Breaking the Silk Road's Captcha

238 points by DavidChouinard, over 10 years ago

12 comments

lstyls, over 10 years ago
This is a great writeup and super easy to follow along with. The figures are really nice!

One observation: training a neural net to classify segmented characters is probably overkill. The author observed that the font never changed, but never ended up exploiting this fact. After the very effective preprocessing, thresholding, etc., the characters are almost identical to the 'average' representations the author generated!

I bet it would be enough simply to classify an unknown character by the letter that it shows highest correlation with.
patio11, over 10 years ago
FYI: Captchas are generally considered "broken" at between 1% and 10% rates of success with automated approaches, because attackers can run hundreds of thousands of requests, generally "for free" at the margin. There is no practical difference in the amount of abuse suffered by a site with a 90% captcha and a 9% captcha -- the first one just requires 10X as many HTTP requests to abuse.

This is one of the unfortunate "math favors the bad guy" consequences in a lot of anti-abuse filtering tasks. (Anti-spam research has similar problems, which is why the main innovation wasn't making filters better but radically increasing the cost of getting caught, via burning the reputation of the offending IP. IP addresses are a lot more expensive to acquire in quantity than packets.)
mieko, over 10 years ago
Author here. Here's the corresponding proggit thread: http://www.reddit.com/r/programming/comments/2hisfk/breaking_the_silk_roads_captcha/
oftenwrong, over 10 years ago
That was a surprisingly simple and easy-to-follow write-up. I will have to try some captcha-breaking for myself soon.
goldmouth, over 10 years ago
Very cool and well-written post.

I've created many similar programs to defeat captchas. I would classify this as a medium severity bug, you would still need to brute force the passwords on a terribly slow and intermittent connection.
praeivis, over 10 years ago
Silk Road used ReCaptcha long ago and it finished badly: http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/
magerleagues, over 10 years ago
I feel like a much smarter programmer after reading that.
usrname, over 10 years ago
And more + reddit captcha

https://github.com/dawjan/Open_Me/tree/master/Captcha%20Crack

Also /.. is php tor
blueintegral, over 10 years ago
Could that last step be considered a kind of Levenshtein distance measurement?
krispyfi, over 10 years ago
The lesson? Include a developer API with your site, so people don't have to undermine your security to use it.
_RPM, over 10 years ago
I believe that the Silk Road was built on the CodeIgniter framework for PHP.
ultramancool, over 10 years ago
Why wouldn't you just pay a captcha breaking service to get a near-100% success rate? Less noticeable for botting and $10 will buy you around 10k captchas on antigate or deathbycaptcha. Don't really need to log in and out that much, so that'd probably be plenty.