Defeating Captcha

An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.

Old news is no news. :-(

# Q. Where is the code? # A. No code is available yet. I am still pondering the pertinence of allowing code in the wild. The good old full-disclosure debate... If you think I should release the code for PWNtcha, feel free to explain your arguments to me.

::sigh:: The blurb leads one to believe that there's a new script kiddie tool in the wild. This is just someone's experiment with OCR and some AI. (And an old project at that; I remember reading this site about six months ago while working on my own Captcha implementation). There's a handful of researchers around the world doing the same type of work, including at team at UC Berkeley that devised a system [berkeley.edu] that they claimed was 92% accurate... back in 2003. All in all, this isn't all that newsworthy.

mirrored

here [mirrordot.org]

What Captcha is...

Whew, I had never even heard of Captcha [wikipedia.org] before...

A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.

spammer's low-tech way

A while ago, I remember hearing about how some spammers whould post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.

Mod parent up

It's a cheap and scaleable method to defeat such algorithms. There will always be enough humans willing to do this for very little reward (some free pics).

Re:spammer's low-tech way

It's trivial to hack a browser (hell, you don't even have to actually hack it, just know how it works) to snag the image for you. Then repeat as per grandparent (have a unwitting (or witting) human do it for you).

Next stage: make the captcha Java code that generates the warped image dynamically. Reponse: send the JS to the unwitting human.

Next stage: make the Java code generate the token using something intrinsic to the machine running it (IP, etc, etc). Response: snatch the image from display ram to present to the unwitting human.

Next stage: include in the image information about what the image is for (site, etc). Response: block those parts, or use witting humans who don't care or are otherwise paid (in porn, 3rd-world wages, etc).

You can make it progressively harder, but you can't make it impossible. You might be able to make it hard enough, though.

Re:spammer's low-tech way

Most of these techniques could be defeated with a simple color filter, sadly.... Regardless, crypto is a really good comparison because a lot of crypto can be broken with statistical techniques, and in that regard, getting past Captcha grids can be done using very similar methodology.

Take a histogram of... say a hundred random subregious within the image of varying sizes and shapes. Sort colors by the number of these subregions in which they appear. Assume that colors that appear in every block (or above some threshold... say 90%) are background. Replace them all with white. Assume that colors that appear in only some of those blocks are foreground. Replace those colors with black. Do your OCR.

To some extent, you can get around that by masking parts of the text using the same color or by adding chunks of background in the same color, but this is only of limited effectiveness. The only way you can really defeat even the most basic stochastic analysis is by making the color information change from one side of the picture to another. Even then, unless this is done randomly in a dynamic fashion, once you manually figure out the gradation once, the mechanism is broken.

Basically, these things don't work even at a conceptual level. The fundamental problem is that you have a choice: either require the person to do something that doesn't require thought or require the person to solve problems that require logical thought.

In the case of the former, it can be obscured easily, but the level of thought needed can be easily simulated by a computer program, and any algorithm one could write to fool that program is inherently reversible. If the noise level is sufficient to make this impractical, it also will be unlikely that a human can read it, though with multiple tests, this could still work---more on this later..

In the case of the latter, the limitations to the reasonable size of the problem space mean that, while the computer can't simulate the intellect needed to actually figure out the example, it can trivially store a list of all of the problems and their answers and simply regurgitate the right answer on command, in much the same way that most lower animals can be trained to regurgitate an action on command even though they do not actually understand what the command means.

The only potentially viable mechanism for doing this sort of thing involves dynamic creation of the images using random number generators to perturb the image in ways that are of similar color to the test, using color variation on the text to fool stochastic methods, using foreground masking of the text (i.e. lines that go in front of the text, not just behind it), and using a wide enough variety of fonts, some of which should be things like cursive fonts with variable baselines. That really makes OCR mad.

If you do all of those things, you -might- have something that could only be broken by a computer a third of the time. The problem is that it could only be broken by a -human- about half of the time. If you do multiple tests, you should be able to establish a reasonable threshold above which the antagonist is likely to be a human rather than a piece of software, though even then, you will have to algorithmically change it frequently or else computers will eventually overtake humans no matter what your algorithm... because, quite frankly, computers are a lot better at DSP than we are. :-)

rock paper scissors...

captcha stops bots
pwntcha breaks captcha
slashdot cremates pwntcha

ADA

Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?

Is it compatible with BLINUX? I think by definition it is not.

Perhaps I should ask, what alternate method of identification do sights employ to take into account blind users and the ADA?

Re:ADA

Instead of an image based Turing test like Captcha, I just have the last question on a log in screen or form be a randomly selected super easy question. For example, "Spell the number 7" or "What is the next logical number in the sequence 1, 3, 5, 7, ...? Check it out here: http://www.donnyspi.com/contact.php [donnyspi.com]

Re:ADA

Hmm. Done right, you could weed out bots and stupid people. Excellent!

Re:ADA

I wonder how captcha complies with the Americans With Disabilities Act

Simple - they just use ALT text for the image! :)

Consider the problem

The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheater" by making the user prove that they are a human rather than a robot.

Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.

The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.

Re:Consider the problem

"What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says."

I actually disagree. The captcha method reduces spam load for most sites down to zero. Only the bigger sites need to worry, because spammers may set up a site to specifically target them by rerouting captchas. That's not the case with 99% of the websites using captchas, it's just not worth the effort.

It's sorta like a copy protection: if it stops 90% of the people, then it's good enough.

It is patented

This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen [useit.com] might have to say on this technology from a usability perspective.

Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698

Also see the Wikipedia article [wikipedia.org] for more information.

Heh

Well I'm glad someone is writing code to solve those "prove you aren't a script" images, because a lot of times I can't quite figure them out myself.

• "Q. What is your favorite color?.. No on second thought, nevermind that. What is written in this blob?"
• A. I'm not sure, is this a rorschach test? Oh, I know 4 - 3 - Two flies mating - U - V - Giant Nose - X."

Its bad idea for several reasons

Chiefly among them is sometimes you can't tell what the fucking words are. Within the last few months on more than one occasion I simply could not read the letters because they were so distorted and the lines overlapped the letters too much. No fun redoing a web form over and over because you can't figure out what the hell the verification box says.

I can't imagine how people with difficulties cope with this.

Interesting flash-based captcha

I just saw a great flash-based Captcha designed to combat just this sort of attack. The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern, and the text was visible or obfuscated depending on whether there was a shape behind it at the moment. After watching it for a few minutes to see if there were any obvious flaws, I noticed that the entire phrase was never visible all at once.

A little patience was required, but I was able to verify in less than 10 seconds. Animation seems to be very useful for this kind of application.

Re:Interesting flash-based captcha

You could just write the bot to decompile the .swf file and grab the string (or vector/raster representation of the text) from that.

Flash is a bad format to use for a CAPTCHA from a security and accessibility point of view.

Easiest way to Defeat Captchas

1. Put up a "free" pr0n site.
2. Require visitors to the pr0n site to process a captcha before viewing the pr0n. In reality they are proxy processing a captcha for another site (paypal, hotmail, yahoo, etc.) which they never see.
3. Profit!

Captchas are next to useless and for the visually impaired very frustrating. One more of a example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>

Captchas = Turing test

As with the Turing test, the entire purpose of a captcha is to distinguish humans from machines. As captcha-defeaters improve, the captchas will need to become more and more sophisticated and require more and more human or human-like intelligence to process. This arms race will culminate in a Turing test-like approach for discerning natural intelligences from artificial ones.

The ultimate irony may occur when the first human-intelligent computer is created by a spammer for the purpose of assaulting our collective intelligences with their commerical drivel. Given the increasing value of online commerce and Google page ranking, there's probably more money in AI for captchas than AI for academic research.

But before captchas get that sophisticated, the system will become self-defeating as the number of real humans defeated by captchas exceeds the number of AIs repelled by them.

The linked page is NSFW

Editors -

Please don't link to the goatse man without at least some warning.

Thanks.

Goatse Man

Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.

The link is not work safe.

Totally fake

This article is a fraud. No source is presented, and goatse.cx is displayed in the examples. This whole thing was contrived just to get goatse.cx in a legitimate front page post. Best troll in years.

Re:From the site...

http://www.gh-sts.com/captcha.txt [gh-sts.com]

This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.

Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).

Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.

Yes, I used ImageMagick's Perlmagick library.