
Re: [WEB SECURITY] Fake Captcha Protection




On Apr 29, 2008, at 7:50 PM, Bil Corry wrote:

Bryan Sullivan wrote on 4/29/2008 7:21 PM:
I like Jeremiah’s CAPTCHA effectiveness criteria – is this what you were trying to find?
http://jeremiahgrossman.blogspot.com/2006/09/captcha-effectiveness-test.html

Should Jeremiah's CAPTCHA ever be invented, it will simply drive more business to India:


-----
Cyber criminals are employing sweatshops in India for as little as $4 a day to defeat anti-spam security checks, according to a recent analysis by net security firm Trend Micro. It reckons miscreants prefer to hire cheap labour rather than using automated techniques to defeat CAPTCHAs - that are only effective 30-35 per cent of the time - or malware-based approaches.


<http://www.theregister.co.uk/2008/04/10/web_mail_throttled/>
-----

Google has a couple of interesting patents that can infer a user's "ethnicity, reading level, age, sex and income":

<http://yro.slashdot.org/article.pl?sid=08/03/22/1314253>

I wonder if the technology can be extended to infer if the user is a bot or from a sweatshop in India?


That's funny, I never thought of it that way. The test was not meant as a pass/fail for CAPTCHA systems, but as the name implies, a way to measure their effectiveness at distinguishing humans from bots. No CAPTCHA system I've seen hits every mark perfectly, but that's OK. Should a really good CAPTCHA system force attackers to leverage humans to defeat it (as opposed to technology), then it's done its job; only that the problem has now moved to something else.

For high value targets, we might consider something out of band like SMS, email, or some other creative ideas to drive up the $4 cost you mention.

Regards,

Jeremiah-



Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/




Brought to you by http://www.webappsec.org