Well I have 22 million reasons why this is a stupid method. Anyone want to buy an email list?

The install was pretty easy including getting PHP 5.1.2, Apache 2, and MySQL 5 installed using the familiar apt-get command. (I wish they had included php 5.1.4, but this wasn’t a deal breaker)

I was dismayed to find that they didn’t have a package for PDO extension (PHP Database Objects). So I installed the PDO via the pecl command:

bhiv@devserver:~# pecl install pdo

It downloaded, phpized, configured, compiled and installed just fine. The only thing I had to do was add the line:

extension=pdo.so

to the files:

/etc/php/apache2/php.ini
/etc/php/cli/php.ini

(and restart apache)

But what good was the PDO without a driver for a database, in my case MySQL. So I tried:

bhiv@devserver:~# pecl install pdo_mysql

It downloaded, phpized, then failed on the configure command with the error:

configure: error:
You’ve configured extension pdo_mysql, which depends on extension pdo,
but you’ve either not enabled pdo, or have disabled it.

After trying a number of ways to force it to install, trying to foce the dotdeb distribution to install I found the simplest solution was to manually download the package with the following commands:

bhiv@devserver:~# wget http://pecl.php.net/get/PDO_MYSQL-1.0.2.tgz

bhiv@devserver:~# tar zxvf PDO_MYSQL-1.0.2.tgz

bhiv@devserver:~# cd PDO_MYSQL-1.0.2

bhiv@devserver:~# phpize

bhiv@devserver:~# vi configure
comment out lines 4163-4173

bhiv@devserver:~# ./configure

bhiv@devserver:~# make

bhiv@devserver:~# sudo make install
add the lines:
extension=pdo.so
extension=pdo_mysql.so
to the very bottom of the file.

bhiv@devserver:~# sudo vi /etc/php/apache2/php.ini

bhiv@devserver:~# sudo vi /etc/php/cli/php.ini

bhiv@devserver:~# sudo apache2ctl restart

Hopefully there will be a php-pdo package soon. But until then, this was the simplest way to get PDO installed on your new Ubuntu system.

In the meantime, I will be consolidating all my links into a single entry, like so:

• Data Mining Amazon Wishlists – A great read of what a programmer can do with public accessible information. Does make you wonder what people behind the curtains can do with full access to data
• 10 Beautiful Experiments, they say the most beautiful, but isn’t that in the eye of the beholder?
• MySQL compatibility in PostgreSQL, in its beta stages but it is an interesting idea to say the least.
• Creative tries and rewrites the definition of Podcast, sorry your products didn’t take over the world like Apple’s did, but this is a battle you can’t win.

Anyway, I think you may get the idea of what theBuzz will be like, nothing special just a simple quick links. The next issue will be shorter without all this explanation.

Examples:

I’m sure they received complaints and they changed it again, this time altering the thickness of the background lines and dropping the dictionary words, this new version also seems to only produce ~1% human unsolvable.

More Examples:

My past technique would no longer work. While it is definitely better, it still has the weakness of a consistent font and placement. If I wanted to break it again, I could take samples of colors from the areas I know would not be letters, remove them, and train the OCR to the font they use. I won’t be demonstrating how because ultimately I want to continue to use digg and they are obviously aware of the problem now.

Now onto another CAPTCHA that will be 100% breakable…

Digg’s CAPTCHA Weaknesses:

1. Dictionary Words
2. Same background
3. Same Font
4. No deformations
5. All lowercase letters
6. Constant colors

Tools

• gocr – a GPL Optical Character Recognition program
• ImageMagick – for command time image editing
• Perl – to tie everything together

Sample Size
100 images with 95 different words with an average word length of 5.3 letters.

First Test
Just dumping all the images through gocr yielded 26% correct responses. Not too shabby. It yields some easily manipulated results:

• = groUDS
• = single
• = t’ o.l,i.c,e ‘. . .’.’. ”,
• = be.cause.

Looking at the results I’m sure that we could improve the results with a little string manipulation.

Tweaking output
We can mess with the output to yield better results

• Convert all output to lowercase
• Remove non letter characters
• Spell checker

The first two yield 53% correct responses; just with this simple tweak we are able to get more correct guesses than incorrect. With adding the first guess of a spell checker it bumps the accuracy to 67%

Tweaking input

• Removing boarder
• Adjusting contrast and brightness
• Using edge detection

So becomes

Since we are already over 2/3rds accurate we don’t need to adjust the input of every image, just the results that aren’t dictionary words. Part of them problem is that while one adjustment will improve results for one image, it will degrade the results for another. My solution was to try 10 variations, run them through the OCR and then spell check. I then had the program pick the solution with duplicate results, in the case of a tie or no duplicate I had the program pick the one with the fewest number of variations. This method resulted in the final accuracy of 88%.

Problems with this technique
While these quick results have come close to becoming usable, they are still a far cry from 100% accuracy. Since digg uses a consistent font I could train gocr for problematic letters (such as p) also given that in 100 images I received 5 sets of duplicate words I would estimate their dictionary is only a couple thousand and could hand tweak the results.

Other resouces

• PWNtcha – a project to build a captcha decoder
• Breaking a Visual CAPTCHA – the breaking of EZ-Gimpy CAPTCHAs

Disclaimer
I did contact digg last week to let them know I would be publishing this and offered them the opportunity to have it delayed while the upgraded their CAPTCHA. I haven’t heard from them as of now. I still offer them the opportunity to contact me and I will temporarily remove this article.

Update:
~30 hours after I posted this they have changed the nature of their CAPTCHA, I will be writting a follow up soon … here is my reponse