2415: Allow Captcha

Revision as of 08:19, 23 January 2021 by (talk) (Explanation: spelling)
Title text: To prove you're human, please click all the number pairs that appear together in your Social Security number.



Captcha is designed to prevent spambots from posting on websites by posing challenges that humans can easily solve but that spambots and other automated programs cannot. The original version (used in 632: Suspicion) asked users to identify text that was rotated, warped, or otherwise modified to make it harder for automated programs to read. Once automated programs got good at that, new captchas exploited the fact that computers tend to be bad at image recognition, e.g. asking the user to select only the images that contain cats from a grid of images of cats, dogs, and other objects.

This captcha appears to combine the two methods, with the additional hurdle that to pass it users must not only read the words but also understand them (i.e. know their definitions). However, if the goal is to let humans but not computers pass (although, as the next paragraph describes, it is not), this is not a good way to tell the two apart. Some of the words, such as allot, appear to be fragments of other non-verb words (like ballot), and other words are non-verbs that could be confused with verbs. The English language does not distinguish nouns from verbs by spelling, only by grammatical usage, and many English words are both nouns and verbs. On the other hand, any computer program that can accurately read text (and there are now many) would not confuse ale with ail or skew with askew, and could look up the definitions (including parts of speech) online, so this would not be effective as a captcha.

In reality, however, the window is merely disguised as a captcha in order to trick human visitors into allowing the website to install "a helper tool", which may be malware, on their computer. The disguise relies on several details: the top uses a similar shade of blue to the current version of reCAPTCHA (currently the most common brand of captcha), it includes the phrase "to prove you're human", and the grid is similar to the one used by reCAPTCHA, albeit 4×4 instead of 3×3. However, positioned so that it appears to humans as two of the reCAPTCHA boxes is a window asking viewers whether they want to allow or deny the website's request to install the "helper tool". The idea is that because allow is a verb beginning with the letter A, human visitors would click on what they think is the box with the word allow in it, but would actually allow the website to install potential malware on their computer. The window attempts to disguise this by formatting many of the words in the boxes as buttons and including other text in a smaller font in other boxes as well. In addition, the captcha may be intentionally difficult, so that users are too distracted by wondering whether ail or ale is a verb, and the like, to notice.

It should be noted that simply tricking humans would not necessarily be enough to install malware on their computer. First of all, while a person can click any part of a grid box to select that box, only clicking on the actual button that says allow will allow malware onto the computer. If a person clicks on another part of the supposed box, nothing will happen, so the person will likely take a closer look to see why the box is not being selected and may then realize that this is a trick. In addition, for the user to install software, a second window may pop up requiring the user to type in an administrator password, which will likely startle the user. Also, the user's computer may have anti-virus software that will prevent the computer from executing malicious code downloaded by the website.

Shady websites often use similar tactics to trick you into allowing notifications, including saying "Please allow notifications to confirm you are not a robot". This comic combines that with a traditional reCAPTCHA to try to trick savvier users too.

The title text is a similar reCAPTCHA-style challenge that also attempts identity fraud at coords 3,3 and 4,3.




Wow, this took me a while to figure out...The 𝗦𝗾𝗿𝘁-𝟭 talk stalk 03:48, 23 January 2021 (UTC)

Behold, the most ominous caption of all time. 07:38, 23 January 2021 (UTC)

When I saw this explanation the title text was explained like this:

Title text is a similar recaptcha thing trying to also do identity fraud at coords 3,3 and 4,3.

What does that even mean? I will change it, but if there is a meaning to those coordinates, then reinsert and explain... --Kynde (talk) 10:09, 23 January 2021 (UTC)

I'm guessing 3,3 and 4,3 refer to the table of boxes in the comic itself - the two boxes that contain the malware window are in the third row counting down from top, counting from the left one is in the third box and one in the fourth left box. Not particularly relevant to the title text, though. 13:50, 23 January 2021 (UTC)

Not all 9-tuples of digits can be determined from their pairs of digits. For example, 123-45-6781 and 234-56-7812 have the same pairs. Likewise, 121-31-4151 and 121-41-5131 have the same pairs. 13:23, 23 January 2021 (UTC)

This makes me wonder what the smallest difference n-m is so that you cannot uniquely determine an n-tuple of numbers from all m-tuples contained within it. 20:24, 23 January 2021 (UTC)
It's zero. Even judging by the tuples of length n-1 contained within the n-tuple fails when the n-tuple alternates between two values, e.g. 121212121. 01:57, 25 January 2021 (UTC)
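
The ambiguity discussed in the comments above can be measured: how many nine-digit numbers are consistent with a given set of adjacent pairs. The following is an added example, not part of the original discussion; the function names are illustrative and the inputs are the made-up numbers quoted in the comments.

```python
from typing import Iterable, List, Set


def windows(digits: str, m: int = 2) -> Set[str]:
    """Set of length-m runs of adjacent digits (dashes ignored)."""
    d = digits.replace("-", "")
    return {d[i:i + m] for i in range(len(d) - m + 1)}


def consistent_numbers(observed: Iterable[str], n: int = 9) -> List[str]:
    """All n-digit strings whose set of windows is exactly `observed`.

    Grows candidates one digit at a time and keeps a prefix only while its
    newest window is in the observed set, so it never scans all 10**n strings.
    """
    observed = set(observed)
    m = len(next(iter(observed)))      # window length, e.g. 2 for pairs
    found = []
    stack = sorted(observed)           # every candidate starts with a window
    while stack:
        prefix = stack.pop()
        if len(prefix) == n:
            # Keep only candidates that use every observed window.
            if windows(prefix, m) == observed:
                found.append(prefix)
            continue
        tail = prefix[len(prefix) - (m - 1):]
        for c in "0123456789":
            if tail + c in observed:
                stack.append(prefix + c)
    return sorted(found)


if __name__ == "__main__":
    # Constructed inputs: the example numbers from the comments above.
    for number in ("123-45-6781", "121-31-4151"):
        matches = consistent_numbers(windows(number))
        print(number, "->", len(matches), "numbers share its pairs")
    # The n-1 case from the reply: 8-digit windows of an alternating number.
    print(consistent_numbers(windows("121212121", 8)))
```

Even in these ambiguous cases the set of pairs narrows a billion possible nine-digit strings down to a few dozen candidates at most.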

This is called a Clickjacking attack, isn't it?-- 01:45, 24 January 2021 (UTC)

Aside from the manipulative elements of the 'CAPTCHA', this makes me think of a 'reverse Turing Test'. Instead of trying to get computer/human to prove their humanity, you ask them to do something that only a computer can excel at and a human will normally fail. (If used as a true-Turing test, the imperfect answer might be your clue as to who is(n't) faking, but that's why computer-candidates for these tend to always include deliberate 'tics', such as deliberately bad 'typing', grammar, punctuation, trying to seem less 'prefect' than the human correspondent.) With this comic's array, I'm left wondering if I'm getting the right verbs... is that even a verb..? "Doing word, right... but am I thinking of that one as an adjective and missing its verb use..?" when a robot-mind with the right lookup table would quickly assess everything 'correctly', and almost instantly. Which might (in legitimate CAPTCHA use) also be a clue that it's a robot-response, but only if the setter is that slightly bit more devious than the creator of the challenger. Complicated! 15:07, 24 January 2021 (UTC)

Added a Table section, from scratch. It may copy or restate things said in the main Explanation (which needs a lot of subediting down, IMO) but I think adds many things not already mentioned that aren't Computer Geeky but aren't too verbose for being Lexicographer Geeky. I of course welcome clarifications, corrections, etc. I thought I put enough in to not need Wiktionary/other external referencing, but that's still the most obvious enhancement (without increasing pure text content). Have at it, then, my fellow XplainKCDers! 19:11, 24 January 2021 (UTC)

Is there a category that would include this and https://www.explainxkcd.com/wiki/index.php/2228:_Machine_Learning_Captcha? SDT 02:04, 25 January 2021 (UTC)

I understand the malware box that offers to install a "helper" tool. But is there any special significance to the "DELAY" box and the "AVOW" box? Both of these have more prominent borders than the rest. Tenbob (talk) 11:48, 25 January 2021 (UTC)

I was under the impression that they were a cutout of a larger window, similar to captcha usage of snips of a picture file. This is most likely intentionally a "feature" additionally added to give some credibility to the actual clickbait.OhFFS (talk) 17:53, 25 January 2021 (UTC)

This entire comic ignores a simple fact of basic web page construction, specifically, that the action performed is separate from the label on the screen. So the button labeled "Deny" could be linked to the action to allow. In fact, it could be programmed that clicking anywhere in the entire picture could trigger a download. So if someone were behaving maliciously, they would not have to hide an "Allow" button and trick people to click it. The entire page could be a "button" that when clicked would trigger a download. Rtanenbaum (talk) 18:50, 25 January 2021 (UTC)

I thought the concept was rather to obscure the fact that part of what's displayed is NOT the webpage, but the OS security dialog.

Comic with a similar concept: https://xkcd.com/565/ (Security Question)

I don't personally want to just revert the drastic mass-deletion edit https://www.explainxkcd.com/wiki/index.php?title=2415:_Allow_Captcha&diff=205299&oldid=205298 but I actually think the removed text was a good observation. Strings that are "valid verbs, prepended by an 'A'" is one (odd but consistent with xkcd) interpretation of the instruction. Hasn't anyone seen Only Connect/similar? Perhaps it should be given its own para in the Explanation (one more won't hurt)..? 00:22, 26 January 2021 (UTC)