Analyzing CAPTCHAs
Bruce Schneier's blog pointed me to a research paper on
"Attacks and Design of Image Recognition CAPTCHAs" (PDF). The abstract says, "We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail."
PDF warning? (Score:1, Troll)
2nd link is a PDF. Thanks for the warning...
Re: (Score:1, Offtopic)
Not always when they’re in the summary...
Sure, I probably should, but still...
Re: (Score:3, Funny)
And my apologies back to you and the rest of slashdot for using the phrase 'pdf file'
I should know better!
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Did I miss something?
Re: (Score:1, Offtopic)
Yes, a big Whoosh flying way over your head.
Re: (Score:1, Offtopic)
Except, the F doesn't stand for File, it stands for Format [wikipedia.org].
So, it most assuredly is a PDF file. It's not like saying "PIN Number", which is what you are implying.
Re: (Score:2)
the F doesn't stand for File, it stands for Format [wikipedia.org]
So, what format would that be then? The PDF format? ;)
The Portable Document one ...
Re: (Score:2)
And my apologies back to you and the rest of slashdot for using the phrase 'pdf file'
I should know better!
It's ok, we forgive you. But from now /. is going to require you to type in your PIN number. Not the same PIN number you use at the ATM machine though.
Re: (Score:1, Offtopic)
Re: (Score:2)
Eh, a few.
Best rickroll I’ve seen was written in assembly code and instructed you to paste it into DEBUG, resulting in a never-ending loop playing the first stanza or two. I ran it in DOSBox just to be on the safe side...
Best goatse was a black PNG with the image stored in the alpha channel.
Re: (Score:2)
Not quite the same – but nevertheless (I couldn’t find the original of the one I was referring to): http://forum.osdev.org/viewtopic.php?p=158449#p158449 [osdev.org]
And you can make the Goatse image yourself easily enough in GIMP... Slashdot wouldn’t display a thumbnail anyway, I’ll let you figure out what sites to post it on...
Re: (Score:2)
Just plugging a FireFox add-on related to that...
https://addons.mozilla.org/en-US/firefox/addon/3199/ [mozilla.org] - Link Alert
2010 Re:PDF warning? (Score:1)
It's 2010, get a life. Comments like this were funny sometimes around 1996.
Re: (Score:2)
It's 2010, get a life. Comments like this were funny sometimes around 1996.
It's 2010. In 1996, PDFs weren't a potential security vulnerability.
Re: (Score:2)
What do you mean? In 1996, everything was a potential security vulnerability.
hmm... (Score:2, Insightful)
Re: (Score:2)
I hear you can just pay people to sit in front of a PC all day solving captchas, and it's cheaper than a bot.
Re: (Score:2, Funny)
Re: (Score:2)
Not Cylons, Nigerians (Score:2)
I dealt with spam sent via phished passwords in a previous job. No one could relay through our site, and our IDS blocked large mail bombs via authenticated SMTP and IMAP, so the spammers always got in by logging in via the HTTP interface and apparently cutting and pasting spam messages one recipient at a time.
About 3/4 of the spammy logins were from Nigeria and Togo and the rest were from various places like Israel, Saudi Arabia, and various UAE states. It's the ultimate work from home job!
Re: (Score:2)
This is a problem with which I'm familiar. Used to be isolated to the 41. specifically Nigeria, then Ghana, Ivory Coast, Burkina Faso got into the act, then UAE, Egypt and Algeria. Lately the headache has been migrating to Malaysia and Jakarta. Throw in the random UK, Ireland, Spain, Portugal, Russian IPs, occasionally some from China.
I just track the IPs, when they reach a magical threshold I loop through with iptables and block the whole damned network, and when enough subnets are blocked, move up to the
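The threshold-and-escalate blocking the poster describes, as an added example that is not the poster's own script. It assumes a constructed log format (one failed webmail login per line with a `src=` field), a per-host threshold, and a rule that once enough blocked hosts share a /24 the whole /24 is blocked instead; the thresholds and the /24 prefix are illustrative choices. The iptables commands are rendered as strings for review rather than executed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post): one webmail
# login result per line. Real log formats differ; adjust LOG_RE to match.
SAMPLE_LOG = """\
2010-04-01T10:00:01 webmail login FAILED user=alice src=203.0.113.10
2010-04-01T10:00:02 webmail login FAILED user=bob src=203.0.113.10
2010-04-01T10:00:03 webmail login FAILED user=carol src=203.0.113.10
2010-04-01T10:00:04 webmail login FAILED user=dave src=203.0.113.11
2010-04-01T10:00:05 webmail login FAILED user=erin src=203.0.113.11
2010-04-01T10:00:06 webmail login FAILED user=frank src=203.0.113.11
2010-04-01T10:00:07 webmail login FAILED user=grace src=203.0.113.12
2010-04-01T10:00:08 webmail login FAILED user=heidi src=203.0.113.12
2010-04-01T10:00:09 webmail login FAILED user=ivan src=203.0.113.12
2010-04-01T10:00:10 webmail login FAILED user=judy src=198.51.100.7
2010-04-01T10:00:11 webmail login FAILED user=judy src=198.51.100.7
2010-04-01T10:00:12 webmail login OK user=judy src=198.51.100.7
2010-04-01T10:00:13 webmail login FAILED user=mallory src=192.0.2.99
"""

# Only FAILED logins count toward the threshold; a successful login is ignored.
LOG_RE = re.compile(r"login FAILED user=\S+ src=(\d+\.\d+\.\d+\.\d+)")


def count_failures(log_text):
    """Return a Counter of failed-login attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def plan_blocks(counts, host_threshold=3, hosts_per_subnet=2, prefix=24):
    """Decide what to block (thresholds are assumed values for illustration).

    - An IP with >= host_threshold failures is blocked on its own.
    - If >= hosts_per_subnet blocked IPs fall inside the same /prefix, the
      whole subnet is blocked instead (the 'escalate to the network' step).
    Returns a sorted list of CIDR strings.
    """
    offenders = [ip for ip, n in counts.items() if n >= host_threshold]
    by_subnet = defaultdict(list)
    for ip in offenders:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[net].append(ip)
    blocks = []
    for net, ips in by_subnet.items():
        if len(ips) >= hosts_per_subnet:
            blocks.append(str(net))
        else:
            blocks.extend(f"{ip}/32" for ip in ips)
    return sorted(blocks, key=lambda cidr: ipaddress.ip_network(cidr))


def iptables_rules(blocks, chain="INPUT"):
    """Render iptables DROP rules as strings so an operator can review them."""
    return [f"iptables -I {chain} -s {cidr} -j DROP" for cidr in blocks]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for rule in iptables_rules(plan_blocks(failures)):
        print(rule)
```

With the sample above, the three hosts in 203.0.113.0/24 each cross the threshold, so the planner emits one /24 rule instead of three host rules; 198.51.100.7 stays under the threshold because its successful login is not counted.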
Re: (Score:2)
Industry in WORLD 3-1 (Score:1, Offtopic)
Apparently we don't really need strong AI so long as we have cheap labor in the 3rd world.
Then perhaps we need to send people down the tube at the end of world 1-2 [flickr.com] to build roads and the like so that we can industrialize the 3rd world and make the labor more valuable.
Re: (Score:1, Offtopic)
Re: (Score:2, Informative)
Re: (Score:2)
Cheaper? Maybe for the initial cost of developing such a bot for a temporary amount of time, but the bot doesn't cost anything after that as far as I know.
Re:hmm... (Score:5, Funny)
It's happening already, I think, with turn-key solutions floating around featuring 20-35% accuracy. I don't have 100%, more like 80% or so, and I am a human.
OT, but I found a way to make RECAPTCHA entertaining. With two words given, I always just type one of the words, and put "fuck" for the other. The accuracy falls below 50%, but the giggles make it all worthwhile.
Re: (Score:2)
OT, but I found a way to make RECAPTCHA entertaining. With two words given, I always just type one of the words, and put "fuck" for the other. The accuracy falls below 50%, but the giggles make it all worthwhile.
Below 50%? I probably average ~90% ... the key is in figuring out which word you have to get correct. There’s always the button to get a different captcha if you can’t tell on the one it gave you...
Re: (Score:2)
Re: (Score:1, Insightful)
...and I am a human.
Can you prove that?
Re: (Score:2)
I have come to the conclusion that I am a bot. Half the time I can't read those captcha thingies.
Re: (Score:2)
Same here, I spent 15 minutes trying to get one to work the other day, but the letters were so messed up and the words so nonsensical that I couldn't manage it. So I tried the audio option. Makes sense right? Just listen to the words and it'll be easy! Except the audio was so fucked I couldn't understand it.
I managed to get in eventually, but I'm avoiding that website from now on.
Re: (Score:2)
Well, there's always the Turing Test [wikipedia.org], but that could make signing into web sites a real nuisance. :-P
Also this... (Score:2)
...There was a Numb3rs episode wherein a supercomputer was programmed to fake its way through a Turing test. Cool concept.
Re:hmm... (Score:5, Interesting)
Well, CAPTCHAs worked because they relied on vision tests - a skill that humans still do better than computers, but computer vision is already quite advanced. Then the countermeasures came where CAPTCHAs started getting so distorted that it was impossible to determine the code (I remember a forum I signed up for - took more than 15 tries and a cookie reset).
However, there are still difficult-for-computer-but-easy-on-humans tasks that can be done. I'm surprised no one's yet hooked a way into the Amazon Mechanical Turk or the like. Perhaps a simple one can be where you show a panoramic view along a busy street. Then you ask the question "What is the name of the store at number 763?" Or "What is the street number of ZZZ Supermarkets along this street?". "There is a large group of friends gathered near XXX store. How many people are in the group?"
Or simpler ones - if your forum or other thing is about a specific topic, ask a question about that topic. Or even self-referential ones. "What of the following will an art thief steal? A) Mona Lisa, B) Big screen HDTV, C) Cellphone, D) Money".
Might as well advance the state of things like image recognition and natural language queries while we're at it.
Re: (Score:1)
Re: (Score:1)
Coz with the alternatives you propose a human has to first figure out the correct answer to compare against the user's response in a CAPTCHA challenge. If they had an algorithm to figure it out, the attacker would use it too. And, millions of CAPTCHAs are served every day, so they have to be automated.
Trivia questions... (Score:2)
I recall how Planetarion [online game] used simple trivia questions in their CAPTCHAs. The arithmetic category was no problem, but a few of the simple trivia questions tripped me up, especially because they were Euro-centric (the game *is* based in the UK). I shouldn't have to Google for a CAPTCHA answer.
Re: (Score:2)
When they figure out how to win, YOU win (Score:2)
Re: (Score:2)
A lot of CAPTCHAs have sound alternatives; since I can see a computer screen perfectly fine, I've never bothered checking them out, but I can test for curiosity's sake sometime.
Granted, that's another vector for attackers in addition to improving site accessibility.
Too focused on being perfect (Score:2)
My experience with captcha is they are too focused on being the perfect system, to the point where it goes from a simple annoyance to almost impossible to access whatever it's protecting.
Re:Too focused on being perfect (Score:4, Insightful)
At some point, CAPTCHAs will reach the point where ONLY a bot can get past them.
Re:Too focused on being perfect (Score:4, Insightful)
Then they’re designed wrong.
You should at least skim over the paper, that’s actually a significant portion of what it’s focused on... finding something that humans are good at and bots are not. As better bots have been written, that may have changed significantly... most present CAPTCHA systems are relatively broken.
Re: (Score:2)
The GP's point was that there are captchas out there that are very difficult for even human readers to understand. However, pattern recognition software is getting better all the time, while human pattern recognition is generally fixed (It's phenomenal, but not improving). Eventually pattern recognition software will overtake the human pattern recognition ability, and then the only ones who will be able to pass a captcha is a bot.
Re: (Score:2)
Well, then you move on to a harder pattern, such as "what mood was the writer in when they wrote this" or "does the puppy in this picture look sad?" or, "is the person pictured in a dangerous situation".
If we're at that point...then I would assume we would also have the ability to detect spam in a contextual sense!
Re: (Score:2)
My experience with captcha is they are too focused on being the perfect system, to the point where it goes from a simple annoyance to almost impossible to access whatever it's protecting.
Then it's getting further away from being perfect. A perfect captcha would be unnoticed.
Chinese CAPTCHA farms (Score:2, Informative)
I have a friend that used to bot WoW for a couple years until Blizzard got the law on their side^H^H^H^H^H^H^H^H^H^H^H^H^H in their pocket. Turns out he used to redirect bot checking CAPTCHAs to an IRC channel where the paid minions would solve them.
CAPTCHA has been a moot point to me since I witnessed this process occur in real time.
Re:Chinese CAPTCHA farms (Score:4, Informative)
I heard porn sites would require a captcha to view an image, but it was really a redirect from another captcha. So porn surfers were solving captchas for bots.
Re:Chinese CAPTCHA farms (Score:5, Funny)
FTFY.
Re: (Score:2)
I've seen that too and I've always wondered if that isn't the real reason we are getting near impossible captchas these days. Some admin probably sees lots of bots getting past the captcha filter and instead of realising it's humans doing the work decides to make the captcha more and more difficult.
Some of the captchas go so far beyond a turing test this seems like the most plausible explanation. The current captchas can surely be toned down a bit in difficulty and still be impossible for state of the art a
Why not... (Score:2)
do captcha in a different way. Show an image of someone famous, like Obama, then ask who that person is. The answer key could have "Obama," "Barrack," "Barrack Obama" and every other iteration.
Re: (Score:3, Insightful)
There are only so many such images available for use, and the image library could fairly easily be exhausted and all of the images correctly identified at which point a bot could be used with near-100% accuracy.
Re:Why not... (Score:4, Funny)
There are only so many such images available for use
Not if they use images of Lady Gaga
Re: (Score:2)
There are only so many such images available for use
Not if they use images of Lady Gaga
Except the idea only works if the answer isn't always Lady Gaga
In all seriousness, though... (Score:2)
You're right, they can't all be pictures of the same person, but it seems like multiple pictures of the same person, mixed in with pictures of other people, could help or at least not hurt.
If the pictures of the same person look very different (Gaga's fashion choices would certainly be an example of that), that would help such a process
Re: (Score:2)
she is the near complete opposite of a cartoon character in that respect (say, Bart's red shirt and blue shorts) - almost every day's outfit is *different*.
[I'm assuming the joke was about her divergent fashion selections]
Re: (Score:1, Offtopic)
the actual correct spelling
Well, the actual spelling is also the correct one. Thanks for that clarification!
Re: (Score:2)
Are you implying that his redundant adjective is redundant?
Re: (Score:2)
I did indeed get caught up by some region-specific trivia on a European webgame's text CAPTCHA, so I have personal experience with the concept you're getting at. :)
yeah, the list of famous people that are famous worldwide would be small, limiting worldwide use of such a system for those reasons, and even if they're "on the grid" [as opposed to someone living out in the sticks or something], they might not have heard of particular people.
Re: (Score:1)
Collecting the pictures for this would be pretty expensive. You've got to figure out licensing, tagging (including acceptable synonyms in several target languages), down-sampling, storage, accessibility, etc. The attacker only has to figure some (imperfect) tagging, and they can use well-researched ideas (facial recognition) to help with this. Moreover, the larger and more valuable target you are, the more images you must find. Wo
Re: (Score:1)
It might work, except that someone who is famous to one person is unknown to another. Were you to put up a picture of Barack Obama or Joe Biden, I could identify either one easily. The same could not be said of all world leaders, however. I read pretty regularly about events involving David Cameron, Christian Wulff, and Nicolas Sarkozy, but I'm not sure if I could accurately identify a photo of any of them given no other context.
Lady Gaga? Show me a picture of her without any context, and I'd have to st
Re: (Score:2)
That is a strong point about why a famous person should not be used, but what about something simpler. I propose something like this:
5 images of random people are selected from a database where the images are tagged about the person's appearance (i.e. hair color, sex, facial hair, eye color, etc).
A random question is asked about those five images (i.e.- how many have facial hair? How many have blue eyes? How many are women?)
If answer matches with the tags from the 5 random images you have a succes
Re: (Score:1)
Better, but still problematic for another reason.
Captcha requires lots of possibly incorrect responses. An answer with a minimum value of 0 and a maximum value of 4 (for example) means there are 5 possible responses. 0,1,2,3,4.
That gives a bot a 20% chance of being correct, which is unacceptably easy.
You've also made the captcha solution language-specific. And if you use colors, color-blindness may be an issue for you now as well.
Don't get me wrong, I can see some applications of picture-based captcha, b
Re: (Score:2)
Good points, so let's address them. Your calculation is a bit flawed: for a simple question you have 6 possible answers - 0,1,2,3,4,5. So the bot has a 1/6 chance of correctly guessing, which is still unacceptably easy. So add a second or third question raising the possibilities up to 1/36 and 1/216 respectively. Or add more images to raise the base number up from 6 to 11 or maybe 21. Suddenly you get from 1/6 odds up to 1/9261 (20 images 3 questions). The color issue would be problematic and the only wa
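The guessing odds worked out in the two posts above (1/6 for one count question over 5 images, 1/36 and 1/216 for two and three questions, 1/9261 for 20 images and three questions), as an added example that is neither poster's code. It carries the arithmetic a step further than the thread does: how the odds grow when a bot is allowed several attempts, and how many questions a designer needs before blind guessing drops below a chosen rate. The independence of questions and the uniform-guess model are assumptions; the exact-fraction arithmetic uses the standard library only.

```python
import math
from fractions import Fraction


def answers_per_question(n_images):
    """A 'how many of these N images ...' question has N+1 possible answers (0..N)."""
    return n_images + 1


def single_guess_success(n_images, n_questions):
    """Probability that one blind guess answers every question correctly.

    Assumes the questions are independent and the bot guesses uniformly
    among the possible counts (the model the thread's 1/6, 1/36, 1/216 use).
    Returned as an exact Fraction.
    """
    return Fraction(1, answers_per_question(n_images) ** n_questions)


def success_within_attempts(n_images, n_questions, attempts):
    """Probability a bot succeeds at least once if allowed `attempts` tries."""
    p = single_guess_success(n_images, n_questions)
    return 1 - (1 - p) ** attempts


def attempts_needed(n_images, n_questions, target=0.5):
    """Fewest attempts that give a bot >= `target` probability of one success.

    Solves 1 - (1-p)^n >= target for n, which is what rate limiting has to
    stay well below if the puzzle is to mean anything.
    """
    p = float(single_guess_success(n_images, n_questions))
    return math.ceil(math.log(1 - target) / math.log(1 - p))


def questions_needed(n_images, max_success):
    """Fewest questions per challenge so one blind guess succeeds with
    probability <= max_success (a design knob the second poster reaches for)."""
    q = 1
    while single_guess_success(n_images, q) > max_success:
        q += 1
    return q


if __name__ == "__main__":
    for images, questions in [(5, 1), (5, 2), (5, 3), (20, 3)]:
        p = single_guess_success(images, questions)
        print(f"{images} images, {questions} question(s): 1 in {p.denominator}, "
              f"50% success after {attempts_needed(images, questions)} attempts")
    print("questions for <= 1/1000 with 5 images:",
          questions_needed(5, Fraction(1, 1000)))
```

The attempts figure is the part the thread leaves implicit: a 1/6 puzzle is beaten half the time within four tries, so a counting CAPTCHA is only as strong as the retry limit and lockout around it.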
Re: (Score:2)
The trouble is that you've made it hard enough (by definition) that a human is needed to lovingly hand-craft each one as well. After all, if the computer could put them together from an image database, it could solve them the same way.
tl;ds
Too long; doesn't scale.
Re: (Score:3, Insightful)
Reverse image searches like TinEye [tineye.com] blow this idea out of the water before it's even begun.
Good study, would have preferred a more diverse (Score:1)
Re: (Score:2)
Design your own study then. Sounds like you know just what needs to be done.
My favorite one is this (Score:2)
Human resources are cheaper (Score:2, Insightful)
I dread Craptcha (Score:3, Informative)
Re: (Score:2)
A new captcha idea. (Score:2)
Once the captcha is defeated, a human being sends a simple question to the account to validate it.
"Was Jennifer Aniston in "Friends""
"Is Kentucky a country?"
"Is the Euro a kind of duck?"
Re: (Score:2)
If train A leaves Chicago traveling 100MPH and train B leaves New York traveling 150MPH and the distance between the two cities is 600 miles how far from New York will it be when the two trains meet?
And you thought word problems would never be useful!
Re: (Score:2)
Who was one of the female stars of friends?
What was the Dow yesterday?
Please respond and say that you are a banana.
I started this on a local personals site about 7 months ago and I'm seeing it everywhere now. I think it was invented in multiple places. It makes personals spam almost useless regardless of how real it seems.
Re: (Score:1)
Re: (Score:2)
The New York train has 3/5ths of the total speed, so they'll be 3/5ths of the way, i.e. 360 miles. ... that'd still be beyond most people, though, I'm afraid.
Never knew those problems were that easy
XKCD (Score:1)