
| Subject: | RE: Defeating CAPTCHA |
|---|---|
| Date: | Fri, 26 Aug 2005 10:52:34 -0300 |
It would seem to me that ESP-PIX and other such solutions would not work very well at all. These solutions provide a limited set of answers "airplane, bee, brain, girl..." or "a, b, c..." etc. The ESP-PIX solution, for example, provides 72 possible responses. Regardless of whether or not the list of answers is changed each time or whether they are the same each time, the answer always has to be one of the 72 possible solutions.

One thing a computer is extremely good at is repetition. Assuming a random distribution, a program can simply always guess the 1st, 10th or 22nd answer each and every time the question is posed and the computer will guess correctly once every N times on average. The smaller the answer sample the more often it will get it right. Try it yourself, go to the ESP-PIX solution and pick one word and keep guessing it over and over. Unless there is some reliable way to penalize the individual for guessing wrong, the solution is useless. If they want to submit the form 50 times correctly then they need only set the program to execute the page N*50 times where N represents the number of possible solutions.

The other major flaw I found while trying it out is that the images used have to be carefully selected so as not to offend anyone making use of the system. One of the pictures representing "girl" had two young ladies in a very suggestive pose and while I, personally, was not offended I can think of a number of people who would be if that image had popped up while they were trying to sign up for a web-based email account.

IMHO, this solution is a step backward from Captcha. Trying to come up with something that would prove that a human, and not a piece of software, was on the other end of the web connection is only going to get progressively harder as the technology advances. While the puzzle may get stronger and more difficult, the software used to crack the puzzle is also getting stronger and more intelligent. It will get to the point where the computer will be able to solve it but the human cannot.

The only real solution, it would seem, is to reduce the anonymity that the Internet provides when using these facilities. For instance, you could require an email confirmation to proceed. While this would not prevent it from being abused you would at least be able to track it to a mailbox somewhere and possibly to someone who might be abusing the software. That's where real legal penalties need to be imposed for the abuse. As long as the individual can get away with the abuse, the problem will never stop.

Regards,
Glenn Euloth
-----Original Message-----
From: Stephen de Vries [mailto:stephen@corsaire.com]
Sent: August 25, 2005 1:20 PM
To: Jayson Anderson
Cc: webappsec@securityfocus.com
Subject: Re: Defeating CAPTCHA

Hi Jayson,

The ESP-PIX Captcha is a simplified version of the system you're proposing. See: http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Stephen

On 25 Aug 2005, at 15:40, Jayson Anderson wrote:

That was an interesting article, I definitely got caught up clicking thru for awhile.. One has to wonder, why hasn't a more effective system been placed into production let alone conceptualized and largely accepted as a solid approach for the future ?

More specifically, the claim that CAPTCHA as it stands now is not a Turing machine. I'm not sure if that's entirely true as symbols pre-date their interpretation by machine.

Regardless, like one gentleman mentioned in an article, a much more clear method to differentiate man vs. machine would be to ask abstract questions. Barring the cultural, linguistic and socioeconomic implications, why not ask things like "which one is a pachyderm?". Or "which texture most resembles stipple?". Or "Which of these strawberries is most rotten?". Or "Which person is taller?" with same-sized figures, but one the same sized as the car she stands next to, the other only half. etc. etc. Ya know ?

Sure it would take a significant multi-faceted approach utilizing an amazingly heterogeneous set of contributors, but that's where open source comes in. Pool a huge bank of acceptable abstracts based on image size, obscurity and all the other standards (which do NOT need to be complex at all), then refine that, seed the array and answer presentations with some decent entropy, use yet more entropy to randomize the units by which answers are delineated, "a,b,c,d", "circle[~],eye{=],carrot[%],money[E]" each different each time, and all the hundreds of other variables I've not thought of. It seems like it is workable to me. Keep the project always living so that submissions and refined objects are always being added to an update-able system.....

SOMETHING is going to have to be done that is superior to "crazytext", as ultimately it will be rendered nothing worse than a speedbump. I think CAPTCHA still qualifies as Turing, just not an effective one in its environment. Seems that machine-proofing should use anything BUT that which is found in almost every machine that would be used to circumvent it :)

Sorry for the chatter but I've ALWAYS felt that crazytext(tm) was an amazingly poor way to differentiate machine from man, and these articles just prove what I and so many others I'm sure had always felt.....

Jayson

On Wed, 2005-08-24 at 14:29 -0400, robert@webappsec.org wrote:

This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com
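
The arithmetic in Glenn Euloth's message, worked as a small model (an added example, not part of the original thread): the pass rate of a client that always submits the same answer to a 72-choice challenge, with and without a cap on wrong answers. The failure cap, the function names and the assumption that the server can attribute attempts to a single client are illustrative; the thread does not say ESP-PIX does any of this.

```python
import random

CHOICES = 72  # number of possible responses the message cites for ESP-PIX


def expected_passes(attempts, choices=CHOICES):
    """Average passes for a blind, fixed guess: one in every `choices` attempts."""
    return attempts / choices


def pass_probability_before_lockout(max_failures, choices=CHOICES):
    """Chance of at least one pass before `max_failures` wrong answers accrue.

    With a hard cap, the client passes zero times only if its first
    `max_failures` attempts are all wrong.
    """
    return 1 - ((choices - 1) / choices) ** max_failures


def simulate(attempts, choices=CHOICES, max_failures=None, seed=2005):
    """Model a client that always picks answer index 0.

    The correct answer is drawn uniformly per challenge. If `max_failures`
    is set, the hypothetical server stops serving challenges to the client
    once that many wrong answers are recorded against it.
    Returns (passes, challenges_served).
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    passes = failures = served = 0
    for _ in range(attempts):
        if max_failures is not None and failures >= max_failures:
            break
        served += 1
        if rng.randrange(choices) == 0:
            passes += 1
        else:
            failures += 1
    return passes, served


if __name__ == "__main__":
    n = CHOICES * 50  # the "N*50" attempts from the message
    print("expected passes, no penalty:", expected_passes(n))
    print("simulated (passes, served), no penalty:", simulate(n))
    print("simulated (passes, served), cap of 3:", simulate(n, max_failures=3))
    print("P(any pass before cap of 3): %.4f" % pass_probability_before_lockout(3))
```

Without a penalty the pass count grows linearly with attempts; with a cap of three wrong answers the same client passes at all only about 4% of the time, which is the gap the message points at.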