The Proof-of-Work CAPTCHA: Prove you are a computer!

34 replies
Hello folks,

I filed a patent application for a new CAPTCHA technology. The details do not belong here (much, much too long) but if you are interested you can see them in my Warrior Forum blog The Proof-of-Work CAPTCHA.

Basically, what I am doing is combining a distorted-character captcha with something called a "Proof of Work", which is a way to force the user's browser to carry out a complex computation of my choice, similar to HashCash and Bitcoin.

The Javascript code to perform the calculation is sent to the user's browser together with the captcha. The user is only required to solve the captcha, while their browser performs the calculations. In order for the user to be given access not only they have to solve the captcha (as in any regular captcha system) but their browser must also return the results of the proof-of-work calculation.

For an ordinary user this is no great burden, all they will see is that their computers will have a slightly higher processor load than normal. For the spammers, though, it will be a disaster.

The key is that, in general, automated spamming tools do not use a full browser, so they will not be able to produce the proof-of-work, and in any event the proof-of-work calculation will increase the amount of computation required well beyond anything reasonable (from the spammer's point of view).

I wonder if I can ask the warriors in this forum to suggest the best way to market this technology, and/or any ideas, suggestions, critiques (flames!) etc.

Thanks,
Joe (aka mekDroid)
  • massarogi:
    Have you heard of these guys? End the CAPTCHA Agony | Are You a Human

    I saw mailchimp using them recently, basically, captcha in the form of games.
    • mekdroid:
      Yep, I have seen them ... there are a few new image-based captchas around, captcha-games, etc.

      Unfortunately, they are all trivially easy to break. Basically, at any given time there will be only x variations of the game; all that a spammer has to do is collect enough variations and the corresponding answers to solve the captcha.

      Keep in mind that the standard for captcha security is that only 1 in 10,000 attempts should work--otherwise the captcha will not be secure enough to protect anything. And, in any case, a sophisticated spammer could send the game, images or whatever to a captcha-solving service somewhere in a low-wage country and have them solve the captcha. Since the captcha solvers are human they will be able to return an answer ...
      Signature

      Temporary occupation of some valuable piece of technical real-estate, followed by a negotiated retreat with full coffers

      • massarogi:
        Originally Posted by mekdroid:

        Yep, I have seen them ... there are a few new image-based captchas around, captcha-games, etc.

        Unfortunately, they are all trivially easy to break. Basically, at any given time there will be only x variations of the game; all that a spammer has to do is collect enough variations and the corresponding answers to solve the captcha.

        Keep in mind that the standard for captcha security is that only 1 in 10,000 attempts should work--otherwise the captcha will not be secure enough to protect anything. And, in any case, a sophisticated spammer could send the game, images or whatever to a captcha-solving service somewhere in a low-wage country and have them solve the captcha. Since the captcha solvers are human they will be able to return an answer ...

        According to their video, bots can't get through Secure from All Angles | Are You a Human
        • mekdroid:
          Sure, but the spammers will use humans in low-wage countries to solve the captcha ... their algorithm might be able to tell a bot from a human, but if a human captcha-solver in a low-wage country is doing the work, well ... they are human!
          • WillR:
            Originally Posted by mekdroid:

            Sure, but the spammers will use humans in low-wage countries to solve the captcha ... their algorithm might be able to tell a bot from a human, but if a human captcha-solver in a low-wage country is doing the work, well ... they are human!
            So why wouldn't they just employ the same people to break your captcha if all it takes is a person with a real browser solving a simple problem?
            • NewParadigm:
              Originally Posted by WillR:

              So why wouldn't they just employ the same people to break your captcha if all it takes is a person with a real browser solving a simple problem?

              You'd need to read the blog post which is more in depth.
              Signature

              In a moment of decision the best thing you can do is the right thing. The worst thing you can do is nothing. ~ Theodore Roosevelt

            • mekdroid:
              Hi Will,

              You missed the point! The whole idea is to force the spammer to use a real person, not a bot! Look, the highest cost for a spammer is to use a real person with a full browser, so that is the upper bound of cost on the thing.

              What every spammer wants to do is use a bot, though, not a person because: 1) It costs them money, and 2) It slows down their spamming speed dramatically.

              That is the best we can do ...
              • WillR:
                Originally Posted by mekdroid:

                Hi Will,

                You missed the point! The whole idea is to force the spammer to use a real person, not a bot! Look, the highest cost for a spammer is to use a real person with a full browser, so that is the upper bound of cost on the thing.

                What every spammer wants to do is use a bot, though, not a person because: 1) It costs them money, and 2) It slows down their spamming speed dramatically.

                That is the best we can do ...
                Yeah, I got ya.

                But the cost to have people enter these things must be dirt cheap if outsourcing to 3rd world countries and well worth it for them. 1 cent for a captcha enter, even I'd happily pay that -- if I were that way inclined.

                It's certainly an ongoing problem. Some smart person will come up with a solution one day.
          • philrich21:
            Originally Posted by mekdroid:

            Sure, but the spammers will use humans in low-wage countries to solve the captcha ... their algorithm might be able to tell a bot from a human, but if a human captcha-solver in a low-wage country is doing the work, well ... they are human!
            Yes this is what I was also under the impression was occurring.
            Signature
            FREE Instant Download - Learn How to Build Massive Residual Home Income with my My Guide to Leveraging the Power of Blogs & How to Quickly Build a Massive Mailing List Click Here to Download
  • NewParadigm:
    Interesting blog read, have you set up a site and invited hackers to try and break it? I think challenge would be newsworthy and get some attention.

    Please help craigslist, they are now deluged w/ spammers. I am selling a few items and get bombarded with BS spam trying to get me to reply to grab my email address. CL needs some captcha or double blind email system.
    • mekdroid:
      Originally Posted by NewParadigm:

      Interesting blog read, have you set up a site and invited hackers to try and break it? I think challenge would be newsworthy and get some attention.

      Please help craigslist, they are now deluged w/ spammers. I am selling a few items and get bombarded with BS spam trying to get me to reply to grab my email address. CL needs some captcha or double blind email system.
      Hi,

      Not yet, I am in the process of implementing it for various platforms (WP, etc).
    • goindeep:
      Originally Posted by NewParadigm:

      Interesting blog read, have you set up a site and invited hackers to try and break it? I think challenge would be newsworthy and get some attention.

      Please help craigslist, they are now deluged w/ spammers. I am selling a few items and get bombarded with BS spam trying to get me to reply to grab my email address. CL needs some captcha or double blind email system.
      Excellent marketing and PR tactic; however, if they smash your site to bits, which is very, very likely, not only are you going to look like a douche, but your site will be blasted into a thousand pieces, and good luck trying to fix everything without spending time and money. Even if you do a backup right before the hack-a-thon, you will still have your server melted with costs, and then all the work to do all the uploads and debugging afterwards.
  • jchengery:
    Hello Joe,

    I agree with NewParadigm: It's interesting, and by inviting hackers to break it, not only would it become newsworthy (i.e. press releases), but you could also make sure that you and your team are not overlooking anything. (I'm not saying you are, but just to make sure there isn't any angle that was overlooked by accident).

    Certainly, a very innovative idea, and a very NEEDED one as well!

    Good luck!

    Take care,

    Joe Chengery
    Signature

    My free ebook on pancreatic cancer: http://ow.ly/nPVhm Let's help my friend Courtney Reagan strike out cancer!

    Are you WORRIED about what wheat is doing to your waistline and your health? You SHOULD be! http://ow.ly/jSIY9 Internet marketer, copyeditor, copywriter, content creator, author - http://www.joechengery.com

  • Sushiman1111:
    I'm far from technically savvy, but this sounds like a great idea. Overload the spammers' computers with processing requests...brilliant!

    I just finished reading Daemon, by Daniel Suarez – great book if you like tech thrillers – and this sounds just like something that his evil (?) genius character would dream up. Best of luck!
  • SteveSRS:
    I read your blog; it's an interesting idea! I don't think it is a foolproof solution, but def another weapon in the fight against spammers.

    The whole idea of hitting the spammers where it hurts (in the pocket) is a very good one though. Upping their costs of solving captchas will def help against spam; if we can make it so expensive that it just doesn't get them enough money anymore, that is a good approach. However, there are many other factors, like using bots (as mentioned earlier), and also the fact that computing power is getting cheaper by the year, so you'll be needing to update the settings as well. Also, you might hit some legit users on legacy computers in company networks, etc. There are still plenty of companies running completely on Win XP.
  • funkynassau:
    If your idea works then that's great! At this moment our site is down thanks to spammers who got into our forum and flooded it with thousands of spam posts in one day. I am beyond irritated about this. My web design person said there is a captcha set up, but how then did they get past it? Right now we can't get in to look at what went wrong; the domain host needs to give us some bandwidth (as we have none) so we can resolve this. Hopefully today all will be resolved. If only spammers used their smarts for good things.
    Signature

    ChipFixx custom mixed auto touchup paint kits.
    http://www.chipfixx.ca

    • Paul Myers:
      Hmmm. Leaving aside possible prior art objections, does this work and play well with the browsers used on portable devices?


      Paul
      Signature
      .
      Stop by Paul's Pub - my little hangout on Facebook.

      • mekdroid:
        Hi Paul!

        It should. This is how it works:

        1) I set up a hash problem at the server (i.e., I pick a number that needs to be hashed.) This is exactly the same as what Bitcoin does, except that the difficulty of the hash needs to be adjusted so that it takes only X seconds to solve on average. Think of it as forcing the user's browser to do some Bitcoin mining, just much less difficulty than Bitcoin :p and therefore much faster (only seconds).

        2) I send the browser a piece of Javascript that has the initial hash value and the code that is necessary to perform the hashing calculations. The code starts running as soon as the page loads (i.e., no user intervention).

        3) The proof-of-work result of the hash (which is simply a number that when hashed together with the original hash results in a hash that is numerically smaller than the original one) is stored in a hidden variable.

        4) When the user fills-in the captcha and clicks submit the server will simply verify the hidden value (this can be done very quickly at the server, as the verification takes only one hashing operation).

        So, re. mobile browsers, they simply need to be able to execute Javascript, which they do. Also, I am not really doing anything very special with the Javascript, and I do not rely on external Javascript libraries, the whole thing is self-contained and pretty small at that.

        As for the prior art, I am crossing my fingers on that one! I have been through the patent process enough times that I think there is a reasonable chance. The patent search did not pick up any patent or patent application that disclosed this particular combination, and the examiner cannot put two patents together for a 102 prior art rejection; for that they need to pick a single patent that teaches both.

        More worrisome is the chance of a 103 obviousness rejection ... here the examiner needs to find two patents, one for a captcha (bunch of them around) and one for a proof-of-work (some there too) and argue that it is obvious to put the two together. That is how it always goes with patents, though, so there is a reasonably good chance that even if I do get slapped with a 103 rejection it could be overturned on appeal.

        Thanks!
        Joe
  • NewParadigm:
    I would think the bar to set is not being perfect, but rather, being tougher than the next captcha so the spammers move on to lower hanging fruit.

    Like a burglar skipping your house w/ an alarm system sign and going next door to the house that left a window open.
  • NewParadigm:
    What's goin on w/ the large botnet attacks on wordpress?
  • DubDubDubDot:
    The basic concept is nothing new. Bill Gates floated the idea of a "processor tax" when sending an email to curb spam.

    Here's a story from January 2004:
    Gates reveals his 'magic solution' to spam - CNET News

    It was somewhat interesting for email spam back then because those spammers were known to have 10, 20, 30 computers running at once sending the spam 24/7. If you could force a computation that takes even one second, the email spammers would have to spend a significant amount of money on more systems. This is of course speaking in 2004 terms when the Pentium 4 was king and ran $1,500 to $2,000. At just one email per second per computer it would have been impossible for them to recover their former mailing power without spending six or even seven figures on more computers.

    There are a couple of obstacles here in 2013, whether we are talking about a processor tax for email or captcha. First, there is a wide range of processing power in the hands of consumers today, since computers don't go obsolete at the rate they once did. So that 1 second tax on the computer that was purchased yesterday is quite the annoyance for someone using an older system that takes longer to make the computation. Second, are captcha spammers running multiple boxes 24/7? If not, does it really matter if it takes their single computer 3 hours to do the dirty work versus the current 10 minutes? You really aren't curbing anything in that case.

    Email spam filtering has come a long way since Bill Gates' idea to tax systems. Similar concepts will have to be applied to forum and comment spam.
  • Kevin Maguire:
    And, in any case, a sophisticated spammer could send the game, images or whatever to a captcha-solving service somewhere in a low-wage country and have them solve the captcha. Since the captcha solvers are human they will be able to return an answer ...
    These would be people hired through services yes? Human captcha breakers. Would they not have full browsers open to solve your extra calculation request?

    So basically it might beat basic OCR based solvers on the market. But would still remain useless against actual human solvers.

    Looks like a good time to invest in the human captcha solving sector.
    • mekdroid:
      Hi Kevin,

      Not really. Yes, the human captcha solvers would have full browsers, but they are not actually on the site being cracked.

      The way this works is that the spammer uses an automated tool to go to the site, scrapes the captcha image (only) and sends the image to the captcha-solving service.

      The captcha-solving service then selects one of their workers (they have thousands) and sends them the image. They return the answer to the captcha to the captcha-solving company, which then sends the image back to the spammer.

      For what it's worth, there is even a standard for sending the captchas.

      Unfortunately for the spammers, the standard does not (as of now) cover the situation in which their spamming tool is asked to execute the operations needed for the proof-of-work, and the spamming tools (i.e., ScrapeBox) do not use a full browser.
  • clever7:
    With such a complicated captcha, many real people will feel discouraged to post a comment.
    • mekdroid:
      Hi clever ...

      No, the user never sees the proof-of-work! The idea is that all they see is a normal captcha, but meanwhile their browser is performing the calculations. In fact, the captcha can be made easier than normal because of the proof-of-work ...
  • Alex Blades:
    Sounds like a great idea, and hopefully you can get the patent for it, but there is always a way around everything. There are armies of human captcha solvers in third world countries.

    But you never know, you may be able to sell your captcha system to a big company for big bucks
    Signature
    " I knew that if I failed, I wouldn't regret that.
    But I knew the one thing I might regret is not ever having tried. "

    ~ Jeff Bezos

    • mekdroid:
      Hi Alex,

      Yes, there are thousands of them! The idea behind this captcha is to slow down spamming and to increase the cost to the spammers/captcha solving companies/captcha workers so that the costs of spamming go above the economic benefit.

      Keep in mind that spammers make a very, very small amount of money for every message. We don't know exactly what this amount is, but I can definitely give you a lower bound: it must be higher than $0.0014 US per message. Why? Because that is how much it costs to break a captcha using a captcha-solving company. In addition to that spammers have to pay for hosting, proxies etc.

      We don't have good numbers on the upper bound for profits. One of the studies in this field assumes profits in excess of 50%. If that is the case, all we need to do is to increase the average cost of breaking a captcha from $0.0014 US to $0.0028 to make a very significant dent in their profits ...
      • Alex Blades:
        No need to explain, I understand the concept, and it sounds a lot better than what's out there. Like I said, you may be able to sell it for big money if you wish.
        Originally Posted by mekdroid:

        Hi Alex,

        Yes, there are thousands of them! The idea behind this captcha is to slow down spamming and to increase the cost to the spammers/captcha solving companies/captcha workers so that the costs of spamming go above the economic benefit.

        Keep in mind that spammers make a very, very small amount of money for every message. We don't know exactly what this amount is, but I can definitely give you a lower bound: it must be higher than $0.0014 US per message. Why? Because that is how much it costs to break a captcha using a captcha-solving company. In addition to that spammers have to pay for hosting, proxies etc.

        We don't have good numbers on the upper bound for profits. One of the studies in this field assumes profits in excess of 50%. If that is the case, all we need to do is to increase the average cost of breaking a captcha from $0.0014 us to $0.0028 to make a very significant dent in their profits ...
  • goindeep:
    "What's in it for me?"

    is what I'm thinking.

    If I'm going to implement something like this on my website, it had better not make it harder for my customers or for me.

    If I'm going to be using a web service that uses this technology, it had better not make my life harder.

    Those are my only thoughts, besides wondering how you're going to monetize something that is currently FOC via open source.

    Otherwise good idea.
  • Hackbridge:
    Two things I'd like to ask, and forgive me, I haven't read the blog (yet!): 1. It's going to take a spammer a long time just to crack the captcha; it wouldn't be worth it, surely? 2. Will you be beta testing the captcha here on the WF or in a closed environment?

    Cheers! I'm off to bed. See you later today.

    Brian
    • mekdroid:
      Originally Posted by Hackbridge:

      Two things I'd like to ask, and forgive me, I haven't read the blog (yet!): 1. It's going to take a spammer a long time just to crack the captcha; it wouldn't be worth it, surely? 2. Will you be beta testing the captcha here on the WF or in a closed environment?

      Cheers! I'm off to bed. See you later today.

      Brian
      Hi Brian!

      1) Yes, I hope that the spammers will find the captcha hard to break, so that the technology might be worth something ...

      2) I will be beta testing in a closed environment first, but I will ask members of this forum to try it out

      Thanks!
      Joe
  • Kevin Maguire:
    Now that I have had time to reflect on it. My view is this.

    You're presenting the world with a solution to a current problem. But your solution is flawed in its basis. Your method is as easy to bypass or manipulate as captchas are in the first place. It's like when they added CVV to the back of the credit card. It created a new security barrier, but was quickly circumvented.

    I purchased one of the latest captcha-breaking software packages recently, the GSA Captcha Breaker. Not cheap, I have to say. But after seeing it in action, it is very impressive. It seems to work off some kind of huge shared database of images, and learns as it grows, with really impressive results. As of now it solves over 500 captcha types. This number seems to grow every day. And it solves most of them at over 30% success.

    But you see, my point is that no matter what type of captcha or human confirmation a site puts up to prevent spamming, the spammers will adjust accordingly. The number of spamming attempts will not decrease, if anything it will increase as placed links become more valuable.

    So in short, the only thing that making captcha unbreakable will achieve will be an increase in the value of a backlink. It's not tackling the problem of spam at all really, just rolling the rock down the road a bit more.
  • exoduspress:
    It will all depend on implementation. You'll be competing with Google's ReCaptcha service which is free. You'll have to bring something VERY attractive to the table in order to get people to pay for the service.

    Once that is accomplished, and assuming your service gets popular enough, the software companies will just implement the functionality necessary to hash the number. I'm not saying this isn't a great idea, I definitely think it is clever, but as always, people will adapt.

    I think your biggest battle will be monetizing it when a popular service like Google's ReCaptcha exists for free. I'm not saying theirs is better, but cost is always a factor.

    All the best!