In SMF 1.1 RC3, "Request another image" link in registration doesn't work for FireFox (tested in 1.5.0.6)
It does work but it is always same. Some times one of images doesn't show up, pressing it will help but it won't change. I think it's not meant to change code but layout of them if they are unreadable. So it's useless if theres no gd.
BonEcho (aka Firefox) 2.0 Beta 2
By the way captcha is not very strong since without gd every image is same so automatic bot could do simple crc check. So it
I tested it with 1.5.0.6 and it works, so I'll need a link to your particular forum to find out whats going on.
http://www.harzem.com/test/rc3/index.php
But it doesn't look like working in other RC3 sites also. I've tried three computers, two are XP and one is Win98. Still no luck. (Only FF of course)
Quote from: Thantos on August 22, 2006, 07:56:02 AM
I tested it with 1.5.0.6 and it works, so I'll need a link to your particular forum to find out whats going on.
Mike, just tested this with 1.1 CVS (todays) on my site and it is failing for me on IE and FFx.
HarzeM it worked for me using FF 1.5.0.6 on your site.
The problem is not particularly my site. I don't know the reason, but more than a few people says it is not working, including huwnet. I think it is browser-based, but not browser version based.
I'll try looking at the code and find a intercompatible js code.
Hmmm its possible that it's a caching issue also. Since it's basically just asking for the same image again....
Try this:
Find
if ($context['visual_verification'])
{
echo '
function refreshImages()
{';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
else
echo '
document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
echo '
}';
}
replace with
if ($context['visual_verification'])
{
echo '
function refreshImages()
{
// Make sure we are using a new rand code.
var new_url = new String("', $context['verificiation_image_href'], '");
new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);
// Quick and dirty way of converting decimal to hex
var hexstr = "0123456789abcdef";
for(var i=0; i < 32; i++)
new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = new_url;';
else
echo '
document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
echo '
}';
}
That fixed it, thanks Thantos :)
Also, I find that I cannot read over 50% of the images - the letters are generally unclear, and the static/dots make things even harder to read. Even without the static/dots, one or two of the letters are too small/obscured to read, I find..
Quote from: Tau Online on August 22, 2006, 09:12:23 AM
That fixed it, thanks Thantos
Agreed :)
Quote from: Tau Online on August 22, 2006, 09:12:23 AM
Also, I find that I cannot read over 50% of the images - the letters are generally unclear, and the static/dots make things even harder to read. Even without the static/dots, one or two of the letters are too small/obscured to read, I find..
Agreed :(
I've posted a PM to you, Thantos, and Compuart, about this captcha image (seen in CVS boards of team members). But never got a response. I thought the image is too hard to read. There are ways to make it easier to read by humans, and harder to read by robots.
Another small bug with the CAPTCHA is that in Firefox 1.5.0.6 (Win XP) is that reading the letters doesn't work; however, in IE7beta3 the WMP Shim works perfectly for sounding the letters out. Firefox just gives you a short clip of 1 letter/number, and not the full CAPTCHA.
I also seem to get this error message when dealing with the audible captcha:
Quote[Exception... "'Permission denied to get property XULElement.accessKey' when calling method: [nsIDOMXULLabelElement::accessKey]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "JS frame :: http://domain.com/forum/Themes/default/script.js?rc2p :: reqWin :: line 99" data: no]
Haven't applied your patch yet THantos, but will later today I guess.
Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
if ($context['visual_verification'])
{
echo '
function refreshImages()
{';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
else
echo '
document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
echo '
}';
}
replace with
if ($context['visual_verification'])
{
echo '
function refreshImages()
{
// Make sure we are using a new rand code.
var new_url = new String("', $context['verificiation_image_href'], '");
new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);
// Quick and dirty way of converting decimal to hex
var hexstr = "0123456789abcdef";
for(var i=0; i < 32; i++)
new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = new_url;';
else
echo '
document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
echo '
}';
}
It worked wonderfully for me also..earlier in FF 1.5.0.6 it did not worked even in my forum also!
Thanks Thantos - that hack fixed the image refresh problem in FF for me too.
The audio reading works fine for me in FF.
I also agree that some of the dotted backgrounds are a little hard to read, but now that the image refresh option is working, I am not too worried about it, although I think an alternative background might be better for the future.
Thanks,
Adrian
I've only got Rc3 on my test site atm.
But will these and other bug fixes be made fixed in the download pages, or it will it mean I have to fix it myself? I'm pretty new to smf and this is the first upgrade I've gone through.
For me IE6 on a clean Rc3 install the image doesnt change. The captcha2speech works fine.
Quote from: bpat1434 on August 22, 2006, 10:13:09 AM
Another small bug with the CAPTCHA is that in Firefox 1.5.0.6 (Win XP) is that reading the letters doesn't work; however, in IE7beta3 the WMP Shim works perfectly for sounding the letters out. Firefox just gives you a short clip of 1 letter/number, and not the full CAPTCHA.
I also seem to get this error message when dealing with the audible captcha:
Quote[Exception... "'Permission denied to get property XULElement.accessKey' when calling method: [nsIDOMXULLabelElement::accessKey]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "JS frame :: http://domain.com/forum/Themes/default/script.js?rc2p :: reqWin :: line 99" data: no]
Haven't applied your patch yet THantos, but will later today I guess.
Running FF 2.0 Beta 1 I also have the short 1 letter clip issue. However the full alternate link does work, I suspect that some users will give up if they can't read the image then only get 1 letter out of the first audio prompt.
As already stated the letters are not human readably enough and need some tweaking.. If the over all size was increased it might help
Why can't you set some user configuration of captcha as in the present mod in use on 1.2
I just can't & won't update to 1.3 yet on any of my forums until this is sorted as too many people won't be able to use it
I allow guest posting on certain boards so that won't
be possible with this unworkable captcha version
Hi everybody,
I'm working on a better captcha. Please have a look at this:
http://www.harzem.com/test/rc3/index.php?action=register
You can request another image to see different fonts and modifications.
- There are more fonts.
- Some fonts are negative images, i.e., white fonts inside dark borders.
- One font is a 3D looking one, and still a negative font.
- Fonts are rotated more
- Fonts are waved, so they are different each time.
(Click on the thumbnails below to see them larger!)
I'm willing to release this as a mod. If developers want to add this as default, I'm willing to give away.
HarzeM,
I'm very interested in this... our upgrade is scheduled in less than 24 hrs, and I am having second thoughts about this registration CAPTCHA due to the size and visibility of the image.
Is this hack/mod easy to install?
edit: once this fix is installed.. I think we will cope.. been doing a bit more testing... ;)
HarzeM I'd love that as a mod - I think it'd be really handy. I just had a bot register at my forums (when I had CAPTHCA disabled), however I find that with it enabled it makes human registration too hard.
Quote from: HarzeM on August 23, 2006, 04:56:23 AM
You can request another image to see different fonts and modifications.
- There are more fonts.
- Some fonts are negative images, i.e., white fonts inside dark borders.
- One font is a 3D looking one, and still a negative font.
- Fonts are rotated more
- Fonts are waved, so they are different each time.
:) Fantastic!! I agree the existing captcha are too difficult for humans to read too - this is a great improvement.
Would it be possible for these variables to added to forum administration so that each SMF admin can set the letter rotation, fonts, image size, background noise, etc that they feel comfortable with?
@Thantos Good work on fixing the firefox bug :)
Quote from: bananaman on August 23, 2006, 06:52:56 AM
Would it be possible for these variables to added to forum administration so that each SMF admin can set the letter rotation, fonts, image size, background noise, etc that they feel comfortable with?
Yes it is possible, but I don't recommend it. Not every admin knows about captchas, which variables make it secure, which makes it weak. I'm trying to achieve the best combination of parameters to make it human readable, but not robot readable.
Love the work you are doing there HarzeM!
I agree that the RC 3's CAPTCHA image is really unusable. HarzeM version looks a lot better :).
I was just wondering if it's possible to write a custom CAPTCHA as a mod, or do I need to hack the sources? I was thinking of making a verification that displays small images of different objects. Then you would have to select one (or many) images to prove you are a human.
For example, theres images of car, train, house and cat. A text would instruct you to select a car from those images.
I'm new to SMF so... ???
I'm also working on another captcha image, here:
http://www.turkproje.org/proje/captcha/resim.php
This is somewhat different. It has nice gradiend backgrounds. But the main thing is, the characters are almost never the same. There are tons of fonts, rotations, waves etc.., in addition to multiple renders of the same character to make some of them "border-only", double border-only, bla bla... The best is when you see it :)
I'm inspiring from it, but I'm not thinking of integrating this to SMF directly. Because this should be unique to that site.
I'm not too educated with the whole CAPTCHA thing yet, but i do agree with everyone else that the RC3 letters are too difficult to read.
Is it just possible to replace all the letters in the default themes /fonts directory, or is there more to it than that?
If it is that simple, would it be possible for us to use the images you are using? would you be able to attach them to this thread please?!?
That's nice and readable. This should be adopted to SMF instead of the one added there now, which is mostly unreadable. Hope SMF team adopt it or buy it from you. Great creation. Seems all your works is excellent works :D ;)
i agree, this is much better
Quote from: Cache-man on August 23, 2006, 08:50:30 AM
Is it just possible to replace all the letters in the default themes /fonts directory, or is there more to it than that?
Replacing the fonts isn't just the whole thing. There are programming differences using different functions to create images. Also I waved the characters by some coding.
Quote from: Surferbird on August 23, 2006, 08:52:05 AM
That's nice and readable. This should be adopted to SMF instead of the one added there now, which is mostly unreadable. Hope SMF team adopt it or buy it from you. Great creation. Seems all your works is excellent works :D ;)
I won't attempt to sell it :P If the team wants, they can get it. If they don't, I'll release it as a mod.
Soon, I'll add some perturbation to make it harder to be read by robots.
And yes, I do like my own work too :P
there is already working captcha module,
http://mods.simplemachines.org/index.php?mod=277
covering both registration and guest posting, and i'm using it for months on a quite large board. it is good and pretty readable.
you can configure how much letters will be shown.
i've found that 3 (yes, only 3) are quite enough to stop the bots we've suffered from. take a look, this is from the registration page (just after password and confirm password):
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fmarvin.lirex.com%2Fcaptcha.jpg&hash=58746da0ad0caddefc0d989268a5b19075add031)
right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.
edi
Quote from: Techdomain on August 23, 2006, 07:14:32 AM
Love the work you are doing there HarzeM!
Quote from: ediww on August 23, 2006, 10:14:38 AM
there is already working captcha module,
covering both registration and guest posting, and i'm using it, it is good and pretty readable. right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.
RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...
About guest posting... I'm thinking about a mod for it in RC3.
Quote from: HarzeM on August 23, 2006, 10:19:35 AM
RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...
I thought hncaptcha can't be read by bots...
Quote from: HarzeM on August 23, 2006, 10:19:35 AM
About guest posting... I'm thinking about a mod for it in RC3.
This is what i'm missing at the moment, this would be very nice, i don't want to disable guest posting to prevent bots spamming the forum...
cheers,
Benson
I would also very much like a mod for image verification on guest posting. In my humble opinion, that is far more important than on registration. While bots registering on forums is a reasonably small problem (at least in my experience), bots trying to post topics and replies is a huge problem, which makes it pretty much impossible to enable guest posting without CAPTCHA these days.
This does not work on mine using the default theme.
Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
if ($context['visual_verification'])
{
echo '
function refreshImages()
{';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
else
echo '
document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
echo '
}';
}
replace with
if ($context['visual_verification'])
{
echo '
function refreshImages()
{
// Make sure we are using a new rand code.
var new_url = new String("', $context['verificiation_image_href'], '");
new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);
// Quick and dirty way of converting decimal to hex
var hexstr = "0123456789abcdef";
for(var i=0; i < 32; i++)
new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = new_url;';
else
echo '
document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
echo '
}';
}
i will not discuss the existence of the module (it does work) - the captcha image created is only part of the problem, and i guess that it will be easier (and opensource way) to modify the mod to include the "harder" captcha. and, please note (other readers of this post which have not installed the mod) that the number of letters is adjustable.
i will talk about the "proofstrength" of the captchas. i completely don't agree with your statement "insecure by means of the image created". heavy words, but i don't agree. see below why.
this is one thing that i've heard too much of, but, suddenly, it turns that 99.9% of the spammers do not posses and use such technology to spam. and the remaining .1 percent are quite not interested in smaller than yahoo sites:) because it is time consuming to launch such attack, even if you have the reader ready.
as you experienced, sophisticated (read: almost human unreadable) captchas screw up not only the robots but also the regualr users.
i do not have worldwide experience with hundred own sites, maybe you do, but i don't feel the captcha needs to be even this hard, as you propose. it goes as measure and countermeasure - i do hardly believe that small (<100000 users, mine is small) site is worth such sophisticated attack. for smaller (again, relatively, most of the sites are small from this point of view) site, it will be more efficient for the attacker to spam manually, instead of preparing the tool - even it takes only changes to reflect the html generated from eveln slightly modified templates.
my conclusion is that simple, readable captchas are better in most cases. and the hard ones are worse, as you notices criticizing SMF built-in captcha.
but, hell, why do not have choice between levels of captcha? or random "sets" of different captcha "styles" - adding some "Tarpitting" (artificial delays between two tries), it will make it safe and EASY for the user.
let's do not do it like the SMTP antispam - killing the "good-will" human users in some hypothetical threats. in fact, you did this work to alleviate SMF's captcha, and most of the comments i've seen in this thread was "this is good, cause it is more human readable".
i will be pretty hapy if you contact dev of the mod, and (both you together or just you) finish it with such thoughts in mind - firstly, give the users (forum admins:) a choice from 2-3 different models with different "strength". or at least to be easy replaceable, for example, a mod for implementing and maintaining the security with captcha, and other one, which actually generates the captcha - then, you can replace the captcha with audio or math formulas.
edi
PS please, DONT forget that every one single human is having different eye perception. what is "easy" for you can be very hard for small or bigger group of your users.
Quote from: HarzeM on August 23, 2006, 10:19:35 AM
Quote from: ediww on August 23, 2006, 10:14:38 AM
there is already working captcha module,
covering both registration and guest posting, and i'm using it, it is good and pretty readable. right now i'm looking if i can disable the built-in in RC3 and adapt it from RC2 - i desperately need the guest posting captcha.
RC2 version of that mod is insecure by means of the image created. That image is very easily readable by robots. No perturbation, no modification of characters, similar fonts etc...
About guest posting... I'm thinking about a mod for it in RC3.
Quote from: navjotjsingh on August 22, 2006, 11:46:27 AM
Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
if ($context['visual_verification'])
{
echo '
function refreshImages()
{';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
else
echo '
document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
echo '
}';
}
replace with
if ($context['visual_verification'])
{
echo '
function refreshImages()
{
// Make sure we are using a new rand code.
var new_url = new String("', $context['verificiation_image_href'], '");
new_url = new_url.substr(0, new_url.indexOf("rand=") + 5);
// Quick and dirty way of converting decimal to hex
var hexstr = "0123456789abcdef";
for(var i=0; i < 32; i++)
new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1);';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = new_url;';
else
echo '
document.getElementById("verificiation_image_1").src = new_url + ";letter=1";
document.getElementById("verificiation_image_2").src = new_url + ";letter=2";
document.getElementById("verificiation_image_3").src = new_url + ";letter=3";
document.getElementById("verificiation_image_4").src = new_url + ";letter=4";
document.getElementById("verificiation_image_5").src = new_url + ";letter=5";';
echo '
}';
}
It worked wonderfully for me also..earlier in FF 1.5.0.6 it did not worked even in my forum also!
I Did the above and it gave me this
function refreshImages() { // Make sure we are using a new rand code. var new_url = new String("http://clergyaccess.iccec.org/index.php?action=verificationcode;rand=ff1e7ff6832c638da163d29c3a76d5ca"); new_url = new_url.substr(0, new_url.indexOf("rand=") + 5); // Quick and dirty way of converting decimal to hex var hexstr = "0123456789abcdef"; for(var i=0; i < 32; i++) new_url = new_url + hexstr.substr(Math.floor(Math.random() * 16), 1); document.getElementById("verificiation_image").src = new_url; }
Please Help
ediww,
You are right, most spammers don't prepare such tools to attack small sites. But when a captcha system becomes widely used, then there exist tools for these. For example, a spammer doesn't try to create a captcha reader to attack a forum of 100 users. But if that forum is vBulletin, and there are available *spammer* tools that break vBulletin captchas, then this spammer doesn't need to create individual tools for different forums.
If only one programmer on the earth can create a tool to break a widely used captcha, say vBulletin or phpBB captcha, then any spammer can use it, either for small forums or large communities. Those guys like redistribution.
Thus, a captcha system should be designed such that (1) no single human can create a reader, OR, (2) no human should need to create one.
If a website uses a unique captcha system, this means a tool to break that capthca will only work for that website. So probably no one will try to create a reader, it will be much effort than needed. This is case (2).
But if a website uses a widely used captcha system, like SMF capthca, then any tool to read it will result in spamming thousands of forum with each has only one thousand users. That's a total of a million users, then this tool deserves to be created.
So, we are left with option (1). This tool shouldn't exist, even if it was tried. This is called "hard to read by robots" captcha, which is my goal. SMF is widely used, probably a total of tens of millions of users (not admins, total members of SMF powered forums), so a good target for spamming. This is why such reader tool can be created, and why we should use stronger captchas.
Let me show you some examples of mine. You know the captcha I've just designed for SMF above. I have two other systems.
http://www.turkproje.org/yazilim/index.php?action=register
This is stonger than 1.1 RC2 captcha mod, because it has background perturbation. RC2 capthca mod doesn't have background perturbation, even if it claims to be. I've reported that already (here (http://www.simplemachines.org/community/index.php?topic=70807.msg484366#msg484366)) but didn't get a response. The one I have in turkproje.org forum registration has a better perturbation. It is almost fully secure, but still I'm not satisfied with it. (Though it is a unique captcha now, and won't get unique tool attacks.)
And I'm designing a better captcha, http://www.turkproje.org/proje/captcha/resim.php
This one doesn't have background perturbation (for decorative purposes, it looks cool 8)), so the characters should be modified. I've used a very strange technique to generate many different types of characters, some are empty in borders, some have double borders, etc... This is also a unique captcha, and won't get unique tools to decipher it. But I just like to be safe.
In short, SMF captcha will be widely used, thus can be a target for robot attacks. phpBB had a very poor captcha, and it was broken already. SMF shouldn't have such easy ones.
how do they do it, as far as i know its impossible to read the phpcode that create the image, offcource the source can be downloaded and looked up, but they, they can do that witch your catcha (or how its called)
and design a bot for that, what i was thinking, a mutch simpler method would be to create a sort of "password" or "seed", either admin chosen, or done auto, that will affect the way the pic is shown like colors, fonts, witch size(let it variate between 3 and 7 numbers/letters), so then you will have a system that would be tailor made for every single smf installation.... right, well i donnu mutch about gd, just my 2 cents
harzem,
you didn't get it right, definitely
the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker to the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make very complicated captcha. also, you're forgeting about something - attacker should use quite specifically installed machine with quite a few CPU to do image recognition. really, i do thing that all the fluff about "it can be done" is and will stay quite a time just not applicable in the "real world", so why'd we need to make our REAL users unhappy?
btw, there are quite many serious works about it, and the background is not the primary method of making captcha computer-nonreadable. playing with fonts is far more efficient and does not bother the user too much.
but again, it comes only to the generated image. what i'm saying, there is quite a few standart ready-made captcha scripts, and even an working mod (altough far from perfect) - so, why not:
1) get the mod and extend it to support more "image generators";
2) leave the admin to choose which is better for him - simpler images and happy users (+great but right now imaginary risks) or overburden image which causes pain in the azz for the user to read. yes, it is important if you will support captcha for guest posting. if the user is determined to use right and only your forum, the complexity does not matter, but if the user 2-3 times does not guess what to type-in, it can be effectively dissapointed and will not use your forum.
there are a few more ideas for you, if we're about to speak for the mod not for the image complexity, i think that adding "tarpiting", some smart auto-ban and mixing methods can be disastrous for the intruder.
edi
PS was your captcha apllauded for being more readable than SMF's?:) right now you're advocating complexity :) just joking.
PS2 no, i don't think that captcha is the ulitmate solution, futuremore - if we've overburden the images it will become similar to the anti-spam methods related to SMTP.
Quote from: ediww on August 24, 2006, 07:42:59 AM
harzem,
you didn't get it right, definitely
the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker to the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make very complicated captcha.
No, you didn't get me :)
There is no need for 100 modifications or 100 different scripts for 100 different sites. If they are using the same system of captcha, they are all broken with the 1 tool. And if they are all SMF, they
do share the same system. So, one single tool for all SMF sites in the world. This is why the captcha should be strong.
And, making it human readable and making it robot readable are different things. Something can be easy to be read by human, but impossible for a robot. Or it can be both impossible (as SMF's default captcha!), or it can be both possible. So, I'm advocating complexity AND human-readability :) We can have complex images and happy users at the same time. The captcha I've posted at the previous page is easily readable by humans (happy users) and still complex for robots.
I agree with the rest of your post. :)
Looking forward to seeing your mod completed HarzeM :)
harzem,
i do not want to argue more - you have your opinion, i stay with mine - this is still overkill and overburden. maybe you can make universal captcha smasher, but i guess it is possible to make the captcha module configurable enough so the forum admin can set up it as unique enough. this is about the module, not the image
about the images: pls, still, consider "weaker" (read: simpler to use) images. yours make me dizzy, several people i've shown feeling the same. maybe they are ... err.. futuristic but really, consider simpler ones and make the admin choose. right now i'll use such images only if i do not have other choice.
i'm also suprised to see how many users did not heard about the existing captcha, so - cudos to SMF for putting it in and making the admins think and ask for modules. and make you produce (another) one. maybe better - if you really do not put it too much theory in it.
edi.
Quote from: HarzeM on August 24, 2006, 08:06:16 AM
Quote from: ediww on August 24, 2006, 07:42:59 AM
harzem,
you didn't get it right, definitely
the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker to the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make very complicated captcha.
No, you didn't get me :)
There is no need for 100 modifications or 100 different scripts for 100 different sites. If they are using the same system of captcha, they are all broken with the 1 tool. And if they are all SMF, they do share the same system. So, one single tool for all SMF sites in the world. This is why the captcha should be strong.
And, making it human readable and making it robot readable are different things. Something can be easy to be read by human, but impossible for a robot. Or it can be both impossible (as SMF's default captcha!), or it can be both possible. So, I'm advocating complexity AND human-readability :) We can have complex images and happy users at the same time. The captcha I've posted at the previous page is easily readable by humans (happy users) and still complex for robots.
I agree with the rest of your post. :)
Don't worry, I'll make mine as readable as possible ;)
BTW, thanks for sharing your ideas with me, instead of saying "woot, your's great :P". I'm talking to developers about what can be done.
Cheers :)
The little I've read about CAPTCHA says that noise reduction and letter detecting is easily done by bots. The hard part is letter boundaries, which is seems like both SMF's and Harzem's fail at.
Quote from: eldacar on August 25, 2006, 08:42:00 AM
The little I've read about CAPTCHA says that noise reduction and letter detecting is easily done by bots. The hard part is letter boundaries, which is seems like both SMF's and Harzem's fail at.
Noise reduction is really easy. Letter detecting is easy as soon as the letter boundaries are detected.
The captcha I've shown is only a mockup created in half an hour. Still, the 3D characters and negative characters are pretty good at hiding letter boundaries. A robot can't detect whether the white part of a char is the actual character, or the dark part.
(https://www.simplemachines.org/community/index.php?acti%3Cbr%20/%3Eon=dlattach;topic=107633.0;attach=18132;image)
Have a look at the fourt character. The dark area is the letter. Now have a look at the light area at the third character. You see it is a "T", but it is a white character. A robot can't know whether the light areas are the chars, or the dark areas.
Aslo have a look at the fifth one. For a robot, it is a connected black line with a white gap inside it. That is either O, P, Q or R. Maybe even D. But probably not F.
I'll add background perturbation (random dark lines, not noise!) to make character borders even more difficult to detect.
Hmm you're right I suppose. But, wouldn't it be a little more difficult without flat colours too? Prehaps give noise to the reverse letters too.
Quote from: eldacar on August 25, 2006, 09:05:30 AM
Hmm you're right I suppose. But, wouldn't it be a little more difficult without flat colours too? Prehaps give noise to the reverse letters too.
Yes, I'll make it more difficult, that was just a mockup prepared in half an hour :)
(If I get enough response here (http://www.simplemachines.org/community/index.php?topic=108386.0))
i do have a couple more ideas, captcha and the plain spammers are only a part of the problems an administrator can encounter. if you do have the time i'll share.
btw, i've read about the "black borders". obivously you've played with the counterpart a bit or at least have done some reading. by the way, if not already done, take a look at this:
http://www.puremango.co.uk
they have quite fuzzy edges. and also, they do overlap the letters.
see like this (the example is not fully featured etc):
http://irchelp.unibg.org/killimmed/
i've played with this year or so ago, and it was really fun. but then, i've realized that the messier chars do much more irritation than simpler one. so, imagine a module with, say, 10 different (also with strength) capchas. in the config, which maj or may not be visible in the browser, you do choose which ones to use (more than one). if you do have more than one, the script randomly changes them. if you do not (only one selected) - uses only the selected. if you do not select anything (default setting:) - the developer's choice.
this will make me and my users happy. if smf, the mod and i do ever live to see such complicated attacks, i can easily switch the hardcore ones on.
edi
Quote from: HarzeM on August 25, 2006, 08:39:29 AM
Don't worry, I'll make mine as readable as possible ;)
BTW, thanks for sharing your ideas with me, instead of saying "woot, your's great :P". I'm talking to developers about what can be done.
Cheers :)
but... not to step on anybody's toe's, has ANYONE had trouble with spambots AFTER this release??
i should say just wait and see how things go....
I have still had some questionable registrations and posts since the upgrade to RC3, but I guess they could be human registrations - is there any real way to tell?
Quote from: Leipe Po on August 25, 2006, 11:05:19 AM
but... not to step on anybody's toe's, has ANYONE had trouble with spambots AFTER this release??
i should say just wait and see how things go....
There is no problem about it in term of preventing bots. But in most cases, it prevents humans too.
HarzeM I have a bit of a vision issue and can only make out maybe 1 in 10 of the captcha images from the RC3 version. I can at least make out most of yours so hope this development continues on and improves for 1.1 Gold ;D
I'm in contact with development team. I also hope we can improve things. :)
Hi, I don't have the section you quote in my default theme... What am I doing wrong?
Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
if ($context['visual_verification'])
{
echo '
function refreshImages()
{';
if ($context['use_graphic_library'])
echo '
document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
else
echo '
document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
echo '
}';
}
Do you have this at all?
if ($context['visual_verification'])
Quote from: Niko on August 22, 2006, 07:02:16 AM
It does work but it is always same. Some times one of images doesn't show up....
I often see several images fail to load. Here's an example of what was in Apache's access log when that happens:
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=1 HTTP/1.1" 200 120
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=2 HTTP/1.1" 400 38
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=3 HTTP/1.1" 200 119
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=4 HTTP/1.1" 200 128
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=5 HTTP/1.1" 400 38
The error code 400 corresponds to "Bad Request," so I'm guessing the code that generates the image is failing sometimes.
Quote from: HarzeM on August 23, 2006, 04:56:23 AM
Hi everybody,
I'm working on a better captcha. Please have a look at this:
http://www.harzem.com/test/rc3/index.php?action=register
You can request another image to see different fonts and modifications.
- There are more fonts.
- Some fonts are negative images, i.e., white fonts inside dark borders.
- One font is a 3D looking one, and still a negative font.
- Fonts are rotated more
- Fonts are waved, so they are different each time.
(Click on the thumbnails below to see them larger!)
I'm willing to release this as a mod. If developers want to add this as default, I'm willing to give away.
When I look at the registration page in the above quote, I can see the image using Opera, FF, and IE. However I cannot see the registration images for my own board, regardless of whether I use the SMF Default theme or my own customized theme. Any thoughts anyone? Thanks.
EDIT:
Its working for me now, http://www.simplemachines.org/community/index.php?topic=109276.0
About the negative/positive image can't be decided..why could not a script simply get the shape and test that first, then detect if it has "holes" in it, check those holes for matching letters, and finally decide which one was actually a valid letter? I have no idea if it can be done in code even lol.. but since humans make the bot scripts so..(..)
The 3d letters would be worse I reckon..since they are more or less just lines - which humans put togehter as a letter. If you use lines in there of varying thichness(randomly) and even dotted, it would be impossible to read a shape I imagine. Question is if its readable too. :)
Many positive chars also has holes in it, OPRDQAB 09864 , so having holes in them doesn't always mean they are negatives. I have a better explanation in Mod. Concerns, as you have already read it :)
Yes, I know..the OCR script needs to find first borders, then second ones to recognize out signs that have holes. If the shape found is match then its fine..but if not it could do the same search within shape it has, to check if the holes are also symbols or not.
But this is just guesswork of course.
i just want to see, whether I understood everything correctly about this topic,
i do have no problem about the "Request another image think" - it works at my forum,
but sure the piktures are not nice and readably at all,
because each day I have some unpleasant registrations i will have to use the captcha_funktion,
so - what was the point ? - somebody is working on new pictures_? or is it out already_? if so - where to find - if not - when it will be ready - and where to find_?
or do we have to whait for the next smf_Release
due to the reaction to my post, my conclusion is ..... i did not understand anything, but exactly that was the reason for my asks ......., thought I find assistance here, however, yet I thank you anyway .....
Hi,
We are aware of the concerns that some users express with the legibility issues surrounding the CAPTCHA images.
Hopefully this will not be an issue in the final release.
Thanks,
Quote from: Tony on September 01, 2006, 07:29:56 AM
Hi,
We are aware of the concerns that some users express with the legibility issues surrounding the CAPTCHA images.
Hopefully this will not be an issue in the final release.
Thanks,
Great news :) People are still registering to my forum fine, although I find it hard to read the CAPTCHA image personally.
And I've released my mod about visual verification:
http://mods.simplemachines.org/index.php?mod=474
(may be not approved yet while you are reading this.)