Yeah, that's a good way to do it, but don't block cell phones and VoIP
providers. I heard on some VoIP news site that they block certain providers
by exchange on the outgoing calls you have to verify posts on parts of
Craigslist that require phone verification, whatever those are.

----- Original Message -----
From: "Chris Blouch" <[EMAIL PROTECTED]>
To: "General discussions on all topics relating to the use of Mac OS X by
theblind" <[email protected]>
Sent: Wednesday, June 25, 2008 3:58 PM
Subject: Re: Please Join Me In Making Craigslist Accessible Again

Yes, it's a hard problem. I was talking with some folks about alternative
accessible solutions to Captcha and one possibility was to have the
ability to enter a phone number and then have them call you with an
automated series of letters/numbers read on the phone which you would type
into the web page. This has some of the same benefits of cost to the
hacker and can be rate limited to prevent repeated attacks. As you say, it
also requires some trust and good privacy policy that they won't be using
your number for anything else. Of course I also pointed out that any
school kid would love this service as a prank to ring up somebody's house
at the wee hours of the morning via any web browser. I think this issue
pretty much put an end to that solution.
CB

Jacob Schmude wrote:
The problem with that is the issue of privacy. I'd prefer not to allow
any old forum moderator to have my phone number, for example. Even
getting past that, phone numbers can be faked, and I'd imagine the phone
system would have to be automated, which means that once the
counter-response is figured out it could be cracked rather easily. On top
of that, what if the web site in question isn't in your country of
residence? Some of those international rates can get nasty, at least in
the U.S.

This is a problem with no easy solution, unfortunately, though I
personally believe that questions structured in an odd way that the human
brain could figure out is the best compromise. It has its problems, such
as needing to be familiar with the language in question, but at the same
time I believe it to resolve most of the other problems. Let's face it,
no matter what security measure anyone comes up with there will always be
someone to break it. And the ones trying to make things secure wind up
playing catch-up as their security measures are broken. The question in
my mind is how much security will the end users tolerate? Hopefully it's
a question we won't ever have to actually see answered.

On Jun 20, 2008, at 9:25, Chris Blouch wrote:
This is another example of how to avoid hackers getting in. Add some
real expense and traceable communications to the authentication process.
A hacker doesn't care if they have to try 10000 times to crack one
captcha since they are doing it through some botnet. The bandwidth and
compute power are essentially free and they can hide behind a shield of
relative anonymity. If they have to make a phone call that raises the
bar. For one that call is traceable so if something funny happens it
comes back to a phone number under somebody's name. It also has a real
cost as the phone line or cell phone account costs real money and they
can't automate it so some real human will have to make the call. The
10000 tries now isn't such a great deal.
CB

Dan Eickmeier wrote:
And that is good for those who are on cell phone providers that support
that verification. Mine didn't, and I had to email their support to
get it fixed.

On 19-Jun-08, at 12:21 AM, Chelsea wrote:
Well, that is good for those who have talking cell phones. :(

On Jun 18, 2008, at 9:17 PM, John Moore wrote:
They should do it like Facebook, where they take the Captcha away
when you verify your cell phone number with a code they send you via
text message. When you type the code in right, Captcha becomes
nonexistent.