The NYT has an article predicting the end of CAPTCHAs, or rather their replacement with a new type of test.
I don't think we have seen the end of the CAPTCHA. Like passwords they are easy to implement and have a high ratio of perceived security to cost. Designers like to sprinkle them liberally onto their Web sites as 'magical anti-bot pixie-dust'.
The problem with CAPTCHAs and their replacements is that the problems chosen are hard for computers to solve only because, until recently, there was no incentive to solve them. Back in 2000 nobody was spending their time trying to run OCR on text that had been deliberately obfuscated with lines, distortion, etc. Today there are plenty of folk in Eastern Europe and Russia who have become experts at it.
Asking folk to pick out all the cats from a mixture of cats and dogs may appear hard today, but wait a couple of weeks after deployment and see if it is still so hard.
And there is also the systems attack. Methinks that Microsoft do not have a very large catalog of photographs to show to users, maybe a thousand, maybe a hundred thousand. The attackers don't need to build a machine to sort the pictures out; they can have people do that for them. They can use the man-in-the-middle porn site attack or just pay folk to do it for them. All they need to do once the pictures are sorted is to undo whatever obfuscation is in place to prevent simple matching of the photographs.
Bruce Schneier often remarks that anyone can design an encryption scheme that they cannot break themselves. In the area of CAPTCHAs I can't do that. I can break every scheme I have seen and I can break every scheme I can think of.
Update: Welcome TPM visitors. Following Josh's link it turns out that the database of pet pictures has two million entries. More significant though is the rate of addition - 10,000 a day. This is an order of magnitude higher than my original guess, but I don't think it invalidates the suggested lines of attack.
The hard part is cataloging the original database - ten man-years' worth of effort. That is certainly going to cost more than the $5,000 the Kiev gang would charge for breaking a text CAPTCHA. Unfortunately certain organized crime rings have repeatedly demonstrated that they have the necessary level of resources to simply pay people to break the problems by brute force.
Once the main catalog is sorted it is quite easy to keep up, as it turns out that Asirra has a 'tell'. If you have 90% of the catalog archived and the images are selected randomly, the chances are that you will only be presented with one unknown image per test. Since Asirra requires the subject to be 100% correct, a cataloging bot can tell whether the unknown image was a dog or a cat by whether it passed the test or not. A simple way to fix this tell would be to weaken the match criteria so that 9 out of 10 correct answers were sufficient, but this opens the door to other attacks.
The other weakness I see in the approach is asking image recognition experts to estimate the difficulty of differentiating pictures of cats from pictures of dogs. It isn't the right test. The hidden assumption here is that the best attack is going to solve the problem the way a human would. That's not the way internet criminals think. Ants solve similar problems every day with 100,000 total neurons.
Update 2: it appears that the code as implemented, as opposed to the documentation, allows one wrong answer out of 12. It turns out that this does not defeat the automatic cataloging attack described earlier, as I had assumed it would. In order to use the automatic cataloging trick the attacker would have to present ten correct tries and one deliberately wrong try together with the unknown picture.
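To make the 'tell' and the two updates concrete, here is an added model (not code from the post or from Asirra) of a 12-image pet CAPTCHA verifier. It checks whether the pass/fail verdict alone determines the label of one uncataloged image under a strict policy versus an allow-one-wrong policy, and computes how often a 90% catalog leaves exactly one unknown image in a challenge; the challenge size, label names and independent random image selection are assumptions.

```python
"""Leak analysis for the pass/fail 'tell' of an Asirra-style pet CAPTCHA.

Constructed model for illustration: a challenge of CHALLENGE_SIZE images,
each labelled 'cat' or 'dog', graded by a threshold on the number of wrong
answers. A defender can use this to see how much information a single
verdict gives away about an image whose label is not yet in a catalog.
"""
from math import comb

CHALLENGE_SIZE = 12  # assumed size of one challenge


def verifier_passes(truth, answers, max_wrong):
    """Server-side grading: pass if at most max_wrong labels disagree."""
    wrong = sum(1 for t, a in zip(truth, answers) if t != a)
    return wrong <= max_wrong


def label_leaked(max_wrong, known_correct, deliberate_wrong):
    """True if the verdict alone reveals the label of the one unknown image.

    The challenge is CHALLENGE_SIZE - 1 images whose labels are already
    catalogued plus one unknown image, always guessed as 'cat'. The verdict
    leaks the label iff it differs between the two possible truths.
    """
    assert known_correct + deliberate_wrong + 1 == CHALLENGE_SIZE
    known_truth = ["cat"] * (CHALLENGE_SIZE - 1)
    known_answers = ["cat"] * known_correct + ["dog"] * deliberate_wrong
    verdicts = []
    for unknown_truth in ("cat", "dog"):
        truth = known_truth + [unknown_truth]
        answers = known_answers + ["cat"]
        verdicts.append(verifier_passes(truth, answers, max_wrong))
    return verdicts[0] != verdicts[1]


def p_unknown_images(coverage, k):
    """Probability that exactly k of the challenge images fall outside a
    catalog covering `coverage` of the database (independent draws)."""
    n = CHALLENGE_SIZE
    return comb(n, k) * (1 - coverage) ** k * coverage ** (n - k)


if __name__ == "__main__":
    # Strict grading (documentation): one unknown image is labelled per test.
    print("strict, 11 correct + unknown:", label_leaked(0, 11, 0))
    # Lenient grading (code as deployed): a clean submission leaks nothing...
    print("allow one wrong, 11 correct + unknown:", label_leaked(1, 11, 0))
    # ...but one deliberately wrong answer restores the tell (Update 2).
    print("allow one wrong, 10 correct + 1 wrong + unknown:", label_leaked(1, 10, 1))
    print("P(exactly one unknown | 90% catalog):", round(p_unknown_images(0.9, 1), 3))
```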
Monday, June 11, 2007
The end of CAPTCHA? - hardly

19 comments:
I know there'd be copyright problems with this, but one way you could keep ahead of the cats vs. dogs picture database attack would be to use celebrity pictures, as in "select all the Britneys." Since there is a massive and constantly growing collection of Britney pictures out there (many conveniently labeled with her name already) you could send a bot out to collect Britney images all the time. People trying to keep a database of images to use against your CAPTCHA widget wouldn't be able to keep up.
I saw an interesting technique on a blog the other day that did away with images all together. It simply prompted the user to answer a question: 'What color is an orange?' Seems like it might be difficult to design something capable of overcoming a shifting series of simple questions like that. Especially if, instead of a pre-set database of questions, the administrator simply came up with a sufficiently random question off the top of his head every so often, which doesn't seem too demanding.
wow, cool post, dood.
Microsoft is claiming over 2 million photos. That doesn't invalidate your point, but Microsoft at least is making the bar a little higher than you mention.
What everyone seems to miss is the subtitle of the original CAPTCHA paper: "How Lazy Cryptographers Do AI".
From the academic/crypto viewpoint, people breaking CAPTCHAs is good because the goal is to force them to solve an otherwise hard and annoying problem (e.g., character recognition when things are really distorted).
I just turned CAPTCHA on for posting comments, could not resist the irony.
I had not seen the final paper How Lazy Cryptographers do AI but it is worth a read and as is often the case the inventors of the scheme are more than aware of the weaknesses that later deployments blithely ignore.
The problem here is that the CAPTCHA technology was designed before professional Internet crime was widely acknowledged as a problem. Any CAPTCHA test is certainly sufficient to block vote fraud, stopping crime is quite a different matter. Whoever is paying $5,000 to break CAPTCHAs is creating one heck of a lot of accounts somewhere.
An amusing side note: if you have read Doonesbury you will know that Alex went to MIT after an online poll where the MIT students proved to be better at stuffing the ballot than CMU.
Actually, it's much harder to solve than you think. I'm using this captcha on our forums:
http://panda3d.org/phpbb2/
Click on the "register" link to see the captcha. The forum admin is expected to drop in their own photographs. This is as simple as copying them from your digital camera into the image directory. Furthermore, the forum admin can choose any two kinds of objects, not just cats and dogs. If you give the forum admin this range of choice, then effectively, every website has its own custom captcha.
How much more, or less, secure than CAPTCHAs are things such as my one Senator's website uses, where you have to choose word No. 5, or whatever, from a list of eight, and the count varies whether top-down or bottom-up?
In response to Gadfly, schemes like that are perfectly secure until they are used widely enough to provide an incentive to an attacker.
given a large collection of search terms, couldn't this image CAPTCHA be implemented through Google images? This could save you a hell of a lot in storage, bandwidth and cataloging -- no need to index the damned things, let Google do it for you... send two queries to Google image search ('cat' and 'dog'), cache the top 5 of the resulting images to your local server, present the images, then ask the user to pick one of the images that is of a cat. No need to obfuscate the image, since the odds of you using it again are quite slight.
I think that with the image labeling business Google Image Labeler you could get even better assurance that what you present really does have something to do with your search.
DrFu
Google images tends to be a counter-example. What Google can do automatically the attackers can do automatically.
The cost to the attacker is proportional to the cost to the defender here, there is no exponential leverage.
CAPTCHAs are sometimes really irritating, especially because they are at times so difficult to read. Why can't they be made easier for humans to read?