
November Meeting
Due to bad planning, we'll be getting together on the third Wednesday this month, so that's 2013-11-20. See ya then! 
Sept. Meeting on hold
Going to be holding off on this month's little get together thanks to some untimely manufacturer defects and user error with the human body. Keep an eye out for updates here and @DC949Meetings on the twitter. 
August meeting pushed back.
Due to some unforeseen circumstances, this month's get together is being postponed by a week, so that's August 21. Shoot an email to sintax_error [at] dc949 [dot] org for info.
Meeting Schedule Update
Due to ever changing schedules, we're going to the second Wednesday of the month, same time, same place, different day. Come by, have a drink, let's talk. 
Stiltwalker v3
We released v3 of Stiltwalker on Wed. which defeats the system they deployed earlier this week.  Humans seem to be able to get between 25% and 50% accuracy with this version, and we've got that beat.  So head on over to the stiltwalker page, download it and see if you can beat the machine.
Stiltwalker vs reCAPTCHA: Round 2
If you recall, Google pulled some fantastic timing last month when they pushed a new version of reCAPTCHA just prior to our talk at LayerOne.
The only problem is, the version they pushed out was basically unusable to humans, and prompted a good amount of complaints.

Cut to earlier this week, Google pushed another new version of their audio reCAPTCHA service.
Good! This version is undoubtedly easy for humans to use, and hard to solve with computers, right?

Nope.

It's even easier to beat than the versions it replaces.

They moved from a lexicon of 58 words, to one of only 10. The numbers 0-9. (Those of you playing at home may remember this is not the first time they have done this.)
The background noise was changed from dynamic sounds to a steady static, easy to remove.

But, ultimately, we used the EXACT same methodology to defeat this version, as the last version.

This time around, Stiltwalker has an accuracy of 60.95%. This is lower than last time since we decided to hang up our perfectionist hats for the time being.
The technical information, as well as the working (for now!) downloads are on the Stiltwalker project page.

UPDATE:
Sometime today (6/1/2012) reCAPTCHA was rolled back to the previous, and almost unusable (by humans anyway...) version.

Stiltwalker release
The time has come to reveal Codename Stiltwalker.

Stiltwalker is a proof of concept tool that defeats Google's reCAPTCHA with an insanely high accuracy (99%).
We are releasing all of our research, code, tools and examples used in the reCAPTCHA domination.
You can start that process here.

We accomplished this with a combination of Machine Learning, hashing methods, keyspace reduction tactics, and taking advantage of an overall limited number of captchas. Specifically, Stiltwalker goes head to head against reCAPTCHA's audio captcha system and defeats all but a sliver of its challenges.

In addition to the code release above, a video of our talk at this year's LayerOne conference will be posted later. Detailed within will be the concepts and methodologies used in Stiltwalker, fully explained.

For all questions, comments, and fuckyous, please email the team at stiltwalker@dc949.org

FOOTNOTE:

In the hours before our presentation, Google pushed a new version of reCAPTCHA, which fully nerfs our attack.

Well Played. The Game is on.

New Meeting Schedule
Meetings have moved to the second Saturday of every month in Huntington Beach.
Projects abound
We've been busy updating the skynet scripts to be more user friendly, work more smoothly on the N900, automatically handle a few small driver specific quirks (e.g. setting the channel on an interface in monitor mode so injection will work).  If you'd like to help us test out the changes or improve support for whatever chipset is in your card, just e-mail me (adam).

There's also another major project we're working on, and if we can accomplish the things we expect, we'll be talking about it at an upcoming con. It's not exactly an 0-day in the traditional sense, but it'll be fun nonetheless. Tool release is expected as well. Will post back again when we're a little further along in our research. The target will remain unnamed for now, but I promise you that you use this company's product on a daily basis.
Meeting March 13 2012
Meeting moves to Huntington Beach location (16241 Beach Blvd. Huntington Beach CA) at 1900. We'll see you there.
Shmoocon 2012
There's no 4ft snow storm planned this year, but perhaps the snow Gods will change their mind and bless us with skylight breaking fun. Either way, the 949 crew will be there and in full effect. If you've already printed out a lame, stock barcode, then you need to print out another one and make it more awesome. Seriously, Barcode Shmarcode isn't a difficult contest, it's actually a lot of fun, and the prizes are no joke (e.g. free admission to next Shmoocon). So hack together a novel barcode and stop by our table after registration.