The Heyes CAPTCHA

Re: The Heyes CAPTCHA

Anonymous User — Fri, 01 Jun 2007 02:26:44 -0500

pure wisdom, history teaches best. thanks, it's a nice insight!

Re: The Heyes CAPTCHA

thornmaker — Thu, 31 May 2007 17:21:23 -0500

this reminds me of knuth's story about when he thought he could create a good random number generator by making a ridiculously complicated algorithm. after very little analysis though, he found that it had very short cycles and even a fixed point if i recall correctly. the point being is that often times you can't just throw in some additional complexity to make something more secure. a much better approach is to come up with a cleaner design. now i'm not saying a good javascript based captcha is impossible, i'm just saying you're not going to end up with one by adding additional complexity to an already known weak one.

Re: The Heyes CAPTCHA

WhiteAcid — Sun, 27 May 2007 05:52:36 -0500

You can make it harder but as long as you're sticking to JS it can always be solved programatically.

Re: The Heyes CAPTCHA

Gareth Heyes — Sun, 27 May 2007 04:47:19 -0500

Heh cool attack! So simple to bypass :)

What about if a random seed was used on the sequence though? So the length varies and the seed is removed on the server before the check. I could also randomise the function calls and also the method of assigning the sequence.

If I applied those techniques, could another method be created to easily bypass? I'm guessing that is would be more difficult to bypass on the server side.

Re: The Heyes CAPTCHA

WhiteAcid — Sat, 26 May 2007 22:29:20 -0500

My programming skills, specifically embedding a JavaScript engine into a program aren't what they need to be to create a standalone app, instead I've made this bookmarklet which would solve the captcha:

HeyesCaptcha.prototype.complete = function() {seqK  = '';for (i=0; i;seqK += x.substr(44,1);seqK += x.substr(81,1)}document.getElementById('sequence').value = seqK;this.count = 4;this.seconds = '';this.updateKey()};heyescaptcha.complete()

Re: The Heyes CAPTCHA

Gareth Heyes — Sat, 26 May 2007 19:32:42 -0500

It was a technical challenge I set myself to see if I could create some code that couldn't easily be parsed without pressing a key and executing the javascript. I know what you are saying but if the parser doesn't know what to execute and it is complex enough to prevent regular expressions then maybe it's possible to prevent automation in this way.

Could you provide me an example on how to bypass this technique?

Re: The Heyes CAPTCHA

WhiteAcid — Sat, 26 May 2007 19:20:20 -0500

You could always embed an existing JavaScript engine into your solver and use that. Anything your browser can do another program can do.

Re: The Heyes CAPTCHA

Gareth Heyes — Sat, 26 May 2007 19:12:22 -0500

Hi WhiteAcid the javascript creation is simple at the moment but it does change everytime you visit the page. The class I wrote could be expanded upon to include more complex code creation, in order to successfully pass the test you would have to get the javascript and have some sort of engine to parse it, although now it would be possible to write a simple one that could convert the javascript into php and therefore create the correct hash, I think with enough random code generation it would be very difficult to bypass without executing the javascript.

I'm going to release the code under GPL so I guess I will find out if it has been a waste of time or not :)

Re: The Heyes CAPTCHA

WhiteAcid — Sat, 26 May 2007 18:57:00 -0500

Heh, I saw this on php-planet before readin git here. Anyway... It's still entirely JavaScript based and can be automated. All you have to do is read a few variables, parse them a bit and md5 them. Totally doable.

Re: The Heyes CAPTCHA

Gareth Heyes — Sat, 26 May 2007 15:41:00 -0500

Continuing my quest for a non-image based captcha, I've released a new version of the HeyesCaptcha. Using research gathered from the last time, I think I've made this one far more secure against automation.

Can anyone automate it?
http://www.thespanner.co.uk/2007/05/26/heyes-captcha/

Re: The Heyes CAPTCHA

rsnake — Mon, 21 May 2007 19:00:42 -0500

I actually don't think I ever said, "The CAPTCHA fails to protect, because the experts can crack it." What I said is that it does keep out kiddies, but they are rarely worth thinking about in most critical applications. It does slow down robots, but it doesn't stop attackers. So you have to weigh the value of what you are trying to protect. Please don't read into this too much, read it for what it says. I do think CAPTCHAs provide value - just not what most people use them for.

Re: The Heyes CAPTCHA

Anonymous User — Thu, 17 May 2007 07:28:33 -0500

Well I don't know, some "lock kiddies" or just people who walk in the streets are also no experts on locks. Still, they are designed to keep the good people good. They are no protection agains the people who really want to break in.

Normal people may take 3 days to open the same lock, an expert lockpicker does in under 2 minutes. So can I compare it? yeah I think I actually can.

So no lock is safe, should we stop use it then?

Cause like you said: The CAPTCHA fails to protect, because the experts can crack it. To me, that is a pretty useless statement in analogy with the lock. Because what it implies is what I said earlier: If that is the case, why have security at all.

Yesterday I saw an interesting news story in my country about a real world heist, know how they did it? they drove to a bank, and of coarse, the bank is protected. So they waited behind the bank. 2 bank employees where filling the ATM with money in the room where the bank robbers where waiting behind the back door. The robbers spilled gasoline on the door, so that the bank employees smelled the gasoline and opened the secured door to look where the smell was coming from, quickly the bank robbers did go in and took all the money.

A weak link, despite tons of steel doors and thick walls, and other security stuff. Smart idea, It kept out good citizens, but the bad guys won. They always win.

But it doesn't mean we should throw away barriers and perimeters. Is it?

Re: The Heyes CAPTCHA

rsnake — Wed, 16 May 2007 11:17:28 -0500

I'm not sure that's a good analogy. Locks keep out 99.99% of people who shouldn't have access, while CAPTCHAs keep out no one except (theoretically) robots (and blind people). Further, for me to break into 1000 doors, even if I'm good, by your math would take me 2 minutes x 1000 doors, assuming there is no travel time between them. CAPTCHAs, on the other hand, take far less time than that because of scale. You could do 1000 in 2 seconds if it were a weak CAPTCHA or if you had enough porn proxies set up, regardless of geographic location.

What you are getting at is the economy of the issue which is a different problem and one worth discussing, although I'm still not sure how this conversation ended up in this thread. It probably deserves a new thread since this has nothing to do with Heyes in particular. If it's worth a lot (like the contents of a house to be analogous to a dork lock) to break a CAPTCHA, no, CAPTCHAs fall down much faster than 2 minutes per. If it's worth next to nothing (instead of the contents of a house, all they get is a text link on some page) yes, a CAPTCHA has done it's job since it is not worth it to break the CAPTCHA.

And be careful, I never said they were useless. I actually said they do keep out the kiddies, but unfortunately, the kiddies are barely worth thinking about in most of the applications I work on. So while CAPTCHAs provide some incremental value, they are anything but "secure". Should you use them? Depends completely on what you are trying to solve. In most cases the answer is no, in my experience. However, certain things like brute force actually do help, since the name of the game is increasing the level of inconvenience for the robotic activity (similar to time delays in login screens after failed attempts).

I simply don't think you should think of CAPTCHAs as a security device, I think you should only think of them as a tool to slow down robotic activity, and that's it. I do think there is a lot of good security in the world, but CAPTCHAs do not fall into that category. Sorry if this isn't what you wanted to hear, but I've seen every CAPTCHA deployed in a large scale environment broken in real life (not just the lab). I'm not talking about my theories here. It just really is a pretty weak tool. While locks are also very susceptible to being broken, the physical annoyance and likelihood of getting caught are the few things that allow it to prevail. Don't forget that the anonymity of the Internet is one of the main causes for it being such a great place for attackers. Attackers don't have that luxury in real life for the most part.

Re: The Heyes CAPTCHA

Anonymous User — Sat, 12 May 2007 14:30:33 -0500

So we can agree upon one thing then: It's useless to use a captcha.

Well, while where at it: Why have security at all.
cause every protection can be broken isn't it? I know some lock pickers who can open up every door under 2 minutes. Do they say that locks are useless now? No I can't recall that they said something like that. To their viewpoint, every customer doorlock can be opened under 2 minutes: So it's broken.

Is this feasible?

No, and you know why: One of the most used security philosophy today is build upon one thing: Preventing attacks, by slowing them down. It's impossible to stop everything in the end.

So are CAPTCHAs useless, are they broken? No, not for me.
I think one can't say it's broken, or useless. it all depends on the context where it is used and implemented.

Re: The Heyes CAPTCHA

rsnake — Fri, 11 May 2007 11:10:58 -0500

Okay, but the next question you have to ask yourself is where is the tradeoff? In biometrics it's similar to a crossover rating, but here we have to think about the cost benefit analysis from an attacker's perspective. Did that CAPTCHA slow down the people you want enough to in any way solve your issue? If you have to use offline analytics to pull down things for human review, CAPTCHAs haven't done their job. They may have slowed the scale by which you have to review by human eyes, but they certainly haven't stopped it. So the most important question here is have you stopped the bad guys from doing what they want to do? Ultimately CAPTCHAs are ineffective at that unless it makes it economically infeasible. Also, since most of them can be solved by computers anyway, it hasn't even solved the most basic requirement that it even be a human. So in my opinion while they may not be 100% broken in all cases, they have limited security value but tons of obfuscation value. So yes, good for keeping out a few kiddies, completely worthless for stopping the people who I worry most about.

Re: The Heyes CAPTCHA

Anonymous User — Thu, 10 May 2007 05:56:10 -0500

Well theoretical security concepts are designed to stop them, but practical security concepts show that that is impossible. Nothing can be secured in the real world. So given this fact we can conclude this:

a.security does not exist in the real world, only in theory.
b.security does exists in the real world and can only slow down attacks, not stop them.

I'll go for B. for the main reason why this is standing firm ground, I can compare it to a bulletproof vest. That is also designed to slow down bullets, but with a huge caliber one can shoot right through it. Same with bulletproof glass, metal etc. I just use it as an analogy to the concept of security.

I'm not sure it hold enough water for the Captcha example, but in general if anything else, it's the best we can do.

Re: The Heyes CAPTCHA

kuza55 — Thu, 10 May 2007 02:16:15 -0500

Ronald Wrote:
-------------------------------------------------------
> Right, but security in general is only meant to
> slow down hackers, attackers, spammers, etc.
> That's the whole deal with security, and in fact
> the only reason security exist to keep the good
> guys good, and to slow down possible bad guys.

Actually, I really disagree with that. The goal of security is to stop attackers. We realise that we can't predict everything, so we accept that we'll lose at one point, but that doesn't mean our goal changes - if a system only slows an attacker, then it is not a security measure - it should be nothing more than a band-aid until something better can be implemented.

The only time simply slowing an attacker down is acceptable is when such an attack (e.g. brute force) is unsolvable because the attack does not exploit technology, but rather exploits a user's inability to choose a good password, or similar. CAPTCHAs are used there, and are useful, especially considering that having humans solve that many CAPTCHAs is infeasible. Sure, CAPTCHAs are also used to prevent SPAM, but SPAM is not a security problem - it may be one which we try to address, but it is not a security problem, there is no attack, it is simply automated usage.

Re: The Heyes CAPTCHA

Anonymous User — Wed, 09 May 2007 20:56:35 -0500

Right, but security in general is only meant to slow down hackers, attackers, spammers, etc. That's the whole deal with security, and in fact the only reason security exist to keep the good guys good, and to slow down possible bad guys.

So when someone can slow down attacks, or make it more difficult to break it efficiently or make it more difficult to monetize it, I think it works.

Still I have trouble to understand why human captcha solvers are being used. And for what reason. What they solve and let's say post after it can be removed in a few mouse clicks. If humans solve them, Captchas aren't broken either, because they are human, and thereby solve the captcha.

Hence, Another method I used in some applications is what I called "Post Spam Resolving" where a script is daily actively searching all database records on Spam signiatures, and list them to be evaluated by humans to be removed.

So I really cannot say that the bad guys win and captchas lose, it's a trade-off.

Re: The Heyes CAPTCHA

rsnake — Tue, 08 May 2007 19:16:14 -0500

It definitely is cost effective to break CAPTCHAs depending on the site. If you are just talking about a 200 person site with no pagerank, no, not worth it. If you are talking about protecting an enterprise with it I would re-think the CAPTCHA you use. Anything that can be reverse engineered will be. Anything that can't will go through human CAPTCHA breaking factories. As long as it is worth more than fractions of a penny to solve, it is worth it to solve. It may take time for them to find the target, but at that point that's the only thing protecting the site - time.

Re: The Heyes CAPTCHA

Anonymous User — Wed, 02 May 2007 08:54:11 -0500

@NickWilliams Sure I understand it can be automated, everything can. I'm fully aware of that, thats just what I said. nothing tough about that in any way, but is it worth it to do? is it cost effective? if not, I still think CAPTCHA's aren't broken.

Automation cen be seen in different contexts. It is really automated if someone only has to load sites into his bot through Google for instance and hit submit. Takes 5 minutes and thats cost effective. Now, building custom scripts which takes much longer isn't cost effective.

Now, if one can mix up the code in a way it's hard to RegEx on, i can say it is _harder to automate_ and thereby I can say: it can be safe from automated submissions, because spammers don't have awful lot of time like we do to break something that is used on 20 websites. it's tricky what I said, and it surely was asking for explanation.

Re: The Heyes CAPTCHA

trev — Tue, 01 May 2007 20:37:58 -0500

No, the bots don't send referrer headers :)
I had a few human spammers however - that's where I got the search requests from. Bots seem to use similar search requests, at least when I changed robots.txt to exclude post forms and such bot activity dropped significantly. Even though I still have "Powered by phpBB" there. And I was sure that you didn't mean removing just the one string - just wanted to make this point clear.