Open Source and information security mailing list archives
Date: Mon Feb 13 18:47:03 2006
From: very at unprivate.com (php0t)
Subject: Comment Spam: new trends, failing counter-measures and why it's a big deal

> http://en.wikipedia.org/wiki/Captcha#Defeating_Captchas
> might be a good place to start.  pwntcha is supposedly quite
> successful.

  Thanks for the tip. Shame on me for not clicking the Wikipedia link
last time.
I will comment on the links I found worthwhile.

1) http://www.puremango.co.uk/cm_breaking_captcha_115.php
Different subject: it explains how to defeat poor implementations of it
that don't get rid of the session.

2) http://www.puremango.co.uk/acdc_breakcaptcha.php
I'm going to look into it; it seems promising in that it lets me supply
an image of my choice.

3) http://web.archive.org/web/20050329185234/http://sam.zoy.org/pwntcha/
(quote) "Q. Please give me a copy of PWNtcha so that I can test it on my
own CAPTCHA and see how efficient it is! 
A. PWNtcha does not work that way. It is not an intelligent program that
tries to decode a random CAPTCHA. Such a program would be nearly
impossible to do. PWNtcha is simply a toolkit of image manipulation
functions, and a list of known CAPTCHAs with the associated list of
image operations to apply in order to decode each of them. If I have
never seen your CAPTCHA, then PWNtcha does not know about it, and there
is absolutely no way it could decode it."


  I've been saying from the start that I'm aware of the fact that there
are *some* programs that can defeat *some* captchas, just like this one.
Also, it doesn't offer what (2) did, probably because of the quote
above.
  Still, it's a page that is quite useful: it explains the weaknesses of
certain implementations.
  I guess we can all learn from all these, some examples:

1) destroy the session when not needed any more
2) change the picture on a wrong attempt
3) take measures against 'brute force'
4) don't use constant parts (font, background, colors)
5) use rotation, deformation, maybe letters in 3D (adding extra edges ;])
6) layer more words on each other
7) if you sense too much spam, change a few things
etc.
  I probably left out a lot of things that should be considered, so
additional ideas are very welcome.

php0t
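The following is an added example, not part of php0t's post and not code from any of the tools linked above. It puts items 1-3 of the list (destroy the session when done, change the picture on a wrong attempt, cap guesses) next to the replayable pattern that link (1) describes, where the expected answer stays in the session after a correct submission. The CAPTCHA "image" is stood in for by the answer string itself, and the session store is an in-memory dict; both are assumptions made so the example runs offline.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I, as CAPTCHA images usually avoid


def new_answer(length=6):
    """Constructed stand-in for CAPTCHA generation: a real system would render
    this string into a distorted image; here the string itself is the 'image'."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ReplayableCaptcha:
    """The weak pattern from link (1): the expected answer stays in the session
    after a correct submission, so one solved image works for unlimited posts."""

    def __init__(self):
        self.sessions = {}          # session id -> expected answer

    def issue(self, sid):
        self.sessions[sid] = new_answer()
        return self.sessions[sid]   # what the client gets to solve

    def verify(self, sid, answer):
        expected = self.sessions.get(sid)
        return expected is not None and answer == expected   # never cleared


class HardenedCaptcha:
    """Items 1-3 of the list: destroy the solution once used, rotate the image on
    a wrong guess, and cap guesses per session. `now` is injectable for testing."""

    def __init__(self, max_attempts=3, ttl_seconds=300, now=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.now = now
        self.sessions = {}          # sid -> {"answer", "issued", "attempts"}

    def issue(self, sid):
        self.sessions[sid] = {"answer": new_answer(), "issued": self.now(), "attempts": 0}
        return self.sessions[sid]["answer"]

    def current(self, sid):
        """Answer currently bound to the session (None once consumed or locked)."""
        rec = self.sessions.get(sid)
        return None if rec is None else rec["answer"]

    def verify(self, sid, answer):
        rec = self.sessions.get(sid)
        if rec is None:
            return False
        if self.now() - rec["issued"] > self.ttl:
            del self.sessions[sid]                  # stale challenge: start over
            return False
        submitted = answer.strip().upper().encode()  # case-insensitive match (usability choice)
        if hmac.compare_digest(rec["answer"].encode(), submitted):
            del self.sessions[sid]                  # 1) single use: no replay
            return True
        rec["attempts"] += 1
        if rec["attempts"] >= self.max_attempts:
            del self.sessions[sid]                  # 3) guess cap: session burned
            return False
        fresh = new_answer()
        while fresh == rec["answer"]:               # guarantee the picture changes
            fresh = new_answer()
        rec["answer"] = fresh                       # 2) wrong guess: new image
        rec["issued"] = self.now()
        return False


def demo():
    """Exercise both verifiers; returns the observations as a dict."""
    weak = ReplayableCaptcha()
    img = weak.issue("s1")
    weak_first = weak.verify("s1", img)
    weak_replay = weak.verify("s1", img)        # still accepted: the spam loop

    hard = HardenedCaptcha(max_attempts=3)
    img = hard.issue("s2")
    hard_first = hard.verify("s2", img)
    hard_replay = hard.verify("s2", img)        # consumed: replay rejected

    hard.issue("s3")
    before = hard.current("s3")
    hard.verify("s3", "000000")                 # '0' is outside ALPHABET, so always wrong
    rotated = hard.current("s3") != before      # wrong guess changed the image
    hard.verify("s3", "000000")
    hard.verify("s3", "000000")
    locked = hard.current("s3") is None         # third miss burned the session

    return {"weak_first": weak_first, "weak_replay": weak_replay,
            "hard_first": hard_first, "hard_replay": hard_replay,
            "rotated": rotated, "locked": locked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-session guess cap on its own is only half of item 3: a spammer who runs out of guesses simply requests a new session, so the cap has to be paired with a limit keyed on something the client cannot reset for free (source address, account, or a global rate limit on challenge issuance).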
