Brilliant building of software. Less than brilliant copy.
I would change
Black plays; checkmate in one!
This is a chess CAPTCHA.
Click on the board to make your move,
and prove you are human.
to
This is a chess CAPTCHA...
To prove that you are human,
click on a black piece, then
click on the only destination
square that will checkmate.
I really don't mean to nitpick, but it took me a minute to figure out what to do. Sometimes the thing that makes the biggest difference for us programmers is not our communication with our compiler but our communication with our users.
Great job. Thanks to you, I just announced I won't be ready for brunch for another half hour. <Refresh> Sigh.
There are many blind chess players. Competitive chess rules allow blind players access to special equipment (basically an auxiliary pegged board) so that they can 'feel' the position. Really strong chess players don't actually need sight of the board and I imagine the best blind players (there are many of master strength) don't make extensive use of this provision.
In the biannual international chess 'olympiads' (team competition between countries) a multi country blind players team competes. Some other disabilities are also represented in the same way.
One of my friends spent his 2 years of military service in Israel playing chess -- up to 2 dozen chess games simultaneously, blind folded, against soldiers in the Israeli army. After his army service, he eventually ended up in grad school and later on became a professor. But more than his research papers, it is his chess playing that I remember.
I think blind chess is a lot easier than blind go. Apparently there are master-level blind chess players, while Sensei's Wiki mentions only a 26-kyu blind go player (i.e., around the level of somebody who has been playing for about a month).
"Charles played chess using a special board with holes for the pieces and raised squares." [1]
"Are there any blind chess masters in the world? Have there been any throughout history? Yes. Al Sandrin, who died a few years ago, was an USBCA member who was a master." [2]
The original copy is better than your proposal: you get to the checkmate point, which is the essence of the captcha, at the very end.
The way it was originally laid out, it's clear that you are looking for checkmate in one, while in your copy it seems acceptable to click any black piece.
Uh, if it's a CAPTCHA intended to be usable by those who know chess as opposed to those who actually play chess then yes, they should probably ask for what they actually want instead of saying something that will lead the user to the right assumption.
Of course if it's really "CHESS player CAPTCHA" then I could be way off...
Starting with "Hey, let's solve a CAPTCHA because I'm not sure if you are a human" and burying information which side the user is supposed to play somewhere in the middle of the text would make it a major PITA.
I like the original wording because it is exactly how chess problems are typically introduced. I'm not sure of the usefulness of this anywhere beyond a chess-related site, but I agree -- it's absolutely brilliant! I wish I had thought of it.
I would change "human" to "biological entity"...we should not exclude extraterrestrials from the target audience...this is at the risk of offending non-biological (and probably also extra-terrestrial) entities, but they would presumably render all captchas obsolete anyway.
While I think both versions of the text would work, I think it's worthwhile to go over some reasons why the suggestion could actually be less clear than the original.
1) The two most important pieces of information (player color and goal) became separated from each other;
2) The third piece of information (number of moves) went missing;
3) The player's color became hidden in the middle of the paragraph instead of the first word;
4) The player's goal disappeared to the end of the paragraph, instead of in the first sentence after player color;
5) The original has a clear and unambiguous goal for both new and regular users, while the alternative became very verbose, especially for returning users.
6) Usability is about the target audience, and the target audience is chess players, not software developers.
7) In contrast to how the founders want to position the brand, a very watered down, a newbie-friendly CAPTCHA could alienate experts from the site, and an expert-friendly CAPTCHA could alienate beginners.
To the OP: Since you have an established chess community, you should be asking them if they have a strong opinion rather than blindly taking advice from Hacker News :)
I will just point out that the first example I was given was a chess CAPTCHA which had two checkmates, so it is not a case of "the only destination square that will checkmate" -- there may be two moves.
No need. Given the demographic targeted, the current text is sufficient (possibly overly wordy at that) and regards the question of how to move, they are used to interfaces far worse than this---they will figure it out. I suppose that you could claim that as part of the puzzle :)
I disagree. Use the clearer set of instructions. Do not leave confusing instructions in place just because the target demographic can decipher them while others are left in confusion.
BTW, the sentence "Black plays; checkmate in one!" is popular with giving such chess quizzes in various chess books, magazines etc. Probably this is the reason to start with this.
When writing instructions for users who might see the instructions frequently, putting an introduction like that, especially with the locally-relevant data buried, is not helpful.
Instead, their terse instructions, written in a familiar and easily-parsable format are ideal. Placing a "What is this?" link afterward that opens[1] to more detailed instructions is how you should approach this.
[1] Through whatever mechanism is most appropriate for your audience. I'd suggest a tooltip by default.
It is interesting because you can't really A/B test the response time with the different text, since the response time includes the human processing time of the chess problem.
Sure you can. You're just adding two (probably normal-ish) distributions: the distribution of human response times for processing the chess move, and the distribution of human response times for parsing the instructions.
You are right, of course, and I knew I was going to regret the use of even the toned-down term "probably normal-ish". The question is whether one can meaningfully ask which text is faster to parse, despite the "noise" that comes from the time to actually perform the chess move. I suspect the answer will be 'yes'.
I think the answer will be 'no' as solving a chess problem is a learned skill and not as innate as reading and understanding text and the time delta of comprehension between two similar text passages << time to solve chess problem distributed between users of low and high skill.
Why would the distribution of user skill differ across test groups? There's no reason it should. The expected time to solve the puzzle itself would be the same across both groups.
Are you the lichess creator? Just wanted to congratulate you for the great piece of software you got there. IMHO it is one of the best multi-player chess platforms out there. It is so straightforward and the UX is amazing. The "analyze game" link after the end of the game is also very good.
Even though I am only a ~1200 ELO player, I play almost daily and enjoy your platform a lot :)
I am fairly certain it would be quicker to program a computer that can brute force a checkmate in one than I can solve these things by hand.
You have what, 11 pieces, they can move into 64 positions each (at most, much less in reality). That means a computer must brute force 64*11 = 704 attempts.
In other words, no time at all to bruteforce this once you've read the grid. Reading the grid in itself is rather trivial since you only have a small number of clearly distinguishable pieces to recognise.
So after an afternoon of coding, I could have a computer that solves this CAPTCHA in a few seconds. As a human I need more than 30 seconds just to read the current situation on the board.
I've seen forums get flooded for no other apparent rationale than some random skiddie had nothing better to do for an hour or two than irritate the admins. It being not worth anyone's time to break isn't actually a feature, but it being relatively easy for anyone with time to waste on it is a flaw.
OP may have been suggesting it's not actually a CAPTCHA in the first place, under the understanding that CAPTCHAs are at least nominally supposed to target something computers are bad at.
Chess is even a particularly ironic implementation because it was one of the first traditionally human pastimes where computers excelled.
A site can have a CAPTCHA that's so bad it's not actually a CAPTCHA even if no one bothers to attack it. My hidden forum could require a user to sum one thousand integers before seeing any posts. I probably wouldn't attract any spammers (because no one would join to read their spam), but that doesn't mean the so-called CAPTCHA is beyond reproach.
I'd agree partially, but I'd comment that it's also security by diversity. If every site had a unique captcha solution requiring custom software for a defeat, the force multiplier effect of "write once, run everywhere" would be hugely diminished, and it would be much less cost effective to implement various types of spam. So, the particular security strategy here is indeed weak, but I would say that it might actually strike closer to the root of the problem than just making a really hard, but still universally applied, captcha technology.
The economics of spam commenting makes sense if it can be done automatically at a massive scale. If only one or a very small number of "humanity tests" exist, then cracking those tests has a high payoff value. Having a huge number of different, ad-hoc authentication schemes would make developing automatic cracks unacceptably expensive for the actual level of benefit achieved by posting the spam comment. Therefore, being a site with a unique CAPTCHA system attacks the core value proposition of spam comments, which strikes the root of the issue.
Another way to look at it is like the entire collection of CAPTCHAs on the Internet is really just one big CAPTCHA library, which tests a subset of "human" abilities. The larger the subset, the more difficult it will be to circumvent. Relying on one or two special abilities makes it easier for a machine to emulate those behaviors and gain access. I hope that clarifies the point I was making.
Probably not, but we are talking about the CAPTCHA itself :)
You raise a good point about making captchas that target your target audience in that they aren't really designed to keep out bots, but humans who wouldn't fit in. This looks very much like that sort of captcha.
Any chess engine could load this and solve these problems in milliseconds. Which is far easier than most captchas that require moderately sophisticated image processing.
It would have been easy to have just stored that bit of session state to the server.
It’d also be pretty easy to alter the HTML board to a prerendered image with imagemap click detection. At which point someone's writing custom image feature detection software to break your captchas.
Of course, this mainly works because of the obscurity, even with the upgrades. And since someone’s already going to have to write custom software to break this I’m not sure it’s worth it to upgrade - as I doubt it’s worth anyone’s time to write the minimal software that's needed now.
By this argument, the captcha would become useless as soon as it saw widespread adoption. The idea of a captcha is to be strong against bots even if it was directly targeted by spammers.
No, a captcha is supposed to get rid of spam without annoying the users. If it gets rid of lichess.com's spam without annoying the users, then it is perfect.
CAPTCHAs solve a specific design problem. They are not an IETF protocol or solution to be used everywhere. That's kind of the issue. Once a CAPTCHA is worth enough it will be overcome.
The problem is to design a CAPTCHA that implements just enough headache to make it worthwhile not to overcome and at the same time not frustrating users. I think this chess problem uniquely and elegantly solves the problem for the site in question by achieving both.
Then again, I am not familiar with the users, maybe the site is often trolled by chess mastah wanna-bes.
The design itself could be improved, though, to make it stronger against scripting. For instance, there's no reason the values for the pieces and the boards necessarily need to be human-readable and to follow the notation of chess in the code itself, those variables could be randomly generated per load, perhaps with a salted hash. That could also serve as CSRF protection maybe.
If the idea of the chess captcha is to be used once on a single site (ignoring the fact that it's a chess captcha for a chess community), it's very over-engineered. Jeff Atwood gets away with a captcha where all you have to do is type "orange" to post a comment[1] and even that manages to mitigate a lot of spam.
It's chess. You don't have to use this board to check every possible move, as any engine that knows the chess rules can verify if the result is indeed checkmate, without using this site's engine.
But, basically you're right. If the bot is not using an external chess engine, it could effectively be blocked from brute force attacks the way you describe.
As I expected most of the HN comments are criticizing it for one reason or another but I like this just because solving simple chess puzzles is FUN which is not true for the tasks in the typical CAPTCHA.
Yes, there could be a concern over a spammer automating the process but that might be more hassle than it's worth just to spam a small chess forum.
'Fun' should only really be considered after 1. security and 2. usability, and this CAPTCHA fails on 1. As soon as this CAPTCHA becomes widespread, spammers will have additional incentive to create bots that brute-force it, defeating the point.
Also I think you overestimate the amount of coding required to brute force this particular CAPTCHA.
I can assure you, this CAPTCHA will not become widespread, because most people don't know how to play chess. It's specifically on a forum about chess, so it's reasonable there, but anywhere else would be ridiculous.
I will agree that coding a brute force method would work well, though.
This is a very creative CAPTCHA. However, computers are rather good at playing chess, so a chess problem is probably the last thing you want to use to distinguish between humans and computers (unless your aim is to keep stupid humans out).
Other possibilities: guess fruits (http://www.eurekalert.org/pub_releases/2013-03/ip-std030613....), human emotions, animals etc.
This looks like a clever solution to the problem for lichess, at least until someone plugs together a relatively simple bot with 100% success rates. Though, just because it can be cracked easily doesn't necessarily demerit it, perhaps their biggest problem is random untargeted bots, in which case this is great (the argument that it could take longer isn't really important to people on a chess forum).
The captcha seems very easy (I am not a chess player)- I tried three times and always got a board to solve in one move, so I doubt anyone that knows the rules of chess is going to be excluded. That's probably not a problem for this forum :)
Agreed. I had never played chess in my life, but with the help of Wikipedia [1], I figured out which piece to move where.
(I enjoy this mini chess, it's like a low tech version of Bejeweled. I don't have the patience for full fledged chess games, but just finding the last move is fun.)
You might enjoy chess puzzles then. They are usually of the form "[Color] to move. [X] moves to checkmate." Typically, where X > 1, the opponent's moves are forced by check. (i.e. the opponent generally only has one option if you're making the correct moves.)
Screen readers have already been mentioned. But also, how about people from cultures that don't play chess? How about people from cultures that do play chess that just haven't ever given time to the game?
I learned to play chess when I was a kid, but never had anyone to play with. The internet wasn't any help, either, because when you're a kid it's just not that much fun to constantly have your ass handed to you in a game. I gravitated to other games as a result. And now this thing just gives me that same sense of dread, of "I have no idea what the hell I'm doing", even though I know all of the rules of the game, because I'm so not involved in the culture of the game at all.
Congrats, you've alienated several classes of users.
Chess doesn't seem like a useful CAPTCHA. To begin with not everyone knows the rules of chess, and secondly computers are much better and much faster than the average human chess player.
Perhaps a bug. Chrome on my Galaxy S3 showed the white's queen (and I believe bishop) as the color of the background. This was a problem because they were on a grey tile. When I first tried the captcha, the board arrangement looked like white had a king and a few pawns in the lower right and that black had two queens and a bishop in addition to their king at the top of the board. The white, according to my incorrect reading of the board, instantly looked like it was in check, but the captcha was saying that it was white's turn to put black into checkmate. I was completely confused and tried multiple times to move the "black" queen into a position that would checkmate white believing the captcha text to just be incorrect or misleading. After a couple failed attempts, I realized the queen I was trying to move was grey, not black, and then I solved the captcha.
In this case, the captcha took way too long because the pieces were hard to distinguish and the captcha text was unclear. I think that captchas should be something you can do near instantaneously. However, I really like the concept and the trying of a new approach.
I've had success implementing what I feel to be very simple captchas: solve simple arithmetic problems. I'm sure a parser could be created simply enough that would solve them, but I have had zero forum spam in a couple of small forums that use it.
Considering that modern chess software can defeat grandmasters, the Chess CAPTCHA seems more designed to admit bots instead of humans.
"It was my luck (perhaps my bad luck) to be the world chess champion during the critical years in which computers challenged, then surpassed, human chess players"
topic filtering ... and suddenly they noticed a sudden raise in quality in the forum.
Anyway, the same effect could be obtained by writing a "captcha" that simply asks: "Click on the queen", a fixed chess board picture.
They are assuming no one targets them, so it's not so important how hard it is. (until someone targets them)
I have to agree with most if not all of those points but for some people that don't know how to play chess it would be harder.
I think it is pretty innovative but I definitely wouldn't try to release it publicly as an attack could easily use a DOM parser to bypass it.
For it to even be nominally effective, the state of play would need to be non-scriptable - but the piece types, positions, number of necessary moves are all available in the DOM (and some in handy data statements no less). And it appears to post by ajax to a url which returns a boolean for success or failure. And it lets you retry. So yeah, other than being pretentious about chess it would appear to be more or less pointless at actually detecting whether someone is a human or a bot.
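An added example, not code from this thread or from lichess: a sketch of the server-side handling that the comments above point towards (session state kept on the server, per-load identifiers instead of readable class names, no unlimited retries against a yes/no endpoint). The `ChallengeStore` class, its parameters and the sample moves are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# All 64 board squares in algebraic notation (a1 .. h8).
SQUARES = [f + r for r in "12345678" for f in "abcdefgh"]


class ChallengeStore:
    """Hypothetical server-side store for chess CAPTCHA challenges.

    The accepted moves stay on the server, each challenge is single-use,
    and squares reach the page only as per-challenge opaque tokens.
    """

    def __init__(self, ttl_seconds=120, max_attempts=1, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._live = {}  # challenge_id -> state dict

    @staticmethod
    def _token(key, square):
        # Keyed hash: the same square gets a different token on every load,
        # and a token cannot be mapped back to a square without the key.
        return hmac.new(key, square.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, accepted_moves):
        """Register a puzzle; accepted_moves is a set of (from_sq, to_sq).

        Returns (challenge_id, {square: token}) for the renderer to use in
        place of readable identifiers. Every mating move should be listed.
        """
        challenge_id = secrets.token_urlsafe(16)
        key = secrets.token_bytes(32)
        self._live[challenge_id] = {
            "key": key,
            "accepted": frozenset(accepted_moves),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return challenge_id, {sq: self._token(key, sq) for sq in SQUARES}

    def verify(self, challenge_id, from_token, to_token):
        """Check one submitted move; unknown, expired or spent challenges fail."""
        state = self._live.get(challenge_id)
        if state is None:
            return False
        if self._clock() > state["expires"]:
            del self._live[challenge_id]
            return False
        state["attempts"] += 1
        key = state["key"]
        well_formed = all(isinstance(t, str) and t.isascii()
                          for t in (from_token, to_token))
        ok = False
        if well_formed:
            for src, dst in state["accepted"]:
                src_ok = hmac.compare_digest(self._token(key, src), from_token)
                dst_ok = hmac.compare_digest(self._token(key, dst), to_token)
                ok = ok or (src_ok and dst_ok)
        # A solved challenge cannot be replayed, and a failed one is burned
        # once the attempt budget is spent, so the client must fetch a new
        # puzzle instead of walking every move against the same board.
        if ok or state["attempts"] >= self._max_attempts:
            del self._live[challenge_id]
        return ok


if __name__ == "__main__":
    store = ChallengeStore()
    # Constructed sample puzzle with two accepted mating moves.
    cid, tokens = store.issue({("d8", "h4"), ("f6", "f2")})
    print(store.verify(cid, tokens["d8"], tokens["h4"]))  # first try, correct
    print(store.verify(cid, tokens["d8"], tokens["h4"]))  # replay of same id
```

This only removes the fixed selectors and the retry oracle; the position is still visible in whatever the page renders, so it does nothing against a script that reads the drawn board.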
Most of these captchas are very easy. If the targeted king was easier to spot (e.g. marked red) I'm sure I would solve them faster than the omnipresent reCaptchas (even knowing that I only need to type the less legible word).
I know a lot of people are commenting on how effectively this could be used, but I'm simply amazed at how clever this is.
The idea behind it is very interesting, but it obviously can't be used as a mainstream way of human detection. I think what matters here is the really well-made implementation with HTML5.
I thought image recognition on that would be trivially easy to compute? You could identify each piece, then just analyse it to work out the 1 move. As a layman, it seems less computationally difficult to solve that than a state-of-the-art captcha currently?
Not even image recognition. The chessboard is nicely marked-up with relevant classes (e.g. 'bishop') for each piece; would be very easy to automatically solve. However, as others have said, since it's such a narrow target, it's probably not worth cracking.
The fact that it's a chessboard captcha with no relevant target behind it probably outweighs even the satisfaction of cracking it. "Hey, I broke the chessboard captcha" "You did WHAT? I loved that thing!"...
Easy captcha to solve by a computer, no? Just hook up a program that recognizes the pieces etc. Not to mention requires a human to know the rules of chess.
However, it may be said that no one would put the effort to make captcha solvers for everything... unless captcha crackers pooled together.
That makes for an interesting question. Since to solve CAPTCHAs you have to build progressively stronger UIs, can it be said that if there sprung up a "CAPTCHA plugin industry", with people using captchas of everyday things, then the combined solver would eventually be some really versatile AI?
I remember recommending that people just send in pictures of street signs etc. as this would be much better than the best CAPTCHAS right now
I like the idea, but I'm not that good at chess so I'm lost here =) My advantage? I could learn it, and solve the problem, but what are blind people doing? They have no chance to solve the captcha.
Are there any ideas how to deal with this problem? Like an audio file, where all positions are being told? Or anything like that? Right now I would not have an idea how to solve this in a good way.
Me as a web-developer often thinks about the common problem, we need these captchas, and would be a good alternative to them. Until now I had no idea )= Hopefully someday someone has an idea to replace captchas with an easier protection for all people.
The sad part is that we need stuff like captchas since years... stupid spam!!
Though I like this a lot, as has been said, there are some obvious ways to crack it. There would be ways around this though, so as a proof of concept for one specific site it is pretty cool.
In order to contribute to the ways in which this can be 'broken', I present you with a brute force, not on the server, but on the chess game itself:
http://bookmarkify.it/114
(this is a bookmarklet, but you can also just copy-paste the code from the editor (scroll down) and paste it in your console).
This will be effective as long as it isn't widespread, but there are much simpler CAPTCHAs you can use to avoid spam if you want to take the obscurity approach. For example, I've had great success with simple traps that just make it hard for automated programs to figure out the input form. That approach is completely invisible to human users.
But if you do go for obscurity, you're going to lose once your technique becomes widespread, or once your site becomes big enough to be worth targeting.
Interestingly enough, it looks like it has a specific checkmate in mind. It generated a board for me in which black could be mated in two different ways, but one didn't count.
This is a good example of the pitfalls of CAPTCHA design. A bot that knows nothing about this site won't be able to get past it, but a determined attacker who for whatever reason wanted to spam this site could just pick a random square, or parse the board and use existing chess libraries to just break the CAPTCHA outright. Any success rate significantly greater than zero is all a spammer needs to succeed.
Yeah, chess is easy for computers but it's not the point here.
Jeff Atwood had probably a lot more traffic on his blog and still his whole protection was a fixed word "orange". The chess guys are still way ahead in terms of captcha hardness vs spammer benefit ratio.
I'm now going over all of the forums I know trying to come up with an algorithmic forum-themed captcha. Say, "what's wrong with this recipe?" for a cooking forum :)
The important thing everyone can learn from this isn't that a chess captcha might work for every site, but rather that there's a lot of potential for sophisticated captchas that are better than the ones that are currently being used (math, image recognition etc.) - a large variety of completely different ways to prove that you're human makes automatic attacks harder.
This is probably easier for a computer to crack than a well-built traditional CAPTCHA. Recognizing a pre-defined small set of images (the chess pieces) and performing a search for the winning move seems much easier than beating the image distortions in CAPTCHAs with OCR modifications.
CAPTCHAs are an interesting example of software that actually gets worse the more people are using it. Making fun and unique CAPTCHAs for large sites might be a good business for programmers that aren't interested in the winner-take-all pressures of normal software.
Great point. My first thought was, anyone who doesn't know how to, or doesn't like to play chess would not create a topic on this page.
The game-as-captcha idea is good tho, IMO.
I was in a forum talking about this with fellow game devs a while back. Something like a mini platformer that required you to run and jump your character to a flag, for example, might be interesting, or solve a block-fit-style puzzle, or rotate pieces to solve a puzzle, and so on.
For some reason my brain interpreted the white queen as black. The 'right' move was still obvious since white only had a rook and pawns besides the invisible queen, but it took me way too long to see why it was a checkmate!
I play a little chess, but I had lots of trouble distinguishing the king from the queen in this graphics. I've tried all the moves with no luck until I've understood that I've mistaken the king for the queen.
Looks impressive, but I got to say this. I am horrible at chess and couldn't find the move to checkmate white. I would probably get frustrated with this and not even bother to finish the form.
I'd say that the next step would be a CAPTCHA for Go -- creating an efficient Go player is still an open problem, and we could crowdsource the AI research to spammers!
Seeing that computers have already surpassed humans in ability to play chess, what makes you think that this CAPTCHA isn't just easier than morphed text CAPTCHAs?
A quick google gives this; apparently from the creator.
"I[t] tells how fast your computer talks with lichess server. It measures the time a message needs to make the round trip from your browser to lichess, then from lichess to your browser.
I'm interested in knowing what your ping is, depending on the country/city where you live.
I live in Le Mans, France, and my ping is around 30-40ms.
My apologies Jim, as I was not trying to insult your intelligence.
I did not know the answer, but that is the answer given by the creator and it leaves a lot to be desired. His answer appears to indicate that he just did it for shits and giggles.
lichess.org is a game server, and supports real-time playing. The ping is a critical information when you play fast games, it helps to diagnose lagging when it happens.
Great, I like this a lot. It is much better than those horrible squiggly characters in invisible colour combinations.
As an added bonus on, say blog comments, this could filter out obvious idiots.
Consider offering a choice of a few different puzzles for those who don't play chess?
This is very easy to crack due to the 2D board, which is trivial to "OCR".
Now the concept is interesting: one could probably do the same in 3D (with random camera angles -- up to a limit) and then it would prove more problematic for AI because one would then need to be able to correctly pieces in 3D and their position on the board.