Re: Going from simple to super CAPTCHA

On Sun, 2007-06-10 at 16:19 -0400, tedd wrote:
> > > On the other hand, if what you're trying to protect has no real
> > > significance, then no one is going to bother breaking your CAPTCHA.
> >
> > Wrong. If you are protecting something completely worthless and you're
> > using a popular blog or forum software then you will undoubtedly inherit
> > its deficiencies regardless of the content of your site.
> 
> If you mean that your blog software inherits security deficiencies 
> and thus open for spam injection and other such evil stuff, then I 
> see your point. But, that's like putting makeup on a pig -- you can 
> only cover up so much. The problem remains regardless.
> 
> ---
> 
> >Or constantly adapt. Sounds like fun :)
> 
> I agree -- fun and money. My only derivation from your path is trying 
> to accommodate the visually disabled along the way.

Ah, but you suggest an auditory captcha in replacement of a visual
captcha, when in fact you should be suggesting both if at all so that
the deaf people of the world aren't left out while the blind and able
listen with glee ;)

> ---
> 
> > > However, if you insist on making a CAPTCHA for your site (as clients,
> > > not knowing better, sometimes insist), then also add an alternative
> > > "way in" for the visually disabled like so:
> >
> >Now I'm not going to argue this point to any real depth. You obviously
> >don't have statistics for the efficacy of CAPTCHA and I don't want to
> >invoke erroneous logic by pointing out that if Slashdot, Yahoo, Google,
> >etc are all using it then it must have some usefulness :)
> 
> First, I would listen and consider your thoughts far more than I 
> would follow after Slashdot, Yahoo, and Google practices. You're in 
> the front lines and have first hand experience. They have their 
> ultimate decisions diluted by management -- the brightest ideas have 
> to pass through the dimmest minds to be implemented. The cutting edge 
> is not sharpened by the dullest minds.

Well, you can be certain they are on the front lines also. Management,
as slow moving as they can be, still moves quickly when pr0n and
expletives show up in the wrong places :D

> Second, as for the efficacy of CAPTCHA, true I don't have any 
> statistics. But the following does give rise for concern:
> 
> http://sam.zoy.org/pwntcha/
> 
> Do graphic CAPTCHA's really work? I dunno, but from this it appears not.

From this it appears that some don't and some do. He lists them and
states which ones work well and which ones do not. As such, we can learn
from his site as to what constitutes difficult captcha. Preferably
difficult for computers and not so difficult for homo sapiens.

> So, in my mind, if you're going to do something that doesn't work 
> anyway, then why punish the disabled?

Because it does work... and we're not punishing the disabled, we're
hopefully giving them representative weight. By representative weight, I
mean that if 1% of your visitors are unable to work with captcha, then
really you have a 1% incentive to improve the situation. I think that 1%
needs to be addressed, but it needs to be in context. Yes I know,
something like 17% or so people have some kind of disability, but we're
focusing right now on visual disability that makes captcha infeasible.

> ----
> 
> > > http://sperling.com/examples/captcha/
> > >
> > > If you want the code, just ask and I'll provide.
> > >
> > > My thought is if you want to do image alteration, you might put your
> > > skills to better use by writing routines for various photographic
> > > effects, such as "Fish-Eye" or "Oval Cut-Outs" or whatever -- rather
> > > than beating the dead horse CAPTCHA.
> >
> >I'm in a time crunch right now, I'll explore more options later ;)

> Arrgggg -- please don't release the Cracken.

Was that a cracker pun on Kraken? I remember Clash of the Titans, all we
need is Medusa's head >:)

> I think we're pretty much all in agreement about the problem and what 
> can, and cannot, be done. Your multi-CAPTCHA approach is certainly 
> more difficult for a bot to crack than a single one, like changing 
> session ID's in the middle of a user's visit to deter session 
> hijacking. But even that can be broken, am I not correct?
> 
> My point was not about the security of my method, but rather the 
> accessibility of it.

I understand that, but as with viruses, and malware in general, the
problem is most likely always going to be an arms race. As such
solutions will most likely always be in some need of adaptation to the
changing techniques of the black hats.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
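The session-ID rotation tedd mentions above, as it is usually done on a PHP site. This is an added example, not code from either poster or from InterJinn; it assumes PHP 7.1 or later, and the rotation interval and the `$_SESSION` keys are my own choices.

```php
<?php
// Added example (not from the thread): rotate the PHP session ID at
// privilege changes and on a timer. Rotation on login defeats session
// fixation (an ID issued before authentication never carries logged-in
// state); timed rotation shortens the useful life of a stolen cookie.
// Assumes PHP 7.1+ (void return types). Interval is a constructed value.

const SESSION_ROTATE_INTERVAL = 600; // seconds between forced rotations

// Harden the cookie before the session starts: HTTPS-only and not
// readable from JavaScript, so a script-injected page cannot read it.
session_set_cookie_params(0, '/', '', true, true);
session_start();

function rotate_session_id(): void
{
    // true = destroy the old session data so the previous ID stops
    // working immediately rather than lingering until garbage collection.
    session_regenerate_id(true);
    $_SESSION['last_rotated'] = time();
}

// 1. Timed rotation on every request that finds the ID too old.
if (!isset($_SESSION['last_rotated'])
    || time() - $_SESSION['last_rotated'] > SESSION_ROTATE_INTERVAL) {
    rotate_session_id();
}

// 2. Rotation on privilege change: call right after the credentials
//    have been verified, before storing any authenticated state.
function on_successful_login(int $userId): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
}

// 3. Logout: clear state, then issue a fresh anonymous ID.
function on_logout(): void
{
    $_SESSION = [];
    rotate_session_id();
}
```

As tedd suspects, this does not stop an attacker who already holds the current cookie; it limits how long that cookie stays valid and prevents an attacker from planting an ID ahead of time. The `true` argument to `session_regenerate_id()` matters: without it the old session file survives until garbage collection and the old ID keeps working.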

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

