Dailydave mailing list archives
Re: confirming it's a person
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Mar 2008 14:44:42 -0400
re Captchas:

You could just ask the user to retype two strings and measure how long it takes for them to type it in, à la BioPassword. BioPassword tries to use biometrics to determine which person someone is (by measuring how long their fingers take to move between keys with a flash applet, for example), but biometrics are often quite useful for "this is a person".

Of course, you'll have to make a model for each different keyboard type if you're internationally savvy. Rather than having a single password the user types, you'll want to have a "random string". Hmm. If you give everyone two strings to type, you could build a database of timings with the second string, and simple datapoint grouping will get you which keyboard they are using so you can build your models. Then you can start rotating that second string in and retiring your first string after your model is built and tested. You need a continual stream of random strings + statistical models because otherwise people will just type them in once, slightly modify them, and submit them mechanically.

I don't have code to do this, of course.

The counter-attack would be a good model of how a human types on a keyboard, where given a random string you could generate timings. That might not be a difficult thing to build to the level of precision you'd need, but it might. Then again, typing in long random strings might be much more annoying than trying to read distorted images. :>

Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is going to demo his new CANVAS Win32 kernel rootkit for anyone who asks, he tells me. :>

-dave

dan () geer org wrote:
| I would like to RTFM on alternatives to CAPTCHAs,
| but I don't know what FM to R.
|
| If someone here wants to say "forget it" or "this
| is the current best technique" or what-have-you,
| I'd be thankful to hear. Not trying to start a
| large thread; you can, if you like.
|
| --dan
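The timing check sketched in the message above, as an added illustration (Dave says he has no code, and this is not from the thread or BioPassword): a server-side liveness test over per-key timestamps for a random challenge string. The sample records, the threshold values and the feature names are all assumptions made for the example.

```python
import statistics

# Constructed keystroke records: keydown timestamps in milliseconds for a
# ten-character challenge string. Not measurements from the thread.
HUMAN = [0, 180, 410, 560, 790, 1020, 1130, 1390, 1610, 1800]
SCRIPTED = [0, 120, 240, 360, 480, 600, 720, 840, 960, 1080]  # fixed-delay replay
PASTED = [0, 1, 1, 2, 2, 3, 3, 4, 4, 5]                       # whole string at once


def inter_key_intervals(timestamps):
    """Latencies between consecutive keydown events."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def timing_features(timestamps):
    """Summary statistics of one keystroke record used by the liveness check."""
    gaps = inter_key_intervals(timestamps)
    mean = statistics.mean(gaps)
    stdev = statistics.pstdev(gaps)
    return {
        "mean_ms": mean,
        "min_ms": min(gaps),
        "cv": stdev / mean if mean else 0.0,  # coefficient of variation
    }


def looks_human(timestamps, challenge_len, min_gap_ms=60, min_cv=0.15, max_mean_ms=2000):
    """Accept only records whose rhythm is plausible for a person typing a random string.

    Thresholds are assumed values; a real deployment would fit them per keyboard
    model from the collected second-string timings, as the message describes.
    """
    if len(timestamps) != challenge_len:  # one keydown per challenge character
        return False
    f = timing_features(timestamps)
    if f["min_ms"] < min_gap_ms:   # faster than fingers move: pasted or injected
        return False
    if f["cv"] < min_cv:           # too regular: a fixed-delay script
        return False
    if f["mean_ms"] > max_mean_ms:  # stalled for a long time: abandoned challenge
        return False
    return True


if __name__ == "__main__":
    for name, record in (("human", HUMAN), ("scripted", SCRIPTED), ("pasted", PASTED)):
        print(name, timing_features(record), looks_human(record, 10))
```

A replay of a previously recorded human rhythm would pass this check, which is why the message insists on rotating the challenge strings rather than reusing one.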