the word Bilbo before through their system. Maybe the hackers have a limited dictionary that they have formed that makes dealing with Ticketmaster's CAPTCHA much easier.
Ryan Smallegan on November 21, 2007 07:15 AM
Surely you're not suggesting that we should implement our own CAPTCHA. Granted it's not tremendously difficult using some of the current graphics APIs to produce and check the image but it's not like our clients can tell the difference or for that matter are willing to pay for the difference.
And how exactly do you test against Chinese hackers? Certainly you can test some OCR but that would be a tedious process that would be very difficult to automate.
Martin on November 21, 2007 07:25 AM
"reCaptcha accepts wrong answers, not the most secure thing in the world."
From the recaptcha website:
But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.
orange on November 21, 2007 07:25 AM
Google's captcha is the only one I can read easily. There are a lot that I can't make out at all. The other day I tried an audio captcha at some site where I couldn't read it and it was even worse. There was so much background noise (which was intentional) and different voices that I couldn't tell whether one of the numbers was significant or background noise.
Mike on November 21, 2007 07:28 AM
"reCaptcha accepts wrong answers, not the most secure thing in the world."
One of the words comes from a book, so in theory you could type anything for that word, but the other word is a computer generated word, so you have to type in the correct word.
Saral on November 21, 2007 07:29 AM
Hey, i got an idea:
Let's make scalping illegal.
I know, i know, then how will all the uncreative idiot leeches of society make a living....
ryan on November 21, 2007 07:32 AM
"Ticketmaster is right: CAPTCHA is pointless if one can earn $100 by solving a single puzzle..."
You missed the entire point of the post. The CAPTCHA concept is not flawed, it is the way it is implemented.
joshua on November 21, 2007 07:36 AM
Hmmm... you could always automate everything but the CAPTCHA, and enter it manually.
Build an app that prompts you for the CAPTCHA text over and over upon each ticket request.
Looking at the TicketMaster's implementation, I doubt any OCR mechanism is successfully reading the text.
Actual implementations of OCR are only 90% accurate at best, and this is with completely readable characters
CptBongue on November 21, 2007 07:39 AM
captcha has been broken for a long time now. Look at Malik's research on shape matching:
http://www.eecs.berkeley.edu/Research/Projects/CS/vision/shape/
He doesn't come out and say it's specifically for breaking captcha, but what else could it be for?
Capt. Jean-Luc Pikachu on November 21, 2007 07:45 AM
Hell, for low-level CAPTCHA you can get a copy of XRumer, automated software from Russia that blows through weak forum, email and comment CAPTCHA.
alone413 on November 21, 2007 07:46 AM
Pretty cool--the WSJ article has a link back to your blog!
Another strategy that might be just as effective is to switch up the captcha method right before a new concert series goes on sale. The bots wouldn't have time to adjust, even if they might ultimately be able to program a way to OCR the captcha.
Brad on November 21, 2007 07:48 AM
With regard to Google's CAPTCHA being better than Ticketmaster's:
I wonder if it's possible that there exists an application to defeat Ticketmaster's CAPTCHA with 50% success simply because there's more of a financial incentive for such an app than there is for defeating Google's? Google's mangled text looks pretty similar to Ticketmaster's, except for the pretty colors and lack of a grid.
Yeah, scalpers are parasites. But on the other hand, wouldn't you want the option to see Hannah Montana for $237 rather than not being able to attend a sold-out show at all? (Well, maybe not H.M. but insert your favorite artist). By adding another market to the "lottery" system of popular concerts, the scalpers assure that there will be some supply available to those who really want it. Got to be a better way to achieve this though.
@Ryan: Seems like I got "bilbo" before as well. Is "bilbo" the new "orange"?
It's interesting that you pull up Google's CAPTCHA as a "good" example. I am unfortunate enough to have to use a cheap no-name LCD display at work; Google's CAPTCHAs are unreadable on these displays.
The basic problem is that this display cannot handle rapid changes of colour, whether in space or time. Google has some areas of their CAPTCHA where a small thin strip of white is significant. This display elides the strip of white, leaving me letters that can be (e.g.) t or li. There's no audio on these systems either.
As a result, I don't get to use services that Google CAPTCHA-protects from work. If I didn't buy better monitors at home, I'd be completely stuffed.
Simon Farnsworth on November 21, 2007 07:59 AM
"Let's make scalping illegal."
Congratulations on the worst idea promoted on this thread. Criminalizing this activity could distort market prices for some shows even further by creating a true black market for it. Furthermore why would you remove someone's freedom to sell a ticket that they paid for?
adrian on November 21, 2007 07:59 AM
we might have all missed the point here- $237 average for Hannah Montana- With a high of $749 on the floor in Charlotte Bobcat Arena later this week?????
If I could turn a $500 profit on each of 8 tickets I would, wouldn't you? That would buy a great workstation. : )
David on November 21, 2007 08:02 AM
See the captcha at the bottom of the page.
http://www.fairplaygames.com/cust_service.asp
It is a new ascii based captcha. I don't know why I never thought of that! Ticketmaster should take note.
Michael Bailey on November 21, 2007 08:09 AM
"It's the economy, stupid"
Scalpers are just increasing economic efficiency by letting supply and demand drive the prices to their natural point. If Ticketmaster keeps selling the tickets at artificially fixed low prices, there will always be an incentive for scalping, and whatever technical measures they come up with will be overcome. It's just an arms race.
The only real solutions are economic solutions: 1) auction the tickets instead so that the tickets sell at their supply-and-demand prices; 2) do a real lottery, in a way that makes scalping non-profitable. For example, by selling "meta-tickets" so that if you win the lottery, you get the option of buying a concert ticket. If the ratio of meta-ticket price and probability is right, scalping will not be profitable. Of course, people will be reluctant to buy the meta-tickets since they are not certain to win and will feel like they were ripped off. Oh, well...
Bill Clinton on November 21, 2007 08:14 AM
Scalpers are merely buying and selling a product. While I've had my rants against scalpers from time to time; they really are innocents in this. If you have a ticket to the upcoming Mega-Star-Tour... will you sell it for face value when a scalper will sell it for 500 bucks or more (knowing it will most likely be sold)?
It's an economics lesson: Supply vs. Demand. Up the supply and demand for the scarcity will drop. I wanted to see the Police, but the closest show had a face value of (I believe) 75 bucks for the nosebleeds... then add on the surcharges that Ticketmaster tacks onto EVERY ticket, then add on the surcharge that a scalper tacks on (since the tickets sold out before going on sale... yes you read that right... if you weren't part of the "pre-sale", you got nothing).
End result: I'll just wait and pray that the Police release either a live DVD of the tour (nudge to them... Christmas is FAST approaching!), or I get nothing.
The answer to end scalping is for these in-demand artists to perform more. When I was a kid, it wasn't uncommon for large acts (like Bruce Springsteen or the Rolling Stones) to play the local FOOTBALL STADIUM for like 4 days. Scalpers would charge you less "premium" than Ticketmaster. Now everyone plays 1 show, jacks the price as much as they can and then scalpers buy all the tickets.
Bah... I guess I'm just getting older and crustier.
wes on November 21, 2007 08:29 AM
What about look for the cute kitten? I would love to see some AI software trying to distinguish between a cute kitten and a toilet bowl.
blip on November 21, 2007 08:38 AM
OT: Isn't CAPTCHA redundant? Seems like "(C)ompletely (A)utomated (P)ublic (T)uring test" is sufficient. The rest, "to tell (C)omputers and (H)umans (A)part", is, I think, well-captured by "Turing"
CAPT: Wilbur. Wil outside no coat winter.
RHH on November 21, 2007 08:41 AM
Why is captcha always about typing some characters you see?
How about putting an image like of a tree and asking the question "What do you see?" If you didn't enter "tree" in your first 3 attempts, the server will block you.
AFAIK, there isn't any image recognition software out there yet.
BTW, this site seems to be effective against comment spam. I am not seeing any. Maybe Jeff can talk about what he's using.
Abdu on November 21, 2007 08:43 AM
ya, speaking of captcha, how comes yours is always the SAME word? doesn't seem very secure to me...
-sarah
Speaking of captchas, I'm surprised yours works so well. I agree with your assessment of Google's technique. This throws back to my comment on "Competing with the Internet." Ticketmaster should not have tried to reinvent the wheel that Google had already perfected.
Mattkins on November 21, 2007 08:52 AM
adrian, I agree that outlawing scalping is a bad idea, but for a different reason.
The creation of a real black market might make the black market tickets cost more, but this would only happen if the number of tickets on the market decreased (creating higher demand). Less tickets on the black market means more tickets for legitimate direct buyers.
The reason I think it is a bad idea is the Coase theorem: basically, if transactions are cheap (in this case, low risk) then the tickets will end up in the hands of whoever values them the most. If transaction costs are high (in this case, high risk) then the tickets will end up in the hands of whoever happened to get them first.
I'm not defending scalpers, but I do believe in the free market (not that it is perfect), and I can't reconcile that belief with the belief that scalping should be illegal. It seems to me just like any other kind of arbitrage or investment.
Paul Butler on November 21, 2007 08:58 AM
Honestly, I don't see how Google's is unbreakable. Each letter is quite clear, and while OCR may not be able to recognize the letters, there are algorithms that could trace the outlines for each character and then with enough training, it could recognize those letters easily.
mos on November 21, 2007 09:07 AM
Other people have said it here, but I'll say it too: if you want scalpers to go away, sell tickets at market prices. At the right price, the show will sell out, but the last ticket will be sold only a little bit before the show begins. Just about anybody willing to pay the price will have gotten a ticket.
To respond to poster "deworde":
Enron did not exist in a free market. Neither did all the telecoms that went bust. Neither the energy nor the phone markets are close to free markets in this country.
The Dot-Com crash? How was that a bad thing? A bunch of companies that didn't do anything useful went under. A bunch of companies that survived were forced to become more efficient. Some companies whose only market was to support all this excess went under too.
Mike on November 21, 2007 09:27 AM
As someone who actually writes commercial OCR software, I would guess that I could write something that could read the Google strings at a fairly high success rate. Though if you put the time & money in, the Yahoo & Hotmail ones could also be read by current OCR technology (at some lower success rate).
Jeff, you are totally right!
Funny thing is that I was presented with a ticketmaster CAPTCHA and I was myself unable to solve it and lost my good spot. Ticketmaster's ones are really the worst I have seen so far: given that they are breakable, they should go back to the basics.
How long before they break KittenAuth?
http://www.thepcspy.com/kittenauth
@Capt.Jean-Luc Pikachu: Actually he does come out and say it: "Breaking a visual CAPTCHA" http://www.cs.sfu.ca/~mori/research/gimpy/
@blip, abdu : 'Image' CAPTCHAs: http://www.captcha.net/cgi-bin/esp-pix
Some of them are a bit weird, and not easily human-solvable.
- Roddy
Roddy on November 21, 2007 09:39 AM
The google one is the only one that is readable that is "unbreakable".
Unbreakable? Anything can be broken with time, money, resources. So, Captchas in general are fallible.
If these tickets are being sold online, isn't there a credit card involved? Couldn't you print something on the ticket that would correspond to the user's credit card, like a bar code or something similar? That way, the card that bought the ticket would have to be presented when the ticket was presented at the box office.
I guess if you're just taking the tickets in there will always be scalping, but if you tie in the ticket with the entity that bought it, then scalping comes to an end.
Pushing someone's card through a credit reader at the gate should take that much longer than taking the ticket.
Jon Raynor on November 21, 2007 09:53 AM
> convert the image to binary (just black/white) and apply erosion: you're left with letters every time, while the grainy and multi color backgrounds only added complexity to the human reader
Exactly. Many of the pictured CAPTCHA algorithms waste their time shifting colors or contrast when it makes no difference whatsoever to an OCR algorithm. If a person can read it (and a person *has* to read it for it to work!), then so can OCR. Varying color/contrast is a complete waste of time. Distortion and perturbation are the only thing you need, at least according to Google's highly effective CAPTCHA image algorithm.
Jeff Atwood on November 21, 2007 10:01 AM
I love the Ticketmaster one that is just grainy, but undistorted. It looks just like a bad fax, and that's a basic, basic OCR problem.
Scott on November 21, 2007 10:07 AM
I personally have about a 50% success rate at deciphering Ticketmaster's captchas. I have no idea what the lower right Ticketmaster image is and I only have a guess on the upper left image! Also, their servers are woefully incapable of handling the demand during large events. When they are overtaxed, the captcha shows up as a little red x. This is especially frustrating when you manage to make it to the top of the queue for something like the first game of the World Series, only to be booted out because your captcha image won't load!
I liked the idea of simply showing some random image and asking "What is this?" You could even provide a simple multiple choice solution:
"a. A Tree b. An Umbrella c. A Car d. A Bicycle". For global companies, simply provide a language option.
The main reason Ticketmaster is so much easier than Google's is that Ticketmaster use words from a dictionary!!
This makes the task much easier. Once you've got a few characters you can then reference a dictionary to fill in the ones you can't recognise.
With the google ones you've got to get every single character by OCR.
Everyone knows you don't use words found in a dictionary for secure passwords, same goes for these.
Toby on November 21, 2007 10:08 AM

Why not print the original buyer's name on the ticket, then require photo id at the gate? How would a scalper get around that?
Milivoj on November 21, 2007 10:18 AM

Seems some of ya’ll don't understand how scalping works. At the risk of creating more scalpers--here's how to be a scalper:
Demand for an event is a bell curve. A tiny number of people are willing to pay $10,000. A few more will pay $1,000. Many will pay $100. A lot will pay $50. Some would pay $20 and a few would pay $5. (At the bottom end we're taking people who simply aren't interested and are going out of curiosity)
The best way to make money would be to charge everyone the max they would pay. However, there's no way to do that. So, instead Ticketmaster has to compromise on a price that will result in the most successful concert.
For Ticketmaster there are two factors:
1) Max of Money
2) Happy Fans
Say the ticket price that would bring the best overall return is $250. But, it would only half fill the seats in the arena. Fans don't like going to empty concerts. Artists don’t like performing at empty concerts. In short, if the concert hall isn’t packed, Ticketmaster will lose the next gig to a competitor. So Ticketmaster has no choice but to underprice their tickets in order to keep the fans happy and maintain the power of their brand. So, we have the absurdly low price of $63.
Oops, scalpers buy them up and resell at $250. Scalpers don’t care if only half the tickets sell. The half that do sell will pay for the original purchase plus 100% profit.
Unlike Ticketmaster that must keep fans happy. Keeping fans happy has no economic benefit for the scalper. If the scalpers destroy Ticketmaster’s business, they’ll simply go on to scalp the tickets of whatever competitor that takes over Ticketmaster’s business.
That ladies and gentleman is how to be a scalper.
Roddy: Oops. Well, no one's ever accused me of being literate...
Capt. Jean-Luc Pikachu on November 21, 2007 10:52 AM

A free solution that I use for phpbb (bulletin board) allows me to write questions with the corresponding answers. For example:
1 + 2 = __
2 x 5 = __
Jack and Jill went up the ___
Humpty Dumpty sat on the ___
I've had zero problems using the above (of course I need to be aware of cultural & language differences when using nursery rhymes). I realize this isn't a cure-all but is a very simple implementation.
Drew on November 21, 2007 11:13 AM

I just flat refuse to buy tickets from scalpers and whenever possible--which is most of the time--I do not buy tickets through Ticketbastard (or is it Sticketmaster?)
Frankie Stone on November 21, 2007 11:18 AM

For an apropos discussion of the relationships among the mutability of letters, their readability by humans, and their recognizability by computers, see Douglas Hofstadter's _Metamagical Themas_.
Alex Chamberlain on November 21, 2007 11:53 AM

The solution is simple, Ticketmaster is selling at too low a price. If they want to prevent scalpers, they should raise their prices. Then scalpers would not make a profit between Ticketmaster's price and the market price. Then they should discount the prices as the concert date approaches, similar to how stock option prices have a time value and depreciate closer to expiration. Start at $250, the market price, and depreciate down to $1 the day before. If customers want to ensure their seat, they will pay the higher price sooner rather than later. If there are empty seats, they can sell at the door, or invite an orphanage for a free show.
Chloe on November 21, 2007 12:02 PM

@abdu: "How about putting an image like of a tree and asking the question "What do you see?" If you didn't enter "tree" in your first 3 attempts, the server will block you."
Dammit. I tried "birch", "aspen", and even "maple". Doesn't that site's idiot programmer know his trees?
(Note that the exact same problem happens with pictures of kittens - a cat fancier may well enter "himalayan" 3 times and get locked out....)
Short answer Jeff:
CAPTCHAs are not broken, Ticketmaster is broken.
Many concerts are high-demand, low availability events and Ticketmaster is the gatekeeper with a ton of conflicted interests.
Goodness knows, it wouldn't surprise me to know that people inside of Ticketmaster's IT are probably "in" on the whole thing.
As to the "free market" touted by other commenters, it may actually be in the best interest of performing groups to do a giant seat-sale auction. Right now, those Hannah Montana tickets are not generating more than $50 for Miley Cyrus yet people are expecting a $200 show. I'd say that it's time for artists to renegotiate, but there's no competition to TM right now, so it's an uphill battle.
But hey, it's back to point #1: TM is broken.
Gates VP on November 21, 2007 12:26 PM

I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks. They are a challenge but by no means impossible.
Ben on November 21, 2007 12:49 PM

Here's an alternative type of captcha, pretty much impossible for a program to defeat. Seems to work great for the women, not so well for the men: http://www.hotcaptcha.com/
Moe on November 21, 2007 01:31 PM

This example of bad CAPTCHA's is unfortunately just one of many examples in which programmers just invent their own amateur algorithm based on nothing more than their gut feeling and pray for the best...
It shows that software engineering really isn't engineering at all in many cases.
p.s. Is your own "orange" CAPTCHA a joke or what?
Jesper on November 21, 2007 01:57 PM

> I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks.
I often see glib claims like this, and I'll say the same thing to you that I mentally say to all of them: SHOW ME. Heck, if it's so easy, why don't you show the entire class?
I'll tell you what's easy: making ridiculous claims in a comment box on a web page.
Jeff Atwood on November 21, 2007 02:14 PM

The difficulty is the use of NON-LINEAR transforms. Not any of the baloney you suggest.
Linear Transforms are easily reversed even if they are destructive. Non-linear transforms require non-linear methods which are more difficult to implement.
Essentially you need at least an undergraduate degree in stats or CS to get much success with the non-linear transforms.
Please stop suggesting stupid captchas like the cat captcha. Captcha Generation is a HARD AI PROBLEM. This means it is hard to generate new classes of captchas just as it is a HARD AI PROBLEM to solve them.
Jeff Atwood's Mother on November 21, 2007 02:22 PM

Jeff,
Is there a reason why the captcha on your comments section is always ORANGE? And it's not even trying to be hard to decipher - it is using a standard font.
Ash.
Ash Moollan on November 21, 2007 02:25 PM

I liked the captcha I saw where you had to choose the three attractive women out of 8 shown. Of course there's the problem with individual definitions of attractiveness, but if I had to choose between trying to decode Hotmail's god-awful mish-mash of pixels and looking at 3 hot girls...
nickf on November 21, 2007 02:41 PM

@ash
Jeff has written about why it is a static captcha before. He was getting a lot of comment spam and after implementing this simple captcha, it eliminated 99% of the problems (most bots don't bother to try to defeat it since they are based on spamming on a massive scale). There's no reason to work any harder than that if it solves your problem.
Same principle applies here as in the article. A simple captcha for protecting against comment spam is enough protection for Jeff, but not nearly enough for Ticketmaster.
Mason on November 21, 2007 02:48 PM

Jon Raynor wrote: "If these tickets are being sold online, isn't there a credit card involved? Couldn't you print something on the ticket that would correspond to the user's credit card, like a bar code or something similar? That way, the card that bought the ticket would have to be presented when the ticket was presented at the box office
....
Pushing someone's card through a credit reader at the gate should take that much longer than taking the ticket."
---
Hmm. So how do I...
1)...give away or sell my tickets (at face value, of course) to an event that I can't attend, for some unforeseen reason?
2)...buy more than 1 ticket with a single credit card? Sure, this might work if EVERYONE in the group shows up at the same time and meets outside the gate. What about very large groups (schools, churches)?
Seems kind of inconvenient and anti-free market. You're telling me that I can't even GIVE AWAY something I purchased legally with my own hard-earned money. I guess we are used to seeing this with certain operating systems, computer applications and video games.
Will on November 21, 2007 02:49 PM

In the end Ticketmaster themselves are evil and need to be investigated for the fees they add to a ticket. The last time I went to buy tickets from them their fees were more than the price of tickets. I once tried to get around this by phoning the bar directly, they informed me that I would still need to pay the fees. Some sort of evil agreement they have with Ticketmasters.
I so want Google (or Amazon) to set up a competing site...they could destroy them.
JJ
J. Jablonski on November 21, 2007 03:02 PM

>>The example on the Asirra page is ridiculous. Some of the images can barely be seen at that size.
Venkman - did you notice you can mouse over the images to see a much larger version of them? Or just dismiss it out of hand because it comes from Microsoft Research?
JosephCooney on November 21, 2007 03:21 PM

"Other people have said it here, but I'll say it too: if you want scalpers to go away, sell tickets at market prices. At the right price, the show will sell out, but the last ticket will be sold only a little bit before the show begins. Just about anybody willing to pay the price will have gotten a ticket."
I really don't understand this. Surely the scalpers will just buy as many tickets as possible right at the start, when the demand is lower, and then take advantage of the price spike at the box office at the end. Basically, what they do now, except that the box office price will rise as well, so there's no place you can go to get a decent price. How does this benefit *anyone* but the scalpers?
My assumption when I hear this is that they've heard the "Market Cinema prices" (see the Wisdom of Crowds book I talked about) and overapplied the principle, without considering reduced supply.
On topic, is there any explanation for why Google's captchas are so secure and Ticketmaster's aren't? Is it simple overlap?
deworde on November 21, 2007 04:24 PM

If you've ever been to any professional sports event, you've seen the army of scalpers outside. There's easily 100 of them at any Colts or Pacers game. Multiply that by 32 NFL cities, a few more with NBA and no NFL, etc, and nationwide, you've got a real army of thousands of professional "ticket brokers." Add in to that a few thousand opportunistic ticket resellers who know that a show like Hannah Montana will generate an easy profit (like the $$ I made in college in '85 waiting in line all night at the local Karma records to buy Springsteen tickets to resell in the local paper's classifieds) and it's easy to see that it's much more likely that the ticket shortage and resale prices are caused by a few thousand ticket resellers nationwide who each bought their allotment of 8 tickets instead of a small number of resellers using broken captcha to buy hundreds or thousands of tickets each.
Yes, some captchas are bad, hacks for them can be purchased. But that doesn't seem like the most obvious and easy answer to what's happened here.
Jim Minatel on November 21, 2007 04:51 PM

Ben Houston wrote:
> I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks. They are a challenge but by no means impossible.
Jeff Atwood replied:
> I often see glib claims like this, and I'll say the same thing to you that I mentally say to all of them: SHOW ME. Heck, if it's so easy, why don't you show the entire class?
I'm purposely not making these two comments anonymous while claiming that I can break it after a couple weeks worth of work. I am open to freelance arrangements. I'm not so insecure that I will spend a bunch of time to do this for FREE just to show people up, but I am open to payment only on success arrangements.
Ben on November 21, 2007 05:38 PM

I would respond to this post on the merits of CAPTCHAs and their current state, but your "evil, profiteering bastards" comment got me off track.
Re: CAPTCHAs? Join this forum for a month ($99) just to see the current state of affairs:
http://seoblackhat.com/
Apparently working captcha-breakers can fetch as high as $10k.
Shanti Braford on November 21, 2007 05:38 PM

I often get "Oops, CAPTCHA appears to be invalid.." from digg.com and it confused me so much.
I know what is wrong now. Thanks.
BTW, this site always lets you enter the word ORANGE. I bet it is the simplest CAPTCHA in the world.
Another vote for http://recaptcha.net/
"reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA."
Nick L on November 21, 2007 06:20 PM

Content based CAPTCHA is the way to go. For example Chew and Tygar http://www.cs.berkeley.edu/~tygar/papers/Image_Recognition_CAPTCHAs/imagecaptcha.pdf created a system that shows six pictures and asks which is different. Easy for humans, hard for computers.
Richard Hollos on November 21, 2007 08:33 PM

>SHOW ME. Heck, if it's so easy, why don't you show the entire class?
Not only that, but if someone's willing to pay $6k just for the software to break Ticketmaster's Captcha 50% of the time, there's got to be some monetary incentive in actually breaking Google's.
Then again, if Ticketmaster had reasonable prices I might be willing to pay $6k to bypass their crap just so I don't have to try the damned thing 5 times and end up with a terrible seat every time I want to see a big name play at a large venue (thankfully the small venues in my area don't usually sell out and don't have seats).
Vizeroth on November 21, 2007 09:03 PM

A few people have suggested using "free" porn sites as a way to break CAPTCHA's (i.e., if the wanker wants to see the porn, he has to solve a captcha from another site). That isn't a reliable way of breaking captcha's for time-sensitive applications like buying tickets when they go on sale. For buying tickets, you want a guarantee that a certain number of people will be available to solve captcha's exactly when you need them. The best way to do that is to employ some people. It's a low-skilled job, but you pay someone enough and they'll do it. If they quit, you can train someone else in 10 minutes. Set up the system so that everything else is automatic.
Brendan Dowling on November 21, 2007 10:39 PM

Maybe you all might be interested in my post.
Niyaz PK on November 21, 2007 11:05 PM

"Another vote for http://recaptcha.net/" - Nick L
Here's my second vote against reCaptcha.
Accepting wrong answers: dumb
Using dictionary words: dumb
http://www.captchakiller.com/ breaks it
Steve on November 21, 2007 11:14 PM

haven't read all the comments, due to the numbers of those, so i apologize in advance if this has been mentioned.
i would suggest making a second (or a third, or a fifth) textbox to enter the numbers/letters and a little icon in front of each one, that changes colors. 2 captchas, one with a string of the color of the text box you have to put the code in, another for the actual string.
wouldn't be all that difficult to write, and if done right would add (almost) no friction for an actual user, but a program would have to 'decode' 2 captchas, and then wonder what the main color of each icon is, then put the string into the correct one.
as a ticket broker i can tell you for a fact that ocr is not necessary to break ticketmasters captcha system. It's fairly simple if you think outside the box
lawrence on November 21, 2007 11:33 PM

Joseph Cooney: "did you notice you can mouse over the images to see a much larger version of them? Or just dismiss it out of hand because it comes from Microsoft Research?"
No, I simply had Javascript disabled when i tried it.
Venkman on November 22, 2007 12:10 AM

I can break the google captcha dude... just coz you don't know it don't say it is unbreakable for god sake...
Elf on November 22, 2007 12:39 AM

The most credible attempt at breaking all kinds of CAPTCHA's I've seen was in your previous CAPTCHA-related post, Jeff. That oke from Carnegie Mellon who did his doctorate in Human Computation.
I really admired how he tackled a simple problem (ie. computer not being able to read letters but humans can) and attacked it with the same simplicity (if only humans can solve it, lets do just that).
My thoughts on Google's successful CAPTCHA's is that they focus more on image effects rather than the transformation of the content. The other CAPTCHA's all contain some kind of transformation of the text - rotation, sizes and it looks like they even try and rotate it in 3D! But the thing is that there is a pattern of what they do to the text. They twirl it around and change the size at random places.
It looks like Google put their CAPTCHA's through one of those effects you get on a MacBook! The image is expanded or pressed in at places having an effect on the text. But the focus seems more on the image and not the text, which probably makes it harder.
Albert on November 22, 2007 02:09 AM

I believe that Google has the best Captcha in the above list, the ticketmaster, yahoo and hotmail can be too difficult to read.
Anyway, what about doing the Captcha as GIF animation or Flash?
I know people hate when something moves (this is web !pages!, not movies... bla bla). But anyway, time could be an extra factor that would make it difficult for the OCR tools. I would much rather have something jump around, move, scale dynamically than having something I can't read.
Peter Palludan on November 22, 2007 02:18 AM

I know of a company who gathers insurance quotes from using automated bots and then sell the information to competitors. To get around the captcha problem they simply pop up the captcha code on a machine in India where humans enter the code. The bot can then keep running to get the quote. According to my source they literally gather 1000's of quotes per day this way.
Rippo on November 22, 2007 02:41 AM

reCAPTCHA (http://recaptcha.net/) is an interesting project in this topic. From developer's point of view the best is that you don't have to (re)invent your own CAPTCHA for your site, you can use it as a service many ways:
http://recaptcha.net/resources.html
I've just created a new possibility to use its functionality:
http://code.google.com/p/mailhide-tag/
It is a JSP tag which helps developers to hide mail address from spambots.
This is an interesting video which pretty much sums up why I don't trust captchas
http://video.google.com/videoplay?docid=-8246463980976635143
ORANGE LOL NEED I SAY MORE?
Anonymous on November 22, 2007 05:28 AM

"reCAPTCHA (http://recaptcha.net/) is an interesting project in this topic" - Magyusz
Try reading the comments first... I already posted a link to a site that can break it.
Steve on November 22, 2007 08:37 AM

There is a paper from Microsoft Research (http://www.ceas.cc/papers-2005/160.pdf) that shows that the main problem computers face when trying to decode captcha is character segmentation (i.e. where a character begins and where it ends). For isolated characters, computers do better than humans!!
This paper is definitely worth reading!
aranud on November 22, 2007 08:51 AM

Venkman - re: JavaScript, that's fair enough. I've been burned by that kind of thing too http://jcooney.net/archive/2006/10/21/35475.aspx
I won't cross the streams.
JosephCooney on November 22, 2007 09:54 AM

I guess I am just getting too old. Looking through my stacks of old ticket stubs I find: Eagles (Hotel California tour) $13, Led Zeppelin (Physical Graffiti) $12, Pink Floyd (Dark Side of the Moon) $14, etc.
All of the old concerts used to cost about 2 or 3 albums.
Paying $100-$3000 for a 1 hour concert is just, um...., let's say not a great value for your entertainment dollar.
I've never heard of Miley Cyrus before, but people are paying $300+ for a ticket to see her? What on earth for? You could buy every CD and DVD from the Artist for less than half the price of a single ticket, or go to 100 movies (or more).
Or buy a car, or put down a downpayment on a house. Sheesh.
But then people are willing to pay $6,000 for a ticket to the Superbowl.
Yes, I know we live in a democratic capitalist society, but it sure feels broken to me.
David E. on November 22, 2007 10:00 AM

There's a really serious flaw within most CAPTCHA implementations: accessibility. A friend of mine is blind and since a few years, he is unable to use 99% of all websites, even if they are overall "blind friendly".
Only a few websites offer audio CAPTCHAs as alternative. Why isn't there some ready-to-use, free, "good" CAPTCHA implementation in form of a library that everyone uses?
Moritz on November 22, 2007 10:05 AM

There's a common word illusion going around that basically says that words don't have to be spelled in their correct order to be recognized:
for e.g:
fi yuo cna raed tihs, yuo hvae a sgtrane mnid too
Cna yuo raed tihs? Olny 55 plepoe out of 100 can.
i cdnuolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg. The phaonmneal pweor of the hmuan mnid, aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it dseno't mtaetr in waht oerdr the ltteres in a wrod are, the olny iproamtnt tihng is taht the frsit and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it whotuit a pboerlm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Azanmig huh? yaeh and I awlyas tghuhot slpeling was ipmorantt! if you can raed tihs forwrad it
Could this be used to make CAPTCHAS more secure?
Gilbert on November 22, 2007 02:00 PM

If Google sold something that could be resold at 100X face value, then you bet their CAPTCHA would've been broken by now.
foobar on November 22, 2007 02:34 PM

I saw a form of a CAPTCHA which I was particularly fond of. It asks you to calculate something. IMHO this can be used to make CAPTCHAs even better. Formulate a question in such a way that a human would be able to give an answer. The bots will not be able to decipher the question unless a good AI comes along.
GV TJong A Hung on November 22, 2007 07:46 PM

@Valdis - make a drawing of the object instead of a photo of the object.
Or tell users to say what object it is instead of what kind of object it is.
to Roddy: I checked that site. You choose a word from a list of words?
I don't think that's random enough.
"It asks you to calculate something."
Hmm yeah I think that will captcha 75% of humans too.
Alan on November 23, 2007 09:19 AM

"Paying $100-$3000 for a 1 hour concert is just, um...., lets say not a great value for your entertainment dollar."
It's called supply and demand. Demand (in the form of people with significant disposable income) has increased enormously since back in the day.
Alan on November 23, 2007 09:25 AM

Yeah, me too, I also hate the unreadable captchas
Laila on November 23, 2007 02:49 PM

Other feedback:
http://sam.zoy.org/pwntcha
The captchas that involve sums like 1 + 1 = ? are machine-solvable using something similar to what compilers use to resolve expressions. Once you have tokenized the captcha, it becomes simple to calculate the answer.
Jeff describes the Google, Yahoo and Hotmail CAPTCHAs as 'unbreakable'. The page he takes the images from does not.
Martin on November 24, 2007 09:03 AM

Trying to stop scalping with CAPTCHAs, effective or not, is an exercise in futility. They are only filling a demand.
If anyone should be outraged, it should be the performance artists. Ticketmaster is selling their product for less than market value, denying the artist revenue. Instead, that revenue ends up in the pockets of scalpers.
If an artist gets only $20 from a ticket that sold for $350, then the artist is getting seriously ripped off.
The artists should auction their tickets for whatever the market will pay. They should keep all the revenue from the sale of tickets to their performances.
As long as demand exceeds supply, the price will be "high". When the US tried to outlaw alcohol, it only created rich criminals (Al Capone). Trying to outlaw ticket sales only creates rich criminals such as Ticketmaster and scalpers.
In addition, letting the market decide the price, and the artist to get revenue, will make things better. It will give the artist incentive to produce more shows, and to pick appropriate venues. It will allow venue owners to charge the appropriate price, which will help upgrade and maintain venues.
The bottom line is, as long as people are willing to pay, there will be a market. The only question is who do you want getting that money? The scalpers or the artists?
On one of my websites I use random questions to perform verification. The problem with CAPTCHA is that the hacker knows he has to type into the box whatever is in the image. If you add a human only element, where the user has to understand and/or interpret a question, then it makes it infinitely harder to break. If you're ticketmaster, and using the English site, in the US, you could ask a question such as: "We live in the _____ States of America" or something similar. As long as they can spell United they can move on. Obviously hackers will compromise that question because they'll get the answer and program it into their scripts, but if you have a database of questions large enough, say 5000 questions, each dynamically generated when you get to the page, the likelihood of answering the question correctly is slim, or even knowing all the answers to all the questions, because the hacker will need to see them first to create an answer. By having different methods of answering such as blanks, checkboxes, radio buttons, etc, it makes it more difficult. Not to say that CAPTCHA when implemented correctly can work well, but it also makes it very hard for the humans to recognize the letters as well. At ticketmaster.ca I guess 8/10 times that I use it I screw up on the CAPTCHA image, and I have good eyesight. I know my mother has never been able to. Eventually people will get pissed off and not use it. But if the question is: "type cat with an 's' after the 't' into the box below" it will fool any script UNTIL the hacker finds a pattern in the question or the answer to the question. Again, make the questions random and different methods, and make the database of questions large enough and you won't have as big a problem. When we had the standard vBulletin CAPTCHA installed we got 100s of spam users/posts a day, once I implemented a few hundred random questions I haven't got a single spam user (other than a REAL person) in almost 6 months.
There are/will be some flaws, the questions themselves may be too difficult for people to answer, but considering the sad state of CAPTCHA as it is, when 50% of people can't get the damn thing right, the questions aren't such a bad idea.
Chris on November 25, 2007 09:36 AM

@Ron: Let's examine this Rock and Roll "economic" theory. Maybe I've misunderstood something.
"Trying to stop scalping with CAPTCHAs, effective or not, is an exercise in futility. They are only filling a demand."
"Filling" whose demand? Who is demanding to be ripped off? They're actually *exploiting* a demand. That's when you cynically take advantage of high demand to rip off customers by creating an artificial bubble, also known as "playing the markets".
"If anyone should be outraged, it should be the performance artists. Ticketmaster is selling their product for less than market value, denying the artist revenue. Instead, that revenue ends up in the pockets of scalpers.
If an artist gets only $20 from a ticket that sold for $350, then the artist is getting seriously ripped off."
Not if the artist is only producing $20 worth of entertainment/ticket. Don't confuse "not getting the most money you could possibly get" for "not getting a fair wage". Yes, if Ticketmaster was selling the ticket for $350, they'd be ripped off, but that's not the case.
"The artists should auction their tickets for whatever the market will pay. They should keep all the revenue from the sale of tickets to their performances."
Wait, so what's an incentive to run a venue for an artist in this case? Direct fee? As a venue holder can charge whatever they like for their venue (assuming it's the only one of the right size locally), why shouldn't they demand $100 dollars/seat REGARDLESS of the number of seats filled? Or did you forget that artists need venues?
"In addition, letting the market decide the price, and the artist to get revenue, will make things better."
Better For WHO? The consumers will be ripped off. The venue staff will be either ripped off, or ripping off the artist. The artist will either be being ripped off or be at the mercy of an extremely small and hostile audience (why should all the places be filled? Buying for re-sale'll still exist), who paid $1,000 for a ticket (nothing to keep prices low under this system, as there's no competition in the market), and want their money's worth. Now that's entertainment!
At absolute best, live performances would become a thing of the past, as people grew tired of paying during a spike, at which point prices would slump, so people would start going again. I believe this is called a Boom and Bust economy, and is considered a Bad Thing by anyone involved.
"It will give the artist incentive to produce more shows, and to pick appropriate venues. It will allow venue owners to charge the appropriate price, which will help upgrade and maintain venues."
Wha? No, the artist's incentive will be to do LESS shows. Every show they do reduces the market value of their tickets. And as they're getting *all* the profit, they'll make enough money from a small number of shows to support themselves for months, even if they build a cocaine lake. And how you get that it will "allow" the venue staff to charge an appropriate price (because that's their goal, obviously) is beyond me. Could you elaborate?
"The bottom line is, as long as people are willing to pay, there will be a market. The only question is who do you want getting that money? The scalpers or the artists?"
Of course there will always be a market for second-hand tickets. But by preventing people from buying large numbers of tickets for re-sale, you place a control on the upper price limit.
Seriously, wave an American-flag covered copy of Adam Smith at me as hard as you like, unregulated markets are a Very Bad Idea, especially in an area of Completely Indefinable Return. It wasn't called the Great Depression because of a lack of Prozac.
> Jeff describes the Google, Yahoo and Hotmail CAPTCHAs as 'unbreakable'. The page he takes the images from does not.
Until there's a price next to them, they are unbreakable. Unless you're selling software that can solve Yahoo, Google, and Hotmail CAPTCHAs?
Jeff Atwood on November 26, 2007 01:16 AM
Jeff, I'm sure someone will eventually break Google, Hotmail, and Yahoo's CAPTCHAs as well. It is just a matter of time.
Billkamm on November 26, 2007 07:40 AM
>...they informed me that I would still need to pay the fees. Some sort of evil agreement they have with Ticketmasters.
That's part of the ticketmaster contract - that tm is the *only* place one can purchase the tickets, and the box office for the venue ends up becoming a ticketmaster outlet. I believe it was Phish that tried to do tours at venues not covered by tm, and they had a very hard time finding places to perform at.
Getting back to the Cyrus/Montana issue, the problem is a bit more cut and dried. Members of the fan club were able to pre-order tickets, and every parent I know whose kid was a member of the fan club got a ticket, while the ones who weren't members got to pay the scalpers. Further, I believe the "lack of tickets" was artificially induced to amplify the hype for the character and the upcoming movie.
Peter on November 26, 2007 08:20 AM
An earlier post talked about Google making their CAPTCHA service available.
I found one here looking for some CAPTCHA code examples...
http://captchas.net
It's FREE!!
Donny V. on November 26, 2007 10:50 AM
> Until there's a price next to them, they are unbreakable. Unless you're selling software that can solve Yahoo, Google, and Hotmail CAPTCHAs?
Jeff, why do you make these stupid claims? Microsoft even showed they can break their own captcha if it's segmented. And you know what? It doesn't have to be segmented. You can try to solve for each possible 50x50 region in the image.
Jeff Makes Weird Claims on November 26, 2007 11:44 AM
Scalpers are entrepreneurs and heroes. They are reallocating resources to higher-valued uses, which in case no one noticed is what the market is THERE TO DO and success at which makes one (and one's society) wealthy.
Noah Yetter on November 26, 2007 03:15 PM
"scalpers are evil, profiteering bastards, to be sure"
Agree. But just how are they any different from Ticketmaster?
Same thing: buying bulk tickets and reselling them at a higher price.
Oops, no, same price + "convenience fee"
And not buying bulk tickets, but *all* the tickets.
fi yuo cna raed tihs, yuo hvae a sgtrane mnid too
Cna yuo raed tihs? Olny 55 plepoe out of 100 can.
I can read this easily (English is not my native language!). 55 of 100 seems too low for me, maybe 100% can read this.
Sadly it seems relatively easy for AI to read (all words are in the correct place, all words' first and last letters are correct, etc...)
"scalpers are evil, profiteering bastards, to be sure"
- That's for sure!
Actually, having done work for the industry at many levels, almost everyone in the chain except the artists are profiting quite well from ticket sales. If you ever saw their profit margins it would make you sick. If you ever saw the real bottom line for the artist, it would make you sick. Hint: When you see the numbers for what the act is receiving for a show, dig a little deeper. The act then has to pay ALL of the expenses for the tour. Usually a promoter (scumbag) or label (big scumbags) pays for those expenses up front and the artist has to reimburse them at an inflated rate. The artist gets whatever is left over. Acts are not usually particularly good business people. Actually, history would show that they are lousy financial managers and the industry uses every opportunity to, ahem, "separate" the artist from their income. Having seen hundreds of concerts as an "insider", most of them are lousy once you get past the hype. Watching an artist vomit all over a stage (I've seen it many times) does not lend itself to a high quality performance. Yes, Hannah Montana/Miley Cyrus is the exception....daddy wasn't.
I stopped buying tickets to those events a long time ago. Truth be known, I really don't miss it. I have better things to spend my money on (hmmm one Hannah Montana show vs. a weekend trip with the family...sorry Hannah, you lose!)
Steve on November 27, 2007 11:52 AM
Re: Making scalping illegal
They've tried this here in Norway. In effect, they made it illegal to resell a ticket for more than its face value. The jury is still out on how effective it is, and so far it seems to mainly make trouble for legitimate resellers (fanclubs etc.)
Maybe the problem is easy credit from consumer credit cards.
Make people save up for a concert and use debit only from their checking accounts.
If people could only spend what they saved or what they earned that pay period, it might lower prices.
I remember when my aunt was outraged that they were trying to charge 30 dollars 'for a doll?!' (Cabbage Patch Kids). What's 30 dollars if you just 'charge it'?
As long as easy credit remains available to 'hyperbolic discounters', we will all have to pay the same higher prices that 'hyperbolic discounters' are willing to pay, even though unlike them, we may feel that a lifetime of 'easy payments' is actually a bad deal in the long run.
If you don't think easy credit can run up prices, take a look at the housing market.
How much more do housing prices need to drop to be back in line with what a long term price trend would have predicted they be now?
Alan on November 28, 2007 03:59 PM
I think that Ned Batchelder, as per his comment here, is on to something.
Oh, and this whole ticketmaster discussion is so artificial. Real musicians do not play shows for $200, and they never have. Pop music is a commercial product, the only people it affects are the owners (record labels), so in all honesty who cares?
Artificially high ticket prices, and artificial music, will collapse along with the mainstream record industry.
Marshall Eubanks on December 3, 2007 11:57 AM
Yahoo's CAPTCHA doesn't seem to be unbreakable.
They have implemented it on the Yahoo Chat service, and the chat rooms contain more spam bots than actual users.
A good rule of thumb for a CAPTCHA is that it can only protect an asset worth $.01, because that's about what it would cost to have your Chinese turing farm or porn-for-CAPTCHA scam (or pay at Mechanical Turk) to do it for you.
bring back figlets to create fun captchas! :)
-ac- on December 10, 2007 01:09 PM
There are two related problems here - one is that the rapid advance of technology means that there is little time for actual standards to emerge, and very little chance that the overworked, underpaid code-monkey asked to write a captcha is going to be afforded the opportunity to discover and employ the standard.
But that's not the biggest problem. Arguably "captcha coding standard" ought to solve that problem if the coder thinks to Google it (remember that many of these coders are not native English speakers).
No, the biggest problem is that whether it's captcha or an encryption method, programming your own solution rather than using an open standard is an invitation to disaster... AND an opportunity for exploitation.
Last year I was helping a Fortune 50 company with PCI compliance when a mainframe coder told me that the system was now compliant because he had instituted 'encryption.' When I investigated, I discovered that he had 'invented' his own encryption method, which was simply an arbitrary scramble of the data fields.
I didn't bother trying to crack it, but I assured him that he needed a standards-based solution, and that his method would not suffice.
It occurred to me afterward that he had a great opportunity there. Assuming he was crooked (which is my job as an infosec consultant) I realized that if he had gotten his 'encryption' method to work he could then have sold its backdoor, secret key, or built-in vulnerability to the highest black-hat bidder.
Likewise with these weak captchas - the original Ticketmaster coders would be in an excellent position to exploit their knowledge of the captcha weaknesses in order to create their own scalping company.
Meanwhile here in Minnesota scalping has recently been made legal. That's a brilliant solution - one way to fight crime is to take the laws off the books, then everything's legal!
Albatross on December 10, 2007 01:39 PM
Ludvig Ericson wrote: "If you can't read the CAPTCHA on Yahoo, you have terrible eyes or a bad monitor. They're easy."
I found this comment grossly offensive. It suggests that anyone who has "terrible eyes" isn't worth bothering about. My eyes are not "terrible", they're probably about average for someone of my age (61), and I can't read some Yahoo CAPTCHAs. Let me guess, Mr Ludvig Ericson - you are under 30 years old and have little or no respect for older people or for partly-sighted people. Just wait 40 years; you will develop a different perspective.
Gordon Bennet on December 11, 2007 12:43 AM
Surely captchas are not the optimal way to prevent spam, however they are a "good enough" solution in most cases, at least limiting the amount of spam comments/bot logins.
Also, reCaptcha helps digitalize books, so you feel like contributing in some way!
Can it be broken? Sure, but right now it's still better than nothing.
Years ago, I had a friend who worked as a buyer for a ticket broker. On opening day for ticket sales of a big event, he and several others would stand in line at TM to buy tickets. After the tickets were purchased (I think the max was 6 back then), the broker would hand them cash for the purchase price plus a $100 premium.
They could easily do the same thing (and probably do) with online sales. Captchas or not, using several humans to handle the purchases will get through.
W^L+ on December 11, 2007 03:30 AM
Wow, The Schneier linked to you, Jeff.
http://www.schneier.com/blog/archives/2007/12/defeating_captc.html
Leonardo Herrera on December 11, 2007 12:31 PM
what about sound captcha or why don't we use image rabbit+duck technique?
just curious thx
eof on December 12, 2007 11:55 AM
Captcha and usability article ..
http://www.vebguru.com/?p=99
In some cases (such as where I work) it is not the programmer, but the company that fails to use the right captcha technology in the right way in the right places and with the right frequency. I am myself a programmer asked to redesign and code our new single sign on solution only to have virtually all my security and captcha suggestions shot down as "too hard" for the typical user. I will not mention the company, but only say that they are in dire need of higher standards of security. So, don't be quick to blame the programmers. Companies share the burden, too. Lesson here is make sure your company is educated on the pitfalls of implementing security. It's an uphill battle with little reward.
William M. Rawls on January 7, 2008 09:16 PM
Any suggestions on how to mimic the google method via PHP's GD library?
I can't figure out how to distort the image like that...
_ck_ on January 30, 2008 02:15 AM
Steve:
http://www.captchakiller.com/ has no captchas broken. They use humans to crack captchas :-)))) Read the posts there to make sure.
I noticed this site is offering an opensource captcha breaker but it is written in OCaml so I doubt spammers are smart enough to even compile it.
http://churchturing.org/captcha-dist/
Ahmed on March 1, 2008 10:18 PM
Live Mail (Hotmail) and Gmail said to be broken:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=171
http://www.websense.com/securitylabs/blog/blog.php?BlogID=174
Yeah, hotmail is listed as unbreakable because the hacker can't write a program to read them. *I* can't read them!
The last time I tried to sign up for a hotmail account I gave up after failing the CAPTCHA several times in a row.
I think the idea of having images of animals/vehicles/whatever as a captcha is an EXCELLENT idea.. I don't know why it's not been done sooner.. I can't imagine the amount of work it would take to be able to decipher the type of animal from a picture of it!
What will always make the human win over machines is the fact that we learn by association.
For example:
A captcha prompts you "name the type of vehicle"
the picture is a paper airplane.
so, the algorithm would not only need to be able to determine any vehicle from pictures of actual vehicles (of which there are millions) but also things that are LIKE the vehicles (which is something close to infinity)..
Beat that! =P
return "orange"; // Like it!
Rob on March 5, 2008 05:25 AM
Hi
This best protect in this post!
Dear Sir,
This bid could be an unknown to you when you see it for the very first time. Firstly, I would waste few moments of your valuable times to introduce myself. I am Nazrul Islam of DATAENTRY Solutions Centre. I am a citizen of Bangladesh. I must say that I am very fortunate to contact with you.
Probably, you might have known the technology is being widely extended day by day to keep pace with the developed countries, in Bangladesh. For any business or job, now a days, internet is one of the best sources of earning.
We have 86 (eighty six) operators with computer. If we would be selected to work on your captcha entry project, I would be very beneficial as well as you. I could assure you of minimum 100,000 (one hundred thousand) CAPTCHAs' are accomplished daily easily(if your captchas will be available). If you want then we will given 15,000 (fifteen thousand) captcha enter for you. The people who have been working with us are very sincere and hard worker, good temperament, having persuasion power and 50-60 wpm of typing speed skill.
They have been given you 1 MB (full Duplex) dedicated Internet facilities.
We will ready for any time to giving you 24/7 facility.
Therefore, I am seeking a work on your captcha entry project. If we could begin here, the long time relationship between us would end up nowhere.
Give me your demo.
I would look forward to your reply.
Thank you.
Nazrul Islam
Managing Director
of
DATAENTRY SOLUTIONS CENTRE
Dhaka,Bangladesh
yahoo id dataentrysolutionscentre
Most popular CAPTCHA types already recognize by spammers. I hate spammers. http://freexmovies.webng.com/map.html Every day i get a 50-120 letters to e-mail and over 100 comments into blog. It’s crazy! Spam filters is not best way…
Pokers on May 7, 2008 03:53 AM
Content (c) 2008 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.