Network Security SecProg
RE: Account Lockouts

Subject: RE: Account Lockouts
Date: Fri, 10 Dec 2004 14:44:14 +0200 (IST)
On Thu, 9 Dec 2004, David Robert wrote:

> I find this very surprising.  Maybe I don't understand CAPTCHAs or image
> processing technology well enough.
> [...]
> 3) map out the parameter space so that humans have an easy time and OCR
> programs don't.  This would be a bit of work but I expect the parameter
> space to be contiguous.  I'm not sure this would be possible otherwise.
> 4) Now you have a very large set of transformations that can be randomly
> generated - just generate random numbers within the parameter space you have
> defined.

Let's drop in some numbers: you can do more than 1e9 operations per second, the
whole image is 290x80 (on Yahoo) or less (AFAIR after two years, it was
something like 100x30 in my case), that is 2.3e4 pixels, there are fewer than
100 characters (10 digits in my case), each glyph can be up to 50x50 large
(20x20 in my case). Now let's count the number of transformations. Suppose you
have only one contiguous (continuous?) coefficient -- scale. How many
*sufficiently different* values can it assume? Note that if the template and
the image use scales which are different but the results differ by less than a
single pixel, you will have a very good response, and so such a difference of
parameters is not to be called *sufficient*. So, we can guess that there are
~50 different scales. Suppose that the x and y scales are different: are there
now 50x50 states in the space of parameters? Probably not, since a 50x5 glyph
is unreadable (BTW: I must admit that out of 5 reloads of the Yahoo picture I
can guess only 3 -- OK, this is probably not that bad since on average I would
be able to log in after 2 attempts :-). Let's also add rotations: the angle
also does not have so many possibilities. Probably also some twirl effect
(rotate sides more than center). Although in my case there was only a single
scale and rotation, we can see that even in a more general case the number of
transformations is not as large as it seems at first.

There are also a lot of possibilities for speed-up: if the picture is 290x80
you could probably get the match even if you reduce it twice (note that this
not only reduces a single match time 4-fold, but also reduces approximately
twofold the possibilities for each of the above parameters), or start with an
even coarser resolution and prune most of the possibilities before going to
the next resolution level.

-- 
Regards,
ASK