> On the other hand, if what you're trying to protect has no real
> significance, then no one is going to bother breaking your CAPTCHA.
Wrong. If you are protecting something completely worthless and you're
using a popular blog or forum software then you will undoubtedly inherit
its deficiencies regardless of the content of your site.
If you mean that your blog software inherits security deficiencies
and is thus open for spam injection and other such evil stuff, then I
see your point. But, that's like putting makeup on a pig -- you can
only cover up so much. The problem remains regardless.
---
Or constantly adapt. Sounds like fun :)
I agree -- fun and money. My only derivation from your path is trying
to accommodate the visually disabled along the way.
---
> However, if you insist on making a CAPTCHA for your site (as clients,
> not knowing better, sometimes insist), then also add an alternative
> "way in" for the visually disabled like so:
Now I'm not going to argue this point to any real depth. You obviously
don't have statistics for the efficacy of CAPTCHA and I don't want to
invoke erroneous logic by pointing out that if Slashdot, Yahoo, Google,
etc. are all using it then it must have some usefulness :)
First, I would listen and consider your thoughts far more than I
would follow after Slashdot, Yahoo, and Google practices. You're in
the front lines and have first-hand experience. They have their
ultimate decisions diluted by management -- the brightest ideas have
to pass through the dimmest minds to be implemented. The cutting edge
is not sharpened by the dullest minds.
Second, as for the efficacy of CAPTCHA, true I don't have any
statistics. But the following does give rise to concern:
http://sam.zoy.org/pwntcha/
Do graphic CAPTCHAs really work? I dunno, but from this it appears not.
So, in my mind, if you're going to do something that doesn't work
anyway, then why punish the disabled?
----
> http://sperling.com/examples/captcha/
If you want the code, just ask and I'll provide.
My thought is if you want to do image alteration, you might put your
skills to better use by writing routines for various photographic
effects, such as "Fish-Eye" or "Oval Cut-Outs" or whatever -- rather
than beating the dead horse CAPTCHA.
I'm in a time crunch right now, I'll explore more options later ;)
Cheers,
Rob.
Arrgggg -- please don't release the Cracken.
I think we're pretty much all in agreement about the problem and what
can, and cannot, be done. Your multi-CAPTCHA approach is certainly
more difficult for a bot to crack than a single one, like changing
session IDs in the middle of a user's visit to deter session
hijacking. But even that can be broken, am I not correct?
My point was not about the security of my method, but rather the
accessibility of it.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)