Re: Account Lockouts

[Alexander Klimov <alserkli () inbox ru>]

On Sun, 5 Dec 2004, The Amazing Dragon wrote:

> > From: Mark Burnett <mb () xato net>
> > There has been some talk of CAPTCHA's in this thread and I wanted to comment
> > on them further. Although CAPTCHA's are very effective at blocking automated
> > abuse, in their current form they are not an effective long term strategy.
> > The problem is that with our current image enhancement, OCR, and AI
> > technology, they can be cracked with quite good accuracy. Their limited use
> > and proprietary implementations still makes them useful for now but once
> > someone releases a script kiddie tool to automate CAPTCHA cracking, they
> > will become mostly ineffective.
>
> I'm surprised that no one has implemented one yet. Though OCR programs
> are at least halfway there.

It is very hard to be sure that "no one has implemented one yet" :-) Quite some
time ago I had an argument with my friend web-master about total insecurity of
this approach and in less than one day I wrote a program to recognise numbers
written on an image. The program was in no way AI: I downloaded several images
and crop out all different digits, so the program simply load an image and the
images of all digits and for every place in image, every digit, and every
transformation calculates the difference between the image of the digit and the
image (I used simple sum of squares of differences in each pixel for this). The
program works less than a second (there are not so many points in image times
number of digits times *sufficiently different* transformations). Most of the
time I spent was to capture images and classify transformations, so I agree that
using CAPTCHA makes your site more vulnerable to script-kiddies, but even
implementing it youself does not protect you that much from somebody with
moderate patience and programming skills.

-- 
Regards,
ASK