RE: [WEB SECURITY] Re: Defeating CAPTCHA

["Gokhan Azaphan" <gokhan.azaphan () mkk com tr>]

Please read the links at the bottom of the following link, they're
pretty enlighting indeed.

http://en.wikipedia.org/wiki/Captcha  

-----Original Message-----
From: Marian Ion [mailto:marian.ion () e-licitatie ro] 
Sent: Monday, August 29, 2005 3:39 PM
To: victor () outblaze com; robert () webappsec org
Cc: websecurity () webappsec org; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Re: Defeating CAPTCHA


        Maybe it will not be such a good ideea ... especially if some
mobile communication providers would have some network issues on a
critical moment ... And such a method will be based also on a
pre-defined algorithm, possibly easy to learn, to implement.

        On a longer term, maybe a faster implementation of IP6 will
bring some new logging / blocking possibilities (based, for example, on
"sender validation"), supported also by a strict legislation.
        Also, applications implementations (including CAPTCHA) based on
artificial intelligence will provide improved security on many IT
aspects. Neural nets are becoming smarter, and due to improved
optimisations brought by genetic algorithms, ants or bees algorithms,
are learning a lot faster than us, especially when discussing on
repetitive tasks.

        On short term ... better, non-repetitive CAPTCHAs, based on
random lengths and characters types, with several effects applied on the
generated image, are probably the best way.
        Also, the implementation of "expiration" events, based on time
passed without a reply message or manual (or automatic) validation, or
something similar would do good. And also some application filters, in
listing the records, to ignore/eliminate some garbage data.


Marian Ion






-----Original Message-----
From: victor [mailto:victor () outblaze com] 
Sent: Monday, August 29, 2005 1:54 PM
To: robert () webappsec org
Cc: websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Re: Defeating CAPTCHA

I was struck by the CAPTCHA issue a while back too, it happens to me 
that CAPTCHA reminded me of all these anti-piracy technique that have 
been developed over the past 2 decades.   Put this special data into 
that sector of the disc so pc-tools can't copy it or install this 
special cd checker to make sure the cd is not pirated.  We all know the 
result, finding a crack to all these protection is only a question of
when.

I would say CAPTCHA is too a case of trying to fight intelligent with 
more intelligent. which is an endless loop with no true winner.   And so

I wonder maybe a true solution to this abuser protection issue lies 
somewhere else.

I myself look at the setup this way, all these tool hacker uses depends 
on one thing to function, the question being presented as part of the 
signup/login procedure, because we must make the question presentable 
online and friendly enough for humand to process, it is bound to be 
possible to come up with some porgram to come up/brute force the answer.

So in another word, the existence of the question itself has made it 
possible for hacker to come up with software to defeat the protection.  
In a way, the solution has itself become the problem, so I am thinking 
maybe instead of trying to improve it.  We should look into eliminating
it.

I can see some good example out there that is going into that 
direction.  Many online banking service are taking advantage of SMS, 
sending user a passkey where they have to use to login to the service.

Or this implementation  pay pal has implemented, that debit user's 
credit card and ask user to use that sum as some form of passkey as one 
of the gentlemen here has pointed out.

These solution are very expensive compare to CAPTCHA but the direction 
seems to be more reliable and hack-profe.  If a better solution to 
CAPTCHA should be found, this maybe one direction you fellow might want 
to consider.

Tor.



robert () webappsec org wrote:

> This was linked off of slashdot
(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) 
> and explains some of the ways people are breaking CAPTCHA
(http://en.wikipedia.org/wiki/Captcha) based systems.
> http://sam.zoy.org/pwntcha/
>
> - Robert
> robert_at_webappsec.org
> http://www.cgisecurity.com
>
>
>  


-- 
<!---------------------------------------------
                           Victor
                           Development Engineer
                           Outblaze Ltd
---------------------------------------------->


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/ 
  
 
Bu mesaj ve ekleri mesajda gonderildigi belirtilen kisi/kisilere ozeldir ve gizlidir.Bu mesaj tarafiniza yanlislikla 
ulasmis olsa da mesaj iceriginin gizliligi ve bu gizlilik yukumlulugune uyulmasi zorunlulugu tarafiniz icin de soz 
konusudur. Boyle bir durumda, lutfen gonderen kisiyi bilgilendiriniz ve mesaji sisteminizden siliniz. Mesaj ve 
eklerinde yer alan bilgilerin dogrulugu ve guncelligi konusunda gonderenin ya da sirketimizin herhangi bir sorumlulugu 
bulunmamaktadir.Sirketimiz mesajin ve bilgilerinin size degisiklige ugrayarak veya gec ulasmasindan, butunlugunun ve 
gizliliginin bozulmasindan, virus icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan sorumlu 
tutulamaz. 
This message and attachments are confidential and intended solely for the individual(s) stated in this message.If you 
received this message although you are not the addressee you are responsible to keep confidential the message. In that 
case please warn the sender and delete the message. The sender has no responsibility  for the accuracy or correctness 
of the information in the message and its attachments.Our company shall have no liability for any changes or late 
receiving,loss of integrity and confidentiality,viruses and any damages caused in anyway to your computer system