Finger, a verification library to prove hommaannnnnness of a user

Finger achieves this by showing pictures of N hands holding up random fingers and asking users to verify how many fingers am I holding up, which is a task our machine friends suck at!

This is my first package for elixir, hex, some things are not quite right. Please be gentle :slight_smile:


This version has imagemagick dependency.

I have added a TODO to address asset loading from a package. I came across Jose's post from 4 years ago on this forum so I followed that route. It is not as clean as I would like it to be though.

https://hexdocs.pm/finger/readme.html#content

If you want to see it in action you can always visit the registration page on my website.

Code and finger contributions are more than welcome :smiley:

9 Likes

How do you handle different cultures counting their fingers differently? Like in the first image it could be read as 2025, or it could be read as 1001215, or a couple of other ways. Saying ‘count’ of fingers might be better, but still not helpful if English is not their native language.

EDIT: Fixed miscount, lol

6 Likes

Honestly, I did not account for variance in the counting of fingers.

Which cultures would count as 18 and how do they reach there? Do closed fingers mean 10 or 5 to different cultures?

The library only provides the image and answer, the text and hints to require input are in your control so could use the appropriate instructions and wording for the culture and language.

Thank you for a great point regardless, I will do some research on it and update the assets to be more clear as necessary.

2 Likes

I’ve personally met people that count with fingers in base-2 starting with the thumb as 1, and people who count using their thumb placed on the parts of the fingers between the joints (starting with pinky near hand, so 3 per finger, 4 fingers, so they count to 12 on each hand), and I’ve seen other popular methods online as well.

2 Likes

From UI perspective:

  • I will definitely make the text to describe each opened, clear finger count as one
  • 0 is the special case of shape
  • Add an example of challenge and the answer in a question mark help text

Library:

  • maybe completely remove 0 from the library to prevent confusion
  • Add guards for generation between sane numbers
2 Likes

In the first picture there are 4144. Obviously.

Nothing is said about them needing to be stretched or folded, so you see 4 fingers and one thumb on 3 of them, one finger and a thumb on one.

3 Likes

You guys are more literal than the robots :stuck_out_tongue:

Joking aside, addressing the clear instructions issue as we speak.

4 Likes

We are developers.

It’s our job to recognize important edge cases before they hit production. :wink:

3 Likes

I am only joking, I appreciate the help!

with 0.1.4

  • the 0 edge case is gone
  • added actual integration tests to solidify the stitching part

Now time to update the elxsy and clear the instructions with help

1 Like
3 Likes

If culturally it is too complex to make a solution that suits them all I am wondering if you could use pictures of random objects, like coins, pencils, forks, spoons, bottles, etc. for the same purpose. It may even be harder for AI engines to break.

1 Like

Those are interesting and good reads, thank you! I will definitely read more of the first link :slight_smile:

I basically did what you have thought of a decade ago, before captcha2 ripped it off in a really bad way again that people make memes off it again. I posted a short history on this blog post but didn’t link to the library.

That picture is coming from the Webarchive 2009-06

The idea was to click on distinctively different objects, requiring user input that bots don’t have and allowing people to validate the result locally with a 3-4 line method that uses same signature as the api call result.

2 Likes

Sorry, I mean put many random objects of the same type and make people count them instead of fingers, like: 5 coins, 3 forks, 1 cloth pin, 7 marbles.
People didn’t even need to know what the objects are, so long as the objects are distinguishable.

1 Like

I see, we are going down the google route there.

our vision speed, clustering >> detection >> analysis - counting.

Hands and fingers are native to us since childhood, so I went down the analysis route. Identifying and counting some different objects will take more time and be a chore for many.

I will sleep on it.

I might resurrect IamHuman with my own image set as an open-source service again - then won’t have any trouble for copyright, royalties of publishes used pictures.

1 Like

Some of those are quite interesting. ^.^

I have had so many typos in my post, lack of sleep showed there! I can’t edit it now but thank you for understanding.

Two decades ago I had to do instruction and teaching courses as well as computer science and engineering courses

I studied both of these subjects and found them fascinating. Greatly helped me do visual games and simulations for challenging physics subjects.

Basis of them are very similar to CS, how humans operate (Behaviour - Kernel), and how humans learn (Cognitive - How to shape your programme)

If it’s of any interest, have a read.

1 Like

So far
It has been out in the wild for a couple of days but had 0 spam incoming and now time to reap the benefits

Setup and context

  • field is named as “fingers”, throws bots off, don’t know how to treat the field name
  • It is marked as required on HTML5 form as well as on the server validation which happens in the controller or Ecto right now.
  • It is a number field on HTML5, so only integer numbers can be entered given the browser supports it
  • A human is expected to enter numbers into it

I have been logging stuff on the "failed cases"

Don’t worry, omitting password and email fields before logging.

Failed Registration from 5.166.201.102
%{"email" => "***@gmail.com", "fingers" => "", "name" => "Susanteete", "password" => "***"}

Failed Contact from 170.254.230.186
%{"email" => "***@edlen.com", "fingers" => "rdHoGzYqkDZLgVc", "message" => "mWAhJiaHvrMLSlR", "subject" => "YQJxLAFTXWkVl"}

Failed Registration from 170.254.230.186
%{"email" => "***@edlen.com", "fingers" => "NMFbSguTeYn", "name" => "ocJLmzwV", "password" => "***"}

You can check the reputation of IPs from this open community awesomeness (which I use to mass ban 20k bots via my firewall, god knows how much logs I would get if I hadn’t already)

https://www.abuseipdb.com/check/170.254.230.186

It is definitely a harmful spam bot.

Armed with these bits of information we could do the following.

Taking it to the next level

When the verification fails, don’t just disregard it, but pass the answer and given answer into the library analysis section. Could be a different supervisor tree or even offline, cron process.

Hoomannn vs Makina

  1. Is it empty? It can’t be empty for an actual user with a “text/html” browser
  2. Is it the required string length? Asked for 2 images how many did we receive?
  3. Does it contain non-numeric characters? It can’t or shouldn’t be for an actual user on html browser.

Ok matches total weight is higher than the threshold, very likely a bot but could be a human dicking around:

  • Verify the reputation and confidence with abuseipdb api
  • Send the report to abuseipdb, because even dicking around is abuse and should be reported. If it’s a genuine user then it will expire after a while, given no other reports come in.

Not enough confidence or evidence:

  • log and move on

Enough confidence and evidence:

  • Ban the IP via OS, network firewalls (ufw, iptables, ipset, WAF etc)
  • Preferably via a small driver package for each flavour

what do you people think?

2 Likes
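The three checks and the weight threshold proposed in the post above, as an added example that is not part of the original post or of the Finger library. The module name, the weights, the threshold and the `:check_reputation` / `:log_only` action atoms are assumptions made for illustration; the sample inputs are constructed to resemble the logged failed cases.

```elixir
# Added example: hypothetical module, not code from the Finger library.
defmodule FailedAnswerTriage do
  # Assumed weights and threshold; tune them against your own failed-case logs.
  @weights %{empty: 3, wrong_length: 2, non_numeric: 3}
  @threshold 3

  @doc """
  Scores a failed "fingers" answer. `expected_len` is the number of hand
  images shown (one digit per hand). Returns {score, matched_signals, action}.
  """
  def triage(params, expected_len) when is_map(params) and expected_len > 0 do
    # Anything that is not a plain string (missing key, list, map) counts as empty.
    given =
      case Map.get(params, "fingers") do
        value when is_binary(value) -> String.trim(value)
        _ -> ""
      end

    signals =
      [
        empty: given == "",
        wrong_length: given != "" and String.length(given) != expected_len,
        non_numeric: given != "" and not String.match?(given, ~r/\A[0-9]+\z/)
      ]
      |> Enum.filter(fn {_name, hit?} -> hit? end)
      |> Keyword.keys()

    score = signals |> Enum.map(&Map.fetch!(@weights, &1)) |> Enum.sum()
    # At or above the threshold: hand over to the reputation lookup step.
    action = if score >= @threshold, do: :check_reputation, else: :log_only
    {score, signals, action}
  end
end

# Constructed samples shaped like the failed-case logs (credentials left out).
samples = [
  %{"fingers" => "", "name" => "Susanteete"},
  %{"fingers" => "rdHoGzYqkDZLgVc", "subject" => "YQJxLAFTXWkVl"},
  %{"fingers" => "31"},  # right shape, wrong value: plausible human miscount
  %{"fingers" => "314"}  # one digit too many for a two-hand challenge
]

for params <- samples do
  IO.inspect({params["fingers"], FailedAnswerTriage.triage(params, 2)})
end
```

With these assumed weights, the empty and the random-letter answers reach the threshold, while the two numeric answers are only logged, so an ordinary miscount never triggers a reputation lookup or a report.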

When your library gets traction it will end up in the human automated solving APIs:

We assign a worker for your captcha

100% of captchas are solved by human workers from around the world. This is why by using our service you help thousands of people to feed themselves and their families.
An average worker makes about $100 per month which is a very good salary in such countries like India, Pakistan, Vietnam and others. With your help they now have a choice between working in polluted industries and working in front of a computer.

So, you may want to give random names to each image you send for a challenge, like a timestamp based hash, thus it will make it hard/impossible for these types of services to cache the result to each of your challenges.

2 Likes

ahaha loved that website, the animations especially the quality control side :smiley: thank you for that!

Currently, all images are stitched together as a final image with the name of your choosing. The software won’t be able to identify individual pictures.

From their instructions, it is apparently solved by actual humans so it will solve any captcha on the planet since it is designed to prove humanness :smiley: we need an anti-anti-captcha design that is only solvable by machines for those guys :smiley:! That will show them!

3 Likes

Bear in mind that these guys are just one of the many services of the type. Many more exist, and some may only exist in the dark-web.

The point is that it's solved by humans only on the first API call done to their service, afterwards they return the cached result, otherwise it would not scale.

In my opinion this name should be unique for each time a challenge is made.