We've all had to deal with CAPTCHA, the popular method to prove our humanhood wherein we are asked to type in the words that we can discern from a distorted image of those words.

What if you wanted, for fun, to run it in reverse - to create the distorted image from words of your selection?
I thought there would be a site out there somewhere that would have this little fluke of an idea already running for the pleasure of the webverse, but my googling didn't bring it to the fore.

Has anyone here ever seen anything like this?

I don't know, but I'll take this opportunity to say I hate captcha.

I currently use a "proof of work" filter on my blog and it's been 100% effective so far at preventing spam.

Hm. I hadn't even heard of Proof of Work filters. (Since Jon didn't provide an example link, I will: Kapow.) The basic idea is that the client is required to perform a complex programming task via JavaScript in the hopes that a real user is willing to wait a few seconds and a spammer is unlikely to want to spend CPU time to generate the appropriate response.

Personally, I question the validity of that argument. Undoubtedly, spammers currently don't have full JavaScript engines in their backends, so are currently failing those tests. But I doubt that that's going to be a huge concern if PoW filters become popular. I could be wrong.

I happen to think that ReCAPTCHA is a great solution. The PoW authors claim is that it's not difficult to programmatically decode the corrupted text. But they use text that has already failed to be decoded, because it's text that has failed OCR for a real text. This means that your effort is not going to wasted, as it's going to help OCR text in an automated turk fashion, and either the spambots are going to fail the test, or they're going to develop algorithms that can decode currently undecodable text. I think it's exceedingly clever social engineering.

Here's an interesting article on CAPTCHA by Jeff Atwood that would tend to support the PoW argument.

Personally, I feel that using a couple of seconds of brain time for something with some societal merit makes more sense than using a few seconds of CPU time for no additional benefit. There are certainly arguments regarding the accessibility of CAPTCHAs, though. YMMV.

There are multiple programs out there to defeat ReCaptcha. Not something I download specifically, but I know one specific program I use as a download manager has a plugin built-in for it, along with plugins for most other captcha variants.



If that's the case, then how does it work? What are they validating the human response against? For any similar turing test to work, the answer must be known ahead of time to validate the human's input. I always thought ReCaptcha used the first word for validation and the second word as the donation.

Captcha in general is a huge issue for accessibility. ReCaptcha has introduced a spoken word option to try and alleviate this issue, but I think it's useless. I've tried and and couldn't understand at all what was being spoken. I've also had to regenerate the words numerous times because even with perfect vision I could not decipher the globs of garbage on the screen. This is a greater problem with some other implementations, especially those that use mixed case and numbers. Both of which are asinine for this type of test.

IMO, this type of turing test is an engineering-less easy way out that puts undue pressure and discomfort on visitors to one's site. I'm against their use. If you need to protect your site's contact forms or comment forms, use a more clever solution that doesn't involve potentially pissing customers and visitors away.

I'll point out one huge problem with Jeff Atwood's article. He's ignored the facts. As everything he says and claims to be fantasy, is actually fact. A sweatshop for captcha could operate on $5 per day, not per hour. Porn-based gateways have been used and are in fact economically feasible. And there are programs out there now to defeat popular captcha implementations. There isn't one program to defeat them all, but unique solutions to each implementation. Choosing not to use captcha is also not due to believing the test is easily compromised - it's not and no one will compromise a custom implementation on a small site. It's about not treating your visitors and customers like douche bags.

After reading the KaPoW site, I'm lead to believe the only thing it tests for is a valid javascript interpreter in the client browser. And that this test would fail if a spammer were using some script-only connection method to your web host. IMO, that's not failure proof. Further, in the example of the comment system where it evaluates the comment contents and then decides on the strength of the PoW, another hassle. If the comment is decidedly spammy, just don't submit it and put back a message telling the visitor to post something less spammy. Causing the browser to sit crunching some problem for X amount of seconds just seems pointless in this case.

So I agree that a quick test to validate a javascript engine is a good painless exercise if you don't tell anyone hat you're doing, but the tests that take super-long aren't of any use to anyone IMO.

Now, in answer to the first post, what you want is one of the CAPTCHA scripts. That's what will convert text to a graphical image. Most are likely to use a piece of random text generated real-time, but with the source you should be able to modify this to accept text passed in from a form.

Apparently they send the unknown word to several users, and if all the responses match then the word is regarded as decoded.

That's exactly how it does it. That's what Bitt's referring to. OCR has failed on the word that ReCAPTCHA doesn't know.

And I'm not sure it's always the first word. I think they mix it up so you don't know. But I do notice that sometimes it's obvious which is which.

The article's over three years old. I didn't say that it was currently accurate. Computing power has increased a lot in three years. I was merely pointing out that if CPU consumption really is a potential gating component, then maybe PoW would actually work. In addition, as computing power increases, it's trivial to increase the amount of computing power needed in order to pass the test.


It uses one word for the validation and another for the donation, not necessarily the first and second. It does have no way to validate the unknown word, and only validates against the known word, but as long as the scrambling algorithm keeps ahead of the spammers, and the spammers keep playing catchup, at some point we'll have an OCR system that's better than what we have now. It's intentionally not hack-proof.


I've never had to do this with ReCAPTCHA. I have with other systems. This, combined with your inability to detect CRT flicker, leads me to disbelieve your assertion of perfect vision.


Assuming that the spammer's client had a working javascript interpreter, yes. But, importantly, also assuming that they're also willing to spend several seconds of CPU time per post maxing their CPU. Assuming that Jon's site used to get spam and doesn't now that he's implemented his PoW scheme, it seems that it's at least driven the spammers to gather lower-hanging fruit. I'm inclined to say that once all fruit gains the same height, it won't make a lot of difference, but maybe I'm wrong.

What makes you think that spammers are using their CPUs to do the work?

Also a good point.

Here's an interesting recent article on breaking CAPTCHA (PDF).

For the record, I'm using WP-HashCash.

By itself, it currently detects 100% of spam. If necessary, I could combine it with Akismet to make it even stronger.

My argument is that a spammer is more likely to spend that extra CPU time versus a legitimate visitor - if the option were there. I'm not gong to sit around for a few seconds waiting for my comment to post. Comments are pretty much bullshit anyway (on most sites), so I generally won't post them and contribute to the garbage pile. But If I did, I certainly wouldn't be around waiting as if I was on some 20 year old dial-up connection.

The stopping of spam has more to do with the spamming scripts not having javascript interpreters and not being able to do any calculations at all rather than the artificial time penalty. The most beneficial implementation of PoW is with a lightning fast calculation that won't even be noticed by the human visitor.

And this too can break accessibility for some people. Not all browsers have javascript (a text-only browser like Lynx comes to mind). I'm not a fan of using Javascript for something that isn't likely to benefit the viewer and isn't optional. I do like the server-side evaluation of the content however.

The spam script doesn't even need a javascript interpreter. All it really tests for is the ability to calculate sha-1 hashes. The spam script can easily parse the seed for the hashes out of the javascript file.

The plugin I use doesn't max out the cpu for several seconds. It just trys to use javascript to prove that someone at a keyboard physically typed out a comment. It's completely invisible to the commenter.

Which, I might add, is significantly less inconvenient that typing in a captcha.



Agreed. That's how wp-hashcash works. If/when the spammers get around to integrating a javascript engine, we'll have to see what happens. So far, I've not had a single spam comment get through.



That's where akismet comes in as a secondary filter. When clients that don't have js enabled comment, it just goes into my moderation queue and I approve them. no problem there.

As I said above, no javascript interpreter is needed for the spammer. You can calculate sha-1 hashes in any language. It's more about proving that you took the cpu cycles to do it. Unfortunately, the server must have to do the exact same work to compare answers!

I'd say it's probably impossible for a server to verify if a client has a working javascript interpreter. I imagine you haven't gotten any spam comments yet because (a) not enough sites use this system yet to make it worth someone's while to write the code to bypass it, and (b) the time delay required to do the calculations. Once widespread use of this system reaches a certain critical mass you'll probably start getting spam.

It's going to have to be site-specific code to by-pass different implementations however. And it still means that the attacker has to write something to interpret what the hoster is sending and expects back. It would probably be easier just to throw a javascript interpreter into their code.

Eh. They already have to write implementation-specific code.



I'm mistaken on that last part.
http://en.wikipedia.org/wiki/Hashcash#Sender.27s_side

It takes a long time for the sender to calculate but is quick and easy for the receiver to verify.

Not to pass the PoW implementation that have been linked. All that's needed is Javascript interpreter that can function as it does in a common web browser.

Sure, they could use javascript. They could also use an already existing web browser engine to post the http form data.

But either way, a PoW isn't a "quick test to validate a javascript engine" and has little to do with spammers not being able to get ahold of one.

Back to the OP. You can use your favorite scripting language, such as PHP, along with some graphics and font libraries (GD, imagemagick, freetype) to render text based on the contents of a string. Render each letter one at a time if you'd like, distort and then composite. Repeat. When done, display. But I'm sure you can find something out there already doing this if you search with some different terms.

Like this one: http://www.phpcaptcha.org/

Thanks, Bruno.

I'd forgotten but now I've remembered. Or had thrown in my face. One of the worst captcha implementations ever comes from the darlings of shit web design, inexplicable 'concepts,' eternal public alphas and buggy code, Google.

Trying to log into your Google "apps" account or adsense or really anything at Google will, quite very often, prompt you with a CAPTCHA. Why? There's never a reason or error given about your attempt to log in with username and password.

Google's scrambled words are very often impossible to make out, but they're always very difficult. If you have vision impairment then you're really in the shit. Try listening to the audio clip and it's even more confusing that the scrambled garbage they want to you look at.

To top this all off, what happens when you definitely type the right word? It may log you in. Or, it may just ask you for it again. With no error and no explanation given as to why. Click on the "can't access your account" link and you'll get a multiple choice prompt, of which none of the choices match the problem you're seeing. Pick one anyway and you'll get a list of excuses explaining that Google's account system has bugs that are being worked on. Yeah, I needed them to tell me their stuff is buggy. How many years exactly is this going to take to fix?

I'm frustrated as hell and can't log in to my old adsense account at all right now.

I saw a tv program that covered captcha and it's creator. They say that they use it for Google's online book scanning project. The captcha thingie will present you with a word it knows, and one from the scanning project that it can't ocr. If you get the one it knows right, it assumes that the other one is correct too and uses it in the book project.

Adsense blows.

You must have annoyed them, I've never seen a captcha connected to any of my Google logins/services.

Maybe you are using a bit of software that is logging into your Google account and doing something to trip their "not a human" throttle ?

Looks like you can see the Google catcha in action here:

https://www.google.com/accounts/DisplayUnlockCaptcha

Hitting refresh a few times shows that there are indeed some very hard to read ones and the audio is almost completely unintelligible to me, I certainly can't make out what I am supposed to type from the audio.

I'm glad I've never had one of those pop up in real life.

Maybe you could add something here:

http://www.google.com/support/forum/p/gmail/thread?tid=1362c6c8aa7ab5c4&hl=en

for all the good it will do, Google just don't do support

Thats reCAPTCHA not the Google one.

Part of the mystery solved.... When I try with Firefox, at least I can see an error message under the login that means something. For instance "incorrect password" - that's not showing up in Safari.

But even with Firefox, Google has come back to tell me that I don't have an adsense account with a particular email address. Even though I've received a message from Google TODAY to that email address about AdSense (the contents confirmed it was the adsense account - and it wasn't a phishing email).

Within my firm we often get captchas from google, because we have about 50000 staff connecting through our Germany gateway, and to Google that looks a bit like some sort of DoS attack or attempt to drive up clicks.

Never seen them as a problem - if I get one I can't figure out, I click for the next one.

Also not a fan of AdSense though - but I am happy that that is the payment model google use as it means I can avoid most of its effects.