2415: Allow Captcha

Explain xkcd: It's 'cause you're dumb.
Revision as of 16:00, 18 February 2021 by 172.69.135.80 (talk) (Explanation)
Title text: To prove you're human, please click all the number pairs that appear together in your Social Security number.

Explanation

Captcha is designed to prevent spambots from being able to post on websites by posing challenges that humans can easily solve but that spambots and other automated programs cannot solve. The original version (used in 632: Suspicion) asked users to identify text that was rotated, warped, or otherwise modified in order to make it more difficult for automated programs to solve. Once automated programs got good at that, new captchas were put out that exploited the fact that computers tend to be bad at image recognition, e.g. asking the user to select only images that contain cats from a grid of images of cats, dogs, and other objects (used in 1897: Self Driving). This captcha appears to combine the two methods, with the additional hurdle that in order to pass the captcha, users must be able to not only read but also understand (i.e. know the definitions of words). However, if the goal is to allow humans but not computers to pass (although, as the next paragraph will describe, it is not the goal), this is not a good method of differentiating between the two. Any computer program that can accurately read text (and there are now many programs that can do so) would know which words start with 'A' and would be able to look up the definitions (including parts of speech) online, so this would not be effective as a captcha. Humans, on the other hand, would often get confused between "ale" and "ail" or between "allot" and "a lot". The English language has no distinction between nouns and verbs by spelling, only grammatical usage, and many words in English are both nouns and verbs, depending on context and placement.

In reality, however, the window is merely disguised as a captcha in order to trick human visitors into allowing the website to install "a helper tool", which may be malware, on their computer. The top of the window uses a similar shade of blue to the current version of reCAPTCHA (currently the most common brand of captcha), the prompt includes the phrase "to prove you're human", and the grid is similar to the grid used by reCAPTCHA. However, positioned to appear to humans as two reCAPTCHA boxes is a window asking viewers whether they want to allow or deny the website's request to install the supposed "helper tool". The idea is that because "allow" is a verb beginning with the letter A, human visitors would click on what they think is the box with the word allow in it but actually allow the website to install potential malware on their computer. The window attempts to disguise this by formatting many of the words in boxes as buttons and including other text in smaller font on other boxes. In addition, the captcha may be intentionally difficult so that users will be too distracted by wondering whether ale is a verb to process the meaning of the request.

It should be noted that simply tricking humans would not necessarily be enough to install malware on their computer. First of all, while a person can select any part of a grid box in order to select that box, only clicking on the actual button that says allow will allow malware onto the computer. If a person clicks on another part of the supposed box, nothing will happen, so the person will likely take a closer look in order to see why the window is not being selected and then possibly realize that this is a trick as a result. Further, the website would likely not be able to specify where the permission window appears, so would not be able to fit it into the fake reCAPTCHA. In addition, the user's computer may have anti-virus software that will prevent the computer from executing malicious code downloaded by the website. Or in order for the user to install software, a second window may pop up requiring the user to type in an administrator password, which will likely startle the user.

Shady websites often use similar tactics to trick you into allowing notifications, including saying "Please allow notifications to confirm you are not a robot". This comic combines that with a traditional reCAPTCHA to try and trick savvier users too.
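The lure described above pairs human-verification wording with a browser permission prompt, a combination a real CAPTCHA never needs. As an added example (not part of the comic or the original explanation), this Python check flags that combination in page source; the phrase patterns, the `assess` function and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Wording that presents the page as a human-verification step.
LURE = re.compile(r"not a robot|prove (?:that )?you(?:['’]re| are) human", re.I)
# Visible text that steers the visitor toward the browser's Allow button.
STEER = re.compile(r"\b(?:click|press|tap|please)\b[^.]{0,40}\ballow\b", re.I)
# Browser APIs that open a permission prompt.
PROMPT_API = re.compile(r"Notification\.requestPermission|pushManager\.subscribe")

class _Split(HTMLParser):
    """Separate script source from the text a visitor actually sees."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.visible, self.script = [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.visible).append(data)

def assess(page_html):
    """Return (suspicious, reasons) for one page source."""
    parser = _Split()
    parser.feed(page_html)
    parser.close()
    text = " ".join(" ".join(parser.visible).split())
    reasons = []
    if LURE.search(text):
        reasons.append("human-verification wording")
    if STEER.search(text):
        reasons.append("text steers the click to Allow")
    if PROMPT_API.search("\n".join(parser.script)):
        reasons.append("script opens a permission prompt")
    # A CAPTCHA needs no browser permission, so the lure plus any prompt signal is the flag.
    return reasons[:1] == ["human-verification wording"] and len(reasons) > 1, reasons

# Constructed sample pages (not captured from any real site).
BAIT = ("<h1>Please allow notifications to confirm you are not a robot</h1>"
        "<script>Notification.requestPermission()</script>")
CAPTCHA_ONLY = "<p>To prove you're human, select every image with a cat.</p>"
OPT_IN = ('<button id="n">Get news alerts</button><script>document.getElementById'
          '("n").onclick = () => Notification.requestPermission();</script>')
```

An ordinary captcha page and an ordinary notification opt-in each trip only one signal and are not flagged; only the page that combines the verification wording with a permission prompt is.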

The title text is another trick reCAPTCHA which is trying to make you give out your Social Security number by clicking the pairs of numbers that appear in it. A Social Security number is a form of identification used in the United States, originally used for the Social Security Administration. Over time, this number has become a type of national identification number, so stealing these numbers would allow a scammer to commit identity fraud. Of course, it would use a different grid, as the grid pictured in the comic has words, not pairs of digits. If you found and clicked all of the pairs, the site's operators would be able to guess your real number, and thus this would be a weird kind of phishing attempt. If the grid is 4×4 (and some reCAPTCHA grids are only 3×3), then it can only show 16 of the possible 100 pairs of two digits, so any people who are successfully tricked likely would not reveal their entire Social Security numbers because some digit pairs in their Social Security numbers would not appear. However, it should be noted that this trick likely will not be as successful as the captcha-based trick because the phrase "Social Security number" will likely raise alarm bells concerning identity theft, and people who are not citizens or permanent or temporary residents of the United States will not have Social Security numbers, so they will not be able to be tricked into revealing personal information this way even if they are especially gullible.
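How far a set of clicked pairs narrows down a nine-digit number can be counted directly. This added example (not from the comic or the original explanation) counts the digit strings that would produce exactly the same clicks, and goes beyond the 4×4 case to any grid; the function names and `SAMPLE_GRID` are assumptions, and the two sample numbers are the digit strings quoted in this page's discussion.

```python
from functools import lru_cache

ALL_PAIRS = frozenset(f"{i:02d}" for i in range(100))

def adjacent_pairs(number):
    """Set of two-digit strings that sit side by side in the number."""
    d = "".join(ch for ch in number if ch.isdigit())
    return {d[i:i + 2] for i in range(len(d) - 1)}

def count_consistent(clicked, grid=ALL_PAIRS, length=9):
    """Count digit strings of `length` that would produce exactly these clicks.

    A pair shown on the grid must occur if clicked and must not occur otherwise;
    pairs the grid never showed are unconstrained.
    """
    clicked = sorted(set(clicked) & set(grid))
    bit = {p: 1 << i for i, p in enumerate(clicked)}
    full = (1 << len(clicked)) - 1
    allowed = [p for p in sorted(ALL_PAIRS) if p in bit or p not in grid]

    @lru_cache(maxsize=None)
    def walks(last, steps_left, seen):
        # Number of ways to append `steps_left` digits after `last`.
        if steps_left == 0:
            return 1 if seen == full else 0
        return sum(walks(p[1], steps_left - 1, seen | bit.get(p, 0))
                   for p in allowed if p[0] == last)

    return sum(walks(s, length - 1, 0) for s in "0123456789")

# Constructed 16-cell grid, standing in for a 4x4 layout.
SAMPLE_GRID = frozenset("12 23 34 45 56 67 78 81 90 09 11 22 33 44 55 66".split())

if __name__ == "__main__":
    for n in ("123-45-6781", "121-31-4151"):
        pairs = adjacent_pairs(n)
        print(n, "all 100 pairs shown:", count_consistent(pairs))
        print(n, "16 pairs shown:", count_consistent(pairs, SAMPLE_GRID))
```

Even with every one of the 100 pairs on display, the first sample number is one of 8 candidates and the second one of 48, because the clicks record which pairs occur but not their order.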

It should also be noted that the phrase "to prove you're human", while also attempting to disguise the trick, has a somewhat different implication. In the first example, the idea of the supposed captcha is that it asks the user to complete a task that human brains but not computer programs can perform accurately and easily, such as image recognition. In the example in the title text, the idea of the fake captcha appears to be that humans are issued Social Security numbers (at least if they live or have lived in the United States), but computers are not. As the website does not already know the users' Social Security numbers, it would not actually be able to tell whether the user's response was correct. There is nothing to prevent programming an automated spambot program to randomly select zero to four of the boxes. Likewise, users could lie and not reveal their actual Social Security numbers, although those who realize that the supposed captcha is an attempt at identity theft will likely not complete it at all and could report it to law enforcement instead.

Boxes on the reCAPTCHA

| Position | Contents | Analysis | Click? |
|---|---|---|---|
| Row 1, Column 1 | Alike | Adjective/Adverb: Related to the verb "Like", as in "similar" | No |
| Row 1, Column 2 | Elope | Verb: To romantically abscond. But does not start with "A" | No |
| Row 1, Column 3 | Aloe | Noun: A specific type of plant, or its extracts. Vaguely similar to "Allow", but not normally a homophone | No |
| Row 1, Column 4 | Ale (and squiggles) | Noun: A type of beer. Confusable with the verb "ail": To suffer. "(To) ply with drink" is conceivably a verb form | No/Maybe |
| Row 2, Column 1 | Avow (and squiggles) | Verb: To declare | Yes |
| Row 2, Column 2 | Danny (and squiggles) | A person's name: Familiar version of Daniel/Danielle. (Also slang/dialect noun: The hand.) A strained off-homophone of "Deny", as used elsewhere. Does not even start with an "A", anyway! | No |
| Row 2, Column 3 | Allele | Noun: Genetic variation/subunit | No |
| Row 2, Column 4 | Allot (and squiggles) | Verb: To assign or distribute. Can be misspelt "alot", causing confusion as to the legitimate word. Either of the above may be misused instead of "a lot", in its noun form meaning "many" | Yes |
| Row 3, Column 1 | Askew | Adjective/Adverb: Tilted, twisted, off-balance, strange | No |
| Row 3, Column 2 | Deny (x2) | Verb: To refuse, disallow, etc. Does not start with "A" | No |
| Row 3, Columns 3+4 | (squiggled "www.a????.com") wants to install a helper tool | Might depend upon a legible version of the URL | The true CAPTCHA answer would apply to cell Row 3, Column 3 |
| Row 3, Column 3 | Deny | As above | No |
| Row 3, Column 4 | Allow | Verb: To permit, licence, be contingent of | In CAPTCHA context only. To avoid malicious behavior, you should avoid clicking this whole grid |
| Row 4, Column 1 | Allow (smaller size), Alto, (squiggled "to a????? ~squiggles~") | It might be easy to miss the "Allow", which is valid. "Alto", however, is a noun: Instrumental/choral pitch or range. The squiggles may include a 'valid' A-Verb | Yes, for "Allow", in CAPTCHA context. But if a Click-trap, you'd be best to close/Back-button the whole page |
| Row 4, Column 2 | Allow (and squiggles) | As elsewhere | Yes (or further trap) |
| Row 4, Column 3 | Deal | Verb, noun and adjectival: Various related or obscure meanings. But does not start with "A", in any case | No |
| Row 4, Column 4 | Delay | Verb (and related noun): Of an enforced wait. Does not start with "A", although the synonym "allay" does. ("Delay" also shares common meanings with, and mixes the phonemes of, both "Allay" and "Deny") | No |
| Any cell | Unremarked squiggles | It is entirely possible that those squiggles, if decipherable, could include qualifying text | Maybe..? |

Transcript

[Header at the top of the image with white text inside a light blue rectangle]: To prove you're human, please click every box containing a verb that starts with "A"

[Below the header, a series of panels in a 4x4 grid. Each panel has a word in capitals. Most of the words appear to be in buttons, and several have illegible text above or below. Some are tilted or off-center]

Alike

Elope

Aloe

Ale

Avow

Danny

Allele

Allot

Askew

[Two buttons, both saying]: Deny

[The next two panels are joined together, with two buttons next to each other. One says "Deny" and the other "Allow". The text above reads]: [illegible].com wants to install a helper tool

[With the word "Allow" printed clearly above and illegible text below]: Alto

Allow

Deal

Delay



Discussion

Wow, this took me a while to figure out...The 𝗦𝗾𝗿𝘁-𝟭 talk stalk 03:48, 23 January 2021 (UTC)

Behold, the most ominous caption of all time. 172.69.34.152 07:38, 23 January 2021 (UTC)


When I saw this explanation the title text was explained like this:

Title text is a similar recaptcha thing trying to also do identity fraud at coords 3,3 and 4,3.

What does that even mean? I will change it, but if there is a meaning to those coordinates? then reinsert and explain... --Kynde (talk) 10:09, 23 January 2021 (UTC)

I'm guessing 3,3 and 4,3 refer to the table of boxes in the comic itself - the two boxes that contain the malware window are in the third row counting down from top, counting from the left one is in the third box and one in the fourth left box. Not particularly relevant to the title text, though. 172.68.146.216 13:50, 23 January 2021 (UTC)

Not all 9-tuples of digits can be determined from their pairs of digits. For example, 123-45-6781 and 234-56-7812 have the same pairs. Likewise, 121-31-4151 and 121-41-5131 have the same pairs 162.158.62.157 13:23, 23 January 2021 (UTC)

This makes me wonder what the smallest difference n-m is so that you cannot uniquely determine an n-tuple of numbers from all m-tuples contained within it. 162.158.158.253 20:24, 23 January 2021 (UTC)
It's zero. Even judging by the tuples of length n-1 contained within the n-tuple fails when the n-tuple alternates between two values, e.g. 121212121. 162.158.187.129 01:57, 25 January 2021 (UTC)

This is called a Clickjacking attack, isn't it?--162.158.183.211 01:45, 24 January 2021 (UTC)

Aside from the manipulative elements of the 'CAPTCHA', this makes me think of a 'reverse Turing Test'. Instead of trying to get computer/human to prove their humanity, you ask them to do something that only a computer can excel at and a human will normally fail. (If used as a true-Turing test, the imperfect answer might be your clue as to who is(n't) faking, but that's why computer-candidates for these tend to always include deliberate 'tics', such as deliberately bad 'typing', grammar, punctuation, trying to seem less 'prefect' than the human correspondent.) With this comic's array, I'm left wondering if I'm getting the right verbs... is that even a verb..? "Doing word, right... but am I think of that one as an adjective and missing its verb use..?" when a robot-mind with the right lookup table would quickly assess everything 'correctly', and almost instantly. Which might (in legitimate CAPTCHA use) also be a clue that it's a robot-response, but only if the setter is that slightly bit more devious than the creator of the challenger. Complicated! 141.101.104.241 15:07, 24 January 2021 (UTC)

Added a Table section, from scratch. It may copy or restate things said in the main Explanation (which needs a lot of subediting down, IMO) but I think adds many things not already mentioned that aren't Computer Geeky but aren't too verbose for being Lexicographer Geeky. I of course welcome clarifications, corrections, etc. I thought I put enough in to not need Wiktionary/other external referencing, but that's still the most obvious enhancement (without increasing pure text content). Have at it, then, my fellow XplainKCDers! 141.101.99.49 19:11, 24 January 2021 (UTC)

Is there a category that would include this and https://www.explainxkcd.com/wiki/index.php/2228:_Machine_Learning_Captcha? SDT 162.158.74.59 02:04, 25 January 2021 (UTC)

I understand the malware box that offers to install a "helper" tool. But is there any special significance to the "DELAY" box and the "AVOW" box? Both of these have more prominent borders than the rest. Tenbob (talk) 11:48, 25 January 2021 (UTC)

I was under the impression that they were a cutout of a larger window, similar to captcha usage of snips of a picture file. This is most likely intentionally a "feature" additionally added to give some credibility to the actual clickbait.OhFFS (talk) 17:53, 25 January 2021 (UTC)

This entire comic ignores a simple fact of basic web page construction, specifically, that the action performed is separate from the label on the screen. So the button labeled "Deny" could be linked to the action to allow. In fact, it could be programmed that clicking anywhere in the entire picture could trigger a download. So if someone were behaving maliciously, they would not have to hide an "Allow" button and trick people to click it. The entire page could be a "button" that when clicked would trigger a download. Rtanenbaum (talk) 18:50, 25 January 2021 (UTC)

I thought the concept was rather to obscure the fact that part of what's displayed is NOT the webpage, but the OS security dialog.

Comic with a similar concept: https://xkcd.com/565/ (Security Question)

I don't personally want to just revert the drastic mass-deletion edit https://www.explainxkcd.com/wiki/index.php?title=2415:_Allow_Captcha&diff=205299&oldid=205298 but I actually think the removed text was a good observation. Strings that are "valid verbs, prepended by an 'A'" is one (odd but consistent with xkcd) interpretation of the instruction. Hasn't anyone seen Only Connect/similar? Perhaps it should be given its own para in the Explanation (one more won't hurt)..? 172.69.54.73 00:22, 26 January 2021 (UTC)