On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
> On 4/9/07, Travis Doherty <travis@xxxxxxxxxxxxx> wrote:
> > Robert Cummings wrote:
> >
> > >On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
> > >
> > >>At 9:58 AM -0400 4/9/07, Robert Cummings wrote:
> > >>
> > >>>Hi Tedd,
> > >>>
> > >>>Put down the crack pipe please... captcha images are usually generated
> > >>>on the fly. Their image repository is 0. Their image universe is all of
> > >>>the permutations of an image containing all of the range of serial codes
> > >>>embedded in the images according to their morphing routine. I highly
> > >>>doubt the US Government could afford the space required to store all of
> > >>>the permutations. Considering the number of bytes available to a
> > >>>dynamically generated image, it is highly likely that the images would
> > >>>be capable of exhausting the entire md5 universe.
> > >>>
> > >>>Cheers,
> > >>>Rob.
> > >>>
> > >>Rob:
> > >>
> > >>Duh -- put down the joint and stay on the subject. We were talking
> > >>about M$'s "picture" captcha where they show pictures and ask a
> > >>question like "Pick the picture that shows a kitty" and NOT an "on
> > >>the fly" graphic captcha. There are different types of captchas.
> > >>
> > >
> > >Ah, I see. I was too lazy to go check since I don't use Microsoft except
> > >insofar as to make things work in their crappy browser. Either way, can
> > >you verify the images are static? See if getting two kitty cats produces
> > >the same md5 signature :) Just because it's a picture doesn't invalidate
> > >what I said.
> > >
> > >Cheers,
> > >Rob.
> > >
> >
> > Steganography has been able to "hide" text in images for quite some time
> > now. Basically you cram whatever info you want into the 'unused' or
> > 'less used' bytes of the image.
> >
> > With this in mind I imagine even if you did have an image repository of
> > only 8 images you could add some random bytes to the right spots in the
> > image without distorting it beyond recognition/corrupting it, and
> > therefore get a hybrid of static/on-the-fly images, that hashing
> > couldn't break so simply.
> >
> > 2 cents...
> >
> > Travis Doherty
>
> This is exactly what tedd did in his last arrow example. He edited the
> header of the GIF image, and so that would result in different MD5.
>
> Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures
are matched. The entire image needs some kind of permutation. Passing a
couple of curved ripples across the image as a transformation, and in
different directions should suffice to obfuscate the image signature
without obfuscating the image itself :) Similarly watermarking the image
using fractal patterns should also provide good noise.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
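
Added example, not part of the original thread: a self-check for anyone serving image captchas from a small static set, showing why random bytes in a metadata field change the whole-file MD5 but not a hash taken over the image data alone, while a pixel-level change alters both. It generalizes from the GIF header discussed above to PNG, whose chunk layout is simple to build and parse with the standard library; the helper names, the 16x16 sample image and the low-bit flip (a stand-in for the ripple or watermark transforms suggested above) are all assumptions made for illustration.

```python
import hashlib, os, random, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(pixels, width, height, padding=b""):
    """8-bit grayscale PNG; `padding` lands in a tEXt chunk that decoders ignore."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + pixels[y * width:(y + 1) * width] for y in range(height))
    text = chunk(b"tEXt", b"Comment\x00" + padding) if padding else b""
    return PNG_SIG + chunk(b"IHDR", ihdr) + text + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def file_digest(png):
    return hashlib.md5(png).hexdigest()

def pixel_digest(png):
    """MD5 over the decompressed IDAT data only, so metadata chunks are skipped."""
    pos, idat = len(PNG_SIG), b""
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if ctype == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return hashlib.md5(zlib.decompress(idat)).hexdigest()

def audit(variants):
    """(distinct whole-file hashes, distinct pixel hashes) across served variants."""
    return len({file_digest(v) for v in variants}), len({pixel_digest(v) for v in variants})

def perturb(pixels, rng, n=16):
    """Flip the low bit of n random pixels: a stand-in for a whole-image transform."""
    buf = bytearray(pixels)
    for i in rng.sample(range(len(buf)), n):
        buf[i] ^= 1
    return bytes(buf)

if __name__ == "__main__":
    base = bytes(range(256))  # constructed 16x16 gradient, not a real captcha image
    rng = random.Random(0)
    padded = [make_png(base, 16, 16, os.urandom(8).hex().encode()) for _ in range(4)]
    permuted = [make_png(perturb(base, rng), 16, 16) for _ in range(4)]
    print("metadata-only variants:", audit(padded))    # file hashes differ, pixel hash does not
    print("pixel-level variants:  ", audit(permuted))  # both differ
```

If `audit` reports a single pixel hash across the variants a site serves, the variation lives only in metadata and the set is effectively static.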