
CAPTCHA:

William Strickland COT4810 Spring 2008 April 17, 2008

Outline
Description
Usage
General types
  Text
  Image
  Audio
reCaptcha
Criticisms
Security
Summary

Description
Completely Automated Public Turing test to tell Computers and Humans Apart.
Simple implementation by AltaVista in 1997.
Term CAPTCHA and specifications formalized in 2000 at Carnegie Mellon University.

Description (cont.)
Specifications:
  Cannot be solved by current computers.
  Can be solved by humans.
  Remains strong if attacker knows generation algorithm.

Designed to detect that user is human, not which human.

Usage
CAPTCHA can prevent or deter:
  Automated spam email.
  Automated postings into forums.
  Abuse of online purchase systems.
  Brute force attacks against web resources such as email services like Gmail.
  Abuse of bandwidth to other web resources.

Text CAPTCHA
Most common form of CAPTCHA.
Closely related to OCR.
Many algorithms exist, most of them bad.
Obscures text with:
  Perturbation manipulation of characters.
  Addition of stray marks.
  Masking patterns.
  Random noise.

Weak Text CAPTCHA


RapidShare's CAPTCHA

EZ-Gimpy (formerly used by Yahoo)

Strong Text CAPTCHA


Passport CAPTCHA

Yahoo's CAPTCHA

Image CAPTCHA
Provide the user with a series of images.
Ask the user to:
  Identify a picture matching a description.
  Identify a common theme to the images.

Requires huge databases of images with metadata to provide sets.

ESP-Pix Picture CAPTCHA

Audio CAPTCHA
Play scrambled audio to user.
Compares against metadata.
Developed to aid blind users.
Strong audio CAPTCHA often impossible for users to decipher.

reCaptcha
Make use of Human Computing Power

Take text from books that could not be deciphered with OCR.
Garble the text up more.
Provide alongside known garbled text.
Have user decipher both (authenticate with known).
Repeat until enough users agree on the unknown text.
This text is now known and book has been digitally encoded.

Strong CAPTCHA that accomplishes work.
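
The known-word/unknown-word procedure above, sketched as an added example (not part of the original slides and not reCAPTCHA's own code). The class name, the agreement threshold of 3 and the sample words are assumptions made for illustration.

```python
from collections import Counter

AGREEMENT_THRESHOLD = 3  # assumed value; the slide only says "enough users"


def normalize(answer):
    """Compare answers case-insensitively and ignore surrounding whitespace."""
    return answer.strip().lower()


class WordPairChallenge:
    """One challenge: a control word with a known answer plus an unknown word."""

    def __init__(self, known_answer, threshold=AGREEMENT_THRESHOLD):
        self.known_answer = normalize(known_answer)
        self.threshold = threshold
        self.votes = Counter()   # transcriptions proposed for the unknown word
        self.resolved = None     # set once enough users agree

    def submit(self, known_guess, unknown_guess):
        """Return True if the user passes; only passing users get to vote."""
        if normalize(known_guess) != self.known_answer:
            return False         # failed the control word: discard the vote too
        guess = normalize(unknown_guess)
        if self.resolved is None and guess:
            self.votes[guess] += 1
            if self.votes[guess] >= self.threshold:
                self.resolved = guess   # the unknown word is now known
        return True


def run_demo():
    # Constructed submissions: (answer for known word, answer for unknown word)
    submissions = [
        ("morning", "overlooks"),
        ("morning", "overlooks"),
        ("mourning", "overlooks"),   # fails control word, vote not counted
        ("morning", "overlocks"),    # passes, but disagrees with the majority
        ("Morning ", "Overlooks"),   # passes after normalization, third vote
    ]
    challenge = WordPairChallenge("morning")
    results = [challenge.submit(k, u) for k, u in submissions]
    return results, challenge.resolved, dict(challenge.votes)


if __name__ == "__main__":
    print(run_demo())
```

Pass/fail depends only on the control word, so a submission that fails it never contributes a vote toward the unknown word.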

Criticism
Exclusionary to users with disabilities.
No official standards or ruling body for creation of CAPTCHA algorithms.
Difficult user interactions.
No published for proper implementation of algorithms.

Security
Very hard to balance effectiveness of CAPTCHA and usability.
Difficult for programmer to identify bad CAPTCHA algorithms.
Researchers frequently break seemingly strong CAPTCHA.
Algorithms possibly protected under DMCA.

Security (cont.)
Methods to break:
  OCR
  Artificial Intelligence
  Turing Farm
  Porn Turing Farm

None of these methods are effective in the wild.
Spam business model breaks down with small increases in operating costs.

Summary
CAPTCHA do not provide individual authentication.
CAPTCHA cannot stop extravagant exploits that utilize humans.
In some situations user authentication is more suited.
CAPTCHA are difficult to design.
CAPTCHA are effective in reducing spam and automated attacks.


Questions
True or False: CAPTCHA can provide user authentication.
Name one tool used to obscure source text in Text CAPTCHA algorithms.
