Comments for The Cutest Human-Test: KittenAuth

181 to 190 of 223 < 1 2 3 ... 18 19 20 21 22 23 >
#181 /* 8 months, 23 days ago */
Neat. Very neat.
#182 /* 8 months, 23 days ago */
Hrm, here's an idea: a library of 3D models of kittens, puppies, etc. Every so often (or constantly on a rolling basis) new renders of these models are created with different angles, lighting, textures, etc.

Done right, I think a human would be able to tell kitten from rabbit but it would no longer be possible for an attacker to simply index all the pictures.
#183 /* 8 months, 23 days ago */
This is easy to get around by paying sweatshop workers to specify the relation between any two pictures.
Preferably serving them the whole captcha session realtime so they can supply the answer to the zombie that then selects this answer.
If there is money in spam, there is surely enough to pay some people to do this 24/7 :-(
#184 /* 8 months, 23 days ago */
I wannna see your kittend
#185 /* 8 months, 23 days ago */
sdfssds
#186 /* 8 months, 23 days ago */
It's a sexeh piece of authentication if I may say so.
I wannna see your kittend

Same
#187 /* 8 months, 23 days ago */
asdfwefaefe
#188 /* 8 months, 23 days ago */
That's a really cool idea. Ingenious!
#189 /* 8 months, 23 days ago */
You probably can't just send images, you'd want to do a little random customisation to each image before sending.
If the images are always identical, it would be possible for someone to train a bot to recognise them, something like this:

1. Bot tries auth 1000 times and for each time it stores:
copies of the images,
a copy of the web page,
its response,
whether it was successful or not.

2. Bot user goes through the results and tags each image as kitten/not-kitten (or whatever, they have the web page to tell them what the answer should be).

3. Run the bot again, it still does not know what a kitten is but now it knows that the image with some specific sequence of byte values (regardless of name change) has been tagged as a kitten.

So you could blend in a random watermark to the image before sending to the client; humans would still recognise the kittens, but bots would no longer see duplicate image files. You'd also have to be careful about image editing software leaving messages in the image file. If all your kitten images were taken with the same camera, or on the same day, or provided by the same company, they are likely to have tag fields in them that have the same values, so the bot could be set to look for these.

Rob.
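
Added example, not part of the comment above or of KittenAuth's own code: a server-side sketch of the two defences comment #189 describes, dropping metadata chunks and perturbing pixels per request so that no two served files share a byte fingerprint. The function names, the constructed sample PNG and its `ExampleCam 1.0` tag are assumptions, and the sketch only handles 8-bit greyscale, non-interlaced PNGs whose rows use filter type 0.

```python
import hashlib, os, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, body):
    # PNG chunk layout: length, type, body, CRC over type + body
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def read_chunks(png):
    assert png[:8] == PNG_SIG
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        yield png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        pos += 12 + length

def make_sample(width=16, height=16):
    # Constructed input: greyscale gradient carrying a camera-style tEXt tag.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 8 + y) % 256 for x in range(width))
                    for y in range(height))
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Software\x00ExampleCam 1.0")
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

def serve_variant(png, rand=os.urandom):
    # Keep only IHDR/IDAT/IEND (drops tEXt and any other metadata chunk).
    chunks = list(read_chunks(png))
    ihdr = next(b for t, b in chunks if t == b"IHDR")
    width = struct.unpack(">I", ihdr[:4])[0]
    raw = bytearray(zlib.decompress(b"".join(b for t, b in chunks if t == b"IDAT")))
    noise = rand(len(raw))
    stride = width + 1  # one filter byte, then `width` pixel bytes per row
    for i in range(len(raw)):
        if i % stride:  # leave the per-row filter byte untouched
            raw[i] = min(255, max(0, raw[i] + noise[i] % 3 - 1))  # shift by -1, 0 or +1
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b""))

def fingerprint(png):
    # What a replaying bot would store against its kitten / not-kitten tag.
    return hashlib.sha256(png).hexdigest()
```

Noise this small defeats exact-byte matching only; it does nothing against a matcher that compares images approximately.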
#190 /* 8 months, 23 days ago */
You could insert one step to randomize the image filenames before they are streamed to the client. This way a bot can't brute force for a while and learn which image paths are correct whenever a successful hit occurs. That would make it tougher for someone to come up with an algorithm that got better every time and keep them from pushing the 1/84 down by remembering previous sessions.
© Oli Warner 2001—2007