CAPTCHA:

CAPTCHA: William Strickland, COT4810, Spring 2008, April 17, 2008. Outline: Description, Usage, General types (Text, Image, Audio), reCaptcha, Criticisms, Security, Summary. Description: Completely Automated Public Turing test to tell Computers and Humans Apart.



  1. CAPTCHA: William Strickland COT4810 Spring 2008 April 17, 2008

  2. Outline
     • Description
     • Usage
     • General types
       • Text
       • Image
       • Audio
     • reCaptcha
     • Criticisms
     • Security
     • Summary

  3. Description
     • Completely Automated Public Turing test to tell Computers and Humans Apart.
     • Simple implementation by AltaVista in 1997.
     • Term CAPTCHA and specifications formalized in 2000 at Carnegie Mellon University.

  4. Description (cont.)
     • Specifications:
       • Cannot be solved by current computers.
       • Can be solved by humans.
       • Remains strong if attacker knows generation algorithm.
     • Designed to detect that user is human, not which human.

  5. Usage
     • CAPTCHA can prevent or deter:
       • Automated spam email.
       • Automated postings into forums.
       • Abuse of online purchase systems.
       • Brute force attacks against web resources such as email services like Gmail.
       • Abuse of bandwidth to other web resources.

  6. Text CAPTCHA
     • Most common form of CAPTCHA.
     • Closely related to OCR.
     • Many algorithms exist, most of them bad.
     • Obscures text with:
       • Perturbation – manipulation of characters.
       • Addition of stray marks.
       • Masking patterns.
       • Random noise.

  7. Weak Text CAPTCHA
     • RapidShare’s CAPTCHA
     • EZ-Gimpy (formerly used by Yahoo)

  8. Strong Text CAPTCHA
     • Passport CAPTCHA
     • Yahoo’s CAPTCHA

  9. Image CAPTCHA
     • Provide the user with a series of images.
     • Ask the user to:
       • Identify a picture matching a description.
       • Identify a common theme to the images.
     • Requires huge databases of images with metadata to provide sets.

  10. ESP-Pix Picture CAPTCHA

  11. Audio CAPTCHA
     • Play scrambled audio to user.
     • Compares against metadata.
     • Developed to aid blind users.
     • Strong audio CAPTCHA often impossible for users to decipher.

  12. reCaptcha
     • Make use of Human Computing Power.
     • Take text from books that could not be deciphered with OCR.
     • Garble the text up more.
     • Provide alongside known garbled text.
     • Have user decipher both (authenticate with known).
     • Repeat until enough users agree on the unknown text.
     • This text is now known and book has been digitally encoded.
     • Strong CAPTCHA that accomplishes work.

  13. Criticism
     • Exclusionary to users with disabilities.
     • No official standards or ruling body for creation of CAPTCHA algorithms.
     • Difficult user interactions.
     • No published for proper implementation of algorithms.

  14. Security
     • Very hard to balance effectiveness of CAPTCHA and usability.
     • Difficult for programmer to identify bad CAPTCHA algorithms.
     • Researchers frequently break seemingly strong CAPTCHA.
     • Algorithms possibly protected under DMCA.

  15. Security (cont.)
     • Methods to break:
       • OCR
       • Artificial Intelligence
       • Turing Farm
       • Porn Turing Farm
     • None of these methods are effective in the wild.
     • Spam business model breaks down with small increases in operating costs.

  16. Summary
     • CAPTCHA do not provide individual authentication.
     • CAPTCHA cannot stop extravagant exploits that utilize humans.
     • In some situations user authentication is more suited.
     • CAPTCHA are difficult to design.
     • CAPTCHA are effective in reducing spam and automated attacks.

  18. Questions
     • True or False: CAPTCHA can provide user authentication.
     • Name one tool used to obscure source text in Text CAPTCHA algorithms.
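
The word-pairing and agreement procedure from the reCaptcha slide (slide 12), as an added Python example that is not part of the original presentation. The class and function names, the sample words and the three-vote agreement threshold are assumptions made for illustration.

```python
from collections import Counter

AGREEMENT_THRESHOLD = 3  # assumed: matching readings needed before a word is "known"

def normalize(text):
    """Compare answers case-insensitively, ignoring surrounding whitespace."""
    return text.strip().lower()

class WordPairChallenge:
    """One challenge: a control word with a known answer plus an unknown word."""
    def __init__(self, known_answer, unknown_id):
        self.known_answer = normalize(known_answer)
        self.unknown_id = unknown_id  # hypothetical id of the undeciphered scan

class Transcriber:
    """Collects readings of unknown words from users who passed the control word."""
    def __init__(self, threshold=AGREEMENT_THRESHOLD):
        self.threshold = threshold
        self.votes = {}     # unknown_id -> Counter of submitted readings
        self.resolved = {}  # unknown_id -> agreed text

    def submit(self, challenge, known_guess, unknown_guess):
        """Return True if the user passes; only passing users get a vote."""
        if normalize(known_guess) != challenge.known_answer:
            return False  # control word wrong: the other reading is discarded
        uid = challenge.unknown_id
        reading = normalize(unknown_guess)
        if uid in self.resolved or not reading:
            return True   # nothing left to learn, or nothing submitted
        tally = self.votes.setdefault(uid, Counter())
        tally[reading] += 1
        best, count = tally.most_common(1)[0]
        if count >= self.threshold:
            self.resolved[uid] = best  # enough users agree: the word is now known
        return True

def run_demo():
    transcriber = Transcriber()
    challenge = WordPairChallenge("morning", "scan-17")
    # Constructed submissions: (answer to control word, answer to unknown word)
    submissions = [
        ("morning", "upon"),
        ("m0rn1ng", "spam"),   # fails the control word, so "spam" is never counted
        ("Morning", "Upon"),
        ("morning", "upan"),   # a human misreading, outvoted by the others
        ("morning ", "upon"),
    ]
    passed = [transcriber.submit(challenge, k, u) for k, u in submissions]
    return passed, transcriber.resolved

if __name__ == "__main__":
    print(run_demo())
```

Only the control word decides whether a user passes; the unknown word's reading is trusted solely through agreement between independent users who passed.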
