From: Mark Burnett <mb@xato.net>
There has been some talk of CAPTCHA's in this thread and I wanted to comment
on them further. Although CAPTCHA's are very effective at blocking automated
abuse, in their current form they are not an effective long term strategy.
The problem is that with our current image enhancement, OCR, and AI
technology, they can be cracked with quite good accuracy. Their limited use
and proprietary implementations still makes them useful for now but once
someone releases a script kiddie tool to automate CAPTCHA cracking, they will
become mostly ineffective.
I'm surprised that no one has implemented one yet. Though OCR programs
are at least halfway there. In the absence of those, the method of using
a porn site and passing the image to someone to decode for you is very
effective.
Furthermore, I have seen many CAPTCHA implementations that are simply flawed.
For example, instructing the user to select one of three choices means that a
script can randomly guess and still be 33% accurate. Furthermore, I have seen
e-mail systems that come with a collection of photos for CAPTCHA use but
everyone with that program has the same exact photos. It would be trivial to
build a tool to bypass that product's CAPTCHA feature. I have also seen image
manipulations, such as excessive use of color or adding noise, which might
seem confusing to humans but are quite meaningless to a computer program and
do little to prevent automated interpretation.
Using SIRDS as a transformation might be pretty effective against current
recognizers. Methods similar to the anti-copying protections on cheques
would be worthy of trying (displaying larger dots with larger spacings
and smaller dots with smaller spacings for a consistant color). Might be
interesting to use patterns similar to color-blindness tests, but then
you need to be able to count on someone to be color-sensitive (though you
can then use this as secondary protection, color-blind get a different
answer).
This still only works as long as someone doesn't produce an OCR that
recognizes them. Only a matter of time.
Someone earlier mentioned adding a secret question to the CAPTCHA, but you
must be careful with that type of implementation. Before you ask a secret
question, you first must know who the user is. This leads to continuity
problems and might allow for attackers to brute-force usernames, which can
also be a problem.
And worse, it is simply another password. Adds difficulty, but it is just
another password. Worse, this is likely to be much easier to guess than
the original password.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\ ( | EHeM@cs.pdx.edu PGP 8881EF59 | ) /
\_ \ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
