[Dailydave] confirming it's a person
Dave Aitel
dave at immunityinc.com
Tue Mar 25 14:44:42 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
re Captchas:
You could just ask the user to retype two strings and measure how long
it takes for them to type it in, à la BioPassword. BioPassword tries to
use biometrics to determine which person someone is (by measuring how
long their fingers take to move between keys with a Flash applet, for
example), but biometrics are often quite useful for "this is a person".
Of course, you'll have to make a model for each different keyboard type
if you're internationally savvy. Rather than having a single password
the user types, you'll want to have a "random string".
Hmm. If you give everyone two strings to type, you could build a
database of timings with the second string, and simple datapoint
grouping will get you which keyboard they are using so you can build
your models. Then you can start rotating that second string in and
retiring your first string after your model is built and tested. You
need a continual stream of random strings+statistical models because
otherwise people will just type them in once, slightly modify them, and
submit them mechanically.
I don't have code to do this, of course. The counter-attack would be a
good model of how a human types on a keyboard, where given a random
string you could generate timings. That might not be a difficult thing
to build to the level of precision you'd need, but it might. Then again,
typing in long random strings might be much more annoying than trying to
read distorted images. :>
Just as an FYI, Justine and JMS are heading to CanSecWest and JMS is
going to demo his new CANVAS Win32 kernel rootkit for anyone who asks,
he tells me. :>
-dave
dan at geer.org wrote:
| I would like to RTFM on alternatives to CAPTCHAs,
| but I don't know what FM to R.
|
| If someone here wants to say "forget it" or "this
| is the current best technique" or what-have-you,
| I'd be thankful to hear. Not trying to start a
| large thread; you can, if you like.
|
| --dan
|
| _______________________________________________
| Dailydave mailing list
| Dailydave at lists.immunitysec.com
| http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFH6UgatehAhL0gheoRAqZzAJ9++E9WwssHekJKK8Ga7K0RO78bQQCcDW90
oHmCYGf0IHtLkS8gS2cObOI=
=vtqh
-----END PGP SIGNATURE-----
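The two-string timing check and the counter-attack sketched in Dave's post, as an added example; this is not code from the post, from Immunity, or from BioPassword. The challenge string, the thresholds (20 ms floor, 10% coefficient of variation, 3-sigma population window), the Gaussian stand-in for a typist, and every timestamp are constructed for illustration; a real deployment would record timings client-side and model per-digraph and per-keyboard, as the post suggests.

```python
"""Keystroke-timing liveness check and its counter-attack.

Added example for the thread above; not code from the post, from
Immunity, or from BioPassword. The challenge string, the timing
thresholds and every timestamp below are constructed for illustration.
"""
import random
import statistics

CHALLENGE = "qz7m3kxp"  # constructed stand-in for the server's random string


def latencies(timestamps):
    """Inter-key latencies in ms between consecutive key-down events."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def human_like_timestamps(text, rng, mean=180.0, stdev=60.0):
    """Constructed stand-in for a real typist: latencies drawn from a
    normal distribution, floored at 40 ms. Used to build the model (as if
    recorded from a population) and, below, by the forger."""
    t, out = 0.0, [0.0]
    for _ in text[1:]:
        t += max(40.0, rng.gauss(mean, stdev))
        out.append(t)
    return out


class TimingModel:
    """Population model for one keyboard type: mean and spread of
    inter-key latency. (Per-digraph models would be the next step.)"""

    def __init__(self, samples):
        lats = [l for s in samples for l in latencies(s)]
        self.mean = statistics.mean(lats)
        self.stdev = statistics.pstdev(lats)

    def verdict(self, challenge, timestamps):
        if len(timestamps) != len(challenge):
            return "reject: keystroke count != challenge length"
        lats = latencies(timestamps)
        if min(lats) < 20.0:  # no fingers move that fast: paste or key injection
            return "reject: faster than fingers"
        mean = statistics.mean(lats)
        if statistics.pstdev(lats) / mean < 0.10:   # humans are irregular
            return "reject: metronomic timing"
        if abs(mean - self.mean) > 3 * self.stdev:  # wrong population / keyboard
            return "reject: outside population"
        return "accept"


def forge_timestamps(challenge, model, rng):
    """The counter-attack the post describes: sample from the defender's
    own statistics. Against a mean/spread model this passes trivially."""
    return human_like_timestamps(challenge, rng, model.mean, model.stdev)


def demo():
    rng = random.Random(1)
    # "Recorded" population: 50 constructed typists on the same keyboard type.
    model = TimingModel([human_like_timestamps(CHALLENGE, rng) for _ in range(50)])

    # Hand-constructed human run: latencies 150,220,95,310,180,140,260 ms.
    human = [0, 150, 370, 465, 775, 955, 1095, 1355]
    pasted = [0] * len(CHALLENGE)                        # whole string at once
    scripted = [100 * i for i in range(len(CHALLENGE))]  # fixed-delay bot
    forged = forge_timestamps(CHALLENGE, model, random.Random(2))

    return {
        "human": model.verdict(CHALLENGE, human),
        "pasted": model.verdict(CHALLENGE, pasted),
        "scripted": model.verdict(CHALLENGE, scripted),
        "forged": model.verdict(CHALLENGE, forged),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who:9s} -> {result}")
```

The paste and the fixed-delay script are caught by the two cheap checks, but the forged run is accepted because the attacker only needs the same statistics the defender keeps. That is the post's point: the check is only as strong as the gap between the defender's model and the attacker's typing model, which is why the strings have to rotate and the models have to get finer than a single mean and spread.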