WebApp Sec mailing list archives

RE: Defeating CAPTCHA


From: Glenn Euloth <eulothg () hfx eastlink ca>
Date: Fri, 26 Aug 2005 10:52:34 -0300

It would seem to me that ESP-PIX and other such solutions would not work
very well at all.  These solutions provide a limited set of answers
"airplane, bee, brain, girl..." or "a, b, c..." etc.  The ESP-PIX solution,
for example, provides 72 possible responses.  Regardless of whether or not
the list of answers is changed each time or stays the same each time, the
answer always has to be one of the 72 possible solutions.

One thing a computer is extremely good at is repetition.  Assuming a random
distribution, a program can simply always guess the 1st, 10th or 22nd answer
each and every time the question is posed, and the computer will guess
correctly once every N times on average.  The smaller the answer sample, the
more often it will get it right.  Try it yourself: go to the ESP-PIX
solution, pick one word and keep guessing it over and over.

Unless there is some reliable way to penalize the individual for guessing
wrong, the solution is useless.  If they want to submit the form 50 times
correctly then they need only set the program to execute the page N*50 times
where N represents the number of possible solutions.

The other major flaw I found while trying it out is that the images used
have to be carefully selected so as not to offend anyone making use of the
system.  One of the pictures representing "girl" had two young ladies in a
very suggestive pose, and while I, personally, was not offended, I can think
of a number of people who would be if that image had popped up while they
were trying to sign up for a web-based email account.

IMHO, this solution is a step backward from Captcha.

Trying to come up with something that would prove that a human, and not a
piece of software, was on the other end of the web connection is only going
to get progressively harder as the technology advances.  While the puzzle
may get stronger and more difficult, the software used to crack the puzzle
is also getting stronger and more intelligent.  It will get to the point
where the computer will be able to solve it but the human cannot.

The only real solution, it would seem, is to reduce the anonymity that the
Internet provides when using these facilities.  For instance, you could
require an email confirmation to proceed.  While this would not prevent it
from being abused you would at least be able to track it to a mailbox
somewhere and possibly to someone who might be abusing the software.  That's
where real legal penalties need to be imposed for the abuse.  As long as the
individual can get away with the abuse, the problem will never stop.

Regards, Glenn Euloth
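The guessing argument above can be put in numbers. The following is an added example, not code from the thread: it models a multiple-choice CAPTCHA with N answers and a bot that always submits the same answer, computes the expected submissions for K passes (N*K, the figure Glenn gives), and shows what the missing "penalty for guessing wrong" (a lockout after F consecutive failures) does to that strategy. The values are a constructed model, not measurements of ESP-PIX.

```python
"""Expected cost of fixed-answer guessing against an N-way CAPTCHA,
with and without a lockout penalty. Constructed model, not ESP-PIX data."""
import random


def expected_submissions(n_answers: int, wanted_successes: int) -> int:
    """Each attempt passes with probability 1/N, so attempts per pass are
    geometric with mean N and K passes cost N*K submissions on average."""
    return n_answers * wanted_successes


def expected_passes_before_lockout(n_answers: int, max_consecutive_failures: int) -> float:
    """Expected passes a fixed-guess bot gets before a lockout fires.

    With q = (N-1)/N, a clean streak ends in lockout (F straight failures)
    with probability q**F; otherwise a pass resets the counter. Passes before
    lockout are therefore geometric with mean (1 - q**F) / q**F.
    """
    q = (n_answers - 1) / n_answers
    p_lockout = q ** max_consecutive_failures
    return (1 - p_lockout) / p_lockout


def simulate(n_answers: int, attempts: int, max_consecutive_failures: int = 0,
             seed: int = 1) -> dict:
    """Monte-Carlo check of the formulas. The bot always answers option 0 and
    the server draws the correct option uniformly. max_consecutive_failures=0
    means no penalty. Returns passes, attempts used and whether lockout fired."""
    rng = random.Random(seed)
    passes = used = streak = 0
    locked = False
    for _ in range(attempts):
        used += 1
        if rng.randrange(n_answers) == 0:  # the fixed guess happened to be right
            passes += 1
            streak = 0
        else:
            streak += 1
            if max_consecutive_failures and streak >= max_consecutive_failures:
                locked = True  # penalty: session is blocked, bot must start over
                break
    return {"passes": passes, "attempts": used, "locked_out": locked}


if __name__ == "__main__":
    print("N*K for N=72, K=50:", expected_submissions(72, 50))
    print("no penalty:", simulate(72, 3600))
    print("lockout after 5 misses:", simulate(72, 3600, 5))
    print("expected passes before lockout:", expected_passes_before_lockout(72, 5))
```

Without a penalty roughly 50 of 3600 blind submissions pass; with a lockout after five consecutive misses the same bot expects well under one pass per session.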


-----Original Message-----
From: Stephen de Vries [mailto:stephen () corsaire com] 
Sent: August 25, 2005 1:20 PM
To: Jayson Anderson
Cc: webappsec () securityfocus com
Subject: Re: Defeating CAPTCHA


Hi Jayson,

The ESP-PIX Captcha is a simplified version of the system 
you're proposing.  See: http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Stephen

On 25 Aug 2005, at 15:40, Jayson Anderson wrote:

That was an interesting article, I definitely got caught up clicking
thru for awhile.. One has to wonder, why hasn't a more effective
system been placed into production let alone conceptualized and
largely accepted as a solid approach for the future ? More
specifically, the claim that CAPTCHA as it stands now is not a Turing
machine. I'm not sure if that's entirely true as symbols pre-date
their interpretation by machine. Regardless, like one gentleman
mentioned in an article, a much more clear method to differentiate man
vs. machine would be to ask abstract questions. Barring the cultural,
linguistic and socioeconomic implications, why not ask things like
"which one is a pachyderm?". Or "which texture most resembles
stipple?". Or "Which of these strawberries is most rotten?". Or "Which
person is taller?" with same-sized figures, but one the same sized as
the car she stands next to, the other only half. etc. etc. Ya know ?
Sure it would take a significant multi-faceted approach utilizing an
amazingly heterogeneous set of contributors, but that's where open
source comes in. Pool a huge bank of acceptable abstracts based on
image size, obscurity and all the other standards (which do NOT need
to be complex at all), then refine that, seed the array and answer
presentations with some decent entropy, use yet more entropy to
randomize the units by which answers are delineated, "a,b,c,d",
"circle[~],eye{=],carrot[%],money[E]" each different each time, and
all the hundreds of other variables I've not thought of. It seems like
it is workable to me. Keep the project always living so that
submissions and refined objects are always being added to an
updatable system.....  SOMETHING is going to have to be done that is
superior to "crazytext", as ultimately it will be rendered nothing
worse than a speedbump. I think CAPTCHA still qualifies as Turing,
just not an effective one in its environment. Seems that
machine-proofing should use anything BUT that which is found in almost
every machine that would be used to circumvent it :)

Sorry for the chatter but I've ALWAYS felt that crazytext(tm) was an
amazingly poor way to differentiate machine from man, and these
articles just prove what I and so many others I'm sure had always
felt.....

Jayson

-
On Wed, 2005-08-24 at 14:29 -0400, robert () webappsec org wrote:

This was linked off of slashdot
(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95)
and explains some of the ways people are breaking CAPTCHA
(http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com