[91866] in North American Network Operators' Group
Re: Captchas was Re: ISP wants to stop outgoing web based spam
daemon@ATHENA.MIT.EDU (Paul Jakma)
Wed Aug 16 13:52:39 2006
Date: Wed, 16 Aug 2006 18:51:53 +0100 (IST)
From: Paul Jakma <paul@clubi.ie>
To: Simon Waters <simonw@zynet.net>
Cc: nanog@merit.edu
In-Reply-To: <200608160921.07125.simonw@zynet.net>
Mail-Copies-To: paul@jakma.org
Mail-Followup-To: paul@jakma.org
Errors-To: owner-nanog@merit.edu

On Wed, 16 Aug 2006, Simon Waters wrote:

> You snipped the bit where I said "It would work for a minority use."

Sorry, don't think that is relevant really - least I have no data on
what minority uses are for captchas, nor majority uses or what the
difference is.

> The reason people use image recognition is it is something (most)
> humans find very easy, but requires considerable investment of
> effort (or resource for self training) to teach computers, and
> readily permits of variations ('click the kitten' being a good
> example).

Those need vast numbers of "kitten" pictures in order to be immune to
dictionary attacks. There's a reason 'captchas' consist of
auto-generated images of letters.

You can auto-generate questions too, obviously. With dictionaries of
question/answer tuples associated with some template question
language.

The tuples can be auto-generated, the strength lies in the variety of
the question forms in use across the internet and/or across a site.

The questions need not use language, they could be based on ASCII
pattern matching, e.g.:

oAwoZwoLwoC

what's the next letter, etc..

Or you could simply test people on their ability to google perhaps?
:)

> For a demonstration of bashing at ASCII captchas try any good chat bot.

And for image captchas, see:

http://www.cs.sfu.ca/~mori/research/gimpy/

and there are more. CAPTCHAs are, almost by definition, compelling
problems for academia to tackle ;).

> The reason no one defeated your text captcha was probably because
> no one tried, but that won't remain the case if it gets popular. We
> are locked in another arms race here.

Yes, that applies regardless of the form of the captcha.

> Although possibly the mistake is to assume you can distinguish
> between humans, and computers on the basis of intelligence.

Maybe so.

regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
Fortune:
The meat is rotten, but the booze is holding out.
Computer translation of "The spirit is willing, but the flesh is weak."
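
Added example, not part of the message above or of any code by its author: a sketch of the auto-generated question idea it describes, with a small tuple dictionary, several template question forms, and the "oAwoZwoLwoC" style ASCII pattern. The word lists, function names, secret and the HMAC-bound expiry are assumptions made for illustration.

```python
import hashlib, hmac, random, string, time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, constructed here
TTL = 300                         # assumption: challenge lifetime in seconds

# Constructed question/answer tuples and template question forms.
TUPLES = {"animal": ["kitten", "horse", "sparrow"],
          "tool": ["hammer", "wrench", "chisel"],
          "colour": ["green", "purple", "orange"]}
FORMS = ["Which word is the {cat}: {opts}?",
         "Type the {cat} from this list: {opts}",
         "Only one of these is the {cat}, which one? {opts}"]

def word_from_category(rng):
    """Fill a random question form from the tuple dictionary."""
    cat = rng.choice(sorted(TUPLES))
    answer = rng.choice(TUPLES[cat])
    opts = [rng.choice(TUPLES[c]) for c in TUPLES if c != cat] + [answer]
    rng.shuffle(opts)
    return rng.choice(FORMS).format(cat=cat, opts=", ".join(opts)), answer

def ascii_pattern(rng):
    """Fixed two-letter motif with a random filler, like 'oAwoZwoLwoC'."""
    a, b = rng.sample(string.ascii_lowercase, 2)
    fillers = [rng.choice(string.ascii_uppercase) for _ in range(4)]
    shown = "".join(a + f + b for f in fillers)[:-1]  # hide the last letter
    return shown + " what's the next letter?", b

def answer_tag(answer, expires):
    # Bind the normalised answer to its expiry; the answer never reaches the client.
    msg = f"{expires}:{answer.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(rng=None, now=None):
    """Return (question, expires, tag) to embed in the form."""
    rng = rng or random.SystemRandom()
    question, answer = rng.choice([word_from_category, ascii_pattern])(rng)
    expires = int(time.time() if now is None else now) + TTL
    return question, expires, answer_tag(answer, expires)

def verify(reply, expires, tag, now=None):
    """Constant-time check of a reply against the issued tag, within its lifetime."""
    now = time.time() if now is None else now
    return now <= int(expires) and hmac.compare_digest(answer_tag(reply, int(expires)), tag)
```

A tag issued this way can be replayed with the same answer until it expires unless the server also records the tags it has already accepted.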