thepcspy
Comments for Improving KittenAuth
11 to 20 of 21
#11
/* 2 years, 11 months ago */
Let's see how this works.
Testing, Anonymous User
#12
/* 2 years, 11 months ago */
If there's a botnet of 100,000 machines, then the 2^16 combinations are not going to be good enough to keep all the bots out. The game concept in comment #8 at first seems good, but computers can be trained to play games too. The IP address timeout would not help in the above case either.
We'll always have a moving target for these things until someone finally sets up a global micropayment scheme so that you can charge a penny (or a fraction of a penny) to register; then it'll be worth it. Combine that with a CAPTCHA - man, imagine the revenue generated by a botnet attacking your site!
Andy.
Andy, Normal User
#13
/* 2 years, 11 months ago */
What if you picked 2, 3 or more animal images, combined them randomly into one image, and then asked the user whether they're all the same type of animal?
e.g. 3 fish and a kitten: no. 2 horses and 2 monkeys: no. 4 dogs: yes.
With a sufficient supply of different images for each animal type, and with them randomly placed in the combined image, recognition software should be pretty stumped, especially if you allow overlapping.
This also makes the user's effort stupidly simple.
Kyle Wayman, Normal User
#14
/* 2 years, 11 months ago */
Sounds nice, Kyle, but you're effectively giving the user a yes-or-no question, which is incredibly trivial for a computer to brute-force.
The whole point of CAPTCHA systems is to ask the user a question which requires the use of their brain but doesn't translate well to machine understanding or brute force. KittenAuth improves on traditional "typing" CAPTCHAs by using something easier for humans to understand, but still not easy for a computer to recognise, and with the improved KittenAuth, not easy to brute-force either.
Chris Grant, Normal User
#15 — Author comment
/* 2 years, 11 months ago */
As Chris says, Kyle, that brings the brute-force success rate back to one in two. Unfortunately, when you've got a botnet and you can automate the procedure, 50% success is more than enough to plaster a site with spam.
Harvesting the images still seems to be the greatest flaw, as highlighted in the latest round of feedback. If you're a hot target, you either need an immense number of images and groups or you need to switch them out on a regular basis.
One thing I can say on this point, though, is that bots are going to exhibit similar ways of accessing the images, and perhaps a heuristic analytical process could stop them even seeing the CAPTCHA - a bit like the Karma plugin for WordPress. It's something, I'll admit, that requires some research.
Oli, Numero Uno
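The "heuristic analytical process" Oli floats in comment #15 can be sketched as a log-scoring pass that runs before any CAPTCHA is served. The block below is an added example written for this page; it is not code from KittenAuth, from the page's author, or from the WordPress Karma plugin mentioned above. The image path `/kittenauth/img/`, the form page `/comment.php`, the thresholds and every log line are constructed assumptions. It scores each client on three browser-versus-bot differences visible in a combined-format access log: fetching CAPTCHA images without ever loading the page that embeds them, pulling more images inside a short window than a page view could need, and (as a supporting signal only, because privacy tools strip it) sending no Referer on any image fetch.

```python
"""Access-log heuristic for spotting clients that harvest KittenAuth images.

Added example for this comments page; not code from KittenAuth, its author, or the
Karma plugin. Paths, thresholds and the sample log below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IMAGE_PREFIX = "/kittenauth/img/"   # assumed location of the CAPTCHA images
FORM_PAGE = "/comment.php"          # assumed page that embeds the CAPTCHA
WINDOW = timedelta(seconds=10)
MAX_IMAGES_PER_WINDOW = 12          # a 3x3 or 4x4 grid needs at most 9 to 16 per page view

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def score_clients(lines):
    """Map client IP -> list of reasons it looks like an image harvester (empty map = all clean)."""
    page_loads = defaultdict(list)   # ip -> timestamps of form page views
    image_hits = defaultdict(list)   # ip -> (timestamp, referer) of CAPTCHA image fetches
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == FORM_PAGE:
            page_loads[rec["ip"]].append(rec["ts"])
        elif rec["path"].startswith(IMAGE_PREFIX):
            image_hits[rec["ip"]].append((rec["ts"], rec["referer"]))

    flagged = {}
    for ip, hits in image_hits.items():
        reasons = []
        times = sorted(t for t, _ in hits)
        # 1. Images fetched but the page that embeds them was never loaded: not a browser.
        if not page_loads[ip]:
            reasons.append("images without form page load")
        # 2. Burst: more image fetches inside WINDOW than one page view could need.
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - WINDOW:
                j += 1
            if i - j + 1 > MAX_IMAGES_PER_WINDOW:
                reasons.append(f"burst: >{MAX_IMAGES_PER_WINDOW} image fetches in {WINDOW.seconds}s")
                break
        # 3. Supporting signal only: browsers normally send the page as Referer, but privacy
        #    tools strip it, so a missing Referer never flags a client on its own.
        if reasons and all(ref == "-" for _, ref in hits):
            reasons.append("no referer on any image fetch")
        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, when, path, referer="-"):
    """Build one constructed combined-log line (GET, 200, fixed size and agent)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 2048 "{referer}" "Mozilla/5.0"'


def constructed_log():
    """Constructed sample: one browser and two harvesters (all addresses are documentation ranges)."""
    t0 = datetime(2009, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    form = "http://blog.example" + FORM_PAGE
    # Browser: loads the page, then its nine grid images one second later with a Referer.
    lines = [_line("198.51.100.20", t0, FORM_PAGE)]
    lines += [_line("198.51.100.20", t0 + timedelta(seconds=1), f"{IMAGE_PREFIX}{i}.jpg", form)
              for i in range(9)]
    # Harvester: 40 images in 8 seconds, never loads the page, sends no Referer.
    lines += [_line("203.0.113.7", t0 + timedelta(seconds=i // 5), f"{IMAGE_PREFIX}{i}.jpg")
              for i in range(40)]
    # Smarter harvester: loads the page and sets Referer, but pulls 30 images in 3 seconds.
    lines.append(_line("203.0.113.9", t0, FORM_PAGE))
    lines += [_line("203.0.113.9", t0 + timedelta(seconds=1 + i // 10), f"{IMAGE_PREFIX}{i}.jpg", form)
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for ip, reasons in score_clients(constructed_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Run as a script it prints the two harvesters with their reasons and stays silent about the browser. The burst threshold is deliberately tied to grid size, since a legitimate page view fetches exactly one grid's worth of images; tune `MAX_IMAGES_PER_WINDOW` and `WINDOW` to the real grid and to how aggressively browsers pipeline image requests on your site before acting on the score.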
#16
/* 2 years, 11 months ago */
How about an LOLcat Auth :) There are hundreds of lolcat images on the web with varying lolcat phrases on each one.
phony, Anonymous User
#18
/* 2 years, 9 months ago */
Pretty cute system (pun definitely intended).
A buddy showed me KittyAuth, and the first thing that came to mind was the utter simplicity of caching image byte sizes... while it's important to keep the images 'unique' and 'recognizable' so they can be deciphered by a human user, it's equally important to keep them as ambiguous as possible to a computer.
I completely agree that a single 'stitched' image is superior to an array of individual images for this reason. Just four unique images become 24 unique 4x1 stitched images, quickly increasing your entropy pool just by moving them around. Each individual image added to the pool increases that exponentially. Add a little bit of random noise to the images, maybe blur the edges to prevent (or at least discourage) pixel comparison, and it becomes an unreasonable task for a data parser to keep up.
The idea of ajaxing positional clicks with JS / XML maps, while good, may be too server-intensive for some sites (and overly complicated for their creators). If your stitched image is auto-generated, and the server knows which 'position' each image is in, simply dropping the checkboxes below each individual 'image' in the larger meshed version would have the same effect. There's little practical difference in sending the selections as single clicks to be collected/verified sequentially versus sending them all at once. More often than not the user will click them in left-to-right order anyway.
Just my 2 cents.
Pat, Anonymous User
#20
/* 17 months, 0 days ago */
KittenAuth sounds like a great idea.
I suspect that it's already overkill for most blogs, but people (such as myself) can't resist thinking up minor improvements.
Brainstorming: Tell the user "click on the three dogs once, then click on the three cats twice."
Then JavaScript can auto-submit after exactly 9 clicks -- so it's better usability than "click all the kittens, then press submit".
For a 3x3 grid of images, with exactly 3 cats, 3 dogs, and 3 other, I figure that gives you 1680 combinations -- so it's better security than "click all the kittens" in a 3x3 grid.
(And of course you can get more combinations by going to a bigger grid.)
Brainstorming: perhaps you could put the instructions in the picture(s).
Even when the instructions are in easy-to-read, legible letters, it's still going to slow down spammers if they have to OCR each one.
And of course, submitters can't just type in the OCR'ed characters; a submitter has to make sense of the instructions.
Brainstorming: In an image, tell the user "In the textbox below, copy-and-paste the URL of this site followed by the 5 letters "cutie". Thank you." This helps you figure out if there really is a "free p*rn" man-in-the-middle attack.
davidcary, Anonymous User
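Several comments in this thread reason about how many blind guesses a layout forces: Andy's 2^16 checkbox combinations against a 100,000-machine botnet (#12), Kyle's yes/no composite that Chris and Oli point out is a coin flip (#13 to #15), Pat's four images becoming 24 stitched orderings (#18), and davidcary's 1680-combination "dogs once, cats twice" grid (#20). The block below is an added example that carries that arithmetic through in one place; it is not code from KittenAuth or from any of the commenters. It generalises their single numbers into functions of grid size and class counts, and the `expected_passes` helper turns a guess probability into the number of spam submissions a given number of blind attempts would let through, which is the quantity Andy's botnet objection actually hinges on. The botnet size and grid shapes are the ones quoted in the thread; nothing here is tied to a real deployment.

```python
"""Guess-probability arithmetic for the KittenAuth layouts discussed in the thread.

Added example; not KittenAuth code. It measures how many blind guesses each
layout forces on a client that cannot see the pictures, and what that means
for the spam volume a large pool of guessing bots would get through.
"""
from dataclasses import dataclass
from math import comb, factorial


@dataclass(frozen=True)
class Layout:
    name: str
    answer_space: int  # number of distinct answers a blind guesser must choose between

    @property
    def guess_probability(self) -> float:
        # Exactly one answer is correct, so a uniformly random guess succeeds with 1/N.
        return 1.0 / self.answer_space


def checkbox_grid(images: int) -> Layout:
    # Classic KittenAuth: one checkbox per image, any subset may be ticked -> 2^n answers.
    # 16 images give the 2^16 = 65536 that comment #12 quotes.
    return Layout(f"{images} images, tick any subset", 2 ** images)


def tick_exactly_k(images: int, kittens: int) -> Layout:
    # "Click all the kittens" when the guesser knows exactly k pictures are kittens: C(n, k).
    return Layout(f"{images} images, tick exactly {kittens}", comb(images, kittens))


def stitched_orderings(images: int) -> Layout:
    # Comment #18: n distinct source images stitched in a row give n! different composites,
    # so a cache of per-image byte sizes no longer maps one composite file to its answer.
    return Layout(f"{images} images stitched in a row", factorial(images))


def two_class_clicks(images: int, dogs: int, cats: int) -> Layout:
    # Comment #20: choose which cells are dogs (click once), then which of the remaining
    # cells are cats (click twice): C(n, d) * C(n - d, c). For 9/3/3 that is 84 * 20 = 1680.
    return Layout(
        f"{images} images, {dogs} dogs once + {cats} cats twice",
        comb(images, dogs) * comb(images - dogs, cats),
    )


def yes_no_question() -> Layout:
    # Comments #13 to #15: "are they all the same animal?" is a coin flip for a guesser.
    return Layout("yes/no composite", 2)


def expected_passes(layout: Layout, attempts: int) -> float:
    # Expected number of successful submissions from `attempts` independent blind guesses,
    # e.g. one guess per bot in the 100,000-machine botnet of comment #12. Linear: N * p.
    return attempts * layout.guess_probability


if __name__ == "__main__":
    botnet = 100_000
    for layout in (
        yes_no_question(),
        tick_exactly_k(9, 3),
        two_class_clicks(9, 3, 3),
        stitched_orderings(4),
        checkbox_grid(16),
    ):
        print(f"{layout.name:45s} answers={layout.answer_space:6d} "
              f"p={layout.guess_probability:.2e} "
              f"expected passes from {botnet} bots={expected_passes(layout, botnet):.2f}")
```

The output makes the thread's two positions concrete: the yes/no composite lets roughly 50,000 of 100,000 blind guesses through, the 1680-answer grid about 60, and even the 2^16 checkbox layout still leaks about 1.5 spam posts per 100,000 attempts, which is exactly why Andy argues that a per-attempt cost, not a bigger answer space, is what finally changes the economics. Note that these figures assume the bot cannot see the images at all; image harvesting, the flaw Oli calls the greatest in #15, collapses every one of these numbers to a near-certain pass.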
© Oli Warner 2001—2007