On 6/11/07, Tijnema <tijnema@xxxxxxxxx> wrote:
> On 6/11/07, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> > On Mon, 2007-06-11 at 14:29 -0400, Daniel Brown wrote:
> > > > > To be a bit easier, I whipped up a quick example on the web. It's
> > > > > just static images, not a working system, but you'll see what we're
> > > > > getting at here:
> > > > > http://pilotpig.net/captcha-example.php
> > > > >
> > > >
> > > > You could even use a color check here to see which color matches the best ;)
> > > >
> > >
> > > Ah, but that validates my exact point --- the system will see the
> > > overlay over the legitimate cigarette image as being image-synonymous
> > > with the snake as an option by color pattern, while the parent image
> > > matches best with the first child option image in shape.
> >
> > Not as easy as Tijnema thinks... all the icons are in a single image so
> > first he needs to find the icon boundaries to extract them to perform
> > colour analysis. And that can be more or less hard depending on how the
> > icons are merged. For instance using PNG images with alpha transparency
> > so that an overlay and merge looks right would make edge detection of
> > the icon difficult thus making colour analysis difficult.
>
> Sure, but what if I convert the image first to JPEG or GIF? GIF would
> be the easiest option I think, because if I convert both then I could
> easily count the color of each pixel and you can call the job done. :)
>
> > Also, the
> > colour analysis only works in the case where you're presented with an
> > image and asked to pick the same image from the set. It doesn't work in
> > the semantic example where you are asked "which of the following doesn't
> > belong?" :)
>
> Of course, it was just an easy example, as there could be images
> presented with exactly the same color.
> Different CAPTCHA programs need different kinds of hack...
>
> Tijnema

Not to mention the fact that, by the time your processor was able to count the pixels and compare color similarities to be able to even get close enough to an educated guess (not counting the randomly-generated filter color pixels, which I think you're forgetting), my session would've expired and you'd have to start all over on a new series of images.

Which actually brings up an excellent point, if I may say so myself --- it's not so much of what kind of obfuscation is used in the CAPTCHA image, as any good Turing robot or OCR software could detect the sequence almost as well as a human (if not better in some cases).... but it can take a while to do so. Why not shorten the session timeout for the page on which it's displayed?

Have two separate areas --- area one is for registration, data submission, or whatever you're trying to de-automate; area two is your CAPTCHA area. Upon submitting the data, and to verify the authenticity as a human intending to submit said data, a page is displayed with four slightly skewed characters on a random background with a random filter. The user has 15 seconds to type in the characters he or she sees. The only characters which exist are UPPER-CASE letters ABCDEF. The user can then easily distinguish which letter is which, but a robot would only have those fifteen seconds to do the same.

This means a combination of 6^4, which is 1,296 potential combinations to try to match in 15 seconds or less. Not bank-level security, by any means, but something to expand on, considering I don't think any existing CAPTCHA technology focuses on time limitations, but rather only on making it more annoying for the average user to submit form data.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
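
A sketch of the server-side bookkeeping that the time-limited scheme in the message above implies, added here as an illustration and not code posted by anyone in the thread. The function names and the `$state` array (standing in for `$_SESSION`) are assumptions; discarding the challenge after any single answer is also an addition the message does not mention, made so that the 1,296 codes cannot be tried one after another against the same image.

```php
<?php
declare(strict_types=1);

// Added example; $state stands in for $_SESSION so this runs from the CLI.
const CAPTCHA_ALPHABET = 'ABCDEF'; // alphabet from the message
const CAPTCHA_LENGTH = 4;          // 6^4 = 1,296 possible codes
const CAPTCHA_TTL = 15;            // seconds allowed to answer

function captcha_issue(array &$state, int $now): string
{
    $code = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        // random_int() draws from the CSPRNG, unlike rand()/mt_rand().
        $code .= substr(CAPTCHA_ALPHABET, random_int(0, strlen(CAPTCHA_ALPHABET) - 1), 1);
    }
    // The code and its issue time live only on the server side.
    $state['captcha'] = ['code' => $code, 'issued' => $now];
    return $code; // to be rendered into the image, never sent as text
}

function captcha_verify(array &$state, string $answer, int $now): bool
{
    $challenge = $state['captcha'] ?? null;
    // Single use (assumption beyond the message): any answer, right, wrong
    // or late, consumes the challenge and forces a fresh image.
    unset($state['captcha']);
    if ($challenge === null || $now - $challenge['issued'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($challenge['code'], strtoupper(trim($answer)));
}

function show(string $label, bool $ok): void
{
    echo $label, ': ', $ok ? 'accepted' : 'rejected', "\n";
}

// Constructed walk-through with a fixed clock (seconds).
$state = [];
$code = captcha_issue($state, 1000);
show('correct answer after 10 s', captcha_verify($state, $code, 1010));
show('same answer replayed', captcha_verify($state, $code, 1011));
$code = captcha_issue($state, 1020);
show('correct answer after 16 s', captcha_verify($state, $code, 1036));
$code = captcha_issue($state, 1040);
show('wrong guess', captcha_verify($state, $code === 'AAAA' ? 'BBBB' : 'AAAA', 1041));
show('correct answer after a wrong guess', captcha_verify($state, $code, 1042));
```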