----- Original Message ----- 
From: JimBeam
To: [email protected]
Sent: Sunday, June 10, 2007 1:00 PM
Subject: Re: [ITCENTER] Prevent Brute Force on the Login Page


Well, that's just your assumption that the attacker can't guess the captcha.
Remember, the captcha is displayed on your screen, and the answer is on your screen
too. Unlike a password, where the key is stored on the server.
========================================================
That is exactly where the security of a captcha lies: it is displayed on your screen as an
image, which means only a human can read that image, not a machine. BFA
is done by machines, so.. draw your own conclusion from that..




try reading this:
"Neural networks <http://en.wikipedia.org/wiki/Artificial_neural_network> have been used
with great success to defeat CAPTCHAs as they are generally indifferent to both
affine <http://en.wikipedia.org/wiki/Affine_transformation> and non-linear transformations.
As they learn by example rather than through explicit coding, with appropriate
tools <http://en.wikipedia.org/wiki/Neural_network_software> very limited technical
knowledge is required to defeat more complex CAPTCHAs."
(http://en.wikipedia.org/wiki/Captcha#Computer_character_recognition)
=======================================================
I have read it; in fact all of your references support my statement. Here is
what I quote from them:

"A CAPTCHA is a type of challenge-response test used in computing to 
determine whether the user is human. "CAPTCHA" is an acronym for "Completely 
Automated Public Turing test to tell Computers and Humans Apart", 
trademarked by Carnegie Mellon University. A CAPTCHA involves one computer 
(a server) which asks a user to complete a test. While the computer is able 
to generate and grade the test, it is not able to solve the test on its own. 
Because COMPUTERS ARE UNABLE to solve the CAPTCHA, any user entering a 
correct solution is presumed to be human."

It is clearly stated here that computers are unable to solve the captcha.



"A CAPTCHA system is an automated means of generating new challenges which 
current COMPUTERS ARE UNABLE to accurately solve, but most humans can solve 
[3]. A CAPTCHA does not rely on the attacker never having seen the given 
type of CAPTCHA before. For example, a checkbox "check here if you are not a 
bot" might serve to distinguish between humans and computers, it is not a 
CAPTCHA because it relies on the fact that an attacker has not spent effort 
to break that specific form. To be a CAPTCHA, a system must be able to 
automatically generate new challenges that require artificial intelligence 
techniques to solve."

Here it is explained that even if a computer/bot tries to guess the captcha, it only
gets one chance to guess, because the captcha always changes to a new one every
time it is loaded. Unlike a password, which does not change, so the computer
has many chances to guess. Only if the captcha never changed could the computer
guess it, and even then it would still be harder because it has to guess an image
rather than characters.



No matter how great those neural networks are, with something called a password it still
has to find the right key.
=====================================================
The same goes for a captcha: it has to be exact too. In fact a captcha is harder
because it is an image and always changes, whereas a password is a single word
that never changes and sits in the database. Remember, there are actually more
ways to break into a database!! via SQL injection, etc.



what I said: "using a captcha is not for preventing BFA"
it's as exact as mathematics, as exact as: 1+1=2.
it's still valid for the next 100 years.
====================================================
Not a single paragraph in your references concludes that.
Please show me, which part?



what you said: "a captcha can be used to prevent BFA"
it comes with the assumption that the machine can NEVER solve the captcha.
it comes with the assumption that today's machines cannot perform the
calculation quickly enough to get the right combination of:
possible keys of password * possible keys of captcha
(again, with the assumption that the machine can never solve the captcha).
====================================================
If your constraint is like this, there is no end to it. In theory there is indeed
no network that is 100% secure, but that doesn't mean there is no solution. If you
keep using that as the benchmark, you might as well have no security at all, since
it will be broken eventually anyway. Is that how you want to think?



now, you could say: "then I'll just design a captcha that machines will never be
able to break".
I can only ask: "how complex do you want the captcha to be?"
as it is, I have already guessed captchas wrong several times because the letter
shapes were unclear.
what if it's designed to be super complex?
=====================================================
No matter how complex a captcha is, in the end a human can read it, unless
you're illiterate :D and that is not in vain; it is better for a user to guess wrong
a few times as long as the system is protected from BFA. This is actually a good thing;
you just have to be more patient and look at the bright side. The bright side is:
if even you, a human, find it hard to read, all the more so a machine.


the complexity of a captcha has its limits. remember, a captcha is for distinguishing
humans from machines. if humans can't solve the captcha, then it's pointless,
isn't it?
====================================================
Once again, no matter how complex a captcha is, it must in the end be readable by a
human. That is an absolute requirement.



btw, mas Acho, personally I wouldn't dare store the captcha value in cookies.
===================================================
Who said I use cookies?? I use sessions. Please read it again. Never mind
sessions, I wouldn't even dare store it in the database the way you do; that is
a truly risky thing to do. That's why I said, first learn to build a captcha
properly.



> This Jeam Beam is so funny: I ask him a question and I'm told to go Google it;
> then when I Google it and get the proof that a captcha can be used against BFA,
> he says instead "I lose nothing if you don't believe me..." not much different
> from Ferry Setiawan who said "I'm just a dumb guy, sir.."
>
> so where did the argument you've been making all this time go...?? why, Jeam?
> hard to admit a mistake? grow up dude.. be a gentleman!

I don't need to comment on this one...
=================================================
Yes, it's best you don't comment; what would you answer anyway?



I have only one message:
you're welcome to attack my idea, but don't get personal. it would be an
ugly scene.
==============================================
Good advice; it would be even better if you applied it yourself.
To Syafril, for example. That would be more appropriate!!



I only started getting personal because Syafril started getting
personal.
=============================================
So there's an exception for yourself, then?? Unfair, dude..




if you look at what I wrote, not one bit of it touches on you
personally.
as for the intelligence thing, that was not aimed at you.
=============================================
It was clearly aimed at me; you were replying to my post, after all. Learn to
reply properly first.
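To make the point of the thread concrete: a login check where the captcha answer lives only in server-side session state (never in a cookie, never in the database), is regenerated on every load, and is consumed by every attempt, so that a bot gets exactly one guess per challenge and failed attempts are counted. This is an added example, not code from either poster; the Session class, the user store layout and the helper names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Alphabet without look-alike glyphs (0/O, 1/I) so humans can still read it.
CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

@dataclass
class Session:
    """Assumed server-side session state; nothing here is sent to the client."""
    captcha_answer: Optional[str] = None
    failed_logins: int = 0

def issue_captcha(session: Session, length: int = 6) -> str:
    """Create a fresh challenge; only the answer is kept, and only server-side.
    Rendering the answer into an image is out of scope for this example."""
    session.captcha_answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
    return session.captcha_answer

def make_password_record(password: str) -> bytes:
    """Salted PBKDF2 hash for the constructed user store (no plaintext passwords)."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_matches(record: bytes, password: str) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def check_login(session: Session, users: Dict[str, bytes],
                username: str, password: str, captcha_input: str) -> str:
    """Every attempt consumes the current captcha, right or wrong, so one solved
    challenge cannot be replayed across many password guesses."""
    expected = session.captcha_answer
    session.captcha_answer = None  # consumed before anything is checked
    if expected is None or not hmac.compare_digest(
            captcha_input.upper().encode(), expected.encode()):
        session.failed_logins += 1
        return "captcha_failed"
    record = users.get(username)
    if record is None or not password_matches(record, password):
        session.failed_logins += 1
        return "bad_credentials"
    session.failed_logins = 0
    return "ok"
```

The failed_logins counter is what a lockout or throttling rule would read; the captcha on its own only forces a fresh challenge per attempt.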





