WebApp Sec mailing list archives
Re: Defeating CAPTCHA
From: Stephen de Vries <stephen () corsaire com>
Date: Thu, 25 Aug 2005 16:19:43 +0000
Hi Jayson,

The ESP-PIX Captcha is a simplified version of the system you're proposing. See: http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Stephen

On 25 Aug 2005, at 15:40, Jayson Anderson wrote:

That was an interesting article, I definitely got caught up clicking thru for a while.. One has to wonder, why hasn't a more effective system been placed into production, let alone conceptualized and largely accepted as a solid approach for the future? More specifically, the claim that CAPTCHA as it stands now is not a Turing machine. I'm not sure if that's entirely true as symbols pre-date their interpretation by machine.

Regardless, like one gentleman mentioned in an article, a much more clear method to differentiate man vs. machine would be to ask abstract questions. Barring the cultural, linguistic and socioeconomic implications, why not ask things like "which one is a pachyderm?". Or "which texture most resembles stipple?". Or "Which of these strawberries is most rotten?". Or "Which person is taller?" with same-sized figures, but one the same size as the car she stands next to, the other only half. etc. etc. Ya know? Sure it would take a significant multi-faceted approach utilizing an amazingly heterogeneous set of contributors, but that's where open source comes in. Pool a huge bank of acceptable abstracts based on image size, obscurity and all the other standards (which do NOT need to be complex at all), then refine that, seed the array and answer presentations with some decent entropy, use yet more entropy to randomize the units by which answers are delineated, "a,b,c,d", "circle[~],eye[=],carrot[%],money[E]" each different each time, and all the hundreds of other variables I've not thought of. It seems like it is workable to me. Keep the project always living so that submissions and refined objects are always being added to an updateable system..... SOMETHING is going to have to be done that is superior to "crazytext", as ultimately it will be rendered nothing worse than a speedbump. I think CAPTCHA still qualifies as Turing, just not an effective one in its environment.

Seems that machine-proofing should use anything BUT that which is found in almost every machine that would be used to circumvent it :)

Sorry for the chatter but I've ALWAYS felt that crazytext(tm) was an amazingly poor way to differentiate machine from man, and these articles just prove what I and so many others I'm sure had always felt.....

Jayson

On Wed, 2005-08-24 at 14:29 -0400, robert () webappsec org wrote:

This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com
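The "randomize the units by which answers are delineated" part of Jayson's proposal, as an added example that is not code from the thread or from ESP-PIX: the server keeps the expected label for each challenge on its own side, draws fresh labels and a fresh image order per challenge, and accepts exactly one time-limited attempt per challenge id. The BANK entries, image names and label alphabet are constructed stand-ins.

```python
import hmac
import secrets
import time

# Constructed sample bank: (question, correct image, decoy images). A real
# deployment would hold the image files and serve them under opaque ids, not
# file names that reveal the answer.
BANK = [
    ("Which one is a pachyderm?", "elephant.png",
     ["sparrow.png", "trout.png", "beetle.png"]),
    ("Which of these strawberries is most rotten?", "berry_moldy.png",
     ["berry_ripe.png", "berry_green.png", "berry_fresh.png"]),
]
# Label pool; a distinct random subset is drawn per challenge, so there is no
# stable "a/b/c/d" -> position mapping for a client to learn.
LABELS = "abcdefghijklmnopqrstuvwxyz0123456789~%=+#@"
CORRECT = {correct for _, correct, _ in BANK}

CHALLENGES = {}      # challenge_id -> {"answer": label, "expires": timestamp}
TTL_SECONDS = 120

def build_challenge(rng=None, now=None):
    """Return (challenge_id, question, [(label, image)]); the answer stays server-side."""
    rng = secrets.SystemRandom() if rng is None else rng
    now = time.time() if now is None else now
    question, correct, decoys = rng.choice(BANK)
    images = [correct, *decoys]
    rng.shuffle(images)                        # random position of the correct image
    labels = rng.sample(LABELS, len(images))   # random, distinct delineators per challenge
    cid = secrets.token_urlsafe(16)            # unguessable id binds record to this challenge
    CHALLENGES[cid] = {"answer": labels[images.index(correct)],
                       "expires": now + TTL_SECONDS}
    return cid, question, list(zip(labels, images))

def verify(cid, submitted, now=None):
    """Single-use, time-limited, constant-time check of the submitted label."""
    now = time.time() if now is None else now
    rec = CHALLENGES.pop(cid, None)            # pop: the id is consumed on the first attempt
    if rec is None or now > rec["expires"]:
        return False
    return hmac.compare_digest(rec["answer"].encode(), str(submitted).encode())
```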
Current thread:
- Defeating CAPTCHA robert (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA Debasis Mohanty (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA focus (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA Michal Zalewski (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA focus (Aug 25)
- Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Chris Shiflett (Aug 25)
- Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
- Re: Defeating CAPTCHA Andrew van der Stock (Aug 25)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Stephen de Vries (Aug 25)
- RE: Defeating CAPTCHA Glenn Euloth (Aug 26)
- Re: Defeating CAPTCHA Christopher Kunz (Aug 31)
- RE: [WEB SECURITY] Defeating CAPTCHA Debasis Mohanty (Aug 25)
- Re: Defeating CAPTCHA Michal Zalewski (Aug 26)
- RE: [WEB SECURITY] Re: Defeating CAPTCHA Marian Ion (Aug 29)
- <Possible follow-ups>
- RE: Defeating CAPTCHA Derick Anderson (Aug 26)
- Re: Defeating CAPTCHA Devdas Bhagat (Aug 28)
- RE: Defeating CAPTCHA Derick Anderson (Aug 29)