Full Disclosure mailing list archives
Re: defeating voice captchas
From: Stelian Ene <stelian.ene () gecadtech com>
Date: Tue, 14 Feb 2006 10:20:14 +0200
Gadi Evron wrote:
> Therefore, how many times does one have to refresh the page and listen to the Captcha to be able to simply learn to identify the Captcha by, say, an MD5 hash of the audio for each letter?
That is just a bad implementation; when done well, audio Captchas are probably as secure as their visual counterparts. "Done well" means that, besides the 10 digits (and/or 26 letters) recorded by the sexy voice and replayed in a random order, the audio is mixed with multiple sound sources, different for each generated Captcha. For example, you can use a symphony(*), random white noise, the sound of the street, or all of these, at a level of 3 or 6 dB above the voice.

The brain can easily distinguish the secret code from all the background noise, but it's much more difficult for a computer. While I'm not an audio expert either, I'm sure this problem is a lot harder than a simple MD5 - just look at how badly state-of-the-art voice recognition software performs in almost ideal conditions, i.e. no background noise etc.

(*) Of course, it's better to use sound sources that are hard to identify, and are ideally not available to the attacker; else he could obtain the same sounds and subtract them from the audio. I think some random pitch shifting (tremolo) would help against this.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
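A self-test a Captcha operator could run on their own generator, added here as an illustration and not part of the original message: it counts how many distinct MD5 values one digit's audio produces across repeated Captchas, for a replay-only generator and for one that mixes fresh white noise above the voice level as the reply suggests. The tones standing in for recorded digits, the sample rate and every function name are assumptions; the result says only that exact-hash matching stops working, not how the audio fares against speech recognition.

```python
import hashlib
import math
import random
import struct

RATE = 8000   # samples per second (constructed value)
SEG = 800     # samples per digit, fixed length to keep the example short

def voice_clip(digit):
    """Stand-in for one recorded digit: a fixed tone (constructed, not speech)."""
    freq = 300 + 40 * digit
    return [0.1 * math.sin(2 * math.pi * freq * n / RATE) for n in range(SEG)]

def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))

def mix_noise(voice, gain_db, rng):
    """Add white noise whose RMS level is gain_db above the voice RMS."""
    target = rms(voice) * 10 ** (gain_db / 20)
    noise = [rng.gauss(0, 1) for _ in voice]
    scale = target / rms(noise)
    return [v + scale * n for v, n in zip(voice, noise)]

def to_pcm(samples):
    """Quantise to 16-bit little-endian PCM, clipping to the valid range."""
    clipped = (max(-1.0, min(1.0, s)) for s in samples)
    return b"".join(struct.pack("<h", int(c * 32767)) for c in clipped)

def captcha(code, gain_db=None, rng=None):
    """One PCM segment per digit; gain_db=None is the replay-only generator."""
    rng = rng or random.SystemRandom()
    segments = []
    for digit in code:
        clip = voice_clip(digit)
        if gain_db is not None:
            clip = mix_noise(clip, gain_db, rng)   # fresh noise every time
        segments.append(to_pcm(clip))
    return segments

def distinct_hashes(generator, digit, runs=20):
    """Number of different MD5 values one digit yields over `runs` Captchas."""
    return len({hashlib.md5(generator([digit])[0]).hexdigest()
                for _ in range(runs)})

if __name__ == "__main__":
    print("replay only :", distinct_hashes(lambda c: captcha(c), 7))
    print("noise +3 dB :", distinct_hashes(lambda c: captcha(c, gain_db=3), 7))
```

A count of 1 for any digit means every Captcha carries byte-identical audio for that digit, which is the weakness the quoted question describes.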