<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Improved CAPTCHA?</title>
	<atom:link href="http://www.analyticalengine.net/archives/27/feed" rel="self" type="application/rss+xml" />
	<link>http://www.analyticalengine.net/archives/27</link>
	<description>Application Security, General Technology, and Geek Ramblings</description>
	<pubDate>Tue, 06 Jan 2009 11:00:23 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: Joshbw</title>
		<link>http://www.analyticalengine.net/archives/27#comment-33</link>
		<dc:creator>Joshbw</dc:creator>
		<pubDate>Wed, 16 Apr 2008 13:58:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=27#comment-33</guid>
		<description>Yeah, I read that article on Ars yesterday.  I've found that no more spam than usual has made it through my Outlook filter (the built-in filter in 2007 is remarkably good) but I have been getting a great deal more spam in my Gmail account, from Gmail and Hotmail domains.

I've also seen the Asirra project before and I like the intent of it.  That said, I have a concern with it.  It is technically feasible to crawl Petfinder and download all of the images, which are conveniently categorized by type (cat, dog, bird, rabbit, etc.) and then create a simple database that uses a hash from the image as a key to look up the type.  Then, when crawling sites that are Asirra-enabled, the images could just be rehashed and looked up.

Hopefully MS is actually doing some modifications (resize, slight color filter, etc.) that would cause the Asirra image to have a different hash value, which would frustrate that approach.</description>
		<content:encoded><![CDATA[<p>Yeah, I read that article on Ars yesterday.  I&#8217;ve found that no more spam than usual has made it through my Outlook filter (the built-in filter in 2007 is remarkably good) but I have been getting a great deal more spam in my Gmail account, from Gmail and Hotmail domains.</p>
<p>I&#8217;ve also seen the Asirra project before and I like the intent of it.  That said, I have a concern with it.  It is technically feasible to crawl Petfinder and download all of the images, which are conveniently categorized by type (cat, dog, bird, rabbit, etc.) and then create a simple database that uses a hash from the image as a key to look up the type.  Then, when crawling sites that are Asirra-enabled, the images could just be rehashed and looked up.</p>
<p>Hopefully MS is actually doing some modifications (resize, slight color filter, etc.) that would cause the Asirra image to have a different hash value, which would frustrate that approach.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jim</title>
		<link>http://www.analyticalengine.net/archives/27#comment-32</link>
		<dc:creator>Jim</dc:creator>
		<pubDate>Tue, 15 Apr 2008 23:42:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=27#comment-32</guid>
		<description>Holy cats and dogs - have you seen this?

http://research.microsoft.com/asirra/?0sr=a</description>
		<content:encoded><![CDATA[<p>Holy cats and dogs - have you seen this?</p>
<p><a href="http://research.microsoft.com/asirra/?0sr=a" rel="nofollow">http://research.microsoft.com/asirra/?0sr=a</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jim</title>
		<link>http://www.analyticalengine.net/archives/27#comment-31</link>
		<dc:creator>Jim</dc:creator>
		<pubDate>Tue, 15 Apr 2008 23:37:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=27#comment-31</guid>
		<description>Ouch - the world could use better Captcha protection: http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html</description>
		<content:encoded><![CDATA[<p>Ouch - the world could use better Captcha protection: <a href="http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html" rel="nofollow">http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Joshbw</title>
		<link>http://www.analyticalengine.net/archives/27#comment-30</link>
		<dc:creator>Joshbw</dc:creator>
		<pubDate>Fri, 11 Apr 2008 14:43:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=27#comment-30</guid>
		<description>I think an animated GIF would be better for client-side support, and isn't technically difficult to dynamically generate.  The downside is that it does take significantly more processing time than static graphics to generate, and for captchas on popular websites dynamic generation is usually the only viable route (since otherwise the attackers can just harvest all of the images, and create a database of hashes from the file and associated text).

Flash is definitely an easier route in terms of server resources, but you are absolutely right about it being a pain with the myriad of Flash versions (is Flash even present, is it a smart device that uses Flash Lite, etc.).</description>
		<content:encoded><![CDATA[<p>I think an animated GIF would be better for client-side support, and isn&#8217;t technically difficult to dynamically generate.  The downside is that it does take significantly more processing time than static graphics to generate, and for captchas on popular websites dynamic generation is usually the only viable route (since otherwise the attackers can just harvest all of the images, and create a database of hashes from the file and associated text).</p>
<p>Flash is definitely an easier route in terms of server resources, but you are absolutely right about it being a pain with the myriad of Flash versions (is Flash even present, is it a smart device that uses Flash Lite, etc.).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jim</title>
		<link>http://www.analyticalengine.net/archives/27#comment-28</link>
		<dc:creator>Jim</dc:creator>
		<pubDate>Thu, 10 Apr 2008 21:12:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=27#comment-28</guid>
		<description>You are onto something here - there are a number of ways to protect content via Flash. The only downside - need to support a wide variety/versions of the Flash engine. But still, I like it.</description>
		<content:encoded><![CDATA[<p>You are onto something here - there are a number of ways to protect content via Flash. The only downside - need to support a wide variety/versions of the Flash engine. But still, I like it.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
