Showing posts with label Captcha.
Tuesday, January 08, 2008
I missed hearing about the 'Month of Bugs in Captchas' project until recently. I haven't yet gone through all the Captchas that were analyzed and the vulnerabilities that were found. The summary page of this project seems interesting.
Saturday, October 27, 2007
CAPTCHAs and P0rn
At last some proof that CAPTCHAs are being solved using p0rn. The Panda Labs blog speaks about an application which, when installed on the system, offers p0rn in exchange for solving CAPTCHAs. They detect the client-side application as Trj/RompeCaptchas.A.
I wonder how the application gets to know if the answer to the CAPTCHA is right or wrong. A desperate individual might enter wrong answers to view the images quickly.
Friday, June 22, 2007
Captcha email-ids
We know the risks of posting our email ids on the internet and so resort to address munging (e.g., instead of posting my-mail-id@isp.com we post my-mail-id(at)isp.com).
Here is a utility which creates a small Captcha for the email id, so that people can post the image instead.
Wednesday, May 09, 2007
Microsoft's New Captcha - Cat or Not?
Microsoft came up with a new CAPTCHA idea. The CAPTCHA shows the user a set of photographs and asks them to pick out the ones which depict a cat. This scheme is named Asirra.
The scheme is very similar to an earlier scheme called KittenAuth, in which the CAPTCHA taker also had to recognize the cat. The difference is that Microsoft is using labeled photos from www.petfinder.com and so has a huge database of images.
People who work at petfinder have done all the hard work in creating the CAPTCHA, since they have labelled the photographs of the pets (cats and dogs). The claim is that the database has around 2 million images and more arrive regularly.
Humans can also adopt the pet that they like, and so the creators hope that the animals will get a shelter.
Advantages of the scheme:
- Visual CAPTCHAs are always easier than the character based ones
- The test is easy to perform and is universal
- The database is very large
Disadvantages of the scheme:
- The scheme assumes that the database will always keep growing (what if petfinder.com stops its services?)
- Since no distortion is used, the database has to be kept a secret
- Humans are used to create the CAPTCHA (humans at petfinder.com label all the images and provide the 'difficulty' of the test). An elegant solution to this problem would not involve humans in creating it
Continuing on the last disadvantage, does Microsoft mean that the best puzzles which a computer can NOT solve need to be human generated? Can't a computer create a puzzle which it can not solve?
Monday, November 20, 2006
Securiteam's new terminology for a CAPTCHA!
The author (Gadi Evron) blogs on the Securiteam website about what he has named a 'Reverse CAPTCHA'. The author states in this blog that images used in spam can be called a 'Reverse CAPTCHA'.
There are some problems in using this terminology!
The definition of a CAPTCHA by the CMU team is thus:
====
A CAPTCHA is a program that can generate and grade tests that most humans can pass, but current computer programs can't pass.
====
Somehow the tests such programs generate have also got the name 'CAPTCHA'. We shall accept such a nomenclature. Thus the distorted letters that we see and try to recognize have also been called CAPTCHAs.
CAPTCHAs are a kind of 'Reverse Turing Test' (RTT); this is also noted in the Securiteam blog.
So then, is a 'Reverse CAPTCHA' a 'reverse-reverse-Turing test' == 'Turing test'?
Turing Test -> (reversed) --> CAPTCHA
CAPTCHA -> (reversed) --> Turing Test
No, the author rightly mentions that his definition of a 'reverse CAPTCHA' is based only on the intent. CAPTCHAs were designed to stop the bad guys and allow the good guys, while image based spam uses the same concept to allow the bad things in.
The reversal in this case is only in the intent. Calling that a 'reverse CAPTCHA' is not right, because it only confuses and muddles up the terminology.
Image based spam is also an example of a CAPTCHA. Humans can pass it while machines can not. It is just an abuse of the original concept of a CAPTCHA.
Sunday, November 19, 2006
Google, Worms and CAPTCHAs
At the recently held WORM 2006 workshop, Niels Provos (Google) informed us in his presentation that CAPTCHAs were used by Google to prevent worm attacks.
Some worms (I don't recollect the details and don't have my notes handy now) use Google to search for email addresses to mail themselves to. Google used CAPTCHAs to prevent such automated web attacks.
Will update this post with more details soon.
UPDATE 4/29/2007:
Found the details. It was the Slaty Worm against which CAPTCHAs were used by the Google team. The research paper detailing this is titled "Search Worms".
Wednesday, November 08, 2006
CAPTCHAs at Internet Storm Center
ISC ran a story titled 'Form Spam: Increasing the Attacker's work function'.
To deal with spam they implemented a CAPTCHA, a home made solution. They report that this led to a decrease in the number of submissions:
====
Our somewhat ugly home made captcha solution caused submissions to drop by about 30%, which wasn't acceptable.
====
Kinda interesting to note that the highly technical geeky chaps did not want to solve a CAPTCHA!
Tuesday, October 31, 2006
Solving CAPTCHAs
A Slashdot post indicated that humans are ready to solve CAPTCHAs for a very low price.
Somebody asked for a quote to solve CAPTCHAs in a 50 hour week on a freelancer recruitment website.
The average asking price to solve CAPTCHAs for 50 hours was $57, which makes it almost a dollar an hour. The lowest asking quote was $30 ($0.60 an hour).
The description for this job type is really vague. The number of CAPTCHAs to be solved is not specified. What is specified is the number of hours for which the human will have to work on solving the CAPTCHAs. I would expect a spammer to rather state the number of CAPTCHAs that need to be solved.
Also there is somehow an implicit assumption that the CAPTCHAs are from a database or are generated by the software. It could very well be that they are relayed to the software application, in which case the concept of 'finished the job' would not exist. The person who won the bid would have to be available for 50 hours, during which there could be anything from high activity to no activity.
Thursday, October 19, 2006
Orkut and CAPTCHAs
Aha, Orkut is now using CAPTCHAs.
Their scheme:
If you scrap someone with a URL such as www.google.com, you might be an automated malicious entity and thus should prove that you are a human. The way to do that is by passing a very simple CAPTCHA.
If you get the CAPTCHA wrong, you are given another CAPTCHA to solve.
They have been having problems with malicious links. I guess this is their way to solve that problem.
Great to see one more example of a CAPTCHA!
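As an added example (my own sketch, not Asirra's or Orkut's code), the Python below combines the two schemes on this page: an Asirra-style grader that serves a secret labeled database through per-challenge opaque tokens and consumes each challenge on first use, plus the URL-triggered gate from the Orkut post just above. The image database, token format and URL test are constructed assumptions.

```python
import re
import secrets

# Constructed stand-in for the labeled petfinder.com database; a real deployment
# would hold millions of photos. Labels never leave the server.
IMAGE_DB = {
    "pet-001": "cat", "pet-002": "dog", "pet-003": "cat", "pet-004": "dog",
    "pet-005": "cat", "pet-006": "dog", "pet-007": "dog", "pet-008": "cat",
    "pet-009": "cat", "pet-010": "dog", "pet-011": "dog", "pet-012": "cat",
    "pet-013": "dog", "pet-014": "cat", "pet-015": "dog", "pet-016": "cat",
}

_rng = secrets.SystemRandom()
_issued = {}  # challenge_id -> {opaque token: database key}; entries are single-use


def new_challenge(n=12):
    """Issue a challenge: n images under fresh opaque tokens, so the client never
    sees stable database keys it could correlate across challenges."""
    tokens = {secrets.token_hex(8): key for key in _rng.sample(list(IMAGE_DB), n)}
    cid = secrets.token_hex(16)
    _issued[cid] = tokens
    return cid, list(tokens)


def grade(cid, selected):
    """True only if `selected` is exactly the set of cat tokens in challenge `cid`.
    The challenge is consumed on the first attempt, right or wrong: a failed
    answer earns a new puzzle, not another guess at the same photos."""
    tokens = _issued.pop(cid, None)
    if tokens is None:  # unknown, expired or already-used challenge
        return False
    cats = {t for t, key in tokens.items() if IMAGE_DB[key] == "cat"}
    return set(selected) == cats


_URL = re.compile(r"(https?://|www\.)", re.IGNORECASE)


def submit_scrap(message, cid=None, selected=None):
    """Orkut-style gate: a scrap without a URL is accepted outright; one with a
    URL must come with a solved challenge, otherwise a fresh one is issued."""
    if not _URL.search(message):
        return ("accepted", None)
    if cid is not None and grade(cid, selected or []):
        return ("accepted", None)
    return ("captcha", new_challenge())
```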