Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Defeating CAPTCHA

from [victor] Network Security [Permanent Link]
Subject: Re: Defeating CAPTCHA
Date: Mon, 29 Aug 2005 18:53:43 +0800
I was struck by the CAPTCHA issue a while back too, it happens to me that CAPTCHA reminded me of all these anti-piracy technique that have been developed over the past 2 decades. Put this special data into that sector of the disc so pc-tools can't copy it or install this special cd checker to make sure the cd is not pirated. We all know the result, finding a crack to all these protection is only a question of when.

I would say CAPTCHA is too a case of trying to fight intelligent with more intelligent. which is an endless loop with no true winner. And so I wonder maybe a true solution to this abuser protection issue lies somewhere else.

I myself look at the setup this way, all these tool hacker uses depends on one thing to function, the question being presented as part of the signup/login procedure, because we must make the question presentable online and friendly enough for humand to process, it is bound to be possible to come up with some porgram to come up/brute force the answer.

So in another word, the existence of the question itself has made it possible for hacker to come up with software to defeat the protection. In a way, the solution has itself become the problem, so I am thinking maybe instead of trying to improve it. We should look into eliminating it.

I can see some good example out there that is going into that direction. Many online banking service are taking advantage of SMS, sending user a passkey where they have to use to login to the service. Or this implementation pay pal has implemented, that debit user's credit card and ask user to use that sum as some form of passkey as one of the gentlemen here has pointed out.

These solution are very expensive compare to CAPTCHA but the direction seems to be more reliable and hack-profe. If a better solution to CAPTCHA should be found, this maybe one direction you fellow might want to consider.

Tor.



robert@webappsec.org wrote:

This was linked off of slashdot (http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) and explains some of the ways people are breaking CAPTCHA (http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com






--
<!---------------------------------------------
                          Victor
                          Development Engineer
                          Outblaze Ltd
---------------------------------------------->

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Combatting automated download of dynamic websites?, Matthijs R. Koot
Next by Date:  RE: Defeating CAPTCHA, Derick Anderson
Previous by Thread:  Re: Defeating CAPTCHA, Paul M.
Next by Thread:  RE: [WEB SECURITY] Re: Defeating CAPTCHA, Marian Ion
Indexes:  [Date] [Thread] [Top] [All Lists]