Slashdot Mirror
Making CAPTCHAs Even Harder With 3-D Models
Michael G. Kaplan writes "CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."
Yes, I first heard this from an engineer at Yahoo. They were, as far as I know, the first site to have to deal with this technique on a major scale. Fortunately, this attack requires that the attacker's system communicate with your server, playing the role of a typical user.
So, although the "answer" to the CAPTCHA is provided an actual human, you can still pinpoint mass registrations and the like to a single group of IP addresses in most cases, because the users are not the ones interacting with your application. This becomes a network problem rather than an application problem.
Decoding the 5-letter example in the article took waaay too long when compared to current techniques (i.e. 30 seconds as opposed to 3), regardless of how good it is at eliminating nonhuman respondants.
It seems a very good idea, but all that flicking back-and-forth of the eyes is to compute-intensive for my grey matter.
"Any similarity between the hooting of a million eager monkeys and Slashdot is purely coincidental." -THEFLASHMAN
The novel anit-spam system mentioned in the article seems on the surface to be a great idea. However, I do see one small problem with the seperate username;subaddress@domain.com per correspondent idea. Image an environment where there are 1,000 employees and each employee recieves mail from 100 different users. Doesn't that place 100,000 seperate mailboxes, forwarded to 1000 "internal" mailboxes? That will have an overhead to be sure. Also, if the spammer is able to obtain a traffic sample coming to/from this ficticious corporate mail server, could the spammer then obtain the subaddresses directly? If the spammer then sent a spam email to every subaddress for a user, the user would then end up with 100 copies of the spam letter in their inbox.
Just some hypotheticals.
Be Safe! Sleep with a Marine. Semper Fi!
This system sucks, and nobody will ever use it. Sorry that nobody has been honest with you until now, but it is time to face facts. It is far too complex.
Do you know how many times things like this have required me to use some browser other than Lynx or Links? You're blatantly discriminating against us terminal users. Then we have to find someone running a GUI envoronment. Oh! The insensitivity!
Solomon Chang
"Twice half-assed makes an ass whole." --Solomon K. Chang
This will fail miserably. It requires too much human involvement, the munging of previously easy to remember email addresses (however easy ilovemypoodlexo42@hotmail.com wass to remember anyway), but perhaps most importantly, it generates a bounce. Anytime a typical clueless user sees a bounce message, they don't bother to read it. They see "ERROR" and that's as far as they get before calling their buddy and bitching about the bum email address. Maybe if you're lucky, they'll doublecheck to see if they spelled it right, but that's about it. For any CAPTCHA to work, it has to be a one-time event (like registering a yahoo email address) that does not result in apparent error messages being thrown back at people. For any anti-spam system to work, it must be transparent to the end-user (like these new sender-id verification systems).
I suspect that one of these choices is incorrect. Correct.
I had a conversation with a senior executive at a former employer.
He told me that, just as companies were outsourcing tech support to India/China/etc, companies which handled mass-emailing were also outsourcing work to have people sit there and recognize CAPTCHAs as well as respond to those stupid validation things some people try with their email (ie, you have to respond back to some silly email from their server saying "yes, I do ACTUALLY want to email you"). The mass-emailing companies would forward all the responses they got to a mailing to the company, and rooms of people would go through them all.
Very little training was required for the CAPTCHAs, and only rudimentary English for the email-response things.
Please help metamoderate.
Inspiring the well funded sex-pr0n industry to advance the basic research in computer vision would be good for society.
This proposal totally sucks. The goal of a CAPTCHA is not only to be extremely difficult for a computer, you also need to make it simple enough for the user. Most current implementations are considered extremely inaccessible, and if you have accessibility in mind, these 3D images are a huge step backwards. The utter vanity of it all is emphasised by its vulnerability to the porn site attack (offering porn to monkeys to crack CAPTCHAs). Be assured that I and other people will devote as much time as possible to eradicate moronic CAPTCHAs from the Internet.
God, root, what is difference ?
Many companies that do business in the United States of America are subject to regulations that forbid them from discriminating against people with disabilities; companies that have significant contracts with the United States Government are subject to the stricter guidelines of Section 508 of the Rehabilitation Act. Anything that discriminates so flagrantly against people with vision or cognitive disabilities may get companies in trouble with the law.
That's an excellent question: there are Federal laws regarding accessibility.
The higher the technology, the sharper that two-edged sword.
Why would I want to view images in an e-mail message?
Spam is a problem, but for me at least, this ain't the solution! I'm not about to jump through these hoops. If you want to exchange e-mails with me, fine. This system tells me you don't.
A lot of people won't understand it, and a lot of people who do are going to ignore it and move on to the next message in the inbox.
Auditory CAPTCHAs
Me lost me cookie at the disco.
- It uses a whitelist as a means of solving spam. The system claims to allow strangers to effectively email each other, but only after first forcing the user to jump through several hoops. Correspondence will be slowed, and many people may give up in irritation before they bother to send the mail a second time. Imagine a prospective employer who decides that it's not worth tracking down Joe Blow because the email didn't get through, or a university attempting to contact a student by email. This particular method of foiling spam eliminates one of the key benefits of email: easy correspondence with a fast response time.
- Users have to maintain a database of trusted senders, as well as another database of recipients who trust them. This means extra data and the possibility of users accidentally falling off of each other's whitelists whenever somebody loses their address book.
- It will generate too many bounced messages, thus increasing network overhead to a point where it really may not be much better than spam. It also requires transmission of graphics, which again increase system overhead, as well as extra computational time to generate said images and to register and process the responses.
- The system claims it will benefit from server-side cooperation, instead of keeping the method purely client-side. This means that users have to rely on the benevolence of their ISP to keep the system updated and maintained.
- The graphical images contain a fixed number of very easily discerned letters that can be combined to form "easily-remembered" words. Once the letters are extracted, they can be recombined into known sequences, first of common English words, then popular web slang, then even transcribed into 1337 for the heck of it. Shouldn't take long to hack that.
- Sub-addresses? So you want to explain this one to my parents? "I know you picked out one, simple email address that you really like and will never have to change, but now I want you to pick out a new one. It might be a good idea to change it once every few months or so, too." The whole purpose of an address is to allow someone to have a unique identity that can be easily found.
Honestly, this particular system sounds like it relies more on sheer grunt work and the wasted time of its users to make it work, rather than any innovative computer programming."Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life
I'm not sure why this is marked "Funny"...
Using a system like this for EVERY login for ANY site could generate a lot of valid spam accounts, just always say the person got it right, and probably 90% of the responses would be correct for use as spam accounts. Scary.
To allow governments to actually control the content of websites on such a fine level seems rather draconian to me. Also, while they're typically buried, some websites provide an audio-based alternative; I know that Hotmail offers this. It seems to me that you should rather lobby websites which offer no alternative for blind or vision-impaired users to change their policies.
Finally, I'd like to note that with relatively young eyes and a surplus CAD-workstation monitor, I also find the Yahoo CAPTCHAs difficult to see. The problem is not your eyes, it is rather that in trying to make graphics illegible to computers the algorithm has managed to make the graphics illegible to humans as well.
That's it. I'm no longer part of Team Sanity.
C'mon slashdot. Informative??
.. or freely available for implementation.
D'you really expect the man not to take credit for his work?
Just because its patented doesn't mean it cannot be open sourced
Whether it will be, of course is another issue. Great work by Michael all the same. Hope this works.
Let's look at his "LUCKY" example to see why. So he has a picture of the standing man, the flower, and the sitting man, and all over the picture, he has a series of glyphs. As these glyphs are not distorted, they are easily extracted -- the whole point of this system is that distortion based CAPTCHAs are relatively easy to defeat, so he doesn't bother. In his example, he has 26 glyphs, corresponding to A-Z, but in practice, it isn't important what the set is -- only that it is small and finite.
Once this set is extracted, we know that the "password" is some permutation of this set. Because the set of possible characters in an e-mail address is much smaller than the set of possible characters in an actual password (in particular, e-mail addresses are case insensitive), brute-force cracking of this password is much simpler than brute force cracking of a UNIX password, for example. But luckily for us, it's even easier than that.
In the e-mail, he includes this "decoder" list.
Of course, it should be clear at this point that this list would be relatively easy to extract from the e-mail, and further, that it tells you the exact length of the password, reducing the number of permutations to check to (in this case) 11,881,376.
Furthermore, a little bit of extra logic could reduce this number still further by noticing repetitive patterns in the list. So if "The Leaf of the Flower" appears twice, we know that the letters in those two slots are the same. And if the glyph set is unique (ie, no glyph appears twice), then we can reduce the number of permutations to at most 7,893,600.
Now, that's still a fairly large number of permutations to check, and at one point, it probably would have been enough. However, computational power is free now, at least for spammers. And it doesn't take much. Here's a sample perl (!) program I ran on my Debian GNU/Linux laptop (1.2GHz Pentium M).
This just prints out all the permutations; of course they still would need to be checked.
Not very long on a modern computer, eh? And written in perl, too, not exactly the fastest programming language in the world. Now consider that spammers have access to just about infinite CPU and bandwidth, thanks to their army of zombie bots, and that both CPU power and bandwidth are likely to increase at a rather rapid rate in the next decade. Furthermore, this is a worst case scenario -- success in a brute force attack tends to occur somewhere in the middle, not towards the end, reducing the necessity to actually go through all the permutations.
You don't think they'd try to crack it?
Plus, by his own admission, e-mail addresses can be shared. What does this mean in this context? I don't even need to get the e-mail address encoded in the CAPTCHA! If I can get any working e-mail address, even one, I get through! So the more active he is, e-mail wise, the more likely I can randomly strike a hit in the first hundred or so tries.
On top of
Many cards have a user configurable MAC address.
The solution isn't to outlaw the CAPTCHA, the solution is to make additional alternatives available for people who can't "solve" a CAPTCHA. For the blind the solution would be an audio CAPTCHA, and for the very few who are both deaf and blind, a dialogue with a real person, you fill out a form and a dialogue with a real person ensues, you prove that you are a person by answering like a real person. As long as only few users need this personal assistance it should be doable.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
Your suggestion involves breaking up the protocol layers. Both Ethernet and TCP/IP owe their success to Keeping It Simple Stupid. If you start overlapping them, introducing MAC addresses into IP headers, you are merging them into a kind of TCP/IP/Ethernet super-protocol. It's no longer Simple, and you can no longer patch, upgrade, change them independently of each other. Different implementations of Ethernet on disconnected networks will now start interfering with each other in unexpected ways, depending exactly on what you plan to do the MAC address when you see it. Privacy advocates will have a fit.
And besides that it's easily defeated, just override your TCP/IP settings to lie about your MAC address. In principle it could even be done for your whole LAN at the firewall, a sort of MAC-NAT.
Nothing solved, whole raft of problems intoduced.
-- Nick "Hallo this is Beel Gates, und I pronounce weendows as