Outline
- Description
- Usage
- General types
  - Text
  - Image
  - Audio
Description
- Completely Automated Public Turing test to tell Computers and Humans Apart.
- Simple implementation by AltaVista in 1997.
- Term CAPTCHA and specifications formalized in 2000 at Carnegie Mellon University.
Description (cont.)
Specifications:
- Cannot be solved by current computers.
- Can be solved by humans.
- Remains strong if attacker knows generation algorithm.
Usage
CAPTCHA can prevent or deter:
- Automated spam email.
- Automated postings into forums.
- Abuse of online purchase systems.
- Brute force attacks against web resources such as email services like Gmail.
- Abuse of bandwidth to other web resources.
Text CAPTCHA
- Most common form of CAPTCHA.
- Closely related to OCR.
- Many algorithms exist, most of them bad.
- Obscures text with:
  - Perturbation (manipulation of characters).
  - Addition of stray marks.
  - Masking patterns.
  - Random noise.
Yahoo's CAPTCHA
Image CAPTCHA
- Provide the user with a series of images.
- Ask the user to:
  - Identify a picture matching a description.
  - Identify a common theme to the images.
Audio CAPTCHA
- Play scrambled audio to user.
- Compares against metadata.
- Developed to aid blind users.
- Strong audio CAPTCHA often impossible for users to decipher.
reCaptcha
Make use of Human Computing Power
- Take text from books that could not be deciphered with OCR.
- Garble the text up more.
- Provide alongside known garbled text.
- Have user decipher both (authenticate with known).
- Repeat until enough users agree on the unknown text.
- This text is now known and book has been digitally encoded.
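The known-word/unknown-word scheme described above, as an added sketch that is not reCAPTCHA's own code. The class name, the word ids, the sample submissions and the agreement threshold of 3 are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

AGREEMENT_THRESHOLD = 3  # assumption: the slides only say "enough users agree"


class WordPairChallenge:
    """Hypothetical service pairing a known word with one OCR could not read."""

    def __init__(self, threshold=AGREEMENT_THRESHOLD):
        self.threshold = threshold
        self.votes = defaultdict(Counter)  # unknown word id -> transcription tally
        self.resolved = {}                 # unknown word id -> agreed text

    @staticmethod
    def _norm(text):
        # Case and whitespace differences should not split the vote.
        return " ".join(text.lower().split())

    def submit(self, control_answer, control_truth, unknown_id, unknown_answer):
        """Return True if the user passes; record the vote on the unknown word."""
        # The pass/fail decision rests only on the known word.
        if self._norm(control_answer) != self._norm(control_truth):
            return False  # users who fail the known word do not get a vote
        if unknown_id in self.resolved:
            return True
        guess = self._norm(unknown_answer)
        if guess:
            self.votes[unknown_id][guess] += 1
            if self.votes[unknown_id][guess] >= self.threshold:
                self.resolved[unknown_id] = guess  # the word is now "known"
        return True


def run_demo():
    svc = WordPairChallenge()
    # Constructed submissions: (control answer, control truth, unknown id, answer)
    submissions = [
        ("morning", "morning", "scan-17", "overlooks"),
        ("mornin", "morning", "scan-17", "xxxxx"),       # fails control, vote dropped
        ("Morning", "morning", "scan-17", "overlooks"),
        ("morning", "morning", "scan-17", "overbooks"),  # honest misread
        ("morning", "morning", "scan-17", "Overlooks "),
    ]
    results = [svc.submit(*s) for s in submissions]
    return results, svc.resolved, dict(svc.votes["scan-17"])


if __name__ == "__main__":
    print(run_demo())
```

Because only the known word gates access, the transcription of the unknown word is protected by the voting threshold alone, which is why votes from users who fail the known word are discarded.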
Criticism
- Exclusionary to users with disabilities.
- No official standards or ruling body for creation of CAPTCHA algorithms.
- Difficult user interactions.
- No published for proper implementation of algorithms.
Security
- Very hard to balance effectiveness of CAPTCHA and usability.
- Difficult for programmer to identify bad CAPTCHA algorithms.
- Researchers frequently break seemingly strong CAPTCHA.
- Algorithms possibly protected under DMCA.
Security (cont.)
Methods to break:
- OCR
- Artificial Intelligence
- Turing Farm
- Porn Turing Farm
None of these methods are effective in the wild.
Spam business model breaks down with small increases in operating costs.
Summary
- CAPTCHA do not provide individual authentication.
- CAPTCHA cannot stop extravagant exploits that utilize humans.
- In some situations user authentication is more suited.
- CAPTCHA are difficult to design.
- CAPTCHA are effective in reducing spam and automated attacks.
Questions
- True or False: CAPTCHA can provide user authentication.
- Name one tool used to obscure source text in Text CAPTCHA algorithms.