WebApp Sec mailing list archives

RE: [WEB SECURITY] Re: Defeating CAPTCHA

From: "Marian Ion" <marian.ion () e-licitatie ro>
Date: Mon, 29 Aug 2005 15:39:11 +0300

        Maybe it will not be such a good ideea ... especially if some mobile
communication providers would have some network issues on a critical moment ...
And such a method will be based also on a pre-defined algorithm, possibly easy
to learn, to implement.

        On a longer term, maybe a faster implementation of IP6 will bring some
new logging / blocking possibilities (based, for example, on "sender
validation"), supported also by a strict legislation.
        Also, applications implementations (including CAPTCHA) based on
artificial intelligence will provide improved security on many IT aspects.
Neural nets are becoming smarter, and due to improved optimisations brought by
genetic algorithms, ants or bees algorithms, are learning a lot faster than us,
especially when discussing on repetitive tasks.

        On short term ... better, non-repetitive CAPTCHAs, based on random
lengths and characters types, with several effects applied on the generated
image, are probably the best way.
        Also, the implementation of "expiration" events, based on time passed
without a reply message or manual (or automatic) validation, or something
similar would do good. And also some application filters, in listing the
records, to ignore/eliminate some garbage data.


Marian Ion






-----Original Message-----
From: victor [mailto:victor () outblaze com] 
Sent: Monday, August 29, 2005 1:54 PM
To: robert () webappsec org
Cc: websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Re: Defeating CAPTCHA

I was struck by the CAPTCHA issue a while back too, it happens to me 
that CAPTCHA reminded me of all these anti-piracy technique that have 
been developed over the past 2 decades.   Put this special data into 
that sector of the disc so pc-tools can't copy it or install this 
special cd checker to make sure the cd is not pirated.  We all know the 
result, finding a crack to all these protection is only a question of when.

I would say CAPTCHA is too a case of trying to fight intelligent with 
more intelligent. which is an endless loop with no true winner.   And so 
I wonder maybe a true solution to this abuser protection issue lies 
somewhere else.

I myself look at the setup this way, all these tool hacker uses depends 
on one thing to function, the question being presented as part of the 
signup/login procedure, because we must make the question presentable 
online and friendly enough for humand to process, it is bound to be 
possible to come up with some porgram to come up/brute force the answer.

So in another word, the existence of the question itself has made it 
possible for hacker to come up with software to defeat the protection.  
In a way, the solution has itself become the problem, so I am thinking 
maybe instead of trying to improve it.  We should look into eliminating it.

I can see some good example out there that is going into that 
direction.  Many online banking service are taking advantage of SMS, 
sending user a passkey where they have to use to login to the service.   
Or this implementation  pay pal has implemented, that debit user's 
credit card and ask user to use that sum as some form of passkey as one 
of the gentlemen here has pointed out.

These solution are very expensive compare to CAPTCHA but the direction 
seems to be more reliable and hack-profe.  If a better solution to 
CAPTCHA should be found, this maybe one direction you fellow might want 
to consider.

Tor.



robert () webappsec org wrote:

This was linked off of slashdot

(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95)

and explains some of the ways people are breaking CAPTCHA

(http://en.wikipedia.org/wiki/Captcha) based systems.


http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com



-- 
<!---------------------------------------------
                           Victor
                           Development Engineer
                           Outblaze Ltd
---------------------------------------------->


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Current thread:

Re: Defeating CAPTCHA, (continued)
- - - Re: Defeating CAPTCHA Chris Shiflett (Aug 25)
    - Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
    - Re: Defeating CAPTCHA Andrew van der Stock (Aug 25)
  - Re: Defeating CAPTCHA Stephen de Vries (Aug 25)
    - RE: Defeating CAPTCHA Glenn Euloth (Aug 26)
    - Re: Defeating CAPTCHA Christopher Kunz (Aug 31)
- Re: Defeating CAPTCHA Subs (Aug 26)
  - Re: Defeating CAPTCHA Michal Zalewski (Aug 26)
- Re: Defeating CAPTCHA Paul M. (Aug 26)
- Re: Defeating CAPTCHA victor (Aug 29)
  - RE: [WEB SECURITY] Re: Defeating CAPTCHA Marian Ion (Aug 29)
- RE: Defeating CAPTCHA Derick Anderson (Aug 26)
  - Re: Defeating CAPTCHA Devdas Bhagat (Aug 28)
- RE: Defeating CAPTCHA Derick Anderson (Aug 29)
  - RE: Defeating CAPTCHA wilsonc (Aug 29)
  - Re: Defeating CAPTCHA Devdas Bhagat (Sep 05)
- RE: Defeating CAPTCHA Derick Anderson (Sep 06)