Re: Defeating CAPTCHA

[Jayson Anderson <sonick () sonick com>]

That was an interesting article, I definetely got caught up clicking
thru for awhile.. One has to wonder, why hasn't a more effective system
been placed into production let alone conceptualized and largely
accepted as a solid approach for the future ? More specifically, the
claim that CAPTCHA as it stands now is not a Turing machine. I'm not
sure if that's entirely true as symbols pre-date their interpretation by
machine.=20
Regardless, like one gentleman mentioned in an article, a much more
clear method to differentiate man vs. machine would be to ask abstract
questions. Barring the cultural, linguistic and socioeconomic
implications, why not ask things like "which one is a pachyderm?". Or
"which texture most resembles stipple?". Or "Which of these strawberries
is most rotten?". Or "Which person is taller?" with same-sized figures,
but one the same sized as the car she stands next to, the other only
half. etc. etc. Ya know ? Sure it would take a significant multi-faceted
approach utilizing an amazingly heterogeneous set of contributors, but
that's where open source comes in. Pool a huge bank of acceptable
abstracts based on image size, obscurity and all the other standards
(which do NOT need to be complex at all), then refine that, seed the
array and answer presentations with some decent entropy, use yet more
entropy to randomize the units by which answers are delineated,
"a,b,c,d", "circle[~],eye{=3D],carrot[%],money[E]" each different each
time, and all the hundreds of other variables i've not thought of. It
seems like it is workable to me. Keep the project always living so that
submissions and refined objects are always being added to an update-able
system.....  SOMETHING is going to have to be done that is superior to
"crazytext", as ultimately it will be rendered nothing worse than a
speedbump. I think CAPTCHA still qualifies as Turing, just not an
effective one in it's environment. Seems that machine-proofing should
use anything BUT that which is found in almost every machine that would
be used to circumvent it :)=20

Sorry for the chatter but I've ALWAYS felt that crazytext(tm) was an
amazingly poor way to differentiate machine from man, and these articles
just prove what I and so many others I'm sure had always felt.....

Jayson

-
On Wed, 2005-08-24 at 14:29 -0400, robert () webappsec org wrote:
> This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) 
> and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.
>
> http://sam.zoy.org/pwntcha/
>
> - Robert
> robert_at_webappsec.org
> http://www.cgisecurity.com