CAPTCHA
1
Are you Human? (Sorry, I had to ask)
CAPTCHA
2
Agenda
• What is CAPTCHA?
• Types of CAPTCHA
• Where to use CAPTCHAs?
• Guidelines when making a CAPTCHA
• Ways to break CAPTCHAs
• reCAPTCHA
• Human Computation Games
CAPTCHA
3
Example: Filling out a form
Google uses CAPTCHA for Gmail accounts:
CAPTCHA
4
Beginnings
Completely Automated Public Turing test to tell Computers and Humans Apart
Created in 2000 for Yahoo to prevent automated e-mail account registration,
by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford, Carnegie Mellon University.
CAPTCHA
5
What is CAPTCHA?
A program that can tell whether its user is a human or a computer.
It uses a type of challenge-response test to determine that the response is not generated by a computer.
CAPTCHA
6
Turing Test
"Standard Interpretation": player C, the interrogator, is tasked with trying to determine which player (A or B) is a computer and which is a human.
CAPTCHA
7
Reverse Turing Test
A CAPTCHA is sometimes described as a reverse Turing test, because it is
administered by a machine and targeted to a human.
CAPTCHA
8
So, CAPTCHA is…
A program that can generate and grade tests that:
Most humans can pass; Current computer programs cannot pass.
CAPTCHA
9
Making a CAPTCHA
Pick a random string of characters (or words), e.g. ifhkfp
Render it into a distorted image
CAPTCHA
10
Making a CAPTCHA
… and the program generates a test:
Type the characters that appear in the image
CAPTCHA
11
Type: Early CAPTCHAs
Generated by the EZ-Gimpy program; Used previously on Yahoo!
CAPTCHA
12
Type: Improved CAPTCHA
high contrast for human readability; medium, per-character perturbation; random fonts per character; low background noise;
CAPTCHA
13
Type: A modern CAPTCHA
Rather than attempting to create a distorted background and high levels of warping on the text, the focus is on making segmentation difficult by adding an angled line.
CAPTCHA
14
Other Types of CAPTCHA
Animated CAPTCHAs
3D CAPTCHA
ASCII art
Reverse CAPTCHA "Leave this field blank"
CAPTCHA
15
Other: Cognitive Puzzles
• Distinguish pictures of dogs from cats
• Choose a word that relates to all the images
• Trivia questions
• Math and word problems
• 3D Object CAPTCHA
• Solve failed OCR inputs
CAPTCHA
16
Other: Distinguish pictures
Microsoft Asirra (Animal Species Image Recognition for Restricting Access);
KittenAuth Project.
CAPTCHA
17
Other: Tests
"Common Sense" questions:
• "What is 3 + 5?"
• "What color is the sky?"
Type the word 'orange'; Require a valid email to approve;
These attempts violate principles:
• they cannot be automatically generated;
• they can be easily cracked given the state of AI.
CAPTCHA
18
Where to use CAPTCHAs?
• Data Collection
• Worms and Spam
• Preventing Comment Spam in Blogs
• Protecting Email Addresses From Scrapers
• Online Polls
• Protecting Website Registration
• Preventing Dictionary Attacks
• Search Engine Bots
CAPTCHA
19
Where to use CAPTCHAs?
Preventing Comment Spam in Blogs.
Protecting Email Addresses From Scrapers. As a mechanism to hide your email address, require users to solve a CAPTCHA before showing it.
Online Polls. You cannot trust the results of an online poll, because anybody could just write a program to vote for their favorite option thousands of times.
CAPTCHA
20
Where to use CAPTCHAs?
Protecting Website Registration. (E-mail services: Yahoo, Microsoft, Google)
Preventing Dictionary Attacks (in password systems). Prevent a computer from iterating through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins.
Search Engine Bots. It is sometimes desirable to keep webpages unindexed to prevent others from finding them easily.
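The dictionary-attack defence above, as an added example that is not part of the original slides: a login gate that stops checking passwords for an account once it has too many failed attempts, until a CAPTCHA has been solved. The class name, the threshold of 3 and the `check_password` / `captcha_passed` inputs are assumptions; `captcha_passed` stands for the result of the site's own server-side CAPTCHA check.

```python
from collections import defaultdict


class LoginGate:
    """Requires a solved CAPTCHA once an account has too many failed logins."""

    def __init__(self, check_password, max_failures=3):
        self._check_password = check_password  # callable(username, password) -> bool
        self._max_failures = max_failures      # assumed threshold, tune per site
        self._failures = defaultdict(int)      # username -> consecutive failures

    def captcha_required(self, username):
        return self._failures[username] >= self._max_failures

    def attempt(self, username, password, captcha_passed=False):
        # Past the threshold, the password is not even evaluated without a
        # solved CAPTCHA, so an automated guesser learns nothing per request.
        if self.captcha_required(username) and not captcha_passed:
            return "captcha_required"
        if self._check_password(username, password):
            self._failures.pop(username, None)  # success resets the counter
            return "ok"
        # Failures are counted for unknown usernames too, so the response
        # does not reveal which accounts exist.
        self._failures[username] += 1
        return "denied"


if __name__ == "__main__":
    # Constructed demo credentials; a real system verifies a password hash.
    gate = LoginGate(lambda u, p: (u, p) == ("alice", "correct horse"))
    for guess in ["123456", "password", "qwerty", "correct horse"]:
        print(guess, "->", gate.attempt("alice", guess))
    print(gate.attempt("alice", "correct horse", captcha_passed=True))
```
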
CAPTCHA
21
Guidelines
Image Security. Images of text should be distorted randomly before being presented to the user.
Script Level Security. Insecurities:
• Systems that pass the answer in plain text;
• Systems where a solution to the same CAPTCHA can be used multiple times ("replay attacks").
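One way to avoid both script-level insecurities, as an added example that is not from the original slides: the answer stays on the server (only a keyed digest is stored, and the client sees an opaque id plus the image), and each challenge is consumed on its first verification so a solution cannot be replayed. The class name, the 120-second lifetime and the alphabet are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side challenge store: the expected answer never reaches the client."""

    ALPHABET = "abcdefghjkmnpqrstuvwxyz"  # constructed: drops look-alikes i, l, o

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._key = secrets.token_bytes(32)
        self._pending = {}  # challenge_id -> (answer digest, expiry time)

    def _digest(self, text):
        normalised = text.strip().lower().encode()
        return hmac.new(self._key, normalised, hashlib.sha256).digest()

    def issue(self, length=6):
        answer = "".join(secrets.choice(self.ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (self._digest(answer), self._clock() + self._ttl)
        # Only the opaque id and the rendered image go to the browser;
        # `answer` is handed to the image renderer and then dropped.
        return challenge_id, answer

    def verify(self, challenge_id, response):
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so a solved (or guessed-at) challenge cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(response))


if __name__ == "__main__":
    store = CaptchaStore()
    cid, text = store.issue()
    print("first submit:", store.verify(cid, text))
    print("replayed submit:", store.verify(cid, text))
```
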
CAPTCHA
22
Guidelines: Accessibility
Hard to read CAPTCHAs:
CAPTCHA
23
Guidelines: Accessibility
Worst CAPTCHAs:
CAPTCHA
24
Ways to break CAPTCHAs
Exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA;
Improving Character Recognition software (OCR – Optical Character Recognition);
Using cheap human labor to process the tests (sweatshops).
CAPTCHA
25
Break: Character Recognition
Programs that have the following functions:
• Extraction of the image from the web page;
• Removal of background clutter, for example with color filters and detection of thin lines;
• Segmentation, i.e. splitting the image into regions each containing a single letter;
• Identifying the letter for each region.
CAPTCHA
26
Attacks – EZ-Gimpy 2000
Yahoo's early CAPTCHA called "EZ-Gimpy";
The program picks a word from a dictionary, and produces a distorted and noisy image of the word;
Algorithm for breaking EZ-Gimpy (92%):
1. Locate possible letters at various locations;
2. Construct graph of consistent letters;
3. Look for plausible words in the graph.
CAPTCHA
27
Attacks – EZ-Gimpy 2000
EZ-Gimpy
Possible Letters
Graph of Letters
Plausible Words
CAPTCHA
28
Attacks – Jan/Feb 2008
Google (Jan 17) 20%
Hotmail (Feb 6) 30-35%
Yahoo (Feb 22) 30-35%
CAPTCHA
29
Break: Human solvers
Attacks that use humans to solve the puzzles;
Approaches:
• relaying the puzzles to a group of human operators who can solve CAPTCHAs;
• copying the CAPTCHA images and using them as CAPTCHAs for a high-traffic site owned by the attacker.
CAPTCHA
30
Spammer Companies (October 2007)
They write a program that fills out the entire registration form (e.g. Yahoo);
When the program gets to the CAPTCHA it can’t solve it;
So it copies the CAPTCHA back to the spam page;
One person gets the screen saying if you want to see the next picture, you’ve got to tell what word is in the specific CAPTCHA.
CAPTCHA
31
Spammer Companies (October 2007)
CAPTCHA
32
Next CAPTCHA Generation
CAPTCHAs can be made stronger, but they are already too advanced for a large percentage of Internet users;
CAPTCHA devolves from a simple human reading test into an intelligence test or an acuity test.
CAPTCHA
33
reCAPTCHA
Pairs an unknown word with a known one;
Distorts them both, puts a line through them and then sends them to be proofread;
Respondent answers both elements:
• half of the effort validates the challenge;
• the other half is captured as work.
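The grading logic this implies, as an added example that is not reCAPTCHA's own code: the response passes or fails on the known (control) word only, and the transcription of the unknown word is recorded only when the control word was right. The class name, the scan ids and the rule that a word counts as resolved after a fixed number of matching transcriptions are assumptions.

```python
from collections import Counter, defaultdict


def _norm(text):
    return text.strip().lower()


class PairedWordGrader:
    """Grades on the known word; collects transcriptions of the unknown word."""

    def __init__(self, votes_needed=3):
        self.votes_needed = votes_needed     # assumed agreement threshold
        self.votes = defaultdict(Counter)    # unknown word id -> transcription counts
        self.resolved = {}                   # unknown word id -> accepted transcription

    def grade(self, control_answer, unknown_id, typed_control, typed_unknown):
        # Half of the effort validates the challenge: only the control word
        # decides pass or fail, because the server has no answer for the other.
        if _norm(typed_control) != _norm(control_answer):
            return False  # a failed respondent's guess is not trusted as work
        # The other half is captured as work: one vote for this transcription.
        guess = _norm(typed_unknown)
        if guess and unknown_id not in self.resolved:
            self.votes[unknown_id][guess] += 1
            word, count = self.votes[unknown_id].most_common(1)[0]
            if count >= self.votes_needed:
                self.resolved[unknown_id] = word
        return True


if __name__ == "__main__":
    grader = PairedWordGrader(votes_needed=2)
    # Constructed submissions: (control answer, scan id, typed control, typed unknown)
    submissions = [
        ("morning", "scan-17", "morning", "overlooks"),
        ("upon", "scan-17", "opon", "overlocks"),   # wrong control word: rejected
        ("between", "scan-17", "between", "Overlooks"),
    ]
    for sub in submissions:
        print(sub[2], "->", grader.grade(*sub))
    print(grader.resolved)
```
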
CAPTCHA
34
Time spent
Roughly 60 million CAPTCHAs are solved each day;
On average, it takes 10 seconds to solve a CAPTCHA;
People around the world waste more than 150,000 hours on solving CAPTCHAs;
CAPTCHA
35
Human Computation
Things that we humans can do and computers cannot, like:
• Labeling images with words;
• Picking out a voice in a loud room;
Humans have trouble remembering long, random strings of characters, yet they excel at remembering faces and objects.
CAPTCHA
36
Bibliography
Site: Luis von Ahn Website (2006)
Site: reCAPTCHA (2007)
Site: CAPTCHA (2007)
Site: Gwap (2008)
Interview: "Using 'captchas' to digitize books" (2007)
Interview: "For Certain Tasks, the Cortex Still Beats the CPU" (2007)
CAPTCHA
37
Thank you!