WebApp Sec mailing list archives
RE: [WEB SECURITY] Re: Defeating CAPTCHA
From: "Gokhan Azaphan" <gokhan.azaphan () mkk com tr>
Date: Mon, 29 Aug 2005 17:31:33 +0300
Please read the links at the bottom of the following link, they're pretty enlighting indeed. http://en.wikipedia.org/wiki/Captcha -----Original Message----- From: Marian Ion [mailto:marian.ion () e-licitatie ro] Sent: Monday, August 29, 2005 3:39 PM To: victor () outblaze com; robert () webappsec org Cc: websecurity () webappsec org; webappsec () securityfocus com Subject: RE: [WEB SECURITY] Re: Defeating CAPTCHA Maybe it will not be such a good ideea ... especially if some mobile communication providers would have some network issues on a critical moment ... And such a method will be based also on a pre-defined algorithm, possibly easy to learn, to implement. On a longer term, maybe a faster implementation of IP6 will bring some new logging / blocking possibilities (based, for example, on "sender validation"), supported also by a strict legislation. Also, applications implementations (including CAPTCHA) based on artificial intelligence will provide improved security on many IT aspects. Neural nets are becoming smarter, and due to improved optimisations brought by genetic algorithms, ants or bees algorithms, are learning a lot faster than us, especially when discussing on repetitive tasks. On short term ... better, non-repetitive CAPTCHAs, based on random lengths and characters types, with several effects applied on the generated image, are probably the best way. Also, the implementation of "expiration" events, based on time passed without a reply message or manual (or automatic) validation, or something similar would do good. And also some application filters, in listing the records, to ignore/eliminate some garbage data. Marian Ion -----Original Message----- From: victor [mailto:victor () outblaze com] Sent: Monday, August 29, 2005 1:54 PM To: robert () webappsec org Cc: websecurity () webappsec org; webappsec () securityfocus com Subject: [WEB SECURITY] Re: Defeating CAPTCHA I was struck by the CAPTCHA issue a while back too, it happens to me that CAPTCHA reminded me of all these anti-piracy technique that have been developed over the past 2 decades. Put this special data into that sector of the disc so pc-tools can't copy it or install this special cd checker to make sure the cd is not pirated. We all know the result, finding a crack to all these protection is only a question of when. I would say CAPTCHA is too a case of trying to fight intelligent with more intelligent. which is an endless loop with no true winner. And so I wonder maybe a true solution to this abuser protection issue lies somewhere else. I myself look at the setup this way, all these tool hacker uses depends on one thing to function, the question being presented as part of the signup/login procedure, because we must make the question presentable online and friendly enough for humand to process, it is bound to be possible to come up with some porgram to come up/brute force the answer. So in another word, the existence of the question itself has made it possible for hacker to come up with software to defeat the protection. In a way, the solution has itself become the problem, so I am thinking maybe instead of trying to improve it. We should look into eliminating it. I can see some good example out there that is going into that direction. Many online banking service are taking advantage of SMS, sending user a passkey where they have to use to login to the service. Or this implementation pay pal has implemented, that debit user's credit card and ask user to use that sum as some form of passkey as one of the gentlemen here has pointed out. These solution are very expensive compare to CAPTCHA but the direction seems to be more reliable and hack-profe. If a better solution to CAPTCHA should be found, this maybe one direction you fellow might want to consider. Tor. robert () webappsec org wrote:
This was linked off of slashdot
(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95)
and explains some of the ways people are breaking CAPTCHA
(http://en.wikipedia.org/wiki/Captcha) based systems.
http://sam.zoy.org/pwntcha/ - Robert robert_at_webappsec.org http://www.cgisecurity.com
-- <!--------------------------------------------- Victor Development Engineer Outblaze Ltd ----------------------------------------------> --------------------------------------------------------------------- The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/ Bu mesaj ve ekleri mesajda gonderildigi belirtilen kisi/kisilere ozeldir ve gizlidir.Bu mesaj tarafiniza yanlislikla ulasmis olsa da mesaj iceriginin gizliligi ve bu gizlilik yukumlulugune uyulmasi zorunlulugu tarafiniz icin de soz konusudur. Boyle bir durumda, lutfen gonderen kisiyi bilgilendiriniz ve mesaji sisteminizden siliniz. Mesaj ve eklerinde yer alan bilgilerin dogrulugu ve guncelligi konusunda gonderenin ya da sirketimizin herhangi bir sorumlulugu bulunmamaktadir.Sirketimiz mesajin ve bilgilerinin size degisiklige ugrayarak veya gec ulasmasindan, butunlugunun ve gizliliginin bozulmasindan, virus icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan sorumlu tutulamaz. This message and attachments are confidential and intended solely for the individual(s) stated in this message.If you received this message although you are not the addressee you are responsible to keep confidential the message. In that case please warn the sender and delete the message. The sender has no responsibility for the accuracy or correctness of the information in the message and its attachments.Our company shall have no liability for any changes or late receiving,loss of integrity and confidentiality,viruses and any damages caused in anyway to your computer system
Current thread:
- RE: [WEB SECURITY] Re: Defeating CAPTCHA Gokhan Azaphan (Aug 29)