Dailydave: Re: confirming it's a person

Re: confirming it's a person

From: Dave Aitel <dave_at_immunityinc.com>
Date: Tue, 25 Mar 2008 16:44:07 -0400

Jonathan Wilkins wrote:
| The problem with that is that it's only as difficult for the attacker to
| build the model as it is for the defender.
|

The defender doesn't have to build a model in this particular example
though - the mobs of humans build it for you - you just have to do
pattern recognition on the data. So it is asymmetric because you supply
the random strings, and the humans generate data for you. I don't think
you are resource limited (if each human submits three strings, one real
and two statistics gathering examples, then your supply of random
strings+statistics should replenish faster than it goes away?), but as
for the false positive rate, I'm not sure. I'd have to go head to head
with you on this one with real working code, and I don't have time to
learn Silverlight/Flash right now. :>

All captcha type systems are broken if an attacker owns a popular online
service though, right? Because they can just put the captcha up on their
service and have a real human answer it. :>

Hmm. Palladium would have solved this problem, like almost all security
problems by building a trusted PKIed tunnel from the online service to
your machine's CPU, but everyone hated it. I wonder what VMWare is going
to do when Microsoft makes it mandatory to use Palladium-like technology
to get to hotmail and only VirtualPC is allowed to support it?

- -dave

| To be useful, a system of this sort has to be:
| - Asymmetric in effort (has to cost the attacker much more than the
| defender)
| - Can't rely on resource scarcity (of the type attackers can steal). This
| is the major weakness in hashcash type systems in the face of bot nets.
| - Have a low random/partial success rate
|
| I have a white paper on breaking various CAPTCHA systems (and building
| better ones) coming out soon. I don't want to side track the thread on
| specific CAPTCHA issues though.
|
| On Tue, Mar 25, 2008 at 11:44 AM, Dave Aitel <dave_at_immunityinc.com> wrote:
|
| re Captchas:
|
| You could just ask the user to retype two strings and measure how long
| it takes for them to type it in, a la BioPassword. BioPassword tries to
| use biometrics to determine which person someone is (by measuring how
| long their fingers take to move between keys with a flash applet, for
| example), but biometrics are often quite useful for "this is a person".
| Of course, you'll have to make a model for each different keyboard type
| if you're internationally savvy. Rather than having a single password
| the user types, you'll want to have a "random string".
|
| Hmm. If you give everyone two strings to type, you could build a
| database of timings with the second string, and simple datapoint
| grouping will get you which keyboard they are using so you can build
| your models. Then you can start rotating that second string in and
| retiring your first string after your model is built and tested. You
| need a continual stream of random strings+statistical models because
| otherwise people will just type them in once, slightly modify them, and
| submit them mechanically.
|
| I don't have code to do this, of course. The counter-attack would be a
| good model of how a human types on a keyboard, where given a random
| string you could generate timings. That might not be a difficult thing
| to build to the level of precision you'd need, but it might. Then again,
| typing in long random strings might be much more annoying than trying to
| read distorted images. :>
|
| Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is
| going to demo his new CANVAS Win32 kernel rootkit for anyone who asks,
| he tells me. :>
|
| -dave
|
|
| dan_at_geer.org wrote:
| | I would like to RTFM on alternatives to CAPTCHAs,
| | but I don't know what FM to R.
| |
| | If someone here wants to say "forget it" or "this
| | is the current best technique" or what-have-you,
| | I'd be thankful to hear. Not trying to start a
| | large thread; you can, if you like.
| |
| | --dan
| |
| | _______________________________________________
| | Dailydave mailing list
| | Dailydave_at_lists.immunitysec.com
| | http://lists.immunitysec.com/mailman/listinfo/dailydave


Received on Mar 25 2008
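The two-string timing scheme sketched in the thread, as an added illustration that is not code from the list or from Immunity: a model of per-keystroke intervals built from the crowd's "statistics gathering" strings, a z-score check of a new submission against it, and a replay check for the "type it once, then resubmit mechanically" problem the message raises. The sample timings are constructed and the thresholds are assumptions; a bot that synthesises timings from a good human model (the counter-attack Dave names) still passes the first check, which is why the thread calls for continually rotating strings.

```python
import statistics
from typing import List, Tuple

# Constructed inter-key intervals (milliseconds) from five people who retyped the
# same 8-character "statistics gathering" string; one list per person, 7 gaps each.
HUMAN_SAMPLES: List[List[int]] = [
    [180, 210, 95, 240, 160, 300, 120],
    [170, 230, 110, 220, 150, 280, 130],
    [200, 195, 90, 260, 175, 310, 115],
    [165, 220, 100, 235, 155, 290, 125],
    [190, 205, 105, 250, 165, 295, 118],
]

Model = List[Tuple[float, float]]  # (mean, stdev) of the gap before each key


def build_model(samples: List[List[int]]) -> Model:
    """Learn per-keystroke timing statistics from the crowd's submissions."""
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("all samples must cover the same string")
    return [(statistics.mean(col), statistics.stdev(col))
            for col in zip(*samples)]


def mean_abs_z(model: Model, intervals: List[int]) -> float:
    """Average distance, in standard deviations, between a submission and the model."""
    if len(intervals) != len(model):
        raise ValueError("submission length does not match the model")
    # sigma is floored at 1 ms so a very uniform column cannot divide by zero
    return statistics.mean(abs(x - mu) / max(sigma, 1.0)
                           for (mu, sigma), x in zip(model, intervals))


def is_replay(seen: List[List[int]], intervals: List[int], tol_ms: int = 3) -> bool:
    """True if every gap is within tol_ms of an earlier submission: a recorded
    human run being resubmitted mechanically, possibly with small tweaks."""
    return any(len(s) == len(intervals) and
               all(abs(a - b) <= tol_ms for a, b in zip(s, intervals))
               for s in seen)


def looks_human(model: Model, seen: List[List[int]], intervals: List[int],
                max_mean_z: float = 2.0) -> bool:
    """Accept a submission only if it resembles the crowd model and is not a replay.
    max_mean_z is an assumed threshold; tune it against real false-positive data."""
    return mean_abs_z(model, intervals) <= max_mean_z and not is_replay(seen, intervals)
```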
