Defeating Captcha
An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.
Old news is no news. :-( (Score:5, Informative)
mirrored (Score:5, Informative)
What Captcha is... (Score:5, Informative)
A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.
It is patented (Score:4, Informative)
This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen [useit.com] might have to say on this technology from a usability perspective.
Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698
Also see the Wikipedia article [wikipedia.org] for more information.
This was made by the GNAA (Score:1, Informative)
Re:spammer's low-tech way (Score:3, Informative)
Commentary on w3's captcha-inaccessibility page (Score:2, Informative)
Among the claims:
- captchas are inaccessible to the blind - true
- a horde of human beings can decode the entire library over time - only true if the images are recycled, not if they are created on-demand or for one-time use.
It also discusses some of the side-effects of making access to real humans harder, or harder for a class of users such as the visually impaired. For example, I've seen sites that say "If you cannot read this, call this phone number for access." Too bad for you if you don't have a phone.
As alternatives, it offers
- logic puzzles
- sound output
- credit-card validation
- live operators
- limited-use of unverified accounts, such as throttling for email
- behavior and heuristic analysis
- already-established credentials, such as single-sign-on systems or public-key-based systems
- biometrics
The article briefly discusses the pros and cons of each.
I rate its conclusion
"Visual verification alone is known to create problems with users. It is imperative that site designers take the needs of users with disabilities into account, and it is likewise hoped that one or more of these potential solutions can make that process easier."
as: insightful +5 obvious -1.
The article as a whole gets an "informative +5."
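Added example, not part of the comment above or of the W3 article it reviews: a minimal server-side sketch of the "created on-demand or for one-time use" property, where each challenge id is consumed on its first verification attempt so that a solved challenge cannot be replayed or collected into a library. The function names, the 120-second lifetime, the answer alphabet and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-process key (assumption: single server)
TTL_SECONDS = 120                  # assumed lifetime of a challenge
_pending = {}                      # challenge id -> (answer digest, expiry time)

def _digest(challenge_id, answer):
    # Keyed hash so the stored value does not reveal the answer.
    msg = f"{challenge_id}:{answer.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()

def issue_challenge(now=None):
    """Create a fresh challenge; the answer would be rendered into a new image."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    answer = "".join(secrets.choice("abcdefghjkmnpqrstuvwxyz23456789")
                     for _ in range(6))
    _pending[challenge_id] = (_digest(challenge_id, answer), now + TTL_SECONDS)
    return challenge_id, answer

def verify(challenge_id, response, now=None):
    """Consume the challenge on the first attempt, right or wrong."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)   # pop makes every id single-use
    if entry is None:
        return False                           # unknown, already used, or replayed
    expected, expires = entry
    if now > expires:
        return False                           # answered too late
    return hmac.compare_digest(expected, _digest(challenge_id, response))
```

Because a wrong guess also consumes the challenge, each attempt needs a newly issued challenge, which is the point where the throttling mentioned in the list of alternatives can be applied.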
Re:spammer's low-tech way (Score:1, Informative)
Re: Disabilities (Score:2, Informative)
Re:From the site... (Score:5, Informative)
This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.
Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).
Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.
Yes, I used ImageMagick's Perlmagick library.
**WARNING** THE PWNTCHA LINK IS NSFW - GOATSE (Score:1, Informative)
Re:spammer's low-tech way (Score:4, Informative)
Re:What Captcha is... (Score:3, Informative)
Re:The GOATSE picture is NOT in the mirrordot (Score:3, Informative)
Re:What Captcha is... (Score:2, Informative)
Just got ditched by your Belgian girlfriend or what did we deserve this statement for?
At least we got good-tasting beer that can help you feel less bad about whatever is bothering you
greets,
Tom
The linked page is NSFW (Score:5, Informative)
Please don't link to the goatse man without at least some warning.
Thanks.
Goatse Man (Score:5, Informative)
The link is not work safe.
Re:From the site... (Score:4, Informative)
About 3/4ths down the page there is a goatse picture, and the caption at the top thanks the GNAA. Wake up slashdot.
Re:spammer's low-tech way (Score:3, Informative)
Re:ADA (Score:2, Informative)
Re:Prime Numbers? (Score:3, Informative)
For info on why, see the mathworld prime number [wolfram.com] entry.
Interestingly, it says that, at one time, 1 was considered prime and 2 was not. Pretty amazing, considering the importance of the Fundamental Theorem of Arithmetic [wolfram.com].