Slashdot Mirror
Defeating Captcha
An anonymous reader pointed us at PWNtcha, a package that breaks various on-line captcha algorithms. The site provides numerous examples of easy (Paypal, and an older version of Slashdot make the list) and hard Captcha. It also links various sources explaining why Captcha is a bad idea.
here
Whew, I had never even heard of Captcha before...
A captcha is a type of challenge-response test used in computing to determine whether or not the user is human.
A while ago, I remember hearing about how some spammers whould post the Yahoo Mail (or other free email services) Captchas on the registration forms on pr0n sites. The pr0n registrants would have to fill out the Captcha, but this would then be used by the spammer to get around the Captcha without any fancy software.
captcha stops bots
pwntcha breaks captcha
slashdot cremates pwntcha
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Having a legally blind mother that uses the web, I wonder how captcha complies with the Americans With Disabilities Act (when used by American companies of course)?
Is it compatible with BLINUX? I think by definition it is not.
Perhaps I should ask, what alternate method of identification do sights employ to take into account blind users and the ADA?
The problem is that people are using robots to work in an autonomous manner to find ways around typical human limitations (we can only send several hundred emails a day, robots are not so limited). So people want to stop these "cheater" by making the user prove that they are a human rather than a robot.
Is this really a good thing, though? Even on a site like Slashdot, in a story about defeating bots, the very first comment in this story is posted by a bot. How ironic is that? What is accomplished by banning users who can't read these "captchas" (what a horrendous fake word)? Nothing, apparently, as the story says. It only serves to annoy legitimate users and does nothing to hamper illegitimate robots.
The solution is not this sort of halfway measure. The solution is to make it simply not worth the effort to be a nuisance on a discussion forum. I suppose that requires a glut of intelligent posters, but with the entire citizenry of the Internet available, that can't be so hard.
Jesus saved me from my past. He can save you as well.
You could just write the bot to decompile the .swf file and grab the string (or vector/raster representation of the text) from that.
Flash is a bad format to use for a CAPTCHA from a security and accessibility point of view.
http://www.gh-sts.com/captcha.txt
This is what slashdot's previous iteration of a captcha looked like in an in-memory associative array after the intersecting lines had been removed and a de-skewing algorithm applied. There was actually a version of the code after that which properly picked out where the lines actually intersected the letters and didn't erase the intersecting section to create those gaps.
Before they switched to the newest CAPTCHA system, I was breaking their CAPTCHAs with a modified SS.pl script with almost 100% accuracy (it had a little trouble properly splitting up the text when a j or other similar character wrapped partially under another letter).
Of course, the new CAPTCHAs are much harder. I can't even read some of them myself, but the point is that breaking CAPTCHA that people can easily read usually isn't really that hard.
Yes, I used ImageMagick's Perlmagick library.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Thanks for linking the Goatse Man image in the article. Oh how I've missed being tricked into viewing thee.
The link is not work safe.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.