Apathy Sketchpad

The first phpBB3 captcha and all the info on that article about the phpBB3 Admin Panel are from “Beta 1″ and are completely obselete since the final (well, RC1 at least) is completely different. The captcha used on http://www.phpbb.com is the final captcha, and the final Admin Panel has an option to add random “same color as the letters” lines to obfuscate it.

Yeah, I’ve not downloaded phpbb3 to check up on it, as I don’t really have any use for it any more, but I think there ‘random “same color as the letters” lines’ would do little to stop the routine outlined above — they might generate some false positive areas, but they’d mostly be the wrong size and shape so it wouldn’t take much morphology to identify and discard them.

It’s a clever captcha in a sense: it looks so utterly unlike other captchas that most generic cracking programmes would probably not work. But it’s going to be so widely used by almost everyone who installs phpbb3 that it’ll be worth writing routines specifically to crack it.

I think they’d be better off making it very easy for users to create and install their own captchas. Granted, a lot of users wouldn’t know how to do that, but if enough do it’ll become far less worthwhile cracking the default one, and at least it’ll mean some people get a secure forum.

The excellent article is made better with the little test on your own reply form.
Simple and effective.

Is there a package for C#, java that can do this matlab trick?

I’ve not found one. There are a few image processing libraries for C#, although most of them are pricey. Most of the functions I’ve called on this page are simple enough to write, although an efficient version of bwlabel would be a pain to code — you’d want to start with a flood fill and build it from there. Simple flood fill routines are very inneficient, though. A good one is a scanline fill — not too complex, but usually very fast.

I don’t know anything much about Java programming, though. I expect there’s something out there.

Hi,

Do you crack yahoo captcha in any of your articles? Do you know where I can find it?

Thanks,

Nick

No. I never use Yahoo, so I’ve not even seen their captcha. The only ones I ever see these days are on Blogger.

Apparently MediaWiki-sites now have a captcha for when someone tries to put external links in an entry.

There’s always KittenAuth.
http://www.thepcspy.com/contact

To begin, I must say that the author fancies himself a bit more of an intellectual than he actually is. Allow me to elaborate on his opinions if I may.

Computer Vision is (and has been for some time) quite advanced. Trust me when I say that if Computer Vision is powerful enough to race autonomous robots through unknown terrain, navigate cars through a city on their own, take facial fingerprints (not images, but measurements) of every single person entering the stadium for the Superbowl in 2001, it can be used to crack a stupid captcha image.

The problem is that you are focusing on each individual captcha that you are cracking, and engineering a crack based on that particular image. So what? Any green-horn should be able to do that, and if they can’t should not even be trying. Why wouldn’t you push toward designing a program to read ANY image captcha that it encounters? You may have to put aside your trusty old Matlab for that one, and no, I won’t send you any code.

The rant about a administrator approving each and every attempt to register a user is about as brute force of a solution as I can think of. There are effective captchas out there, some of which I have written that have never been cracked a single time and have been up on forums, guestbooks, blogs, etc… for years with thousands of visitors a day. Don’t claim that you have accomplished something because you have cracked phpBB’s image captcha, which, by the way, is not cracking anything at all, since it is open source to begin with.

Maybe you should submit your solution “entering two letter q’s” to open source forums so they can benefit from this knowledge.

If I was an asshole, I’d redirect the spam traffic that I get on all the websites I’ve written and maintain to here; they’d have you cracked in a day or so and fill you up so full of crap you’d actually have some content on the site.

Sorry if I sound mean, I actually spit out my coffee when I read the letter ‘q’ thing because I was laughing so hard. You made my day man. Thanks.

No, that’s kind of my whole point: “any green-horn” (whatever that might be) should indeed be able to do all of the above, because it’s really quite easy. Computer Vision, and all its high-end algorithms, is all well and good and doing amazing things, but it’s well outwith the reach of the average person.

A general algorithm would be more interesting, yes, but it would be a major investment of time and I’d be the wrong person to do it. My point was just that I could spend a week or so, crack phpBB’s captchas, and then spam all the phpBB forums in the world, which to my mind is a far greater weakness than a susceptibility to advanced computer vision algorithms, because as you pointed out there are so many people who could do what I just did. A few of them are bound to do it.

On the subject of my own captcha, I think to be fair you’ve underestimated it. It actually was broken once, but not by “entering two letter q’s”. That’s just one of five or six questions that loop around the comments form, which are all simple tasks involving maths and/or moving letters around, and about a year ago, a spambot learned to add two numbers (which is a common question in captchas anyway). All I did was load up the captcha file and delete that question (leaving four or five others). That secured the site again without blocking real comments, and later that day I replaced it with a new question so no harm was done. Yes, the questions are weak but the system that surrounds them is much more robust. I could put in a conventional image-based captcha if I wanted, although that would reduce accessibility, so for the amount of traffic I have now it would probably do more harm than good.

But that’s the only time I’ve had any spam (other than pingbacks, which are so problematic they’ve all but shut down Technorati) since I installed it, whereas phpBB’s captchas are broken daily even on low-traffic forums. Okay, so the smarter spammers you enjoy might learn to enter two “q’s” in a day, but I can remove that question that same day. I expect an automated system could remove it in a moment the first or second time WordPress detected a “spammy” comment getting through. Unless they can reverse-md5 long and meaningless strings, they’ve got nothing long-term but cracking individual questions as they appear.

Unfortunately, most boards, particularly those that are freely available, suffer from fundamental downfalls in their captcha methods.

Firstly, you CANNOT allow the user to see the relationship between the captcha question or image and it’s solution. You’d be surprised at how often this is done. For example, the md5 hashing of the question that you provide on this site does just this (the md5 “answerhash” is embedded in the form code and thus visible to any HTML parser). Once one solution is calculated (which is easy in your case), it can be applied since they know the relationship between the hashing and the solution, even though it changes. Banning ip addresses wouldn’t work either because spam bots typically work in groups to avoid this, and you don’t want to ban a potential website visitor because they’ve slipped typing in the answer. Once spammers get it, they share the methods to other spammers so that everyone may enjoy the security hole.

Secondly, you MUST generate a unique captcha every time. A question or image should never come up twice, no matter what. It is pretty clear why this is important. This is typically why text verification is rarely used, at least by itself.

Thirdly, a good, foolproof, changing, and unique captcha image needs to be developed. For example, you may have an external chunk of php code using gd to generate an image, generate an id for this image, and put both the id and the solution in a database somewhere unbeknownst to the user. Then upon submission of something, check the id against the solution in the database, maybe have a script on the db return either true or false, and automatically and immediately delete that entry from the database.

I’ve always been interested in seeing how easy captcha images are to crack, and maybe even writing some code myself to do so. You should put a small section up on your site where users can submit a link to a chunk of code somewhere that outputs an image, and see how long it takes to develop a crack for it (one that can be applied to any image that is generated, and computes the correct solution 100% of the time). I firmly believe that with the proper linking of the characters with lines, and the correct usage of colors, fonts, scaling, rotation, overlapping, etc…that captchas are extremely effective.

In all fairness, you’ve attacked weak catpchas in your post above. There are some good ones!

I have. What I did, really, was to see the captcha for phpBB3, think “that’s rubbish, I bet I can crack it in a day” and attack it to see if I could. To be honest, the captcha for phpBB is fairly irrelevant anyway, given how easy it is for even the dimmest script-kiddies to gain access to the admin panel and turn the index page into a billboard.

The “answerhash” isn’t just the md5 of the answer, by the way. It’s salted with a site ID and some material unique to the page it’s on, so a stored answer would only work on one page. If I have to change it again I’ll add to that a question ID so that when a question is retired all hashes associated with it are retired as well. It’d mean checking five hashes instead of one, but that’s okay.

With image-based ones, the gap between “what computers can’t do” and “what humans can do” is closing fast, and probably closed long ago if you consider humans with any kind of disabilities. I don’t even think captchas on individual sites are the right approach, long term. We need to stop the spam being sent in the first place — the web traffic it generates is problematic and expensive enough and the tests to block it are the antithesis of most modern interface design principles.

(Personally, I think we need to start identifying the people whose computers are spam-sending zombies and taking away their broadband. They can’t be trusted with it.)

This is how all my opinions seem to work; I start out with a gut instinct, and tell people until I happen across one who knows what they’re talking about, and after a few exchanges I have a far better justified position.

I’d like to think that means I’m open to correction, but I usually seem to end up with roughly the same opinion I had before but for better reasons so either my instincts are fantastic or I can justify any irrational prejudice. I don’t really know how to tell the two apart. I usually enjoy the process, though, so I don’t worry about it much.

Well, I enjoyed your article quite a bit just for the record.

Captchas have to use non-linear transformation to become “hard”. Rotation, skew, etc. can all be solved by Principle Component Analysis.

Check out this author’s run down of why linear transformation is not enough:

http://churchturing.org/captcha-dist/captcha/final.medium.png
http://churchturing.org/captcha-dist/

Hi Dr. Taylor, A very interesting article. Having written my first captcha, I was searching for info on cracking them and found your site. My first idea was to place random objects such as guns, umrellas, scarecrows etc at a random position, at a random angle with lots of random line and dots placed over them. I then felt this would be too easily solved by histogram analysis. The idea I settled on was to use random moire clockfaces shown at different angles where the user has to convert the time from analog to digital. You can see a demo at http://evolveradio.com/clockedya (released under GPL)
I would welcome any feedback on it’s effectiveness or any advice you have may have to offer as to how I might improve it. At the moment, I am not limiting the number of tries – I guess I should as I reckon the odds of guessing the correct answer are 1 in 1320. (12 x 11 x 10) the hands can not appear in the same position as each other.
Anyway, as I said, if you have a few minutes, I’d love to know how easy or difficult you think it would be for my captcha to be solved by a computer.

Oh I forgot to say.. How about a simple crossword clue combined with an anagram captcha or maybe an odd one out puzzle of the type you find in IQ tests?

Or. I may write this one next for the hell of it. You display random notes and coins in random position (some overlapping) – and ask for the total amount?

Or… How about recognising celebrities?

or… analysing the data given in other form fields?

or… testing that the entered email address exists?

It’s a fascinating subject – I believe the fatal flaw may in the first two letters of the Captcha acronym – ie: Completely Automated. We are asking a one computer to test another.

I can’t find a working demo of the clock captcha on the web. It sounds interesting, although I can’t see how hard it could be to automate the reading of an analogue clock. Finding the angles of straight lines, especially if they all start in the centre of the image, is pretty straightforward. The hardest part would be telling the hands apart, which didn’t ought to be too taxing depending on the style, but even if you didn’t bother, you’ve still cracked 1 in 6 of them by chance. That said, ‘moire clockface’ isn’t a term I’m familiar with, so I may have missed something there.

I like it when there’s no cultural knowledge required: recognising celebrities would probably stop me from posting, and coins can be very unclear to foreigners (especially if some modern graphic designer has taken the numbers off them). Text-based ones like the normal ones have the advantage of requiring no knowledge beyond what you need to read and understand the site it’s on. A friend of mine ran a videogame website and its captcha rather cleverly asked you to identify game boxes. Obviously it only had a finite number of questions, which was a drawback, but for a small site that’s not a problem. (Although I’m certain that spambots have mastered the art of email confirmation by now.)

It is, you’re right, a massive disadvantage to have a computer sat opposite the subject in the Turing test, but it shouldn’t be automatically fatal: we know computers can test things they can’t do. For example, hashing algorithms can’t be reversed, but can be tested against. We have to find something where the computer can work backwards from the answer (say by warping the letters and drawing lines on) to generate a question, but can’t work forwards from there to find the answer. The hard part is that it has to be something a human can do easily. I suspect the bigger problem is that computers are too clever and people too dim.

How about cracking this captcha? :)

http://www.wowanno.com/forums/ucp.php?mode=register

I placed it there after a shitload of spam on that abandoned site.

A message to any potential spammer out there that might use the help you provide: fuck you.

MATLAB again:
imshow(imdilate(imerode(im(:,4:320)==im(:,1:317),ones(3)),ones(3)))

That was actually easier than just reading it.

Hello,

I was playing a little bit with your code, after all it looked like that… http://pastebin.com/m50d11fa2

How ever I use Octave insted Matlab and I just hit the problem … the code at paste bin produces error:

http://pastebin.com/m5661fd57

Now the problem I think is here:

adjacentpixels=(imdilate(thisarea, [0 1 0;1 1 1;0 1 0])&~thisarea);

but I have no idea how to fix that. Can you help or explain please?

Oh yes and if I uncomment this:

%class(thisarea)
%class(temp)
%class(region)

i get:

ans = logical
ans = double
ans = double

Thanks!

I’ve never used Octave, but whenever I get a type error like this I normally solve it by adding double(…) or logical(…) or whatever around whatever variable or expression it’s whining about.

double() solved this, thanks! :)