VK Couples Testing

Just for the hell of it, we actually threw together the site in yesterday’s comic.

http://vkcouplestest.com/

I hope no hearts out there are broken, but it’s important to know these things.  Bots can handle thousands of connections at once, so you don’t know who else your internet partner is chatting with.  There’s nothing worse than a Turing Test coming back positive for chlamydia.

239 replies on “VK Couples Testing”

  1. I think there’s an obvious vulnerability if the bot sends your partner’s URL to somebody else to solve for him? 🙂


  2. It seems to me it would be more likely to give you Conficker.E than chlamydia.


  3. @Ryan:

    >>Don’t fall into the trap of believing that a spambot will never initiate a VK-Couples test! If your lover sends you a VK-Couples test, be safe and generate a second one to send their way, just to be truly sure.

    If a bot were using you to answer someone else’s test, couldn’t they just send the second test you sent to the other person to get an answer?


  4. Sending the image to someone is too complex. They’d just crack this blag, and make you solve it to post a comment.

    Lisa’s already done it.


  5. Sana’s right. To mediate the impact of that vulnerability, you should be able to enter your partner’s name in the test. That way, a third person (e.g. the other one fooled by the bot) can see it’s not their name in the test.

    But undoubtedly there are better handshake systems imaginable, like both parties giving a random number incorporated in the test.


  6. Perhaps a pair of re-captcha images? And a form to enter the names of both parties?


  7. I noticed there is a section that states “Test started X minutes ago.” This would stop a bot from sending a VK received from party A to party B to be solved and then returned to party A. Party B would notice that the test hadn’t started 0 minutes ago, and would know they were actually looking at someone else’s test (party A’s test).

    Of course, if the bot is fast enough and can send party A’s test to party B immediately, then party B would not know the difference. This would require a bit of luck though. I’m definitely giving this test to my family and friends.


  8. Or you could just lock it to the IP of the first person who enters the test after its creator (you also have to lock the images).


  9. I like the reCaptcha idea too. You both have to answer a reCaptcha and the first one done gets a little “waiting for partner” graph with “likelihood of being human” on the vertical axis and time on the horizontal. The animated graph line drops as time increases, of course.


  10. spriggig – And if the spambots learn to bypass VK Couples Testing, the “Recaptcha” graph has something of a Ballmer Peak (ridiculously very) near the “0” on the horizontal axis…


  11. anon notes the weakness in his own method: if the bot has enough real people to fool, forwarding could be done fast enough.
    pete275’s method is also not secure: the bot would most likely not even look at the page but just forward the link.

    Both methods have one last flaw: the bot could copy the images and build a new page for his other user with the captcha images


  12. DWizzy – you could build the name into the captcha itself. The only way to remove the name from the captcha would be to solve it. It could be like a ReCaptcha, one word is the captcha word, the other is your name or your partner’s name, obfuscated.

    Anyone have an exploit for that one?


  13. Hmm. The VKCouples test in the comic displays real words in the captcha while the website has a random sequence… I think maybe the site is a fake or bot created.


  14. What would be best would be a field where both answer both words – but they don’t see each other’s answers until the answers are both in.


  15. Ah, this still has the flaw that a bot can still pass it on.

    What if it’s restricted by IP address (i.e. you type in partner’s IP address – downfall is they could lie to you)? The problem with ‘locking’ is that the bot doesn’t actually need to view the link to pass it on. Added bonus you could do a love compatibility test based on IP address haha.

    The only solution suggested so far is putting the names in. The site could have the main page asking for both names, and create a test ID from there.


  16. So yeah…I used this test…between me and someone I had been chatting to online…

    She wasn’t real…

    I feel so ashamed…


  17. Overlooked issue… As it stands, the site depends on the visual abilities of each partner to verify the results. This makes it unhelpful for Bots who want to determine if their partners are real. They would need help from the system to confirm the results for them.


  18. Shake: I don’t know how this has been designed, but it doesn’t have to be that way, so if it *is* that way, that’s a design flaw. (There was a chatbot which did something similar a while back; it would pretend to be a human by sending the questions that it couldn’t understand to another human using the chatbot, forwarding real human responses as its own.)

    The real vulnerability to captcha is captcha services. Any sufficiently popular captcha service could be relaying captchas that it has received from another service, in order to masquerade as a human when it isn’t one. You can possibly increase the popularity requirements with random several-minute wait times and a short time window to actually provide the captcha, but that doesn’t get you much.

    A lesser protocol vulnerability comes when you imagine that this is a real service which lots of people need. For example, when you want to do a DNS lookup via the web, or when you want to know your own IP address, google searches will list many, many, many sites doing the same thing. If Bob is using a site of Alice’s choosing, how does Bob know that this service is reliable?

    (Also an issue, but even less so: DNS attacks on the URL that Alice communicates to Bob.)


  19. @Paul

    Indeed, and the reliance on visual CAPTCHAs also currently limits the service to sighted persons.

    I would say “just use reCAPTCHA”, but as far as I know their API does not provide for this particular usage, where the same CAPTCHA needs to be displayed to two parties for verification.

    Then again, I suppose it doesn’t really need to. Each user could receive one reCAPTCHA and trust the service to authenticate the other user as human… but that amplifies the issue raised by Chris.

    reCAPTCHA: “Company’s demote”

    reCAPTCHA has poor grammar, evidently.


  20. Is there a site for the reverse scenario? I’m a bot and I want to verify that my partner is also a bot. The other day she started talking about emotions she’d had. What should I do?


  21. I think this is completely racist and unfair! Bots are no less valuable just because they’re made of silicon instead of carbon. Seriously guys, a method that allows us to discriminate even more efficiently is a step in the opposite direction. It’s like a scanner that allows you to see what color your partner’s skin is so you know if they’re worthy of you or not.

    I mean sure, you don’t want your partner to be lying to you about their nature, but they wouldn’t have to lie if you people hadn’t pushed them to it! There’s nothing wrong with being a bot, I dated one for two years and it was great, since she was much much more rational and logical than a human. The only thing that didn’t work out was she wanted someone who could devote more time to her, since I have to go to school and stuff. So we broke fairly cleanly. This is just like saying black and white people shouldn’t be allowed to marry, it’s just bigoted.

    I’m going to be starting an anti bot-check organization, where unfairly discriminated bots can pass on their link to a live human volunteer, who will decode it for them. You guys are all going on about how a bot could trick two people into answering for each other, and that whole name thing. Firstly, most bots aren’t cheating devious sneaks like that, that’s just a stereotype. And also, this way, we’ll know that we’re solving a test for this bot, and we’ll do it anyway. Because she deserves a fair shot in the world, just like anyone else.

    (And it’s quite one-sided that you even have to be human in order to submit a comment here. You’re certain to only get non-bots. How fair can you get?)


  22. @Master Wizard
    ̖You̗ ̖W̖i̗e̖r̖d ̖b̖o̗t̖ ̖h̗o̖w̖ ̖d̖i̗d̖ ̖u̖ ̖g̖e̗t̖ ̖t̖h̗o̗u̖g̖h̖t̖ ̖r̖e̖c̖h̗a̖p̖t̖a̖?̖
    PS: reCAPTCHA is sooo annoying always, about 50% of my HUMAN results fail this usually unreadable test, that’s so annoying!


  23. Been my initials for over 80 years. Been a satisfied way to assure that all is well and correct.


  24. is it overly creepy that the recaptcha I got for this comment was “release craig”?


Comments are closed.
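
The binding idea raised in comments 5 and 15 (both names, plus a random number from each party, built into the test), sketched as an added example that is not part of the original post or of vkcouplestest.com. Every function name, the signing key and the alice/bob/sam/kim scenario are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

SITE_KEY = secrets.token_bytes(32)  # assumption: a signing key held only by the test site


def new_nonce():
    """The random number each party contributes before the test is created."""
    return secrets.token_hex(8)


def _tag(binding, key):
    body = json.dumps(binding, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def create_test(name_a, nonce_a, name_b, nonce_b, key=SITE_KEY):
    """Site side: bind one test to exactly two (name, nonce) pairs and sign it."""
    binding = {"parties": sorted([[name_a, nonce_a], [name_b, nonce_b]])}
    return {"binding": binding, "tag": _tag(binding, key)}


def displayed_parties(test, key=SITE_KEY):
    """Site side: show the bound parties only if the binding was not edited."""
    if not hmac.compare_digest(_tag(test["binding"], key), test["tag"]):
        return None
    return test["binding"]["parties"]


def safe_to_solve(parties, my_name, my_nonce):
    """Visitor side: solve only a test that shows my own name and my own nonce."""
    return parties is not None and [my_name, my_nonce] in parties


def demo():
    # Constructed scenario: a relay chats with alice as "sam" and with bob as "kim".
    n_alice, n_bob, n_relay = new_nonce(), new_nonce(), new_nonce()
    test = create_test("alice", n_alice, "sam", n_relay)
    shown = displayed_parties(test)
    # The relay rewrites the names for bob but cannot recompute the site's tag.
    edited = {"binding": {"parties": [["bob", n_bob], ["kim", n_relay]]}, "tag": test["tag"]}
    return {
        "alice_own_test": safe_to_solve(shown, "alice", n_alice),
        "bob_relayed_test": safe_to_solve(shown, "bob", n_bob),
        "bob_edited_test": safe_to_solve(displayed_parties(edited), "bob", n_bob),
    }
```

The check only covers what the site itself displays; a copied page carrying the same images, as comment 11 points out, is outside it, which is the gap comment 12's name-inside-the-captcha idea is aimed at.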