ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] defeating voice captchas

2006-02-13 16:06:53
from [Gadi Evron] [Permanent Link] 
Going to X-post. My apologies to those who get this twice.

One of the newest (now known though) tricks in the Captcha book is using
Voice.

If users cannot understand what the letters are in the now too-complex
Captchas that are forced on us due to spammer counter-measures at
defeating Captchas, he or she can click on an icon and listen to it. :)

Here is the earliest example of it that I know of:
http://www.notonebit.com/projects/killbot/kbaudio.php

That example is a bit amateurish, as the recording is bad and obviously
not done by a girl with a sexy voice. Still, the disturbance from the
bad Microphone can be eliminated or kept entirely. It doesn’t matter.

In this case each letter is played by itself. Further, each letter was
recorded only once.

Therefore, how many times does one have to refresh the page and listen
to the Captcha to be able to simply learn to identify the Captcha by
say, an MD5 hash of the audio for each letter?

Even if it was all set in one audio file, and even if the audio was
played with to be, as an example, in a higher pitch. Or perhaps even if
several different voices would greet us…
Looking at general similarities in the audio file itself would be enough
to break down this Captcha once enough harvesting attempts (not that
many really) were saved.

Auto-generated voice? That sounds easy to beat but I am not an audio
expert so, “sounds like” will stay as my opinion.

It’s is great to be able to finally understand these new annoying
Captchas, but already we are getting to a point where one can’t
understand the recorded speech either due to counter-measures from the
spammers and the Captchas becoming more and more difficult.

For information on breaking regular text-image Captchas, check:
http://en.wikipedia.org/wiki/Captcha
http://blogs.securiteam.com/index.php/archives/208

For my post on new comment spam problems:
http://blogs.securiteam.com/index.php/archives/285

This text can be found here:
http://blogs.securiteam.com/index.php/archives/287

        Gadi.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Asrg] defeating voice captchas, Gadi Evron <=
Previous by Date:  Re: [Asrg] Re: Charging for e-mail, Justin Mason
Next by Date:  [Asrg] comment spam samples, Gadi Evron
Previous by Thread:  [Asrg] Comment Spam: new trends, failing counter-measures and why it's a big deal, Gadi Evron
Next by Thread:  [Asrg] comment spam samples, Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]