Re: [PHP] MD5 bot Question

2007-04-11 Thread tedd

At 7:50 PM -0500 4/10/07, Richard Lynch wrote:

On Sun, April 8, 2007 11:12 am, tedd wrote:

 choose from. Unless, there is something here that I don't understand
 (which very well could be), I can't see how anyone, without massive
 computer resources, could break that.

 Am I wrong?


You are wrong.

The Tijnema! solution of memorizing every single image would fail.


Then I'm right, because that's what I was saying.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] MD5 bot Question

2007-04-11 Thread tedd

At 8:11 PM -0500 4/10/07, Richard Lynch wrote:

On Tue, April 10, 2007 7:47 am, tedd wrote:

 Your use of metaphor is quite colorful, but if you change a single
 pixel in an image, then you change the MD5 signature -- that is what
 I was talking about -- and that is not wrong.


Unless I look at enough images to figure out that you are just
changing N random pixels, and I construct a distance function to
compute how different image A is from image X, where I already know
X points up

http://php.net/imagecolorat

can be used to do exactly this.

In fact, I've done that to break a CAPTCHA that had random noise
pixels added to the text.

Actually, I was able to remove the noise first and then compute
distance function for character by character analysis of the text on
the image.

I do not understand why you are obsessing on the MD5 crack when it's
probably not the weapon that would be chosen, unless your CAPTCHA is
so lame that it's susceptible to an MD5 crack...

If it's not that lame, then the attacker just doesn't use an MD5
signature, and employs another technique.

Have we not been through this whole thread enough times already?


Apparently not enough times because, no offense, you missed the point.

We are not talking about how one could break this type of captcha, we 
were talking about how this captcha could be broken by a MD5 method 
and what steps could be taken to make it unbreakable by that method. 
It was a learning exercise as to the scope and use of MD5. That's it 
-- that's all. See the subject line.


If you want to talk about other ways to break this type of captcha, 
then please do. I am sure that I could learn a lot from you -- and I 
expect to do so.


But please don't infer that we are obsessing about a topic we are 
discussing; or that my work is lame when it was designed to test one 
point; or state that I'm wrong because you didn't understand what I 
said in context. That's not constructive nor right.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-11 Thread tedd

At 7:52 PM -0500 4/10/07, Richard Lynch wrote:

On Sun, April 8, 2007 11:26 am, tedd wrote:

 The way I figure it, in an image I have 72 dot per square inch -- so,
 in one square inch that's 5,184 places for me to store a 24 bit key.
 To me, that's a lot of places to hide my Easter egg -- is that not
 enough?


No.

If the egg is visible to a human, a computer program can be crafted to
see the egg as well.



Again. I am talking about MD5 and you're talking about something 
else. Please read.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-11 Thread tedd

At 8:36 PM -0500 4/10/07, Richard Lynch wrote:

 With millions of different images and more being added, it presents a
 considerable challenge to crack.


I think not...

You only have to find 10,000 people who hate MS and give each of them
200 unique images to identify.


Well actually, all one would need to do is to set up an asirra captcha 
and have people solve it. Then in the background tag which is cat/dog 
and store.


I estimate that one could easily identify 12 images in 20 seconds, 36 
per minute. As such, identification of two million pictures would 
take less than 1000 man hours.


So you are right -- it's not the formidable problem I thought.



For that matter, the images are coming from Petfinder, according to
their blurb...

How tough could it be to find the same bytes in an image in Petfinder
and then detect the cat or dog tag on their website -- assuming
they have categorized their Petfinder images by species/genus?


Good point.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-11 Thread Richard Lynch
On Wed, April 11, 2007 7:30 am, tedd wrote:
 At 7:50 PM -0500 4/10/07, Richard Lynch wrote:
On Sun, April 8, 2007 11:12 am, tedd wrote:
  choose from. Unless, there is something here that I don't
 understand
  (which very well could be), I can't see how anyone, without
 massive
  computer resources, could break that.

  Am I wrong?

You are wrong.

The Tijnema! solution of memorizing every single image would fail.

 Then I'm right, because that's what I was saying.

You're right that it can't be broken WITH THAT TECHNIQUE, which is not
what you actually typed...

You're wrong that it can be broken, without massive computer resources,
which is what you actually typed.

:-)

By all means, publish a bunch of different nifty CAPTCHAs and re-name
to Assira or whatever so you can claim to be doing something new and
different, but do not for an instant delude yourself that a
dedicated attack won't succeed no matter what you do.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-11 Thread Richard Lynch
On Wed, April 11, 2007 8:09 am, tedd wrote:
 -- that's all. See the subject line.

I'm sorry that I thought the thread had spilled over beyond the scope
of the Subject.

Since we rarely do that here in PHP General, I should have known better.

:-)

I don't think your work is lame

I think it's lame to say it can't be broken without massive computer
resources.

And, actually, even with the MD5 technique...

An MD5 is 32 bytes.

2 million images, sauteed down to 32 bytes each, is 64 Meg, plus some
DB overhead.

Plus an index on the MD5 field, for speed, but that cannot exceed the
original 64Meg, almost-for-sure.

So, a machine with 128 Meg DB is massive resources?

I think not.

True, you would use a lot of bandwidth and time to compute the MD5
hashes.

But what do you think zombie bot Windows computers are for?

This is an IDEAL problem-space for massive parallel computation,
distributed across as many machines as a Bad Guy can control.

So the massive computing resources turns out to be readily
available cracked Windows boxes, if you even need it, which I doubt.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread tedd

At 8:10 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:

 At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
 On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
 
This is exactly what tedd did in his last arrow example. He edited the
   header of the GIF image, and so that would result in different MD5.
 
   Finding this part and skipping it in the MD5 check would do the job. :)
 
 Yep, that's an obvious solution since it's the same way virus signatures

  are matched. The entire image needs some kind of permutation. Passing a
  couple of curved ripples across the image as a transformation, and in

 different directions should suffice to obfuscate the image signature

  without obfuscating the image itself :) Similarly watermarking the image
  using fractal patterns should also provide good noise.

 
 Cheers,
 Rob.

 Rob:

 It doesn't need to be complicated, just random placed pixels on the
 image from a selection of colors would provide millions of
 permutations.


No, you're wrong. Read the part I mentioned about virus
signatures. A small portion of the whole can be used as an identifier
where that portion is unique to the overall entity. For instance, I can
throw a tub of tar over you, then a tub of feathers ;) ;) and if one of
your fingers doesn't get covered, I can still identify your chicken
ass ;)

Cheers,
Rob.


Rob:

Your use of metaphor is quite colorful, but if you change a single 
pixel in an image, then you change the MD5 signature -- that is what 
I was talking about -- and that is not wrong.


Plus, if you:

[A] Passing a couple of curved ripples across the image as a 
transformation, and in different directions should suffice to 
obfuscate the image signature without obfuscating the image itself


or

[B] Similarly watermarking the image using fractal patterns should 
also provide good noise.


You would still leave at least one pixel the same as it was before so 
your chicken ass would still be exposed, right? Or does your 
ripple/watermark application alter every pixel by changing its alpha 
channel or something?


And if so, then why is it that you are required to change every 
pixel? I am sure that there are images that have at least one pixel 
in common, so I don't see the point you're trying to make -- please 
explain.


Cheers,

tedd








--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-10 Thread Ólafur Waage

You were talking about an OCR reader for the arrows to see what letters it
is pointing to. If the arrow would be at a random location in the actual
image, the arrow being not an arrow but ie. a man pointing and the arm being
flexible (so even if the man himself would move around randomly, the arm
would always face the right direction for the image.

I like the idea of a pointing arrow, it could be quick, pretty effective
(not 100% since nothing is) and easy for the user to identify.

If there was a miniature version of this available, i would use it on my
site. Since i hate the text versions.

- Olafur W

2007/4/10, tedd [EMAIL PROTECTED]:


At 8:10 PM -0400 4/9/07, Robert Cummings wrote:
On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:
  At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
  On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
  
 This is exactly what tedd did in his last arrow example. He
edited the
header of the GIF image, and so that would result in different
MD5.
  
Finding this part and skipping it in the MD5 check would do the
job. :)
  
  Yep, that's an obvious solution since it's the same way virus
signatures
   are matched. The entire image needs some kind of permutation.
Passing a
   couple of curved ripples across the image as a transformation, and
in
  different directions should suffice to obfuscate the image signature
   without obfuscating the image itself :) Similarly watermarking the
image
   using fractal patterns should also provide good noise.
  
  Cheers,
  Rob.

  Rob:

  It doesn't need to be complicated, just random placed pixels on the
  image from a selection of colors would provide millions of
  permutations.

No, you're wrong. Read the part I mentioned about virus
signatures. A small portion of the whole can be used as an identifier
where that portion is unique to the overall entity. For instance, I can
throw a tub of tar over you, then a tub of feathers ;) ;) and if one of
your fingers doesn't get covered, I can still identify your chicken
ass ;)

Cheers,
Rob.

Rob:

Your use of metaphor is quite colorful, but if you change a single
pixel in an image, then you change the MD5 signature -- that is what
I was talking about -- and that is not wrong.

Plus, if you:

[A] Passing a couple of curved ripples across the image as a
transformation, and in different directions should suffice to
obfuscate the image signature without obfuscating the image itself

or

[B] Similarly watermarking the image using fractal patterns should
also provide good noise.

You would still leave at least one pixel the same as it was before so
your chicken ass would still be exposed, right? Or does your
ripple/watermark application alter every pixel by changing its alpha
channel or something?

And if so, then why is it that you are required to change every
pixel? I am sure that there are images that have at least one pixel
in common, so I don't see the point you're trying to make -- please
explain.

Cheers,

tedd








--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com





Re: [PHP] MD5 bot Question

2007-04-10 Thread tedd

At 10:46 PM +0100 4/9/07, Tijnema ! wrote:

On 4/9/07, tedd [EMAIL PROTECTED] wrote:

It doesn't need to be complicated, just random placed pixels on the
image from a selection of colors would provide millions of
permutations.

Cheers,

tedd


But then OCR would still work, as when somebody scans a document,
there are also some not white pixels.

Tijnema


Tijnema:

An OCR is an Optical Character Reader -- its design is to recognize 
characters (A-Z 0-9), not images.


That's the reason why I previously used the term OCR-like 
application -- meaning that it would be designed/programmed to see 
the differences between images and then make a decision as to what to 
do. That requires more effort than an OCR program.


Add to that, that every image could present a new problem to decipher 
and you have the makings of a formidable deterrent. That's what 
asirra is all about, see:


http://www.asirra.com/examples/ExampleService.html

With millions of different images and more being added, it presents a 
considerable challenge to crack.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-10 Thread tedd

At 12:55 PM + 4/10/07, Ólafur Waage wrote:

You were talking about an OCR reader for the arrows to see what letters it
is pointing to. If the arrow would be at a random location in the actual
image, the arrow being not an arrow but ie. a man pointing and the arm being
flexible (so even if the man himself would move around randomly, the arm
would always face the right direction for the image.

I like the idea of a pointing arrow, it could be quick, pretty effective
(not 100% since nothing is) and easy for the user to identify.

If there was a miniature version of this available, i would use it on my
site. Since i hate the text versions.

- Olafur W



Olafur:

I don't have a miniature version yet, but that's 
not a real problem because it's simply changing 
the css file.


If you want the code as-is just ask.

http://sperling.com/a/arrows/

Otherwise, I will eventually have it on my site 
as a style of visual captcha and will have this 
audio version as well:


http://sperling.com/examples/captcha/index.php

My intent is to provide several different types of captchas for public use.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-10 Thread Robert Cummings
On Tue, 2007-04-10 at 08:47 -0400, tedd wrote:
 At 8:10 PM -0400 4/9/07, Robert Cummings wrote:
 On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:
   At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
   On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
   
  This is exactly what tedd did in his last arrow example. He edited 
  the
 header of the GIF image, and so that would result in different MD5.
   
 Finding this part and skipping it in the MD5 check would do the job. 
  :)
   
   Yep, that's an obvious solution since it's the same way virus signatures
are matched. The entire image needs some kind of permutation. Passing a
couple of curved ripples across the image as a transformation, and in
   different directions should suffice to obfuscate the image signature
without obfuscating the image itself :) Similarly watermarking the image
using fractal patterns should also provide good noise.
   
   Cheers,
   Rob.
 
   Rob:
 
   It doesn't need to be complicated, just random placed pixels on the
   image from a selection of colors would provide millions of
   permutations.
 
 No, you're wrong. Read the part I mentioned about virus
 signatures. A small portion of the whole can be used as an identifier
 where that portion is unique to the overall entity. For instance, I can
 throw a tub of tar over you, then a tub of feathers ;) ;) and if one of
 your fingers doesn't get covered, I can still identify your chicken
 ass ;)
 
 Cheers,
 Rob.
 
 Rob:
 
 Your use of metaphor is quite colorful, but if you change a single 
 pixel in an image, then you change the MD5 signature -- that is what 
 I was talking about -- and that is not wrong.

Yes but you completely missed the point of my metaphor :) The point is,
I can take an md5 signature of a subset of the image's pixels and still
identify it if the subset is representative (this is the point about
still ID'ing someone with their finger print despite the rest of them
being tarred and feathered :) This is how many virus detection systems
work. They find a single portion of virus' binary program that is
representative and can use it as a search within other binaries to
detect the presence of the virus. So if you only change a few pixels,
there is a high likelihood of a subset set md5 signature still being
recognized.

 
 Plus, if you:
 
 [A] Passing a couple of curved ripples across the image as a 
 transformation, and in different directions should suffice to 
 obfuscate the image signature without obfuscating the image itself
 
 or
 
 [B] Similarly watermarking the image using fractal patterns should 
 also provide good noise.
 
 You would still leave at least one pixel the same as it was before so 
 your chicken ass would still be exposed, right? Or does your 
 ripple/watermark application alter every pixel by changing its alpha 
 channel or something?

These would alter every pixel, without generally affecting a human's
perception of the object... this is the point since now subset of the
images pixels would be representative.

 And if so, then why is it that you are required to change every 
 pixel? I am sure that there are images that have at least one pixel 
 in common, so I don't see the point you're trying to make -- please 
 explain.

Explanation above :)

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] MD5 bot Question

2007-04-10 Thread Robert Cummings
On Tue, 2007-04-10 at 13:13 -0400, Robert Cummings wrote:
 On Tue, 2007-04-10 at 08:47 -0400, tedd wrote:
  
  Rob:
  
  Your use of metaphor is quite colorful, but if you change a single 
  pixel in an image, then you change the MD5 signature -- that is what 
  I was talking about -- and that is not wrong.
 
 Yes but you completely missed the point of my metaphor :) The point is,
 I can take an md5 signature of a subset of the image's pixels and still
 identify it if the subset is representative (this is the point about
 still ID'ing someone with their finger print despite the rest of them
 being tarred and feathered :) This is how many virus detection systems
 work. They find a single portion of virus' binary program that is
 representative and can use it as a search within other binaries to
 detect the presence of the virus. So if you only change a few pixels,
 there is a high likelihood of a subset set md5 signature still being
 recognized.
 
  
  Plus, if you:
  
  [A] Passing a couple of curved ripples across the image as a 
  transformation, and in different directions should suffice to 
  obfuscate the image signature without obfuscating the image itself
  
  or
  
  [B] Similarly watermarking the image using fractal patterns should 
  also provide good noise.
  
  You would still leave at least one pixel the same as it was before so 
  your chicken ass would still be exposed, right? Or does your 
  ripple/watermark application alter every pixel by changing its alpha 
  channel or something?
 
 These would alter every pixel, without generally affecting a human's
 perception of the object... this is the point since now subset of the

That should have read: ... since no subset of...

 images pixels would be representative.
 
  And if so, then why is it that you are required to change every 
  pixel? I am sure that there are images that have at least one pixel 
  in common, so I don't see the point you're trying to make -- please 
  explain.
 
 Explanation above :)
 
 Cheers,
 Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] MD5 bot Question

2007-04-10 Thread tedd

At 1:17 PM -0400 4/10/07, Robert Cummings wrote:

-snip-

That should have read: ... since no subset of...


Oh well, now it makes sense ! :-)

Actually, I see exactly what you are saying. If you take a small 
portion of a file and MD5 it, it will give you a signature. If I 
simply change a single pixel in the image and that pixel is NOT 
included in the small portion you use for your MD5, then the MD5 
check will return the same signature as before the alteration.


However, if your portion includes the pixel change, then the 
resultant MD5 will be different. That's the reason why you need to 
alter a significant portion of the image so that smaller portions 
will probably contain some alteration.


Thanks for explaining that.

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-10 Thread Tijnema !

On 4/10/07, tedd [EMAIL PROTECTED] wrote:

At 1:17 PM -0400 4/10/07, Robert Cummings wrote:
-snip-

That should have read: ... since no subset of...

Oh well, now it makes sense ! :-)

Actually, I see exactly what you are saying. If you take a small
portion of a file and MD5 it, it will give you a signature. If I
simply change a single pixel in the image and that pixel is NOT
included in the small portion you use for your MD5, then the MD5
check will return the same signature as before the alteration.

However, if your portion includes the pixel change, then the
resultant MD5 will be different. That's the reason why you need to
alter a significant portion of the image so that smaller portions
will probably contain some alteration.

Thanks for explaining that.

tedd


That just means that you should store about 10-20 MD5 summed parts,
and then take the same 10-20 parts (and MD5 sum) and compare, and if a
few (or maybe just 1) match, then you know it's same image :)

Tijnema











Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
You only have 9 arrows.

How tricky can it be to detect which of the 9 images you are displaying?

Even if the URL is the same every time, it's a no-brainer to use OCR
to detect which array is there.

How many variations on this theme are we going to go through?

On Sat, April 7, 2007 10:59 am, tedd wrote:
 At 11:56 PM +0100 4/6/07, Tijnema ! wrote:
On 4/6/07, tedd [EMAIL PROTECTED] wrote:
At 2:55 PM +0100 4/6/07, Tijnema ! wrote:
I know, but animated gifs are still quite easy to read with a bot.

Really?

What if I a created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where E is located I have a gif (animated or not)
 pointing
to a letter, which would be the key. How would a bot read that?

Cheers,

tedd

Assuming you're using the same arrow the whole time, you could use
 md5
check for example. Save MD5 for all directions of the arrow and
compare :)


 Tijnema:

 Okay, here's an example:

 http://sperling.com/a/arrows/

 How would someone MD5 that?

 Furthermore, how would a bot decipher anything different from that?
  From my perspective, no matter which way the arrow is pointing, the
 code remains the same. The only thing that changes is the arrow and a
 screen reader would have to be programmed to recognize the change --
 am I wrong?

 Cheers,

 tedd

 --
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com





-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Sat, April 7, 2007 7:02 pm, Jim Lucas wrote:
 This would make things almost impossible for a computer to see, but
 the chances of a human screwing
 it up would be almost impossible.

Sigh.

Look.

If a HUMAN can see the difference, then a program can be written to
detect the difference.

This stopped being rocket science a couple decades ago when AI
researchers started doing optical recognition in the field, with 98%
success rates.

Think of it this way:

You know how a barcode reader works?  All I have to do is write a
custom barcode reader that works for your images.

Game Over.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Sun, April 8, 2007 7:48 am, Robert Cummings wrote:
 On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:
 indeed. i was just throwing out the idea of ever changing values.

 Except IP addresses aren't ever changing ;)

Unless the visitor is on AOL.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Sun, April 8, 2007 11:12 am, tedd wrote:
 choose from. Unless, there is something here that I don't understand
 (which very well could be), I can't see how anyone, without massive
 computer resources, could break that.

 Am I wrong?

You are wrong.

The Tijnema! solution of memorizing every single image would fail.

The attacker would then simply switch to another technique, of
recognizing the image as an image, rather than as a random
collection of bytes to be memorized.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Sun, April 8, 2007 11:26 am, tedd wrote:
 The way I figure it, in an image I have 72 dot per square inch -- so,
 in one square inch that's 5,184 places for me to store a 24 bit key.
 To me, that's a lot of places to hide my Easter egg -- is that not
 enough?

No.

If the egg is visible to a human, a computer program can be crafted to
see the egg as well.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Sun, April 8, 2007 11:46 am, Jochem Maas wrote:
 in theory it's all crackable - but somewhere along the line the
 problem becomes
 too hard to make it worth the effort to try (unless you're securing Fort
 Knox or something)

In REALITY, 99.9% of the Bad Guys will be kept out by *ANY*
CAPTCHA/defense no matter how lame it seems.

In REALITY, if you are guarding Fort Knox, then a CAPTCHA is the wrong
way to go, for a total solution, as it can be cracked by a determined
individual.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Tue, April 10, 2007 7:47 am, tedd wrote:
 Your use of metaphor is quite colorful, but if you change a single
 pixel in an image, then you change the MD5 signature -- that is what
 I was talking about -- and that is not wrong.

Unless I look at enough images to figure out that you are just
changing N random pixels, and I construct a distance function to
compute how different image A is from image X, where I already know
X points up

http://php.net/imagecolorat

can be used to do exactly this.

In fact, I've done that to break a CAPTCHA that had random noise
pixels added to the text.

Actually, I was able to remove the noise first and then compute
distance function for character by character analysis of the text on
the image.

I do not understand why you are obsessing on the MD5 crack when it's
probably not the weapon that would be chosen, unless your CAPTCHA is
so lame that it's susceptible to an MD5 crack...

If it's not that lame, then the attacker just doesn't use an MD5
signature, and employs another technique.

Have we not been through this whole thread enough times already?

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
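
Added example (not part of any post in this thread): the Python sketch below lets a CAPTCHA author test their own images against the three ideas discussed above, namely a whole-file MD5, the MD5s of image parts that Robert and Tijnema describe, and the distance function Richard describes. The 32x32 arrow images, the 8x8 tile size and all function names are constructed for illustration; `perturb_all` is a crude stand-in for the ripple/watermark transforms, not an implementation of them.

```python
import hashlib
import random

W = H = 32   # constructed toy image, one byte per pixel
TILE = 8     # image is split into a 4 x 4 grid of 8x8 tiles
DIRS = {"up": (0, -1), "down": (0, 1), "left": (-1, 0), "right": (1, 0)}


def make_arrow(direction):
    """Constructed stand-in for one static CAPTCHA image: a 3-pixel-wide bar."""
    dx, dy = DIRS[direction]
    img = bytearray(W * H)
    for i in range(15):
        for t in (-1, 0, 1):
            x = W // 2 + dx * i + t * abs(dy)
            y = H // 2 + dy * i + t * abs(dx)
            img[y * W + x] = 255
    return bytes(img)


def whole_md5(img):
    return hashlib.md5(img).hexdigest()


def tile_md5s(img):
    """One MD5 per tile: the 'MD5 of a subset of the pixels' idea."""
    out = []
    for ty in range(0, H, TILE):
        for tx in range(0, W, TILE):
            rows = (img[(ty + r) * W + tx:(ty + r) * W + tx + TILE]
                    for r in range(TILE))
            out.append(hashlib.md5(b"".join(rows)).hexdigest())
    return out


def matching_tiles(a, b):
    """Number of tile positions whose MD5 is identical in both images."""
    return sum(x == y for x, y in zip(tile_md5s(a), tile_md5s(b)))


def sparse_noise(img, n, rng):
    """Change n randomly placed pixels (the 'random placed pixels' defence)."""
    out = bytearray(img)
    for pos in rng.sample(range(W * H), n):
        out[pos] = (out[pos] + rng.randrange(1, 256)) % 256
    return bytes(out)


def perturb_all(img, amp, rng):
    """Nudge every pixel by 1..amp grey levels so that no tile stays identical."""
    return bytes(p + rng.randint(1, amp) if p < 128 else p - rng.randint(1, amp)
                 for p in img)


def distance(a, b):
    """Sum of absolute per-pixel differences between two images."""
    return sum(abs(x - y) for x, y in zip(a, b))


def best_by_tiles(img, templates):
    """Known image sharing the most tile hashes with img, and that count."""
    score, name = max((matching_tiles(img, t), d) for d, t in templates.items())
    return name, score


def nearest(img, templates):
    """Known image with the smallest pixel distance to img."""
    return min(templates, key=lambda d: distance(img, templates[d]))


def evaluate(seed=1):
    rng = random.Random(seed)
    templates = {d: make_arrow(d) for d in DIRS}
    up = templates["up"]
    one = sparse_noise(up, 1, rng)     # a single changed pixel
    few = sparse_noise(up, 5, rng)     # a handful of random pixels
    every = perturb_all(up, 20, rng)   # every pixel altered slightly
    return {
        "whole_md5_survives_one_pixel": whole_md5(one) == whole_md5(up),
        "tiles_matching_after_one_pixel": matching_tiles(one, up),
        "tile_lookup_after_5_pixels": best_by_tiles(few, templates),
        "tiles_matching_after_every_pixel": matching_tiles(every, up),
        "distance_lookup_after_every_pixel": nearest(every, templates),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

On this constructed data, one changed pixel breaks the whole-file MD5 but leaves 15 of the 16 tile hashes intact, and five random pixels still leave enough matching tiles to pick out the right arrow. Nudging every pixel leaves no tile hash intact, yet the distance lookup still returns "up".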




Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
A) 2 million MD5s is chump-change.
B) Telling a cat from a dog is probably a homework exercise for AI
Vision grad students.

On Mon, April 9, 2007 3:35 pm, tedd wrote:
 At 1:04 PM -0400 4/9/07, Robert Cummings wrote:
On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
  We were talking about M$'s picture captcha where they show pictures
  and ask a question like "Pick the picture that shows a kitty" and NOT
  an on the fly graphic captcha. There are different types of captchas.

Ah, I see. I was too lazy to go check since I don't use Microsoft except
insofar as to make things work in their crappy browser. Either way, can
you verify the images are static? See if getting two kitty cats produces
the same md5 signature :) Just because it's a picture doesn't invalidate
what I said.


 I'm not out to validate, or invalidate, what you said. I'm just
 making the point that a finite number of pictures is different than
 an almost infinite number of on the fly generated graphic images.

 The new captcha M$ is trying, is to use pictures of objects and
 have the user identify which are cat pictures, like so:

 http://research.microsoft.com/asirra/

 The web site states that it has over two million pictures of cats and
 dogs. This captcha requires that you simply select ALL the cat
 photos leaving the dog photos unchecked. After doing so, it checks
 your score to allow entry.

 This one is different than the first one I saw, which presented only
 one cat picture in several dog pictures -- I think I could break
 that. But, this one is more difficult.

 Cheers,

 tedd



Re: [PHP] MD5 bot Question

2007-04-10 Thread Richard Lynch
On Tue, April 10, 2007 8:01 am, tedd wrote:
 An OCR is an Optical Character Reader -- its design is to recognize
 characters (A-Z 0-9), not images.

 That's the reason why I previously used the term OCR-like
 application -- meaning that it would be designed/programmed to see
 the differences between images and then make a decision as to what to
 do. That requires more effort than an OCR program.

It requires more or less effort depending on the problem space and
how well the computer has to see the image...

I'm sure there are simple and harder OCR-like problems.

 Add to that, that every image could present a new problem to decipher
 and you have the makings of a formidable deterrent. That's what
 asirra is all about, see:

 http://www.asirra.com/examples/ExampleService.html

 With millions of different images and more being added, it presents a
 considerable challenge to crack.

I think not...

You only have to find 10,000 people who hate MS and give each of them
200 unique images to identify.

For that matter, the images are coming from Petfinder, according to
their blurb...

How tough could it be to find the same bytes in an image in Petfinder
and then detect the cat or dog tag on their website -- assuming
they have categorized their Petfinder images by species/genus?

Methinks a dedicated cracker could defeat this in very short order.




Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, tedd [EMAIL PROTECTED] wrote:

At 4:38 AM -0700 4/8/07, benifactor wrote:
hmm, why don't you md5 more than once..

I read somewhere that MD5'ing anything more than once, does not
increase security.

Cheers,

tedd


Not in this case, as it isn't about decrypting the key here,
that's impossible with MD5, you can only bruteforce. But that's
totally not of interest, a cracker doesn't want to implement an MD5
bruteforcer in his bot that brute forces the MD5 key each time (which
can take up to several years to complete on regular PCs).

Tijnema




Re: [PHP] MD5 bot Question

2007-04-09 Thread Micky Hulse

Tijnema ! wrote:

You can't stop me :)
http://86.86.80.41/dev/debug/tedd.php
It's cracked again :)


Maybe use flash for this... harder to crack? (Of course, Flash will open 
door to other problems.)


Sorry, coming in on this late. Good work Tedd! Very interesting.

M

--
Wishlists: http://snipurl.com/vrs9
   Switch: http://browsehappy.com/
 BCC?: http://snipurl.com/w6f8
   My: http://del.icio.us/mhulse




Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
Maybe use flash for this... harder to crack? (Of course, Flash will 
open door to other problems.)


Sorry, coming in on this late. Good work Tedd! Very interesting.



M:

Tijnema showed how MD5 could be used to identify an image file and 
crack my arrow captcha. That's really what this thread was about. I 
finally came up with enough variations to make it impractical.


However, this did make me wonder about the images that M$ and others 
are using for captchas -- like find the kitty in a set of pictures. 
The MD5 application could be used to identify as many pictures as any 
spammer would need. So, I think MD5 method, as described in this 
thread, would work very well to crack those type of captchas.


As for Flash, the only problems it presents is IF it's installed, or 
not. But, it has pretty good saturation. Of course, the major problem 
with Flash, and all this thread, is that visually impaired users 
can't use graphic images unless some other information accompanies it 
-- that's the reason for the alt attribute.


Thanks,

tedd




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
 At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
 Maybe use flash for this... harder to crack? (Of course, Flash will 
 open door to other problems.)
 
 Sorry, coming in on this late. Good work Tedd! Very interesting.
 
 
 M:
 
 Tijnema showed how MD5 could be used to identify an image file and 
 crack my arrow captcha. That's really what this thread was about. I 
 finally came up with enough variations to make it impractical.
 
 However, this did make me wonder about the images that M$ and others 
 are using for captchas -- like find the kitty in a set of pictures. 
 The MD5 application could be used to identify as many pictures as any 
 spammer would need. So, I think MD5 method, as described in this 
 thread, would work very well to crack those type of captchas.

I doubt Microsoft is using a static image repository for captchas.

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 8:49 AM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:

 At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
 Maybe use flash for this... harder to crack? (Of course, Flash will
 open door to other problems.)
 
 Sorry, coming in on this late. Good work Tedd! Very interesting.


 M:

 Tijnema showed how MD5 could be used to identify an image file and
 crack my arrow captcha. That's really what this thread was about. I
 finally came up with enough variations to make it impractical.

 However, this did make me wonder about the images that M$ and others
 are using for captchas -- like find the kitty in a set of pictures.
 The MD5 application could be used to identify as many pictures as any
 spammer would need. So, I think MD5 method, as described in this
 thread, would work very well to crack those type of captchas.


I doubt Microsoft is using a static image repository for captchas.

Cheers,
Rob.


I doubt that their image repository is infinite.

Plus, I envision a method where a bot could:

1. Scan the site, gather the images and key phrase.

2. MD5 the images.

3. Place all the MD5's with the associated key phrase in a dB.

4. Refresh and repeat.

With repeated refreshes (not attempts at trying to enter), the key 
phrases associated with the MD5's will build and the bot will learn.


It works like this -- the phrase "find the kitty" or key word "kitty"
will always be associated with the picture of the kitty WHEN "kitty"
is the solution. All other key phrases/words associated with the
kitty picture will eventually stack out as just being background noise
as data is gathered.


As such, a bot could have a foundation at making an intelligent 
guess. Also, every guess (successful or not) provides even more data 
to be considered. The more data gathered, the better the guess.


Cheers,

tedd




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
 At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
 On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
   At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
   Maybe use flash for this... harder to crack? (Of course, Flash will
   open door to other problems.)
   
   Sorry, coming in on this late. Good work Tedd! Very interesting.
 
 
   M:
 
   Tijnema showed how MD5 could be used to identify an image file and
   crack my arrow captcha. That's really what this thread was about. I
   finally came up with enough variations to make it impractical.
 
   However, this did make me wonder about the images that M$ and others
   are using for captchas -- like find the kitty in a set of pictures.
   The MD5 application could be used to identify as many pictures as any
   spammer would need. So, I think MD5 method, as described in this
   thread, would work very well to crack those type of captchas.
 
 I doubt Microsoft is using a static image repository for captchas.
 
 Cheers,
 Rob.
 
 I doubt that their image repository is infinite.

 Plus, I envision a method where a bot could:
 
 1. Scan the site, gather the images and key phrase.
 
 2. MD5 the images.
 
 3. Place all the MD5's with the associated key phrase in a dB.
 
 4. Refresh and repeat.
 
 With repeated refreshes (not attempts at trying to enter), the key 
 phrases associated with the MD5's will build and the bot will learn.
 
 It works like this -- the phrase "find the kitty" or key word "kitty"
 will always be associated with the picture of the kitty WHEN "kitty"
 is the solution. All other key phrases/words associated with the
 kitty picture will eventually stack out as just being background noise
 as data is gathered.
 
 As such, a bot could have a foundation at making an intelligent 
 guess. Also, every guess (successful or not) provides even more data 
 to be considered. The more data gathered, the better the guess.

Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:

On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
 At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
 On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
   At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
   Maybe use flash for this... harder to crack? (Of course, Flash will
   open door to other problems.)
   
   Sorry, coming in on this late. Good work Tedd! Very interesting.
 
 
   M:
 
   Tijnema showed how MD5 could be used to identify an image file and
   crack my arrow captcha. That's really what this thread was about. I
   finally came up with enough variations to make it impractical.
 
   However, this did make me wonder about the images that M$ and others
   are using for captchas -- like find the kitty in a set of pictures.
   The MD5 application could be used to identify as many pictures as any
   spammer would need. So, I think MD5 method, as described in this
   thread, would work very well to crack those type of captchas.
 
 I doubt Microsoft is using a static image repository for captchas.
 
 Cheers,
 Rob.

 I doubt that their image repository is infinite.

 Plus, I envision a method where a bot could:

 1. Scan the site, gather the images and key phrase.

 2. MD5 the images.

 3. Place all the MD5's with the associated key phrase in a dB.

 4. Refresh and repeat.

 With repeated refreshes (not attempts at trying to enter), the key
 phrases associated with the MD5's will build and the bot will learn.

 It works like this -- the phrase "find the kitty" or key word "kitty"
 will always be associated with the picture of the kitty WHEN "kitty"
 is the solution. All other key phrases/words associated with the
 kitty picture will eventually stack out as just being background noise
 as data is gathered.

 As such, a bot could have a foundation at making an intelligent
 guess. Also, every guess (successful or not) provides even more data
 to be considered. The more data gathered, the better the guess.

Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.


And then not to mention that md5 has a limitation, and that there
probably would be 2 different images, with the same MD5...

Using MD5 on the normal "write the key" CAPTCHAs isn't gonna work,
they are mostly generated on the fly, and even if they weren't, then
there are probably a lot of solutions, and not just 8 that I had with your
arrow captcha.

Those "write the key" CAPTCHAs are the best crackable with an OCR
reader. But that's why they are so transformed these days. So that
requires extra steps to make it readable.

I think that we can conclude that a non-crackable CAPTCHA doesn't
exist, but also that there doesn't exist a real hard to crack
CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
in some cases, but only if the CAPTCHA uses static
images/audio/video/etc. Just about your Audio CAPTCHA, you could use
MD5 to crack it, as the number has the same MD5 sum each time.

Tijnema




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:

 I think that we can conclude that a non-crackable CAPTCHA doesn't
 exist, but also that there doesn't exist a real hard to crack
 CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
 in some cases, but only if the CAPTCHA uses static
 images/audio/video/etc. Just about your Audio CAPTCHA, you could use
 MD5 to crack it, as the number has the same MD5 sum each time.

Similar methods could be applied to sound as to images to distort the
sound enough to make it difficult for speech recognition software to
understand, but not so much that real humans couldn't understand it. At
any rate, it could be enough to prevent md5 indexing... but then again,
that would require the audio be mutated on each request, and enough
audio be mutated to prevent md5 indexing based on partial signatures --
similar to how viruses are detected - this is especially important if
using dictionary words since the sample space is so small (could always
use sentences though) :)

Cheers,
Rob.
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
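
The "partial signatures" caveat in the message above, as an added example that is not part of the thread: it checks whether a mutated clip still shares fixed-size block hashes with the original even though its whole-file MD5 has changed. The clip is a constructed PCM tone sweep, and the 256-byte block size and all function names are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Pure PHP, no extensions needed.
// The "audio" is a constructed 16-bit PCM sweep, not a real CAPTCHA clip.

const BLOCK_BYTES = 256;  // block size used for partial signatures (assumption)

/** Build one second of mono 16-bit little-endian PCM at 8 kHz (rising tone). */
function make_clip()
{
    $pcm = '';
    for ($n = 0; $n < 8000; $n++) {
        $freq   = 300 + 0.05 * $n;  // rising pitch, so blocks do not simply repeat
        $sample = (int) round(12000 * sin(2 * M_PI * $freq * $n / 8000));
        $pcm   .= pack('v', $sample & 0xFFFF);
    }
    return $pcm;
}

/** Mutation A: overwrite only the first $length bytes with random bytes. */
function mutate_prefix($pcm, $length)
{
    $noise = '';
    for ($i = 0; $i < $length; $i++) {
        $noise .= chr(mt_rand(0, 255));
    }
    return $noise . substr($pcm, $length);
}

/** Mutation B: add a small random offset to every sample in the clip. */
function mutate_all($pcm, $amplitude)
{
    $out = '';
    foreach (unpack('v*', $pcm) as $unsigned) {
        $signed = $unsigned >= 0x8000 ? $unsigned - 0x10000 : $unsigned;
        $signed = max(-32768, min(32767, $signed + mt_rand(-$amplitude, $amplitude)));
        $out   .= pack('v', $signed & 0xFFFF);
    }
    return $out;
}

/** MD5 of each fixed-size block: the "partial signatures" of a file. */
function block_hashes($bytes)
{
    return array_map('md5', str_split($bytes, BLOCK_BYTES));
}

/** Fraction of the variant's blocks whose hash also occurs in the original. */
function shared_block_ratio($original, $variant)
{
    $known  = array_flip(block_hashes($original));
    $blocks = block_hashes($variant);
    $hits   = 0;
    foreach ($blocks as $hash) {
        if (isset($known[$hash])) {
            $hits++;
        }
    }
    return $hits / count($blocks);
}

/** Compare whole-file and per-block matching for both mutation strategies. */
function audit_clip()
{
    mt_srand(2007);  // fixed seed so the report is reproducible
    $clip     = make_clip();
    $variants = [
        'first 512 bytes rewritten' => mutate_prefix($clip, 512),
        'every sample dithered'     => mutate_all($clip, 3),
    ];
    $report = [];
    foreach ($variants as $name => $variant) {
        $report[$name] = [
            'whole_file_md5_changed' => md5($variant) !== md5($clip),
            'blocks_still_matching'  => round(shared_block_ratio($clip, $variant), 3),
        ];
    }
    return $report;
}

var_export(audit_clip());
```

Both variants change the whole-file MD5, but only the one that touches every sample removes the matching blocks; fixed-offset blocks are the simplest form of partial signature, so a clip that passes this check is not thereby safe against other matching methods.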



Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:

On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:

 I think that we can conclude that a non-crackable CAPTCHA doesn't
 exist, but also that there doesn't exist a real hard to crack
 CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
 in some cases, but only if the CAPTCHA uses static
 images/audio/video/etc. Just about your Audio CAPTCHA, you could use
 MD5 to crack it, as the number has the same MD5 sum each time.

Similar methods could be applied to sound as to images to distort the
sound enough to make it difficult for speech recognition software to
understand, but not so much that real humans couldn't understand it. At
any rate, it could be enough to prevent md5 indexing... but then again,
that would require the audio be mutated on each request, and enough
audio be mutated to prevent md5 indexing based on partial signatures --
similar to how viruses are detected - this is especially important if
using dictionary words since the sample space is so small (could always
use sentences though) :)

Cheers,
Rob.


But well, you can't have an audio-only CAPTCHA on your site, a lot of
people don't have speakers on their PC. And some people can't
recognize English numbers...
So then you have a "write the key" CAPTCHA or similar on your site,
and the cracker would use that :)

Tijnema




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
 On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
  On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
  
   I think that we can conclude that a non-crackable CAPTCHA doesn't
   exist, but also that there doesn't exist a real hard to crack
   CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
   in some cases, but only if the CAPTCHA uses static
   images/audio/video/etc. Just about your Audio CAPTCHA, you could use
   MD5 to crack it, as the number has the same MD5 sum each time.
 
  Similar methods could be applied to sound as to images to distort the
  sound enough to make it difficult for speech recognition software to
  understand, but not so much that real humans couldn't understand it. At
  any rate, it could be enough to prevent md5 indexing... but then again,
  that would require the audio be mutated on each request, and enough
  audio be mutated to prevent md5 indexing based on partial signatures --
  similar to how viruses are detected - this is especially important if
  using dictionary words since the sample space is so small (could always
  use sentences though) :)
 
  Cheers,
  Rob.
 
 But well, you can't have an audio-only CAPTCHA on your site, a lot of
 people don't have speakers on their PC. And some people can't
 recognize English numbers...
 So then you have a "write the key" CAPTCHA or similar on your site,
 and the cracker would use that :)

Yep, like I said to Tedd before... kinda need multiple forms of captcha
tailored to particular special needs audiences. Visual is good for
pretty much all but the blind. Blind people can use audio captcha.
Beyond that... is it worth the cost to target diminishing audiences?

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:

On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
 On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
  On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
  
   I think that we can conclude that a non-crackable CAPTCHA doesn't
   exist, but also that there doesn't exist a real hard to crack
   CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
   in some cases, but only if the CAPTCHA uses static
   images/audio/video/etc. Just about your Audio CAPTCHA, you could use
   MD5 to crack it, as the number has the same MD5 sum each time.
 
  Similar methods could be applied to sound as to images to distort the
  sound enough to make it difficult for speech recognition software to
  understand, but not so much that real humans couldn't understand it. At
  any rate, it could be enough to prevent md5 indexing... but then again,
  that would require the audio be mutated on each request, and enough
  audio be mutated to prevent md5 indexing based on partial signatures --
  similar to how viruses are detected - this is especially important if
  using dictionary words since the sample space is so small (could always
  use sentences though) :)
 
  Cheers,
  Rob.

 But well, you can't have an audio-only CAPTCHA on your site, a lot of
 people don't have speakers on their PC. And some people can't
 recognize English numbers...
 So then you have a "write the key" CAPTCHA or similar on your site,
 and the cracker would use that :)

Yep, like I said to Tedd before... kinda need multiple forms of captcha
tailored to particular special needs audiences. Visual is good for
pretty much all but the blind. Blind people can use audio captcha.
Beyond that... is it worth the cost to target diminishing audiences?

Cheers,
Rob.


Uhm, blind people can't even view your page :P
I think you mean visually impaired people :)

Tijnema




Re: [PHP] MD5 bot Question

2007-04-09 Thread Stut

Tijnema ! wrote:

On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:

On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
 On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
  On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
  
   I think that we can conclude that a non-crackable CAPTCHA doesn't
   exist, but also that there doesn't exist a real hard to crack
   CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
   in some cases, but only if the CAPTCHA uses static
   images/audio/video/etc. Just about your Audio CAPTCHA, you could use
   MD5 to crack it, as the number has the same MD5 sum each time.
 
  Similar methods could be applied to sound as to images to distort the
  sound enough to make it difficult for speech recognition software to
  understand, but not so much that real humans couldn't understand it. At
  any rate, it could be enough to prevent md5 indexing... but then again,
  that would require the audio be mutated on each request, and enough
  audio be mutated to prevent md5 indexing based on partial signatures --
  similar to how viruses are detected - this is especially important if
  using dictionary words since the sample space is so small (could always
  use sentences though) :)
 
  Cheers,
  Rob.

 But well, you can't have an audio-only CAPTCHA on your site, a lot of
 people don't have speakers on their PC. And some people can't
 recognize English numbers...
 So then you have a "write the key" CAPTCHA or similar on your site,
 and the cracker would use that :)

Yep, like I said to Tedd before... kinda need multiple forms of captcha
tailored to particular special needs audiences. Visual is good for
pretty much all but the blind. Blind people can use audio captcha.
Beyond that... is it worth the cost to target diminishing audiences?

Cheers,
Rob.


Uhm, blind people can't even view your page :P
I think you mean visually impaired people :)


Yes they can... http://www.webaim.org/articles/visual/blind.php

-Stut




Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, Stut [EMAIL PROTECTED] wrote:

Tijnema ! wrote:
 On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
 On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
  On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
   On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
   
    I think that we can conclude that a non-crackable CAPTCHA doesn't
    exist, but also that there doesn't exist a real hard to crack
    CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
    in some cases, but only if the CAPTCHA uses static
    images/audio/video/etc. Just about your Audio CAPTCHA, you could use
    MD5 to crack it, as the number has the same MD5 sum each time.
  
   Similar methods could be applied to sound as to images to distort the
   sound enough to make it difficult for speech recognition software to
   understand, but not so much that real humans couldn't understand it. At
   any rate, it could be enough to prevent md5 indexing... but then again,
   that would require the audio be mutated on each request, and enough
   audio be mutated to prevent md5 indexing based on partial signatures --
   similar to how viruses are detected - this is especially important if
   using dictionary words since the sample space is so small (could always
   use sentences though) :)
  
   Cheers,
   Rob.
 
  But well, you can't have an audio-only CAPTCHA on your site, a lot of
  people don't have speakers on their PC. And some people can't
  recognize English numbers...
  So then you have a "write the key" CAPTCHA or similar on your site,
  and the cracker would use that :)

 Yep, like I said to Tedd before... kinda need multiple forms of captcha
 tailored to particular special needs audiences. Visual is good for
 pretty much all but the blind. Blind people can use audio captcha.
 Beyond that... is it worth the cost to target diminishing audiences?

 Cheers,
 Rob.

 Uhm, blind people can't even view your page :P
 I think you mean visually impaired people :)

Yes they can... http://www.webaim.org/articles/visual/blind.php

-Stut


Interesting... Didn't know that... :)

Tijnema







Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 17:28 +0200, Tijnema ! wrote:
 On 4/9/07, Stut [EMAIL PROTECTED] wrote:
  Tijnema ! wrote:
   On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
   On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
On 4/9/07, Robert Cummings [EMAIL PROTECTED] wrote:
 On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
 
      I think that we can conclude that a non-crackable CAPTCHA doesn't
      exist, but also that there doesn't exist a real hard to crack
      CAPTCHA. All current CAPTCHAs can be broken quite easy. MD5 can help
      in some cases, but only if the CAPTCHA uses static
      images/audio/video/etc. Just about your Audio CAPTCHA, you could use
      MD5 to crack it, as the number has the same MD5 sum each time.

     Similar methods could be applied to sound as to images to distort the
     sound enough to make it difficult for speech recognition software to
     understand, but not so much that real humans couldn't understand it. At
     any rate, it could be enough to prevent md5 indexing... but then again,
     that would require the audio be mutated on each request, and enough
     audio be mutated to prevent md5 indexing based on partial signatures --
     similar to how viruses are detected - this is especially important if
     using dictionary words since the sample space is so small (could always
     use sentences though) :)

 Cheers,
 Rob.
   
    But well, you can't have an audio-only CAPTCHA on your site, a lot of
    people don't have speakers on their PC. And some people can't
    recognize English numbers...
    So then you have a "write the key" CAPTCHA or similar on your site,
    and the cracker would use that :)
  
   Yep, like I said to Tedd before... kinda need multiple forms of captcha
   tailored to particular special needs audiences. Visual is good for
   pretty much all but the blind. Blind people can use audio captcha.
   Beyond that... is it worth the cost to target diminishing audiences?
  
   Cheers,
   Rob.
  
   Uhm, blind people can't even view your page :P
   I think you mean visually impaired people :)
 
  Yes they can... http://www.webaim.org/articles/visual/blind.php
 
  -Stut
 
 Interesting... Didn't know that... :)

By blind though I meant both visually impaired and as Stut pointed out
for you, completely blind :) They sort of need the same solution unless
the visual impairment is minor.

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 9:58 AM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
However, this did make me wonder about the images that M$ and others

   are using for captchas -- like find the kitty in a set of pictures.
   The MD5 application could be used to identify as many pictures as any
   spammer would need. So, I think MD5 method, as described in this
   thread, would work very well to crack those type of captchas.
 
 I doubt Microsoft is using a static image repository for captchas.
 
 Cheers,
 Rob.

 I doubt that their image repository is infinite.

 Plus, I envision a method where a bot could:

 1. Scan the site, gather the images and key phrase.

 2. MD5 the images.

 3. Place all the MD5's with the associated key phrase in a dB.

 4. Refresh and repeat.

 With repeated refreshes (not attempts at trying to enter), the key
 phrases associated with the MD5's will build and the bot will learn.

 It works like this -- the phrase "find the kitty" or key word "kitty"
 will always be associated with the picture of the kitty WHEN "kitty"
 is the solution. All other key phrases/words associated with the
 kitty picture will eventually stack out as just background noise
 as data is gathered.

 As such, a bot could have a foundation at making an intelligent
 guess. Also, every guess (successful or not) provides even more data
 to be considered. The more data gathered, the better the guess.


Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.


Rob:

Duh -- put down the joint and stay on the subject. We were talking 
about M$'s picture captcha where they show pictures and ask a 
question like "Pick the picture that shows a kitty" and NOT an 
on-the-fly graphic captcha. There are different types of captchas.


Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
 At 9:58 AM -0400 4/9/07, Robert Cummings wrote:

 Hi Tedd,
 
 Put down the crack pipe please... captcha images are usually generated
 on the fly. Their image repository is 0. Their image universe is all of
 the permutations of an image containing all of the range of serial codes
 embedded in the images according to their morphing routine. I highly
 doubt the US Government could afford the space required to store all of
 the permutations. Considering the number of bytes available to a
 dynamically generated image, it is highly likely that the images would
 be capable of exhausting the entire md5 universe.
 
 Cheers,
 Rob.
 
 Rob:
 
 Duh -- put down the joint and stay on the subject. We were talking 
 about M$'s picture captcha where they show pictures and ask a 
 question like Pick the picture that shows a kitty and NOT an on 
 the fly graphic captcha. There are different types of captchas.

Ah, I see. I was too lazy to go check since I don't use Microsoft except
insofar as to make things work in their crappy browser. Either way, can
you verify the images are static? See if getting two kitty cats produces
the same md5 signature :) Just because it's a picture doesn't invalidate
what I said.

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread Travis Doherty
Robert Cummings wrote:

On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
  

At 9:58 AM -0400 4/9/07, Robert Cummings wrote:



Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.
  

Rob:

Duh -- put down the joint and stay on the subject. We were talking 
about M$'s picture captcha where they show pictures and ask a 
question like Pick the picture that shows a kitty and NOT an on 
the fly graphic captcha. There are different types of captchas.



Ah, I see. I was too lazy to go check since I don't use Microsoft except
insofar as to make things work in their crappy browser. Either way, can
you verify the images are static? See if getting two kitty cats produces
the same md5 signature :) Just because it's a picture doesn't invalidate
what I said.

Cheers,
Rob.
  

Steganography has been able to hide text in images for quite some time
now.  Basically you cram whatever info you want into the 'unused' or
'less used' bytes of the image.

With this in mind I imagine even if you did have an image repository of
only 8 images you could add some random bytes to the right spots in the
image without distorting it beyond recognition/corrupting it, and
therefore get a hybrid of static/on-the-fly images, that hashing
couldn't break so simply.

2 cents...

Travis Doherty




Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote:

Robert Cummings wrote:

On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:


At 9:58 AM -0400 4/9/07, Robert Cummings wrote:



Hi Tedd,

Put down the crack pipe please... captcha images are usually generated
on the fly. Their image repository is 0. Their image universe is all of
the permutations of an image containing all of the range of serial codes
embedded in the images according to their morphing routine. I highly
doubt the US Government could afford the space required to store all of
the permutations. Considering the number of bytes available to a
dynamically generated image, it is highly likely that the images would
be capable of exhausting the entire md5 universe.

Cheers,
Rob.


Rob:

Duh -- put down the joint and stay on the subject. We were talking
about M$'s picture captcha where they show pictures and ask a
question like Pick the picture that shows a kitty and NOT an on
the fly graphic captcha. There are different types of captchas.



Ah, I see. I was too lazy to go check since I don't use Microsoft except
insofar as to make things work in their crappy browser. Either way, can
you verify the images are static? See if getting two kitty cats produces
the same md5 signature :) Just because it's a picture doesn't invalidate
what I said.

Cheers,
Rob.


Steganography has been able to hide text in images for quite some time
now.  Basically you cram whatever info you want into the 'unused' or
'less used' bytes of the image.

With this in mind I imagine even if you did have an image repository of
only 8 images you could add some random bytes to the right spots in the
image without distorting it beyond recognition/corrupting it, and
therefore get a hybrid of static/on-the-fly images, that hashing
couldn't break so simply.

2 cents...

Travis Doherty


This is exactly what tedd did in his last arrow example. He edited the
header of the GIF image, and so that would result in a different MD5.

Finding this part and skipping it in the MD5 check would do the job. :)

Tijnema





Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 1:04 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
 We were talking
 about M$'s picture captcha where they show pictures and ask a
 question like "Pick the picture that shows a kitty" and NOT an
 on-the-fly graphic captcha. There are different types of captchas.


Ah, I see. I was too lazy to go check since I don't use Microsoft except
insofar as to make things work in their crappy browser. Either way, can
you verify the images are static? See if getting two kitty cats produces
the same md5 signature :) Just because it's a picture doesn't invalidate
what I said.



I'm not out to validate, or invalidate, what you said. I'm just 
making the point that a finite number of pictures is different than 
an almost infinite number of on the fly generated graphic images.


The new captcha M$ is trying is to use pictures of objects and 
have the user identify which are cat pictures, like so:


http://research.microsoft.com/asirra/

The web site states that it has over two million pictures of cats and 
dogs. This captcha requires that you simply select ALL the cat 
photos, leaving the dog photos unchecked. After doing so, it checks 
your score to allow entry.


This one is different than the first one I saw, which presented only 
one cat picture in several dog pictures -- I think I could break 
that. But, this one is more difficult.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 4:19 PM -0400 4/9/07, Travis Doherty wrote:


Steganography has been able to hide text in images for quite some time
now.  Basically you cram whatever info you want into the 'unused' or
'less used' bytes of the image.

With this in mind I imagine even if you did have an image repository of
only 8 images you could add some random bytes to the right spots in the
image without distorting it beyond recognition/corrupting it, and
therefore get a hybrid of static/on-the-fly images, that hashing
couldn't break so simply.


Yes, that's the conclusion I came to in this experiment.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
 On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote:
  Robert Cummings wrote:
 
  On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
  
  
  At 9:58 AM -0400 4/9/07, Robert Cummings wrote:
  
  
  
  Hi Tedd,
  
  Put down the crack pipe please... captcha images are usually generated
  on the fly. Their image repository is 0. Their image universe is all of
  the permutations of an image containing all of the range of serial codes
  embedded in the images according to their morphing routine. I highly
  doubt the US Government could afford the space required to store all of
  the permutations. Considering the number of bytes available to a
  dynamically generated image, it is highly likely that the images would
  be capable of exhausting the entire md5 universe.
  
  Cheers,
  Rob.
  
  
  Rob:
  
  Duh -- put down the joint and stay on the subject. We were talking
  about M$'s picture captcha where they show pictures and ask a
  question like Pick the picture that shows a kitty and NOT an on
  the fly graphic captcha. There are different types of captchas.
  
  
  
  Ah, I see. I was too lazy to go check since I don't use Microsoft except
  insofar as to make things work in their crappy browser. Either way, can
  you verify the images are static? See if getting two kitty cats produces
  the same md5 signature :) Just because it's a picture doesn't invalidate
  what I said.
  
  Cheers,
  Rob.
  
  
  Steganography has been able to hide text in images for quite some time
  now.  Basically you cram whatever info you want into the 'unused' or
  'less used' bytes of the image.
 
  With this in mind I imagine even if you did have an image repository of
  only 8 images you could add some random bytes to the right spots in the
  image without distorting it beyond recognition/corrupting it, and
  therefore get a hybrid of static/on-the-fly images, that hashing
  couldn't break so simply.
 
  2 cents...
 
  Travis Doherty
 
 This is exactly what tedd did in his last arrow example. He edited the
 header of the GIF image, and so that would result in different MD5.
 
 Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures
are matched. The entire image needs some kind of permutation. Passing a
couple of curved ripples across the image as a transformation, and in
different directions should suffice to obfuscate the image signature
without obfuscating the image itself :) Similarly watermarking the image
using fractal patterns should also provide good noise.

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-09 Thread tedd

At 4:39 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:

  This is exactly what tedd did in his last arrow example. He edited the
  header of the GIF image, and so that would result in different MD5.

  Finding this part and skipping it in the MD5 check would do the job. :)


Yep, that's an obvious solution since it's the same way virus signatures
are matched. The entire image needs some kind of permutation. Passing a
couple of curved ripples across the image as a transformation, and in
different directions should suffice to obfuscate the image signature
without obfuscating the image itself :) Similarly watermarking the image
using fractal patterns should also provide good noise.

Cheers,
Rob.


Rob:

It doesn't need to be complicated; just randomly placed pixels on the 
image from a selection of colors would provide millions of 
permutations.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-09 Thread Tijnema !

On 4/9/07, tedd [EMAIL PROTECTED] wrote:

At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:

   This is exactly what tedd did in his last arrow example. He edited the
  header of the GIF image, and so that would result in different MD5.

  Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures
are matched. The entire image needs some kind of permutation. Passing a
couple of curved ripples across the image as a transformation, and in
different directions should suffice to obfuscate the image signature
without obfuscating the image itself :) Similarly watermarking the image
using fractal patterns should also provide good noise.

Cheers,
Rob.

Rob:

It doesn't need to be complicated, just random placed pixels on the
image from a selection of colors would provide millions of
permutations.

Cheers,

tedd


But then OCR would still work, as when somebody scans a document,
there are also some non-white pixels.

Tijnema

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-09 Thread Micky Hulse

tedd wrote:

...snip...
that's the reason for the alt attribute.


Thanks for clarification! :)

You are doing some great work with captchas... I also really like your 
audio captcha experiments. Keep up the great work!


Cheers,
Micky


--
Wishlists: http://snipurl.com/vrs9
   Switch: http://browsehappy.com/
 BCC?: http://snipurl.com/w6f8
   My: http://del.icio.us/mhulse




Re: [PHP] MD5 bot Question

2007-04-09 Thread Robert Cummings
On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:
 At 4:39 PM -0400 4/9/07, Robert Cummings wrote:
 On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:
 
This is exactly what tedd did in his last arrow example. He edited the
   header of the GIF image, and so that would result in different MD5.
 
   Finding this part and skipping it in the MD5 check would do the job. :)
 
 Yep, that's an obvious solution since it's the same way virus signatures
 are matched. The entire image needs some kind of permutation. Passing a
 couple of curved ripples across the image as a transformation, and in
 different directions should suffice to obfuscate the image signature
 without obfuscating the image itself :) Similarly watermarking the image
 using fractal patterns should also provide good noise.
 
 Cheers,
 Rob.
 
 Rob:
 
 It doesn't need to be complicated, just random placed pixels on the 
 image from a selection of colors would provide millions of 
 permutations.

No, you're wrong. Read the part I mentioned about virus
signatures. A small portion of the whole can be used as an identifier
where that portion is unique to the overall entity. For instance, I can
throw a tub of tar over you, then a tub of feathers ;) ;) and if one of
your fingers doesn't get covered, I can still identify your chicken
ass ;)

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-08 Thread Tijnema !

On 4/8/07, tedd [EMAIL PROTECTED] wrote:

Well, I cracked it for you :)

http://86.86.80.41/dev/debug/tedd.php

At the bottom it shows you the MD5 code of your arrow image, and it
shows you which way it points to :)

If you're interested in the code:

http://86.86.80.41/dev/debug/tedd.txt

Tijnema

Tijnema:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.

Cheers,

tedd


Looks interesting. It generates a different MD5 each time.
I'll take a deeper look at it today, and hope to find a way to crack it :)

Tijnema

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com






Re: [PHP] MD5 bot Question

2007-04-08 Thread Tijnema !

On 4/8/07, Tijnema ! [EMAIL PROTECTED] wrote:

On 4/8/07, tedd [EMAIL PROTECTED] wrote:
 Well, I cracked it for you :)
 
 http://86.86.80.41/dev/debug/tedd.php
 
 At the bottom it shows you the MD5 code of your arrow image, and it
 shows you which way it points to :)
 
 If you're interested in the code:
 
 http://86.86.80.41/dev/debug/tedd.txt
 
 Tijnema

 Tijnema:

 Okay, I think I figured out a fix -- try it again. :-)

 http://sperling.com/a/arrows/

 A little knowledge is a dangerous thing.

 Cheers,

 tedd

Looks interesting. It generates a different MD5 each time
I'll take a deeper look at it today, and hope to find a way to crack it :)

Tijnema



You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course I show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P

Tijnema




Re: [PHP] MD5 bot Question

2007-04-08 Thread benifactor

Hmm, why don't you md5 more than once..

For example, use a condition that will change with every visitor, like 
the third num in $_SERVER['REMOTE_ADDR'];  or something of the sort.  
Then make a loop..


Say the third num in my IP address is 5

The person that visits after me would get my value, and say you were 
right before me and yours was a 7


The md5 check for me would look like

md5(md5(md5(md5(md5(md5(md5($value)))))));

and for the person right after me

md5(md5(md5(md5(md5($value)))));

This way for each visitor, a piece of the puzzle is changed. Just an 
idea, and I have no idea if it would even work for what you're doing...


Tijnema ! wrote:

On 4/8/07, Tijnema ! [EMAIL PROTECTED] wrote:

On 4/8/07, tedd [EMAIL PROTECTED] wrote:
 Well, I cracked it for you :)
 
 http://86.86.80.41/dev/debug/tedd.php
 
 At the bottom it shows you the MD5 code of your arrow image, and it
 shows you which way it points to :)
 
 If you're interested in the code:
 
 http://86.86.80.41/dev/debug/tedd.txt
 
 Tijnema

 Tijnema:

 Okay, I think I figured out a fix -- try it again. :-)

 http://sperling.com/a/arrows/

 A little knowledge is a dangerous thing.

 Cheers,

 tedd

Looks interesting. It generates a different MD5 each time
I'll take a deeper look at it today, and hope to find a way to crack 
it :)


Tijnema



You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course i show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P

Tijnema






Re: [PHP] MD5 bot Question

2007-04-08 Thread Robert Cummings
On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
 hmm, why don't you md5 more then once..
 
 for example, use a condition that will change with every visitor. like 
 the third num in $_SERVER['REMOTE_ADDR'];  or something of the sort.  
 then make a loop..
 
 say the third num in my ip address is 5
 
 the person that visits after me would get my value, and say you were 
 right before me and yours was a 7
 
 the md5 check for me would look like
 
 md5(md5(md5(md5(md5(md5(md5($value)))))));
 
 and for the person right after me
 
 md5(md5(md5(md5(md5($value)))));
 
 this way for each visitor, a piece of the puzzle is changed. just an 
 idea, and have no idea if it would even work for what your doing...


Ugh, don't do that... it's no more differentiated than doing the
following which is cleaner:

md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above
is still prone to abuse by the same server making repeat attempts,
create a multi-salt system...

$salt1 = 'YoUR SeKreT SaLT';
$salt2 = time();
$salt3 = uniqid();

$md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In
this way only those who know the secret salt can rebuild the md5 to
check validity. Presumably you won't allow the same md5 to be used
twice. The time is tracked so that you can limit validity of the salt
for a period of time. So if the time on your server is more than 20
minutes ahead of the time for the submission, you can feel free to delete
entries in your database since the time has expired. This allows you to
not need to track all md5s ever generated. Only the last X minutes of
md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
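
Added example, not part of the original post or any code from the thread: a sketch of the signed, expiring, single-use form token described in the message above. It substitutes HMAC-SHA256 for the concatenated md5() and random_bytes() for uniqid(), and adds a second tag so a token is spent on its first attempt whether the answer was right or wrong. The secret is a placeholder, the function names are assumptions, and the in-memory array stands in for a database table.

```php
<?php
declare(strict_types=1);

// Assumptions for this added example: placeholder secret, 20-minute window.
const CAPTCHA_SECRET = 'PLACEHOLDER-long-random-server-side-secret';
const CAPTCHA_TTL    = 1200; // seconds; the 20 minutes mentioned in the post

/** Keyed MAC over purpose, issue time, nonce and an optional value. */
function captcha_mac(string $purpose, int $issued, string $nonce, string $value = ''): string
{
    // HMAC-SHA256 is used here in place of md5($salt1 . ...) from the post.
    $data = implode('__', [$purpose, (string) $issued, $nonce, $value]);
    return hash_hmac('sha256', $data, CAPTCHA_SECRET);
}

/** Hidden form fields to send with a challenge whose correct answer is $answer. */
function captcha_issue(string $answer, ?int $now = null): array
{
    $issued = $now ?? time();
    $nonce  = bin2hex(random_bytes(16)); // unpredictable, unlike uniqid()
    return [
        't'   => $issued,
        'n'   => $nonce,
        'tag' => captcha_mac('token', $issued, $nonce),           // proves the server issued (t, n)
        'mac' => captcha_mac('answer', $issued, $nonce, $answer), // binds the expected answer
    ];
}

/**
 * Check a submission. Returns 'ok', 'forged', 'expired', 'replayed' or 'wrong'.
 * $used maps spent nonce => issue time; only the last CAPTCHA_TTL seconds are kept.
 */
function captcha_verify(array $form, string $submitted, array &$used, ?int $now = null): string
{
    $now    = $now ?? time();
    $issued = (int) ($form['t'] ?? 0);
    $nonce  = (string) ($form['n'] ?? '');
    $tag    = (string) ($form['tag'] ?? '');
    $mac    = (string) ($form['mac'] ?? '');

    // Forget spent nonces whose tokens could no longer be accepted anyway.
    foreach ($used as $spent => $spentIssued) {
        if ($now - $spentIssued > CAPTCHA_TTL) {
            unset($used[$spent]);
        }
    }

    // Reject anything the server did not issue before touching the store.
    if (strlen($nonce) !== 32 || !ctype_xdigit($nonce)
        || !hash_equals(captcha_mac('token', $issued, $nonce), $tag)) {
        return 'forged';
    }
    if ($issued > $now || $now - $issued > CAPTCHA_TTL) {
        return 'expired';
    }
    if (isset($used[$nonce])) {
        return 'replayed';
    }

    // Spend the token on the first attempt so the answer cannot be guessed
    // repeatedly against the same challenge.
    $used[$nonce] = $issued;

    $expected = captcha_mac('answer', $issued, $nonce, $submitted);
    return hash_equals($expected, $mac) ? 'ok' : 'wrong';
}

// Constructed run with a fixed clock; "left" is the correct arrow direction.
$used = [];
$t0   = 1176000000; // constructed timestamp

$first    = captcha_issue('left', $t0);
$tampered = $first;
$tampered['t'] = $t0 + 600; // client edits the timestamp to extend the window
$second   = captcha_issue('left', $t0);
$third    = captcha_issue('left', $t0);

$results = [
    'edited timestamp'      => captcha_verify($tampered, 'left', $used, $t0 + 700),
    'wrong guess'           => captcha_verify($first, 'up', $used, $t0 + 30),
    'second guess, same id' => captcha_verify($first, 'left', $used, $t0 + 31),
    'submitted too late'    => captcha_verify($second, 'left', $used, $t0 + 1500),
    'fresh and correct'     => captcha_verify($third, 'left', $used, $t0 + 60),
];

foreach ($results as $case => $outcome) {
    echo str_pad($case, 24), $outcome, PHP_EOL;
}
```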



Re: [PHP] MD5 bot Question

2007-04-08 Thread benifactor

Indeed. I was just throwing out the idea of ever changing values.

Robert Cummings wrote:

On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
  

hmm, why don't you md5 more then once..

for example, use a condition that will change with every visitor. like 
the third num in $_SERVER['REMOTE_ADDR'];  or something of the sort.  
then make a loop..


say the third num in my ip address is 5

the person that visits after me would get my value, and say you were 
right before me and yours was a 7


the md5 check for me would look like

md5(md5(md5(md5(md5(md5(md5($value)))))));

and for the person right after me

md5(md5(md5(md5(md5($value)))));

this way for each visitor, a piece of the puzzle is changed. just an 
idea, and have no idea if it would even work for what your doing...




Ugh, don't do that... it's no more differentiated than doing the
following which is cleaner:

md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above
is still prone to abuse by the same server making repeat attempts,
create a multi-salt system...

$salt1 = 'YoUR SeKreT SaLT';
$salt2 = time();
$salt3 = uniqid();

$md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In
this way only those who know the secret salt can rebuild the md5 to
check validity. Presumably you won't allow the same md5 to be used
twice. The time is tracked so that you can limit validity of the salt
for a period of time. So if the time on your server is more than 20
minutes ahead of the time for the submission, you can feel free to delete
entries in your database since the time has expired. This allows you to
not need to track all md5s ever generated. Only the last X minutes of
md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.
  





Re: [PHP] MD5 bot Question

2007-04-08 Thread Robert Cummings
On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:
 indeed. i was just throwing out the idea of ever changing values.

Except IP addresses aren't ever changing ;)

Cheers,
Rob.



Re: [PHP] MD5 bot Question

2007-04-08 Thread benifactor
But most people have different ones :)  You could also use a random 
position :) fooeee.


Robert Cummings wrote:

On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:
  

indeed. i was just throwing out the idea of ever changing values.



Except IP addresses aren't ever changing ;)

Cheers,
Rob.
  





Re: [PHP] MD5 bot Question

2007-04-08 Thread tedd

At 9:42 AM +0200 4/8/07, Tijnema ! wrote:

You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course i show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P



Tijnema:

I might not be able to stop you, but I am sure I can wear you out.

Here's my latest:

http://sperling.com/a/arrows/

But before you spend too much time trying to figure it out, which with 
a HEX editor you should be able to easily discover -- this is what I 
did.


1. All my arrow GIF files range in size from about 500 bytes to 1.1 
KB (it's not important to the solution, just a matter of range);


2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist 
all zeros. They don't provide any information regarding this image;


3. I simply used this area to store a single HEX number ranging from 
0 to 255 DEC (HEX 0-255);


4. This gave me 11,475 different combinations for each GIF by 
changing a single byte in the header. If I used two bytes in the 
header, then the combinations would square.  If I used all available 
space, then the possible combinations would be 11,475 to the 255 
power (if my math is right) for each GIF.


True, you could:

1. Record every MD5 of every combination for every GIF (8 x 
11,475^255 different combinations) and then use those to crack this;


2. OR, simply zero out the area from DEC 64 to DEC 109 and use that.

Either case would break my code.

However, I am positive if I generated the image on the fly OR 
merged the image with a single randomized placement pixel I could 
generate an image that would be easily recognized by a human but not 
resolved by a MD5 solution.


Remember, I could also use a jpeg file and have millions of colors to 
choose from. Unless there is something here that I don't understand 
(which very well could be), I can't see how anyone, without massive 
computer resources, could break that.


Am I wrong?

Cheers,

tedd

PS: I love these types of discussions
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
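
Added example, not code from the thread: a self-check a site owner can run over the image variants their server hands out, following the header-padding scheme and the "zero out the area from DEC 64 to DEC 109" counter that the message above describes. The byte string is a constructed stand-in for an arrow GIF (it is not a valid image), and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Header range named in the post (decimal offsets, inclusive).
const PAD_START = 64;
const PAD_END   = 109;

/** The randomisation from the post: one random byte written into the padding. */
function header_variant(string $image): string
{
    $pos = random_int(PAD_START, PAD_END);
    $image[$pos] = chr(random_int(1, 255));
    return $image;
}

/** For comparison: one byte changed outside the padding, standing in for a changed pixel. */
function body_variant(string $image): string
{
    $pos = random_int(PAD_END + 1, strlen($image) - 1);
    $image[$pos] = chr((ord($image[$pos]) + random_int(1, 255)) % 256);
    return $image;
}

/** MD5 of the file with the padding range forced back to zero. */
function normalized_md5(string $image): string
{
    $len = PAD_END - PAD_START + 1;
    return md5(substr_replace($image, str_repeat("\0", $len), PAD_START, $len));
}

/** Fraction of byte positions at which two files differ. */
function differing_ratio(string $a, string $b): float
{
    $n = min(strlen($a), strlen($b));
    $diff = 0;
    for ($i = 0; $i < $n; $i++) {
        if ($a[$i] !== $b[$i]) {
            $diff++;
        }
    }
    return $n > 0 ? $diff / $n : 1.0;
}

/**
 * Summarise a set of variants of one picture:
 *  - raw_md5:        distinct whole-file digests (what the scheme tries to maximise)
 *  - normalized_md5: distinct digests once the padding is ignored
 *  - max_diff_ratio: largest share of bytes differing from the first variant;
 *                    a tiny value means a partial signature still matches
 */
function audit_variants(array $variants): array
{
    $variants = array_values($variants);
    $maxRatio = 0.0;
    foreach ($variants as $v) {
        $maxRatio = max($maxRatio, differing_ratio($variants[0], $v));
    }
    return [
        'variants'       => count($variants),
        'raw_md5'        => count(array_unique(array_map('md5', $variants))),
        'normalized_md5' => count(array_unique(array_map('normalized_md5', $variants))),
        'max_diff_ratio' => round($maxRatio, 4),
    ];
}

// Constructed 600-byte stand-in: 64 header bytes, 46 zero padding bytes, 490 body bytes.
$base = 'GIF89a' . str_repeat("\x11", 58) . str_repeat("\0", 46) . str_repeat("\xAB\xCD", 245);

$headerSet = [];
$bodySet   = [];
for ($i = 0; $i < 50; $i++) {
    $headerSet[] = header_variant($base);
    $bodySet[]   = body_variant($base);
}

echo "header-padding variants:\n";
print_r(audit_variants($headerSet));
echo "single changed body byte:\n";
print_r(audit_variants($bodySet));
```

If `normalized_md5` collapses to 1, or `max_diff_ratio` stays close to zero, the variation is cosmetic and the per-request change has to alter the rendered picture itself.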



Re: [PHP] MD5 bot Question

2007-04-08 Thread tedd

At 12:38 AM +0100 4/8/07, Stut wrote:

tedd wrote:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.


Give up now, while you're still sane.

Think about what you're trying to do. You're trying to do something 
different on the client every time, but without letting that client 
know something is different.


It really really really can't be done. Something needs to be 
visually different, therefore something in what the client gets 
needs to be different. Do you see why it's not possible now?


-Stut


-Stut:

With all due respect, I figure that you've probably forgotten more about 
php than I know, but sometimes people have to find out for 
themselves. That's what I'm doing.


However, in the past I have gone up against conventional theory and 
changed it. I don't think this is one of those times, but who knows? 
Perhaps you know better, but I don't know yet.


The way I figure it, in an image I have 72 dots per square inch -- so, 
in one square inch that's 5,184 places for me to store a 24 bit key. 
To me, that's a lot of places to hide my Easter egg -- is that not 
enough?


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-08 Thread Tijnema !

On 4/8/07, tedd [EMAIL PROTECTED] wrote:

At 9:42 AM +0200 4/8/07, Tijnema ! wrote:
You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course i show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P


Tijnema:

I might not be able to stop you, but I am sure I can wear you out.

Here's my latest:

http://sperling.com/a/arrows/

But before you spend too much time trying to figure it out, which with
a HEX editor you should be able to easily discover -- this is what I
did.

1. All my arrow GIF files range in size from about 500 bytes to 1.1
KB (it's not important to the solution, just a matter of range);

2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist
all zeros. They don't provide any information regarding this image;

3. I simply used this area to store a single HEX number ranging from
0 to 255 DEC (HEX 0-255);

4. This gave me 11,475 different combinations for each GIF by
changing a single byte in the header. If I used two bytes in the
header, then the combinations would square.  If I used all available
space, then the possible combinations would be 11,475 to the 255
power (if my math is right) for each GIF.

True, you could:

1. Record every MD5 of every combination for every GIF (8 x
11,475^255 different combinations) and then use those to crack this;

2. OR, simply zero out the area from DEC 64 to DEC 109 and use that.

Either case would break my code.


Since you're already telling how to break, i'm not gonna break it anymore :)
Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and
then convert it back to GIF.  That should clean up the header :)



However, I am positive if I generated the image on the fly OR
merged the image with a single randomized placement pixel I could
generate an image that would be easily recognized by a human but not
resolved by a MD5 solution.

Remember, I could also use a jpeg file and have millions of colors to
choose from. Unless, there is something here that I don't understand
(which very well could be), I can't see how anyone, without massive
computer resources, could break that.

Am I wrong?


Maybe... What about OCR programs? they can read letters from images,
if you could transform that to a program that could read arrows
instead of characters. then you probably could crack it, also if you
store random pixels in it. And that doesn't use massive computer
resources :)

That's why i wanted to go for movies, because they are a lot harder to
process, but still they are processable by a bot, and so it could be
cracked

I don't think any of us will ever find a code that's not crackable,
but the amount of time needed to crack needs to be as high as
possible, so that crackers will stay away because it takes way too
much time, and maybe also too much computer resources. But while doing
this, it should never disturb the normal user from using your site.




Cheers,

tedd

PS: I love these types of discussions


Me too :)

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
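
The header-byte scheme from this exchange, and the zeroing that tedd lists as breaking it, as an added PHP example that is not part of the thread and is not tedd's or Tijnema's code: it counts distinct MD5s before and after resetting offsets 64 to 109. The byte strings are constructed stand-ins for the eight arrow GIFs, the inclusive end offset is an assumption, and all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The "files" are constructed
// byte strings; only the layout matters: an unused all-zero region at
// offsets 64..109, as tedd describes. All names here are hypothetical.

const PAD_START = 64;   // first unused byte (DEC 64 in the thread)
const PAD_END   = 109;  // last unused byte, assumed inclusive

/** Build a constructed stand-in for one arrow file. */
function makeArrowFile(string $direction): string
{
    $head = str_pad('GIF89a', PAD_START, "\x01");         // bytes 0..63
    $pad  = str_repeat("\x00", PAD_END - PAD_START + 1);  // bytes 64..109
    $body = str_repeat($direction, 100);                  // differs per arrow
    return $head . $pad . $body;
}

/** Per-request variation: one random non-zero byte in the unused region. */
function stampVariant(string $file): string
{
    $file[random_int(PAD_START, PAD_END)] = chr(random_int(1, 255));
    return $file;
}

/** MD5 after resetting the unused region, so only meaningful bytes count. */
function canonicalMd5(string $file): string
{
    $len = PAD_END - PAD_START + 1;
    return md5(substr_replace($file, str_repeat("\x00", $len), PAD_START, $len));
}

/** Serve $perArrow variants of each arrow; count distinct hashes of each kind. */
function auditVariation(array $directions, int $perArrow): array
{
    $raw = [];
    $canonical = [];
    foreach ($directions as $d) {
        $base = makeArrowFile($d);
        for ($i = 0; $i < $perArrow; $i++) {
            $served = stampVariant($base);
            $raw[md5($served)] = true;
            $canonical[canonicalMd5($served)] = true;
        }
    }
    return ['raw' => count($raw), 'canonical' => count($canonical)];
}

$result = auditVariation(['N', 'NE', 'E', 'SE', 'S', 'SW', 'W', 'NW'], 200);
printf("distinct raw MD5s: %d\ndistinct canonical MD5s: %d\n",
       $result['raw'], $result['canonical']);
```

When the canonical count equals the number of arrows, the per-request variation lives only in bytes a client can discard, so it adds nothing against a stored-hash comparison. Variation has to change what is actually drawn before it affects that comparison at all.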






Re: [PHP] MD5 bot Question

2007-04-08 Thread Jochem Maas

just a few random thoughts on how to make it even more painful to
crack. random colored borders, random border width, slight changes in width/height,
random pixel noise or varying colors, animated gifs (where does the arrow stop),
animated gifs (where does the red/pink/blue/green arrow point to),

make the letters random with regard to character and position [and make the
letters generated images themselves]
that way knowing where the arrow is pointing is only half the solution.

or maybe rather take this technique and combine it with std captcha such that
you output an image with a stack of [freaky] letters in it and one of them
has an arrow pointing at it.

yadda yadda.

in theory it's all crackable - but somewhere along the line the problem becomes
too hard to make it worth the effort to try (unless you're securing Fort Knox or something)


Tijnema ! wrote:
 On 4/8/07, tedd [EMAIL PROTECTED] wrote:
 At 9:42 AM +0200 4/8/07, Tijnema ! wrote:
 You can't stop me :)
 
 http://86.86.80.41/dev/debug/tedd.php
 
 It's cracked again :)
 
 and of course i show you the code:
 
 http://86.86.80.41/dev/debug/tedd.txt
 
 Waiting for your next try :P
 

 Tijnema:

 I might not be able to stop you, but I am sure I can wear you out.

 Here's my latest:

 http://sperling.com/a/arrows/

 But before you spend too much time trying to figure it out, which with
 a HEX editor you should be able to easily discover -- this is what I
 did.

 1. All my arrow GIF files range in size from about 500 bytes to 1.1
 KB (it's not important to the solution, just a matter of range);

 2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist
 all zeros. They don't provide any information regarding this image;

 3. I simply used this area to store a single HEX number ranging from
 0 to 255 DEC (HEX 0-255);

 4. This gave me 11,475 different combinations for each GIF by
 changing a single byte in the header. If I used two bytes in the
 header, then the combinations would square.  If I used all available
 space, then the possible combinations would be 11,475 to the 255
 power (if my math is right) for each GIF.

 True, you could:

 1. Record every MD5 of every combination for every GIF (8 x
 11,475^255 different combinations) and then use those to crack this;

 2. OR, simply zero out the area from DEC 64 to DEC 109 and use that.

 Either case would break my code.
 
 Since you're already telling how to break, i'm not gonna break it
 anymore :)
 Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and
 then convert it back to GIF.  That should clean up the header :)
 

 However, I am positive if I generated the image on the fly OR
 merged the image with a single randomized placement pixel I could
 generate an image that would be easily recognized by a human but not
 resolved by a MD5 solution.

 Remember, I could also use a jpeg file and have millions of colors to
 choose from. Unless, there is something here that I don't understand
 (which very well could be), I can't see how anyone, without massive
 computer resources, could break that.

 Am I wrong?
 
 Maybe... What about OCR programs? they can read letters from images,
 if you could transform that to a program that could read arrows
 instead of characters. then you probably could crack it, also if you
 store random pixels in it. And that doesn't use massive computer
 resources :)
 
 That's why i wanted to go for movies, because they are a lot harder to
 process, but still they are processable by a bot, and so it could be
 cracked
 
 I don't think any of us will ever find a code that's not crackable,
 but the amount of time needed to crack needs to be as high as
 possible, so that crackers will stay away because it takes way too
 much time, and maybe also too much computer resources. But while doing
 this, it should never disturb the normal user from using your site.
 
 

 Cheers,

 tedd

 PS: I love these types of discussions
 
 Me too :)
 -- 
 ---
 http://sperling.com  http://ancientstones.com  http://earthstones.com

 




Re: [PHP] MD5 bot Question

2007-04-08 Thread tedd

At 6:33 PM +0200 4/8/07, Tijnema ! wrote:

On 4/8/07, tedd [EMAIL PROTECTED] wrote:

Remember, I could also use a jpeg file and have millions of colors to
choose from. Unless, there is something here that I don't understand
(which very well could be), I can't see how anyone, without massive
computer resources, could break that.

Am I wrong?


Maybe... What about OCR programs? they can read letters from images,
if you could transform that to a program that could read arrows
instead of characters. then you probably could crack it, also if you
store random pixels in it. And that doesn't use massive computer
resources :)


Yes, I was excluding that -- I was dealing only with MD5 solutions.

Of course, OCR-like programs can decipher and interpret an arrow. It 
would not be too hard to find the center of the square and then 
determine in which one of eight zones the majority of contrasting 
pixels were. I did similar stuff many years ago detecting movement by 
comparing frames to see what areas in a frame were changing and 
then direct stepping motors to control the camera. Neat stuff.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-08 Thread tedd

At 6:46 PM +0200 4/8/07, Jochem Maas wrote:

just a few random thoughts on how to make it even more painful to
crack. random colored borders, random border width, slight changes in width/height,
random pixel noise or varying colors, animated gifs (where does the arrow stop),
animated gifs (where does the red/pink/blue/green arrow point to),

make the letters random with regard to character and position [and make the
letters generated images themselves]
that way knowing where the arrow is pointing is only half the solution.

or maybe rather take this technique and combine it with std captcha such that
you output an image with a stack of [freaky] letters in it and one of them
has an arrow pointing at it.

yadda yadda.

in theory it's all crackable - but somewhere along the line the problem becomes
too hard to make it worth the effort to try (unless you're securing Fort Knox or something)


My attempt here was only to show that a MD5 solution could become so 
vast that there would be no point in pursuing that avenue.


As for other ways to crack this, of course there ARE other easier ways.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-08 Thread tedd

At 4:38 AM -0700 4/8/07, benifactor wrote:

hmm, why don't you md5 more than once..


I read somewhere that MD5'ing anything more than once, does not 
increase security.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-07 Thread Tijnema !

On 4/7/07, tedd [EMAIL PROTECTED] wrote:

At 11:56 PM +0100 4/6/07, Tijnema ! wrote:
On 4/6/07, tedd [EMAIL PROTECTED] wrote:
At 2:55 PM +0100 4/6/07, Tijnema ! wrote:
I know, but animated gifs are still quite easy to read with a bot.

Really?

What if I created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where E is located I have a gif (animated or not) pointing
to a letter, which would be the key. How would a bot read that?

Cheers,

tedd

Assuming you're using the same arrow the whole time, you could use md5
check for example. Save MD5 for all directions of the arrow and
compare :)


Tijnema:

Okay, here's an example:

http://sperling.com/a/arrows/

How would someone MD5 that?

Furthermore, how would a bot decipher anything different from that?
From my perspective, no matter which way the arrow is pointing, the
code remains the same. The only thing that changes is the arrow and a
screen reader would have to be programmed to recognize the change --
am I wrong?

Cheers,

tedd


Well, I cracked it for you :)

http://86.86.80.41/dev/debug/tedd.php

At the bottom it shows you the MD5 code of your arrow image, and it
shows you which way it points to :)

If you're interested in the code:

http://86.86.80.41/dev/debug/tedd.txt

Tijnema




Re: [PHP] MD5 bot Question

2007-04-07 Thread tedd

At 10:33 PM +0200 4/7/07, Tijnema ! wrote:

On 4/7/07, tedd [EMAIL PROTECTED] wrote:

At 11:56 PM +0100 4/6/07, Tijnema ! wrote:

On 4/6/07, tedd [EMAIL PROTECTED] wrote:

At 2:55 PM +0100 4/6/07, Tijnema ! wrote:

I know, but animated gifs are still quite easy to read with a bot.


Really?

What if I created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where E is located I have a gif (animated or not) pointing
to a letter, which would be the key. How would a bot read that?

Cheers,

tedd


Assuming you're using the same arrow the whole time, you could use md5
check for example. Save MD5 for all directions of the arrow and
compare :)



Tijnema:

Okay, here's an example:

http://sperling.com/a/arrows/

How would someone MD5 that?

Furthermore, how would a bot decipher anything different from that?
From my perspective, no matter which way the arrow is pointing, the
code remains the same. The only thing that changes is the arrow and a
screen reader would have to be programmed to recognize the change --
am I wrong?

Cheers,

tedd


Well, I cracked it for you :)

http://86.86.80.41/dev/debug/tedd.php

At the bottom it shows you the MD5 code of your arrow image, and it
shows you which way it points to :)

If you're interested in the code:

http://86.86.80.41/dev/debug/tedd.txt

Tijnema


Tijnema:

You did more than crack it for me -- you broke my brain. Now I have 
to figure out what the heck is going on. It's one of those love/hate 
things -- on one hand I love a challenge and on the other I hate the 
idea that I was clueless about it.


So what you did was to load in each arrow image, md5() the image 
file, get the results and manually match them to the solution, place 
that in an array, and then use those results to crack it. Damn, 
that's sweet!


I never thought about an image file producing a unique hash string.

I learn something new every day, and I'm getting damned tired of it.  :-)

Thanks for the education.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-07 Thread tedd

Well, I cracked it for you :)

http://86.86.80.41/dev/debug/tedd.php

At the bottom it shows you the MD5 code of your arrow image, and it
shows you which way it points to :)

If you're interested in the code:

http://86.86.80.41/dev/debug/tedd.txt

Tijnema


Tijnema:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] MD5 bot Question

2007-04-07 Thread Stut

tedd wrote:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.


Give up now, while you're still sane.

Think about what you're trying to do. You're trying to do something 
different on the client every time, but without letting that client know 
something is different.


It really really really can't be done. Something needs to be visually 
different, therefore something in what the client gets needs to be 
different. Do you see why it's not possible now?


-Stut




Re: [PHP] MD5 bot Question

2007-04-07 Thread Jim Lucas

Stut wrote:

tedd wrote:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.


Give up now, while you're still sane.

Think about what you're trying to do. You're trying to do something 
different on the client every time, but without letting that client know 
something is different.


It really really really can't be done. Something needs to be visually 
different, therefore something in what the client gets needs to be 
different. Do you see why it's not possible now?


-Stut

ah, but it is possible, if he could change the color of the background and arrow on each page 
refresh, then it would be pretty damn hard to cache all the possible combinations of that, plus toss 
in a few random degrees of difference with say 3 arrows that point to the right, but one is at 90 
deg's while another is at 88 and another yet at 92.


This would make things almost impossible for a computer to see, but the chances of a human screwing 
it up would be almost impossible.


Jim
