WebApp Sec mailing list archives

Re: Defeating CAPTCHA


From: Christopher Kunz <chrislist () de-punkt de>
Date: Wed, 31 Aug 2005 16:09:57 +0200

Glenn Euloth wrote:
> IMHO, this solution is a step backward from Captcha.

I concur. The solution suggested by ESP-PIX is bad on many levels.

a) As pointed out earlier, 72 possible solutions are far too few, since there is
always a probability of 1/72 or higher that the test is defeated by coincidence.
While clicking through the test, I had to answer "wire" twice, "camera" twice
and "ticket" thrice, within maybe forty tries. By just sticking to the first
answer I ever gave in the test, "ticket", I'd have had a rough 3/40 success rate.

b) Internationalization is a nightmare, and gets more nightmarish when the size
of the data set is increased. I wouldn't want to translate, say, 10.000 nouns
from English to German, just to have a usable CAPTCHA implementation.
Furthermore, many of the images I saw had English text or related to information
that is only accessible to English-speaking folks.
OTOH, there might be language issues that involve synonymous use of words and
stuff like that.

c) No gain for accessibility whatsoever. Blind people won't be able to tell that
they're currently not seeing 4 images of goats.

d) Copyright issues. The PoC implementation presented looks very much like the
images were pulled off images.google.com. Legally obtaining a large enough
copyright-free image collection would require use (and licensing) of stock
images or similar. If there's just 1000 pictures, an attacker would go ahead and
create a database of all images with their meanings, since there currently is a
1:1 image:meaning relation. That would cost the attacker maybe a day (or less,
with the free-porn-scheme in place) and utterly defeat the ESP-PIX approach.

e) Intelligence issues. Can anyone tell me why the solution to the attached
image is "bone"? The spine in the top right picture is not prominent enough to
make it distinctive, and I can't even figure out what that thing on the bottom
right image is. A knee joint?

No, the solution to the CAPTCHA problem is not ESP-PIX, I'm sure. A way to make
it harder for the attacker could be the following: Devise a quick task, like
"multiply three and six", "which color is the background?" or the default "enter
the phrase 'foobar'" and embed that in the CAPTCHA. That way, the computing
power needed for CAPTCHA cracking would increase (since the task is also
deformed using the normal captcha mechanisms) and the attacker would have to
create a parser for all tasks.

This would probably scale terribly (on both sides), since graphics creation on
the fly is resource intensive - but I can't think of any other way to keep
graphical CAPTCHAs upright at the advent of PWNtcha.

Just my €.02,

--ck


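The two attacks in points (a) and (d) of the message above, as an added example that is not part of the original post or of ESP-PIX: a fixed-answer guessing strategy against a small answer space, and a precomputed hash-to-label table against a fixed image pool with a 1:1 image:meaning relation. The observed answer list, the image bytes, the labels and the answer-space size of 72 are all constructed here for illustration.

```python
"""Added example (not from the original post): why a CAPTCHA with a small answer
space and a fixed image pool is cheap to beat.  All observed answers, image
bytes and labels below are constructed for illustration."""
import hashlib
from collections import Counter
from fractions import Fraction

# --- (a) small answer space: guessing ---------------------------------------

def random_guess_success(answer_space_size):
    """Probability that one uniformly random guess solves a challenge when
    only `answer_space_size` answers are possible (1/72 for 72 answers)."""
    return Fraction(1, answer_space_size)

def best_fixed_answer(observed_answers):
    """'Always answer the same word' strategy: pick the most frequent answer
    seen while clicking through, and report its empirical success rate."""
    word, n = Counter(observed_answers).most_common(1)[0]
    return word, Fraction(n, len(observed_answers))

def p_at_least_one_success(p_single, attempts):
    """Probability that an attacker solves at least one challenge in
    `attempts` independent tries, each succeeding with probability p_single."""
    return 1 - (1 - p_single) ** attempts

# --- (d) fixed image pool: precomputed lookup --------------------------------

def image_id(image_bytes):
    """Hash the raw image bytes; any stable fingerprint would do here."""
    return hashlib.sha256(image_bytes).hexdigest()

def build_lookup(image_pool):
    """One-off precomputation hash(image) -> label.  With a 1:1 image:meaning
    relation this table answers every future challenge built from the pool."""
    return {image_id(img): label for img, label in image_pool}

def solve_challenge(lookup, shown_images):
    """An ESP-PIX style challenge shows several images sharing one word.
    Return that word if every shown image is known and agrees, else None."""
    labels = set()
    for img in shown_images:
        key = image_id(img)
        if key not in lookup:
            return None
        labels.add(lookup[key])
    return labels.pop() if len(labels) == 1 else None

# Constructed sample data (not measurements): 40 answers in which "ticket"
# came up three times, "wire" and "camera" twice, and 33 other words once.
OBSERVED = (["ticket"] * 3 + ["wire"] * 2 + ["camera"] * 2
            + [f"word{i}" for i in range(33)])

# Constructed image pool: fake image bytes standing in for real files.
GOATS = [b"goat-%d.jpg" % i for i in range(4)]
BONES = [b"bone-%d.jpg" % i for i in range(4)]
POOL = [(img, "goat") for img in GOATS] + [(img, "bone") for img in BONES]
LOOKUP = build_lookup(POOL)

if __name__ == "__main__":
    print("random guess:", random_guess_success(72))
    print("fixed answer:", best_fixed_answer(OBSERVED))
    print("P(>=1 hit in 72 tries):", float(p_at_least_one_success(Fraction(1, 72), 72)))
    print("lookup solves goat challenge:", solve_challenge(LOOKUP, GOATS))
    print("unknown image:", solve_challenge(LOOKUP, [GOATS[0], b"new.jpg"]))
```

The lookup attack needs only as many hashes as there are images in the pool, so enlarging the answer vocabulary does nothing unless the images themselves are fresh; the guessing numbers show that even a uniformly chosen answer space of 72 gives an attacker a better than even chance of one success within 72 automated attempts.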