Silk Road forums

Support => Feature requests => Topic started by: freewheelinf on February 20, 2012, 09:35 am

Title: SR Captchas UN-safety
Post by: freewheelinf on February 20, 2012, 09:35 am
Am I the only one that finds the SR captchas pretty ineffective?
I mean, you just get a set of images that at some point repeat.
You won't need any special skill to make a script to compare the images and bypass the captcha automatically..
And anyway the typeface looks quite easy to OCR.

Is it something the SR team is working on? Do you need help in that?
Title: Re: SR Captchas UN-safety
Post by: johnhamil90 on February 21, 2012, 10:20 pm
Well it's not like they're completely necessary as of now.
No one's trying to DDoS SR or anything. If the need arose I'm sure the SR team would get on it.
Title: Re: SR Captchas UN-safety
Post by: freewheelinf on February 22, 2012, 02:47 pm
I'm not talking about ddosing (also because the captchas won't help with that at all).
I'm talking about possible brute-forcing of buyers/sellers passwords.
But I guess everybody is already choosing passwords with more than 8 characters, numbers, uppercase, special symbols, whatever, right?? :)
Title: Re: SR Captchas UN-safety
Post by: SierraRS on March 05, 2012, 11:48 pm
Speed of Silk Road + reasonably good password + need to bypass captcha = time needed to brute force password is greater than time needed to make all drugs legally available to adults.
Title: Re: SR Captchas UN-safety
Post by: jpisbetterthanme on March 06, 2012, 12:34 am
Speed of Silk Road + reasonably good password + need to bypass captcha = time needed to brute force password is greater than time needed to make all drugs legally available to adults.


^ This :)

Point: Captcha is pretty durn effective when combined with a good password. If you want to be the white hat hacker who proves otherwise I think that would be awesome to see. . .
Title: Re: SR Captchas UN-safety
Post by: freewheelinf on March 06, 2012, 10:56 pm
Speed of Silk Road + reasonably good password + need to bypass captcha = time needed to brute force password is greater than time needed to make all drugs legally available to adults.

Nice :)
Therefore the whitehat hacker which would do it would even make drugs legal!
Cool!
Except then SR would disappear :P
Title: Re: SR Captchas UN-safety
Post by: kmfkewm on March 07, 2012, 03:08 am
Speed of Silk Road + reasonably good password + need to bypass captcha = time needed to brute force password is greater than time needed to make all drugs legally available to adults.


^ This :)

Point: Captcha is pretty durn effective when combined with a good password. If you want to be the white hat hacker who proves otherwise I think that would be awesome to see. . .

Captcha is actually pretty easy to largely bypass. People will just hire Indians or Chinese people to do them all day. Or they will make pop-up spam that requests people fill in the captcha to see pr0n. Or they will make their botnet with a million Windows users on it replace the screen lock with a screen that makes them type in five different captchas before they can get back to their desktop. Captchas are good for stopping the average spammer / whatever, but if you ask a security pro about using captcha for any critical security system they will lol at it. They would probably lol at using passwords too though, and suggest that zero-knowledge authentication be used instead.

http://www.sitepoint.com/avoid-captchas/
Title: Re: SR Captchas UN-safety
Post by: jpisbetterthanme on March 07, 2012, 03:21 am
Captcha is actually pretty easy to largely bypass. People will just hire Indians or Chinese people to do them all day. Or they will make pop-up spam that requests people fill in the captcha to see pr0n. Or they will make their botnet with a million Windows users on it replace the screen lock with a screen that makes them type in five different captchas before they can get back to their desktop. Captchas are good for stopping the average spammer / whatever, but if you ask a security pro about using captcha for any critical security system they will lol at it. They would probably lol at using passwords too though, and suggest that zero-knowledge authentication be used instead.


How? I mean Captcha images used by SR are like random portions of words + random amount of numbers encoded in huge streams of bits. How would you decode that?
Title: Re: SR Captchas UN-safety
Post by: dankology on March 07, 2012, 03:26 am
The problem is there aren't that many of those. I've even seen the same captchas over and over again to the point that I remember them now when I see them.
Title: Re: SR Captchas UN-safety
Post by: freewheelinf on March 08, 2012, 08:55 am
That's what I was trying to point out in the beginning.
The captchas are not randomly generated, they are a fixed set of images which are appearing, with a fixed set of files.
Once you download all the files and write down the name of the file together with the content of the captcha, a userscript which automatically fills in the captcha is no big deal.
That said, I anyway agree that probably the speed of the SR drastically reduces the chances of successfully brute-forcing passwords.
Title: Re: SR Captchas UN-safety
Post by: Delta11 on March 08, 2012, 08:43 pm
That's what I was trying to point out in the beginning.
The captchas are not randomly generated, they are a fixed set of images which are appearing, with a fixed set of files.
Once you download all the files and write down the name of the file together with the content of the captcha, a userscript which automatically fills in the captcha is no big deal.
That said, I anyway agree that probably the speed of the SR drastically reduces the chances of successfully brute-forcing passwords.

Even if someone were to somehow brute-force their way into your account, you still have your secondary password that will protect you from the hacker sending all of your coins to their wallet.