WebApp Sec mailing list archives
RE: Defeating CAPTCHA
From: Glenn Euloth <eulothg () hfx eastlink ca>
Date: Fri, 26 Aug 2005 10:52:34 -0300
It would seem to me that ESP-PIX and other such solutions would not work very well at all. These solutions provide a limited set of answers "airplane, bee, brain, girl..." or "a, b, c..." etc. The ESP-PIX solution, for example, provides 72 possible responses. Regardless of whether or not the list of answers is changed each time or whether they are the same each time, the answer always has to be one of the 72 possible solutions.

One thing a computer is extremely good at is repetition. Assuming a random distribution, a program can simply always guess the 1st, 10th or 22nd answer each and every time the question is posed and the computer will guess correctly once every N times on average. The smaller the answer sample, the more often it will get it right. Try it yourself: go to the ESP-PIX solution and pick one word and keep guessing it over and over. Unless there is some reliable way to penalize the individual for guessing wrong, the solution is useless. If they want to submit the form 50 times correctly then they need only set the program to execute the page N*50 times where N represents the number of possible solutions.

The other major flaw I found while trying it out is that the images used have to be carefully selected so as not to offend anyone making use of the system. One of the pictures representing "girl" had two young ladies in a very suggestive pose and while I, personally, was not offended I can think of a number of people who would be if that image had popped up while they were trying to sign up for a web-based email account.

IMHO, this solution is a step backward from Captcha. Trying to come up with something that would prove that a human, and not a piece of software, was on the other end of the web connection is only going to get progressively harder as the technology advances. While the puzzle may get stronger and more difficult, the software used to crack the puzzle is also getting stronger and more intelligent. It will get to the point where the computer will be able to solve it but the human cannot.

The only real solution, it would seem, is to reduce the anonymity that the Internet provides when using these facilities. For instance, you could require an email confirmation to proceed. While this would not prevent it from being abused, you would at least be able to track it to a mailbox somewhere and possibly to someone who might be abusing the software. That's where real legal penalties need to be imposed for the abuse. As long as the individual can get away with the abuse, the problem will never stop.

Regards,
Glenn Euloth
-----Original Message-----
From: Stephen de Vries [mailto:stephen () corsaire com]
Sent: August 25, 2005 1:20 PM
To: Jayson Anderson
Cc: webappsec () securityfocus com
Subject: Re: Defeating CAPTCHA

Hi Jayson,

The ESP-PIX Captcha is a simplified version of the system you're proposing. See: http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Stephen

On 25 Aug 2005, at 15:40, Jayson Anderson wrote:

That was an interesting article, I definitely got caught up clicking thru for awhile..

One has to wonder, why hasn't a more effective system been placed into production let alone conceptualized and largely accepted as a solid approach for the future? More specifically, the claim that CAPTCHA as it stands now is not a Turing machine. I'm not sure if that's entirely true as symbols pre-date their interpretation by machine.

Regardless, like one gentleman mentioned in an article, a much more clear method to differentiate man vs. machine would be to ask abstract questions. Barring the cultural, linguistic and socioeconomic implications, why not ask things like "which one is a pachyderm?". Or "which texture most resembles stipple?". Or "Which of these strawberries is most rotten?". Or "Which person is taller?" with same-sized figures, but one the same size as the car she stands next to, the other only half. etc. etc. Ya know?

Sure it would take a significant multi-faceted approach utilizing an amazingly heterogeneous set of contributors, but that's where open source comes in. Pool a huge bank of acceptable abstracts based on image size, obscurity and all the other standards (which do NOT need to be complex at all), then refine that, seed the array and answer presentations with some decent entropy, use yet more entropy to randomize the units by which answers are delineated, "a,b,c,d", "circle[~],eye{=],carrot[%],money[E]" each different each time, and all the hundreds of other variables I've not thought of. It seems like it is workable to me. Keep the project always living so that submissions and refined objects are always being added to an update-able system.....

SOMETHING is going to have to be done that is superior to "crazytext", as ultimately it will be rendered nothing worse than a speedbump. I think CAPTCHA still qualifies as Turing, just not an effective one in its environment. Seems that machine-proofing should use anything BUT that which is found in almost every machine that would be used to circumvent it :)

Sorry for the chatter but I've ALWAYS felt that crazytext(tm) was an amazingly poor way to differentiate machine from man, and these articles just prove what I and so many others I'm sure had always felt.....

Jayson

On Wed, 2005-08-24 at 14:29 -0400, robert () webappsec org wrote:

This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com
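Glenn Euloth's message above argues that a fixed guess passes a 72-answer challenge once in N tries unless wrong guesses are penalized. The sketch below is an added example, not part of the original thread or of ESP-PIX: `PenaltyGate`, its doubling delay and the one-try-per-second client are assumptions, used to compare how often that client passes with and without a wrong-answer penalty.

```python
import random

N_ANSWERS = 72  # size of the ESP-PIX answer list, as stated in the post


def expected_attempts(n_answers, wanted_passes):
    """Average submissions a blind guesser needs: N * passes (the post's N*50)."""
    return n_answers * wanted_passes


class PenaltyGate:
    """Hypothetical server-side check: each consecutive wrong answer doubles
    the time the client must wait before it is given another challenge."""

    def __init__(self, n_answers, rng, base_delay=2, max_delay=3600, penalize=True):
        self.n, self.rng = n_answers, rng
        self.base, self.cap, self.penalize = base_delay, max_delay, penalize
        self.failures = {}      # client id -> consecutive wrong answers
        self.locked_until = {}  # client id -> earliest time of next challenge

    def submit(self, client, answer, now):
        """Return 'locked', 'pass' or 'fail' for one submission at time `now`."""
        if now < self.locked_until.get(client, 0):
            return "locked"
        correct = self.rng.randrange(self.n)  # fresh challenge on every attempt
        if answer == correct:
            self.failures[client] = 0
            return "pass"
        fails = self.failures[client] = self.failures.get(client, 0) + 1
        if self.penalize:
            self.locked_until[client] = now + min(self.base ** fails, self.cap)
        return "fail"


def passes_in_window(penalize, seconds=36000, seed=2005):
    """Count passes for one client that always submits answer 0, one try per second."""
    gate = PenaltyGate(N_ANSWERS, random.Random(seed), penalize=penalize)
    return sum(gate.submit("client-a", 0, t) == "pass" for t in range(seconds))


if __name__ == "__main__":
    print("expected submissions for 50 passes:", expected_attempts(N_ANSWERS, 50))
    print("passes in 10 h, no penalty:  ", passes_in_window(False))
    print("passes in 10 h, with penalty:", passes_in_window(True))
```

The penalty is keyed on a client identifier, so it is only as strong as that identifier is hard to change, which is the anonymity point the message goes on to make.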