So "remove captcha" is not valid suggestion ?
 
This thread is older than 90 days and has been locked due to inactivity.


 

Valandril
Caldari
Ex-Mortis
Posted - 2009.07.23 13:35:00 - [1]
 

Edited by: Valandril on 23/07/2009 13:35:58
Because apparently suggesting it is just a rant (http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1126462&page=1#4). Or maybe it's just a rant because i didn't copy/paste 30 pages of lorem ipsum or write other nonsense to back my idea ?
If so, brace yourself.

There are a few approaches to defeating CAPTCHAs:
exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA,
improving character recognition software, or
using cheap human labor to process the tests.
brute-force - multiple sequential attacks instead of Recognition Software

Insecure implementation

Like any security system, design flaws in a system implementation can prevent the theoretical security from being realized. Many CAPTCHA implementations, especially those which have not been designed and reviewed by experts in the fields of security, are prone to common attacks.

Some CAPTCHA protection systems can be bypassed without using OCR simply by re-using the session ID of a known CAPTCHA image. A correctly designed CAPTCHA does not allow multiple solution attempts at one CAPTCHA. This prevents the reuse of a correct CAPTCHA solution or making a second guess after an incorrect OCR attempt.[8] Other CAPTCHA implementations use a hash (such as an MD5 hash) of the solution as a key passed to the client to validate the CAPTCHA. Often the CAPTCHA is of small enough size that this hash could be cracked.[9] Further, the hash could assist an OCR based attempt. A more secure scheme would use an HMAC. Finally, some implementations use only a small fixed pool of CAPTCHA images. Eventually, when enough CAPTCHA image solutions have been collected by an attacker over a period of time, the CAPTCHA can be broken by simply looking up solutions in a table, based on a hash of the challenge image.

Computer character recognition

A number of research projects have attempted (often with success) to beat visual CAPTCHAs by creating programs that contain the following functionality:
1. Pre-processing: Removal of background clutter and noise.
2. Segmentation: Splitting the image into regions which each contain a single character.
3. Classification: Identifying the character in each region.

Steps 1 and 3 are easy tasks for computers.[10] The only step where humans still outperform computers is segmentation. If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on the segmentation.

Several research projects have broken real world CAPTCHAs, including one of Yahoo's early CAPTCHAs called "EZ-Gimpy"[1] and the CAPTCHA used by popular sites such as Paypal,[11] LiveJournal, phpBB, and other open source solutions.[12][13][14] In January 2008 Network Security Research released their program for automated Yahoo! CAPTCHA recognition.[15] Windows Live Hotmail and Gmail, the other two major free email providers, were cracked shortly after.[16][17]

In February 2008 it was reported that spammers had achieved a success rate of 30% to 35%, using a bot, in responding to CAPTCHAs for Microsoft's Live Mail service[18] and a success rate of 20% against Google's Gmail CAPTCHA.[19] A Newcastle University research team has defeated the segmentation part of Microsoft's CAPTCHA with a 90% success rate, and claim that this could lead to a complete crack with a greater than 60% rate.[20]
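
Added example, not part of the original post and not CCP's code: the HMAC scheme and the one-attempt-per-challenge rule described in the post above, as server-side token issue and verify in Python. `SERVER_KEY`, `TOKEN_TTL`, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
TOKEN_TTL = 120                       # assumption: seconds a challenge stays answerable
_spent = {}                           # nonce -> expiry; a shared store in a multi-server setup


def _mac(*parts):
    msg = "|".join(parts).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _same(a, b):
    # constant-time compare on bytes (compare_digest rejects non-ASCII str)
    return hmac.compare_digest(a.encode(), b.encode())


def issue_challenge(solution, now=None):
    """Token sent with the CAPTCHA image; the solution itself never leaves the server."""
    expires = str(int(time.time() if now is None else now) + TOKEN_TTL)
    nonce = secrets.token_hex(16)
    # hdr proves the server issued this nonce; tag binds the solution to it.
    # Unlike a bare MD5 of the solution, neither can be recomputed without the key.
    hdr = _mac("hdr", nonce, expires)
    tag = _mac("ans", nonce, expires, solution.lower())
    return ".".join((nonce, expires, hdr, tag))


def verify_answer(token, answer, now=None):
    now = time.time() if now is None else now
    try:
        nonce, expires, hdr, tag = token.split(".")
        deadline = int(expires)
    except (ValueError, AttributeError):
        return False
    if not _same(hdr, _mac("hdr", nonce, expires)):
        return False                  # forged or tampered token
    if now > deadline or nonce in _spent:
        return False                  # expired, or already used once
    for old in [n for n, exp in _spent.items() if exp < now]:
        del _spent[old]               # drop records of expired challenges
    _spent[nonce] = deadline          # burn before checking: one guess, right or wrong
    return _same(tag, _mac("ans", nonce, expires, answer.lower()))
```

Because the nonce is burned before the answer is compared, a correct solution cannot be replayed and a wrong guess cannot be retried against the same image.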

Izztyrr Maemtor
Posted - 2009.07.23 13:39:00 - [2]
 

You're crying because you have to press a few more keys when you login? Grow up.

Valandril
Caldari
Ex-Mortis
Posted - 2009.07.23 13:40:00 - [3]
 

Originally by: Izztyrr Maemtor
Grow up.
Grow a brain
Captcha is useless and antihuman, if someone wants to crack it he will do it without any problem while valid human beings have to put up with it.

Ydyp Ieva
Caldari
Amarrian Retribution
Posted - 2009.07.23 13:42:00 - [4]
 

Originally by: Valandril
Originally by: Izztyrr Maemtor
Grow up.
Grow a brain
Captcha is useless and antihuman, if someone wants to crack it he will do it without any problem while valid human beings have to put up with it.

That is why only the highest success rate I see in your post is 35% and not a 100%?

As said in your previous post as well, the captcha isn't the problem. I got more problems with the removal of the "remember me" option.

Valandril
Caldari
Ex-Mortis
Posted - 2009.07.23 13:47:00 - [5]
 

Originally by: Ydyp Ieva
Originally by: Valandril
Originally by: Izztyrr Maemtor
Grow up.
Grow a brain
Captcha is useless and antihuman, if someone wants to crack it he will do it without any problem while valid human beings have to put up with it.

That is why only the highest success rate I see in your post is 35% and not a 100%?

As said in your previous post as well, the captcha isn't the problem. I got more problems with the removal of the "remember me" option.
I didn't even read what is in there, copy/paste from wiki as "how easy it is to break captcha and how many ****ed customers this will bring to you" is in every beginner webdev/programmer ABC book, so i would say that qualified CCP employees should know it by now.
Not mentioning how ridiculous it is to have captcha not on registering but on LOGIN. I mean come on, is this the only way you can think of to stop bruteforce attacks via http ? Really ?

Regat Kozovv
Caldari
Alcothology
Posted - 2009.07.23 13:55:00 - [6]
 

You could have just posted the Wiki article you copied from.

It's just a theory, but I'm guessing that the sudden implementation of CAPTCHAs is a result of the attacks that the boards have been under for the past few days. While the article is correct in saying that CAPTCHAs are not a perfect solution, they do serve as a speed bump to scripts and automated services seeking to penetrate the site.

The goal is not to prevent robots or others from posting, but to slow it down and/or make the process costly enough that continued attempts are not worthwhile. All of the workarounds listed in the wiki article would require time, effort, and resources to defeat, all of which may be over the attacker's threshold of what they're willing to expend. Combined with the fact that the forum administrators are still actively deleting offending threads, this may be enough to make continued attempts to spam the forums unprofitable.

Valandril
Caldari
Ex-Mortis
Posted - 2009.07.23 14:01:00 - [7]
 

Edited by: Valandril on 23/07/2009 14:05:54
Originally by: Regat Kozovv
You could have just posted the Wiki article you copied from.
Apparently short posts without at least 200 words are considered rants so i've decided to copy/paste it.
Originally by: Regat Kozovv
stuff
I'm starting my watch till first spampost arrive and i'm willing to bet that it will be within 5 hours rendering captcha obsolete.
Any takers ?

You cannot prevent spammers, but you can efficiently fight with effects of an attack thanks to magnificent world of spam databases and regular expressions. It also comes without stress lvl5.

Regat Kozovv
Caldari
Alcothology
Posted - 2009.07.23 14:06:00 - [8]
 

Originally by: Valandril
Originally by: Regat Kozovv
The goal is not to prevent robots or others from posting, but to slow it down and/or make the process costly enough that continued attempts are not worthwhile.
I'm starting my watch till first spampost arrive and i'm willing to bet that it will be within 5 hours rendering captcha obsolete.
Any takers ?




Bolding my quote.

Whitehound
The Whitehound Corporation
Frontline Assembly Point
Posted - 2009.07.23 14:07:00 - [9]
 

Yes, those things are annoying. But the spam lately is even more annoying. I also want to see a reduction of ISK seller spam in-game. It is the lesser of two evils. Now stop complaining or CCP will hit you harder than with only locking your thread. They do not do it for fun and to annoy people, really.

Valandril
Caldari
Ex-Mortis
Posted - 2009.07.23 14:07:00 - [10]
 

Originally by: Regat Kozovv
Originally by: Valandril
Originally by: Regat Kozovv
The goal is not to prevent robots or others from posting, but to slow it down and/or make the process costly enough that continued attempts are not worthwhile.
I'm starting my watch till first spampost arrive and i'm willing to bet that it will be within 5 hours rendering captcha obsolete.
Any takers ?




Bolding my quote.
I did read it, so all forum readers will now how to put up with captcha to have 5 hours of spam free forums ? Yay

CCP Navigator


C C P
C C P Alliance
Posted - 2009.07.23 14:36:00 - [11]
 

Valandril,

Everyone at CCP is dedicated to making our forums safe and to prevent key logging programs that can have an adverse effect on players, not only with the EVE logins but also other sensitive logins. The security of your information is paramount to us so we will investigate all options to prevent people from potentially doing you harm.

I appreciate that a Captcha can be inconvenient for players but we are introducing this measure for now while we investigate other permanent options.

It should also be noted that reposting locked threads is not permitted so this one will also be locked.


 
