Re: [PHP] MD5 bot Question
At 7:50 PM -0500 4/10/07, Richard Lynch wrote:

On Sun, April 8, 2007 11:12 am, tedd wrote:

chose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong?

You are wrong. The Tijnema! solution of memorizing every single image would fail.

Then I'm right, because that's what I was saying.

Cheers, tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 8:11 PM -0500 4/10/07, Richard Lynch wrote:

On Tue, April 10, 2007 7:47 am, tedd wrote:

Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Unless I look at enough images to figure out that you are just changing N random pixels, and I construct a distance function to compute how different image A is from image X, where I already know X points up

http://php.net/imagecolorat can be used to do exactly this. In fact, I've done that to break a CAPTCHA that had random noise pixels added to the text. Actually, I was able to remove the noise first and then compute distance function for character by character analysis of the text on the image.

I do not understand why you are obsessing on the MD5 crack when it's probably not the weapon that would be chosen, unless your CAPTCHA is so lame that it's susceptible to an MD5 crack... If it's not that lame, then the attacker just doesn't use an MD5 signature, and employs another technique. Have we not been through this whole thread enough times already?

Apparently not enough times because, no offense, you missed the point. We are not talking about how one could break this type of captcha, we were talking about how this captcha could be broken by a MD5 method and what steps could be taken to make it unbreakable by that method. It was a learning exercise as to the scope and use of MD5. That's it -- that's all. See the subject line.

If you want to talk about other ways to break this type of captcha, then please do. I am sure that I could learn a lot from you -- and I expect to do so. But please don't infer that we are obsessing about a topic we are discussing; or that my work is lame when it was designed to test one point; or state that I'm wrong because you didn't understand what I said in context. That's not constructive nor right.
Cheers, tedd
Re: [PHP] MD5 bot Question
At 7:52 PM -0500 4/10/07, Richard Lynch wrote:

On Sun, April 8, 2007 11:26 am, tedd wrote:

The way I figure it, in an image I have 72 dots per square inch -- so, in one square inch that's 5,184 places for me to store a 24 bit key. To me, that's a lot of places to hide my Easter egg -- is that not enough?

No. If the egg is visible to a human, a computer program can be crafted to see the egg as well.

Again. I am talking about MD5 and you're talking about something else. Please read.

Cheers, tedd
Re: [PHP] MD5 bot Question
At 8:36 PM -0500 4/10/07, Richard Lynch wrote:

With millions of different images and more being added, it presents a considerable challenge to crack.

I think not... You only have to find 10,000 people who hate MS and give each of them 200 unique images to identify.

Well actually, all one would need to do is to set up an asirra captcha and have people solve it. Then in the background tag which is cat/dog and store. I estimate that one could easily identify 12 images in 20 seconds, 36 per minute. As such, identification of two million pictures would take less than 1000 man hours. So you are right -- it's not the formidable problem I thought.

For that matter, the images are coming from Petfinder, according to their blurb... How tough could it be to find the same bytes in an image in Petfinder and then detect the cat or dog tag on their website -- assuming they have categorized their Petfinder images by species/genus?

Good point.

Cheers, tedd
Re: [PHP] MD5 bot Question
On Wed, April 11, 2007 7:30 am, tedd wrote:

At 7:50 PM -0500 4/10/07, Richard Lynch wrote:

On Sun, April 8, 2007 11:12 am, tedd wrote:

chose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong?

You are wrong. The Tijnema! solution of memorizing every single image would fail.

Then I'm right, because that's what I was saying.

You're right that it can't be broken WITH THAT TECHNIQUE, which is not what you actually typed... You're wrong that it can be broken, without massive computer resources, which is what you actually typed. :-)

By all means, publish a bunch of different nifty CAPTCHAs and re-name to Assira or whatever so you can claim to be doing something new and different, but do not for an instant delude yourself that a dedicated attack won't succeed no matter what you do.

--
Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
Re: [PHP] MD5 bot Question
On Wed, April 11, 2007 8:09 am, tedd wrote:

-- that's all. See the subject line.

I'm sorry that I thought the thread had spilled over beyond the scope of the Subject. Since we rarely do that here in PHP General, I should have known better. :-)

I don't think your work is lame. I think it's lame to say it can't be broken without massive computer resources.

And, actually, even with the MD5 technique... An MD5 is 32 bytes. 2 million images, sauteed down to 32 bytes each, is 64 Meg, plus some DB overhead. Plus an index on the MD5 field, for speed, but that cannot exceed the original 64Meg, almost-for-sure.

So, a machine with 128 Meg DB is massive resources? I think not.

True, you would use a lot of bandwidth and time to compute the MD5 hashes. But what do you think zombie bot Windows computers are for? This is an IDEAL problem-space for massive parallel computation, distributed across as many machines as a Bad Guy can control.

So the massive computing resources turns out to be readily available cracked Windows boxes, if you even need it, which I doubt.
Re: [PHP] MD5 bot Question
At 8:10 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:

At 4:39 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:

This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise.

Cheers, Rob.

Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations.

No, you're wrong. Read the part I mentioned about virus signatures. A small portion of the whole can be used as an identifier where that portion is unique to the overall entity. For instance, I can throw a tub of tar over you, then a tub of feathers ;) ;) and if one of your fingers doesn't get covered, I can still identify your chicken ass ;)

Cheers, Rob.

Rob: Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Plus, if you:

[A] Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself

or

[B] Similarly watermarking the image using fractal patterns should also provide good noise.

You would still leave at least one pixel the same as it was before so your chicken ass would still be exposed, right?

Or does your ripple/watermark application alter every pixel by changing its alpha channel or something? And if so, then why is it that you are required to change every pixel? I am sure that there are images that have at least one pixel in common, so I don't see the point you're trying to make -- please explain.

Cheers, tedd
Re: [PHP] MD5 bot Question
You were talking about an OCR reader for the arrows to see what letters it is pointing to. If the arrow would be at a random location in the actual image, the arrow being not an arrow but i.e. a man pointing and the arm being flexible (so even if the man himself would move around randomly, the arm would always face the right direction for the image).

I like the idea of a pointing arrow, it could be quick, pretty effective (not 100% since nothing is) and easy for the user to identify. If there was a miniature version of this available, I would use it on my site. Since I hate the text versions.

- Olafur W

2007/4/10, tedd [EMAIL PROTECTED]:

At 8:10 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:

At 4:39 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:

This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise.

Cheers, Rob.

Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations.

No, you're wrong. Read the part I mentioned about virus signatures. A small portion of the whole can be used as an identifier where that portion is unique to the overall entity. For instance, I can throw a tub of tar over you, then a tub of feathers ;) ;) and if one of your fingers doesn't get covered, I can still identify your chicken ass ;)

Cheers, Rob.

Rob: Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Plus, if you:

[A] Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself

or

[B] Similarly watermarking the image using fractal patterns should also provide good noise.

You would still leave at least one pixel the same as it was before so your chicken ass would still be exposed, right? Or does your ripple/watermark application alter every pixel by changing its alpha channel or something? And if so, then why is it that you are required to change every pixel? I am sure that there are images that have at least one pixel in common, so I don't see the point you're trying to make -- please explain.

Cheers, tedd
Re: [PHP] MD5 bot Question
At 10:46 PM +0100 4/9/07, Tijnema ! wrote:

On 4/9/07, tedd [EMAIL PROTECTED] wrote:

It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations.

Cheers, tedd

But then OCR would still work, as when somebody scans a document, there are also some not white pixels.

Tijnema

Tijnema: An OCR is an Optical Character Reader -- its design is to recognize characters (A-Z 0-9), not images. That's the reason why I previously used the term OCR-like application -- meaning that it would be designed/programmed to see the differences between images and then make a decision as to what to do. That requires more effort than an OCR program.

Add to that, that every image could present a new problem to decipher and you have the makings of a formidable deterrent. That's what asirra is all about, see: http://www.asirra.com/examples/ExampleService.html

With millions of different images and more being added, it presents a considerable challenge to crack.

Cheers, tedd
Re: [PHP] MD5 bot Question
At 12:55 PM + 4/10/07, Ólafur Waage wrote:

You were talking about an OCR reader for the arrows to see what letters it is pointing to. If the arrow would be at a random location in the actual image, the arrow being not an arrow but i.e. a man pointing and the arm being flexible (so even if the man himself would move around randomly, the arm would always face the right direction for the image).

I like the idea of a pointing arrow, it could be quick, pretty effective (not 100% since nothing is) and easy for the user to identify. If there was a miniature version of this available, I would use it on my site. Since I hate the text versions.

- Olafur W

Olafur: I don't have a miniature version yet, but that's not a real problem because it's simply changing the css file. If you want the code as-is just ask.

http://sperling.com/a/arrows/

Otherwise, I will eventually have it on my site as a style of visual captcha and will have this audio version as well:

http://sperling.com/examples/captcha/index.php

My intent is to provide several different types of captchas for public use.

Cheers, tedd
Re: [PHP] MD5 bot Question
On Tue, 2007-04-10 at 08:47 -0400, tedd wrote:

At 8:10 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 17:14 -0400, tedd wrote:

At 4:39 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote:

This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :)

Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise.

Cheers, Rob.

Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations.

No, you're wrong. Read the part I mentioned about virus signatures. A small portion of the whole can be used as an identifier where that portion is unique to the overall entity. For instance, I can throw a tub of tar over you, then a tub of feathers ;) ;) and if one of your fingers doesn't get covered, I can still identify your chicken ass ;)

Cheers, Rob.

Rob: Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Yes but you completely missed the point of my metaphor :) The point is, I can take an md5 signature of a subset of the image's pixels and still identify it if the subset is representative (this is the point about still ID'ing someone with their finger print despite the rest of them being tarred and feathered :) This is how many virus detection systems work. They find a single portion of a virus' binary program that is representative and can use it as a search within other binaries to detect the presence of the virus. So if you only change a few pixels, there is a high likelihood of a subset md5 signature still being recognized.

Plus, if you:

[A] Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself

or

[B] Similarly watermarking the image using fractal patterns should also provide good noise.

You would still leave at least one pixel the same as it was before so your chicken ass would still be exposed, right? Or does your ripple/watermark application alter every pixel by changing its alpha channel or something?

These would alter every pixel, without generally affecting a human's perception of the object... this is the point since now subset of the images pixels would be representative.

And if so, then why is it that you are required to change every pixel? I am sure that there are images that have at least one pixel in common, so I don't see the point you're trying to make -- please explain.

Explanation above :)

Cheers, Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] MD5 bot Question
On Tue, 2007-04-10 at 13:13 -0400, Robert Cummings wrote:

On Tue, 2007-04-10 at 08:47 -0400, tedd wrote:

Rob: Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Yes but you completely missed the point of my metaphor :) The point is, I can take an md5 signature of a subset of the image's pixels and still identify it if the subset is representative (this is the point about still ID'ing someone with their finger print despite the rest of them being tarred and feathered :) This is how many virus detection systems work. They find a single portion of a virus' binary program that is representative and can use it as a search within other binaries to detect the presence of the virus. So if you only change a few pixels, there is a high likelihood of a subset md5 signature still being recognized.

Plus, if you:

[A] Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself

or

[B] Similarly watermarking the image using fractal patterns should also provide good noise.

You would still leave at least one pixel the same as it was before so your chicken ass would still be exposed, right? Or does your ripple/watermark application alter every pixel by changing its alpha channel or something?

These would alter every pixel, without generally affecting a human's perception of the object... this is the point since now subset of the

That should have read: ... since no subset of...

images pixels would be representative.

And if so, then why is it that you are required to change every pixel? I am sure that there are images that have at least one pixel in common, so I don't see the point you're trying to make -- please explain.

Explanation above :)

Cheers, Rob.
Re: [PHP] MD5 bot Question
At 1:17 PM -0400 4/10/07, Robert Cummings wrote:

-snip-

That should have read: ... since no subset of...

Oh well, now it makes sense! :-)

Actually, I see exactly what you are saying. If you take a small portion of a file and MD5 it, it will give you a signature. If I simply change a single pixel in the image and that pixel is NOT included in the small portion you use for your MD5, then the MD5 check will return the same signature as before the alteration. However, if your portion includes the pixel change, then the resultant MD5 will be different.

That's the reason why you need to alter a significant portion of the image so that smaller portions will probably contain some alteration.

Thanks for explaining that.

tedd
Re: [PHP] MD5 bot Question
On 4/10/07, tedd [EMAIL PROTECTED] wrote:

At 1:17 PM -0400 4/10/07, Robert Cummings wrote:

-snip-

That should have read: ... since no subset of...

Oh well, now it makes sense! :-)

Actually, I see exactly what you are saying. If you take a small portion of a file and MD5 it, it will give you a signature. If I simply change a single pixel in the image and that pixel is NOT included in the small portion you use for your MD5, then the MD5 check will return the same signature as before the alteration. However, if your portion includes the pixel change, then the resultant MD5 will be different.

That's the reason why you need to alter a significant portion of the image so that smaller portions will probably contain some alteration.

Thanks for explaining that.

tedd

That just means that you should store about 10-20 MD5 summed parts, and then take the same 10-20 parts (and MD5 sum) and compare, and if a few (or maybe just 1) match, then you know it's same image :)

Tijnema
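
The whole-image versus partial MD5 distinction worked out in the messages above can be measured by anyone evaluating an image randomizer. The following PHP is an added example, not code from any poster: it assumes a constructed 64x64 grayscale image held as a raw byte string (no GD), all function names are hypothetical, and `global_perturb` is only a simple stand-in for the ripple or watermark idea, not Rob's transformation.

```php
<?php
// Added illustration: the image, tile size and function names are constructed.
const W = 64;      // image width in pixels
const H = 64;      // image height in pixels
const TILE = 16;   // tile edge, giving a 4 x 4 grid of 16 tiles

// Deterministic synthetic 8-bit grayscale image, one byte per pixel, row-major.
function make_image(): string
{
    $img = '';
    for ($y = 0; $y < H; $y++) {
        for ($x = 0; $x < W; $x++) {
            $img .= chr(($x * 3 + $y * 5) % 256);
        }
    }
    return $img;
}

// MD5 of every TILE x TILE block, in row-major tile order.
function tile_hashes(string $img): array
{
    $hashes = [];
    for ($ty = 0; $ty < H; $ty += TILE) {
        for ($tx = 0; $tx < W; $tx += TILE) {
            $block = '';
            for ($y = $ty; $y < $ty + TILE; $y++) {
                $block .= substr($img, $y * W + $tx, TILE);
            }
            $hashes[] = md5($block);
        }
    }
    return $hashes;
}

// "Random placed pixels": invert $n pixels at random positions.
function sparse_noise(string $img, int $n): string
{
    for ($i = 0; $i < $n; $i++) {
        $pos = mt_rand(0, W * H - 1);
        $img[$pos] = chr(ord($img[$pos]) ^ 0xFF);
    }
    return $img;
}

// Stand-in for a ripple or watermark: shift every pixel by a small non-zero amount.
function global_perturb(string $img): string
{
    for ($pos = 0; $pos < W * H; $pos++) {
        $img[$pos] = chr((ord($img[$pos]) + mt_rand(1, 3)) % 256);
    }
    return $img;
}

// Number of tiles whose MD5 is identical at the same grid position.
function surviving_tiles(array $reference, array $candidate): int
{
    $count = 0;
    foreach ($reference as $i => $hash) {
        if ($hash === $candidate[$i]) {
            $count++;
        }
    }
    return $count;
}

mt_srand(2007); // fixed seed so the run is repeatable
$original  = make_image();
$reference = tile_hashes($original);
$variants  = [
    '3 random pixels changed' => sparse_noise($original, 3),
    'every pixel perturbed'   => global_perturb($original),
];
foreach ($variants as $label => $variant) {
    printf(
        "%-24s whole-image MD5 %s, %d of %d tile MD5s still match\n",
        $label,
        md5($variant) === md5($original) ? 'unchanged' : 'changed',
        surviving_tiles($reference, tile_hashes($variant)),
        count($reference)
    );
}
```

Each changed pixel can spoil only the one tile it falls in, so sparse noise leaves at least 13 of the 16 tile hashes intact, while the per-pixel change leaves none. A randomizer that is meant to resist partial-hash matching should be checked this way against its own output.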
Re: [PHP] MD5 bot Question
You only have 9 arrows.

How tricky can it be to detect which of the 9 images you are displaying?

Even if the URL is the same every time, it's a no-brainer to use OCR to detect which array is there.

How many variations on this theme are we going to go through?

On Sat, April 7, 2007 10:59 am, tedd wrote:

At 11:56 PM +0100 4/6/07, Tijnema ! wrote:

On 4/6/07, tedd [EMAIL PROTECTED] wrote:

At 2:55 PM +0100 4/6/07, Tijnema ! wrote:

I know, but animated gifs are still quite easy to read with a bot.

Really?

What if I created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where E is located I have a gif (animated or not) pointing to a letter, which would be the key. How would a bot read that?

Cheers, tedd

Assuming you're using the same arrow the whole time, you could use md5 check for example. Save MD5 for all directions of the arrow and compare :)

Tijnema

Tijnema: Okay, here's an example:

http://sperling.com/a/arrows/

How would someone MD5 that? Furthermore, how would a bot decipher anything different from that?

From my perspective, no matter which way the arrow is pointing, the code remains the same. The only thing that changes is the arrow and a screen reader would have to be programmed to recognize the change -- am I wrong?

Cheers, tedd
Re: [PHP] MD5 bot Question
On Sat, April 7, 2007 7:02 pm, Jim Lucas wrote:

This would make things almost impossible for a computer to see, but the chances of a human screwing it up would be almost impossible.

Sigh.

Look. If a HUMAN can see the difference, then a program can be written to detect the difference.

This stopped being rocket science a couple decades ago when AI researchers started doing optical recognition in the field, with 98% success rates.

Think of it this way: You know how a barcode reader works? All I have to do is write a custom barcode reader that works for your images. Game Over.
Re: [PHP] MD5 bot Question
On Sun, April 8, 2007 7:48 am, Robert Cummings wrote:

On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:

indeed. i was just throwing out the idea of ever changing values.

Except IP addresses aren't ever changing ;)

Unless the visitor is on AOL.
Re: [PHP] MD5 bot Question
On Sun, April 8, 2007 11:12 am, tedd wrote:

chose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong?

You are wrong.

The Tijnema! solution of memorizing every single image would fail.

The attacker would then simply switch to another technique, of recognizing the image as an image, rather than as a random collection of bytes to be memorized.
Re: [PHP] MD5 bot Question
On Sun, April 8, 2007 11:26 am, tedd wrote:

The way I figure it, in an image I have 72 dots per square inch -- so, in one square inch that's 5,184 places for me to store a 24 bit key. To me, that's a lot of places to hide my Easter egg -- is that not enough?

No.

If the egg is visible to a human, a computer program can be crafted to see the egg as well.
Re: [PHP] MD5 bot Question
On Sun, April 8, 2007 11:46 am, Jochem Maas wrote:

in theory it's all crackable - but somewhere along the line the problem becomes too hard to make it worth the effort to try (unless you're securing Fort Knox or something)

In REALITY, 99.9% of the Bad Guys will be kept out by *ANY* CAPTCHA/defense no matter how lame it seems.

In REALITY, if you are guarding Fort Knox, then a CAPTCHA is the wrong way to go, for a total solution, as it can be cracked by a determined individual.
Re: [PHP] MD5 bot Question
On Tue, April 10, 2007 7:47 am, tedd wrote:

Your use of metaphor is quite colorful, but if you change a single pixel in an image, then you change the MD5 signature -- that is what I was talking about -- and that is not wrong.

Unless I look at enough images to figure out that you are just changing N random pixels, and I construct a distance function to compute how different image A is from image X, where I already know X points up

http://php.net/imagecolorat can be used to do exactly this.

In fact, I've done that to break a CAPTCHA that had random noise pixels added to the text. Actually, I was able to remove the noise first and then compute distance function for character by character analysis of the text on the image.

I do not understand why you are obsessing on the MD5 crack when it's probably not the weapon that would be chosen, unless your CAPTCHA is so lame that it's susceptible to an MD5 crack...

If it's not that lame, then the attacker just doesn't use an MD5 signature, and employs another technique.

Have we not been through this whole thread enough times already?
Re: [PHP] MD5 bot Question
A) 2 million MD5s is chump-change.

B) Telling a cat from a dog is probably a homework exercise for AI Vision grad students.

On Mon, April 9, 2007 3:35 pm, tedd wrote:

At 1:04 PM -0400 4/9/07, Robert Cummings wrote:

On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:

We were talking about M$'s picture captcha where they show pictures and ask a question like "Pick the picture that shows a kitty" and NOT an on the fly graphic captcha. There are different types of captchas.

Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said.

I'm not out to validate, or invalidate, what you said. I'm just making the point that a finite number of pictures is different than an almost infinite number of on the fly generated graphic images.

The new captcha M$ is trying, is to use pictures of objects and have the user identify which are cat pictures, like so:

http://research.microsoft.com/asirra/

The web site states that it has over two million pictures of cats and dogs. This captcha requires that you simply to select ALL the cat photos leaving the dog photos unchecked. After doing so, it checks your score to allow entry.

This one is different than the first one I saw, which presented only one cat picture in several dog pictures -- I think I could break that. But, this one is more difficult.

Cheers, tedd
Re: [PHP] MD5 bot Question
On Tue, April 10, 2007 8:01 am, tedd wrote:
> An OCR is an Optical Character Reader -- its design is to recognize characters (A-Z 0-9), not images. That's the reason why I previously used the term OCR-like application -- meaning that it would be designed/programmed to see the differences between images and then make a decision as to what to do. That requires more effort than an OCR program.

It requires more or less effort depending on the problem space and how well the computer has to see the image... I'm sure there are simple and harder OCR-like problems.

> Add to that, that every image could present a new problem to decipher and you have the makings of a formidable deterrent. That's what asirra is all about, see:
>
> http://www.asirra.com/examples/ExampleService.html
>
> With millions of different images and more being added, it presents a considerable challenge to crack.

I think not...

You only have to find 10,000 people who hate MS and give each of them 200 unique images to identify.

For that matter, the images are coming from Petfinder, according to their blurb... How tough could it be to find the same bytes in an image in Petfinder and then detect the cat or dog tag on their website -- assuming they have categorized their Petfinder images by species/genus?

Methinks a dedicated cracker could defeat this in very short order.
Re: [PHP] MD5 bot Question
On 4/9/07, tedd wrote:
> At 4:38 AM -0700 4/8/07, benifactor wrote:
>> hmm, why don't you md5 more than once..
>
> I read somewhere that MD5'ing anything more than once does not increase security.
>
> Cheers,
> tedd

Not in this case, as it doesn't go about decrypting the key here, that's impossible with MD5, you can only bruteforce. But that's totally not of interest, a cracker doesn't want to implement an MD5 bruteforcer in his bot that brute forces the MD5 key each time (which can take up to several years to complete on regular PCs).

Tijnema
Re: [PHP] MD5 bot Question
Tijnema ! wrote:
> You can't stop me :)
> http://86.86.80.41/dev/debug/tedd.php
> It's cracked again :)

Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.)

Sorry, coming in on this late.

Good work Tedd! Very interesting.

M

--
Wishlists: http://snipurl.com/vrs9
Switch: http://browsehappy.com/
BCC?: http://snipurl.com/w6f8
My: http://del.icio.us/mhulse
Re: [PHP] MD5 bot Question
At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.) Sorry, coming in on this late. Good work Tedd! Very interesting.

M:

Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical.

However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.

As for Flash, the only problem it presents is IF it's installed, or not. But, it has pretty good saturation.

Of course, the major problem with Flash, and all this thread, is that visually impaired users can't use graphic images unless some other information accompanies it -- that's the reason for the alt attribute.

Thanks,
tedd
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.) Sorry, coming in on this late. Good work Tedd! Very interesting.
>
> M: Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical. However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.

I doubt Microsoft is using a static image repository for captchas.

Cheers,
Rob.

--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] MD5 bot Question
At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.) Sorry, coming in on this late. Good work Tedd! Very interesting.
>>
>> M: Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical. However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.
>
> I doubt Microsoft is using a static image repository for captchas.
>
> Cheers,
> Rob.

I doubt that their image repository is infinite. Plus, I envision a method where a bot could:

1. Scan the site, gather the images and key phrase.
2. MD5 the images.
3. Place all the MD5's with the associated key phrase in a dB.
4. Refresh and repeat.

With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.

It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN kitty is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.

As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.

Cheers,
tedd
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
> At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.) Sorry, coming in on this late. Good work Tedd! Very interesting.
>>>
>>> M: Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical. However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.
>>
>> I doubt Microsoft is using a static image repository for captchas.
>>
>> Cheers,
>> Rob.
>
> I doubt that their image repository is infinite. Plus, I envision a method where a bot could:
>
> 1. Scan the site, gather the images and key phrase.
> 2. MD5 the images.
> 3. Place all the MD5's with the associated key phrase in a dB.
> 4. Refresh and repeat.
>
> With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.
>
> It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN kitty is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.
>
> As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.

Hi Tedd,

Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.

Cheers,
Rob.
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
>> At 8:49 AM -0400 4/9/07, Robert Cummings wrote:
>>> On Mon, 2007-04-09 at 08:46 -0400, tedd wrote:
>>>> At 1:21 AM -0700 4/9/07, Micky Hulse wrote:
>>>>> Maybe use flash for this... harder to crack? (Of course, Flash will open door to other problems.) Sorry, coming in on this late. Good work Tedd! Very interesting.
>>>>
>>>> M: Tijnema showed how MD5 could be used to identify an image file and crack my arrow captcha. That's really what this thread was about. I finally came up with enough variations to make it impractical. However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.
>>>
>>> I doubt Microsoft is using a static image repository for captchas.
>>>
>>> Cheers,
>>> Rob.
>>
>> I doubt that their image repository is infinite. Plus, I envision a method where a bot could:
>>
>> 1. Scan the site, gather the images and key phrase.
>> 2. MD5 the images.
>> 3. Place all the MD5's with the associated key phrase in a dB.
>> 4. Refresh and repeat.
>>
>> With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.
>>
>> It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN kitty is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.
>>
>> As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.
>
> Hi Tedd,
>
> Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.
>
> Cheers,
> Rob.

And then not to mention that md5 has a limitation, and that there probably would be 2 different images, with the same MD5...

Using MD5 on the normal "write the key" CAPTCHAs isn't gonna work, they are mostly generated on the fly, and even if they weren't, then there are probably a lot of solutions, and not just 8 that I had with your arrow captcha. Those "write the key" CAPTCHAs are the best crackable with an OCR reader. But that's why they are so transformed these days. So that requires extra steps to make it readable.

I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.

Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.

Tijnema
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>
> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.

Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)

Cheers,
Rob.
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>
>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>
> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>
> Cheers,
> Rob.

But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)

Tijnema
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
> On 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>
>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>
>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>
>> Cheers,
>> Rob.
>
> But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)

Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?

Cheers,
Rob.
Re: [PHP] MD5 bot Question
On 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
>> On 4/9/07, Robert Cummings wrote:
>>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>>
>>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>>
>>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>>
>>> Cheers,
>>> Rob.
>>
>> But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)
>
> Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?
>
> Cheers,
> Rob.

Uhm, blind people can't even view your page :P I think you mean visually impaired people :)

Tijnema
Re: [PHP] MD5 bot Question
Tijnema ! wrote:
> On 4/9/07, Robert Cummings wrote:
>> On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
>>> On 4/9/07, Robert Cummings wrote:
>>>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>>>
>>>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>>>
>>>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>>>
>>>> Cheers,
>>>> Rob.
>>>
>>> But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)
>>
>> Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?
>>
>> Cheers,
>> Rob.
>
> Uhm, blind people can't even view your page :P I think you mean visually impaired people :)

Yes they can... http://www.webaim.org/articles/visual/blind.php

-Stut
Re: [PHP] MD5 bot Question
On 4/9/07, Stut wrote:
> Tijnema ! wrote:
>> On 4/9/07, Robert Cummings wrote:
>>> On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
>>>> On 4/9/07, Robert Cummings wrote:
>>>>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>>>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>>>>
>>>>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>>>>
>>>>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>>>>
>>>>> Cheers,
>>>>> Rob.
>>>>
>>>> But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)
>>>
>>> Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?
>>>
>>> Cheers,
>>> Rob.
>>
>> Uhm, blind people can't even view your page :P I think you mean visually impaired people :)
>
> Yes they can... http://www.webaim.org/articles/visual/blind.php
>
> -Stut

Interesting... Didn't know that... :)

Tijnema
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 17:28 +0200, Tijnema ! wrote:
> On 4/9/07, Stut wrote:
>> Tijnema ! wrote:
>>> On 4/9/07, Robert Cummings wrote:
>>>> On Mon, 2007-04-09 at 16:39 +0200, Tijnema ! wrote:
>>>>> On 4/9/07, Robert Cummings wrote:
>>>>>> On Mon, 2007-04-09 at 16:27 +0200, Tijnema ! wrote:
>>>>>>> I think that we can conclude that a non-crackable CAPTCHA doesn't exist, but also that there doesn't exist a real hard to crack CAPTCHA. All current CAPTCHAs can be broken quite easily. MD5 can help in some cases, but only if the CAPTCHA uses static images/audio/video/etc.
>>>>>>>
>>>>>>> Just about your Audio CAPTCHA, you could use MD5 to crack it, as the number has the same MD5 sum each time.
>>>>>>
>>>>>> Similar methods could be applied to sound as to images to distort the sound enough to make it difficult for speech recognition software to understand, but not so much that real humans couldn't understand it. At any rate, it could be enough to prevent md5 indexing... but then again, that would require the audio be mutated on each request, and enough audio be mutated to prevent md5 indexing based on partial signatures -- similar to how viruses are detected - this is especially important if using dictionary words since the sample space is so small (could always use sentences though) :)
>>>>>>
>>>>>> Cheers,
>>>>>> Rob.
>>>>>
>>>>> But well, you can't have an audio only CAPTCHA on your site, a lot of people don't have speakers on their PC. And some people can't recognize English numbers... So then you have a "write the key" CAPTCHA or similar on your site, and the cracker would use that :)
>>>>
>>>> Yep, like I said to Tedd before... kinda need multiple forms of captcha tailored to particular special needs audiences. Visual is good for pretty much all but the blind. Blind people can use audio captcha. Beyond that... is it worth the cost to target diminishing audiences?
>>>>
>>>> Cheers,
>>>> Rob.
>>>
>>> Uhm, blind people can't even view your page :P I think you mean visually impaired people :)
>>
>> Yes they can... http://www.webaim.org/articles/visual/blind.php
>>
>> -Stut
>
> Interesting... Didn't know that... :)

By blind though I meant both visually impaired and as Stut pointed out for you, completely blind :) They sort of need the same solution unless the visual impairment is minor.

Cheers,
Rob.
Re: [PHP] MD5 bot Question
At 9:58 AM -0400 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 09:45 -0400, tedd wrote:
>>>> However, this did make me wonder about the images that M$ and others are using for captchas -- like find the kitty in a set of pictures. The MD5 application could be used to identify as many pictures as any spammer would need. So, I think the MD5 method, as described in this thread, would work very well to crack those types of captchas.
>>>
>>> I doubt Microsoft is using a static image repository for captchas.
>>>
>>> Cheers,
>>> Rob.
>>
>> I doubt that their image repository is infinite. Plus, I envision a method where a bot could:
>>
>> 1. Scan the site, gather the images and key phrase.
>> 2. MD5 the images.
>> 3. Place all the MD5's with the associated key phrase in a dB.
>> 4. Refresh and repeat.
>>
>> With repeated refreshes (not attempts at trying to enter), the key phrases associated with the MD5's will build and the bot will learn.
>>
>> It works like this -- the phrase "find the kitty" or key word "kitty" will always be associated with the picture of the kitty WHEN kitty is the solution. All other key phrases/words associated with the kitty picture will eventually stack out as just background noise as data is gathered.
>>
>> As such, a bot could have a foundation at making an intelligent guess. Also, every guess (successful or not) provides even more data to be considered. The more data gathered, the better the guess.
>
> Hi Tedd,
>
> Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.
>
> Cheers,
> Rob.

Rob:

Duh -- put down the joint and stay on the subject.

We were talking about M$'s picture captcha where they show pictures and ask a question like "Pick the picture that shows a kitty" and NOT an on the fly graphic captcha. There are different types of captchas.

Cheers,
tedd
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
> At 9:58 AM -0400 4/9/07, Robert Cummings wrote:
>> Hi Tedd,
>>
>> Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe.
>>
>> Cheers,
>> Rob.
>
> Rob:
>
> Duh -- put down the joint and stay on the subject.
>
> We were talking about M$'s picture captcha where they show pictures and ask a question like "Pick the picture that shows a kitty" and NOT an on the fly graphic captcha. There are different types of captchas.

Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said.

Cheers,
Rob.
Re: [PHP] MD5 bot Question
Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote: Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. 
Finding this part and skipping it in the MD5 check would do the job. :) Tijnema
Re: [PHP] MD5 bot Question
At 1:04 PM -0400 4/9/07, Robert Cummings wrote:
> On Mon, 2007-04-09 at 12:51 -0400, tedd wrote:
>> We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas.
>
> Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said.

I'm not out to validate, or invalidate, what you said. I'm just making the point that a finite number of pictures is different than an almost infinite number of on the fly generated graphic images.

The new captcha M$ is trying is to use pictures of objects and have the user identify which are cat pictures, like so:

http://research.microsoft.com/asirra/

The web site states that it has over two million pictures of cats and dogs. This captcha requires that you simply select ALL the cat photos, leaving the dog photos unchecked. After doing so, it checks your score to allow entry.

This one is different than the first one I saw, which presented only one cat picture in several dog pictures -- I think I could break that. But, this one is more difficult.

Cheers,
tedd
--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 bot Question
At 4:19 PM -0400 4/9/07, Travis Doherty wrote: Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. Yes, that's the conclusion I came to in this experiment. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote: On 4/9/07, Travis Doherty [EMAIL PROTECTED] wrote: Robert Cummings wrote: On Mon, 2007-04-09 at 12:51 -0400, tedd wrote: At 9:58 AM -0400 4/9/07, Robert Cummings wrote: Hi Tedd, Put down the crack pipe please... captcha images are usually generated on the fly. Their image repository is 0. Their image universe is all of the permutations of an image containing all of the range of serial codes embedded in the images according to their morphing routine. I highly doubt the US Government could afford the space required to store all of the permutations. Considering the number of bytes available to a dynamically generated image, it is highly likely that the images would be capable of exhausting the entire md5 universe. Cheers, Rob. Rob: Duh -- put down the joint and stay on the subject. We were talking about M$'s picture captcha where they show pictures and ask a question like Pick the picture that shows a kitty and NOT an on the fly graphic captcha. There are different types of captchas. Ah, I see. I was too lazy to go check since I don't use Microsoft except insofar as to make things work in their crappy browser. Either way, can you verify the images are static? See if getting two kitty cats produces the same md5 signature :) Just because it's a picture doesn't invalidate what I said. Cheers, Rob. Steganography has been able to hide text in images for quite some time now. Basically you cram whatever info you want into the 'unused' or 'less used' bytes of the image. With this in mind I imagine even if you did have an image repository of only 8 images you could add some random bytes to the right spots in the image without distorting it beyond recognition/corrupting it, and therefore get a hybrid of static/on-the-fly images, that hashing couldn't break so simply. 2 cents... Travis Doherty This is exactly what tedd did in his last arrow example. 
He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :) Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 4:39 PM -0400 4/9/07, Robert Cummings wrote: On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote: This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :) Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise. Cheers, Rob. Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On 4/9/07, tedd [EMAIL PROTECTED] wrote: At 4:39 PM -0400 4/9/07, Robert Cummings wrote: On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote: This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :) Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise. Cheers, Rob. Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations. Cheers, tedd But then OCR would still work, as when somebody scans a document, there are also some not white pixels. Tijnema -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
tedd wrote: ...snip... that's the reason for the alt attribute. Thanks for clarification! :) You are doing some great work with captchas... I also really like your audio captcha experiments. Keep up the great work! Cheers, Micky -- Wishlists: http://snipurl.com/vrs9 Switch: http://browsehappy.com/ BCC?: http://snipurl.com/w6f8 My: http://del.icio.us/mhulse -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On Mon, 2007-04-09 at 17:14 -0400, tedd wrote: At 4:39 PM -0400 4/9/07, Robert Cummings wrote: On Mon, 2007-04-09 at 22:27 +0200, Tijnema ! wrote: This is exactly what tedd did in his last arrow example. He edited the header of the GIF image, and so that would result in different MD5. Finding this part and skipping it in the MD5 check would do the job. :) Yep, that's an obvious solution since it's the same way virus signatures are matched. The entire image needs some kind of permutation. Passing a couple of curved ripples across the image as a transformation, and in different directions should suffice to obfuscate the image signature without obfuscating the image itself :) Similarly watermarking the image using fractal patterns should also provide good noise. Cheers, Rob. Rob: It doesn't need to be complicated, just random placed pixels on the image from a selection of colors would provide millions of permutations. No, you're wrong. Read the part about I mentioned about virus signatures. A small portion of the whole can be used as an identifier where that portion is unique to the overall entity. For instance, I can throw a tub of tar over you, then a tub of feathers ;) ;) and if one of your fingers doesn't get covered, I can still identify your chicken ass ;) Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On 4/8/07, tedd [EMAIL PROTECTED] wrote: Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema Tijnema: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Cheers, tedd Looks interesting. It generates a different MD5 each time I'll take a deeper look at it today, and hope to find a way to crack it :) Tijnema -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On 4/8/07, Tijnema ! [EMAIL PROTECTED] wrote: On 4/8/07, tedd [EMAIL PROTECTED] wrote: Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema Tijnema: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Cheers, tedd Looks interesting. It generates a different MD5 each time I'll take a deeper look at it today, and hope to find a way to crack it :) Tijnema You can't stop me :) http://86.86.80.41/dev/debug/tedd.php It's cracked again :) and of course i show you the code: http://86.86.80.41/dev/debug/tedd.txt Waiting for your next try :P Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
hmm, why don't you md5 more then once.. for example, use a condition that will change with every visitor. like the third num in $_SERVER['REMOTE_ADDR']; or something of the sort. then make a loop.. say the third num in my ip address is 5 the person that visits after me would get my value, and say you were right before me and yours was a 7 the md5 check for me would look like md5(md5(md5(md5(md5(md5(md5($value))); and for the person right after me md5(md5(md5(md5(md5($value); this way for each visitor, a piece of the puzzle is changed. just an idea, and have no idea if it would even work for what your doing... Tijnema ! wrote: On 4/8/07, Tijnema ! [EMAIL PROTECTED] wrote: On 4/8/07, tedd [EMAIL PROTECTED] wrote: Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema Tijnema: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Cheers, tedd Looks interesting. It generates a different MD5 each time I'll take a deeper look at it today, and hope to find a way to crack it :) Tijnema You can't stop me :) http://86.86.80.41/dev/debug/tedd.php It's cracked again :) and of course i show you the code: http://86.86.80.41/dev/debug/tedd.txt Waiting for your next try :P Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
> hmm, why don't you md5 more than once.. for example, use a condition that will change with every visitor. like the third num in $_SERVER['REMOTE_ADDR']; or something of the sort. then make a loop.. say the third num in my ip address is 5 the person that visits after me would get my value, and say you were right before me and yours was a 7 the md5 check for me would look like md5(md5(md5(md5(md5(md5(md5($value))); and for the person right after me md5(md5(md5(md5(md5($value); this way for each visitor, a piece of the puzzle is changed. just an idea, and have no idea if it would even work for what you're doing...

Ugh, don't do that... it's no more differentiated than doing the following which is cleaner:

    md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above is still prone to abuse by the same server making repeat attempts, create a multi-salt system...

    $salt1 = 'YoUR SeKreT SaLT';
    $salt2 = time();
    $salt3 = uniqid();
    $md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In this way only those who know the secret salt can rebuild the md5 to check validity. Presumably you won't allow the same md5 to be used twice. The time is tracked so that you can limit validity of the salt for a period of time. So if the time on your server is more than 20 minutes ahead of the time for the submission, you can feel free to delete entries in your database since the time has expired. This allows you to not need to track all md5s ever generated. Only the last X minutes of md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.
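One way to build the token described in the message above, as an added example (not code from the thread). It assumes HMAC-SHA256 with a constant-time comparison in place of md5() over concatenated salts, and random_bytes() in place of uniqid(); the function names, the in-memory $used array standing in for the database, and the sample answers and timestamp are hypothetical.

```php
<?php
declare(strict_types=1);

const SECRET = 'replace-with-a-long-random-server-side-secret'; // plays the role of $salt1
const TTL    = 1200;                                            // 20 minutes, as in the message

// MAC over time, nonce and the expected answer; the secret never leaves the server.
function token_mac(int $time, string $nonce, string $answer): string
{
    return hash_hmac('sha256', $time . '__' . $nonce . '__' . $answer, SECRET);
}

// Values to embed in the form as hidden fields ($salt2, $salt3 and $md5 in the message).
function issue_token(string $answer, int $now): array
{
    $nonce = bin2hex(random_bytes(16));
    return [
        'time'  => (string) $now,
        'nonce' => $nonce,
        'mac'   => token_mac($now, $nonce, $answer),
    ];
}

// $used maps mac => issue time and only ever holds the last TTL seconds of tokens.
// A token is spent on its first submission, right or wrong: with eight possible
// answers, letting a client retry the same token would allow all eight to be tried.
function verify_token(array $form, string $guess, array &$used, int $now): string
{
    foreach ($used as $mac => $issued) {
        if ($now - $issued > TTL) {
            unset($used[$mac]);          // expired tokens are rejected anyway, so forget them
        }
    }

    $time  = $form['time']  ?? null;
    $nonce = $form['nonce'] ?? null;
    $mac   = $form['mac']   ?? null;
    if (!is_string($time)  || !preg_match('/^[0-9]{1,12}$/', $time)
     || !is_string($nonce) || !preg_match('/^[0-9a-f]{32}$/', $nonce)
     || !is_string($mac)   || !preg_match('/^[0-9a-f]{64}$/', $mac)) {
        return 'malformed';
    }

    $issued = (int) $time;
    if ($issued > $now || $now - $issued > TTL) {
        return 'expired';
    }
    if (isset($used[$mac])) {
        return 'replayed';
    }
    $used[$mac] = $issued;

    // A forged token and a wrong answer are indistinguishable here: both fail the MAC.
    return hash_equals(token_mac($issued, $nonce, $guess), $mac) ? 'ok' : 'wrong';
}

// Constructed demo: arrow directions as answers, fixed timestamp for repeatability.
$used = [];
$t0   = 1176000000;

$a = issue_token('NE', $t0);
echo 'wrong guess:        ', verify_token($a, 'SW', $used, $t0 + 30), "\n";
echo 'retry same token:   ', verify_token($a, 'NE', $used, $t0 + 31), "\n";

$b = issue_token('W', $t0);
echo 'correct guess:      ', verify_token($b, 'W', $used, $t0 + 60), "\n";

$c = issue_token('S', $t0);
echo 'after 20 minutes:   ', verify_token($c, 'S', $used, $t0 + TTL + 1), "\n";

$d = $c;
$d['time'] = (string) ($t0 + TTL);       // client edits the timestamp to look fresh
echo 'edited timestamp:   ', verify_token($d, 'S', $used, $t0 + TTL + 1), "\n";

echo 'tokens remembered:  ', count($used), "\n";
```

Because every submission is recorded, the store should sit behind ordinary rate limiting so that junk submissions cannot fill it within one TTL window.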
Re: [PHP] MD5 bot Question
indeed. i was just throwing out the idea of ever changing values. Robert Cummings wrote: On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote: hmm, why don't you md5 more then once.. for example, use a condition that will change with every visitor. like the third num in $_SERVER['REMOTE_ADDR']; or something of the sort. then make a loop.. say the third num in my ip address is 5 the person that visits after me would get my value, and say you were right before me and yours was a 7 the md5 check for me would look like md5(md5(md5(md5(md5(md5(md5($value))); and for the person right after me md5(md5(md5(md5(md5($value); this way for each visitor, a piece of the puzzle is changed. just an idea, and have no idea if it would even work for what your doing... Ugh, don't do that... it's no more differentiated than doing the following which is cleaner: md5( $_SERVER['REMOTE_ADDR'].$value ); The above uses the IP address as a salt. But better yet, since the above is still prone to abuse by the same server making repeat attempts, create a multi-salt system... $salt1 = 'YoUR SeKreT SaLT'; $salt2 = time(); $salt3 = uniqid(); $md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value ); Then in your form you include the value of $salt2, $salt3, and $md5. In this way only those who know the secret salt can rebuilt the md5 to check validity. Presumably you won't allow the same md5 to be used twice. The time is tracked so that you can limit validity of the salt for a period of time. So if the time on your server is more than 20 minutes ahead of the time for the submission, you can feel free delete entries ion your database since the time has expired. This allows you to not need to track all md5s ever generated. Only the last X minutes of md5s. If you implement this, Tijnema won't be able to break it. Cheers, Rob. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote: indeed. i was just throwing out the idea of ever changing values. Except IP addresses aren't ever changing ;) Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
but most people have different ones :) you could also use a random position :) fooeee. Robert Cummings wrote: On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote: indeed. i was just throwing out the idea of ever changing values. Except IP addresses aren't ever changing ;) Cheers, Rob. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 9:42 AM +0200 4/8/07, Tijnema ! wrote:
> You can't stop me :)
> http://86.86.80.41/dev/debug/tedd.php
> It's cracked again :) and of course I show you the code:
> http://86.86.80.41/dev/debug/tedd.txt
> Waiting for your next try :P

Tijnema:

I might not be able to stop you, but I am sure I can wear you out. Here's my latest:

http://sperling.com/a/arrows/

But before you spend too much time trying to figure it out, which with a HEX editor you should be able to easily discover -- this is what I did.

1. All my arrow GIF files range in size from about 500 bytes to 1.1 KB (it's not important to the solution, just a matter of range);
2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist all zeros. They don't provide any information regarding this image;
3. I simply used this area to store a single HEX number ranging from 0 to 255 DEC (HEX 0-255);
4. This gave me 11,475 different combinations for each GIF by changing a single byte in the header.

If I used two bytes in the header, then the combinations would square. If I used all available space, then the possible combinations would be 11,475 to the 255 power (if my math is right) for each GIF.

True, you could:

1. Record every MD5 of every combination for every GIF (8 x 11,475^255 different combinations) and then use those to crack this;
2. OR, simply zero out the area from DEC 64 to DEC 109 and use that.

Either case would break my code.

However, I am positive if I generated the image on the fly OR merged the image with a single randomized placement pixel I could generate an image that would be easily recognized by a human but not resolved by an MD5 solution. Remember, I could also use a jpeg file and have millions of colors to choose from.

Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong?

Cheers,
tedd

PS: I love these types of discussions

--
http://sperling.com http://ancientstones.com http://earthstones.com
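A check of the scheme in the message above, as an added example rather than tedd's code: it counts distinct MD5 values when one byte in the DEC 64 to 109 region is randomized, with and without zeroing that region before hashing, and again when a byte outside the region changes. The 600-byte buffer is a constructed stand-in (not a real GIF) and the function names are hypothetical; in a real GIF the pixel data is LZW-compressed, so pixel noise would be applied by re-encoding the image rather than by editing bytes.

```php
<?php
declare(strict_types=1);

const PAD_START = 64;    // DEC 64, from the message
const PAD_END   = 109;   // DEC 109, from the message

// Constructed stand-in for one arrow file: fixed filler with the padding region zeroed.
function sample_file(): string
{
    $bytes = '';
    for ($i = 0; $i < 600; $i++) {
        $bytes .= chr(($i * 37 + 11) % 251 + 1);
    }
    $len = PAD_END - PAD_START + 1;
    return substr_replace($bytes, str_repeat("\0", $len), PAD_START, $len);
}

// The variation described in the message: one random value somewhere in the padding.
function vary_padding(string $file): string
{
    $file[random_int(PAD_START, PAD_END)] = chr(random_int(0, 255));
    return $file;
}

// Stand-in for noise spread over the image itself: one random byte outside the padding.
function vary_body(string $file): string
{
    $file[random_int(PAD_END + 1, strlen($file) - 1)] = chr(random_int(0, 255));
    return $file;
}

// Hash with the padding region zeroed first, i.e. option 2 in the message.
function masked_md5(string $file): string
{
    $len = PAD_END - PAD_START + 1;
    return md5(substr_replace($file, str_repeat("\0", $len), PAD_START, $len));
}

// Number of distinct hash values seen over $n randomized copies of the same file.
function distinct_hashes(callable $vary, callable $hash, int $n = 2000): int
{
    $base = sample_file();
    $seen = [];
    for ($i = 0; $i < $n; $i++) {
        $seen[$hash($vary($base))] = true;
    }
    return count($seen);
}

printf("padding varied, whole-file md5:  %d distinct\n", distinct_hashes('vary_padding', 'md5'));
printf("padding varied, masked md5:      %d distinct\n", distinct_hashes('vary_padding', 'masked_md5'));
printf("body varied,    masked md5:      %d distinct\n", distinct_hashes('vary_body', 'masked_md5'));
```

The middle count is the number that matters to whoever serves the images: variation confined to a known region collapses to a single signature, while variation spread over the rest of the data does not.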
Re: [PHP] MD5 bot Question
At 12:38 AM +0100 4/8/07, Stut wrote:
> tedd wrote:
>> Okay, I think I figured out a fix -- try it again. :-)
>> http://sperling.com/a/arrows/
>> A little knowledge is a dangerous thing.
>
> Give up now, while you're still sane. Think about what you're trying to do. You're trying to do something different on the client every time, but without letting that client know something is different. It really really really can't be done. Something needs to be visually different, therefore something in what the client gets needs to be different. Do you see why it's not possible now?
>
> -Stut

-Stut:

With all due respect, I figure that you've probably forgotten more about php than I know, but sometimes people have to find out for themselves. That's what I'm doing.

However, in the past I have gone up against conventional theory and changed it. I don't think this is one of those times, but who knows? Perhaps you know better, but I don't know yet.

The way I figure it, in an image I have 72 dots per square inch -- so, in one square inch that's 5,184 places for me to store a 24 bit key. To me, that's a lot of places to hide my Easter egg -- is that not enough?

Cheers,
tedd
--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 bot Question
On 4/8/07, tedd [EMAIL PROTECTED] wrote: At 9:42 AM +0200 4/8/07, Tijnema ! wrote: You can't stop me :) http://86.86.80.41/dev/debug/tedd.php It's cracked again :) and of course i show you the code: http://86.86.80.41/dev/debug/tedd.txt Waiting for your next try :P Tijnema: I might not be able to stop you, but I am sure I can wear you out. Here's my latest: http://sperling.com/a/arrows/ But before you spend too much time tying to figure it out, which with a HEX editor you should be able to easily discover -- this is what I did. 1. All my arrow GIF files range in size from about 500 bytes to 1.1 KB (it's not important to the solution, just a matter of range); 2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist all zeros. They don't provide any information regarding this image; 3. I simply used this area to store a single HEX number ranging from 0 to 255 DEC (HEX 0-255); 4. This gave me 11,475 different combinations for each GIF by changing a single bye in the header. If I used two bytes in the header, then the combinations would square. If I used all available space, then the possible combinations would be 11,475 to the 255 power (if my math is right) for each GIF. True, you could: 1. Record every MD5 of every combination for every GIF (8 x 11,475^255 different combinations) and then use those to crack this; 2. OR, simply zero out the area from DEC 64 to DEC 109 and use that. Either case would break my code. Since you're already telling how to break, i'm not gonna break it anymore :) Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and then convert it back to GIF. That should clean up the header :) However, I am positive if I generated the image on the fly OR merged the image with a single randomized placement pixel I could generate an image that would be easily recognized by a human but not resolved by a MD5 solution. Remember, I could also use a jpeg file and have millions of colors to chose from. 
Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong? Maybe... What about OCR programs? they can read letters from images, if you could transfrom that to an program that could read arrows instead of characters. then you probably could crack it, also if you store random pixels in it. And that doesn't use massive computer resources :) That's why i wanted to go for movies, because they are a lot harder to process, but still they are processable by a bot, and so it could be cracked I don't think any of us will ever find a code that's not crackable, but the amount of time needed to crack needs to be as high as possible, so that crackers will stay away because it takes way too much time, and maybe also too much computer resources. But while doing this, it should never disturb the normal user from using your site. Cheers, tedd PS: I love these types of discussions Me too :) -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
just a few random thought on how to make it even more painful to crack. random colored borders, random border width, slight changes in width/height, random pixel noise or varying colors, animated gifs (where does the arrow stop), animated gifs (where does the red/pink/blue/green arrow point to), make the letters random with regard to character and position [and make the letters generated images them selves] that way know where the arrow is pointing is only half the solution. or may rather take this technique and combine it with std captcha such that you output an image with a stack of [freaky] letters in it and one of them has an arrow pointing at it. yadda yadda. in theory it's all crackable - but somewhere along the line the problem becomes too hard to make it worth the effort to try (unless your securing Fort Knox or something) Tijnema ! wrote: On 4/8/07, tedd [EMAIL PROTECTED] wrote: At 9:42 AM +0200 4/8/07, Tijnema ! wrote: You can't stop me :) http://86.86.80.41/dev/debug/tedd.php It's cracked again :) and of course i show you the code: http://86.86.80.41/dev/debug/tedd.txt Waiting for your next try :P Tijnema: I might not be able to stop you, but I am sure I can wear you out. Here's my latest: http://sperling.com/a/arrows/ But before you spend too much time tying to figure it out, which with a HEX editor you should be able to easily discover -- this is what I did. 1. All my arrow GIF files range in size from about 500 bytes to 1.1 KB (it's not important to the solution, just a matter of range); 2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist all zeros. They don't provide any information regarding this image; 3. I simply used this area to store a single HEX number ranging from 0 to 255 DEC (HEX 0-255); 4. This gave me 11,475 different combinations for each GIF by changing a single bye in the header. If I used two bytes in the header, then the combinations would square. 
If I used all available space, then the possible combinations would be 11,475 to the 255 power (if my math is right) for each GIF. True, you could: 1. Record every MD5 of every combination for every GIF (8 x 11,475^255 different combinations) and then use those to crack this; 2. OR, simply zero out the area from DEC 64 to DEC 109 and use that. Either case would break my code. Since you're already telling how to break, i'm not gonna break it anymore :) Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and then convert it back to GIF. That should clean up the header :) However, I am positive if I generated the image on the fly OR merged the image with a single randomized placement pixel I could generate an image that would be easily recognized by a human but not resolved by a MD5 solution. Remember, I could also use a jpeg file and have millions of colors to chose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong? Maybe... What about OCR programs? they can read letters from images, if you could transfrom that to an program that could read arrows instead of characters. then you probably could crack it, also if you store random pixels in it. And that doesn't use massive computer resources :) That's why i wanted to go for movies, because they are a lot harder to process, but still they are processable by a bot, and so it could be cracked I don't think any of us will ever find a code that's not crackable, but the amount of time needed to crack needs to be as high as possible, so that crackers will stay away because it takes way too much time, and maybe also too much computer resources. But while doing this, it should never disturb the normal user from using your site. 
Cheers, tedd PS: I love these types of discussions Me too :) -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
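The point tedd concedes above (filler bytes in an ignored region change the MD5 but not the picture) can be checked against your own challenge images before relying on them. This is an added example, not code from the thread: the "images" are constructed byte strings, and the function names are hypothetical. It assumes PHP 7 or later for `random_int()`.

```php
<?php
// Added example: constructed stand-ins for the arrow files, not real GIF data.

const PAD_FROM = 64;   // first byte of the unused region named in the post
const PAD_TO   = 109;  // last byte of that region

/** Overwrite a byte range with zeros so filler in it no longer affects a digest. */
function mask_region(string $bytes, int $from, int $to): string
{
    $len = $to - $from + 1;
    return substr_replace($bytes, str_repeat("\0", $len), $from, $len);
}

/** Fake "image": a fixed body per direction with one random byte hidden in the padding. */
function make_variant(string $direction): string
{
    $bytes = str_pad('GIF89a-arrow-' . $direction, 200, '.');
    $bytes = mask_region($bytes, PAD_FROM, PAD_TO);   // padding starts out as zeros
    $bytes[random_int(PAD_FROM, PAD_TO)] = chr(random_int(1, 255));
    return $bytes;
}

/** Count distinct MD5 digests over the served files, raw and with the padding masked. */
function fingerprint_report(array $served, int $from, int $to): array
{
    $raw = [];
    $masked = [];
    foreach ($served as $bytes) {
        $raw[md5($bytes)] = true;
        $masked[md5(mask_region($bytes, $from, $to))] = true;
    }
    return [
        'files'  => count($served),
        'raw'    => count($raw),
        'masked' => count($masked),
    ];
}

// Serve 50 randomized copies of each of the eight directions.
$directions = ['N', 'NE', 'E', 'SE', 'S', 'SW', 'W', 'NW'];
$served = [];
foreach ($directions as $direction) {
    for ($i = 0; $i < 50; $i++) {
        $served[] = make_variant($direction);
    }
}

$report = fingerprint_report($served, PAD_FROM, PAD_TO);
printf(
    "files=%d distinct raw digests=%d distinct digests after masking=%d answers=%d\n",
    $report['files'],
    $report['raw'],
    $report['masked'],
    count($directions)
);

// If the masked count equals the number of possible answers, the per-request
// variation is cosmetic: the pixels themselves have to differ for it to matter.
if ($report['masked'] === count($directions)) {
    echo "variation lives only in ignored bytes\n";
}
```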
Re: [PHP] MD5 bot Question
At 6:33 PM +0200 4/8/07, Tijnema ! wrote: On 4/8/07, tedd [EMAIL PROTECTED] wrote: Remember, I could also use a jpeg file and have millions of colors to chose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong? Maybe... What about OCR programs? they can read letters from images, if you could transfrom that to an program that could read arrows instead of characters. then you probably could crack it, also if you store random pixels in it. And that doesn't use massive computer resources :) Yes, I was excluding that -- I was dealing only with MD5 solutions. Of course, OCR-like programs can decipher and interpret an arrow. It would not be too hard to find the center of the square and then determine in which one of eight zones the majority of contrasting pixels were. I did similar stuff many years ago detecting movement by comparing frames to see what was areas in a frame were changing and then direct stepping motors to control the camera. Neat stuff. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 6:46 PM +0200 4/8/07, Jochem Maas wrote: just a few random thought on how to make it even more painful to crack. random colored borders, random border width, slight changes in width/height, random pixel noise or varying colors, animated gifs (where does the arrow stop), animated gifs (where does the red/pink/blue/green arrow point to), make the letters random with regard to character and position [and make the letters generated images them selves] that way know where the arrow is pointing is only half the solution. or may rather take this technique and combine it with std captcha such that you output an image with a stack of [freaky] letters in it and one of them has an arrow pointing at it. yadda yadda. in theory it's all crackable - but somewhere along the line the problem becomes too hard to make it worth the effort to try (unless your securing Fort Knox or something) My attempt here was only to show that a MD5 solution could become so vast that there would be no point in pursuing that avenue. As for other ways to crack this, of course there ARE other easier ways. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 4:38 AM -0700 4/8/07, benifactor wrote:
> hmm, why don't you md5 more than once..

I read somewhere that MD5'ing anything more than once does not increase security.

Cheers, tedd
-- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 bot Question
On 4/7/07, tedd [EMAIL PROTECTED] wrote: At 11:56 PM +0100 4/6/07, Tijnema ! wrote: On 4/6/07, tedd [EMAIL PROTECTED] wrote: At 2:55 PM +0100 4/6/07, Tijnema ! wrote: I know, but animated gifs are still quite easy to read with a bot. Really? What if I a created a box surrounded by letters, like so: A B C D E F G H I However, where E is located I have a gif (animated or not) pointing to a letter, which would be the key. How would a bot read that? Cheers, tedd Assuming you're using the same arrow the whole time, you could use md5 check for example. Save MD5 for all directions of the arrow and compare :) Tijnema: Okay, here's an example: http://sperling.com/a/arrows/ How would someone MD5 that? Furthermore, how would a bot decipher anything different from that? From my perspective, no matter which way the arrow is pointing, the code remains the same. The only thing that changes is the arrow and a screen reader would have to be programmed to recognize the change -- am I wrong? Cheers, tedd Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
At 10:33 PM +0200 4/7/07, Tijnema ! wrote: On 4/7/07, tedd [EMAIL PROTECTED] wrote: At 11:56 PM +0100 4/6/07, Tijnema ! wrote: On 4/6/07, tedd [EMAIL PROTECTED] wrote: At 2:55 PM +0100 4/6/07, Tijnema ! wrote: I know, but animated gifs are still quite easy to read with a bot. Really? What if I a created a box surrounded by letters, like so: A B C D E F G H I However, where E is located I have a gif (animated or not) pointing to a letter, which would be the key. How would a bot read that? Cheers, tedd Assuming you're using the same arrow the whole time, you could use md5 check for example. Save MD5 for all directions of the arrow and compare :) Tijnema: Okay, here's an example: http://sperling.com/a/arrows/ How would someone MD5 that? Furthermore, how would a bot decipher anything different from that? From my perspective, no matter which way the arrow is pointing, the code remains the same. The only thing that changes is the arrow and a screen reader would have to be programmed to recognize the change -- am I wrong? Cheers, tedd Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema Tijnema: You did more than crack it for me -- you broke my brain. Now I have to figure out what the heck is going on. It's one of those love/hate things -- on one hand a love a challenge and on the other I hate the idea that I was clueless about it. So what you did was to load in each arrow image, md5() the image file, get the results and manually match them to the solution, place that in an array, and then use those results to crack it. Damn, that's sweet! I never thought about an image file producing an unique hash string. I learn something new every day, and I'm getting damned tired of it. :-) Thanks for the education. 
Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
Well, I cracked it for you :) http://86.86.80.41/dev/debug/tedd.php At the bottom it shows you the MD5 code of your arrow image, and it shows you which way it points to :) If you're interested in the code: http://86.86.80.41/dev/debug/tedd.txt Tijnema Tijnema: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
tedd wrote: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Give up now, while you're still sane. Think about what you're trying to do. You're trying to do something different on the client every time, but without letting that client know something is different. It really really really can't be done. Something needs to be visually different, therefore something in what the client gets needs to be different. Do you see why it's not possible now? -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 bot Question
Stut wrote: tedd wrote: Okay, I think I figured out a fix -- try it again. :-) http://sperling.com/a/arrows/ A little knowledge is a dangerous thing. Give up now, while you're still sane. Think about what you're trying to do. You're trying to do something different on the client every time, but without letting that client know something is different. It really really really can't be done. Something needs to be visually different, therefore something in what the client gets needs to be different. Do you see why it's not possible now? -Stut ah, but it is possible, if he could change the color of the background and arrow on each page refresh, then it would be pretty damn hard to cache all the possible combinations of that, plus toss in a few random degrees of difference with say 3 arrows that point to the right, but one is at 90 deg's while another is at 88 and another yet at 92. This would make things almost impossible for a computer to see, but the chances of a human screwing it up would be almost impossible. Jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5
On Wed, 17 Jan 2007 15:27:27 - Ross [EMAIL PROTECTED] wrote:
> Hi,
> Does md5 really offer much in terms of protection? The algorithm is really well known. I would like to hear your thoughts and possible alternatives (mcrypt?)
> R.

It works for me. Although it is possible (theoretically) to have two strings with the same MD5, it is practically impossible to guess one ;-). You can also use sha1 if you prefer.

-- Miguel J. Jiménez, Internet/XSL Area [EMAIL PROTECTED] ISOTROL Edificio BLUENET, Avda. Isaac Newton nº3, 4th floor. Parque Tecnológico Cartuja '93, 41092 Sevilla. Telephone: 955 036 800 - Fax: 955 036 849 http://www.isotrol.com
"How many more lessons will we need in order to learn how many more lessons we will need to get it right?" Juan José Ibaretxe (13/01/2007)
Re: [PHP] md5
MD5 is a hashing algorithm.. one-way.. really only good for checking known values and keeping them 'private', like storing passwords in a database. That way, if someone breaks into your database, they don't get the passwords, only the non-reversible MD5 hashes of the passwords.

To check a user's login credentials, you take the database value for password and you compare it to md5($password) that the user entered and see if they match.

So the fact that MD5 is a well known algorithm doesn't really make a difference as far as security goes. Then again, RSA, Blowfish, etc are well known algorithms and are considered at least fairly secure too.. and are reversible.

-TG

= = = Original message = = =
> Hi,
> Does md5 really offer much in terms of protection? The algorithm is really well known. I would like to hear your thoughts and possible alternatives (mcrypt?)
> R.
Re: [PHP] md5
Ross wrote:
> Hi,
> Does md5 really offer much in terms of protection?

can you STFW? http://search.yahoo.com/search;_ylt=A0oGkkQsQ65FTlkBrTVXNyoA?p=does+md5+offer+any+protectionei=UTF-8fr=moz2x=wrt

> The algorithm is really well known.

do you work for microsoft? strength of a crypto algorithm has nothing to do with whether its definition is known or not. security through obscurity ... isn't.

> I would like to hear your thoughts and possible alternatives (mcrypt?)

an alternative might be to first STFM?: http://php.net/sha1 (also read the user notes)

> R.
Re: [PHP] md5
[EMAIL PROTECTED] wrote: MD5 is a hasing algorithm.. one-way.. really only good for checking known values and keeping them 'private', like storing passwords in a database. That way, if someone breaks into your database, they don't get the passwords, only the non-reversible MD5 hashes of the passwords. To check a user's login credentials, you take the database value for password and you compare it to md5($password) that the user entered and see if they match. So the fact that MD5 is a well known algorithm doesn't really make a difference as far as security goes. Except for the fact of the growing number of databases that will map the hashes back to the clear text (for example: http://md5.benramsey.com/) Of course it is nice because it is a common implementation, and can be done on the server side, as well as the client side. Then again, RSA, Blowfish, etc are well known algorithms and are considered at least fairly secure too.. and are reversible. -TG = = = Original message = = = Hi, Does md5 really offer much in terms of protection? The algorithm is really well known. I would like to hear your thoughts and poosible alternatives (mcrypt?) R. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5
Be warned, crypto isn't a strength of mine, so any/all of this may be total BS. Ross wrote: Does md5 really offer much in terms of protection? Depends on what you're doing with it. AFAIK, md5's weakness comes in the form of collisions - it has been cryptanalysed to the point where it is no longer reasonable for high security purposes. It is possible to create two different strings (i.e. documents, passwords) that result in identical md5 hashes. It is likely possible to find alternate passwords if the md5 is known - if a user can get a hold of your md5'ed passwords, they may be able to come up with another password that will create the same MD5 hash, thus would be capable of logging in to the system. If what you're trying to protect is reasonably sensitive, don't use it to verify that a document hasn't been tampered with, and don't use it to hash passwords though salting may help. The algorithm is really well known. IMO, that's a good thing. I'd much rather have an algorithm that is well known, well analysed and *still* secure over an unknown and untested algorithm. I would like to hear your thoughts and poosible alternatives (mcrypt?) sha1 has also been cryptanalysed but should be more secure than md5. I think sha256 is believed to be secure. PHP 5.2 seems to have a 'hash' function that can generate many atypical hashes like sha256. jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5
Still.. that has nothing to do with how well known MD5 is (so I stand by my point). All these databases are is a giant list of pre-MD5'd strings. Brute force stuff, no magic behind it that allows for reversing MD5. You could technically do that with just about any crypto or hashing system. Just happens that MD5 is one that's been focused on and more complicated systems would require exponentially more variables in what you'd have to enter.

For instance, you could do this with PGP, but I'm guessing you'd have to have at least two pass phrases and how many things go into generating the public and private keys, plus the message/file that was encrypted. So for one short text string, you could possibly have a database as large as all the MD5 projects put together... but you could potentially do the same thing. At that point it's highly prohibitive though.

I got the idea that MD5 really wasn't what he was looking for anyway, so going into detail about the security of it didn't seem fruitful. I talk too much as it is. hah

This is a good point though. MD5 isn't great security, particularly with the databases like the one you mentioned, but most of us aren't storing national security documents. As with security since the dawn of time, it's all a matter of how valuable is what you're protecting versus the cost of implementing a protection scheme. 7-11 doesn't hire secret service to protect against midnight robberies.

-TG

= = = Original message = = =
[EMAIL PROTECTED] wrote:
> So the fact that MD5 is a well known algorithm doesn't really make a difference as far as security goes.

Except for the fact of the growing number of databases that will map the hashes back to the clear text (for example: http://md5.benramsey.com/) Of course it is nice because it is a common implementation, and can be done on the server side, as well as the client side.
Re: [PHP] md5
[EMAIL PROTECTED] wrote: Still.. that has nothing to do with how well known MD5 is (so I stand by my point). Was not trying to refute your point. Just pointing something out with regards to the security of MD5 hashes, and what being well known or at least popular does for you. What you say is true...and at the end of the day locks only keep honest people out... (but something like this could be a decent way to check for strength of passwords..) -B All these databases are is a giant list of pre-MD5'd strings. Brute force stuff, no magic behind it that allows for reversing MD5. You could technically do that with just about any crypto or hashing system. Just happens that MD5 is one that's been focused on and more complicated systems would require exponentially more variables in what you'd have to enter. For instance, you could do this with PGP, but I'm guessing you'd have to have at least two pass phrases and how many things go into generating the public and private keys, plus the message/file that was encrypted. So for one short text string, you could possibly have a database as large as all the MD5 projects put together... but you could potentially do the same thing. At that point it's highly prohibitive though. I got the idea that MD5 really wasn't what he was looking for anyway, so going into detail about the security of it didn't seem fruitful. I talk too much as it is. hah This is a good point though. MD5 isn't great security, particuarly with the databases like the one you mentioned, but most of us aren't storing national security documents. As with security since the dawn of time, it's all a matter of how valuable is what you're protecting versus the cost of implementing a protection scheme. 7-11 doesn't hire secret service to protect against midnight robberies. -TG = = = Original message = = = [EMAIL PROTECTED] wrote: So the fact that MD5 is a well known algorithm doesn't really make a difference as far as security goes. 
Except for the fact of the growing number of databases that will map the hashes back to the clear text (for example: http://md5.benramsey.com/) Of course it is nice because it is a common implementation, and can be done on the server side, as well as the client side. ___ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5
At 10:40 AM -0500 1/17/07, [EMAIL PROTECTED] wrote:
> MD5 is a hashing algorithm.. one-way.. really only good for checking known values and keeping them 'private', like storing passwords in a database. That way, if someone breaks into your database, they don't get the passwords, only the non-reversible MD5 hashes of the passwords.
>
> To check a user's login credentials, you take the database value for password and you compare it to md5($password) that the user entered and see if they match.

That's also the way hackers break it, namely take the hash and use a reverse dictionary to look up the password.

While the MD5 hash is non-reversible, it produces a unique string. If people use simple passwords, then the hash is pretty simple to break. As people become more aware of how simple it is to break their passwords, their passwords will become more complex. However, reverse dictionaries will also become larger as processing speeds increase -- and the cycle continues.

So, the amount of security that MD5 provides is really dependent upon the user.

tedd
-- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] md5
Instead of hashing the password, I prefer to use the following procedure:

$user = ...
$password = ...
$hash = md5($user . $password);

Using this method, it will be very difficult to guess the password if you get the hash, because it depends also on the user name. When you are going to log in a user, you have to check the hash stored in the database against the result of applying the md5 function on the result of concatenating the user name and the password provided by the user.

if ($db_hash == md5($user . $password)) {
    // logged
} else {
    // error
}

On 1/17/07, tedd [EMAIL PROTECTED] wrote:
> That's also the way hackers break it, namely take the hash and use a reverse dictionary to look up the password.
>
> While the MD5 hash is non-reversible, it produces a unique string. If people use simple passwords, then the hash is pretty simple to break. As people become more aware of how simple it is to break their passwords, their passwords will become more complex. However, reverse dictionaries will also become larger as processing speeds increase -- and the cycle continues.
>
> So, the amount of security that MD5 provides is really dependent upon the user.

-- Regards, Oscar
Re: [PHP] md5
On Wed, 2007-01-17 at 13:51 -0500, Oscar Gosdinski wrote:
> Instead of hashing the password, I prefer to use the following procedure:
>
> $user = ...
> $password = ...
> $hash = md5($user . $password);
>
> Using this method, it will be very difficult to guess the password if you get the hash, because it depends also on the user name. When you are going to log in a user, you have to check the hash stored in the database against the result of applying the md5 function on the result of concatenating the user name and the password provided by the user.
>
> if ($db_hash == md5($user . $password)) {
>     // logged
> } else {
>     // error
> }

Yep, never a good idea to just rote md5() the password. Best to add a sprinkle of salt, that way you avoid precomputed lookups. For instance if your server ever got compromised and the attacker got your md5 passwords, if they already had a precomputed database then finding the reverse of the hash would be trivial.

Cheers, Rob.
-- InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
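The three storage schemes this thread compares, side by side, as an added example that is not code from any of the posters. The accounts, passwords and word list are constructed, the function names are hypothetical, and `password_hash()` / `password_verify()` assume PHP 5.5 or later.

```php
<?php
// Added example. All users, passwords and dictionary words are constructed.

/** Precomputed table (digest => word): built once, reusable against any unsalted md5 dump. */
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

/** Audit helper: username => recovered password for every stored digest found in the table. */
function audit(array $stored, array $table): array
{
    $hits = [];
    foreach ($stored as $user => $digest) {
        if (isset($table[$digest])) {
            $hits[$user] = $table[$digest];
        }
    }
    return $hits;
}

/** Login check against a password_hash() value; the salt and cost travel inside the hash. */
function verify_login(string $storedHash, string $candidate): bool
{
    return password_verify($candidate, $storedHash);
}

$accounts = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'x9!Lq#u2Vd'];
$table    = build_lookup(['123456', 'password', 'letmein', 'qwerty']);

// Scheme 1: md5($password). Equal passwords give equal digests, and one
// generic table applies to every account in the dump.
$plain = [];
foreach ($accounts as $user => $password) {
    $plain[$user] = md5($password);
}
echo "md5(password) resolved by the table: ";
var_export(audit($plain, $table));
echo "\n";

// Scheme 2: md5($user . $password), as proposed in the thread. The generic
// table no longer matches, because each digest also depends on the user name.
$userSalted = [];
foreach ($accounts as $user => $password) {
    $userSalted[$user] = md5($user . $password);
}
echo "md5(user . password) resolved by the table: ";
var_export(audit($userSalted, $table));
echo "\n";

// Caveat of plain concatenation: the boundary between user and password is
// not encoded, so different (user, password) pairs can hash identically.
echo "md5('ab'.'c') equals md5('a'.'bc'): ";
var_export(md5('ab' . 'c') === md5('a' . 'bc'));
echo "\n";

// Scheme 3: PHP's password API. A random salt per hash and a deliberately
// slow algorithm; two hashes of the same password do not match each other.
$h1 = password_hash('letmein', PASSWORD_DEFAULT);
$h2 = password_hash('letmein', PASSWORD_DEFAULT);
echo "two password_hash() values for one password are equal: ";
var_export($h1 === $h2);
echo "\nboth still verify: ";
var_export(verify_login($h1, 'letmein') && verify_login($h2, 'letmein'));
echo "\nwrong password verifies: ";
var_export(verify_login($h1, 'letmeout'));
echo "\n";
```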
Re: [PHP] md5 passwords to db
On Thu, 17 Feb 2005 11:33:45 +0200, William Stokes [EMAIL PROTECTED] wrote:
> Hello, I need to make a script/form that can create username and md5 password and save the info to mysql db.

You can use: http://www.php.net/md5 to make MD5 hashes from strings, or you can just set the format of the database field to MD5, which IIRC will automagically store whatever's assigned to it as an MD5 hash.

-- AdamT
Justify my text? I'm sorry, but it has no excuse.
Re: [PHP] MD5 Hashing Comparison
On Sat, Nov 20, 2004 at 05:49:04PM -0500, Gregori Halsiber wrote:
> Hi, I'm trying to write a md5 hash to auth users... And before I get flamed about md5 not being a crypt system but a hashing system I know... Security is not a problem.. I'm trying to build a standalone Message Update Center intranet with PHP
>
> The problem I'm having is comparing a user inputted word or passphrase and comparing the code to the hash on a mysql database
>
> here's the code
>
> <?php
> // connect to database
> $connection = mysql_connect("localhost","root");
> mysql_select_db("forum");
> $result = mysql_query('Select username, password from users');

Right here, why not do:

// escape the submitted name before interpolating it into the SQL string
$username = mysql_real_escape_string($_POST['givenuser']);
$result = mysql_query("Select password from users where username='$username'");

That way you don't have to go through the loop for every user in the users table.

> while($row = mysql_fetch_array($result, MYSQL_ASSOC))
> { // start while fetch loop

// This is now guaranteed:

> if($_POST['givenuser'] == $row['username'])
> { // Begin user check
> if( md5($_POST['givenpassword']) == $row['password'] )
> print("Welcome!");
> // The problem I'm having is the comparisons are not accurate.
> // If I display --- print(md5($_POST['givenpassword']);
> // and $row['password'] to the browser all 32 char are identical

// No longer needed

> } // end user check
> } // end while fetch loop
> ?>
>
> Any Ideas at all? I was thinking that there could be some sort of WHITESPACE problem in the hashing of the passed var givenpassword

How is 'password' defined in the 'users' table? Is it a char(32) or a varchar(32)? I would suspect a whitespace issue. Try rtrim on the password.

if( md5($_POST['givenpassword']) == rtrim($row['password']) )

> or possibly a problem with a weird floating point calculation at the comparison level? thanks in advance

-- Jim Kaufman Linux Evangelist public key 0x6D802619
Re: [PHP] MD5 Hashing Comparison
On Sat, 20 Nov 2004 17:49:04 -0500, Gregori Halsiber [EMAIL PROTECTED] wrote:
> Hi, I'm trying to write a md5 hash to auth users... And before I get flamed about md5 not being a crypt system but a hashing system I know... Security is not a problem.. I'm trying to build a standalone Message Update Center intranet with PHP
>
> The problem I'm having is comparing a user inputted word or passphrase and comparing the code to the hash on a mysql database
>
> here's the code
>
> <?php
> // connect to database
> $connection = mysql_connect("localhost","root");
> mysql_select_db("forum");
> $result = mysql_query('Select username, password from users');
> while($row = mysql_fetch_array($result, MYSQL_ASSOC))
> { // start while fetch loop
> if($_POST['givenuser'] == $row['username'])
> { // Begin user check
> if( md5($_POST['givenpassword']) == $row['password'] )
> print("Welcome!");
> // The problem I'm having is the comparisons are not accurate.
> // If I display --- print(md5($_POST['givenpassword']);
> // and $row['password'] to the browser all 32 char are identical
> } // end user check
> } // end while fetch loop

$connection = mysql_connect("localhost","root");
mysql_select_db("forum");
// match user name and password hash in one query; the user name is escaped first
$result = mysql_query('
    SELECT 1 FROM `users`
    WHERE `username` = \'' . mysql_real_escape_string($_POST['givenuser']) . '\'
    AND `password` = \'' . md5($_POST['givenpassword']) . '\'');
if(mysql_num_rows($result)) print 'Welcome!';

-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ http://www.smempire.org
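The lookup and comparison discussed in this thread, written with a bound parameter and a byte-level diagnostic for the "all 32 chars look identical in the browser" symptom. This is an added example, not code from either reply: it keeps the thread's `users.username` / `users.password` (MD5 hex) layout only to mirror the question, uses PDO with an in-memory SQLite database as a stand-in for MySQL (assumes the pdo_sqlite extension and PHP 7.1 or later), and all rows and function names are constructed. The `mysql_*` functions used in the thread were removed in PHP 7.

```php
<?php
// Added example. Rows, database and function names are constructed for the demo.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    $insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $insert->execute(['alice', md5('correct horse')]);
    // Simulates a hash that picked up a trailing newline when it was loaded.
    $insert->execute(['bob', md5('hunter2') . "\n"]);
    return $db;
}

/** Fetch one row by user name; the value is bound, never spliced into the SQL text. */
function fetch_stored_hash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

/** Compare after trimming stray whitespace, with a constant-time string comparison. */
function check_login(PDO $db, string $username, string $password): bool
{
    $stored = fetch_stored_hash($db, $username);
    if ($stored === null) {
        return false;
    }
    return hash_equals(strtolower(trim($stored)), md5($password));
}

/** Show what a browser hides: length and hex of the final bytes of each value. */
function explain_mismatch(string $stored, string $computed): string
{
    return sprintf(
        'stored: len=%d tail=%s | computed: len=%d tail=%s',
        strlen($stored),
        bin2hex(substr($stored, -2)),
        strlen($computed),
        bin2hex(substr($computed, -2))
    );
}

$db = open_demo_db();

// A naive == against the raw column value fails for bob although the digits match.
$rawBob = fetch_stored_hash($db, 'bob');
echo "naive comparison for bob: ";
var_export($rawBob == md5('hunter2'));
echo "\n" . explain_mismatch($rawBob, md5('hunter2')) . "\n";

echo "check_login(alice, right password): ";
var_export(check_login($db, 'alice', 'correct horse'));
echo "\ncheck_login(bob, right password): ";
var_export(check_login($db, 'bob', 'hunter2'));
echo "\ncheck_login(bob, wrong password): ";
var_export(check_login($db, 'bob', 'hunter3'));

// Quote characters in the user name are data to the bound parameter, not SQL.
echo "\ncheck_login with quotes in the user name: ";
var_export(check_login($db, "' OR '1'='1", 'anything'));
echo "\n";
```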
Re: [PHP] md5() with rand() || Strange results, need help....
It doesn't appear to be cookie settings either, nor auto-fill in. I do not have auto-complete running; when I log in under an affected users account, the stored md5($plain_password) does not match the submitted md5($plain_password). Could it be perhaps that md5() works differently with integers vs. a text string? God knows at this point, --Noah Travis Low [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Besides checking the browser cookie settings, have one of the affected users turn off the auto-fill form feature, then tell the browser to forget all saved form information. Let us know what happens. cheers, Travis CF High wrote: Re: the browser track, it looks like all adversely affected users; i.e. those who can no longer log in, have a browser of I.E. 6.0. I know that in many cases I.E. 6.0 has session and cookie vars disabled by default. Is it possible, a long, long shot, that rand() behaves differently in I.E. 6.0 -- I know PHP is server side, but I'm looking for any clues --Noah John W. Holmes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] CF High wrote: If anyone has any clues as to what might be happening; i.e. why the md5'd submitted plain text password does not match the stored md5'd password, please, please let me know. md5() results in a 32 character string. What kind of field are you storing it in? -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- Travis Low mailto:[EMAIL PROTECTED] http://www.dawnstar.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() with rand() || Strange results, need help....
* Thus wrote CF High ([EMAIL PROTECTED]):
> $username = strip_illegals($_POST['email']);
> $plain_pass = rand();
> $password = md5($plain_pass);
>
> I then insert their login info into our member's table. Unexpectedly, when users attempt to login no matching record is found.

Are you sending them the $plain_pass or $password?

> Their login submits two post fields (username password):
>
> $username = trim(strtolower($_POST['username']));
> $password = trim(strtolower($_POST['password']));
> $password = md5($password);
>
> The username matches, but the password does not -- I've echoed the md5'd submitted password; maddeningly, it doesn't match.

Otherwise I'm reading this to say your system is evaluating md5('foo') != md5('foo') as being true.

Curt
-- I used to think I was indecisive, but now I'm not so sure.
Re: [PHP] md5() with rand() || Strange results, need help....
They're receiving the $plain_pass.

$plain_pass is md5'd on login submit, so we should get md5($plain_pass) = db stored md5'd($plain_pass).

Makes no sense at all. Got a couple hundred emails in my inbox from users not able to login -- I'm basically screwed ;--(

--Noah

Curt Zirzow [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> * Thus wrote CF High ([EMAIL PROTECTED]):
> > $username = strip_illegals($_POST['email']);
> > $plain_pass = rand();
> > $password = md5($plain_pass);
> >
> > I then insert their login info into our member's table. Unexpectedly, when users attempt to login no matching record is found.
>
> Are you sending them the $plain_pass or $password?
>
> > Their login submits two post fields (username password):
> >
> > $username = trim(strtolower($_POST['username']));
> > $password = trim(strtolower($_POST['password']));
> > $password = md5($password);
> >
> > The username matches, but the password does not -- I've echoed the md5'd submitted password; maddeningly, it doesn't match.
>
> Otherwise I'm reading this to say your system is evaluating md5('foo') != md5('foo') as being true.
>
> Curt
> -- I used to think I was indecisive, but now I'm not so sure.
Re: [PHP] md5() with rand() || Strange results, need help....
CF High wrote: If anyone has any clues as to what might be happening; i.e. why the md5'd submitted plain text password does not match the stored md5'd password, please, please let me know. md5() results in a 32 character string. What kind of field are you storing it in? -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() with rand() || Strange results, need help....
password field is char (32) Strange that the usernames are all properly set to the submitted email address, but the password is not properly updated. Correct me if I'm wrong here, but $plain_pass = rand(); /* plain pass should be a random # */ md5($plain_pass); /* plain pass is a random # here and not another call to rand() */ I went ahead and created a test user account for myself -- no problem at all. Received the login email, and logged in fine with the generated test user username password. Perhaps it's a browser issue -- I am completely clueless at this point these hockey fanatics are filling up my admin inbox. --Noah John W. Holmes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] CF High wrote: If anyone has any clues as to what might be happening; i.e. why the md5'd submitted plain text password does not match the stored md5'd password, please, please let me know. md5() results in a 32 character string. What kind of field are you storing it in? -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() with rand() || Strange results, need help....
Re: the browser track, it looks like all adversely affected users; i.e. those who can no longer log in, have a browser of I.E. 6.0. I know that in many cases I.E. 6.0 has session and cookie vars disabled by default. Is it possible, a long, long shot, that rand() behaves differently in I.E. 6.0 -- I know PHP is server side, but I'm looking for any clues --Noah John W. Holmes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] CF High wrote: If anyone has any clues as to what might be happening; i.e. why the md5'd submitted plain text password does not match the stored md5'd password, please, please let me know. md5() results in a 32 character string. What kind of field are you storing it in? -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() with rand() || Strange results, need help....
Besides checking the browser cookie settings, have one of the affected users turn off the auto-fill form feature, then tell the browser to forget all saved form information. Let us know what happens. cheers, Travis CF High wrote: Re: the browser track, it looks like all adversely affected users; i.e. those who can no longer log in, have a browser of I.E. 6.0. I know that in many cases I.E. 6.0 has session and cookie vars disabled by default. Is it possible, a long, long shot, that rand() behaves differently in I.E. 6.0 -- I know PHP is server side, but I'm looking for any clues --Noah John W. Holmes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] CF High wrote: If anyone has any clues as to what might be happening; i.e. why the md5'd submitted plain text password does not match the stored md5'd password, please, please let me know. md5() results in a 32 character string. What kind of field are you storing it in? -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- Travis Low mailto:[EMAIL PROTECTED] http://www.dawnstar.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() and string-length?
It's always a 32 character string. http://us4.php.net/manual/en/function.md5.php

-Peter

On Fri, 2004-01-09 at 11:30, Michael Müller wrote: Hi, is anybody here who knows the max_length of a string which is encoded by md5()? thx, Michael Berlin, Germany
Re: [PHP] md5() and string-length?
mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique) Michael
Re: [PHP] md5() and string-length?
On Fri, 2004-01-09 at 10:29, Michael Müller wrote: mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique)

I don't think there is a limit, theoretically. In practice you might have other constraints that make very large input impractical.

- Brad
Re: [PHP] md5() and string-length?
On Saturday 10 January 2004 01:29, Michael Müller wrote: mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique)

Basically, as long as you like (within memory constraints).

-- Jason Wong - Gremlins Associates - www.gremlins.biz
RE: [PHP] md5() and string-length?
No limit for the input string

-Original Message-
From: Michael Müller [mailto:[EMAIL PROTECTED]
Sent: Friday, January 9, 2004 18:29
To: [EMAIL PROTECTED]
Subject: Re: [PHP] md5() and string-length?

mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique) Michael
Re: [PHP] md5() and string-length?
mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique)

In theory, you are limited by the fact that the MD5 message digest is 128 bits long, so collisions are /possible/, but not /probable/. In practice, you should be able to throw any two large pieces of text at MD5 and wind up with different hashes every time. Which is to say...

[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit fingerprint or message digest of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.
- http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

- michal migurski - contact info and pgp key: sf/ca http://mike.teczno.com/contact.html
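An added example (not from any poster in this thread) of the point in the message above: md5() returns 32 hex characters whatever the input length, so distinct inputs must share digests. It shortens the digest to 16, 24 and 32 bits so that collisions become cheap enough to find; truncated_md5() and find_truncated_collision() are hypothetical names and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical.

/** First $bits bits of md5($msg) as hex ($bits must be a multiple of 4). */
function truncated_md5(string $msg, int $bits): string
{
    return substr(md5($msg), 0, intdiv($bits, 4));
}

/**
 * Birthday search: hash distinct inputs until two share a truncated digest.
 * Returns [inputA, inputB, digest, attempts].
 */
function find_truncated_collision(int $bits): array
{
    $seen = [];
    for ($i = 0; ; $i++) {
        $msg = "message-$i";              // constructed, distinct inputs
        $d = truncated_md5($msg, $bits);
        if (isset($seen[$d])) {
            return [$seen[$d], $msg, $d, $i + 1];
        }
        $seen[$d] = $msg;
    }
}

// The digest length is fixed no matter how long the input is.
foreach ([0, 1, 1000, 1000000] as $len) {
    $digest = md5(str_repeat('a', $len));
    printf("input %7d bytes -> digest %d hex chars\n", $len, strlen($digest));
}

// Collisions appear after roughly 2^(bits/2) inputs, not 2^bits.
foreach ([16, 24, 32] as $bits) {
    [$a, $b, $d, $n] = find_truncated_collision($bits);
    printf("%2d bits: %s and %s both give %s after %d inputs (2^(bits/2) = %d)\n",
        $bits, $a, $b, $d, $n, 2 ** intdiv($bits, 2));
}

// By this generic method an ideal 128-bit digest needs about 2^64 inputs.
// MD5 falls short of that ideal: practical collision attacks against it
// have been public since 2004.
```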
Re: [PHP] md5() and string-length?
Sorry my bad; I read your post but I didn't understand it fully. I agree with the others; there is no theoretical limit (only physical like available memory, disk space, etc.) to the size of a string which you can pass to the md5() function.

-Pete

On Fri, 2004-01-09 at 12:29, Michael Müller wrote: mhm, I think there was a misunderstanding ;) I want to know, how long the input-string could be (so that the encoded strings, that you get, are unique) Michael
Re: [PHP] MD5 System Password check with PHP
First store the password in the DB as

    $passwd=md5($passwd)
    insert into table values( $passwd);

get the user password and check by comparing

    if(md5($password)==$fetchedpasswdfromDB) { ... }

-murugesan

- Original Message -
From: Chinmoy Barua [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 11:34 AM
Subject: [PHP] MD5 System Password check with PHP

Hello everybody, I want to authenticate my user from web with PHP script. The user's passwords are stored in System as MD5 format (in /etc/shadow). Can anybody help me? - Chinmoy
Re: [PHP] MD5 System Password check with PHP
On Tuesday, August 26, 2003, at 04:04 PM, Chinmoy Barua wrote: Hello everybody, I want to authenticate my user from web with PHP script. The user's passwords are stored in System as MD5 format (in /etc/shadow). Can anybody help me?

Which part do you want help with? The form? The SQL query? The whole lot? My guess is the query

    $sql = "SELECT id FROM users WHERE username='{$_POST['username']}' AND password='" . md5($_GET['password']) . "'";

It (MD5) can also be done directly in the query as a MySQL function.

Justin
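An added example, not code from anyone in this thread: entries in /etc/shadow that use MD5 are in the salted MD5-crypt form `$1$salt$hash`, which a plain md5() of the password does not reproduce, so the check goes through crypt() with the stored value as the salt argument, and the username is bound as a query parameter instead of being interpolated into the SQL string. It assumes the pdo_sqlite extension for a throwaway in-memory table; the table, accounts and password are constructed, and verify_md5_crypt() and login() are hypothetical helpers.

```php
<?php
declare(strict_types=1);

// Added illustration. Table/column names, accounts and the password are
// constructed; verify_md5_crypt() and login() are hypothetical helpers.

/** Check a password against a shadow-style "$1$salt$hash" (MD5-crypt) field. */
function verify_md5_crypt(string $password, string $stored): bool
{
    // Locked or empty entries ("!", "*", "!!...") and other schemes fail here.
    if (!preg_match('#^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$#', $stored)) {
        return false;
    }
    // crypt() reads scheme and salt from the stored value and recomputes;
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

function login(PDO $db, string $username, string $password): bool
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT pw FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && verify_md5_crypt($password, $stored);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$hash = crypt('correct horse', '$1$Qx3fYk2p$');     // constructed sample entry
$ins->execute(['alice', $hash]);
$ins->execute(['locked', '!' . $hash]);             // "!" marks a locked account

var_dump(md5('correct horse') === $hash);           // plain md5() vs. crypt form
var_dump(login($db, 'alice', 'correct horse'));     // right password
var_dump(login($db, 'alice', 'wrong'));             // wrong password
var_dump(login($db, 'locked', 'correct horse'));    // locked entry
var_dump(login($db, "o'brien", 'x'));               // quote is data, not SQL
```

Reading the real /etc/shadow requires root, which a web server process normally does not have, so the sketch starts from the point where the stored field is already available to the script.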
Re: [PHP] MD5 System Password check with PHP
Quoting Justin French [EMAIL PROTECTED]: On Tuesday, August 26, 2003, at 04:04 PM, Chinmoy Barua wrote: Hello everybody, I want to authenticate my user from web with PHP script. The user's passwords are stored in System as MD5 format (in /etc/shadow). Can anybody help me? See http://www.zend.com/zend/tut/authentication.php -- Burhan phplist[at]meidomus[dot]com http://www.meidomus.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 System Password check with PHP
Burhan,

Please try to quote the right person when replying to a thread -- your message was, I assume, intended for Chinmoy Barua, not me. It saves confusion, and keeps the thread more useful and easier to follow.

Thanks, Justin French

On Tuesday, August 26, 2003, at 04:17 PM, Burhan wrote: Quoting Justin French [EMAIL PROTECTED]: On Tuesday, August 26, 2003, at 04:04 PM, Chinmoy Barua wrote: Hello everybody, I want to authenticate my user from web with PHP script. The user's passwords are stored in System as MD5 format (in /etc/shadow). Can anybody help me? See http://www.zend.com/zend/tut/authentication.php -- Burhan
Re: [PHP] MD5 System Password check with PHP
Quoting Justin French [EMAIL PROTECTED]: Burhan, Please try to quote the right person when replying to a thread -- your messages was, I assume, intended for Chinmoy Barua, not me. It saves confusion, and keeps the thread more useful and easier to follow. My apologies Justin, I realized that when you pointed it out :( -- Burhan phplist[at]meidomus[dot]com http://www.meidomus.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 in PHP and MD5 in Perl dont match up.
In PHP..

    $data = "Cheese\n";    <- trailing newline char

Steven Carr wrote:

Hello All, I'm having trouble with compatibility between MD5 Digest in Perl and in PHP. They don't give the same results.

Perl

    #!/usr/local/bin/perl
    use strict;
    use Digest::MD5 ();
    my $to_be_hashed = "Cheese";
    my ($hash) = Digest::MD5->md5_hex($to_be_hashed);
    print "to_be_hashed : '$to_be_hashed' P\n";
    print "hash : '$hash' P\n";

Gives

    to_be_hashed : 'Cheese' P
    hash : '0a2a1678f4189d19a08396d9af56b4bb' P

In PHP..

    $data = "Cheese\n";
    print "Data: '$data' P\n";
    $new_hash = md5($data);
    print "RE HASH ' $new_hash ' P\n";

Gives

    Data: 'Cheese ' RE HASH ' c69f543f8f2ab31d5b8f148f55b56c56 '

I also tried a command line of

    echo -n 'Cheese' | md5sum

Which gives me the same hash as Perl. PHP seems to give me different results. Any Ideas what I am doing wrong? Has anyone else experienced this?

Many Thanks in advance, Steven Carr.
-- Steven Carr, ISP Engineering, [EMAIL PROTECTED]
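An added example, not from any poster: md5() of identical bytes is always identical, so when two digests disagree the inputs differ somewhere, and the quickest check is to find the first differing byte. It covers the trailing newline in this thread and the trim(strtolower()) step applied to the submitted password in the earlier login thread; explain_mismatch() is a hypothetical helper and the sample strings are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; explain_mismatch() is a hypothetical helper and the
// sample strings are constructed.

/** Describe why two inputs hash differently by locating the first differing byte. */
function explain_mismatch(string $a, string $b): string
{
    if ($a === $b) {
        return 'inputs are byte-identical; digests match: ' . md5($a);
    }
    $n = min(strlen($a), strlen($b));
    $i = 0;
    while ($i < $n && $a[$i] === $b[$i]) {
        $i++;
    }
    // Byte at the first differing offset, or a marker if one input ended.
    $show = fn(string $s): string => $i < strlen($s)
        ? sprintf('0x%02x', ord($s[$i]))
        : 'end of input';
    return sprintf(
        "first difference at byte %d: %s vs %s\n"
        . "  a = %s (%d bytes) md5 %s\n"
        . "  b = %s (%d bytes) md5 %s",
        $i, $show($a), $show($b),
        bin2hex($a), strlen($a), md5($a),
        bin2hex($b), strlen($b), md5($b)
    );
}

// Perl/PHP thread: a trailing "\n" is one extra byte (0x0a) in the input.
echo explain_mismatch('Cheese', "Cheese\n"), "\n\n";

// Login thread: the form handler lowercases and trims the submitted password
// before hashing. A value that this transformation changes no longer hashes
// to what was stored at signup.
$issued = 'Xk9 ';                                // constructed sample password
echo explain_mismatch($issued, trim(strtolower($issued))), "\n\n";

// rand() yields digits only, so the same transformation leaves it unchanged.
$numeric = (string) rand();
echo explain_mismatch($numeric, trim(strtolower($numeric))), "\n";
```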