Slashdot Mirror

← Back to Stories (view on slashdot.org)

Making CAPTCHAs Even Harder With 3-D Models

Posted by timothy on from the now-what-is-the-man-doing-with-the-rabbit dept.

Michael G. Kaplan writes "CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are commonly used to prevent computers from filling out web forms. Computer vision experts have been able to design programs to foil CAPTCHA with a high degree of success. I have designed a CAPTCHA that is based on the identification of attributes contained in an image generated by the grouping of easily recognized 3-D objects. I call this the Virtual Photographic CAPTCHA and it is likely to remain invulnerable to automated attack for many years to come. A novel anti-spam system necessitated its development."

10 of 326 comments (clear)

  1. Famous last words. by Anonymous Coward · · Score: 5, Funny

    Wow, you're just asking some bored hacker out there to prove you wrong.

  2. Implementing CAPTCHAs with PHP by shiflett · · Score: 5, Informative

    PHP developers might find this article useful:

    http://phpsec.org/articles/2005/text-captcha.html

  3. Captcha's have already been cracked by tekiegreg · · Score: 5, Interesting

    Awhile back on Slashdot (I'm too lazy to find the link) there was an article on Captcha's being attacked by Spammers who would set up a porno site requiring user registration using, the Captcha in mind to crack, then forwarding the results to the anti-captcha bot.

    Vision-recognition systems be dammed, all a spammer needs to do is use the inherent need of apparently most of the male race to look at pictures of naked women to get what he needs. I don't know if a counter was ever found to this method either...

    --
    ...in bed
  4. Here's another test... by Anonymous Coward · · Score: 5, Funny

    Show them the acronym, CAPTCHA. If they don't cringe, they are obviously non-human.

  5. Popular CAPTCHA implementation beaten by SJasperson · · Score: 5, Interesting

    http://www.brains-n-brawn.com/default.aspx?vDir=ai captcha The developer of an automated breaking bot explains how he did it.

    --
    Sigs? Sigs? We don't need no steenkin' sigs.
  6. Took a long time by cmclean · · Score: 5, Insightful

    Decoding the 5-letter example in the article took waaay too long when compared to current techniques (i.e. 30 seconds as opposed to 3), regardless of how good it is at eliminating nonhuman respondants.
    It seems a very good idea, but all that flicking back-and-forth of the eyes is to compute-intensive for my grey matter.

    --
    "Any similarity between the hooting of a million eager monkeys and Slashdot is purely coincidental." -THEFLASHMAN
  7. Why graphics? by Skevin · · Score: 5, Insightful

    Do you know how many times things like this have required me to use some browser other than Lynx or Links? You're blatantly discriminating against us terminal users. Then we have to find someone running a GUI envoronment. Oh! The insensitivity!

    Solomon Chang

    --
    "Twice half-assed makes an ass whole." --Solomon K. Chang
  8. already been done by Anonymous Coward · · Score: 5, Funny

    Deckard: You're reading a magazine... You come across a full page nude photo of a girl...
    Rachael: Is this testing whether I'm a replicant or a lesbian Mr Deckard?
    Deckard: Just answer the questions please.

  9. Re:This is a good thing! Not!! by tomhudson · · Score: 5, Funny
    The porn industry already defeats this easily by asking people who want to continue on their porn site to do the recognition - they then harvest the answer and use it to, for example, auto-register spam yahoo/hotmail accounts.
    1. Porn surfer wants more porn
    2. Porn/spammer's script tries to register a bogus email account
    3. Porn/spammer's script sends surfer image to be recognized
    4. Surfer types in the text, number, whatever
    5. Script then tries to register email account using info typed in by surfer
    6. If successful, let surfer continue
    7. Result: a new spam address validated by a human
  10. Won't be cracked in ten years? Ha! by 808140 · · Score: 5, Insightful
    This is the most ridiculous an overly complex CAPTCHA system I've ever seen. To make matters worse, it is actually very easy to crack, using current technology.

    Let's look at his "LUCKY" example to see why. So he has a picture of the standing man, the flower, and the sitting man, and all over the picture, he has a series of glyphs. As these glyphs are not distorted, they are easily extracted -- the whole point of this system is that distortion based CAPTCHAs are relatively easy to defeat, so he doesn't bother. In his example, he has 26 glyphs, corresponding to A-Z, but in practice, it isn't important what the set is -- only that it is small and finite.

    Once this set is extracted, we know that the "password" is some permutation of this set. Because the set of possible characters in an e-mail address is much smaller than the set of possible characters in an actual password (in particular, e-mail addresses are case insensitive), brute-force cracking of this password is much simpler than brute force cracking of a UNIX password, for example. But luckily for us, it's even easier than that.

    In the e-mail, he includes this "decoder" list.

    • The Leaf of the Flower
    • The Body of the Sitting Man
    • The Head of the Walking Man
    • The Vase
    • The Left Arm of the Sitting Man

    Of course, it should be clear at this point that this list would be relatively easy to extract from the e-mail, and further, that it tells you the exact length of the password, reducing the number of permutations to check to (in this case) 11,881,376.

    Furthermore, a little bit of extra logic could reduce this number still further by noticing repetitive patterns in the list. So if "The Leaf of the Flower" appears twice, we know that the letters in those two slots are the same. And if the glyph set is unique (ie, no glyph appears twice), then we can reduce the number of permutations to at most 7,893,600.

    Now, that's still a fairly large number of permutations to check, and at one point, it probably would have been enough. However, computational power is free now, at least for spammers. And it doesn't take much. Here's a sample perl (!) program I ran on my Debian GNU/Linux laptop (1.2GHz Pentium M).

    for $i (1 .. 26) {
    for $j (1 .. 26) {
    next if $i == $j;
    for $k (1 .. 26) {
    next if $i == $k || $j == $k;
    for $l (1 .. 26) {
    next if $l == $i || $l == $j || $l == $k;
    for $m (1 .. 26) {
    next if $m == $i || $m == $j || $m == $k || $m == $l;
    print chr(97 + $i) . chr(97 + $j) . chr(97 + $k) . chr(97 + $l) . chr(97 + $m) . "\n";
    } } } } }

    This just prints out all the permutations; of course they still would need to be checked.

    $ time perl -e ' ... program here ... '
    real 0m26.109s
    user 0m25.746s
    sys 0m0.020s

    Not very long on a modern computer, eh? And written in perl, too, not exactly the fastest programming language in the world. Now consider that spammers have access to just about infinite CPU and bandwidth, thanks to their army of zombie bots, and that both CPU power and bandwidth are likely to increase at a rather rapid rate in the next decade. Furthermore, this is a worst case scenario -- success in a brute force attack tends to occur somewhere in the middle, not towards the end, reducing the necessity to actually go through all the permutations.

    You don't think they'd try to crack it?

    Plus, by his own admission, e-mail addresses can be shared. What does this mean in this context? I don't even need to get the e-mail address encoded in the CAPTCHA! If I can get any working e-mail address, even one, I get through! So the more active he is, e-mail wise, the more likely I can randomly strike a hit in the first hundred or so tries.

    On top of