Thread: confirming it's a person

confirming it's a person
2008-03-24 16:04:35
I would like to RTFM on alternatives to CAPTCHAs,
but I don't know what FM to R.

If someone here wants to say "forget it" or "this
is the current best technique" or what-have-you,
I'd be thankful to hear.  Not trying to start a
large thread; you can, if you like.

--dan

_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Re: confirming it's a person
2008-03-25 13:44:42

re Captchas:

You could just ask the user to retype two strings and measure how long
it takes for them to type it in, a la BioPassword. BioPassword tries to
use biometrics to determine which person someone is (by measuring how
long their fingers take to move between keys with a flash applet, for
example), but biometrics are often quite useful for "this is a person".
Of course, you'll have to make a model for each different keyboard type
if you're internationally savvy. Rather than having a single password
the user types, you'll want to have a "random string".

Hmm. If you give everyone two strings to type, you could build a
database of timings with the second string, and simple datapoint
grouping will get you which keyboard they are using so you can build
your models. Then you can start rotating that second string in and
retiring your first string after your model is built and tested. You
need a continual stream of random strings+statistical models because
otherwise people will just type them in once, slightly modify them, and
submit them mechanically.

I don't have code to do this, of course. The counter-attack would be a
good model of how a human types on a keyboard, where given a random
string you could generate timings. That might not be a difficult thing
to build to the level of precision you'd need, but it might. Then again,
typing in long random strings might be much more annoying than trying to
read distorted images. :>

Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is
going to demo his new CANVAS Win32 kernel rootkit for anyone who asks,
he tells me. :>

-dave


dan@geer.org wrote:
| I would like to RTFM on alternatives to CAPTCHAs,
| but I don't know what FM to R.
|
| If someone here wants to say "forget it" or "this
| is the current best technique" or what-have-you,
| I'd be thankful to hear.  Not trying to start a
| large thread; you can, if you like.
|
| --dan

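Dave's timing scheme above, as an added example that is not code from the thread or from BioPassword. It assumes a client contract in which the browser records a key-up timestamp in milliseconds for every character of the server-supplied random string and posts that list alongside the text; the server keeps a per-string model built from earlier human submissions (the "statistics gathering" string) and rejects attempts that are too fast, too regular, or too far from the model. The thresholds, the sample timings, and the function names are all assumptions for illustration.

```python
"""Keystroke-timing liveness check for a server-supplied random string.

Added example, not code from the thread or from BioPassword.  Assumed
client contract: for each key-up while retyping the random string, the
client records a timestamp in milliseconds and posts the whole list
together with the typed text.
"""
import statistics
from typing import List, Sequence

# Thresholds are illustrative assumptions, not measured figures.
MIN_HUMAN_INTERVAL_MS = 20.0   # a shorter gap between two random keys is scripted
MIN_CV = 0.05                  # stdev/mean below this is a metronome-like replay
MAX_MEAN_ABS_Z = 3.0           # average |z| against the per-string human model
SD_FLOOR_MS = 5.0              # keeps z-scores finite on near-constant columns


def intervals(timestamps_ms: Sequence[float]) -> List[float]:
    """Key-up timestamps -> inter-key intervals (digraph latencies)."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


class StringTimingModel:
    """Per-random-string model of how humans type it.

    Dave's scheme fills this from the extra 'statistics gathering' string
    each visitor types; once enough samples exist the string can be rotated
    into service as a real check.
    """

    def __init__(self, required_samples: int = 5) -> None:
        self.required = required_samples
        self.samples: List[List[float]] = []

    def add_sample(self, timestamps_ms: Sequence[float]) -> None:
        self.samples.append(intervals(timestamps_ms))

    def ready(self) -> bool:
        return len(self.samples) >= self.required

    def mean_abs_z(self, ivs: Sequence[float]) -> float:
        """Average |z-score| of each interval against the same position in
        the human samples; large values mean 'not how people type this'."""
        zs = []
        for pos, value in enumerate(ivs):
            column = [s[pos] for s in self.samples]
            mu = statistics.mean(column)
            sd = max(statistics.stdev(column), SD_FLOOR_MS)
            zs.append(abs(value - mu) / sd)
        return statistics.mean(zs)


def classify(timestamps_ms: Sequence[float], model: StringTimingModel) -> str:
    """Return 'accept' or a 'reject:<reason>' string for one submission."""
    ivs = intervals(timestamps_ms)
    if len(ivs) < 2 or (model.samples and len(ivs) != len(model.samples[0])):
        return "reject:wrong-length"
    if min(ivs) < MIN_HUMAN_INTERVAL_MS:
        return "reject:too-fast"
    if statistics.stdev(ivs) / statistics.mean(ivs) < MIN_CV:
        return "reject:too-regular"
    if model.ready() and model.mean_abs_z(ivs) > MAX_MEAN_ABS_Z:
        return "reject:off-model"
    return "accept"


# Constructed sample data: five volunteers retyping the same 8-character
# random string (key-up times in ms), plus three test submissions.
HUMAN_SAMPLES = [
    [0, 210, 430, 610, 880, 1050, 1290, 1480],
    [0, 180, 400, 590, 830, 1010, 1230, 1400],
    [0, 250, 470, 690, 960, 1130, 1370, 1560],
    [0, 200, 410, 600, 900, 1090, 1310, 1500],
    [0, 230, 460, 640, 870, 1060, 1300, 1470],
]
HUMAN_ATTEMPT = [0, 220, 440, 630, 890, 1070, 1300, 1480]   # a sixth person
REPLAY_ATTEMPT = [0, 150, 300, 450, 600, 750, 900, 1050]    # fixed 150 ms delay
FAST_BOT_ATTEMPT = [0, 60, 120, 185, 240, 310, 365, 430]    # jittered but 4x too fast


def build_demo_model() -> StringTimingModel:
    model = StringTimingModel()
    for sample in HUMAN_SAMPLES:
        model.add_sample(sample)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for name, attempt in [("human", HUMAN_ATTEMPT), ("replay", REPLAY_ATTEMPT),
                          ("fast bot", FAST_BOT_ATTEMPT)]:
        print(f"{name:9s} -> {classify(attempt, m)}")
```

The counter-attack Dave names, a generative model of how a person types a given string, is aimed squarely at the `mean_abs_z` check: an attacker who can sample plausible intervals per position passes it, which is why the string and its model have to keep rotating rather than being reused.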

Re: confirming it's a person
2008-03-25 15:44:07

Jonathan Wilkins wrote:
| The problem with that is that it's only as difficult for the attacker to
| build the model as it is for the defender.
|

The defender doesn't have to build a model in this particular example
though - the mobs of humans build it for you - you just have to do
pattern recognition on the data. So it is asymmetric because you supply
the random strings, and the humans generate data for you. I don't think
you are resource limited (if each human submits three strings, one real
and two statistics gathering examples, then your supply of random
strings+statistics should replenish faster than it goes away?), but as
for the false positive rate, I'm not sure. I'd have to go head to head
with you on this one with real working code, and I don't have time to
learn Silverlight/Flash right now. :>

All captcha type systems are broken if an attacker owns a popular online
service though, right? Because they can just put the captcha up on their
service and have a real human answer it. :>

Hmm. Palladium would have solved this problem, like almost all security
problems, by building a trusted PKIed tunnel from the online service to
your machine's CPU, but everyone hated it. I wonder what VMWare is going
to do when Microsoft makes it mandatory to use Palladium-like technology
to get to hotmail and only VirtualPC is allowed to support it?

-dave


| To be useful, a system of this sort has to be:
| - Asymmetric in effort (has to cost the attacker much more than the
| defender)
| - Can't rely on resource scarcity (of the type attackers can steal).  This
| is the major weakness in hashcash type systems in the face of bot nets.
| - Have a low random/partial success rate
|
| I have a white paper on breaking various CAPTCHA systems (and building
| better ones) coming out soon.  I don't want to side track the thread on
| specific CAPTCHA issues though.
|
| On Tue, Mar 25, 2008 at 11:44 AM, Dave Aitel <dave@immunityinc.com> wrote:
|
| re Captchas:
|
| You could just ask the user to retype two strings and measure how long
| it takes for them to type it in, a la BioPassword. BioPassword tries to
| use biometrics to determine which person someone is (by measuring how
| long their fingers take to move between keys with a flash applet, for
| example), but biometrics are often quite useful for "this is a person".
| Of course, you'll have to make a model for each different keyboard type
| if you're internationally savvy. Rather than having a single password
| the user types, you'll want to have a "random string".
|
| Hmm. If you give everyone two strings to type, you could build a
| database of timings with the second string, and simple datapoint
| grouping will get you which keyboard they are using so you can build
| your models. Then you can start rotating that second string in and
| retiring your first string after your model is built and tested. You
| need a continual stream of random strings+statistical models because
| otherwise people will just type them in once, slightly modify them, and
| submit them mechanically.
|
| I don't have code to do this, of course. The counter-attack would be a
| good model of how a human types on a keyboard, where given a random
| string you could generate timings. That might not be a difficult thing
| to build to the level of precision you'd need, but it might. Then again,
| typing in long random strings might be much more annoying than trying to
| read distorted images. :>
|
| Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is
| going to demo his new CANVAS Win32 kernel rootkit for anyone who asks,
| he tells me. :>
|
| -dave
|
|
| dan@geer.org wrote:
| | I would like to RTFM on alternatives to CAPTCHAs,
| | but I don't know what FM to R.
| |
| | If someone here wants to say "forget it" or "this
| | is the current best technique" or what-have-you,
| | I'd be thankful to hear.  Not trying to start a
| | large thread; you can, if you like.
| |
| | --dan


Re: confirming it's a person
2008-03-25 23:31:03

I think we have already discussed this topic, and someone said we could
use pictures of cats and other animals and ask the user to count the
number of cats on the photos.

Microsoft is working on this, it looks promising.

http://research.microsoft.com/asirra/


dan@geer.org wrote:
> I would like to RTFM on alternatives to CAPTCHAs,
> but I don't know what FM to R.
>
> If someone here wants to say "forget it" or "this
> is the current best technique" or what-have-you,
> I'd be thankful to hear.  Not trying to start a
> large thread; you can, if you like.
>
> --dan


Re: confirming it's a person
2008-03-26 01:28:58
On Mon, Mar 24, 2008 at 2:04 PM,  <dan@geer.org> wrote:
>  I would like to RTFM on alternatives to CAPTCHAs,

I recall sending this link to Robert Auger when he was interested in
gathering research on the current, "state-of-the-art" in CAPTCHA
technology
http://www.ocr-research.org.ua

Do per-page tokens or another solution even partly solve the problem
you are trying to solve?

Cheers,
Andre

Re: confirming it's a person
2008-03-26 09:31:40
On Wed, 2008-03-26 at 01:31 -0300, Agutin Gianni wrote:
> I think we have already discussed this topic, and someone said we could
> use pictures of cats and other animals and ask the user to count the
> number of cats on the photos.

One of my favorite alternative captchas:

http://www.hotcaptcha.com/


(fairly safe for work I suppose)

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon@oberheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE


Re: confirming it's a person
2008-03-26 09:51:08
I think a lot of this is just guess work if we don't know what the purpose is. Is this to protect a login form on a web site?
One thing that I've always wondered is how well a site that has good state management will fare against a brute force attempt.
If the user must go through 2-3 actions to login, it should be pretty easy to determine if that sequence is being repeated more
than is normal for a human as the system can track the progress of where the user 'is' on the server side.
-isaac


On Wed, Mar 26, 2008 at 3:28 PM, Andre Gironda <andreg@gmail.com> wrote:
> On Mon, Mar 24, 2008 at 2:04 PM,  <dan@geer.org> wrote:
> >  I would like to RTFM on alternatives to CAPTCHAs,
>
> I recall sending this link to Robert Auger when he was interested in
> gathering research on the current, "state-of-the-art" in CAPTCHA
> technology
> http://www.ocr-research.org.ua
>
> Do per-page tokens or another solution even partly solve the problem
> you are trying to solve?
>
> Cheers,
> Andre
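Isaac's server-side sequence tracking and Andre's per-page tokens, combined in one added example that is not code from the thread. It assumes a three-step login flow (form, credential submit, second-step verify): the server issues a one-shot token when it renders the form and requires it on the following steps, and a client is flagged either for completing the whole sequence faster than a person could or for completing it more than a few times per minute. The step names, thresholds, and simulated clients are assumptions for illustration.

```python
"""Server-side login-flow state tracking with per-page tokens.

Added example (not code from the thread).  Assumed flow: the server renders
the login form (issuing a one-shot token), the client POSTs credentials with
that token, then completes a second verification step.  Each request must
arrive in order with the right token, and the whole sequence must take at
least as long as a person needs and not repeat too often per client.
"""
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, List

STEPS = ("form", "submit", "verify")   # assumed three-step login
MIN_HUMAN_SEQUENCE_SECONDS = 2.0       # illustrative floor for form->verify
MAX_SEQUENCES_PER_WINDOW = 5           # illustrative per-client cap
WINDOW_SECONDS = 60.0


class FlowGuard:
    def __init__(self) -> None:
        # client -> [index of the next expected step, token, time form was served]
        self.state: Dict[str, list] = {}
        self.completions: Dict[str, Deque[float]] = defaultdict(deque)
        self.flagged = set()

    def issue_form(self, client: str, now: float) -> str:
        """Serve the form: start (or restart) the sequence with a fresh token."""
        token = secrets.token_hex(16)
        self.state[client] = [1, token, now]
        return token

    def step(self, client: str, step: str, token: str, now: float) -> str:
        st = self.state.get(client)
        if st is None or STEPS[st[0]] != step:
            return "reject:out-of-sequence"    # skipped or repeated a step
        if not secrets.compare_digest(token, st[1]):
            return "reject:bad-token"          # forged, stale or reused token
        st[0] += 1
        if st[0] < len(STEPS):
            return "ok"
        # Sequence complete: the token is consumed; check pace and frequency.
        elapsed = now - st[2]
        del self.state[client]
        recent = self.completions[client]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if elapsed < MIN_HUMAN_SEQUENCE_SECONDS or len(recent) > MAX_SEQUENCES_PER_WINDOW:
            self.flagged.add(client)
            return "complete:flagged"
        return "complete"


def simulate() -> Dict[str, object]:
    """Constructed clients: one person and three kinds of script."""
    guard = FlowGuard()
    out: Dict[str, object] = {}

    tok = guard.issue_form("human", 0.0)
    guard.step("human", "submit", tok, 4.2)
    out["human"] = guard.step("human", "verify", tok, 6.0)

    # Script that never loaded the form and posts straight to the handler.
    out["skip"] = guard.step("bot-skip", "submit", "deadbeef", 1.0)

    # Script that loaded the form but sends a made-up token.
    guard.issue_form("bot-forge", 1.0)
    out["forged"] = guard.step("bot-forge", "submit", "0" * 32, 1.1)

    fast: List[str] = []                        # whole sequence in 0.4 s, repeatedly
    for i in range(6):
        t = 10.0 + i * 1.5
        tok = guard.issue_form("bot-fast", t)
        guard.step("bot-fast", "submit", tok, t + 0.2)
        fast.append(guard.step("bot-fast", "verify", tok, t + 0.4))
    out["fast"] = fast

    paced: List[str] = []                       # human pace, but six times a minute
    for i in range(6):
        t = 100.0 + i * 8.0
        tok = guard.issue_form("bot-paced", t)
        guard.step("bot-paced", "submit", tok, t + 2.0)
        paced.append(guard.step("bot-paced", "verify", tok, t + 4.0))
    out["paced"] = paced

    out["flagged"] = sorted(guard.flagged)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:8s} {v}")
```

The per-page token is what makes the "out of sequence" check meaningful: without it a script can post to the credential handler directly and the server has no way to tell that the form step was skipped. Neither check stops a botnet that spreads slow, well-formed sequences across many clients, which is the resource-scarcity weakness Jonathan raises earlier in the thread.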

Re: confirming it's a person
2008-03-26 12:21:41
>  I think we have already discussed this topic, and someone said we could
>  use pictures of cats and other animals and ask the user to count the
>  number of cats on the photos.
>
>  Microsoft is working on this, it looks promising.
>
>  http://research.microsoft.com/asirra/

I think a weak point may be that petfinder.com pictures are available
to the public too.

An attacker could let some bots crawl petfinder.com by category, grab
the thumbnails (or the big pictures) and resize 'em to asirra thumbnail
size (to avoid the bottom text "petfinder.com" logo on asirra big
pictures) and put some CRC of that into a DB (maybe even make it b/w and
low-res, only take specified part(s) of the picture for the CRC and so
on). This sure won't be perfect, but for some usable percentage I think
it may currently work.

Regards,
 Stefan
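Stefan's crawl-and-hash idea as an added example, not code from the thread or from Asirra. A CRC of the resized thumbnail only matches when every byte matches, so any re-encoding, brightening or resampling between the crawled petfinder.com copy and the served challenge image breaks the lookup; the same lookup keyed by a perceptual difference hash (dHash, compared by Hamming distance) survives such changes, which is the direction Stefan's "b/w and low-res" remark points. The images are constructed in-memory grayscale arrays so the example runs offline; the resize method, hash sizes and distance threshold are assumptions.

```python
"""Exact CRC lookup versus perceptual-hash lookup for a crawled image DB.

Added example, not code from the thread or from Asirra.  Images are plain
grayscale arrays (rows of 0..255 ints) constructed in-memory so that the
example runs without an image library or network access.
"""
import zlib
from typing import Dict, List, Optional

Image = List[List[int]]


def box_resize(img: Image, w: int, h: int) -> List[List[float]]:
    """Area-average downscale to w x h (the 'make it low-res' step)."""
    H, W = len(img), len(img[0])
    out = []
    for j in range(h):
        y0, y1 = j * H // h, max((j + 1) * H // h, j * H // h + 1)
        row = []
        for i in range(w):
            x0, x1 = i * W // w, max((i + 1) * W // w, i * W // w + 1)
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total / ((y1 - y0) * (x1 - x0)))
        out.append(row)
    return out


def crc_thumbnail(img: Image) -> int:
    """Stefan's literal proposal: CRC32 of the 16x16 thumbnail bytes."""
    small = box_resize(img, 16, 16)
    return zlib.crc32(bytes(int(v) for row in small for v in row))


def dhash(img: Image) -> int:
    """Difference hash: 9x8 downscale, one bit per 'left pixel brighter
    than its right neighbour'.  Uniform brightness changes and mild noise
    leave the bits alone; the 64 bits are packed into an int."""
    small = box_resize(img, 9, 8)
    bits = 0
    for row in small:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def lookup_by_dhash(db: Dict[int, str], img: Image, max_distance: int = 10) -> Optional[str]:
    """Nearest-neighbour lookup; None when nothing in the DB is close enough."""
    h = dhash(img)
    best = min(db, key=lambda k: hamming(k, h))
    return db[best] if hamming(best, h) <= max_distance else None


# Constructed stand-ins for crawled photos: a high-contrast block pattern
# with a gentle gradient ('cat') and a plain vertical gradient ('dog').
def synth_cat(brighten: int = 0, noise: bool = False) -> Image:
    img = []
    for y in range(64):
        row = []
        for x in range(64):
            block = 200 if ((x // 16) + (y // 16)) % 2 == 0 else 50
            v = block + x // 4 + brighten
            if noise and (x + y) % 3 == 0:   # deterministic 'recompression' noise
                v += 2
            row.append(v)
        img.append(row)
    return img


def synth_dog() -> Image:
    return [[y * 3 for _ in range(64)] for y in range(64)]


def demo() -> Dict[str, object]:
    """The crawled original, the same photo as served (brightened + noisy),
    and an unrelated photo; compare both lookup strategies."""
    original, served, other = synth_cat(), synth_cat(brighten=20, noise=True), synth_dog()
    return {
        "crc_matches": crc_thumbnail(original) == crc_thumbnail(served),
        "dhash_distance": hamming(dhash(original), dhash(served)),
        "unrelated_distance": hamming(dhash(original), dhash(other)),
        "lookup": lookup_by_dhash({dhash(original): "cat", dhash(other): "dog"}, served),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

A real crawler would hash the petfinder.com thumbnails after cropping the logo area Stefan mentions and store a few million 64-bit hashes; the nearest-neighbour scan above is linear and would be replaced by a BK-tree or multi-index hashing at that scale, but the matching logic is the same.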

Re: confirming it's a person
2008-03-26 13:30:02

On Tue, Mar 25, 2008 at 9:31 PM, Agutin Gianni <agustingianni@gmail.com> wrote:
> I think we have already discussed this topic, and someone said we could
> use pictures of cats and other animals and ask the user to count the
> number of cats on the photos.
>
> Microsoft is working on this, it looks promising.
>
> http://research.microsoft.com/asirra/

As cool as ASIRRA is, and as awesome as it is that they help find homes for pets, it is more or less "a better CAPTCHA." I took the original post as a request for a manual for bot-detection techniques in addition to CAPTCHAs. I don't know of anything in one place on this topic, although I can think of things like Bayesian filters for the spam application as maybe a place to start.

Incidentally, this paper just showed up on eprint.iacr.org. The author claims an automatic classifier between cats and dogs that can pass a 12-image ASIRRA challenge 10.3% of the time:

Machine Learning Attacks Against the ASIRRA CAPTCHA
Philippe Golle

-David Molnar

Re: confirming it's a person
2008-03-26 13:39:52
Algorithms like SIFT (http://en.wikipedia.org/wiki/Scale-invariant_feature_transform)
make this even more accurate.

FWIW, here's my opinion on the technology.  Some of this is from memory.
First, they're ok with a 1/4096 success rate from random guesses according to
their paper.  They say that they have a very large database to pull from (all
of the previously posted data that attackers wouldn't have access to) but I'm
figuring that adding a few thousand pre-tagged animals to the mix every week
(the animals available for adoption currently) in combination with the fact that
attackers can farm out solving them and also save correct answers means that
the attacker's cost declines over time and their success rate increases.

Not good characteristics.

On Wed, Mar 26, 2008 at 10:21 AM, Stefan Wagner <ffm.stefan@googlemail.com> wrote:
> >  I think we have already discussed this topic, and someone said we could
> >  use pictures of cats and other animals and ask the user to count the
> >  number of cats on the photos.
> >
> >  Microsoft is working on this, it looks promising.
> >
> >  http://research.microsoft.com/asirra/
>
> I think a weak point may be that petfinder.com pictures are available
> to the public too.
>
> An attacker could let some bots crawl petfinder.com by category, grab
> the thumbnails (or the big pictures) and resize 'em to asirra thumbnail
> size (to avoid the bottom text "petfinder.com" logo on asirra big
> pictures) and put some CRC of that into a DB (maybe even make it b/w and
> low-res, only take specified part(s) of the picture for the CRC and so
> on). This sure won't be perfect, but for some usable percentage I think
> it may currently work.
>
> Regards,
>  Stefan
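The figures in the two messages above, worked through as an added example that is not from the thread or from Golle's paper: a 12-image cat/dog challenge answered by coin flips passes with probability 2^-12 = 1/4096; a classifier that passes 10.3% of the time must therefore get each image right about 83% of the time if its per-image errors are independent; and once the attacker holds a growing database of already-labelled images (answers saved from earlier challenges, farmed out to people, or matched against crawled petfinder.com photos) the pass rate climbs toward 1. The 12-image challenge size and the 10.3% rate are quoted from the thread; the "known fraction" model of the attacker's database and the independence assumption are mine.

```python
"""Pass-rate arithmetic for an n-image binary (cat/dog) image challenge.

Added example, not from the thread or from Golle's paper.  Figures used:
12 images per challenge and a 10.3% machine pass rate (both quoted in the
thread); the 'known fraction' attacker model and the assumption that
per-image errors are independent are illustrative.
"""
import math


def random_guess_pass_rate(n_images: int = 12) -> float:
    """Coin-flip attacker: every image is a 50/50 guess."""
    return 0.5 ** n_images


def per_image_accuracy(pass_rate: float, n_images: int = 12) -> float:
    """Invert pass_rate = accuracy ** n for independent per-image errors."""
    return pass_rate ** (1.0 / n_images)


def challenge_pass_rate(accuracy: float, n_images: int = 12,
                        known_fraction: float = 0.0) -> float:
    """Attacker who already knows the label of a fraction of the image pool
    (saved answers, farmed-out solving, or crawled-photo matches) and runs
    the classifier on the remaining images."""
    p_correct = known_fraction + (1.0 - known_fraction) * accuracy
    return p_correct ** n_images


def expected_attempts(pass_rate: float) -> float:
    """Mean number of challenges per successful pass."""
    return 1.0 / pass_rate


def attempts_for_confidence(pass_rate: float, confidence: float = 0.99) -> int:
    """Challenges the attacker must submit to have at least `confidence`
    probability of passing at least once."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - pass_rate))


if __name__ == "__main__":
    acc = per_image_accuracy(0.103)
    print(f"random guessing:        {random_guess_pass_rate():.6f} "
          f"(1/{round(1 / random_guess_pass_rate())})")
    print(f"implied per-image acc:  {acc:.3f}")
    for known in (0.0, 0.25, 0.5, 0.75, 0.9):
        p = challenge_pass_rate(acc, known_fraction=known)
        print(f"known fraction {known:.2f}:    pass {p:.3f}, "
              f"~{expected_attempts(p):.1f} attempts/success, "
              f"{attempts_for_confidence(p)} attempts for 99% chance")
```

The 1/4096 figure is what Jonathan calls the random success rate; the third line of the table is why "save correct answers" matters: every solved image moves the attacker's per-image probability from the classifier's accuracy toward 1, and the challenge raises that to the twelfth power.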
