Date: Mon Feb 13 17:31:55 2006
From: very at unprivate.com (php0t)
Subject: Comment Spam: new trends, failing counter-measures and why it's a big deal

> > the global solution against word recognition based challenges? If it
> > was like that, it would mean that there is no way anybody could make
> > an image generator that would change its success rate from 90% to
> > 0%...

> It's *really* *really* difficult to produce a graphic image of letters
> and numbers that is still recognizable to a human but can't
> be beaten by a good edge-detection algorithm.  For instance, you can
> "bleed" the edges so that they're fuzzy - but then the
> human has a hard time telling if it's an 'i' or an 'l', or an 'h' or a
> 'b' (and so on).


  This is kind of like the problem that you have when you get a
confirmation code in SMS, and you can't tell between I's and l's etc
thanks to your mobile phone's display. But that doesn't mean the problem
is about verifying the person via SMS. They just need to filter / change
some letters used to make it a little more obvious (and maybe balance it
with longer strings).

What you're saying sounds nice, but I ask again - both of you - to post
some links to some of these high success rate AI bots (preferably php's)
with that algo you say is hard to beat.

  I'm certainly interested in this, because all this time I thought that
even if there were *some* applications that could defeat *some*
challenges, the Turing test was still up to the current times, but what
you're telling me totally contradicts that.
Since you both mentioned these things as certain existing facts, it
would be nice to get a reference to a URL (preferably more) so people
could just look at it (them) and try for themselves (and naturally play
around with them until they beat it - you say it's *very very* hard, I
say I have yet to see it - even if it's hard, it'd be worth my time to
experiment with it, others will probably agree who think this subject is
interesting). Yes, I googled, I didn't get 


> I suppose you *could* put up a picture of something, and ask "What is
> this a picture of" - but then you need a sufficiently
> large library of images that an attacker can't just download all of
> them and have a human name each one once. And of
> course, this has the danger that a user can be left saying: "WTF? Is
> that an antelope or a gazelle?"....


  You're right, I don't like the idea of having a database of all the
possible answers, and the antelope/gazelle thing certainly got me pissed
on the captcha site. When I tested it, first it was a couple of bugs (I
didn't find either insect or bug in the list), then it was
umbrellas with an exception picture - it was more like a pain in the
ass, a computer would have better luck by going through the option list
:P


  Eagerly waiting for examples,
php0t


Ps: these are what I found on google about the subject. They're nice,
but 1) they contain no code / tryout option, and some of them only focus
on solving certain captchas. (as I previously said, *some* apps, *some*
tests...)

http://www.comp.leeds.ac.uk/fyproj/reports/0405/Rice.pdf
http://algoval.essex.ac.uk/rep/textloc/IjdarSpecialFinal.pdf
http://bhiv.com/2005/09/30/defeating-diggs-captcha/
