WebApp Sec mailing list archives

RE: [WEB SECURITY] Defeating CAPTCHA


From: <Glenn.Everhart () chase com>
Date: Thu, 25 Aug 2005 12:24:00 -0400

I have sometimes thought that the "texto" class of stego apps, with more
variability in vocabulary, hit on something easier for humans to do than
machines. They take an arbitrary message and encode it in an apparently
meaningful looking (but longer) text message where choice of elements
of sentence structure encodes bits of the message. The result of such
encoding is a little like the old random-number-driven automatic report
generators that used to appear for fun: long reports apparently about
some topic that are seen as boringly written by humans. They look like
something written by a person who hasn't much to say but must fill paper.

Now, the original "texto" itself had a pretty small vocabulary, so would
be not too hard to pick out, but a variant that switched vocabulary now
and then but used similar structure choices might wind up harder to be
sure of.

Requiring a human to recognize which of a set of paragraphs was composed by
another human vs. a texto type robot could be possibly used: arrange a
decoder that produces something with any of the paragraphs but gives the 
"right" decoding only for the real robotic one.

As for finding alternate example text, hmm, the internet is full of such,
right? :-) 8-) :-)
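
To make the "texto" mechanism above concrete, here is an added toy example (my own code, not texto itself or anything from this thread): every word position in a sentence has two hypothetical candidate words, and which one is chosen carries one bit of the hidden message. The type/token ratio function shows the "small vocabulary" tell that makes such output easy to pick out.

```python
import re

# Added illustration: a toy texto-style scheme. Each slot offers two words;
# the first encodes a 0 bit, the second a 1 bit. The word lists and the
# sentence shape are hypothetical and chosen only for this example.
SLOTS = [
    ["The", "This"],
    ["report", "summary"],
    ["shows", "indicates"],
    ["that", "how"],
    ["revenue", "income"],
    ["rose", "grew"],
    ["slightly", "modestly"],
]
# Every word belongs to exactly one slot, so word -> bit is unambiguous.
_LOOKUP = {w: b for slot in SLOTS for b, w in enumerate(slot)}


def encode(message: bytes) -> str:
    """Hide `message` as bland prose: one bit per word, MSB first."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    words = [SLOTS[i % len(SLOTS)][bit] for i, bit in enumerate(bits)]
    n = len(SLOTS)
    sentences = [" ".join(words[i:i + n]) + "." for i in range(0, len(words), n)]
    return " ".join(sentences)


def decode(cover: str) -> bytes:
    """Recover the message: each word's index within its slot is one bit."""
    bits = [_LOOKUP[w] for w in re.findall(r"[A-Za-z]+", cover)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def type_token_ratio(text: str) -> float:
    """Distinct words / total words. Texto output can never use more than
    sum(len(s) for s in SLOTS) distinct words, so the ratio collapses as
    the cover text grows; natural prose stays far higher."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", text)]
    return len(set(words)) / len(words) if words else 0.0
```

A decoder with a second, differently ordered slot table would produce a "meaningful" but wrong decoding of the same cover text, which is the idea behind the paragraph-selection challenge sketched above.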


-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl]
Sent: Thursday, August 25, 2005 11:27 AM
To: focus () karsites net
Cc: webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Defeating CAPTCHA


On Thu, 25 Aug 2005 focus () karsites net wrote:

> I suppose if the user had to select each letter and/or numeric digit
> from a captcha separately, and enter these using a randomly generated
> input sequence by the server, that would block any programs from reading
> the CAPTCHA and feeding it directly to the form input field.

Yeah, requiring them to enter characters separately into a number of boxes
(possibly after reading the page to determine the requested order). Not
any more difficult to accomplish, and won't stop anyone (Captcha attacks
must be customized anyway, so this is just a minor annoyance).

You could of course make the sequence hard to decipher for a machine...
using a captcha. Yeah.

There's really no good solution.

Captchas work (for now) to deter common trolls and abusers - you are
usually not that much obsessed about a particular forum or website to
write and test a complex piece of image analysis software.

They may all of a sudden stop working, the day somebody determined to code
something like that for fun, fame, or profits, sells or contributes one of
the easy-to-use captcha busters to the public.

The thing is, captchas don't measure a quality that is unique to humans.
Image processing, filtering and picture recognition is something computers
can do well, often better than humans, and no amount of text obfuscation is
going to help. You will end up with captchas you can't solve, but
computers can.

We could use something other than text challenges (say, determination of
mood of a photographed person) - but the thing is, individual, reliably
predictable, everyday data processing capabilities of our brains are in
general rather easy to simulate, especially with the accuracy needed for
this task (1% success ratio is enough). It just takes some coding and
tests.

Things computers suck at (higher cognitive functions, so to speak) are
usually hard to define and examine to start with, and work in a different
way for different people; plus, many of us would naturally fail quite
often
