WebApp Sec mailing list archives
RE: [WEB SECURITY] Defeating CAPTCHA
From: <Glenn.Everhart () chase com>
Date: Thu, 25 Aug 2005 12:24:00 -0400
I have sometimes thought that the "texto" class of stego apps, with more variability in vocabulary, hit on something easier for humans to do than machines. They take an arbitrary message and encode it in an apparently meaningful looking (but longer) text message where choice of elements of sentence structure encodes bits of the message. The result of such encoding is a little like the old random-number-driven automatic report generators that used to appear for fun: long reports apparently about some topic that are seen as boringly written by humans. They look like something written by a person who hasn't much to say but must fill paper. Now, the original "texto" itself had a pretty small vocabulary, so would be not too hard to pick out, but a variant that switched vocabulary now and then but used similar structure choices might wind up harder to be sure of. Requiring a human to recognize which of a set of paragraphs was composed by another human vs. a texto type robot could be possibly used: arrange a decoder that produces something with any of the paragraphs but gives the "right" decoding only for the real robotic one. As for finding alternate example text, hmm, the internet is full of such, right? :-) 8-) :-) -----Original Message----- From: Michal Zalewski [mailto:lcamtuf () dione ids pl] Sent: Thursday, August 25, 2005 11:27 AM To: focus () karsites net Cc: webappsec () securityfocus com Subject: RE: [WEB SECURITY] Defeating CAPTCHA On Thu, 25 Aug 2005 focus () karsites net wrote:
I suppose if the user had to select each letter and/or numeric digit from a captcha seperately, and enter these using a randomly generated input sequence by the server, that would block any programs from reading the CAPTCHA and feeding it directly to the form input field.
Yeah, requiring them to enter characters separately into a number of boxes (possibly after reading the page to determine the requested order). Not any more difficult to accomplish, and won't stop anyone (Captcha attacks must be customized anyway, so this is just a minor annoyance). You could of course make the sequence hard to decipher for a machine... using a captcha. Yeah. There's really no good solution. Captchas work (for now) to deter common trolls and abusers - you are usually not that much obsessed about a particular forum or website to write and test a complext piece of image analysis software. They may of sudden stop working, the day somebody determined to code something like that for fun, fame, or profits, sells or contributes one of easy-to-use captcha busters to the public. The thing is, captchas don't measure a quality that is unique to humans. Image processing, filtering and picture recognition is something computers can do well, often better than humans, and no amout of text obfuscation is going to help. You will end up with captchas you can't solve, but computers can. We could use something other than text challenges (say, determination of mood of a photographed person) - but the thing is, individual, reliably predictable, everyday data processing capabilities of our brains are in general rather easy to simulate, especially with the accuracy needed for this task (1% success ratio is enough). It just takes some coding and tests. Things computers suck at (higher cognitive functions, so to speak) are usually hard to define and examine to start with, and work in a different way for different people; plus, many of us would naturally fail quite often ********************************************************************** This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you **********************************************************************
Current thread:
- RE: [WEB SECURITY] Defeating CAPTCHA Brecrost Jones (Aug 25)
- <Possible follow-ups>
- RE: [WEB SECURITY] Defeating CAPTCHA Glenn.Everhart (Aug 25)