Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defeating Captcha

Posted by CmdrTaco on from the security-through-irritation dept.

An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.

25 of 430 comments (clear)

  1. Old news is no news. :-( by XorNand · · Score: 4, Informative
    # Q. Where is the code? # A. No code is available yet. I am still pondering the pertinence of allowing code in the wild. The good old full-disclosure debate... If you think I should release the code for PWNtcha, feel free to explain your arguments to me.
    ::sigh:: The blurb leads one to believe that there's a new script kiddie tool in the wild. This is just someone's experiment with OCR and some AI. (And an old project at that; I remember reading this site about six months ago while working on my own Captcha implementation). There's a handful of researchers around the world doing the same type of work, including at team at UC Berkeley that devised a system that they claimed was 92% accurate... back in 2003. All in all, this isn't all that newsworthy.
    --
    Entrepreneur : (noun), French for "unemployed"
  2. mirrored by Anonymous Coward · · Score: 5, Informative

    here

  3. What Captcha is... by geders · · Score: 5, Informative

    Whew, I had never even heard of Captcha before...

    A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.

  4. spammer's low-tech way by Anonymous Coward · · Score: 5, Interesting

    A while ago, I remember hearing about how some spammers whould post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.

    1. Re:spammer's low-tech way by Goaway · · Score: 4, Informative

      It originated as an off-hand remark by someone - maybe Cory Doctorow, I forget - as an example for a theoretical way to break captchas. This was quickly misremembered and blown out of proportion by people wanting to seem clever on Slashdot.

    2. Re:spammer's low-tech way by dgatwood · · Score: 4, Insightful
      Most of these techniques could be defeated with a simple color filter, sadly.... Regardless, crypto is a really good comparison because a lot of crypto can be broken with statistical techniques, and in that regard, getting past Captcha grids can be done using very similar methodology.

      Take a histogram of... say a hundred random subregious within the image of varying sizes and shapes. Sort colors by the number of these subregions in which they appear. Assume that colors that appear in every block (or above some threshold... say 90%) are background. Replace them all with white. Assume that colors that appear in only some of those blocks are foreground. Replace those colors with black. Do your OCR.

      To some extent, you can get around that by masking parts of the text using the same color or by adding chunks of background in the same color, but this is only of limited effectiveness. The only way you can really defeat even the most basic stochastic analysis is by making the color information change from one side of the picture to another. Even then, unless this is done randomly in a dynamic fashion, once you manually figure out the gradation once, the mechanism is broken.

      Basically, these things don't work even at a conceptual level. The fundamental problem is that you have a choice: either require the person to do something that doesn't require thought or require the person to solve problems that require logical thought.

      In the case of the former, it can be obscured easily, but the level of thought needed can be easily simulated by a computer program, and any algorithm one could write to fool that program is inherently reversible. If the noise level is sufficient to make this impractical, it also will be unlikely that a human can read it, though with multiple tests, this could still work---more on this later..

      In the case of the latter, the limitations to the reasonable size of the problem space mean that, while the computer can't simulate the intellect needed to actually figure out the example, it can trivially store a list of all of the problems and their answers and simply regurgitate the right answer on command, in much the same way that most lower animals can be trained to regurgitate an action on command even though they do not actually understand what the command means.

      The only potentially viable mechanism for doing this sort of thing involves dynamic creation of the images using random number generators to perturb the image in ways that are of similar color to the test, using color variation on the text to fool stochastic methods, using foreground masking of the text (i.e. lines that go in front of the text, not just behind it), and using a wide enough variety of fonts, some of which should be things like cursive fonts with variable baselines. That really makes OCR mad.

      If you do all of those things, you -might- have something that could only be broken by a computer a third of the time. The problem is that it could only be broken by a -human- about half of the time. If you do multiple tests, you should be able to establish a reasonable threshold above which the antagonist is likely to be a human rather than a piece of software, though even then, you will have to algorithmically change it frequently or else computers will eventually overtake humans no matter what your algorithm... because, quite frankly, computers are a lot better at DSP than we are. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:spammer's low-tech way by McGregorMortis · · Score: 4, Insightful

      The thing is, then, the porn site asking you to solve the captcha doesn't know the answer themselves. You can screw 'em by giving the wrong answer.

      They'll waste their resources trying to spam with the wrong answer, and you'll still get your porn fix.

  5. rock paper scissors... by jpellino · · Score: 5, Funny

    captcha stops bots
    pwntcha breaks captcha
    slashdot cremates pwntcha

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:rock paper scissors... by swelke · · Score: 4, Funny

      Working that backwards: Slashdot cremates pwntcha, un-breaking captcha. Un-breaking captcha un-stops bots. Therefore, slashdot un-stops bots. I was starting to think the whole slashdot system was just an automated method of destroying the internet; now I have proof. Thanks.

      --
      Have you ever wondered How to Take Over
  6. ADA by dnoyeb · · Score: 5, Insightful

    Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?

    Is it compatible with BLINUX? I think by definition it is not.

    Perhaps I should ask, what alternate method of identification do sights employ to take into account blind users and the ADA?

    1. Re:ADA by donnyspi · · Score: 4, Interesting

      Instead of an image based Turing test like Captcha, I just have the last question on a log in screen or form be a randomly selected super easy question. For example, "Spell the number 7" or "What is the next logical number in the sequence 1, 3, 5, 7, ...? Check it out here: http://www.donnyspi.com/contact.php

    2. Re:ADA by Tumbleweed · · Score: 5, Funny

      I wonder how captcha complies with the Americans With Disabilities Act

      Simple - they just use ALT text for the image! :)

    3. Re:ADA by TheRaven64 · · Score: 4, Funny

      Hmm. Done right, you could weed out bots and stupid people. Excellent!

      --
      I am TheRaven on Soylent News
  7. Consider the problem by ReformedExCon · · Score: 5, Insightful

    The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheater" by making the user prove that they are a human rather than a robot.

    Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.

    The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Consider the problem by A+beautiful+mind · · Score: 5, Insightful

      "What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says."

      I actually disagree. The captcha method reduces spam load for most sites down to zero. Only the bigger sites need to worry, because spammers may set up a site to specifically target them by rerouting captchas. That's not the case with 99% of the websites using captchas, it's just not worth the effort.

      It's sorta like a copy protection: if it stops 90% of the people, then it's good enough.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
  8. Heh by hungrygrue · · Score: 4, Funny

    Well I'm glad someone is writing code to solve those "prove you aren't a script" images, because a lot of times I can't quite figure them out myself.

    • "Q. What is your favorite color?.. No on second thought, nevermind that. What is written in this blob?"
    • A. I'm not sure, is this a rorschach test? Oh, I know 4 - 3 - Two flies mating - U - V - Giant Nose - X."
  9. Its bad idea for several reasons by bogie · · Score: 4, Insightful

    Chiefly among them is sometimes you can't tell what the fucking words are. Within the last few months on more than one occasion I simply could not read the letters because they were so distorted and the lines overlapped the letters too much. No fun redoing a web form over and over because you can't figure out what the hell the verification box says.

    I can't imagine how people with difficulties cope with this.

    --
    If you wanna get rich, you know that payback is a bitch
  10. Interesting flash-based captcha by fahrvergnugen · · Score: 4, Interesting

    I just saw a great flash-based Captcha designed to combat just this sort of attack. The test was composed of white text on a white background. Colored shapes of various sizes swirled in the background behind the text in a pseudo-random pattern, and the text was visible or obfuscated depending on whether there was a shape behind it at the moment. After watching it for a few minutes to see if there were any obvious flaws, I noticed that the entire phrase was never visible all at once.

    A little patience was required, but I was able to verify in less than 10 seconds. Animation seems to be very useful for this kind of application.

    --
    Even Jesus hates listening to Creed.
    1. Re:Interesting flash-based captcha by JimmehAH · · Score: 5, Insightful

      You could just write the bot to decompile the .swf file and grab the string (or vector/raster representation of the text) from that.

      Flash is a bad format to use for a CAPTCHA from a security and accessibility point of view.

  11. Easiest way to Defeat Captchas by Bondolo · · Score: 4, Interesting
    1. Put up a "free" pr0n site.
    2. Require visitors to the pr0n site to process a captcha before viewing the pr0n. In reality they are proxy processing a captcha for another site (paypal, hotmail, yahoo, etc.) which they never see.
    3. Profit!

    Captchas are next to useless and for the visually impaired very frustrating. One more of a example of a technology which annoys everyone and yet doesn't really stop the determined miscreant. <cough>airport shoe inspections</cough>

    --
    -- "Most people prefer a popular myth to an unpopular truth"
  12. Captchas = Turing test by G4from128k · · Score: 4, Insightful

    As with the Turing test, the entire purpose of a captcha is to distinguish humans from machines. As captcha-defeaters improve, the captchas will need to become more and more sophisticated and require more and more human or human-like intelligence to process. This arms race will culminate in a Turing test-like approach for discerning natural intelligences from artificial ones.

    The ultimate irony may occur when the first human-intelligent computer is created by a spammer for the purpose of assaulting our collective intelligences with their commerical drivel. Given the increasing value of online commerce and Google page ranking, there's probably more money in AI for captchas than AI for academic research.

    But before captchas get that sophisticated, the system will become self-defeating as the number of real humans defeated by captchas exceeds the number of AIs repelled by them.

    --
    Two wrongs don't make a right, but three lefts do.
  13. Re:From the site... by the_mad_poster · · Score: 5, Informative

    http://www.gh-sts.com/captcha.txt

    This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.

    Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).

    Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.

    Yes, I used ImageMagick's Perlmagick library.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  14. The linked page is NSFW by poincaraux · · Score: 4, Informative

    Editors -

    Please don't link to the goatse man without at least some warning.

    Thanks.

  15. Goatse Man by Inda · · Score: 5, Informative

    Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.

    The link is not work safe.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  16. Totally fake by VAXGeek · · Score: 4, Insightful

    This article is a fraud. No source is presented, and goatse.cx is displayed in the examples. This whole thing was contrived just to get goatse.cx in a legitimate front page post. Best troll in years.

    --
    this sig limit is too small to put anything good h