| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Jan 2007 17:12:04 +0200 (IST) From: Alexander Klimov <alserkli@...ox.ru> To: bugtraq@...urityfocus.com Subject: Re: Defeating CAPTCHAs via Averaging On Sat, 27 Jan 2007 noreply9871234@...-habe-fertig.com wrote: > The detailed article (including sample images) is online here: > http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/ > >> To extract a series of captchas with the same information (number) >> in them, it is sufficient to repeatedly call their captcha >> generator. I am not sure I understand how you propose to build an automatic system to attack it: If you can tell that two images contain the same number then it is very likely that you can recognize the numbers themselves (there are only 10 different digits). OTOH, if you have a human in the loop, they can just use gimp to create the averaged figure images from a single image per figure, and then use these templates to calculate correlation in different places of a given challenge. > Do not produce images with noise-like distortions. For example, > moving and rotaing individual letters by a large enough > distance/angle will spoil averaging by reducing the contrast in > averaged images. If the number of distinct tuples (position, angle) is not a very large number, the correlation attack will work anyway (and I doubt that it is possible to make the number large, because the attacker can try to start with a scaled down image and templates). -- Regards, ASK
Powered by blists - more mailing lists