
Alternating Sequential User Input Challenge - ASUIC

Posted: Thu Feb 02, 2006 11:20 am
by Groone
Okay, so I am trying an alternative type of challenge which I have termed - Alternating Sequential User Input Challenge or ASUIC.

Basically, it takes a sequence of letters, or numbers. Randomly takes a selection of these sequences and then randomly removes one of the letters or numbers. Then in a multiple choice format, you are asked the question, "which item is missing?" You will then answer the correct answer.

Well, I can't explain it that good, so here is the code.


<?php
    // Pick the base sequence: digits or letters, each counting up and back down.
    switch (mt_rand(1, 2)) {
        case 1:
            $alphanumeric = "12345678987654321";
            break;
        case 2:
            $alphanumeric = "ABCDEFGHIHGFEDCBA";
            break;
    }

    // Take a random 5-character slice and replace one character with "_".
    $str = substr($alphanumeric, mt_rand(0, 12), 5);
    $random = mt_rand(0, 4);
    $strTmp = substr($str, 0, $random) . "_" . substr($str, $random + 1, 5 - $random);
    $missing = substr($str, $random, 1);

    echo "The sequence: " . $alphanumeric . "<br>";
    echo "What is missing from this sequence?  " . $strTmp . "<br>";
    echo "Possible Answers: <br><br>";

    // Label the six choices with letters or with numbers, at random.
    switch (mt_rand(1, 2)) {
        case 1:
            $answer = array("A.) ", "B.) ", "C.) ", "D.) ", "E.) ", "F.) ");
            break;
        case 2:
            $answer = array("1.) ", "2.) ", "3.) ", "4.) ", "5.) ", "6.) ");
            break;
    }

    // Slot that will hold the correct answer.
    $placement = mt_rand(0, 5);
    $limit = count($answer);

    for ($i = 0; $i < $limit; $i++) {
        if ($i == $placement) {
            echo $answer[$i] . $missing . "<br>";
            $correct = $answer[$i] . $missing;
        } else {
            // Fill the other slots with random characters that differ from the answer.
            $str = substr($alphanumeric, mt_rand(0, 12), 1);
            while ($missing == $str) {
                $str = substr($alphanumeric, mt_rand(0, 12), 1);
            }
            echo $answer[$i] . $str . "<br>";
        }
    }

    // Placeholder: replace with your own handling of the correct answer.
    echo "<br><br>Do Your Own Process on This - " . $correct;
?>
This should be pretty hard to scan with an OCR because you have to make a decision that is different every time. I suppose a lucky chance can get it, but seems pretty difficult to me. What do you think?

The output looks like this
The sequence: 12345678987654321
What is missing from this sequence? _7654
Possible Answers:

A.) 4
B.) 1
C.) 7
D.) 8
E.) 3
F.) 6


Do Your Own Process on This - D.) 8

Re: Alternating Sequential User Input Challenge - ASUIC

Posted: Thu Feb 02, 2006 12:11 pm
by Roja
Groone wrote: This should be pretty hard to scan with an OCR because you have to make a decision that is different every time.
OCR = Optical Character Recognition. It means recognizing characters in an image. Doesn't apply here.
Groone wrote: I suppose a lucky chance can get it, but seems pretty difficult to me. What do you think?
Seems easy to me. You just need to substr the "missing sequence" against the full sequence, and get the difference. Set the start for the substr to the first character after _, and then once you have the match in the main string, substr back one character. Done.

Highly scriptable.

Sequential is the downside to this. Here's an alternative. Offer a contextual challenge response instead.

Context matters, and you can vary the questions.. for example:

Bob's father is Steve. Steve's father is Alex.

Who is Alex's son?
Who is Steve's son?
Who is Bob's grandfather?
Who is Alex's grandson?

Notice the statement doesn't specifically state *any* of those items without recognizing the context. It's a slightly bad/biased example because it uses family relationships.. not every society is similar in its phrasing, and you might confuse some people.

But if you offer multiple types of contextual challenges, you should within 2-3 questions find one that pretty much any human can answer.

Low false-positive rate, low false-negative rate. It's good stuff.
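The matching Roja describes above, turned into a design check on the generator from the first post. This is an added example, not code from the thread; the function names `consistentAnswers()` and `auditChallengeSpace()` are invented here. It enumerates every challenge the generator can emit and counts how many are already answered by the sequence and fragment printed on the page.

```php
<?php
// Added example: audits the generator posted at the top of the thread.
// consistentAnswers() and auditChallengeSpace() are names invented here.

// Every character the blank could hold, judged only from what the page shows.
function consistentAnswers(string $sequence, string $shown): array
{
    $blank = strpos($shown, '_');
    $len = strlen($shown);
    $answers = [];
    for ($start = 0; $start + $len <= strlen($sequence); $start++) {
        $window = substr($sequence, $start, $len);
        // A window is consistent if it equals the fragment once blanked the same way.
        if (substr_replace($window, '_', $blank, 1) === $shown) {
            $answers[$window[$blank]] = true;
        }
    }
    return array_map('strval', array_keys($answers));
}

// Walk every (sequence, offset, blank) combination the generator can produce.
function auditChallengeSpace(array $sequences): array
{
    $total = 0;
    $determined = 0;
    $questions = [];
    foreach ($sequences as $sequence) {
        for ($start = 0; $start <= 12; $start++) {        // mt_rand(0,12) in the post
            for ($blank = 0; $blank <= 4; $blank++) {     // mt_rand(0,4) in the post
                $window = substr($sequence, $start, 5);
                $shown = substr_replace($window, '_', $blank, 1);
                $total++;
                if (consistentAnswers($sequence, $shown) === [$window[$blank]]) {
                    $determined++;
                }
                $questions[$sequence . '|' . $shown] = true;
            }
        }
    }
    return ['total' => $total, 'determined' => $determined, 'distinct' => count($questions)];
}

$report = auditChallengeSpace(["12345678987654321", "ABCDEFGHIHGFEDCBA"]);
printf(
    "%d challenges, %d with exactly one consistent answer, %d distinct questions\n",
    $report['total'], $report['determined'], $report['distinct']
);
```

When the determined count equals the total, the page itself discloses the answer to every challenge, and a small distinct-question count means the whole challenge space fits in a fixed table.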

Posted: Thu Feb 02, 2006 1:09 pm
by Groone
Thanks for the quick reply, and I understand what you are saying.

If we process the entire answer set as an answer, such as A.) A then the scripters would have to really work hard to script it wouldn't they?

If I were to have a series of questions, say 100 questions. A scripter, by simply taking all the questions and pairing them with the correct answer then doing a compare with what was on the form could build a switch that easily finds the answers I would think.


Edit: After thinking about it, I could probably change the question a bit to say something like, "The first number is missing, what is it?" and then show the sequence, minus the underscore. Then under it have the possible answers. The word first would be a randomly generated number from 1 to however long the string is.

Posted: Thu Feb 02, 2006 2:29 pm
by Roja
Groone wrote: Edit: After thinking about it, I could probably change the question a bit to say something like, "The first number is missing, what is it?" and then show the sequence, minus the underscore. Then under it have the possible answers. The word first would be a randomly generated number from 1 to however long the string is.
That's a significant improvement. The solution to scripting the answer doesn't come immediately to mind, so it is at least an improvement over the original idea. :)

I'll think it over and see if I can figure out a scriptable attack for it. Hopefully other posters will have ideas too.

Posted: Thu Feb 02, 2006 4:52 pm
by Groone
I got busy at work today so wasn't able to finish writing it. I will endeavor to complete it when I get home and put it on the guest book and let you, and whoever else, spam it. See if it would be easy enough.

Posted: Thu Feb 02, 2006 9:23 pm
by josh
Ok, I'm surprised no one has mentioned these:

Have 3 images - A, B, and C they would read. One of the images would be completely grayed out. It would ask the user which letter is grayed out (it would always be in sequential order). Pre-requisites to answering it are knowing the first 3 letters of the alphabet and being able to read black text on a white background. This however is very vulnerable to OCR, but better than the traditional captcha in my opinion. Another play on this would be to replace one letter with a number and ask them which box contains a number.

Another method I've seen is an image that contains text that says "Check the first and third box, leaving the middle box unchecked" and it has 3 checkboxes underneath it. You can play with the context to make it difficult to script for it - "Do not check any boxes except for the middle box", "Check all the boxes except for the third", etc.. mix "third" with "last"

Posted: Thu Feb 02, 2006 10:37 pm
by Groone
Okay, I finished the code for it, so go ahead and try it out.

http://www.groonesworld.com/gbook/index.php?act=add

It's an interesting concept to say the least. Will definitely stop stupid people rofl :lol:

Posted: Thu Feb 02, 2006 11:16 pm
by josh
In my opinion this is a poor idea, you're complicating the process for the user and this is easily scripted.. just using an old fashioned captcha would be better than this in terms of stopping bots.

Posted: Thu Feb 02, 2006 11:22 pm
by John Cartwright
jshpro2 wrote: In my opinion this is a poor idea, you're complicating the process for the user and this is easily scripted.. just using an old fashioned captcha would be better than this in terms of stopping bots.
Agreed. If I was confronted with anything that complex, I'd likely blow it off.

And yes, that is easily scripted.

Posted: Thu Feb 02, 2006 11:25 pm
by Groone
Is it easily scripted? Not that I doubt it, but I would like to see it spammed in action.

Posted: Fri Feb 03, 2006 12:01 am
by John Cartwright
Not that you've asked, but don't push anyone to try, as it violates US law if they do...

Posted: Fri Feb 03, 2006 12:23 am
by josh
Even so, like I'm really going to spend time writing a spam bot to prove something to you when you can't just take my word for it.



Take our advice or leave it, it's your application


Edit: this is all assuming the implied request to write a spambot

Posted: Fri Feb 03, 2006 12:25 am
by AGISB
Wouldn't this work much better?

You have the input form where you input the text. On this site create a unique random number and save it to a session. Link the form to a verification script.

The verification script validates the data, places the data into hidden form, creates a hash of all data plus a secret passphrase and decrypts the session number, increments it. Link the verification form to the submit script.

In the submit script check the hash against the data and check the incremented number against the original number. If all is ok submit if not don't submit.
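One reading of the three-step flow in the post above, as an added example that is not AGISB's code. Assumptions: `SECRET`, `startForm()`, `verifyStep()` and `submitStep()` are hypothetical names, `$session` stands in for `$_SESSION` so the sketch runs from the command line, the session number is kept server-side in plain form, and HMAC-SHA256 replaces the plain hash of data plus passphrase.

```php
<?php
// Added example: hypothetical names throughout; $session stands in for $_SESSION.
const SECRET = 'replace-with-a-long-random-server-side-key'; // placeholder value

// Step 1 (form page): store a random number in the session.
function startForm(array &$session): void
{
    $session['original'] = random_int(1, PHP_INT_MAX - 1);
    $session['counter'] = $session['original'];
}

// Canonical string that gets signed: sorted form fields plus the session number.
function payload(array $data, int $counter): string
{
    ksort($data);
    return json_encode($data) . '|' . $counter;
}

// Step 2 (verification script): increment the number, sign data + number,
// and return what would be written into the hidden form.
function verifyStep(array &$session, array $data): array
{
    $session['counter']++;
    $hash = hash_hmac('sha256', payload($data, $session['counter']), SECRET);
    return ['data' => $data, 'hash' => $hash];
}

// Step 3 (submit script): the hash must match the posted data and the number
// must have moved on by exactly one. The session entry is then discarded.
function submitStep(array &$session, array $hidden): bool
{
    if (!isset($session['original'], $session['counter'])) {
        return false; // no form was started, or it was already submitted
    }
    $expected = hash_hmac('sha256', payload($hidden['data'], $session['counter']), SECRET);
    $ok = hash_equals($expected, (string) $hidden['hash'])
        && $session['counter'] === $session['original'] + 1;
    unset($session['original'], $session['counter']);
    return $ok;
}

// Constructed sample run: untouched form, edited hidden fields, then a replay.
$session = [];
startForm($session);
$hidden = verifyStep($session, ['name' => 'guest', 'message' => 'hello']);
$tampered = $hidden;
$tampered['data']['message'] = 'changed after verification';
$sessionCopy = $session;
var_dump(submitStep($session, $hidden));
var_dump(submitStep($sessionCopy, $tampered));
var_dump(submitStep($session, $hidden));
```

The three calls show what the flow checks: that the hidden fields were not altered after verification, that the steps ran in order, and that each form is submitted once.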

Posted: Fri Feb 03, 2006 12:27 am
by josh
That would prevent what? Spammers that don't have access to CURL or low level sockets?

Posted: Fri Feb 03, 2006 12:29 am
by John Cartwright
Call me a block, but how does that prevent spam?