Dailydave mailing list archives

Re: confirming it's a person


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 25 Mar 2008 16:44:07 -0400


Jonathan Wilkins wrote:
| The problem with that is that it's only as difficult for the attacker to
| build the model as it is for the defender.
|

The defender doesn't have to build a model in this particular example 
though - the mobs of humans build it for you - you just have to do 
pattern recognition on the data. So it is asymmetric because you supply 
the random strings, and the humans generate data for you. I don't think 
you are resource limited (if each human submits three strings, one real 
and two statistics gathering examples, then your supply of random 
strings+statistics should replenish faster than it goes away?), but as 
for the false positive rate, I'm not sure. I'd have to go head to head 
with you on this one with real working code, and I don't have time to 
learn Silverlight/Flash right now. :>

All captcha type systems are broken if an attacker owns a popular online 
service though, right? Because they can just put the captcha up on their 
service and have a real human answer it. :>

Hmm. Palladium would have solved this problem, like almost all security 
problems, by building a trusted PKIed tunnel from the online service to 
your machine's CPU, but everyone hated it. I wonder what VMWare is going 
to do when Microsoft makes it mandatory to use Palladium-like technology 
to get to hotmail and only VirtualPC is allowed to support it?

-dave


| To be useful, a system of this sort has to be:
| - Asymmetric in effort (has to cost the attacker much more than the
| defender)
| - Can't rely on resource scarcity (of the type attackers can steal).  This
| is the major weakness in hashcash type systems in the face of bot nets.
| - Have a low random/partial success rate
|
| I have a white paper on breaking various CAPTCHA systems (and building
| better ones) coming out soon.  I don't want to side track the thread on
| specific CAPTCHA issues though.
|
| On Tue, Mar 25, 2008 at 11:44 AM, Dave Aitel <dave () immunityinc com> wrote:
|
| re Captchas:
|
| You could just ask the user to retype two strings and measure how long
| it takes for them to type it in, à la BioPassword. BioPassword tries to
| use biometrics to determine which person someone is (by measuring how
| long their fingers take to move between keys with a flash applet, for
| example), but biometrics are often quite useful for "this is a person".
| Of course, you'll have to make a model for each different keyboard type
| if you're internationally savvy. Rather than having a single password
| the user types, you'll want to have a "random string".
|
| Hmm. If you give everyone two strings to type, you could build a
| database of timings with the second string, and simple datapoint
| grouping will get you which keyboard they are using so you can build
| your models. Then you can start rotating that second string in and
| retiring your first string after your model is built and tested. You
| need a continual stream of random strings+statistical models because
| otherwise people will just type them in once, slightly modify them, and
| submit them mechanically.
|
| I don't have code to do this, of course. The counter-attack would be a
| good model of how a human types on a keyboard, where given a random
| string you could generate timings. That might not be a difficult thing
| to build to the level of precision you'd need, but it might. Then again,
| typing in long random strings might be much more annoying than trying to
| read distorted images. :>
|
| Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is
| going to demo his new CANVAS Win32 kernel rootkit for anyone who asks,
| he tells me. :>
|
| -dave
|
|
| dan () geer org wrote:
| | I would like to RTFM on alternatives to CAPTCHAs,
| | but I don't know what FM to R.
| |
| | If someone here wants to say "forget it" or "this
| | is the current best technique" or what-have-you,
| | I'd be thankful to hear.  Not trying to start a
| | large thread; you can, if you like.
| |
| | --dan
| |
| | _______________________________________________
| | Dailydave mailing list
| | Dailydave () lists immunitysec com
| | http://lists.immunitysec.com/mailman/listinfo/dailydave
|


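Added example, not code from this thread or from any product it mentions: a minimal version of the timing-model side of the proposal above (pool inter-key latencies from human submissions into per-digraph statistics, then score a new submission against them and reject it if it is far off the model or shows no jitter, as a scripted replay of memorised timings would). The sample timings, the thresholds and the fallback prior are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample submissions: the random string typed and the latency in
# milliseconds between consecutive key presses. Numbers are invented for
# illustration, not measurements from any real keyboard or user.
HUMAN_SAMPLES = [
    ("qzx7k", [180, 240, 210, 195]),
    ("qzx7k", [165, 255, 230, 210]),
    ("k7xzq", [205, 170, 245, 185]),
    ("zq7kx", [190, 220, 175, 230]),
]

def digraphs(text, times):
    """Pair each inter-key latency with the two keys it separates."""
    return zip(zip(text, text[1:]), times)

def build_model(samples, prior_sd=40.0, min_sd=15.0):
    """Pool latencies per digraph into (mean, stdev). prior_sd covers digraphs
    seen only once; min_sd keeps tight clusters from producing absurd
    z-scores. Both values are assumptions chosen for this example."""
    pooled = defaultdict(list)
    for text, times in samples:
        for pair, ms in digraphs(text, times):
            pooled[pair].append(ms)
    model = {}
    for pair, vals in pooled.items():
        sd = statistics.pstdev(vals) if len(vals) > 1 else prior_sd
        model[pair] = (statistics.mean(vals), max(sd, min_sd))
    return model

def score(model, text, times, fallback=(200.0, 60.0)):
    """Mean absolute z-score of a submission against the model; digraphs the
    model has never seen fall back to a global prior (assumed values)."""
    zs = []
    for pair, ms in digraphs(text, times):
        mean, sd = model.get(pair, fallback)
        zs.append(abs(ms - mean) / sd)
    return sum(zs) / len(zs)

def looks_human(model, text, times, max_z=2.5, min_jitter_ms=10.0):
    """Accept only submissions that both fit the human model and show natural
    jitter: a mechanical replay of one set of timings is typically uniform."""
    if len(times) != len(text) - 1 or len(times) < 2:
        return False
    if statistics.pstdev(times) < min_jitter_ms:
        return False
    return score(model, text, times) <= max_z
```

Rotating which string feeds the model and which one is scored is left to the caller; this block only shows the per-digraph statistics and the accept/reject decision.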

