× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. September 2008

Re: CAPTCHA image validation in web form

Ralph- In some cases the people are not paid at all, they are just
given porn as a reward. From the wikipedia article at
http://en.wikipedia.org/wiki/Captcha:

<quote>
Another variation of this technique involves copying the CAPTCHA
images and using them as CAPTCHAs for a high-traffic site owned by the
attacker. With enough traffic, the attacker can get a solution to the
CAPTCHA puzzle in time to relay it back to the target site.[22] In
October 2007, a piece of malware appeared in the wild which enticed
users to solve CAPTCHAs in order to see progressively further into a
series of striptease images.

</quote>

Who would of thought of harnessing the power of porn websites to solve
such an issue? :-)

-Sarah



On Mon, Sep 1, 2008 at 2:45 PM, Ralph Daugherty <rdjfc@xxxxxxxxxxxxx> wrote:

There was a slashdot thread or two on CAPTCHA's a few weeks ago, but
no one really offered anything very helpful about what is going on out
there.

Lots of quibling over how certain MSFT entities practice it in a
substandard way, but for the most part that's just /. being /. However,
when I looked at the example CAPTCHA images, they were trivially
straightfoward letters for OCR'ing, relatively lined up and well separated.

Displaying in different colors including pastels really screws OCR
up, but it's not necessary. The key is to overlap the characters
somewhat with characters tossed and turned.

I agree with the suggestion to just generate these images with
random number of characters (from three to five, for example) generated
at positions that overlap at least two of the characters and store a set
of them on IFS with answers in a file keyed by the file name as
suggested (by Nathan I think).

My vague understanding from lots of /. references is an implication
that CAPTCHA's are forwarded to very, very low paid people assisting URL
spammers (not necessarily worded that way elsewhere, my description) to
reply to the CAPTCA's. Given that most spamming attempts come from bot
networks of random owned PO's, and that responses are fairly quick, it
is onconcievable to me that OCR software algorithms have been downloaded
to owned bot PC's or that the CAPTCHA images are forwarded and OCR'd
elsewhere.

In any event, as I suggest here to do, most CAPTCHA's are not
OCR'able anyway due to overlapping and/or very difficult to separate
from background characters.

Nathan's suggestion is really quite simple and the way to go.

rd


Nathan Andelin wrote:
Quoting from the Wikipedia article on CAPTCHA:

"Breaking a CAPTCHA generally requires some effort specific to that
particular CAPTCHA implementation, and an abuser may decide that the
benefit granted by automated bypass is negated by the effort required
to engage in abuse of that system in the first place."

With that quote in mind, a hacker might be more willing to spend the time to break a CAPTCHA algorithm offered via popular web service, thinking that it would automatically compromise all the sites that relied on that particular Web service. If that matters.

Nathan.




--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.