Re: Audio CAPTCHA review request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Not bad. Seems to work nicely.  No "OMGWTF!" obvious slips like naming the MP3 with the digits the user needs to enter.

Worked fine in Firefox 1.5 too. Sometimes when audio is embedded in a page, it tries to load Windows Media Player or something which doesn't always work well in Firefox without some tweaking.  But your implementation worked fine without any weirdness.

Now.. on to the criticism.  Keeping in mind, you're welcome to use whatever you want to use and exercises like this are always good for the practice and experience if anything else.  Also, some of this is my opinion which you're welcome to ignore.

1. My biggest fear when relying on an audio CAPTCHA system is if the users doesn't have sound.  No speakers, or can't play stuff at the office or something like that.  I keep my system muted at work unless I'm playing music because some websites have dumb little flash things that make sounds and I don't feel like explaining what I'm surfing to my coworkers constantly.  And just out of a general courtesy to them not to create undue distractions in the office.

2. What you've created is a relatively simplistic audio captcha that HAS to be really succeptible to speech recognition.  Spammers have gotten used to visual CAPTHCA so maybe they're not going to focus too much on detecting and breaking audio CAPTCHA, but that still comes down to "security through obscurity" which isn't a good practice.

Here's some open source Linux-based speech recognition software that could be used to turn your audio into the proper digits:

http://freespeech.sourceforge.net/
http://cmusphinx.sourceforge.net/html/cmusphinx.php

Once they had the software set up. Then they just have to fake the "Speak Key" submit and grab the "tmp/access.mp3?##########" out of phone.php (submitting proper cookie/session data) and that's it.

In the couple minutes I took to search for some examples, I found some interesting links:

PWNtcha - http://sam.zoy.org/pwntcha/ - CAPTCHA defeating project.  Focused on image captcha, but they give examples of different systems and which ones are hard and which ones are easy to break. WARNING: One of the images used is NSFW, but it's kind of subtle. I didn't notice it at first.  So make sure nobody's looking over your shoulder first lookover.  It's more than 1/2way down the page and I think the rest of the data on the page is worth the risk.

W3C's recommendations for alternatives to visual CAPTCHA/turing tests:
http://www.w3.org/TR/turingtest/

And because you can't do anything on the internet without bumping into adult material. Don't worry, this is safe... no pics or bad words, just an article about using porn sites to break visual CAPTCHA.  The spambots would take your visual CAPTCHA images and post it to their site which offers users free porn if they pass the CAPTCHA. And there's no lack of people wanting free porn so sounds like it was fairly effective:
http://www.boingboing.net/2004/01/27/solving_and_creating.html

It's definitely an interesting field.   I think using the common sense techniques you (tedd) have used combined with a better CAPTCHA method, you could actually create something fairly user friendly and secure.

My vote is still for asking a person to identify images.  A bot is going to have a hard time identifying a pig that's photo'd from an odd angle and maybe colored blue instead of a standard pig-color.

Oh wait.. someone's working on breaking that kind of CAPTCHA too.  Again using regular humans.  Apparently The ESP Game is based on the concept of breaking this kind of CAPTCHA.  Post the images and have people fill in key words that help classify the image.   So that blue pig might end up in a database labeled as "blue" and "pig" and "farm" or something anyway.

http://www.espgame.org/

There's no winning. hah

-TG

= = = Original message = = =

Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security, 
etc.), I would appreciate it.

The point is to be able to get to the "Congratulations" page by 
hearing and entering the key. If you can get there some other way or 
defeat the process, I sure would like to know about it.

I've tested this with a couple of dozen blind users and they find no 
problems with it. Now, I'll like to test it for the sighted.

It's mixture of a several languages, but there is php in it, so I 
guess it's on topic.

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux