RE: Account LockoutsDec 07 2004 02:26AM Jefferies, Darren (Darren Jefferies health wa gov au)
Hi All, I think the idea of using SIRDS to visually 'encode' the numerals is really good. I had considered writing software to do exactly this several years ago. Sort of like a pseudo-holographic signature. The problem with this method though is that most people can't see sirds. I wrote a SIRDS generator several years ago and found that very few people I know are actually able to see them.
I've given some thought to the whole captcha scenario and it seems to me that a good possibility would be using the same colormap for the foreground and background and using a fractal algorithm to generate two images with the second one being used as a 'template' for the text. One possibility would be to use two different fractal algorithms to generate the pictures. It would also be possible to use the same algorithm for both and 'rotate' the colour map. If the numbers were made reasonably large, using small random 'waves' to shift the image of the numbers vertically and/or horizontally would also help make OCR techniques extremely difficult to apply. The result of this would be a picture with the same colours throughout but the numbers would contrast to the human eye because of a different pattern in the colours. Such a system would be very difficult to distinguish the numbers electronically and due to nearly infinite possibilities for the 'seed' values it would be difficult for a computer to figure out the algorithm. Of course, for this to work, the seed values would have to change for every image sent.
Darren Jefferies
-----Original Message-----
From: The Amazing Dragon (Elliott Mitchell) [mailto:ehem (at) cs.pdx (dot) edu [email concealed]]
Sent: Monday, 6 December 2004 2:22 PM
To: Mark Burnett
Cc: secprog (at) securityfocus (dot) com [email concealed]
Subject: Re: Account Lockouts
>From: Mark Burnett <mb (at) xato (dot) net [email concealed]>
> There has been some talk of CAPTCHA's in this thread and I wanted to comment on them further. Although CAPTCHA's are very effective at blocking automated abuse, in their current form they are not an effective long term strategy. The problem is that with our current image enhancement, OCR, and AI technology, they can be cracked with quite good accuracy. Their limited use and proprietary implementations still makes them useful for now but once someone releases a script kiddie tool to automate CAPTCHA cracking, they will become mostly ineffective.
>
I'm surprised that no one has implemented one yet. Though OCR programs
are at least halfway there. In the absence of those, the method of using
a porn site and passing the image to someone to decode for you is very
effective.
> Furthermore, I have seen many CAPTCHA implementations that are simply flawed. For example, instructing the user to select one of three choices means that a script can randomly guess and still be 33% accurate. Furthermore, I have seen e-mail systems that come with a collection of photos for CAPTCHA use but everyone with that program has the same exact photos. It would be trivial to build a tool to bypass that product's CAPTCHA feature. I have also seen image manipulations, such as excessive use of color or adding noise, which might seem confusing to humans but are quite meaningless to a computer program and do little to prevent automated interpretation.
>
Using SIRDS as a transformation might be pretty effective against current
recognizers. Methods similar to the anti-copying protections on cheques
would be worthy of trying (displaying larger dots with larger spacings
and smaller dots with smaller spacings for a consistant color). Might be
interesting to use patterns similar to color-blindness tests, but then
you need to be able to count on someone to be color-sensitive (though you
can then use this as secondary protection, color-blind get a different
answer).
This still only works as long as someone doesn't produce an OCR that
recognizes them. Only a matter of time.
> Someone earlier mentioned adding a secret question to the CAPTCHA, but you must be careful with that type of implementation. Before you ask a secret question, you first must know who the user is. This leads to continuity problems and might allow for attackers to brute-force usernames, which can also be a problem.
>
And worse, it is simply another password. Adds difficulty, but it is just
another password. Worse, this is likely to be much easier to guess than
the original password.
I've given some thought to the whole captcha scenario and it seems to me that a good possibility would be using the same colormap for the foreground and background and using a fractal algorithm to generate two images with the second one being used as a 'template' for the text. One possibility would be to use two different fractal algorithms to generate the pictures. It would also be possible to use the same algorithm for both and 'rotate' the colour map. If the numbers were made reasonably large, using small random 'waves' to shift the image of the numbers vertically and/or horizontally would also help make OCR techniques extremely difficult to apply. The result of this would be a picture with the same colours throughout but the numbers would contrast to the human eye because of a different pattern in the colours. Such a system would be very difficult to distinguish the numbers electronically and due to nearly infinite possibilities for the 'seed' values it would be difficult for a computer to figure out the algorithm. Of course, for this to work, the seed values would have to change for every image sent.
Darren Jefferies
-----Original Message-----
From: The Amazing Dragon (Elliott Mitchell) [mailto:ehem (at) cs.pdx (dot) edu [email concealed]]
Sent: Monday, 6 December 2004 2:22 PM
To: Mark Burnett
Cc: secprog (at) securityfocus (dot) com [email concealed]
Subject: Re: Account Lockouts
>From: Mark Burnett <mb (at) xato (dot) net [email concealed]>
> There has been some talk of CAPTCHA's in this thread and I wanted to comment on them further. Although CAPTCHA's are very effective at blocking automated abuse, in their current form they are not an effective long term strategy. The problem is that with our current image enhancement, OCR, and AI technology, they can be cracked with quite good accuracy. Their limited use and proprietary implementations still makes them useful for now but once someone releases a script kiddie tool to automate CAPTCHA cracking, they will become mostly ineffective.
>
I'm surprised that no one has implemented one yet. Though OCR programs
are at least halfway there. In the absence of those, the method of using
a porn site and passing the image to someone to decode for you is very
effective.
> Furthermore, I have seen many CAPTCHA implementations that are simply flawed. For example, instructing the user to select one of three choices means that a script can randomly guess and still be 33% accurate. Furthermore, I have seen e-mail systems that come with a collection of photos for CAPTCHA use but everyone with that program has the same exact photos. It would be trivial to build a tool to bypass that product's CAPTCHA feature. I have also seen image manipulations, such as excessive use of color or adding noise, which might seem confusing to humans but are quite meaningless to a computer program and do little to prevent automated interpretation.
>
Using SIRDS as a transformation might be pretty effective against current
recognizers. Methods similar to the anti-copying protections on cheques
would be worthy of trying (displaying larger dots with larger spacings
and smaller dots with smaller spacings for a consistant color). Might be
interesting to use patterns similar to color-blindness tests, but then
you need to be able to count on someone to be color-sensitive (though you
can then use this as secondary protection, color-blind get a different
answer).
This still only works as long as someone doesn't produce an OCR that
recognizes them. Only a matter of time.
> Someone earlier mentioned adding a secret question to the CAPTCHA, but you must be careful with that type of implementation. Before you ask a secret question, you first must know who the user is. This leads to continuity problems and might allow for attackers to brute-force usernames, which can also be a problem.
>
And worse, it is simply another password. Adds difficulty, but it is just
another password. Worse, this is likely to be much easier to guess than
the original password.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\ ( | EHeM (at) cs.pdx (dot) edu [email concealed] PGP 8881EF59 | ) /
\_ \ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
[ reply ]