Making CAPTCHAs Even Harder With 3-D Models

Michael G. Kaplan writes "CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."

Famous last words.

Wow, you're just asking some bored hacker out there to prove you wrong.

Implementing CAPTCHAs with PHP

[shiflett]

PHP developers might find this article useful:

http://phpsec.org/articles/2005/text-captcha.html

Captcha's have already been cracked

[tekiegreg]

Awhile back on Slashdot (I'm too lazy to find the link) there was an article on Captcha's being attacked by Spammers who would set up a porno site requiring user registration using, the Captcha in mind to crack, then forwarding the results to the anti-captcha bot.

Vision-recognition systems be dammed, all a spammer needs to do is use the inherent need of apparently most of the male race to look at pictures of naked women to get what he needs. I don't know if a counter was ever found to this method either...

Re:Captcha's have already been cracked

[shiflett]

Yes, I first heard this from an engineer at Yahoo. They were, as far as I know, the first site to have to deal with this technique on a major scale. Fortunately, this attack requires that the attacker's system communicate with your server, playing the role of a typical user.

So, although the "answer" to the CAPTCHA is provided an actual human, you can still pinpoint mass registrations and the like to a single group of IP addresses in most cases, because the users are not the ones interacting with your application. This becomes a network problem rather than an application problem.

I don't like it already

[A+beautiful+mind]

Check the last sentence on his page.

"Patents pending."

Tyvm, but no.

Here's another test...

Show them the acronym, CAPTCHA. If they don't cringe, they are obviously non-human.

Popular CAPTCHA implementation beaten

[SJasperson]

http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha The developer of an automated breaking bot explains how he did it.

Kinda scary...

[Sanity]

...when you can't make out the numbers or letters on one of these things, as has happened to me on a number of occasions.

The logical conclusion is that I'm not actually human. My girlfriend will be very upset when I tell her.

Took a long time

[cmclean]

Decoding the 5-letter example in the article took waaay too long when compared to current techniques (i.e. 30 seconds as opposed to 3), regardless of how good it is at eliminating nonhuman respondants.
It seems a very good idea, but all that flicking back-and-forth of the eyes is to compute-intensive for my grey matter.

Why graphics?

[Skevin]

Do you know how many times things like this have required me to use some browser other than Lynx or Links? You're blatantly discriminating against us terminal users. Then we have to find someone running a GUI envoronment. Oh! The insensitivity!

Solomon Chang

already been done

Deckard: You're reading a magazine... You come across a full page nude photo of a girl...
Rachael: Is this testing whether I'm a replicant or a lesbian Mr Deckard?
Deckard: Just answer the questions please.

Don't invest time in these things yet.

The federal government is considering outlawing this abusive practise. I met with a senator from SC and another from GA in the past month wrt this issue. They, like most people I know, hate it, and hate the artificial barrier it creates for Internet usage.

I work at a school for the deaf and blind, and captcha's make it impossible for the blind or many of the vision impaired to do many things on the Internet without having help from someone with good vision. Even I, with my cheap LCD monitor and 73 year-old eyes, have trouble reading the Yahoo ones.

Re:Don't invest time in these things yet.

[PurpleFloyd]

Outlaw CAPTCHAs? I agree that they are a hideous usability-breaking kludge, but to outlaw them certainly seems to be overreacting.

To allow governments to actually control the content of websites on such a fine level seems rather draconian to me. Also, while they're typically buried, some websites provide an audio-based alternative; I know that Hotmail offers this. It seems to me that you should rather lobby websites which offer no alternative for blind or vision-impaired users to change their policies.

Finally, I'd like to note that with relatively young eyes and a surplus CAD-workstation monitor, I also find the Yahoo CAPTCHAs difficult to see. The problem is not your eyes, it is rather that in trying to make graphics illegible to computers the algorithm has managed to make the graphics illegible to humans as well.

solving the handwriting problem

[bremstrong]

Use handwritten challenges and let the spammers solve the handwriting recognition problem for us.

Counter to this method

They will design a Captcha that only females can solve. You can ask your mom to solve it, machines can't.

Re:This is a good thing! Not!!

[tomhudson]

The porn industry already defeats this easily by asking people who want to continue on their porn site to do the recognition - they then harvest the answer and use it to, for example, auto-register spam yahoo/hotmail accounts.

1. Porn surfer wants more porn
2. Porn/spammer's script tries to register a bogus email account
3. Porn/spammer's script sends surfer image to be recognized
4. Surfer types in the text, number, whatever
5. Script then tries to register email account using info typed in by surfer
6. If successful, let surfer continue
7. Result: a new spam address validated by a human

Obligatory checklist

[Wesley+Felter]

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
(X) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

(From http://www.craphound.com/spamsolutions.txt)

This is a bad thing for the blind.

And how are visually impaired people supposed to do this? Use the alt text?

Re:This is a bad thing for the blind.

[zobier]

Auditory CAPTCHAs

*blows whistle* Five-minute major...

[kapella]

...for not understanding core principles of Ethernet.

Although it's tangential to the topic, you can't "ban by MAC addresses". Not unless you're on the same ethernet segment as the attacker. Try it the next time you've got access to a few machines separated by at least one router. Ping from two different machines to a third on another network and run tcpdump to inspect the MAC addresses on the packets. Let me know how it turns out. (hint: they'll have the MAC address of the router)

This sucks.

[Sam+H]

This proposal totally sucks. The goal of a CAPTCHA is not only to be extremely difficult for a computer, you also need to make it simple enough for the user. Most current implementations are considered extremely inaccessible, and if you have accessibility in mind, these 3D images are a huge step backwards. The utter vanity of it all is emphasised by its vulnerability to the porn site attack (offering porn to monkeys to crack CAPTCHAs). Be assured that I and other people will devote as much time as possible to eradicate moronic CAPTCHAs from the Internet.

US govt contractors won't be able to use it

[tepples]

Many companies that do business in the United States of America are subject to regulations that forbid them from discriminating against people with disabilities; companies that have significant contracts with the United States Government are subject to the stricter guidelines of Section 508 of the Rehabilitation Act. Anything that discriminates so flagrantly against people with vision or cognitive disabilities may get companies in trouble with the law.

why?

[sillivalley]

Why would I want to view images in an e-mail message?

Spam is a problem, but for me at least, this ain't the solution! I'm not about to jump through these hoops. If you want to exchange e-mails with me, fine. This system tells me you don't.

A lot of people won't understand it, and a lot of people who do are going to ignore it and move on to the next message in the inbox.

Problems with This System

[MidnightBrewer]

1. It uses a whitelist as a means of solving spam. The system claims to allow strangers to effectively email each other, but only after first forcing the user to jump through several hoops. Correspondence will be slowed, and many people may give up in irritation before they bother to send the mail a second time. Imagine a prospective employer who decides that it's not worth tracking down Joe Blow because the email didn't get through, or a university attempting to contact a student by email. This particular method of foiling spam eliminates one of the key benefits of email: easy correspondence with a fast response time.
2. Users have to maintain a database of trusted senders, as well as another database of recipients who trust them. This means extra data and the possibility of users accidentally falling off of each other's whitelists whenever somebody loses their address book.
3. It will generate too many bounced messages, thus increasing network overhead to a point where it really may not be much better than spam. It also requires transmission of graphics, which again increase system overhead, as well as extra computational time to generate said images and to register and process the responses.
4. The system claims it will benefit from server-side cooperation, instead of keeping the method purely client-side. This means that users have to rely on the benevolence of their ISP to keep the system updated and maintained.
5. The graphical images contain a fixed number of very easily discerned letters that can be combined to form "easily-remembered" words. Once the letters are extracted, they can be recombined into known sequences, first of common English words, then popular web slang, then even transcribed into 1337 for the heck of it. Shouldn't take long to hack that.
6. Sub-addresses? So you want to explain this one to my parents? "I know you picked out one, simple email address that you really like and will never have to change, but now I want you to pick out a new one. It might be a good idea to change it once every few months or so, too." The whole purpose of an address is to allow someone to have a unique identity that can be easily found.

Honestly, this particular system sounds like it relies more on sheer grunt work and the wasted time of its users to make it work, rather than any innovative computer programming.

Re:Heh...

[farnz]

Only works if the originator has a globally unique MAC address. Think dial-up modems, point to point links, private systems using administrator defined addresses (UML hosts for example)...

Like so many, he obviously doesnt think anyone can

[dopeghost]

Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come

spare us the modesty!

Won't be cracked in ten years? Ha!

[808140]

This is the most ridiculous an overly complex CAPTCHA system I've ever seen. To make matters worse, it is actually very easy to crack, using current technology.

Let's look at his "LUCKY" example to see why. So he has a picture of the standing man, the flower, and the sitting man, and all over the picture, he has a series of glyphs. As these glyphs are not distorted, they are easily extracted -- the whole point of this system is that distortion based CAPTCHAs are relatively easy to defeat, so he doesn't bother. In his example, he has 26 glyphs, corresponding to A-Z, but in practice, it isn't important what the set is -- only that it is small and finite.

Once this set is extracted, we know that the "password" is some permutation of this set. Because the set of possible characters in an e-mail address is much smaller than the set of possible characters in an actual password (in particular, e-mail addresses are case insensitive), brute-force cracking of this password is much simpler than brute force cracking of a UNIX password, for example. But luckily for us, it's even easier than that.

In the e-mail, he includes this "decoder" list.

• The Leaf of the Flower
• The Body of the Sitting Man
• The Head of the Walking Man
• The Vase
• The Left Arm of the Sitting Man

Of course, it should be clear at this point that this list would be relatively easy to extract from the e-mail, and further, that it tells you the exact length of the password, reducing the number of permutations to check to (in this case) 11,881,376.

Furthermore, a little bit of extra logic could reduce this number still further by noticing repetitive patterns in the list. So if "The Leaf of the Flower" appears twice, we know that the letters in those two slots are the same. And if the glyph set is unique (ie, no glyph appears twice), then we can reduce the number of permutations to at most 7,893,600.

Now, that's still a fairly large number of permutations to check, and at one point, it probably would have been enough. However, computational power is free now, at least for spammers. And it doesn't take much. Here's a sample perl (!) program I ran on my Debian GNU/Linux laptop (1.2GHz Pentium M).

for $i (1 .. 26) {
for $j (1 .. 26) {
next if $i == $j;
for $k (1 .. 26) {
next if $i == $k || $j == $k;
for $l (1 .. 26) {
next if $l == $i || $l == $j || $l == $k;
for $m (1 .. 26) {
next if $m == $i || $m == $j || $m == $k || $m == $l;
print chr(97 + $i) . chr(97 + $j) . chr(97 + $k) . chr(97 + $l) . chr(97 + $m) . "\n";
} } } } }

This just prints out all the permutations; of course they still would need to be checked.

$ time perl -e ' ... program here ... '
real 0m26.109s
user 0m25.746s
sys 0m0.020s

Not very long on a modern computer, eh? And written in perl, too, not exactly the fastest programming language in the world. Now consider that spammers have access to just about infinite CPU and bandwidth, thanks to their army of zombie bots, and that both CPU power and bandwidth are likely to increase at a rather rapid rate in the next decade. Furthermore, this is a worst case scenario -- success in a brute force attack tends to occur somewhere in the middle, not towards the end, reducing the necessity to actually go through all the permutations.

You don't think they'd try to crack it?

Plus, by his own admission, e-mail addresses can be shared. What does this mean in this context? I don't even need to get the e-mail address encoded in the CAPTCHA! If I can get any working e-mail address, even one, I get through! So the more active he is, e-mail wise, the more likely I can randomly strike a hit in the first hundred or so tries.

On top of