
| Subject: | RE: Account Lockouts |
|---|---|
| Date: | Thu, 9 Dec 2004 01:26:31 -0500 |
I find this very surprising. Maybe I don't understand CAPTCHA's or image processing technology well enough. I've checked around a bit and can't get a clear story on how these are done. The following is my idea of how I would do this. Does this make sense? Why is it so easy to crack?

As far as I can see the problem can be broken down as follows:

1) Start with a test image of a series of alphanumeric characters.

2) Use a general transformation on them. My first try would be a 2 dimensional polynomial transformation of order 3 or so. This would give us a set of real numbers (the polynomial coefficients) to play with - these are our parameters.

3) Map out the parameter space so that humans have an easy time and OCR programs don't. This would be a bit of work but I expect the parameter space to be contiguous. I'm not sure this would be possible otherwise.

4) Now you have a very large set of transformations that can be randomly generated - just generate random numbers within the parameter space you have defined.

5) To generate a CAPTCHA, just generate a random series of alphanumeric characters, create an image from them, and apply a random transformation.

I agree this is not perfect. There is a chance that the CAPTCHA will be too hard to read. But that can be tuned to minimize this to an acceptable level. The OCR program may also get it right once in a while. But the likelihood of getting it right along with the right password has got to be low.

-DR

-----Original Message-----
From: Alexander Klimov [mailto:alserkli@inbox.ru]
Sent: Tuesday, December 07, 2004 4:29 AM
To: The Amazing Dragon
Cc: Mark Burnett; webappsec@securityfocus.com; secprog@securityfocus.com
Subject: Re: Account Lockouts

On Sun, 5 Dec 2004, The Amazing Dragon wrote:
> > From: Mark Burnett <mb@xato.net>
> >
> > There has been some talk of CAPTCHA's in this thread and I wanted to comment on them further. Although CAPTCHA's are very effective at blocking automated abuse, in their current form they are not an effective long term strategy. The problem is that with our current image enhancement, OCR, and AI technology, they can be cracked with quite good accuracy. Their limited use and proprietary implementations still make them useful for now but once someone releases a script kiddie tool to automate CAPTCHA cracking, they will become mostly ineffective.
>
> I'm surprised that no one has implemented one yet. Though OCR programs are at least halfway there.
It is very hard to be sure that "no one has implemented one yet" :-)

Quite some time ago I had an argument with my friend web-master about total insecurity of this approach and in less than one day I wrote a program to recognise numbers written on an image. The program was in no way AI: I downloaded several images and cropped out all different digits, so the program simply loads an image and the images of all digits and for every place in image, every digit, and every transformation calculates the difference between the image of the digit and the image (I used a simple sum of squares of differences in each pixel for this). The program works in less than a second (there are not so many points in image times number of digits times *sufficiently different* transformations).

Most of the time I spent was to capture images and classify transformations, so I agree that using CAPTCHA makes your site more vulnerable to script-kiddies, but even implementing it yourself does not protect you that much from somebody with moderate patience and programming skills.

--
Regards,
ASK
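
DR's five generation steps, sketched in Python as an added example (not code from anyone in this thread): a random order-3 polynomial displacement in two dimensions applied to rendered characters. The 5x7 glyphs are constructed sample data, and `SCALE`, `PAD`, `MAX_SHIFT` and the box-shaped coefficient bound are assumptions standing in for the "mapped out" parameter space of step 3.

```python
import random

# Constructed 5x7 glyphs (sample data for this example, not from the thread).
FONT = {"A": "01110 10001 10001 11111 10001 10001 10001",
        "7": "11111 00001 00010 00100 01000 01000 01000",
        "K": "10001 10010 10100 11000 10100 10010 10001"}
SCALE, PAD, MAX_SHIFT = 4, 8, 6.0   # assumed tuning values, in pixels
TERMS = [(i, j) for i in range(4) for j in range(4 - i)]  # x^i*y^j, i+j <= 3

def render(text):
    """Steps 1 and 5: draw the characters into a 0/1 pixel grid."""
    h, w = 7 * SCALE + 2 * PAD, 6 * SCALE * len(text) + 2 * PAD
    img = [[0] * w for _ in range(h)]
    for n, ch in enumerate(text):
        for r, row in enumerate(FONT[ch].split()):
            for c, bit in enumerate(row):
                if bit == "1":
                    for y in range(PAD + r * SCALE, PAD + (r + 1) * SCALE):
                        x0 = PAD + (6 * n + c) * SCALE
                        img[y][x0:x0 + SCALE] = [1] * SCALE
    return img

def random_params(rng):
    """Steps 3 and 4: draw coefficients from a box-shaped parameter space.
    With u, v in [-1, 1] every monomial is at most 1 in magnitude, so capping
    each coefficient at MAX_SHIFT / len(TERMS) caps the shift at MAX_SHIFT."""
    cap = MAX_SHIFT / len(TERMS)
    return [[rng.uniform(-cap, cap) for _ in TERMS] for _ in range(2)]

def shift(params, u, v):
    """Step 2: evaluate the cubic displacement (dx, dy) at normalized (u, v)."""
    return tuple(sum(a * u**i * v**j for a, (i, j) in zip(p, TERMS)) for p in params)

def warp(img, params):
    """Apply the transformation by inverse mapping with nearest-neighbour lookup."""
    h, w = len(img), len(img[0])
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            dx, dy = shift(params, 2 * x / (w - 1) - 1, 2 * y / (h - 1) - 1)
            sx, sy = round(x + dx), round(y + dy)
            if 0 <= sx < w and 0 <= sy < h:
                out[y][x] = img[sy][sx]
    return out

def make_captcha(rng, length=3):
    text = "".join(rng.choice(sorted(FONT)) for _ in range(length))
    return text, warp(render(text), random_params(rng))
```

Call `make_captcha(random.SystemRandom())` so the challenge text and coefficients are not predictable from a seed. The coefficient cap only bounds how far pixels move; it says nothing about resistance to the template matching described in the quoted reply.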