How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
CACTHPA
Posted by: nEUrOO
Date: April 11, 2007 07:20PM

Today, I thought about a variation of the captcha we all know. The goal is to prevent OCR from getting the word.
So my idea is to scramble the pass word/phrase a little bit.
(You can find some information about reading scrambled words in this study from Cambridge: http://www.mrc-cbu.cam.ac.uk/~mattd/Cmabrigde)

The problem I can see is that with an OCR + dictionary attack (based on minimizing a distance, Levenshtein, between the words) it is possible to find the pass word/phrase. But well, I'm pretty sure that there are some special words that are quite ambiguous for a dictionary attack...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: CACTHPA
Posted by: blad3
Date: April 11, 2007 11:42PM

Captcha-s are pretty hard to read and people pay a lot of attention when reading them. So, most of them will just enter the nonsense letters and not the word.
Damn, once I had to enter a captcha five times before getting it right (from 6 tries). Since then, I pay close attention to captcha-s.
It was an invitation for TL, so I had to get it :P

Re: CACTHPA
Posted by: kuza55
Date: April 12, 2007 01:18AM

I don't think this is a good idea for a CAPTCHA, simply because doing this kind of work is easy for a computer - just have a lookup table of words where all the characters are sorted, then sort all the characters from the image, and voilà, you've got your answer.

The problem has to be a LOT harder for computers than for humans, simply because computers can do a LOT of work much faster than humans. And anyway, even a 5% chance of decoding a CAPTCHA is still workable for all purposes I've seen, simply because there are no negatives (other than lack of success) applied when a captcha is solved incorrectly, and making 20 requests for something is a negligible amount of difficulty.

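A way to measure how little a scrambled-word challenge protects, following the sorted-letter lookup kuza55 describes and nEUrOO's hope for ambiguous words. This is an added example, not code from the thread; the word list is constructed, and `edge_key` assumes the first and last letters stay in place as in the Cambridge text.

```python
from collections import defaultdict

# Constructed sample word list (not from the thread). A real evaluation
# would load the dictionary the CAPTCHA draws its words from.
WORDS = ["salt", "slat", "last", "form", "from", "trail", "trial",
         "calm", "clam", "security", "password", "captcha", "scramble",
         "illusion", "dictionary", "computer"]

def full_key(word):
    """Signature when every letter may move: the sorted letters."""
    return "".join(sorted(word))

def edge_key(word):
    """Signature when the first and last letters stay fixed (assumption)."""
    if len(word) < 4:
        return word
    return word[0] + "".join(sorted(word[1:-1])) + word[-1]

def classes(words, key):
    """Group dictionary words by signature."""
    groups = defaultdict(list)
    for w in words:
        groups[key(w)].append(w)
    return groups

def candidates(scrambled, words, key):
    """Dictionary words that a scrambled string could stand for."""
    return sorted(classes(words, key).get(key(scrambled), []))

def unique_fraction(words, key):
    """Share of words whose scramble identifies them unambiguously."""
    groups = classes(words, key)
    return sum(1 for w in words if len(groups[key(w)]) == 1) / len(words)

def ambiguous_classes(words, key):
    """Only these words force a guess, and the guess is among few options."""
    return sorted(sorted(g) for g in classes(words, key).values() if len(g) > 1)

if __name__ == "__main__":
    for name, key in (("all letters scrambled", full_key),
                      ("first/last letters fixed", edge_key)):
        print(name, "unique:", unique_fraction(WORDS, key),
              "ambiguous:", ambiguous_classes(WORDS, key))
```

Restricting the challenge to the ambiguous classes shrinks the word pool and still leaves only two or three candidates per challenge.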
Re: CACTHPA
Posted by: Hong
Date: April 12, 2007 06:27AM

How about the reverse? Computers (robots) can realize it but humans can't.
For example, consider the following picture,
http://web.mit.edu/persci/people/adelson/images/checkershadow/checkershadow_illusion4med.jpg
The squares marked A and B are the same shade of gray.
A computer can realize it if it just compares their pixel values. But humans can't, due to the illusion.
Computers need to simulate how the visual system determines the shade of gray to defeat it.
Any comments?

- Hong

Re: CACTHPA
Posted by: kuza55
Date: April 12, 2007 07:32AM

Hong Wrote:
-------------------------------------------------------
> How about the reverse? Computers (robots) can
> realize it but humans can't.
> For example, consider the following picture,
> http://web.mit.edu/persci/people/adelson/images/checkershadow/checkershadow_illusion4med.jpg
> The squares marked A and B are the same shade of
> gray.
> A computer can realize it if it just compares their
> pixel values. But humans can't, due to the illusion.
> Computers need to simulate how the visual system
> determines the shade of gray to defeat it.
> Any comments?

It's an interesting idea; but we do understand quite a bit about how the mind forms images (I don't know much myself, but the mind tries to establish what context it is viewing things in, and since it thinks tile B is in a shadow, it will try to make it look more like what it thinks it should look like, therefore lightening it), so it just becomes a different type of OCR.

And then there's also the difficulty of having a computer actually generate these images and be able to determine the answer itself, which might be an issue; and a significant processing burden, IMO.

But the most important question is; what questions would you ask? Would you ask what tile is lighter? Well, there are only two answers; you could have a trickier image, with say all 25 tiles marked, and get asked which tile is the lightest or darkest? Well, there's still only 25 tiles; 4% is enough chance for people to just try brute force+proxies for most things; and would most people be able to easily tell the difference between two shades of grey, if they weren't right next to each other?

So while it's an interesting idea, I don't think it's really workable, sadly. But maybe I'm missing something.

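The 5% and 4% figures in kuza55's two posts, worked through together with the missing "negative" for wrong answers. This is an added example, not code from the thread; the `FailurePenalty` class, its delay values and the choice of tracking key are assumptions.

```python
import math

def p_success_within(p, attempts):
    """Chance that at least one of `attempts` independent guesses passes."""
    return 1.0 - (1.0 - p) ** attempts

def attempts_for(p, target):
    """Smallest number of guesses giving at least `target` overall success."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))

class FailurePenalty:
    """Escalating lockout after each wrong answer (hypothetical design).

    `key` is whatever the site can attribute failures to. Assumption: the
    protected account or action, because the thread notes that client
    addresses change when proxies are used.
    """
    def __init__(self, base_delay=2.0, cap=3600.0):
        self.base_delay, self.cap = base_delay, cap
        self.failures = {}
        self.locked_until = {}

    def allowed(self, key, now):
        return now >= self.locked_until.get(key, 0.0)

    def record(self, key, passed, now):
        if passed:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        # Delay doubles with every consecutive failure, up to the cap.
        self.locked_until[key] = now + min(self.cap, self.base_delay * 2 ** (n - 1))

def earliest_time_of_attempt(n, limiter, key="signup-form"):
    """Seconds until the n-th guess is accepted if every earlier one failed."""
    now = 0.0
    for _ in range(n - 1):
        limiter.record(key, passed=False, now=now)
        now = limiter.locked_until[key]
    return now

if __name__ == "__main__":
    print("5% solver, 20 tries:", round(p_success_within(0.05, 20), 3))
    print("25 tiles, tries for 50%:", attempts_for(1 / 25, 0.5))
    print("wait before 20th try (s):", earliest_time_of_attempt(20, FailurePenalty()))
```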
Re: CACTHPA
Posted by: Anonymous User
Date: April 12, 2007 08:37AM

Ok, this is just a stupid copy&paste from an article comment of mine about preventing CSRF via captchas - was too lazy to rewrite the whole thing again:

<copy&pasted>
Hi! Just talked with christ1an about the captcha problematics.

Imagine the following: The captcha is not just one image but four/five/six separate images which are sorted via inline CSS or Javascript. Also you don't embed the images via src="/bla/image.php" but via temporarily saved images like src="/tmp/786868767/567578.gif" - what could an attacker possibly do to be able to circumvent this?
</copy&pasted>

http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html#comment-4658928258263719379



Edited 1 time(s). Last edit at 04/12/2007 08:47AM by .mario.

Re: CACTHPA
Posted by: christ1an
Date: April 12, 2007 08:41AM

.mario: In my judgement nothing apart from guessing. I don't see a way to circumvent this.

Regards,
- http://christ1an.blogspot.com

_______________________
[http://php-ids.org] Web Application Security 2.0

Re: CACTHPA
Posted by: Hong
Date: April 12, 2007 12:07PM

kuza55 Wrote:
-------------------------------------------------------

> It's an interesting idea; but we do understand
> quite a bit about how the mind forms images (I
> don't know much myself, but the mind tries to
> establish what context it is viewing things in,
> and since it thinks tile B is in a shadow, it will
> try to make it look more like what it thinks it
> should look like, therefore lightening it), so it
> just becomes a different type of OCR.

Yes, it just becomes a different type of OCR. It just tries to make it more difficult for OCR to recognize the image.

>
> And then there's also the difficulty of having a
> computer actually generate these images and be
> able to determine the answer itself, which might
> be an issue; and a significant processing burden,
> IMO.

Thanks, it is a problem.

>
> But the most important question is; what questions
> would you ask? Would you ask what tile is lighter?
> Well, there are only two answers; you could have a
> trickier image, with say all 25 tiles marked, and
> get asked which tile is the lightest or darkest?
> Well, there's still only 25 tiles; 4% is enough
> chance for people to just try brute force+proxies
> for most things; and would most people be able to
> easily tell the difference between two shades of
> grey, if they weren't right next to each other?

Maybe it can, using other types of illusions, i.e. illusory contours: http://en.wikipedia.org/wiki/Illusory_Contours
For example, the Kanizsa triangle.

If it is not a triangle but a word displayed using the same theory... maybe it is not possible, I don't know.

>
> So while it's an interesting idea, I don't think
> it's really workable, sadly. But maybe I'm missing
> something.

In fact, it's an idea of using illusions of the human visual system in a CAPTCHA.

- Hong

Re: CACTHPA
Posted by: nEUrOO
Date: April 12, 2007 05:16PM

I really like the idea of illusions, but for me the problem is to generate this.
If you use a simple algorithm then it would be quite "easy" for a learning machine to find the solutions.
A complex algorithm would take a long time to generate correct illusions I guess... not quite sure about this.

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: CACTHPA
Date: April 12, 2007 06:57PM

I saw an interesting CAPTCHA the other day, but unfortunately I don't know where it is (the URL), and favorited it on my other computer, which I'm not hooking up. It was mostly a joke, but it was a CAPTCHA based on grammar, which stated something similar to, "Windows98SE is greater ______ Windows Vista", and then gave you the choices for "then" or "than", and if you made the correct decision ("than") you were welcomed to the internet. There's also "http://hotcaptcha.com/", which I got off Jungsonn's blog, and find terribly effective. Wouldn't the illusion CAPTCHA generate a problem for assholes like myself who have already seen these illusions, and would naturally choose, "The lines are the same length", and the rest of the item1 versus item2 scenarios?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: CACTHPA
Posted by: kuza55
Date: April 12, 2007 06:58PM

.mario Wrote:
-------------------------------------------------------
> Ok, this is just a stupid copy&paste from an
> article comment of mine about preventing CSRF via
> captchas - was too lazy to rewrite the whole thing
> again:
>
>
> Hi! Just talked with christ1an about the captcha
> problematics.
>
> Imagine the following: The captcha is not just one
> image but four/five/six separate images which are
> sorted via inline CSS or Javascript. Also you
> don't embed the images via src="/bla/image.php"
> but via temporarily saved images like
> src="/tmp/786868767/567578.gif" - what could an
> attacker possibly do to be able to circumvent
> this?
>
>
> http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html#comment-4658928258263719379


Well; I'm not in any way sure of this, but it might be possible to use Javascript to determine where they are in relation to the page, but that's just a guess, I might be completely wrong. But even then; there exist open source CSS parsers, so it wouldn't be too difficult to extract them for your purposes.

If the images are static - no matter what filename is being used, then simple hash checks could be used once all the images are solved separately. If not then why bother with the temporary names at all, just have generate.php?123456, generate.php?34728, generate.php?random_number_here, etc.

Hong Wrote:
-------------------------------------------------------
> Yes, it just becomes a different type of OCR. It
> just tries to make OCR more difficult to recognize
> the image.

Maybe this would be a good way to enhance existing CAPTCHAs as well, by making the image easier for humans to read than for computers to read; I have no idea how you could achieve it, but something where there is a small difference in pixel value, but where the eye increases the difference because of what context it thinks it's in?

Re: CACTHPA
Posted by: Hong
Date: April 14, 2007 11:32AM

I just made a simple demo

I think it is not difficult to generate this type of image, but maybe it is still too simple and computers can read it. I know nothing about OCR, is there any anti-CAPTCHA software I can try?
And is there anyone who can't read it?

- Hong

Re: CACTHPA
Posted by: jungsonn
Date: April 14, 2007 11:44PM

IMHO I think images are not the way; all or most of them will be broken, if they haven't been already. I have high hopes for detecting user interfaces which only humans can perform.

A reader of my blog is busy with a new form of CAPTCHA, I can't tell you now what it is but it requires human interaction, and I have high hopes for this one. I've seen the prototype, and it complies with almost any point:

- Usability
- No JavaScript
- No typing over an image
- No quiz
- No flash/sound
- No cookies
- Completely W3C compliant.
- Screenreader accessible.
- Fully accessible for anyone, race, language, etc
- And the biggest for me: it's really quick and fun to do.

I'm pretty excited about it and wish I could show it to you yet.
As soon as he is done, I will let you guys know, all right?



Edited 1 time(s). Last edit at 04/14/2007 11:47PM by jungsonn.

Re: CACTHPA
Date: April 14, 2007 11:53PM

Looking forward to it, just hope it's not something like 'Please call 1.800.123.4567 to verify you are human' =oP

Re: CACTHPA
Posted by: rsnake
Date: April 15, 2007 01:38AM

Ultimately I think we are up against a simple premise - if computers can generate it they can also break it (at least most of the time). Things like hotcaptcha are vulnerable to a number of different kinds of attack, not the least of which is the image composition analysis systems that companies like Messagelabs built, and the fact that the entire species of human race is only a few billion, making the image database fairly trivial to construct - especially since it is probably derived from existing photos available on the internet.

Sure, it's hard, but it's certainly not impossible to break.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CACTHPA
Posted by: jungsonn
Date: April 15, 2007 05:46AM

Yeh, that hotcaptcha is a total failure. I tried it out a couple of times; I think I got a ratio of 6 good, 4 wrong.

But the CAPTCHA I talked about is totally different, and I think anyone will be pretty amazed how simple it is. I did a few test rounds on the prototype and it's pretty damn hard to bypass, if not impossible. Well, we shall see. This person is working on it right now and I can't wait to see the next results soon.

And no CrYpTiC_MauleR it isn't a number to call ^^

Re: CACTHPA
Posted by: Anonymous User
Date: April 19, 2007 11:00AM

http://olbertz.de/blog/2005/03/10/captcha-extreme/

break this one!

;)

Greetings,
.mario

Re: CACTHPA
Posted by: trev
Date: April 19, 2007 07:11PM

.mario: looks scary but it is actually a simple one. The answer is 0,69314718055994530941723212145818 :)

Re: CACTHPA
Posted by: Anonymous User
Date: April 20, 2007 06:34AM

@trev - yepp! yesterday we were mad enough to calculate the result too ;)

Re: CACTHPA
Posted by: rsnake
Date: April 21, 2007 12:44AM

The irony of that one is that it's actually easier for a computer to solve than a human.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CACTHPA
Posted by: trev
Date: April 21, 2007 09:00PM

The irony is that there are lots of real CAPTCHAs out there where I start wondering whether an OCR would help me figure it out...

Re: CACTHPA
Posted by: rsnake
Date: April 22, 2007 12:12PM

I've seen the inside of software that does OCR based CAPTCHA breaking. It's incredibly trivial to write for some of them. Take a look at GOCR. It's pretty damned good.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CACTHPA
Posted by: Kyran
Date: June 07, 2007 01:03AM

trev Wrote:
-------------------------------------------------------
> The irony is that there are lots of real CAPTCHAs
> out there where I start wondering whether an OCR
> would help me figure it out...


I once spent 20 minutes trying to solve a CAPTCHA manually.

- Kyran
