Thursday, April 17, 2008

musings on the latest in CAPTCHA technology...

with the recent reports of bots being able to crack the CAPTCHAs on windows live and gmail, the cutting edge in human recognition has shifted to the next generation of image recognition combined with advanced heuristics.
the first is kitten auth, an example of using an AI-hard problem to defeat captcha bots: it uses a database of cute furry kittens to detect humans.
also good is hot captcha, backed by the hot or not database.
both of these schemes use a grid of 9 images, 3 of which are of the target (either hot, or a kitten, depending on the auth scheme). Using the combinatorial formula 9 choose 3, where ordering isn't relevant, we get a random probability of choosing the correct 3 images of 1 in 386 (point who cares...). So if you combine hot captcha or kitten auth with an IP-blocking scheme where, say, you have a pool of blocked IPs, and after three failed attempts you add that IP to the pool, which expires after a given timeout (half an hour?).
Then a random bot will have a 1 / 128 chance of cracking your captcha, a success rate of less than 1%, which is probably enough for most spam bots, but better than the 15% success rate for the latest round of captcha bots against OCR captchas.
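Here is the scheme above worked through in Python. This is an added example, not code from the post or from kitten auth / hot captcha: it computes the random-guess odds for a 9-image, 3-target grid straight from the "9 choose 3" formula with `math.comb` rather than reusing the figure in the text, and models the three-strikes block pool with an injectable clock so the half-hour expiry can be exercised without waiting. The 3-failure limit and 30-minute timeout are the numbers the post floats; the class and function names, the fixed "correct cells" answer and the bot simulation are all assumptions made for the example.

```python
"""Random-guess odds against a 9-image / 3-target picture captcha, plus the
three-strikes IP block pool described in the post.  Added example, not the
post's own code; the 3-failure limit and half-hour timeout are the figures
the post floats, everything else is assumed for illustration."""
from math import comb
import random
import time

GRID = 9      # images shown in the grid
TARGETS = 3   # images the user must pick (kittens, or hot people)


def guess_success_probability(grid=GRID, targets=TARGETS):
    """Chance that one uniformly random choice of `targets` images out of
    `grid` is exactly the right set: 1 / C(grid, targets)."""
    return 1.0 / comb(grid, targets)


def success_within_attempts(attempts, p=None):
    """Chance a bot guessing at random gets through before it has used up
    `attempts` tries (attempts are independent)."""
    if p is None:
        p = guess_success_probability()
    return 1.0 - (1.0 - p) ** attempts


class LockoutPool:
    """Block pool from the post: after `max_failures` wrong answers an IP is
    added to the pool and ignored until `timeout_s` seconds have passed.
    The clock is injectable so expiry can be tested without waiting."""

    def __init__(self, max_failures=3, timeout_s=30 * 60, clock=time.monotonic):
        self.max_failures = max_failures
        self.timeout_s = timeout_s
        self.clock = clock
        self.failures = {}   # ip -> consecutive wrong answers
        self.blocked = {}    # ip -> time at which the block expires

    def is_blocked(self, ip):
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:          # timeout elapsed: drop from pool
            del self.blocked[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record(self, ip, passed):
        """Record one captcha attempt from `ip`.  Returns True only if the
        attempt was correct *and* the IP was not in the block pool."""
        if self.is_blocked(ip):
            return False
        if passed:
            self.failures.pop(ip, None)
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.blocked[ip] = self.clock() + self.timeout_s
        return False


def random_bot_gets_through(pool, ip, answer, rng):
    """One bot guessing random 3-subsets of the grid against a fixed answer
    until the pool blocks it.  Returns True if any guess was accepted."""
    while not pool.is_blocked(ip):
        guess = frozenset(rng.sample(range(GRID), TARGETS))
        if pool.record(ip, guess == answer):
            return True
    return False


def empirical_success_rate(trials=3000, seed=1):
    """Fraction of `trials` independent bots (distinct IPs, frozen clock) that
    beat the captcha before being blocked; should sit near
    success_within_attempts(3)."""
    rng = random.Random(seed)
    pool = LockoutPool(clock=lambda: 0.0)   # frozen clock: blocks never expire
    answer = frozenset({0, 4, 8})           # constructed: the 3 "correct" cells
    hits = sum(random_bot_gets_through(pool, f"bot-{i}", answer, rng)
               for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(f"C({GRID},{TARGETS}) = {comb(GRID, TARGETS)}")
    print(f"single guess:        {guess_success_probability():.4%}")
    print(f"3 tries then block:  {success_within_attempts(3):.4%}")
    print(f"simulated:           {empirical_success_rate():.4%}")
```

Two things worth noticing when you run it: the block pool only raises the cost per IP, so a bot with many addresses gets a fresh set of tries from each one (which is exactly why the next paragraph reaches for a botnet), and `record` keeps rejecting even correct answers while an IP is in the pool, so a legitimate user who fumbles three times is locked out for the full timeout as well.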
To attack this captcha, it would help if you had..., oh say, a massively distributed botnet at your disposal and some kind of distributed multimedia database to record the random correct categorisation of images to improve your hit rate. You would end up duplicating the multimedia database of the target captcha, but once you did, your hit rate would climb towards 100%.
So at the end of the day even these kinds of captchas are vulnerable, but would be good as a failover from your regular captcha mechanism in the event it gets broken...
what we really need is some kind of open-ended input based on an image that relies on human "common sense". e.g. a picture of george bush where 'miserable failure', 'ass-muppet' or 'clown' would be valid inputs to verify a human being. We're stuck in an arms race, and as long as spam is profitable spammers will be paying crackers to do AI...
(note: this is all written with tongue very firmly in cheek... ;-p )
