tg:
At 2:36 PM -0400 3/29/07, <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote:
1. My biggest fear when relying on an audio CAPTCHA system is if the
user doesn't have sound. No speakers, or can't play stuff at the
office or something like that. I keep my system muted at work
unless I'm playing music because some websites have dumb little
flash things that make sounds and I don't feel like explaining what
I'm surfing to my coworkers constantly. And just out of a general
courtesy to them not to create undue distractions in the office.
Yes, but this is just the Audio part -- more to follow.
2. What you've created is a relatively simplistic audio captcha that
HAS to be really susceptible to speech recognition. Spammers have
gotten used to visual CAPTCHA so maybe they're not going to focus
too much on detecting and breaking audio CAPTCHA, but that still
comes down to "security through obscurity" which isn't a good
practice.
There isn't any good practice here -- it's all just an attempt to do
"the best the media will permit".
Once they had the software set up, they'd just have to fake the
"Speak Key" submit and grab the "tmp/access.mp3?##########" out of
phone.php (submitting proper cookie/session data) and that's it.
Two things:
1. There's no cookie data -- how does one access session data? I
thought outside of the sessionID, you couldn't -- am I wrong?
2. I might be able to generate a sound file that can be accessed only
once. In other words, once you grab the file it's not there for a
second look (like is light a wave or particle thing). Now, put that
together with a hidden token in the form that accompanies the key,
then even typing the correct key wouldn't work unless it was
submitted via the form and not injected. I have to think about the
logic here -- but this is just off the top of my head.
And because you can't do anything on the internet without bumping
into adult material: don't worry, this is safe... no pics or bad
words, just an article about using porn sites to break visual
CAPTCHA. The spambots would take your visual CAPTCHA images and
post it to their site which offers users free porn if they pass the
CAPTCHA. And there's no lack of people wanting free porn so sounds
like it was fairly effective:
http://www.boingboing.net/2004/01/27/solving_and_creating.html
Now that is clever. However, I am having difficulty seeing just how
they can obtain and use the information provided. For example, if I
say the key for a specific CAPTCHA is 123 -- then how can that help a
spammer because when he returns to the site, the CAPTCHA would have
changed?
Can you explain how that works?
It's definitely an interesting field. I think using the common
sense techniques you (tedd) have used combined with a better CAPTCHA
method, you could actually create something fairly user friendly and
secure.
My vote is still for asking a person to identify images. A bot is
going to have a hard time identifying a pig that's photo'd from an
odd angle and maybe colored blue instead of a standard pig-color.
Not as hard as you might think. You don't have to identify it as a
pig but rather as the spectral properties that a pig image displays.
It's like part recognition on an assembly line.
http://www.espgame.org/
That's more the brute force method -- but at some point, it would
probably work.
Thanks for your review and comments.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
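The two ideas in tedd's reply above (an audio file that can be fetched only once, and a hidden token that must accompany the typed key) can be sketched in PHP. This is an added example, not code from tedd's site or from phone.php; it assumes PHP 7 or later, that the session ID is carried in a cookie or, if cookies are off, in the URL, and it stands in a hypothetical speak_key_to_mp3() for whatever the real site uses to produce the spoken key.

```php
<?php
// Added example, not from the thread. Single-use audio challenge plus a hidden
// form token, kept in the session so the key never appears in the page or URL.

// Placeholder for the real text-to-speech step (assumption, not tedd's code).
function speak_key_to_mp3(string $key, string $path): void {
    file_put_contents($path, "audio-for-$key");
}

// Called when the form is rendered. Returns the hidden token to embed in it.
function captcha_issue(): string {
    $key   = (string) random_int(100, 999);   // the key the user will hear and type
    $token = bin2hex(random_bytes(16));       // unguessable, one per rendered form
    $path  = tempnam(sys_get_temp_dir(), 'access_');
    speak_key_to_mp3($key, $path);
    $_SESSION['captcha'] = [
        'key'     => $key,
        'token'   => $token,
        'audio'   => $path,       // set to null once the file has been served
        'expires' => time() + 300,
    ];
    return $token;
}

// Called by the "Speak Key" request. Serves the file once and deletes it, so a
// second fetch of the same URL gets nothing; the token ties the fetch to the form.
function captcha_audio(string $token): ?string {
    $c = $_SESSION['captcha'] ?? null;
    if ($c === null || $c['audio'] === null || !hash_equals($c['token'], $token)) {
        return null;
    }
    $bytes = file_get_contents($c['audio']);
    unlink($c['audio']);
    $_SESSION['captcha']['audio'] = null;
    return $bytes;
}

// Called on form submit. The challenge is consumed whether or not the answer is
// right, so a key cannot be retried or replayed from a different request.
function captcha_verify(string $token, string $answer): bool {
    $c = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    if ($c !== null && $c['audio'] !== null) {
        @unlink($c['audio']);   // audio that was never played is discarded too
    }
    if ($c === null || time() > $c['expires']) {
        return false;
    }
    return hash_equals($c['token'], $token) && hash_equals($c['key'], $answer);
}

// Request routing, roughly as a phone.php-style script might do it (constructed).
session_start();
if (isset($_GET['audio'])) {
    $mp3 = captcha_audio((string) ($_GET['t'] ?? ''));
    if ($mp3 === null) { http_response_code(404); exit; }
    header('Content-Type: audio/mpeg');
    header('Cache-Control: no-store');
    echo $mp3;
} elseif (isset($_POST['key'])) {
    $ok = captcha_verify((string) ($_POST['token'] ?? ''), trim((string) $_POST['key']));
    echo $ok ? 'ok' : 'try again';
} else {
    $t = htmlspecialchars(captcha_issue(), ENT_QUOTES);
    echo "<form method=\"post\"><input type=\"hidden\" name=\"token\" value=\"$t\">"
       . "<a href=\"?audio=1&amp;t=$t\">Speak Key</a> "
       . "<input name=\"key\"> <input type=\"submit\" value=\"Submit\"></form>";
}
```

Two things to keep in mind: the one-time file and the token stop a grabbed URL from being replayed or a key from being submitted outside its form, but they do nothing against a client that fetches the audio once and runs speech recognition on it, which is the weakness tg raised; and because everything lives in the session, a session ID passed in the URL must be protected from leaking (no-store caching, no referrer exposure) just as a cookie would be.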
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php