HUMAN OR SCRIPT? An AI approach to cryptography
Agenda
- Vulnerabilities, Threats, Controls
- Precursors
- Proposals
- General Approaches
- Deployment Options
- If time: issues and links
Vulnerabilities
- HTTP does not distinguish between human and machine users.
- HTTP and SSL do not guarantee that the client software or the user is benign.
- Malicious bots can be anonymous and distributed.
- Benign bots spider for searches, etc.
Threats to Web Content
- Theft: "scraping" content from one site to display on another; stealing paid data.
- Copyright infringement: reuse "out of context" (MIT vs. CMU on /.).
- Unwanted spidering: search engines may ignore robots.txt or "nofollow" tags.
- Web spam: unsolicited commenting, scraping addresses, abusing free email.
- Poll stuffing.
Web Spam
- Many public forms are open to spam messages: Web comments, guest books, discussions, wikis.
- More eyeballs per message than e-mail.
- E-mail spam is illegal, but most Web spam is legal.
- Bots collect email addresses on the Web.
Motives
- Google: more links, higher ranking.
- Profit: ads for a real product/service, competition.
- Phishing: bait and switch for identity theft, financial theft.
- Astroturfing: promote an agenda by simulating "grassroots" word-of-mouth.
- Vandalism: thrill, revenge, activism, damage, etc.
Cracked Controls
- IP tracking/banning: IP masking, hijacking, repurposed DDoS scripts.
- User authentication: script makes its own moderator account in the DB; use a service like bugmenot.com.
- Moderation (human review): good start if not easily cracked, but may need more.
CAPTCHA
- Acronym for Completely Automated Public Turing test to tell Computers and Humans Apart (Dr. Manuel Blum).
- Reverse Turing test: computers finding humans, not humans finding computers.
- A category, not a specific solution.
Precursors
- Unpublished manuscript by Moni Naor first mentions an automated Turing test in 1997, but it was not proposed or formalized.
- Altavista patent in 1998: first practical example of using slightly distorted images of text to deter bots, but it only defeats stock OCR, not custom OCR.
Definition
- In 2000, formalized by Luis von Ahn, Manuel Blum and Nicholas J. Hopper of Carnegie Mellon, and John Langford of IBM.
- "A CAPTCHA is a cryptographic protocol whose underlying hardness assumption is based on an AI problem."
- www.captcha.net
Win-Win
- If cracked, AI is advanced because a very difficult (unsolved) AI problem has been solved.
- If not cracked, steganographic cryptography is advanced.
Proposals (CAPTCHA.net)
- Gimpy: text distortion used by Yahoo! (routinely cracked and improved).
- Bongo: visual puzzle, like Mensa tests (if 4 options, a guess works 25% of the time).
- Pix: photographic recognition (needs a large image DB, or the Google API).
- Sounds: voice synthesis, distortion.
Gimpy
- Images of distorted text.
- Random placement, font, distortion, background pattern.
- In the current version, 5 pairs of overlapped words; the user identifies 3 words.
- Overlapping words need no noise.
- Frequently cracked and improved.
Bongo
- Visual puzzle.
- Computer can generate and display it, but not solve it.
- If too many choices, humans get it wrong.
- If not enough choices, computers can be effective with a random guess.
Pix
- Photo recognition.
- Needs a large image DB; images need keywords.
- Four images with the same keyword are shown; a random subset of keywords is offered as choices.
- Poor implementations are easy to crack (e.g. the color of the top-left pixel is unique per keyword, etc.).
General Approaches
- Text (ASCII/Unicode)
- Image
- Speech
- Animation
- 3-D
- Combinations of all of the above
ASCII/Unicode
- Change text to look-alikes: SPAM is $P4M, CAPTCHA is ©4Pt¢h4.
- Accented or non-English chars: Spám.
- Chars to words: email@example.com --> uce at ftc dot gov.
- URL/HTML entities: COPY becomes ¢0&Rho;¥ or %430P%59.
- Fools the simplest text matching, but easy to crack. Better than nothing.
- It is not technically a CAPTCHA.
Image CAPTCHA
- Presents a one-time password as an image humans can read, but scripts cannot.
- If the image is too simple, OCR can crack it; if too complex, a human cannot read it.
- To beat OCR, vary position, font, angles, overlap, background, noise, colors, warp, language, randomness, and the methods used.
- Show filtered photos as well as words.
- Can deny accessibility to the vision-impaired...
Considering Accessibility
- Government, and everyone who does business with government, must meet federal accessibility standards for disabilities. Serious legal penalties.
- Professional ethics requires everyone else to do the same, with lesser consequences.
- Often ignored by amateurs, but a chain is only as strong as its weakest link.
- Very few CAPTCHAs are "accessible."
- Solution (W3C): use both image and speech; manual approval, but at the risk of being considered rude.
Speech CAPTCHA
- Usually spells out a one-time password in synthesized or recorded voices.
- Voice recognition cracks the simple case; applied audio filters risk human misunderstanding.
- Used with image CAPTCHA for increased accessibility.
- If both use the same OTP, it is easier to crack.
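The image and speech slides above hinge on server-side handling of the one-time password: separate OTPs for the two renderings, single use, and an expiry. This is an added example, not code from the deck or from any CAPTCHA package it mentions; the rendering hooks and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory challenge store: token -> challenge record.
# A real deployment keeps this server-side (session/DB); the browser only sees the token.
_CHALLENGES = {}

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
TTL_SECONDS = 300


def _otp(length=6):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def issue_challenge(now=None):
    """Create one challenge with SEPARATE one-time passwords for the image and
    the audio rendering, so solving the (weaker) audio track does not reveal the
    image answer, and vice versa."""
    now = time.time() if now is None else now
    image_otp = _otp()
    audio_otp = _otp()
    while audio_otp == image_otp:          # never let the two renderings coincide
        audio_otp = _otp()
    token = secrets.token_urlsafe(16)
    _CHALLENGES[token] = {"image": image_otp, "audio": audio_otp, "expires": now + TTL_SECONDS}
    return token


def render_targets(token):
    """Strings handed to the (assumed) image generator and speech synthesizer."""
    c = _CHALLENGES[token]
    return c["image"], c["audio"]


def verify(token, answer, now=None):
    """Accept if the answer matches EITHER rendering, exactly once, before expiry.
    The token is consumed on any attempt, so a script cannot retry one challenge."""
    now = time.time() if now is None else now
    c = _CHALLENGES.pop(token, None)       # single use, regardless of outcome
    if c is None or now > c["expires"]:
        return False
    guess = answer.strip().upper().encode()
    ok_image = hmac.compare_digest(guess, c["image"].encode())   # constant-time compare
    ok_audio = hmac.compare_digest(guess, c["audio"].encode())
    return ok_image or ok_audio
```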
Animated CAPTCHA
- Can use Flash, MPEG, animated GIF.
- Often combined with speech.
- Weaknesses of image CAPTCHA apply.
- Usually easier to crack, because the extra data gives pattern matching more to analyze.
- Much higher processor and traffic load.
- Not practical in most cases.
3D
- Renders the OTP in 3D space to an image.
- Reputedly the most difficult to crack.
- Server needs a good graphics card to be practical (rare).
- Can be combined with other methods.
- Not yet common (tEABAG_3D); might see more in the future.
Circumventing CAPTCHA
- Social engineering can foil most CAPTCHAs. How?
- Scrape the CAPTCHA from the origin site and pose it to a human in exchange for free access to other content (adult, news, search, blogs).
- The user is unaware of helping spammers.
Which CAPTCHA?
- Even the simplest CAPTCHA can beat the vast majority of scripts.
- Even the best CAPTCHA can be cracked by dedicated, sophisticated coders.
- Weigh strength vs. cost (compute cycles, bandwidth, dollars).
- Be careful not to violate accessibility laws or open new holes.
Deploying CAPTCHA
- Install existing software (pro or free).
- Use a remote CAPTCHA service.
- Develop your own CAPTCHA or customize open source scripts.
Existing Software
- Hundreds or thousands of options.
- Narrow choices by price, standards compliance, server requirements, third-party testing results.
- Big targets: cracking a popular control opens hundreds of sites to spammers.
- Like antivirus, ineffective unless frequently updated.
CAPTCHA Service Providers
- Work even with servers not configured to generate images or sound.
- Server sends an encrypted OTP to the service, which sends the image to the client.
- Saves bandwidth and processor time.
- Code is easy to embed (botblock); the service updates itself automatically.
- captchaS.net (experimental, but free).
- Trust issues when outsourcing security.
Custom CAPTCHA
- Starting from open source or public domain code, not too difficult to customize.
- Customizing can make your implementation resistant to all but direct assaults.
- Can be stronger than using a service or preconfigured software.
- CAPTCHA volunteers may help you test and improve your algorithm.
CAPTCHA Beyond the Web
- Prevent dictionary attacks in any password system (Pinkas & Sander).
- Protect e-mail systems from worms, spam and other malware: if the sender is not in the address book or the message is suspect, challenge the sender with a CAPTCHA.
- Deter unwanted macro-scripting of a standalone application.
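The Pinkas & Sander point above, as an added example in Python (not code from the deck or from their paper): a simplified adaptation of the idea that a correct password on an unknown device always triggers a CAPTCHA, and a fixed, keyed-hash-determined fraction of wrong guesses do too, so a scripted guesser cannot learn from the server's reply which guesses were right. The credential store, server key and trusted-device cookie set are constructed for the example.

```python
import hashlib
import hmac
import secrets

_SERVER_KEY = b"constructed-server-secret"   # hypothetical per-deployment secret
_USERS = {}                                  # username -> (salt, pbkdf2 digest)
_TRUSTED = set()                             # (username, cookie) issued after a real login
CHALLENGE_RATE = 0.10                        # share of wrong guesses that still get a CAPTCHA


def register(username, password):
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))


def _password_ok(username, password):
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(guess, digest)


def _deterministic_challenge(username, password):
    """Keyed hash of (user, guess): the same wrong guess always gets the same
    decision, so retrying a guess can never find a CAPTCHA-free path."""
    mac = hmac.new(_SERVER_KEY, f"{username}\0{password}".encode(), "sha256").digest()
    return int.from_bytes(mac[:4], "big") / 2**32 < CHALLENGE_RATE


def issue_cookie(username):
    """Mark a device trusted after a successful, CAPTCHA-verified login."""
    cookie = secrets.token_urlsafe(16)
    _TRUSTED.add((username, cookie))
    return cookie


def login(username, password, cookie=None, captcha_passed=False):
    """Returns 'GRANT', 'DENY' or 'CAPTCHA' (client must solve one and resubmit)."""
    correct = _password_ok(username, password)
    if cookie is not None and (username, cookie) in _TRUSTED and correct:
        return "GRANT"                       # known device + correct password: no CAPTCHA
    # Unknown device: a correct password always needs a CAPTCHA, and so does a
    # fixed fraction of wrong guesses, so the reply alone does not reveal correctness.
    if correct or _deterministic_challenge(username, password):
        if not captcha_passed:
            return "CAPTCHA"
        if correct:
            return "GRANT"
    return "DENY"
```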
My Project
- Survey CAPTCHA alternatives.
- Select and install one.
- Test on MAMP (Mac / PHP).
- Deploy on LAMP (Linux).
- Evaluate and submit to my company for use with a Wiki-based CMS.
Project Status
- Several false starts: the first few selections either did not install, did not meet requirements, or failed accessibility tests.
- Best bet now is the service at http://www.captchas.net
- Asked for a two-week extension to finish the installation and paper.