BotDetect CAPTCHA Generator

BotDetect™ CAPTCHA generator is a form security solution using Captcha challenges, that are easy for humans but hard for bots, to prevent automated page posting. Bots are kept from accessing protected website functionality using generated Captcha images specifically designed to be out of reach of computer vision and OCR technologies. BotDetect also provides an audio Captcha alternative to keep websites accessible to people with impaired vision, enabling you to make WCAG and Section 508 compliant websites.

CAPTCHA Generator Features

BotDetect CAPTCHA Box
  • Self-hosted • Licensable source-code
  • Works in China • No third-party server dependencies
  • Native .NET Core 1/2, .NET, Java & PHP backends
  • Works with Angular/JS, jQuery, etc, .js web frameworks
  • TestMode-enabled -- ready for your CI/CD pipelines
  • Localized Captcha generation, using various Unicode character sets and multi-language sound pronunciations
  • Custom Captcha image size, code length, css & icons, tooltips, and pretty much everything else...
  • 60 secure & legible Captcha image styles
  • 20 secure & accessible audio Captcha sound styles
  • Produces XHTML 1.1 Strict, Section 508, and WCAG AAA compliant markup
  • And it does not stalk you around 24/7 • GDPR, anyone?

Why BotDetect?

BotDetect Captcha vs. ReCaptcha

The years of Google’s relentless abuses of their organic and paid search monopolies, and the years of their equally relentless campaign of disinformation and FUD about captchas, took a toll among our former competitors -- there are only two viable players left. Ladies and gentleman, this is 'BotDetect Captcha' vs. 'Recaptcha the Stalker' fight. Please take your seats.

That said, the original Nocaptcha Recaptcha stalker is gone, too. Recently, Google euthanized it.
BotDetect Team: OK Google, the Stalker was neither a captcha, nor was it thwarting bots well.

It is replaced with an even creepier stalker that does not even pretend it is a captcha any more -- aside from keeping the variant of the same misleading name -- the Invisible Recaptcha.
BotDetect Team: OK Google, the Invisible Stalker, we got it. Good luck with that :).

Let's see how we stack up against each other:

2018/05/30: Recaptcha Bypass! Ouch :)

2017/10/31:

The Stalker's audio is broken again :)!
We are not surprised. How about you?

'Whatever Google has in mind to replace its reCaptcha had better be ready soon: ...'

unCaptcha: A Low-resource Defeat of reCaptcha's Audio Challenge

85.15%, in 5.42s! GoogleBorg learned nothing out of that 2017/03 breach of Recaptcha audio.

2017/10/26:

Vicarious broke Recaptcha, BotDetect, Yahoo and PayPal captchas.

Vicarious, funded with $122m, couldn't find anything more useful to do. The Timewasters :)!

Brace yourself for a few 'spamfix' releases coming out in rapid succession. Vicarious' timewasters opened the new patching season; the first one after 2006. Sorry, c'est la vie :(.

2017/03/02:

Recaptcha the Stalker audio cracked!

This time around with a little help from Google's own Speech Recognition API :)

2016/04/07:

Recaptcha broken by Columbia Uni Trio!

Automatically solved 70.78% of the time through what looks like multiple inherent design flaws. This is the biggie that is going to haunt Recaptcha for years to come.

1) BotDetect Is Secure

BotDetect is unique among Captcha generators in offering many Captcha image and sound styles. While each of them is easily comprehensible to human users, randomly using multiple Captcha generation algorithms makes the generated Captcha challenge extremely difficult to pass automatically.

This approach to Captcha security is validated by the BotDetect track record: since 2004, we have over 3000 paying customers and only a single confirmed case of automated Captcha breaking by ordinary spammers.

2) BotDetect Works in China

BotDetect Captcha works in China -- while Recaptcha does not!

With its 1.3B people China has approximately 20% of the world population and outputs like 16% of the world GDP. The size of China's economy is second only to the size of the US'.

Even if you do not actively target the Chinese market, the chances are that some of your visitors, users, and customers sometimes venture or even reside there. It helps not having Recaptcha breaking your website for them.

However, if you, or your users, do target the Chinese market, making your website fully functional for the visitors from China should be one of the top items on the 'minimum requirements' check-list. Make sure to check it!

3) BotDetect Is Multinationals Friendly

With more than a hundred world languages already supported in the code, and 53 different audio localizations being just a download away, BotDetect Captcha will ensure that your interaction with every local market is done to that particular local market's familiar combination of script and language.

4) BotDetect Lets You Meet Regulatory
Requirements

2018/07/30: Java, PHP

2018/05/27: .NET, Java

  • Added iOS 11.3+ audio support

2018/02/15: BDC PHP v4.2.0

2018/02/15: BDC Java 4.0.Beta3.2

2018/02/15: BDC ASP.NET 4.2

Recaptcha is a 3rd-party stalking service delivered from the cloud that you have no control over; and due to its obfuscation and encryption you can only guess what payload your users get. 'Plug & Pray', one might say :).

BotDetect is self-hosted on your own servers, and its source code is available; thus enabling you to easily meet whatever regulatory or security requirements that are, or might be, imposed on your application or website!

Think: GDPR, eff. 2018/05/25, or the California Consumer Privacy Act of 2018, eff. 2020/01/01, or whatever else might come in your direction.

5) BotDetect Is Accessible and Legal on US Government Websites

BotDetect Captcha is both Section 508 and WCAG compliant, and as such legal on the US federal agencies' websites -- unlike Recaptcha, that is just lame-ducking there while awaiting for its Section 508 lawsuit by a disgruntled employee or a user to throw it away.

Why is it like that? It is simple. When you block cookies in your browser, or go into incognito mode, Recaptcha reverts back to the old 'two-words Recaptcha', or to various 'pigs, dogs, and street signs' pictures. And a few things aside from a miracle will make your application using either the 'two-words Recaptcha', or those 'pigs, dogs, and street signs' pictures, able to satisfy this particular Section 508 requirement.

6) BotDetect Will Not Get You Sued Over
the 578 Patent Infringement

As BotDetect does not use those 'pigs, dogs, and street signs' pictures at the center of the Confident Technologies vs. Ticketmaster case we couldn't be bothered to waste money on lawyers' fees in order to check the merit of the case -- that is on the Ticketmaster's plate.

But, the Confident Tech is not a patent troll; those guys had a product back then; so we opt to assume that they know what they are doing -- albeit we are perplexed that they went after the Recaptcha users, instead of after Google itself.

Note that settling such a suit might cost a small fortune; what is still peanuts compared with how much it would cost to defend it. For Ticketmaster, the Stalker turned out to be an expensive joke.

Ensuring that neither you nor your customers get sued over the 578 patent infringement should be the next item on that 'minimum requirements' check-list. Isn't it?

7) BotDetect Is Both Privacy and National Security Friendly -- It Does Not Spy

Unlike Recaptcha, BotDetect does not operate under 'if it can stalk you then you are human' principles; and will not make your application rejected by the majority of world governments on the grounds of national security; be it on their own websites, or on the websites of their sensitive institutions and industries.

If you have a privacy or national security sensitive website or application and are considering the Stalker, think again:

  • Recaptcha the Stalker refuses to work 'as advertised' if you switch your browser into incognito mode, block cookies, or use Tor Browser. It gets annoyed when prevented from stalking. Why?
  • It is owned by Google who already knows who you are; think Gmail, Search, Docs, Play, YouTube, etc. And now, Google can cross-match that data with your activities on all Stalker armed websites.
    Kiss goodbye to both your users' privacy and national security.
  • Its client-side is a .js payload; obfuscated, encrypted, and delivered from the cloud by the party who knows your identity (Google); straight into your browser; completely bypassing servers of the Stalker armed website you are visiting.
    Hm, what could possibly go wrong :)?

In short, Recaptcha is not a captcha, but a stalker disguised as a captcha. By default, it does not check your humanity at all, but fingerprints your browser and cookies and matches it with your past activities across the web. It is a sort of 'Login by Google' -- just a way more dangerous one.

8) BotDetect Means No Post-GDPR EU Legal Murkyland

GDPR bans 'forced consent' -- while Recaptcha the Stalker forces your users to accept being stalked by GoogleBorg even just to submit your form -- not to mention to use your service.

A legal Murkyland, or outright illegal?

Google mismarkets the Stalker as a captcha. Now imagine a convicted serial arsonist who mismarkets his 'setting your farm alight' urge as a pest-control service -- no difference!

Google might argue that stalking is necessary for providing its stalking service. That would be a valid point -- as a stalker it has to stalk -- if it was not mismarketed as a captcha service.

But, who knows, Google might go googlish and even argue that the stalker named reCAPTCHA was not marketed as a captcha. Any takers?

What stance the EU DPAs will take, and then the judges, is anyone's guess -- but, see those enormous fines; feel like betting the farm on it?

Did anyone mention Brazil :)?

9) Captcha, Inc. Eats Its Own Dog Food

While Google, since 2009, mostly avoided using Recaptcha on its own properties. Why?

A cynic would argue that on its own properties Google already knows who you are so Recaptcha the Stalker was not needed there -- and it does not thwart bots that well anyway.

2017/06/27: EU Fined Google Then-Record $2.7B for Manipulating Search Results!

'The company demoted rivals and unfairly promoted its own services', says the EU.
'What Google has done is illegal under EU antitrust rules,' said Margrethe Vestager.

Whenever it was about its organic and paid search monopoly abuses, Google showed its catch-us-if-you-can attitude. The EU did the job.

2018/02/20: The Case Against Google

2018/05/21: How Did Google Get so Big?

2018/07/18: Google Slapped a Record $5B for Android Antitrust Abuse! Thanks EU!

2018/07/18: Gary Reback, Legendary US Antitrust Lawyer Involved in Both Cases:

'On one hand, the EU deserves ... praise and credit for what they've done,' Reback said. 'But man, they only look good because we're totally absent.'

Kinda whenever Google's antitrust violations do expand its stalking abilities -- the FTC vanishes into thin air. Gone! A kind of magic, or what?

10) Captcha, Inc. Does Not Break
Antitrust Laws

While Google exposed itself to huge legal risks by breaking every rule in the antitrust book, in order to force-feed you Recaptcha the Stalker through the nose.

A product that:

  • has no known revenues; losing them a fortune each quarter; year after year.
  • does not work in China; and will break your website for everyone there.
  • might get you, and/or your users, sued over the 578 patent infringement in the US.
  • will drown you, or your users, in the murky legal waters of the post-GDPR EU.
  • is deliberately designed to be inaccessible; a no-no for the US Federal Agencies' sites.
  • and is broken so often and so thoroughly; that over the last eight years even Google itself mostly refused to use it.

That is weird, isn't it?

11) Captcha, Inc. Lives Off BotDetect License Sales

But where the Recaptcha money is coming from, in amounts large enough to justify taking the risk of breaking the antitrust laws, is a sort of mystery.

A cynic might ask you to pick your preferred scenario:

  • It does not; and at some point Google will pull the plug on Recaptcha completely, as they did with Google Reader and other such products resting in the Google Graveyard.
    BotDetect Team: OK Google, that is called 100% enterprise-ready; a CIO's wet dream :).
  • Some undisclosed parties license the Stalker's data-feed and pay Google a fortune, and then some, so Recaptcha is actually profitable -- and the Stalker is watching you!
    BotDetect Team: OK Google, who are they? And, what do they use the data-feed for :)?

Which scenario do you prefer?

2018/03/19: Raleigh Police Went to Court ... And Got a Warrant Requiring Google to Share the Details of Any Users That Were Close to Crime Scenes During Specific...

'...the data haul is not limited to users of Google hardware i.e. phones running Android but also any phone that ran Google apps – which encompasses everything...'

GoogleBorg complied; and left us wondering if the list was sorted by name, immigration status, NRA card number, or just by sexual kinkiness.

Welcome to 'Surveillance Capitalism'!

The moral of the story here is that once such a data-trove is allowed to exist -- even small town cops can figure out where the 'search box' is -- and, how to google it!

While the G-Men Knew It Since Forever:

FBI: https://tips.fbi.gov/ (since at least 2015)

Note that your details are 'optional' -- of course -- and, guess what 'captcha' is on the page :)?

Twist a bit that warrant mentioned above -- and get the 'details' of all the users who were on some Stalker armed site, during a specific time!

2017/04/19: If A Warrant Is Needed At All

We're spying on you for your own protection, says NSA, FBI • Except we're not, of course, because that would be illegal.

12) Captcha, Inc. Does Not Manipulate
the Captcha and Recaptcha Articles
on Wikipedia

Do you find it strange that as of 2018/03/26 the 'Security' section of the 'Recaptcha' article on Wikipedia has no Stalker's vulnerabilities listed that are less than five years old?

Which is actually an improvement -- because not that long ago, there weren't any listed there that were less than almost eight years old :).

It is not like no one was complaining that it looks like a Recaptcha marketing brochure -- exactly how the 'Captcha' article looked before the separate 'Recaptcha' article even existed.

Unfortunately, a truly independent review of all the IP addresses, entities, bots, and humans involved in all the edits of both 'Captcha' and 'Recaptcha' articles -- following both the money and the data-feed -- is still left to be desired.

Who is behind the Wikipedia issue?

But, there are other entities; far better adept at concealing their activities -- whose interest in the Stalker's data-feed cannot be overestimated -- who come to our minds as the primary suspects.
BotDetect Team: OK Google, that Wikipedia job -- was that you guys, or the G-Men's 'pals' :)?

Think for yourself!