Re: MD5 & bot Question

On 4/9/07, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
> At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
> >On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
> >>  At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
> >>  >Maybe use flash for this... harder to crack? (Of course, Flash will
> >>  >open door to other problems.)
> >>  >
> >>  >Sorry, coming in on this late. Good work Tedd! Very interesting.
> >>
> >>
> >>  M:
> >>
> >>  Tijnema showed how MD5 could be used to identify an image file and
> >>  crack my arrow captcha. That's really what this thread was about. I
> >>  finally came up with enough variations to make it impractical.
> >>
> >>  However, this did make me wonder about the images that M$ and others
> >>  are using for captchas -- like find the kitty in a set of pictures.
> >>  The MD5 application could be used to identify as many pictures as any
> >>  spammer would need. So, I think the MD5 method, as described in this
> >>  thread, would work very well to crack those types of captchas.
> >
> >I doubt Microsoft is using a static image repository for captchas.
> >
> >Cheers,
> >Rob.
>
> I doubt that their image repository is infinite.
>
> Plus, I envision a method where a bot could:
>
> 1. Scan the site, gather the images and key phrase.
>
> 2. MD5 the images.
>
> 3. Place all the MD5's with the associated key phrase in a dB.
>
> 4. Refresh and repeat.
>
> With repeated refreshes (not attempts at trying to enter), the key
> phrases associated with the MD5's will build and the bot will learn.
>
> It works like this -- the phrase "find the kitty" or key word "kitty"
> will always be associated with the picture of the kitty WHEN "kitty"
> is the solution. All other key phrases/words associated with the
> kitty picture will eventually "stack out" as just background noise
> as data is gathered.
>
> As such, a bot could have a foundation at making an intelligent
> guess. Also, every guess (successful or not) provides even more data
> to be considered. The more data gathered, the better the guess.

Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.

And then not to mention that md5 has a limitation, and that there
probably would be 2 different images, with the same MD5...

Using MD5 on the normal "write the key" CAPTCHAs isn't gonna work,
they are mostly generated on the fly, and even if they weren't, then
there are probably a lot of solutions, and not just the 8 that I had
with your arrow captcha.

Those "write the key" CAPTCHAs are the best crackable with an OCR
reader. But that's why they are so transformed these days. So that
requires extra steps to make it readable.

I think that we can conclude that a non-crackable CAPTCHA doesn't
exist, but also that there doesn't exist a real "hard to crack"
CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help
in some cases, but only if the CAPTCHA uses static
images/audio/video/etc. Just about your Audio CAPTCHA, you could use
MD5 to crack it, as the number has the same MD5 sum each time.

Tijnema

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
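
An added example, not part of the thread or any poster's code: a self-check a CAPTCHA operator can run against their own generator to measure how often it serves byte-identical challenges, which is the property the MD5 lookup discussed above depends on. The three generators, the `audit` helper and the byte strings standing in for image data are all constructed for illustration.

```python
import hashlib
import os
import random

# Constructed stand-ins for image bytes: one fixed "file" per answer,
# mirroring a small static pool such as the 8-direction arrow CAPTCHA.
ANSWERS = ("n", "ne", "e", "se", "s", "sw", "w", "nw")
STATIC_POOL = {a: b"PNG-arrow-" + a.encode() for a in ANSWERS}

def static_captcha(rng):
    """Serves one of 8 byte-identical files; returns (image_bytes, answer)."""
    answer = rng.choice(ANSWERS)
    return STATIC_POOL[answer], answer

def variant_captcha(rng, variants=50):
    """Finite set of pre-rendered variations per answer (8 * 50 files)."""
    answer = rng.choice(ANSWERS)
    return STATIC_POOL[answer] + b"-v%d" % rng.randrange(variants), answer

def dynamic_captcha(rng):
    """Rendered per request: fresh noise changes the bytes every time."""
    answer = rng.choice(ANSWERS)
    return STATIC_POOL[answer] + os.urandom(16), answer

def audit(generate, samples=2000, seed=1):
    """Request `samples` challenges, MD5 each one, and report how many
    distinct digests appeared and what fraction of responses repeated an
    earlier digest (i.e. would already be present in a digest table)."""
    rng = random.Random(seed)
    seen = {}      # md5 hex digest -> answer first observed with it
    repeats = 0
    for _ in range(samples):
        image, answer = generate(rng)
        digest = hashlib.md5(image).hexdigest()
        if digest in seen:
            repeats += 1
        else:
            seen[digest] = answer
    return {"distinct": len(seen), "repeat_rate": repeats / samples}

if __name__ == "__main__":
    for gen in (static_captcha, variant_captcha, dynamic_captcha):
        print(gen.__name__, audit(gen))
```

A repeat rate near zero only rules out exact-digest matching; it says nothing about resistance to the OCR approach mentioned in the thread.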

