Dailydave mailing list archives
Re: confirming it's a person
From: "Blake Frantz" <blakefrantz () gmail com>
Date: Tue, 25 Mar 2008 21:32:12 -0700
*An uneducated statement made from row 41 seat D destined to Michigan*

CAPTCHAs that are based on obfuscation are a losing battle (imho) due to what I like to call 'the sophistication arms race'. Good guys write increasingly sophisticated CAPTCHAs (I hate typing that, btw, let's use HIP (Human Interactive Proof)). The 'bad guys' write software to break them. The 'bad guys' also have access to other really smart people trying to solve other computer vision problems. Check out the work conducted by the UC Berkeley Computer Vision Group.

Anyhow, the efficacy of the HIP system decreases proportionally with the number of carbon based life forms that can actually decode the mess. Which means the good guys are limited in their sophistication because everyday grey matter can't figure it out well enough. On a long enough timeline, or so I suppose, the number of humans capable of passing the test drops below 'most' acceptable false negative rates. The result is the 'bad guy' wins the race and spams the universe.

I've implemented an SMS based HIP system at areyouahuman.org. Yes, you can slang some code onto your mobile device to get the challenge. But, I'm currently writing the per-site threshold mechanism that should resolve this. This system presumably helps prevent site automation via thresholds, driving the cost of breaking it up, and by using an identifier that is in lesser quantities - IPs are 'easier' to commandeer than phone numbers.

What are some thoughts on this approach?

Blake

I would like to RTFM on alternatives to CAPTCHAs, but I don't know what FM
to R.
If someone here wants to say "forget it" or "this is the current best
technique" or what-have-you, I'd be thankful to hear. Not trying to start a large thread;
you can, if you like.
--dan
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave