Try my new CAPTCHA circle test

Started by akyhne, December 02, 2008, 10:51:21 AM


lax.slash

Some bad news. A SPAM bot using the IP 78.110.175.11 got through. :(

Akyhne


Akyhne

I've had hundreds of spam bots on the forum where I developed the test in the last few days. No one got through.

lax.slash

It has to have been. I'll watch registrations closely for the next few days.

Akyhne

Or else they have a program that has cracked the "listen to the letters" sounds.
As it is now, it reads the ok code and not the fake one. It's pretty easy to change. Just one string.

lax.slash

Quote from: akyhne on December 08, 2008, 04:41:29 PM
Or else they have a program that has cracked the "listen to the letters" sounds.
As it is now, it reads the ok code and not the fake one. It's pretty easy to change. Just one string.

Speech to text - it is possible. I remember I said something about having "Y 5 T NOT X NOT R 6" for the audio, where it says "not" before the letters that shouldn't be included. Why didn't you do that again? Is it just too complicated to code?

Akyhne

I really didn't consider it because the high captcha level is using the same method. And the high level captcha hasn't been broken yet as far as I know. And if they break the audio, it's one string to change so that they can't hear the real code. Then they will hear the complete fake code.

Akyhne

The next beta, which just needs some more testing, will add between 2 and 4 false letters instead of just 2. This makes it much more difficult to guess for bots.
I will attach it here when I'm done testing.

spearfish

Umm... I hate to break the bad news, but:
http://blog.recaptcha.net/2008/12/new-audio-recaptcha.html

Your visual CAPTCHA might be secure as hell. It's the audio portion which is letting bots through:

Quote
We now believe that even such heavy distortions are not enough when the audio CAPTCHAs are restricted to only spoken digits or letters.
...
audio CAPTCHAs based solely on distorted digits (or even letters) can be broken using machine learning techniques. This includes all commonly used audio CAPTCHAs.

Akyhne

The audio is easily solved. Just replace

    if (!createWaveFile($_SESSION['visual_verification_code']))

with

    if (!createWaveFile($_SESSION['visual_fake_verification_code']))

in Register.php. Then all letters are read, including the fake ones.

My captcha is based on this: Letters will always be breakable, so I'm not doing anything about making that part harder than it already is. Only that I make sure my shapes are very close and even touching the letters to confuse even more.
So the security is the shapes themselves.

By the way my captcha has an issue! Every 7-10 times people press the "Listen.." link, the verification shape shown is not the right one. It is a session cookie issue of some kind. I have the same issue in my beta 2 version. That's the reason I didn't release it yet.

ディン1031

About the captcha ;)
There is a small thinking bug in it ;).

If you create a new image (because you could not read it ;P), then the site with the information about what needs to be read is not updated. If this is not needed and will be the same, then you can easily bypass it ;). If it changes, then how will the user know what he needs to read?

Bye
DIN1031
Support only via MOD Thread! NO PM Support!
My Forum: ayu][kult Forum
My Mods: My Small Mod Collection
My Parser: DIN1031's ModParser
Current Info: More away the next days, because I've got too much work to do :x

Akyhne

Hi ディン1031

You will have to explain two things for me:
1) I can see my beta1 is only downloaded one time and I know who that was. So where did you get the .zip file?
2) I'm not sure I understand what it is you are trying to explain.

Akyhne


lax.slash

If you right click and use save as, I don't think it tracks the download. Or, she went to your site and tried it.

I'll test for that bug on my site too.

EDIT: See you posted right before me. I'll download BETA 2 as soon as I have time. :)

lax.slash

Two things:

1) What was changed in this version?
2) I remember you posting about AJAX earlier. Here's a good tutorial link:
w3schools.com/ajax/default.asp

Akyhne

The development has been moved to another site. Therefore smf.e-debatten.dk does not contain the newest version, but actually a pretty old one.


1) Instead of two fake letters, there are now between 2 and 4. With only two fake ones, the chance was ~1:10 to get through by guessing. Now it's much harder.
I had big trouble with sessions, therefore there's now a one second pause in the code to be sure the browser gets the latest session. It can still happen that the figure that shows the new shape will show a wrong shape, but it's rare and I don't suppose people will click more than a few times.
The "request new image" text is also hidden for a few seconds when people click on it, to make sure they don't click many times to stress the progress.
Basically the code has been rewritten with functions to make the code shorter.

2) Hmm, did I ask about Ajax?
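Editor's example, not code from the mod or from anyone in this thread: a minimal sketch of how a challenge made of real plus fake letters can be kept in one session record, so that the audio track reads every displayed letter (the effect of the Register.php change quoted above), and so that a "request another image" call replaces the shape hint and the answer together in one step (the mismatch ディン1031 describes). Every name here is an assumption for the example: newChallenge, audioText, refreshResponse and checkAnswer are hypothetical helpers, a plain $session array stands in for $_SESSION so the script runs from the command line, and the alphabet and shape list are made up.

```php
<?php
// Added example (not the mod's code). A challenge is a set of letters, some
// real and some fake; the user types only the letters drawn inside a shape.
// All state lives in one record so hint and answer are always regenerated together.
declare(strict_types=1);

const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // constructed: no 0/O or 1/I
const SHAPES   = ['circle', 'square', 'triangle', 'diamond']; // constructed list

// Build one challenge: $realCount real letters plus 2 to 4 fake ones, shuffled.
function newChallenge(int $realCount = 5): array {
    $slots = [];
    for ($i = 0; $i < $realCount; $i++) {
        $slots[] = ['c' => ALPHABET[random_int(0, strlen(ALPHABET) - 1)], 'real' => true];
    }
    $fakeCount = random_int(2, 4);
    for ($i = 0; $i < $fakeCount; $i++) {
        $slots[] = ['c' => ALPHABET[random_int(0, strlen(ALPHABET) - 1)], 'real' => false];
    }
    shuffle($slots); // displayed order; real letters are not grouped
    $realOnly = array_filter($slots, fn($s) => $s['real']);
    return [
        'slots'  => $slots,                                   // what the image renders
        'shape'  => SHAPES[random_int(0, count(SHAPES) - 1)], // drawn around real letters
        'answer' => implode('', array_column($realOnly, 'c')), // real letters, display order
        'issued' => time(),
    ];
}

// Text for the audio track: every displayed letter, real and fake, in order.
// Reading only the real letters would hand a speech-to-text bot the answer;
// reading all of them leaves the visual shape as the only way to tell them apart.
function audioText(array $challenge): string {
    return implode(' ', array_column($challenge['slots'], 'c'));
}

// Hint shown next to the image.
function hintText(array $challenge): string {
    return 'Type only the letters inside the ' . $challenge['shape'];
}

// Response to a "request another image" call. The new challenge is stored and
// the new hint is returned in the same response as the new image URL, so the
// client replaces both at once and is never left showing a stale shape.
function refreshResponse(array &$session): string {
    $session['captcha'] = newChallenge();
    return json_encode([
        'image' => 'captcha.php?t=' . $session['captcha']['issued'], // hypothetical endpoint
        'hint'  => hintText($session['captcha']),
    ]);
}

// Verify the user's input: one attempt per challenge, bounded lifetime,
// constant-time comparison against the stored answer.
function checkAnswer(array &$session, string $input, int $ttl = 600): bool {
    if (!isset($session['captcha'])) {
        return false;
    }
    $c = $session['captcha'];
    unset($session['captcha']); // consumed whether or not the answer is right
    if (time() - $c['issued'] > $ttl) {
        return false;
    }
    return hash_equals($c['answer'], strtoupper(trim($input)));
}

// Command-line walk-through with an array standing in for $_SESSION.
$session = [];
echo refreshResponse($session), PHP_EOL;                 // image URL plus matching hint
echo 'audio: ', audioText($session['captcha']), PHP_EOL; // all letters, fake ones included
var_dump(checkAnswer($session, $session['captcha']['answer'])); // correct answer, first try
var_dump(checkAnswer($session, 'ABCDE')); // challenge already consumed by the first check
```

Because refreshResponse regenerates the letters, the shape and the answer in a single server call and returns the hint with the image, the browser never has to wait for "the latest session" to catch up; the one-second pause and the hidden link only paper over a hint and an answer that were written at different times. Discarding the challenge after one check also means repeated guesses against the same image get nowhere, whatever the number of fake letters.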

lax.slash

Quote from: akyhne on December 04, 2008, 01:29:28 PM
When I click "Request another image", I don't know how to get the new shape and color to the browser. I think the only possibility is via Ajax, but I know nothing about Ajax. Any help?

Yup! :)

Akyhne


lax.slash


Akyhne

Did anyone else get through your forum? I think the bot that got through had already opened your forum before you installed the captcha... or it was a human.
