OMG PONIES!!!
April 7, 2006 2:01 PM

Dear Matt, please implement this at once. It's way better than those other captchas. (via MeCha)
posted by dame (60 comments total)
 
I knew there were additional uses for Cute Overload - I just hadn't guessed what they were.
posted by AuntLisa at 2:07 PM on April 7, 2006


oh that's awesome. I'd love to see that here.
posted by puke & cry at 2:08 PM on April 7, 2006 [1 favorite]


SOOOO CUTE!!
posted by Balisong at 2:09 PM on April 7, 2006


See, the problem with this is that you need an unlimited (ok, huge) number of kitten pictures. The captchas work because they're generated dynamically and a computer can't recognize repeats. The kittenAuth is a huge step back.

Here's how to beat kittenauth 1.0:
Create a program to capture a few thousand images, then remove duplicates using a binary comparison. Next, have a human identify which images are kittens and which are not. With this data, all a program needs to do is compare two images to see if they're identical. Again, this can be done using a simple bit comparison, it doesn't even require any actual image parsing.
posted by Crash at 2:09 PM on April 7, 2006


This is a good idea, for the following reason: work in improving AI image recognition capabilities is needed, and if we let the arms race between honest folk and spammers go on, eventually the spammers will come up with image-recognition (or kitten-recognition, which is just as important, no?) algorithms paralleling the human brain. Why not let them do all the work?
posted by greatgefilte at 2:09 PM on April 7, 2006


Crash:
Or just masturbate long enough so that there's only one kitten picture left, and all the other ones are domo-kuns.
posted by qvantamon at 2:12 PM on April 7, 2006


Crash -- Flickr.
posted by greatgefilte at 2:12 PM on April 7, 2006


Matt, I still think you should implement this, simply because if a user manages to do the above engineering and programming, they deserve to be able to post on this board.
posted by Parannoyed at 2:13 PM on April 7, 2006


I don't know if anyone would be that committed to doing all that work to beat the captcha.
posted by puke & cry at 2:18 PM on April 7, 2006 [1 favorite]


greatgefilte: See, that still requires a human to identify if the image is a kitten or not and to upload it into the kittenauth program, which requires work on your part. But to defeat it, I'll add the following:
When my program runs a comparison of images, if it finds a new image, it can save it into the system and email me to confirm if it's a kitten or not. Then it refreshes the page. The more images you upload, the greater the chance it won't have to deal with a new image after refreshing, so it gets through on the second try. Meanwhile, Matt's spending all his time trying to find more and more pictures of kittens to stay one step ahead of my app.

Seriously, this would take a couple of hours to write, tops. KittenAuth is fatally flawed. My apologies to whoever created it.
posted by Crash at 2:18 PM on April 7, 2006


Hilarious.
posted by mathowie at 2:19 PM on April 7, 2006


possible solution: Replace static kitten images with kitten webcams.
posted by Artw at 2:20 PM on April 7, 2006


Of course someone would write an app to do this. Hackers would write it to get credit for breaking your kittenauth, and spammers would write it to spam the twenty people still reading comments after that 5-year-old-hugger thread.
posted by Crash at 2:20 PM on April 7, 2006


Please keep captchas! I copy each down that I come across and am building a fine collection which, when the time is right, I will post as Captcha. Blogspot.com There may be some pattern to the captchas that we do not fully understand, perhaps a sort of intelligent design that someday will be meaningful to earthlings.

ps: when we had our baby girl 3 months ago, we named her Captcha.
posted by Postroad at 2:20 PM on April 7, 2006


OMG PONIES!!! YOU CLICKED 3 KITTENS!!!!!!

ahAHAHAHHA. There's a sign, I tell you. I want.

OMG baby otters, too! omgomgomg. *explodes*

Hey, aren't baby foxes also called kittens too? Or is that just kits?
posted by loquacious at 2:21 PM on April 7, 2006


All you have to do is add some randomly generated noise to the image before displaying it and any attempt at binary compare is completely foiled. You could still run an image recognition algorithm, but that is hardly easier than breaking a captcha.

It wouldn't be quite as cute after all that though..
posted by Chuckles at 2:22 PM on April 7, 2006


Seriously, this would take a couple of hours to write, tops. KittenAuth is fatally flawed. My apologies to whoever created it.

Why can't the system apply noise to the pictures so that they're not identical each time? I could identify a kitten even if it had a great big black spike through its head.
posted by Armitage Shanks at 2:23 PM on April 7, 2006


Damn that live preview.
posted by Armitage Shanks at 2:23 PM on April 7, 2006


Crash: What about randomly renaming the files, randomly padding the data or otherwise glitching the easily machine-comparable metadata?

This could easily be combined with an existing captcha algorithm to machine-randomize the image files.

End result is we get a real captcha generator, but OMG WITH KITTENS!!!11!
posted by loquacious at 2:25 PM on April 7, 2006


Artw's idea would defeat my program (assuming the kittens stay in front of the webcam, bandwidth isn't an issue, and everyone wants 9 embedded videos on the login page).

Filenames are irrelevant, he's already renaming them. I'm just comparing on binary size and then bit by bit comparisons.

Padding the GIFs with data could corrupt the image file, and then no one can identify the kittens (we'll get 9 broken image icons).

Adding noise seems to defeat the purpose, and seems harder to do than creating the captchas. You'd have to ensure you're not blurring the image so much the picture is unrecognizable to humans (a blurry kitten vs a blurry puppy vs a blurry rabbit? I'll never be able to log in again).
posted by Crash at 2:29 PM on April 7, 2006


All you have to do is add some randomly generated noise to the image before displaying it and any attempt at binary compare is completely foiled.

Pshaw. You don't have to do a 100% binary match, just sample a few pixels from each image and make a probabilistic judgement.

Any project that involves an anti-CAPTCHA component is going to be a numbers game, so even what you might think of as pretty low success rates can be very profitable. The necessary investment in defeating CAPTCHAs is very near zero.

Here is a potentially better plan:
1) Make a huge list of common words
2) Grab Flickr imagesets for each word (copyright is obsolete to us Gibson-esque futuristos anyway, right?)
3) Display one or more images and prompt for what the user thinks best applies. If they guess right, they win!

You could do best 2/3, or something.
posted by sonofsamiam at 2:30 PM on April 7, 2006



posted by blue_beetle at 2:33 PM on April 7, 2006


OMG baby sloths!! and a new otter! Screw the captcha applications, this thing is fun just 'cause it's insanely cute and it makes my teeth hurt.

I think the application of this is a must. Imagine the moral boost. Who could possibly pound out some nasty personal attack or ad hominem argument and still post it after being confronted by the overwhelming furry awesomeness of the kitten captcha?

"AGH FUCK I HATE YOU YOU STUPID POOPY WRONGHEADED BABYSTABBER... oh. ohhh dear look at that kitten! omg look at that little baby prairie dog! Oh, oh no. Is that hedgehog? *melts, discards angry post*"
posted by loquacious at 2:33 PM on April 7, 2006


sonofsamiam, a bit more complicated, but how about this to defeat your flickrAuth: Locate the word you want the image to match, and run an http post request to Flickr's search engine. Grab the first 100 images returned, and compare the smaller subset.

Of course, this assumes I know what image database you're using, so if you toggle between a few (google, flickr, ?), it might work. Or, just use a captcha to scramble your word. Of course, that kind of defeats the purpose again.
posted by Crash at 2:37 PM on April 7, 2006


Screw the cats, who's the girl holding the owlet? Now that's cute.
posted by myopicman at 2:38 PM on April 7, 2006


I think it's a good idea for a captcha, but it really should use a larger grid. Right now, the chances of randomly selecting three are 3/9 * 2/8 * 1/7 = 6/504 = 1/84. That's pretty susceptible to a brute force attack.

Just making it 4 kittens out of a 4x4 grid would decrease that chance to 4/16 * 3/15 * 2/14 * 1/13 = 24/43680 = 1/1820.

I don't know at what level of probability we want to say that susceptibility to a brute force attack becomes negligible, but compare either of these to a six-character alphanumeric captcha: 26 lower-case letters, 26 upper-case letters, and 10 numerals makes (1/62)^6 = 1/56800235584.

Kind of a big difference, no?
posted by Feral at 2:39 PM on April 7, 2006


Grab the first 100 images returned, and compare the smaller subset.

That would probably work. It is not easy to come up with problems that can be generated by computer, but solvable by humans and not solvable by computer.
posted by sonofsamiam at 2:40 PM on April 7, 2006


I would be interested to know what this does, or does not, have in common with Bank of America Site Key, which requires you to do something similar (you have to pick your image out of the array rather than kittens -- so it's like, a sloth, your grandma, and someone's summer house, and you choose your grandma) and whether or not it could be beaten in a similar way.

If so, huzzah!! Because I hate BoA with a very unreasonable passion.
posted by Medieval Maven at 2:47 PM on April 7, 2006


I could identify a kitten even if it had a great big black spike through its head.

"Yes, officer. <sniff> That's Friskers."
posted by TonyRobots at 2:53 PM on April 7, 2006


Here's a company that's doing this already, though with presumably less-cute humans.
posted by Ian A.T. at 2:55 PM on April 7, 2006


Ninety seconds after clicking the link, I have yet to see kitten one.
posted by jenovus at 3:06 PM on April 7, 2006


Or even "non-gray-box" one.
posted by jenovus at 3:07 PM on April 7, 2006


Yes sir. Any minute now.
posted by jenovus at 3:09 PM on April 7, 2006


I gave up on the kittens. :(
posted by jenovus at 3:15 PM on April 7, 2006


You could make this (almost) unbreakable by filtering the images through ImageMagick, which can dynamically resize, rotate, crop, recolor, etc. That would yield you a completely different file binarywise which still looks just like a kitten.
posted by Nahum Tate at 3:32 PM on April 7, 2006


Good point nahum. You could probably randomly rotate the images, or even (in a strange reversal of purpose) use a digital signature algorithm to perturb the pixels with a random signature.

Of course, you could probably write an image checksum algorithm that would return similar results for the same set of pixels regardless of order, give or take 20%, and fuzz it a bit so that it wouldn't be thrown off by aliasing in the rotation. But personally I would find it tricky to get a good hit rate for a very large set of unknown images.
posted by xthlc at 3:50 PM on April 7, 2006
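The exchange above (exact binary comparison, per-request noise, sampling a few pixels, geometric changes such as rotation) can be checked with a small self-test of which comparisons still link a served image back to a static image bank. This is an added example, not code from any poster or from KittenAuth; the blocky 64x64 images, the noise amplitude, the sample grid and the match threshold are all constructed assumptions, and a 90-degree rotation stands in for the ImageMagick-style transforms.

```python
import hashlib
import random

SIZE, BLOCK = 64, 8      # constructed 64x64 grayscale images made of 8x8 blocks
# One fixed sample pixel per block: 64 of 4096 pixels ("sample a few pixels").
SAMPLE_POINTS = [(bx * BLOCK + 3, by * BLOCK + 5)
                 for by in range(SIZE // BLOCK) for bx in range(SIZE // BLOCK)]
MATCH_THRESHOLD = 20     # assumed cut-off for the mean absolute pixel difference

def make_image(seed):
    """Constructed stand-in for one picture in the static image bank."""
    rng = random.Random(seed)
    n = SIZE // BLOCK
    blocks = [[rng.randrange(256) for _ in range(n)] for _ in range(n)]
    return [[blocks[y // BLOCK][x // BLOCK] for x in range(SIZE)] for y in range(SIZE)]

def add_noise(img, rng, amplitude=6):
    """Per-request noise: a small random offset on every pixel, clamped to 0..255."""
    return [[min(255, max(0, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in img]

def rotate90(img):
    """Geometric change: rotate the image 90 degrees clockwise."""
    return [list(col) for col in zip(*img[::-1])]

def digest(img):
    """Exact fingerprint of the pixel data (the 'binary compare')."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def sampled_distance(a, b):
    """Mean absolute difference over the fixed sample points only."""
    return sum(abs(a[y][x] - b[y][x]) for x, y in SAMPLE_POINTS) / len(SAMPLE_POINTS)

def reidentify(served, bank, method):
    """Index of the bank image that `served` is linked back to, or None."""
    if method == "exact":
        d = digest(served)
        return next((i for i, img in enumerate(bank) if digest(img) == d), None)
    best = min(range(len(bank)), key=lambda i: sampled_distance(served, bank[i]))
    return best if sampled_distance(served, bank[best]) < MATCH_THRESHOLD else None

def evaluate(bank_size=20, seed=2006):
    """Fraction of served images linked back to their source, per defense and check."""
    rng = random.Random(seed)
    bank = [make_image(s) for s in range(bank_size)]
    defenses = {
        "none": lambda img: img,
        "noise": lambda img: add_noise(img, rng),
        "noise+rotate": lambda img: rotate90(add_noise(img, rng)),
    }
    results = {}
    for name, perturb in defenses.items():
        served = [perturb(img) for img in bank]
        results[name] = {
            m: sum(reidentify(s, bank, m) == i for i, s in enumerate(served)) / bank_size
            for m in ("exact", "sampled")
        }
    return results

if __name__ == "__main__":
    for defense, rates in evaluate().items():
        print(f"{defense:13s} exact={rates['exact']:.2f} sampled={rates['sampled']:.2f}")
```

On these constructed images, noise alone stops the exact match but not the sampled one, and only the geometric change stops fixed-position sampling; a position-tolerant comparison of the kind xthlc describes is not modelled here.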


Could you not extend the odds by having a lot of cute pictures of various things (squirrels, puppies, pandas etc) and randomly selecting which you have to identify - with the description of the animal to be picked also being randomly generated (cat, kitten, feline, smaller version of a lion etc)
posted by Sparx at 4:02 PM on April 7, 2006


I'm thinking about the accessibility angle here, y'see? There need to be sound samples that go along with each image for the visually impaired, so they'd hear 9 different critter noises and identify the adorable "meows" as kittens and the adorable "[whatever noise baby llamas make]" as baby llamas. Etc.

You could also make this harder for machines to solve by randomly choosing the target critter. Eg one person is told to click the kittens, another puppies.
posted by adamrice at 4:10 PM on April 7, 2006


OMG PONIES!!! YOU CLICKED 3 KITTENS!!!!!!

sorry, I just had to see that again.
posted by signal at 4:11 PM on April 7, 2006


OK. So, like, you set up 48 terrariums, 3 groups of 16 each that contain different animals, 1 of which in each group contains a kitten (with its legs amputated so it can't jump out--OK, maybe you leave one leg on so it can move around a little so as not to be static and a target for a probabilistic binary image match) and you have a web cam on each animal. Every log-in triggers a web cam shot of all of the animals and the user has to pick out the 3 legged kittens in 3 successive 4x4 grids. That would give you (1/1820)^3 = 1/6028568000 odds of a random crack *plus* you get 9 kitten legs for other projects!
posted by nonmyopicdave at 4:20 PM on April 7, 2006


Well yeah, if you added "noise" and "effects" (like changing the color, saturation, cropping, etc) to the picture I think a person's ability compared to a computer's ability to determine the difference between a kitten and a non-kitten vs. different letters is greater. Actually that was a really confusing sentence, let me try again.

If the ability for a person to determine which letter is which in a 'messed up' image is A, and a computer's is B. Then if a person's ability to determine kitten vs. non-kitten is C and a computer's is D, then I think (C - A) > (D - B) and C > A.

So this would be the way to go.

On the other hand, with just a 9x9 grid a computer would only need to try 84 times (according to Feral) to get in and start spamming, which isn't that hard to imagine a computer doing.
posted by delmoi at 4:23 PM on April 7, 2006


I think captchas should be scrambled blonde jokes:
What does a blonde owl say?
1. So she could lip read.
2. Humpme Dumpme.
3. The joystick is wet
4. What, what?
5. Two brunettes.
6. In case she locks her keys in the car.
7. She burned her lips on the tailpipe.
posted by weapons-grade pandemonium at 4:37 PM on April 7, 2006


My vote is for logic captchas. They are accessible to the ~10% of population who have sight problems. They are also easier to figure out for most people than the images yahoo/godaddy/whatever use. It seems some fairly simple scripts could generate enough logic captchas to keep the spam bots busy.
posted by rsanheim at 5:01 PM on April 7, 2006


Medieval Maven, that's not what BofA's sitekey does. They present you with a picture that you've chosen in advance so that you can be sure you're talking to BofA instead of bankamerica.gimmeyourpassword.com. You can argue the effectiveness, but they're not using images as a captcha to see if you are who you say you are. They're showing an image you chose to verify that they are who they say they are. Kind of supplying a password back to you.
posted by team lowkey at 5:11 PM on April 7, 2006


I think you could get by the whole "need for infinite kitten pictures" by simply caging a few kittens and setting up web cams. Take still images from the (always changing) web cam and voilà, you never use images enough times for them to be learned.
posted by pkingdesign at 5:18 PM on April 7, 2006



posted by Armitage Shanks at 5:34 PM on April 7, 2006


*click* *click click* *CLICKCLICKCLICKCLICK* AAAAAGH IT'S NOT DOING ANYTHING MAKE HIM GO WAY MAKE HIS HEAD ASPLODE AAAGH
posted by loquacious at 5:52 PM on April 7, 2006


Feral writes "I don't know at what level of probability we want to say that susceptibility to a brute force attack becomes negligible, but compare either of these to a six-character alphanumeric captcha: 26 lower-case letters, 26 upper-case letters, and 10 numerals"

Most captchas aren't case sensitive. I'd also avoid numbers and letters that look like each other like 0 and O if I was writing the app.
posted by Mitheral at 6:42 PM on April 7, 2006
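The guessing odds Feral works out, and the smaller alphabet Mitheral describes, can be turned into attempt counts and a lockout budget. This is an added example, not code from any poster; the 32-symbol alphabet (case-insensitive letters and digits minus 0, O, 1 and I) and the 1% risk target are assumptions chosen for illustration, and each attempt is assumed to face a freshly shuffled challenge.

```python
from fractions import Fraction
from math import ceil, floor, log1p


def grid_guess_probability(cells, targets):
    """Chance that picking `targets` distinct cells at random hits every target,
    multiplied out pick by pick as in the thread (3/9 * 2/8 * 1/7)."""
    p = Fraction(1)
    for i in range(targets):
        p *= Fraction(targets - i, cells - i)
    return p


def text_guess_probability(alphabet_size, length):
    """Chance of guessing a random string of `length` symbols in one try."""
    return Fraction(1, alphabet_size ** length)


def attempts_to_reach(p, target=0.5):
    """Fewest independent attempts (fresh challenge each time) whose combined
    success chance 1 - (1 - p)^n reaches `target`."""
    return ceil(log1p(-target) / log1p(-float(p)))


def attempt_budget(p, risk=0.01):
    """Most attempts a client can be allowed before lockout while keeping the
    combined guessing success at or below `risk`."""
    return floor(log1p(-risk) / log1p(-float(p)))


SCHEMES = {
    "3 kittens in 3x3 grid": grid_guess_probability(9, 3),
    "4 kittens in 4x4 grid": grid_guess_probability(16, 4),
    "6 chars, 62 symbols": text_guess_probability(62, 6),
    # Assumed alphabet: case-insensitive letters and digits minus 0, O, 1, I.
    "6 chars, 32 symbols (assumed)": text_guess_probability(32, 6),
}

if __name__ == "__main__":
    for name, p in SCHEMES.items():
        print(f"{name:30s} 1/{p.denominator:<12d} "
              f"50% after {attempts_to_reach(p):>14,d} tries, "
              f"1% budget {attempt_budget(p):>12,d}")
```

For the 3x3 grid the 1% budget is zero attempts, because a single blind guess already succeeds about 1.2% of the time.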


My friend, who occasionally dabbles in facial recognition for his CS/stats degree discusses cracking it:
Well you get a collection of relatively uniform kittens faces say, then you have the computer approximate where certain kitten-like features are, then you create orthogonal representations of the variances between features, in descending order so that your first n vectors describe the most variation in your sample, then you go about scanning a (grayscale and rotated) version of the new image, checking the distance in the feature-space (nearer to 0 the more likely it is a positive match for that feature), sum up all the distances for all the features in the different scans of the images, and if one of those numbers is greater than some arbitrary number k, it's a kitten
Of course, my other friend thinks a simple drag-and-drop would work well. "Drag the round peg into the round hole."
posted by disillusioned at 7:36 PM on April 7, 2006


Just out of curiosity, how would one implement a drag-and-drop web-based application that does not run client-side?
posted by Feral at 8:38 PM on April 7, 2006


Here's an idea - there's a pretty much unlimited supply of text out on the interweb, much of which is accessible via XML feeds, why not make the user differentiate between sentences grabbed from news feeds and randomly generated gibberish sentences?
posted by Artw at 9:13 PM on April 7, 2006


(The gibberish would of course have to be sufficiently well formed to parse as a sentence, without making any factual sense)
posted by Artw at 9:14 PM on April 7, 2006


1. I think it's really important for this great state of baseball to reach out to people of all walks of life to make sure that the sport is inclusive. The best way to do it is to convince little kids how to—the beauty of playing baseball.

2. No question that the enemy has tried to spread sectarian violence. They use violence as a tool to do that.

3. When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

4. I like my buddies from west Texas. I liked them when I was young, I liked them then I was middle-age, I liked them before I was president, and I like them during president, and I like them after president.
posted by weapons-grade pandemonium at 10:44 PM on April 7, 2006


Here's how to beat kittenauth 1.0:
Create a program to capture a few thousand images, then remove duplicates using a binary comparison. Next, have a human identify which images are kittens and which are not. With this data, all a program needs to do is compare two images to see if they're identical. Again, this can be done using a simple bit comparison, it doesn't even require any actual image parsing.


Here's how to beat your kittenauth beater. You only need ONE picture of a cat. Rotate that one picture, shear it, truncate it, stretch it, or deface it, by one pixel width at a time and you have a whole new cat image. Repeat the process several million times.
posted by zaebiz at 2:44 AM on April 8, 2006


I failed to click three kittens.
posted by Clamwacker at 3:43 AM on April 8, 2006


I became confused when one image contained both a kitten and an adult cat. IT'S A TRAP!
posted by de void at 5:36 AM on April 8, 2006


the 'choose from amongst these' set up is always gonna be able to get beaten just by numbers though - this is a cute idea but as someone already said, choosing three images from a 3x3 grid means you can just hit it with all possibilities. having to type something in means that you are radically increasing the number of possibilities.

although, for mefi there is already a $5 wall for any new account, and old accounts all have passwords... is the need for captchas because there are spammers trying to work out all our passwords and then use our accounts? and if they are, why?? how would it possibly make them any money...
posted by mdn at 6:45 AM on April 8, 2006


Good Lord you guys put too much thought into this.
posted by graventy at 7:02 AM on April 8, 2006


Someone was running a dictionary attack against old, inactive accounts. I think it was someone who had been perma banned.
posted by Mitheral at 7:10 AM on April 8, 2006


the Hack would have a 1 in 84 attack each time, the page would randomly reorder the kittens each time, that vastly affects the odds of success.

for example attempt one: the kittens are in square 1 4 and 8
on attempt two: 4 8 and 9
posted by Megafly at 3:59 PM on April 8, 2006




This thread has been archived and is closed to new comments