[BUG - 1.1 RC3] request another captcha image

Started by Harzem, August 22, 2006, 04:42:52 AM


ThomasJ

Looking forward to seeing your mod completed HarzeM :)
Whoops! Did i break that?

ediww

harzem,

i do not want to argue more - you have your opinion, i stay with mine - this is still overkill and overburden. maybe you can make universal captcha smasher, but i guess it is possible to make the captcha module configurable enough so the forum admin can set up it as unique enough. this is about the module, not the image

about the images: pls, still, consider "weaker" (read: simpler to use) images. yours make me dizzy, several people i've shown feeling the same. maybe they are ... err.. futuristic but really, consider simpler ones and make the admin choose. right now i'll use such images only if i do not have other choice.

i'm also surprised to see how many users did not hear about the existing captcha, so - kudos to SMF for putting it in and making the admins think and ask for modules. and make you produce (another) one. maybe better - if you really do not put it too much theory in it.

edi.

Quote from: HarzeM on August 24, 2006, 08:06:16 AM
Quote from: ediww on August 24, 2006, 07:42:59 AM
harzem,

you didn't get it right, definitely

the problem to the attacker is not the captcha image itself, but the need to adapt the system to every forum it wants to attack. so, if the captcha is (relatively) weak, it can be done (let's say it is easy with some tool). BUT this does not remove the problem for the attacker to the small sites - they need to adapt to the particular site. doing so is time consuming, and if you, say, want to spam 100 small sites and want to spam 1 bigger one, it can (i'm guessing, but so are you about weakness) be more consuming to do 100s of modifications than one - so, on the smaller sites (and most of the smf based boards are relatively small) it is not wise to make very complicated captcha.

No, you didn't get me :)
There is no need for 100 modifications or 100 different scripts for 100 different sites. If they are using the same system of captcha, they are all broken with the 1 tool. And if they are all SMF, they do share the same system. So, one single tool for all SMF sites in the world. This is why the captcha should be strong.

And, making it human readable and making it robot readable are different things. Something can be easy to be read by human, but impossible for a robot. Or it can be both impossible (as SMF's default captcha!), or it can be both possible. So, I'm advocating complexity AND human-readability :) We can have complex images and happy users at the same time. The captcha I've posted at the previous page is easily readable by humans (happy users) and still complex for robots.

I agree with the rest of your post. :)
Beep-beep-beep. Beep-woop-woo. Beep-boop.

Harzem

Don't worry, I'll make mine as readable as possible ;)

BTW, thanks for sharing your ideas with me, instead of saying "woot, your's great :P". I'm talking to developers about what can be done.

Cheers :)

Dannii

The little I've read about CAPTCHA says that noise reduction and letter detecting is easily done by bots. The hard part is letter boundaries, which it seems like both SMF's and Harzem's fail at.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Harzem

Quote from: eldacar on August 25, 2006, 08:42:00 AM
The little I've read about CAPTCHA says that noise reduction and letter detecting is easily done by bots. The hard part is letter boundaries, which it seems like both SMF's and Harzem's fail at.

Noise reduction is really easy. Letter detecting is easy as soon as the letter boundaries are detected.

The captcha I've shown is only a mockup created in half an hour. Still, the 3D characters and negative characters are pretty good at hiding letter boundaries. A robot can't detect whether the white part of a char is the actual character, or the dark part.




Have a look at the fourth character. The dark area is the letter. Now have a look at the light area at the third character. You see it is a "T", but it is a white character. A robot can't know whether the light areas are the chars, or the dark areas.

Also have a look at the fifth one. For a robot, it is a connected black line with a white gap inside it. That is either O, P, Q or R. Maybe even D. But probably not F.

I'll add background perturbation (random dark lines, not noise!) to make character borders even more difficult to detect.

Dannii

Hmm you're right I suppose. But, wouldn't it be a little more difficult without flat colours too? Perhaps give noise to the reverse letters too.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

Harzem

Quote from: eldacar on August 25, 2006, 09:05:30 AM
Hmm you're right I suppose. But, wouldn't it be a little more difficult without flat colours too? Perhaps give noise to the reverse letters too.

Yes, I'll make it more difficult, that was just a mockup prepared in half an hour :)
(If I get enough response here)

ediww

i do have a couple more ideas, captcha and the plain spammers are only a part of the problems an administrator can encounter. if you do have the time i'll share.

btw, i've read about the "black borders". obviously you've played with the counterpart a bit or at least have done some reading. by the way, if not already done, take a look at this:

http://www.puremango.co.uk

they have quite fuzzy edges. and also, they do overlap the letters.
see like this (the example is not fully featured etc):

http://irchelp.unibg.org/killimmed/


i've played with this a year or so ago, and it was really fun. but then, i've realized that the messier chars do much more irritation than simpler ones. so, imagine a module with, say, 10 different (also with strength) captchas. in the config, which may or may not be visible in the browser, you do choose which ones to use (more than one). if you do have more than one, the script randomly changes them. if you do not (only one selected) - uses only the selected. if you do not select anything (default setting:) - the developer's choice.

this will make me and my users happy. if smf, the mod and i do ever live to see such complicated attacks, i can easily switch the hardcore ones on.

edi
Quote from: HarzeM on August 25, 2006, 08:39:29 AM
Don't worry, I'll make mine as readable as possible ;)

BTW, thanks for sharing your ideas with me, instead of saying "woot, your's great :P". I'm talking to developers about what can be done.

Cheers :)
Beep-beep-beep. Beep-woop-woo. Beep-boop.

Leipe Po

but... not to step on anybody's toes, has ANYONE had trouble with spambots AFTER this release??
i should say just wait and see how things go....
There is only one thing more important to me than coding:
My Girlfriend

Microsoft - "You've got questions.  We've got dancing paperclips."

adrianbj

I have still had some questionable registrations and posts since the upgrade to RC3, but I guess they could be human registrations - is there any real way to tell?

Harzem

Quote from: Leipe Po on August 25, 2006, 11:05:19 AM
but... not to step on anybody's toes, has ANYONE had trouble with spambots AFTER this release??
i should say just wait and see how things go....

There is no problem about it in terms of preventing bots. But in most cases, it prevents humans too.

Skipdawg

HarzeM I have a bit of a vision issue and can only make out maybe 1 in 10 of the captcha images from the RC3 version. I can at least make out most of yours so hope this development continues on and improves for 1.1 Gold  ;D
Skipdawg's Community

Powered by SMF 1.1.3

Harzem

I'm in contact with development team. I also hope we can improve things. :)

GaryS

Hi, I don't have the section you quote in my default theme... What am I doing wrong?

Quote from: Thantos on August 22, 2006, 08:53:00 AM
Try this:
Find
Code (Register.template.php):

if ($context['visual_verification'])
{
	echo '
	function refreshImages()
	{';
	if ($context['use_graphic_library'])
		echo '
		document.getElementById("verificiation_image").src = "', $context['verificiation_image_href'], '";';
	else
		echo '
		document.getElementById("verificiation_image_1").src = "', $context['verificiation_image_href'], ';letter=1";
		document.getElementById("verificiation_image_2").src = "', $context['verificiation_image_href'], ';letter=2";
		document.getElementById("verificiation_image_3").src = "', $context['verificiation_image_href'], ';letter=3";
		document.getElementById("verificiation_image_4").src = "', $context['verificiation_image_href'], ';letter=4";
		document.getElementById("verificiation_image_5").src = "', $context['verificiation_image_href'], ';letter=5";';
	echo '
	}';
}



Harzem

Do you have this at all?



if ($context['visual_verification'])


placebo3

Quote from: Niko on August 22, 2006, 07:02:16 AM
It does work but it is always same. Some times one of images doesn't show up....

I often see several images fail to load. Here's an example of what was in Apache's access log when that happens:

"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=1 HTTP/1.1" 200 120
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=2 HTTP/1.1" 400 38
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=3 HTTP/1.1" 200 119
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=4 HTTP/1.1" 200 128
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=5 HTTP/1.1" 400 38


The error code 400 corresponds to "Bad Request," so I'm guessing the code that generates the image is failing sometimes.
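
A way to measure how often this happens across a whole access log, as an added example that is not part of the original post: it groups `verificationcode` requests by their `rand` token and lists the letter images that did not return 200. The function name, the five-letter default and the all-zero token are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Matches the request/status part of an access-log entry for one letter image.
LINE_RE = re.compile(
    r'"GET \S*action=verificationcode;rand=(?P<rand>[0-9a-f]+);letter=(?P<letter>\d+)'
    r' HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# The five entries quoted in the post above.
QUOTED_LOG = """\
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=1 HTTP/1.1" 200 120
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=2 HTTP/1.1" 400 38
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=3 HTTP/1.1" 200 119
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=4 HTTP/1.1" 200 128
"GET /forum/index.php?action=verificationcode;rand=aab978e1898cee9b0c41aa4629169a55;letter=5 HTTP/1.1" 400 38
""".splitlines()

# Constructed entries (all-zero token) for a captcha whose five letters all loaded.
CONSTRUCTED_LOG = [
    '"GET /forum/index.php?action=verificationcode;rand=%s;letter=%d HTTP/1.1" 200 120'
    % ("0" * 32, n)
    for n in range(1, 6)
]

def incomplete_captchas(lines, expected_letters=5):
    """Map each rand token to the (letter, status) pairs that did not return 200.

    A letter that was never requested is reported with status None.
    """
    per_rand = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_rand[m["rand"]][int(m["letter"])] = int(m["status"])
    report = {}
    for rand, letters in per_rand.items():
        bad = [(n, letters.get(n)) for n in range(1, expected_letters + 1)
               if letters.get(n) != 200]
        if bad:
            report[rand] = bad
    return report

if __name__ == "__main__":
    for rand, bad in incomplete_captchas(QUOTED_LOG + CONSTRUCTED_LOG).items():
        print(rand, bad)
```

Dividing the number of reported tokens by the number of distinct tokens seen gives the share of registrations where a human was shown an incomplete challenge.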

~dragonfly~

Quote from: HarzeM on August 23, 2006, 04:56:23 AM
Hi everybody,

I'm working on a better captcha. Please have a look at this:
http://www.harzem.com/test/rc3/index.php?action=register
You can request another image to see different fonts and modifications.

- There are more fonts.
- Some fonts are negative images, i.e., white fonts inside dark borders.
- One font is a 3D looking one, and still a negative font.
- Fonts are rotated more
- Fonts are waved, so they are different each time.

(Click on the thumbnails below to see them larger!)

I'm willing to release this as a mod. If developers want to add this as default, I'm willing to give away.


When I look at the registration page in the above quote, I can see the image using Opera, FF, and IE.  However I cannot see the registration images for my own board, regardless of whether I use the SMF Default theme or my own customized theme.  Any thoughts anyone?  Thanks.

EDIT:

It's working for me now, http://www.simplemachines.org/community/index.php?topic=109276.0

bloc

About the negative/positive image can't be decided..why could not a script simply get the shape and test that first, then detect if it has "holes" in it, check those holes for matching letters, and finally decide which one was actually a valid letter? I have no idea if it can be done in code even lol.. but since humans make the bot scripts so..(..)

The 3d letters would be worse I reckon..since they are more or less just lines - which humans put together as a letter. If you use lines in there of varying thickness(randomly) and even dotted, it would be impossible to read a shape I imagine. Question is if it's readable too. :)

Harzem

Many positive chars also have holes in them, OPRDQAB 09864, so having holes in them doesn't always mean they are negatives. I have a better explanation in Mod. Concerns, as you have already read it :)

bloc

Yes, I know..the OCR script needs to find first borders, then second ones to recognize out signs that have holes. If the shape found is match then its fine..but if not it could do the same search within shape it has, to check if the holes are also symbols or not.

But this is just guesswork of course.
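
The hole question discussed in the last few posts can be checked on glyph bitmaps when designing a captcha font. This is an added example, not code from the thread or from SMF; the 7x7 bitmaps and function names are constructed for the illustration. It counts enclosed regions under both readings (dark pixels are the letter, or light pixels are the letter) and shows that a positive "O" and a negative "T" both look like a dark shape with one hole.

```python
from collections import deque
# Constructed 7x7 bitmaps ('#' = dark pixel, '.' = light pixel); not from any real captcha.
POSITIVE_O = [
    ".......",
    ".#####.",
    ".#...#.",
    ".#...#.",
    ".#...#.",
    ".#####.",
    ".......",
]
POSITIVE_T = [
    ".......",
    ".#####.",
    "...#...",
    "...#...",
    "...#...",
    "...#...",
    ".......",
]

def invert(bitmap):
    """Swap dark and light pixels."""
    return ["".join(".#"[c == "."] for c in row) for row in bitmap]
NEGATIVE_T = invert(POSITIVE_T)  # a light "T" cut out of a dark block

def enclosed_regions(bitmap, ink):
    """Count 4-connected regions of non-ink pixels that never touch the image border."""
    h, w = len(bitmap), len(bitmap[0])
    seen = [[False] * w for _ in range(h)]
    holes = 0
    for y in range(h):
        for x in range(w):
            if bitmap[y][x] == ink or seen[y][x]:
                continue
            seen[y][x], queue, touches_border = True, deque([(y, x)]), False
            while queue:
                cy, cx = queue.popleft()
                touches_border |= cy in (0, h - 1) or cx in (0, w - 1)
                for ny, nx in ((cy + 1, cx), (cy - 1, cx), (cy, cx + 1), (cy, cx - 1)):
                    if 0 <= ny < h and 0 <= nx < w and not seen[ny][nx] and bitmap[ny][nx] != ink:
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            holes += 0 if touches_border else 1
    return holes

def hole_profile(bitmap):
    """(holes if dark is the letter, holes if light is the letter)."""
    return enclosed_regions(bitmap, "#"), enclosed_regions(bitmap, ".")
```

With dark taken as ink, `POSITIVE_O` and `NEGATIVE_T` both report one hole, so the count alone does not say which polarity a glyph uses.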
