Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defeating Captcha

Posted by CmdrTaco on from the security-through-irritation dept.

An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.

9 of 430 comments (clear)

  1. Old news is no news. :-( by XorNand · · Score: 4, Informative
    # Q. Where is the code? # A. No code is available yet. I am still pondering the pertinence of allowing code in the wild. The good old full-disclosure debate... If you think I should release the code for PWNtcha, feel free to explain your arguments to me.
    ::sigh:: The blurb leads one to believe that there's a new script kiddie tool in the wild. This is just someone's experiment with OCR and some AI. (And an old project at that; I remember reading this site about six months ago while working on my own Captcha implementation). There's a handful of researchers around the world doing the same type of work, including at team at UC Berkeley that devised a system that they claimed was 92% accurate... back in 2003. All in all, this isn't all that newsworthy.
    --
    Entrepreneur : (noun), French for "unemployed"
  2. mirrored by Anonymous Coward · · Score: 5, Informative

    here

  3. What Captcha is... by geders · · Score: 5, Informative

    Whew, I had never even heard of Captcha before...

    A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.

  4. It is patented by dmeranda · · Score: 3, Informative

    This is a good study of how hard it is to design secure systems. It's just like a non-cryptographer trying to create their own cipher, only in the visual processing world. Sadly, the article does not touch on non-visual captchas, which are alternatives for the blind. It would also be interesting to see what Jakob Nielsen might have to say on this technology from a usability perspective.

    Of course, one of the primary bad things is that the concept of a captcha is patented, and the patent language is very broad. US Patent# 6,195,698

    Also see the Wikipedia article for more information.

  5. Re:From the site... by the_mad_poster · · Score: 5, Informative

    http://www.gh-sts.com/captcha.txt

    This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.

    Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).

    Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.

    Yes, I used ImageMagick's Perlmagick library.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  6. Re:spammer's low-tech way by Goaway · · Score: 4, Informative

    It originated as an off-hand remark by someone - maybe Cory Doctorow, I forget - as an example for a theoretical way to break captchas. This was quickly misremembered and blown out of proportion by people wanting to seem clever on Slashdot.

  7. The linked page is NSFW by poincaraux · · Score: 4, Informative

    Editors -

    Please don't link to the goatse man without at least some warning.

    Thanks.

  8. Goatse Man by Inda · · Score: 5, Informative

    Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.

    The link is not work safe.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  9. Re:From the site... by cHiphead · · Score: 3, Informative

    THIS IS ONE GIANT TROLL ARTICLE! LOL!

    About 3/4ths down the page there is a goatse picture, and the caption at the top thanks the GNAA. Wake up slashdot.

    --

    This is my sig. There are many like it, but this one is mine.