HUMAN OR SCRIPT? An AI approach to cryptography
Outline
- Vulnerabilities, Threats, Controls
- Precursors
- Proposals
- General Approaches
- Deployment Options
- If time: issues and links
Vulnerabilities
- HTTP does not distinguish between human and machine users.
- HTTP and SSL do not guarantee that the client software or the user is benign.
- Malicious bots can be anonymous and distributed.
- Benign bots spider for search engines, etc.
Threats to Web Content
- Theft: "scraping" content from one site to display on another (MIT vs. CMU on /.)
- Copyright infringement: content shown "out of context"
- Unwanted spidering: stealing paid data, scraping addresses; search engines may ignore robots.txt or "nofollow" tags
- Web spam: unsolicited commenting, abusing free email
- Poll stuffing
Web Spam
- Web comments, wikis, guest books, discussions: many public forms are open to spam messages.
- Bots collect email addresses on the Web.
- More eyeballs per message than e-mail.
- E-mail spam is illegal, but most Web spam is legal.
Motives
- Google: more links, higher ranking
- Profit: ads for a real product/service
- Phishing: bait and switch for identity theft, financial theft
- Astroturfing: promote an agenda by simulating "grassroots" word-of-mouth
- Vandalism: thrill, damage, revenge, competition, activism, etc.
Cracked Controls
- IP tracking/banning: IP masking, hijacking, repurposed DDoS scripts
- User authentication: use a service like bugmenot.com
- Moderation (human review): script makes its own moderator account in the DB
- A good start if not easily cracked, but may need more.
CAPTCHA(TM)
- Acronym for Completely Automated Public Turing test to tell Computers and Humans Apart (Dr. Manuel Blum)
- Reverse Turing test: computers finding humans, not humans finding computers
- A category, not a specific solution
Precursors
- Unpublished manuscript by Moni Naor first mentions an automated Turing test in 1997, but it was not proposed or formalized.
- AltaVista patent in 1998: first practical example of using slightly distorted images of text to deter bots, but it only defeats stock OCR, not custom OCR.
Definition
- In 2000, formalized by Luis von Ahn, Manuel Blum and Nicholas J. Hopper of Carnegie Mellon, and John Langford of IBM.
- "A CAPTCHA is a cryptographic protocol whose underlying hardness assumption is based on an AI problem."
- www.captcha.net
Win-Win
- If not cracked, steganographic cryptography is advanced.
- If cracked, AI is advanced, because a very difficult (unsolved) AI problem has been solved.
Proposals (CAPTCHA.net)
- Gimpy: text distortion used by Yahoo! (routinely cracked and improved)
- Bongo: visual puzzle, like Mensa tests (if 4 options, a guess works 25% of the time)
- Pix: photographic recognition (needs a large image DB or the Google API)
- Sounds: voice synthesis, distortion
Gimpy
- Images of distorted text. In the current version, 5 pairs of overlapped words; the user identifies 3 words.
- Random placement, font, distortion, background pattern.
- Overlapping words need no noise.
- Frequently cracked and improved.
Bongo
- Visual puzzle: a computer can generate and display it, but not solve it.
- If too many choices, humans get it wrong. If not enough choices, computers can be effective with a random guess.
Pix
- Photo recognition. Needs a large image DB; images need keywords.
- Four images with the same keyword are shown; a random subset of keywords is offered as choices.
- Poor implementations are easy to crack (color of the top left pixel is unique, etc.).
General Approaches
- Text (ASCII/Unicode)
- Image
- Speech
- Animation
- 3-D
- Combinations of all of the above
ASCII/Unicode
- Change text to a look-alike: SPAM is $P4M, ©4Pt¢h4, or %430P%59
- Accented or non-English chars: Spám
- Chars to words: uce@ftc.gov --> uce at ftc dot gov
- URL/HTML entities: COPY becomes ¢ &Rho; 0 ¥
- Better than nothing: fools the simplest text matching, but easy to crack. It is not technically CAPTCHA.
Image CAPTCHA
- Presents a one-time-password as an image humans can read, but not scripts.
- To beat OCR, vary position, font, angles, colors, background, noise, warp, overlap, language, randomness.
- If the image is too simple, OCR can crack it; if too complex, a human cannot read it.
- Methods used: show filtered photos as well as words.
- Can deny accessibility to the vision-impaired...
Considering Accessibility
- Government and everyone who does business with government must meet federal accessibility standards for disabilities. Serious legal penalties.
- Professional ethics requires everyone else to do the same, with lesser consequences, but at risk of being considered rude.
- Very few CAPTCHAs are "accessible." Often ignored by amateurs.
- Solution (W3C): use both image and speech, plus manual approval, but a chain is only as strong as its weakest link.
Speech CAPTCHA
- Usually spells out the one-time-password in synthesized or recorded voices.
- Voice recognition cracks the simple case. Applied audio filters risk human misunderstanding.
- Used with image CAPTCHA for increased accessibility. If both use the same OTP, easier to crack.
Animated CAPTCHA
- Can use Flash, MPEG, animated GIF. Often combined with speech.
- Weaknesses of Image CAPTCHA apply. Usually easier to crack due to the extra data available for pattern matching to analyze.
- Much higher processor and traffic load. Not practical in most cases.
3D
- Renders the OTP in 3D space to an image. Reputedly the most difficult to crack.
- Server needs a good graphics card to be practical (rare).
- Can be combined with other methods. Not yet common (tEABAG_3D). Might see more in the future.
Circumventing CAPTCHA
- Social engineering can foil most CAPTCHAs. How? Scrape the captcha from the origin and pose it to a human for free access to other content (adult, news, search, blogs).
- User is unaware of helping spammers.
Which CAPTCHA?
- Even the simplest CAPTCHA can beat the vast majority of scripts.
- Even the best CAPTCHA can be cracked by dedicated, sophisticated coders.
- Weigh strength vs. cost (compute cycles, bandwidth, dollars).
- Be careful not to violate accessibility laws or open new holes.
Deploying CAPTCHA
- Install existing software (pro or free)
- Use a remote CAPTCHA service
- Develop your own CAPTCHA or customize open source scripts
Existing Software
- Hundreds or thousands of options. Narrow choices by price, server requirements, standards compliance, third-party testing results.
- Big targets: cracking a popular control opens hundreds of sites to spammers.
- Like antivirus, ineffective unless frequently updated.
CAPTCHA Service Providers
- Work even with servers not configured to generate images or sound.
- Server sends an encrypted OTP to the service, which sends the image to the client. Saves bandwidth and processor time.
- Code is easy to embed (botblock, captchas.net (experimental, but free)).
- Service updates itself automatically.
- Trust issues when outsourcing security.
Custom CAPTCHA
- Starting from Open Source or public domain code, not too difficult to customize.
- Can be stronger than using a service or preconfigured software. Customizing can make your implementation resistant to all but direct assaults.
- CAPTCHA volunteers may help you test and improve your algorithm.
CAPTCHA Beyond the Web
- Prevent dictionary attacks in any password system (Pinkas & Sander).
- Protect e-mail systems from worms, spam, other malware: if the sender is not in the address book or the message is suspect, challenge the sender with a CAPTCHA.
- Deter unwanted macro-scripting of a standalone application.
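An added example (not code from these slides, nor from captchas.net, botblock or Pinkas & Sander) tying together the service flow, the relay weakness and the password-gate use above: the server keeps the OTP out of the client-side token (only a MAC travels), binds each challenge to the issuing session so a solution relayed through a human elsewhere is rejected, expires it, spends it on the first attempt, and a threshold login gate refuses to check the password after repeated failures until a challenge is solved. The threshold gate is a simplification in the spirit of the Pinkas & Sander idea, not their protocol; the key, TTL, alphabet, limits and the sample user are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
SERVER_KEY = secrets.token_bytes(32)     # assumed: lives only on the origin server
TTL = 120                                 # seconds a challenge stays valid (assumed)
MAX_FREE_TRIES = 3                        # failed logins allowed before a CAPTCHA is demanded
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: readable in image and audio
USERS = {"alice": "correct horse"}        # constructed sample store; real ones hold hashes
_spent = set()                            # nonces already presented (one attempt per challenge)
_failures = {}                            # username -> consecutive failed logins

def _mac(answer, nonce, exp, session_id):
    msg = "|".join([answer, nonce, str(exp), session_id]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def issue_challenge(session_id, now=None):
    """Return (otp, token). The otp goes to the renderer (local or remote image/audio
    service); the token goes to the client form and holds no secret, only the MAC."""
    now = int(now if now is not None else time.time())
    otp = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce, exp = secrets.token_hex(8), now + TTL
    tag = _mac(otp, nonce, exp, session_id).hex()
    token = base64.urlsafe_b64encode(json.dumps({"n": nonce, "e": exp, "t": tag}).encode())
    return otp, token.decode()

def verify_answer(token, answer, session_id, now=None):
    """True only for the right answer, before expiry, from the session that was issued
    the challenge, and on the first attempt: a relayed or replayed solution fails."""
    now = int(now if now is not None else time.time())
    try:
        body = json.loads(base64.urlsafe_b64decode(token))
        nonce, exp, tag = str(body["n"]), int(body["e"]), bytes.fromhex(body["t"])
    except (ValueError, KeyError, TypeError):
        return False
    if now > exp or nonce in _spent:
        return False
    _spent.add(nonce)                     # burn it even on a wrong guess: one try per image
    expected = _mac(answer.strip().upper(), nonce, exp, session_id)
    return hmac.compare_digest(expected, tag)

def login(username, password, session_id, captcha=None):
    """Threshold gate (simplified from the Pinkas & Sander idea): after MAX_FREE_TRIES
    failures the password is not even checked until a CAPTCHA (token, answer) is solved."""
    if _failures.get(username, 0) >= MAX_FREE_TRIES:
        if captcha is None or not verify_answer(captcha[0], captcha[1], session_id):
            return "captcha_required"
    if hmac.compare_digest(password, USERS.get(username, "")):
        _failures.pop(username, None)
        return "ok"
    _failures[username] = _failures.get(username, 0) + 1
    return "denied"
```

Because the token carries only a keyed MAC, a client holding it cannot test guesses offline, and burning the nonce on the first attempt leaves a script one guess per rendered image.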
My Project
- Survey CAPTCHA alternatives. Select and install one.
- Test on MAMP (Mac / PHP). Deploy on LAMP (Linux).
- Evaluate and submit to my company for use with a Wiki-based CMS.
Project Status
- Several false starts: the first few selections either did not install, did not meet requirements or failed accessibility tests.
- Best bet now is on the service at http://www.captchas.net
- Asked for a two-week extension to finish the installation and paper.