Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread Tijnema !

On 4/6/07, tedd <[EMAIL PROTECTED]> wrote:

At 2:55 PM +0100 4/6/07, Tijnema ! wrote:
>I know, but animated gifs are still quite easy to read with a bot.

Really?

What if I created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where "E" is located I have a gif (animated or not) pointing
to a letter, which would be the key. How would a bot read that?

Cheers,

tedd


Assuming you're using the same arrow the whole time, you could use md5
check for example. Save MD5 for all directions of the arrow and
compare :)

Tijnema


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php







Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread tedd

At 2:55 PM +0100 4/6/07, Tijnema ! wrote:

I know, but animated gifs are still quite easy to read with a bot.


Really?

What if I created a box surrounded by letters, like so:

A B C
D E F
G H I

However, where "E" is located I have a gif (animated or not) pointing 
to a letter, which would be the key. How would a bot read that?


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread tedd

At 9:24 AM -0400 4/6/07, Robert Cummings wrote:

What I'm saying is that it's a
fairly poor choice from an accessibility perspective.


I thought that as well, but it seems that at least visually impaired 
users using screen readers don't have any problems with it.


Not that I have any support for this claim, but perhaps relying on a 
screen reader requires its use -- I don't know.





 My audio captcha relies on javascript, namely ajax. The problem I had
 was how to deliver the sound once the user requested it from the main
 page. I used  and  tags to accomplish that after
 browser sniffing. However, those tags had to be in a new page to
 play, which required a refresh.


Why do you need to refresh? I had a DHTML/Ajax chat client I built and I
just pumped flash tags into a div to play tones when new messages were
detected. I didn't bother browser sniffing though, just made the
assumption that flash existed.


I tried flash, see:

http://sperling.com/examples/assorted-captcha/

but that required that flash to be turned on and not all visually 
impaired users have a need for flash. In fact, if you do use flash, 
then you have to tell them or they don't know what you're trying to 
do.


It was much simpler to do it the way I did with just html.


I think in general, unless you're hosting a hugely popular site, few will
attempt to custom crack your site's captcha -- there's an expected value
investment to going to the trouble. Perhaps a good system would be to
treat captcha algorithms like passwords, and change the way it works
every few weeks


I've thought about creating a database that would provide questions 
and answers for my captchas. That way I could add questions every day
creating thousands of different combinations of simple questions. 
However, this would require the user to have his own dB and update 
his dB from my site periodically -- thus, a bit more sophisticated 
user. I would be willing to do this once I'm convinced that this 
method would be more accessible than any other.


However, it would be a simple matter for spammy to download all the 
keys from my site and use them thus defeating the whole idea, duh. 
So, if I was to support this method, then each captcha user would
have to come up with their own questions, which could be problematic.


Need to think more.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread tedd

At 10:17 AM -0400 4/5/07, Jason Pruim wrote:

There has to be some commonality -- any suggestions?


Would it be possible to change the phrase in your audio captcha 
depending on the character set chosen by the user? In other words, 
if someone is using a Chinese character set, could you have it say
"3 5 7" in Chinese?


Certainly, that's possible. However, I don't speak any of those languages.

I did think of a way if a user wanted to use my technique could speak 
a single phrase counting from zero to nine and my software could 
create the necessary files from that. So, that could be done -- 
however, I don't have the resources/people to distribute it.


Or maybe just have a button to select to play it in Chinese (Or
French, Dutch, Spanish, etc. etc.)


Interesting -- I had a lengthy discussion as to what that button 
would be. I thought a flag icon would do, but wouldn't work. The 
"best" solution was to use text of the language to spell the language.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread Tijnema !

On 4/6/07, tedd <[EMAIL PROTECTED]> wrote:

At 7:54 PM +0200 4/5/07, Tijnema ! wrote:
>About your dot-captcha program tedd, it's another trick, it hasn't
>been used yet, so somebody needs to look at it to crack. Like Jochem
>said, if someone really wants to break it, he will do it. Making a
>real tough CAPTCHA isn't that hard, it's hard to create a CAPTCHA
>that's easy to the user, but very hard to bots.

I realize that no captcha will be 100 percent successful in keeping
spammy out for if it was then spammy would hire cheap human help to
defeat them. However, that's more expensive than bots and I like
making spammy's job harder and more expensive.

Side note -- I've actually had spammy single me out and do all sorts
of nasty stuff, so my efforts are not going unnoticed.

>I was thinking about animation, very simple like a moving dot. "Did it
>move from left to right, right to left, top to bottom or bottom to
>top?"

What about the dyslexic?

I had a similar idea in that I would present a string like "A7F3"
where I would ask "Please enter the second character from the left."
Unfortunately, those who are dyslexic would have problems with that.


Nah, maybe clarify it with images, then nobody would have trouble
seeing what it does, at least everyone that still can see :)


>As animated images/flash/movies are really tough items to parse for a
>bot. So just creating an AVI made up from a few simple frames.
>Everyone can see if which side the dot moves. But yet, there's no
>movie support in PHP, i discussed this on the internals list, but
>nobody seems interested, and this is the case i need it again :).

For animated images, I use gifs (like a spinning wait gif). Your idea
could be done with that, but again asking someone which way the dot
moves is not accessible -- it even narrows the numbers for the
sighted group.


I know, but animated gifs are still quite easy to read with a bot.


>I was thinking about creating random frames from PHP(also a random
>number, with different frame rates) and then creating an movie from
>that frames. I prefer no compression then, because that would require
>the user to install decoders. I think these days every user has a
>browser supporting inline movies right?
>I know, this wouldn't stop the semi-automatic bots, but i think these
>are very hard to stop. (Unstoppable maybe?)

Php animation could be done via ajax. You need to have something on
the user's side to communicate when to run each php frame. This is
similar to trying to write a php progress bar for up/down-loading --
it's a question of communication and timing.

Cheers,

tedd


Also using this solution, it probably will work, but it will be easy
to crack

Tijnema

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com






Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread tedd

At 7:54 PM +0200 4/5/07, Tijnema ! wrote:

About your dot-captcha program tedd, it's another trick, it hasn't
been used yet, so somebody needs to look at it to crack. Like Jochem
said, if someone really wants to break it, he will do it. Making a
real tough CAPTCHA isn't that hard, it's hard to create a CAPTCHA
that's easy to the user, but very hard to bots.


I realize that no captcha will be 100 percent successful in keeping 
spammy out for if it was then spammy would hire cheap human help to 
defeat them. However, that's more expensive than bots and I like
making spammy's job harder and more expensive.


Side note -- I've actually had spammy single me out and do all sorts 
of nasty stuff, so my efforts are not going unnoticed.



I was thinking about animation, very simple like a moving dot. "Did it
move from left to right, right to left, top to bottom or bottom to
top?"


What about the dyslexic?

I had a similar idea in that I would present a string like "A7F3" 
where I would ask "Please enter the second character from the left." 
Unfortunately, those who are dyslexic would have problems with that.



As animated images/flash/movies are really tough items to parse for a
bot. So just creating an AVI made up from a few simple frames.
Everyone can see if which side the dot moves. But yet, there's no
movie support in PHP, i discussed this on the internals list, but
nobody seems interested, and this is the case i need it again :).


For animated images, I use gifs (like a spinning wait gif). Your idea 
could be done with that, but again asking someone which way the dot 
moves is not accessible -- it even narrows the numbers for the 
sighted group.



I was thinking about creating random frames from PHP(also a random
number, with different frame rates) and then creating an movie from
that frames. I prefer no compression then, because that would require
the user to install decoders. I think these days every user has a
browser supporting inline movies right?
I know, this wouldn't stop the semi-automatic bots, but i think these
are very hard to stop. (Unstoppable maybe?)


Php animation could be done via ajax. You need to have something on 
the user's side to communicate when to run each php frame. This is 
similar to trying to write a php progress bar for up/down-loading -- 
it's a question of communication and timing.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread Robert Cummings
On Fri, 2007-04-06 at 09:08 -0400, tedd wrote:
> At 6:36 PM -0400 4/5/07, Robert Cummings wrote:
> >But still, relying on Javascript is a bit flakey IMHO.
> 
> There's nothing wrong with javascript -- you just need to know its
> limitations.

*lol* You misunderstood me, I'm in no way dissing on Javascript, in fact
I love Javascript, I wish we could re-bind functions and stuff (without
runkit :) and have closures in PHP. What I'm saying is that it's a
fairly poor choice from an accessibility perspective.

> My audio captcha relies on javascript, namely ajax. The problem I had 
> was how to deliver the sound once the user requested it from the main 
> page. I used  and  tags to accomplish that after 
> browser sniffing. However, those tags had to be in a new page to 
> play, which required a refresh.

Why do you need to refresh? I had a DHTML/Ajax chat client I built and I
just pumped flash tags into a div to play tones when new messages were
detected. I didn't bother browser sniffing though, just made the
assumption that flash existed.

>  After that, the user had to be sent 
> back to the main page to enter the key, which required another 
> refresh. A screen reader will re-read each page out-loud upon each 
> refresh and that was unacceptable.
> 
> So, I used ajax to change the main page without a refresh using an 
> iframe tag. That way the sound file was played without refreshing 
> anything. I thought that clever. :-)
> 
> In this case, there was no way to get around using javascript. 
> However, that's not a problem for visually impaired users nor is it a 
> security issue.
> 
> At 6:36 PM -0400 4/5/07, Robert Cummings wrote:
> >Perhaps using two
> >combined systems... more traditional obscured writing on image captcha,
> >or a simple mathematical question for texties, or the system you
> >presented with an audible ding for blind people to know they are within
> >the field of success.
> 
> That's the idea unless I can come up with a way that would be 
> accessible to all. I think simple captchas like "type in the number 
> seven four six" would be one, but that appears easy to crack.

I think in general, unless you're hosting a hugely popular site, few will
attempt to custom crack your site's captcha -- there's an expected value
investment to going to the trouble. Perhaps a good system would be to
treat captcha algorithms like passwords, and change the way it works
every few weeks :) One of the great things about the English language is
that so many things can be written in so many ways. One of the bad
things about the English language is that so many things can be written
in so many ways. :B

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] Audio CAPTCHA review request

2007-04-06 Thread tedd

At 6:36 PM -0400 4/5/07, Robert Cummings wrote:

But still, relying on Javascript is a bit flakey IMHO.


There's nothing wrong with javascript -- you just need to know its
limitations.


My audio captcha relies on javascript, namely ajax. The problem I had 
was how to deliver the sound once the user requested it from the main 
page. I used  and  tags to accomplish that after 
browser sniffing. However, those tags had to be in a new page to 
play, which required a refresh. After that, the user had to be sent 
back to the main page to enter the key, which required another 
refresh. A screen reader will re-read each page out-loud upon each 
refresh and that was unacceptable.


So, I used ajax to change the main page without a refresh using an 
iframe tag. That way the sound file was played without refreshing 
anything. I thought that clever. :-)


In this case, there was no way to get around using javascript. 
However, that's not a problem for visually impaired users nor is it a 
security issue.


At 6:36 PM -0400 4/5/07, Robert Cummings wrote:

Perhaps using two
combined systems... more traditional obscured writing on image captcha,
or a simple mathematical question for texties, or the system you
presented with an audible ding for blind people to know they are within
the field of success.


That's the idea unless I can come up with a way that would be 
accessible to all. I think simple captchas like "type in the number 
seven four six" would be one, but that appears easy to crack.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
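
The server-side half of a simple question captcha of the kind mentioned in this thread ("type in the number seven four six", "What is the sum of two plus three?"), as an added example that is not code from any poster: the expected answer never leaves the server, expires, and is burned after one success or a few misses, so a page scrape or a replayed form post gains nothing. The function names, the `$store` array (pass `$_SESSION` in a web request) and the TTL and retry values are assumptions.

```php
<?php
// Added example, not from the thread. All names and limits are hypothetical.

const CAPTCHA_TTL = 120;       // assumed: seconds a challenge stays valid
const CAPTCHA_MAX_TRIES = 3;   // assumed: wrong answers allowed per challenge
const DIGIT_WORDS = ['zero', 'one', 'two', 'three', 'four',
                     'five', 'six', 'seven', 'eight', 'nine'];

/**
 * Build a question, keep the expected answer in server-side state only,
 * and return the text to display (or to render as an audio file).
 */
function captcha_issue(array &$store, int $now): string
{
    if (random_int(0, 1) === 0) {
        // Form 1: "Type the number seven four six"
        $digits = [random_int(0, 9), random_int(0, 9), random_int(0, 9)];
        $spoken = array_map(fn(int $d): string => DIGIT_WORDS[$d], $digits);
        $question = 'Type the number ' . implode(' ', $spoken);
        $answer = implode('', $digits);
    } else {
        // Form 2: "What is the sum of two plus three?"
        $a = random_int(0, 9);
        $b = random_int(0, 9);
        $question = 'What is the sum of ' . DIGIT_WORDS[$a]
                  . ' plus ' . DIGIT_WORDS[$b] . '?';
        $answer = (string) ($a + $b);
    }

    // Issuing a new challenge overwrites any previous one.
    $store['captcha'] = [
        'answer'  => $answer,
        'expires' => $now + CAPTCHA_TTL,
        'tries'   => 0,
    ];
    return $question;
}

/**
 * Check a submitted answer. The challenge is removed on success, on expiry,
 * and once CAPTCHA_MAX_TRIES wrong answers have been made.
 */
function captcha_verify(array &$store, string $input, int $now): bool
{
    $challenge = $store['captcha'] ?? null;
    if ($challenge === null) {
        return false;                       // nothing issued, or already used
    }
    if ($now > $challenge['expires']) {
        unset($store['captcha']);           // stale challenge
        return false;
    }

    // hash_equals() compares without leaking the match position via timing.
    $ok = hash_equals($challenge['answer'], trim($input));

    $challenge['tries']++;
    if ($ok || $challenge['tries'] >= CAPTCHA_MAX_TRIES) {
        unset($store['captcha']);           // single use, bounded guessing
    } else {
        $store['captcha'] = $challenge;     // remember the failed attempt
    }
    return $ok;
}

// Constructed demo for the CLI, with a fixed clock so runs are repeatable.
$store = [];
$t0 = 1000;
echo captcha_issue($store, $t0), "\n";
$expected = $store['captcha']['answer'];    // server-side knowledge only

var_dump(captcha_verify($store, 'nope', $t0 + 5));       // wrong answer
var_dump(captcha_verify($store, $expected, $t0 + 10));   // correct, in time
var_dump(captcha_verify($store, $expected, $t0 + 11));   // replay of used challenge

captcha_issue($store, $t0);
$expected = $store['captcha']['answer'];
var_dump(captcha_verify($store, $expected, $t0 + CAPTCHA_TTL + 1)); // after expiry
```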




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Robert Cummings
On Thu, 2007-04-05 at 18:14 -0400, tedd wrote:
> Rob:
> 
> Okay, nothing wrong with playing devil's advocate. I'm open to discussion.
> 
> Note, that some of my blind testers report that there are ways for 
> them to move a mouse -- but I haven't a clue as to how they do it or 
> what they "see".
> 
> However, I don't see how adding javascript to move the mouse around 
> presents a security issue -- can anyone explain? As I see it, 
> server-side can still filter out what's input. In the end, it's 
> either right or not.

Part of the problem is relying on Javascript since many people don't
enable it. Additionally it's not found in terminal system. I can't say
how many times I've been stuck in a server room without a graphical
desktop and all I've had is links or lynx to jump on some stupid
manufacturer's site that decided to obliterate their pages by making
pages only accessible via Javascript. I mean, for the blind people in
your example you could easily generate a sound when the mouse passes
over the appropriate area, thus they would have an audible cue to aid.
But still, relying on Javascript is a bit flakey IMHO. Perhaps using two
combined systems... more traditional obscured writing on image captcha,
or a simple mathematical question for texties, or the system you
presented with an audible ding for blind people to know they are within
the field of success.

Cheers,
Rob.



Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread tedd

At 10:59 AM -0400 4/5/07, Robert Cummings wrote:

 > If you're gonna do this, you probably need to remove a little piece in

 your security, which isn't wanted of course :)


I'm just playing devil's advocate... (my mouse isn't really broken) this
is about accessibility after all >:)

Cheers,
Rob.


Rob:

Okay, nothing wrong with playing devil's advocate. I'm open to discussion.

Note, that some of my blind testers report that there are ways for 
them to move a mouse -- but I haven't a clue as to how they do it or 
what they "see".


However, I don't see how adding javascript to move the mouse around 
presents a security issue -- can anyone explain? As I see it, 
server-side can still filter out what's input. In the end, it's 
either right or not.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Tijnema !

What can you do to make audio captchas harder? Add more voice! This is
exactly what google has done on their updated audio captcha. This really
helps, you need a much more fine grained and larger voice model to transcribe
that. I still think it is doable, but the amount of training work that is
involved scares at least me away from actually doing it.

This is the same for the latest image captchas, trying to segment them is
hard (matching the broken segments to determine the character with a
statistical model is relatively easy).


tedd wrote:
>
> Perhaps I'm underestimating the capabilities of bots and
> overestimating the abilities of humans. I suspect that the
> distribution of both camps have an overlap and therein lies the
> problem. The problem may not have a solution.
>
> But to bring this back to my intent -- my intent here is to provide a
> simple audio CAPTCHA that could be used by anyone to provide some
> degree of protection for their personal use THAT would also be
> accessible to screen readers. It's not foolproof, but it appears to
> work in that regard.
>
I think any captcha that is different from a standard library one will help,
you should just know that if someone is really convinced to break it, he/she
can. So think of a captcha and implement it quietly (no bragging how good it
is, that will draw the wrong attention). Standard bots will not be able to
parse it and only if you have a high profile site it will be economically
viable for spammers to break it.


What about semi-automatic bots? They load page and fill in all the
details in the form, and they pass the captcha *shit* to you, you type
over the code and the bot can start spamming right?

About your dot-captcha program tedd, it's another trick, it hasn't
been used yet, so somebody needs to look at it to crack. Like Jochem
said, if someone really wants to break it, he will do it. Making a
real tough CAPTCHA isn't that hard, it's hard to create a CAPTCHA
that's easy to the user, but very hard to bots.

I was thinking about animation, very simple like a moving dot. "Did it
move from left to right, right to left, top to bottom or bottom to
top?"

As animated images/flash/movies are really tough items to parse for a
bot. So just creating an AVI made up from a few simple frames.
Everyone can see if which side the dot moves. But yet, there's no
movie support in PHP, i discussed this on the internals list, but
nobody seems interested, and this is the case i need it again :).
I was thinking about creating random frames from PHP(also a random
number, with different frame rates) and then creating an movie from
that frames. I prefer no compression then, because that would require
the user to install decoders. I think these days every user has a
browser supporting inline movies right?
I know, this wouldn't stop the semi-automatic bots, but i think these
are very hard to stop. (Unstoppable maybe?)

Tijnema




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread jochem


tedd wrote:
> 
> However, I'm not convinced that all sound methodologies can be 
> resolved as simply as that. For example -- your method looks for 
> pauses/high points and then capsulizes segments for comparison 
> against known sounds. That's OK, but what if there is other meaning 
> in the sound?
> 
> I often wondered why simple CAPTCHA's like "Type the number seven 
> four three", or "What is the sum of two plus three?", or "Spell cat", 
> or "Spell two"  wouldn't work? Certainly, one can create a routine 
> coupled a dB to randomly produce thousands of different combinations 
> of simple questions. Likewise, a sound file could be produced the 
> same way.
> 
That will not help much. I have seen this suggestion a lot, see for
example:
http://www.standards-schmandards.com/2005/captcha/ for a nicely written one.

But it makes breaking the captcha a two-step problem. First use speech to
text to make a sentence and then
parse the grammar. Both problems are studied a lot and have lots of
solutions.

The segmentation I use in devoicecaptcha is very naive. I agree, but it
works! There are however better (and more complex) segmentation algorithms
readily available. To break your suggested captcha you just use
devoicecaptcha, but you also train the extra words into the model. So
besides statistics for '1' '2' '3' etc. you also add statistics for the word
'+', 'type' etc. Then you transcribe the voice to text ('add' '2' '3') and
parse that text output for example with a BNF parser. That solves the
problem and gives the solution '5'. 

What can you do to make audio captchas harder? Add more voice! This is
exactly what google has done on their updated audio captcha. This really
helps, you need a much more fine grained and larger voice model to transcribe
that. I still think it is doable, but the amount of training work that is
involved scares at least me away from actually doing it.

This is the same for the latest image captchas, trying to segment them is
hard (matching the broken segments to determine the character with a
statistical model is relatively easy).


tedd wrote:
> 
> Perhaps I'm underestimating the capabilities of bots and 
> overestimating the abilities of humans. I suspect that the 
> distribution of both camps have an overlap and therein lies the 
> problem. The problem may not have a solution.
> 
> But to bring this back to my intent -- my intent here is to provide a 
> simple audio CAPTCHA that could be used by anyone to provide some 
> degree of protection for their personal use THAT would also be 
> accessible to screen readers. It's not foolproof, but it appears to 
> work in that regard.
> 
I think any captcha that is different from a standard library one will help,
you should just know that if someone is really convinced to break it, he/she
can. So think of a captcha and implement it quietly (no bragging how good it
is, that will draw the wrong attention). Standard bots will not be able to
parse it and only if you have a high profile site it will be economically
viable for spammers to break it. 
-- 
View this message in context: 
http://www.nabble.com/Audio-CAPTCHA-review-request-tf3487541.html#a9859801
Sent from the PHP - General mailing list archive at Nabble.com.




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Robert Cummings
On Thu, 2007-04-05 at 16:52 +0200, Tijnema ! wrote:
> On 4/5/07, tedd <[EMAIL PROTECTED]> wrote:
> > At 10:25 AM -0400 4/5/07, Robert Cummings wrote:
> > >  > However, I like my dot captcha (been fixed for IE 5 & IE 6) , see:
> > >>
> > >>  http://sperling.com/examples/dot-captcha/index.php
> > >>
> > >>  As you can "see", it's only for sighted users.
> > >
> > >My mouse is broken and I couldn't navigate to it using my keyboard! :B
> > >
> > >Cheers,
> > >Rob.
> >
> > Rob:
> >
> > How do you do that?
> >
> > Is there a php or javascript solution? I'm open to suggestion.
> >
> > Cheers,
> >
> > tedd
> 
> If you're gonna do this, you probably need to remove a little piece in
> your security, which isn't wanted of course :)

I'm just playing devil's advocate... (my mouse isn't really broken) this
is about accessibility after all >:)

Cheers,
Rob.



Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Tijnema !

On 4/5/07, tedd <[EMAIL PROTECTED]> wrote:

At 10:25 AM -0400 4/5/07, Robert Cummings wrote:
>  > However, I like my dot captcha (been fixed for IE 5 & IE 6) , see:
>>
>>  http://sperling.com/examples/dot-captcha/index.php
>>
>>  As you can "see", it's only for sighted users.
>
>My mouse is broken and I couldn't navigate to it using my keyboard! :B
>
>Cheers,
>Rob.

Rob:

How do you do that?

Is there a php or javascript solution? I'm open to suggestion.

Cheers,

tedd


If you're gonna do this, you probably need to remove a little piece in
your security, which isn't wanted of course :)

Tijnema

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread tedd

At 10:25 AM -0400 4/5/07, Robert Cummings wrote:

 > However, I like my dot captcha (been fixed for IE 5 & IE 6) , see:


 http://sperling.com/examples/dot-captcha/index.php

 As you can "see", it's only for sighted users.


My mouse is broken and I couldn't navigate to it using my keyboard! :B

Cheers,
Rob.


Rob:

How do you do that?

Is there a php or javascript solution? I'm open to suggestion.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread tedd

At 3:39 PM +0200 4/5/07, Tijnema ! wrote:

Still, I don't see any way that a computer could make the difference
between a user and a computer. Because some computers can't be smarter
than others. It's only the way they're programmed.

Tijnema


Tijnema:

You may very well be correct. I've often said that anything a 
computer can generate another computer can interpret. However, there 
are differences between the two technologies with respect to timing 
(a technology lag) and cost. If one develops a better captcha, there 
will be a lag time between its introduction and spammer's catch-up.
Also, what's the cost involved between development of the captcha as 
compared to cost for its solution? If the cost for development is
less then it may simply cost the spammer too much to keep up.


On these two points, I have to say it's possible to develop a captcha 
that will work. However, that isn't saying that the captcha will be 
accessible to all.


We may find ourselves at a point of asking the disabled (or anyone) 
to take an alternate path for contributing. Such as, sending an email 
asking for a password allowing them to contribute to a blog for 
example.


However, a spammer could do the same. But, if you pass all requesting 
emails through a spam filter, like spamcop.net, then that should 
reduce spam to an acceptable level.


Perhaps I don't fully understand the problem, but there are many 
things here to consider before giving up.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Robert Cummings
On Thu, 2007-04-05 at 10:19 -0400, tedd wrote:
> At 3:39 PM +0200 4/5/07, Tijnema ! wrote:
> >Yes, but using a too hard protection where it isn't needed makes
> >people irritated and they will hate your site. If you're using more
> >than 1 CAPTCHA program on a simple board for example. But if you have
> >a site like the NSA, yes, then it wouldn't be very strange to use 10
> >different CAPTCHA programs.
> >
> >Tijnema
> 
> Tijnema:
> 
> I sent this to Daevid off-list because I was trying not to continue a 
> topic that is not specifically php, but instead deals with a problem 
> that may be solvable/mitigated by a php script (I know very thin 
> thread there to keep this php related).
> 
> However, I like my dot captcha (been fixed for IE 5 & IE 6) , see:
> 
> http://sperling.com/examples/dot-captcha/index.php
> 
> As you can "see", it's only for sighted users.

My mouse is broken and I couldn't navigate to it using my keyboard! :B

Cheers,
Rob.



Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread tedd

At 3:39 PM +0200 4/5/07, Tijnema ! wrote:

Yes, but using a too hard protection where it isn't needed makes
people irritated and they will hate your site. If you're using more
than 1 CAPTCHA program on a simple board for example. But if you have
a site like the NSA, yes, then it wouldn't be very strange to use 10
different CAPTCHA programs.

Tijnema


Tijnema:

I sent this to Daevid off-list because I was trying not to continue a 
topic that is not specifically php, but instead deals with a problem 
that may be solvable/mitigated by a php script (I know very thin 
thread there to keep this php related).


However, I like my dot captcha (been fixed for IE 5 & IE 6) , see:

http://sperling.com/examples/dot-captcha/index.php

As you can "see", it's only for sighted users.

Using that type of captcha coupled with asking questions (such as 
click the green dot while presenting several different colored dots) 
and providing several captchas in session to pass, could raise the 
level of security quite high while not inconveniencing the user too 
much -- or so I think.


Remember, spam bots have no information as to what to present for 
entry and visual recognition routines would have a lot of trouble 
with these as my imagination and coding can change with much less 
effort. It makes for an interesting problem.


Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Jason Pruim


On Apr 5, 2007, at 10:08 AM, tedd wrote:

> That's a good point. Not only should a captcha be accessible by
> sighted, visually impaired, deaf-blind, cognitive impaired, and
> other disabilities not mentioned, but also deal with all languages
> as well.
>
> It certainly sounds impossible, but what are the commonalities of
> the above groups?
>
> Clearly specific languages won't work. However, similar problems
> arose in maritime and aviation industries where different
> nationality captains were/are required to know specific "English"
> words to pilot globally. So, the net may present some words that
> should be recognized by all, but that's not up to me, but rather to
> the consensuses of the net to develop. For example, perhaps "About"
> and "Home" may be good candidates, if you see what I mean.
>
> If not language, what?  Mathematical symbols, Dingbats,
> Miscellaneous symbols, General Punctuation from the Unicode dB may
> be candidates for a more universal basis for communication. But how
> does one convey that information to everyone? Hell, some current
> browsers still can't render Unicode correctly in the url's, let
> alone a way to "show" them to screen readers. In addition, even
> OS's make it hard for user to even enter/use those type of
> characters (except for Mac of course).
>
> There has to be some commonality -- any suggestions?

Would it be possible to change the phrase in your audio captcha
depending on the character set chosen by the user? In other words, if
someone is using a Chinese character set, could you have it say "3 5
7" in Chinese?

Or maybe just have a button to select to play it in Chinese (Or
French, Dutch, Spanish, etc. etc.)

> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php




--

Jason Pruim
[EMAIL PROTECTED]
Production & Technology Manager
MQC Specialist (2005 certified)
3251 132nd Ave
Holland MI 49424
616.399.2355
www.raoset.com


"We hold these truths to be self-evident. That all men are created  
equal, that they are endowed by their creator with certain  
unalienable rights, (and) that among these are Life, Liberty, and the  
pursuit of Happiness."







Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread tedd

At 3:28 PM +0200 4/5/07, Tijnema ! wrote:

> > I often wondered why simple CAPTCHA's like "Type the number seven
> > four three", or "What is the sum of two plus three?", or "Spell cat",
> > or "Spell two"  wouldn't work? Certainly, one can create a routine
> > coupled a dB to randomly produce thousands of different combinations
> > of simple questions. Likewise, a sound file could be produced the
> > same way.
>
> This could get hard for people, not everybody does understand a lot of
> English. So if you're asking a question, it does also get harder for
> some humans and that's not what we are looking for.
>
> Tijnema


That's a good point. Not only should a captcha be accessible by 
sighted, visually impaired, deaf-blind, cognitive impaired, and other 
disabilities not mentioned, but also deal with all languages as well.


It certainly sounds impossible, but what are the commonalities of the 
above groups?


Clearly specific languages won't work. However, similar problems 
arose in maritime and aviation industries where different nationality 
captains were/are required to know specific "English" words to pilot 
globally. So, the net may present some words that should be 
recognized by all, but that's not up to me, but rather to the 
consensuses of the net to develop. For example, perhaps "About" and 
"Home" may be good candidates, if you see what I mean.


If not language, what?  Mathematical symbols, Dingbats, Miscellaneous 
symbols, General Punctuation from the Unicode dB may be candidates 
for a more universal basis for communication. But how does one convey 
that information to everyone? Hell, some current browsers still can't 
render Unicode correctly in the url's, let alone a way to "show" them 
to screen readers. In addition, even OS's make it hard for user to 
even enter/use those type of characters (except for Mac of course).


There has to be some commonality -- any suggestions?

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-05 Thread Tijnema !

> I often wondered why simple CAPTCHA's like "Type the number seven
> four three", or "What is the sum of two plus three?", or "Spell cat",
> or "Spell two"  wouldn't work? Certainly, one can create a routine
> coupled a dB to randomly produce thousands of different combinations
> of simple questions. Likewise, a sound file could be produced the
> same way.


This could get hard for people, not everybody does understand a lot of
English. So if you're asking a question, it does also get harder for
some humans and that's not what we are looking for.

Tijnema




RE: [PHP] Audio CAPTCHA review request

2007-04-04 Thread Daevid Vincent
> I often wondered why simple CAPTCHA's like "Type the number seven 
> four three", or "What is the sum of two plus three?", or "Spell cat", 
> or "Spell two"  wouldn't work? Certainly, one can create a routine 
> coupled a dB to randomly produce thousands of different combinations 
> of simple questions. Likewise, a sound file could be produced the 
> same way.

HA! I was just about to write you that I just had this same "brainstorm".

Seems like it would be pretty hard to have a bot figure out "what is the sum
of two plus three?". I bet it would work like a champ (assuming you were
helpful enough on your end to accept either "five" or "5"... 

It drives me insane trying to post on the PHP.net function comments and it
asks me that irritating question and I forget to spell out the answer. UGH!
BTW, I should mention, I'm no fan of CAPTCHA in any form. Digg uses it, and
it pisses me off because they do it for login and for posting. Seems it's
all the rage with the kids these days, and I wonder how effective it is
compared to how many people just won't post because of it -- I know I don't.

> But to bring this back to my intent -- my intent here is to provide a 
> simple audio CAPTCHA that could be used by anyone to provide some 
> degree of protection for their personal use THAT would also be 
> accessible to screen readers. It's not foolproof, but it appears to 
> work in that regard.

Not sure you can make a "one size fits all drop in CAPTCHA killa app". I
think you can give someone the tools to do it (like how do I play an audio
file, and know that the webform submitted an answer and if it matches, etc.)
But like most security mechanisms, "one is not enough". It's ultimately up
to the developer to implement and extend the tools to fit their own needs
for the project. If you want to prevent 30% of spambots, then your simple
solution may be enough. If you're protecting a presidential candidate's blog
page, you probably need more protection in the 70%. If you're working for
the NSA, then a secure login is going to be a first line of defense...

Daevid.




Re: [PHP] Audio CAPTCHA review request

2007-04-04 Thread tedd

At 2:30 PM -0700 4/3/07, jochem wrote:

> Since you are asking for review: this audio captcha is almost certainly
> easily breakable.
>
> Tijnema is right with most of his comments, open source voice recognition
> software (the code he pointed to like spynx) will break this.
>
> I disagree with his point 3) below, obfuscating the speech with different
> bitrates etc. will in my opinion not work.
>
> How do I know? Unfortunately I do not have the time to properly test it, but
> I wrote a devoicecaptcha script to break the voice captchas of microsoft,
> google and paypal. You can download the code and test it with your code, see
> http://vorm.net/captchas.
>
> So unfortunately for you it will not work against spammers, but you are in
> good company of people trying ;-).


Jochem:

Thanks for the link, article (very interesting), and advice.

The voice files that I am using could certainly be resolved by your 
method -- they are simple and your solution is pretty straightforward.


However, I'm not convinced that all sound methodologies can be 
resolved as simply as that. For example -- your method looks for 
pauses/high points and then capsulizes segments for comparison 
against known sounds. That's OK, but what if there is other meaning 
in the sound?


I often wondered why simple CAPTCHA's like "Type the number seven 
four three", or "What is the sum of two plus three?", or "Spell cat", 
or "Spell two"  wouldn't work? Certainly, one can create a routine 
coupled a dB to randomly produce thousands of different combinations 
of simple questions. Likewise, a sound file could be produced the 
same way.


Perhaps I'm underestimating the capabilities of bots and 
overestimating the abilities of humans. I suspect that the 
distribution of both camps have an overlap and therein lies the 
problem. The problem may not have a solution.


But to bring this back to my intent -- my intent here is to provide a 
simple audio CAPTCHA that could be used by anyone to provide some 
degree of protection for their personal use THAT would also be 
accessible to screen readers. It's not foolproof, but it appears to 
work in that regard.


Interesting discussion -- thanks for your perspective.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




RE: [PHP] Audio CAPTCHA review request

2007-04-04 Thread tedd

At 4:59 PM -0700 4/3/07, Daevid Vincent wrote:

> > -Original Message-
> > From: Daevid Vincent [mailto:[EMAIL PROTECTED]
> >
> > I will point you at http://www.cepstral.com/ for a possible
> > solution to your
> > .mp3 usage. You could use Cepstral's "swift" tool to say the text
> > dynamically.
>
> Actually Ted, what I was referring to was that you could say actual "words"
> like "rainbow6", or even made up strings such as "A35SFX". Much like a text
> captcha does. As it stands, I think most audio captchas use simply digits,
> which means you only need to understand [0-9] in your voice-breaker-code
> (http://vorm.net/captchas). Mixing in letters means another 26 variants, and
> if you went with words (which 'swift' will 'speak'), then you're in another
> stratosphere all together...


D. Vin:

That's an interesting idea. As I said in my last post on this subject 
sound files can convey different meanings than just recognizing that 
the word "seven" means providing 7 as a solution.


However, we run into the problem of those with cognitive disabilities 
who may not be able to resolve the CAPTCHA solution.


As I see it, this is a double edged sword. If a blog, for example, 
requires cognitive skills to derive benefit from, is it unreasonable 
to present a cognitive problem for the user to solve?


Let's take an extreme example -- What if you had a blog that 
discussed color arrangements, would it be acceptable for the blog 
owner to put up a color-blind CAPTCHA?


Interesting topics for discussion, but probably not for this list.

Thanks everyone.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




RE: [PHP] Audio CAPTCHA review request

2007-04-03 Thread Daevid Vincent
> -Original Message-
> From: Daevid Vincent [mailto:[EMAIL PROTECTED] 
>
> I will point you at http://www.cepstral.com/ for a possible 
> solution to your
> .mp3 usage. You could use Cepstral's "swift" tool to say the text
> dynamically.

Actually Ted, what I was referring to was that you could say actual "words"
like "rainbow6", or even made up strings such as "A35SFX". Much like a text
captcha does. As it stands, I think most audio captchas use simply digits,
which means you only need to understand [0-9] in your voice-breaker-code
(http://vorm.net/captchas). Mixing in letters means another 26 variants, and
if you went with words (which 'swift' will 'speak'), then you're in another
stratosphere all together...

D.Vin




Re: [PHP] Audio CAPTCHA review request

2007-04-03 Thread jochem

Since you are asking for review: this audio captcha is almost certainly
easily breakable.

Tijnema is right with most of his comments, open source voice recognition
software (the code he pointed to like spynx) will break this.

I disagree with his point 3) below, obfuscating the speech with different
bitrates etc. will in my opinion not work.

How do I know? Unfortunately I do not have the time to properly test it, but
I wrote a devoicecaptcha script to break the voice captchas of microsoft,
google and paypal. You can download the code and test it with your code, see
http://vorm.net/captchas. 

So unfortunately for you it will not work against spammers, but you are in
good company of people trying ;-). 

Regards,

Jochem.


Tijnema ! wrote:
> 
> 
> 
> I would like to give a few comments on your script:
> 
> 1) it looks like that
> http://www.sperling.com/examples/captcha/tmp/access.mp3, without a
> code, always returns the same value :) 284
> 
> 2) About the timeout, you should set it at least less than 24 hrs, I
> should do about 6 hrs, that's enough for somebody to enter the code,
> but a hacker doesn't want to update his code every 6 hrs.
> 
> 3) Then about the cracking of audio, if you keep the audio files the
> same, it shouldn't be too hard to crack once you can read the audio
> frames. Store each few audio frames for each number, and compare them
> once you want to crack it.
> A very simple way to avoid this is that you generate audio on
> different bit rates, and use VBR/CBR randomly. Speech recognition
> isn't working very well, and I don't think it would be able to get
> these numbers from the audio, but I have too less experience with
> speech recognition.
> 
> 4) You couldn't only depend on this audio thing inside a script. I
> know this has been said before, but when you are using images here, it
> probably makes your script more insecure.
> 
> But it's surely nice done :)
> 
> Tijnema
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
> 




RE: [PHP] Audio CAPTCHA review request

2007-04-02 Thread Daevid Vincent
I think what you're doing is very interesting.

I will point you at http://www.cepstral.com/ for a possible solution to your
.mp3 usage. You could use Cepstral's "swift" tool to say the text
dynamically.

Another suggestion on your security: put in a random delay after
unsuccessful attempts. This can help a DoS from hammering your box. And log
how many attempts failed. After say 3 attempts, lock the user's account. If
you're really clever/paranoid, add the cracker's IP to your firewall "deny"
file. This of course is all dependent upon how secure/paranoid you want to
be.

> -Original Message-
> From: tedd [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, March 29, 2007 9:41 AM
> To: php-general@lists.php.net
> Subject: [PHP] Audio CAPTCHA review request
> 
> Hi gang:
> 
> If you people would be so kind as to review this:
> 
> http://sperling.com/examples/captcha/
> 
> and tell me what you think (ease of use, if it works, security, 
> etc.), I would appreciate it.
> 
> The point is to be able to get to the "Congratulations" page by 
> hearing and entering the key. If you can get there some other way or 
> defeat the process, I sure would like to know about it.
> 
> I've tested this with a couple of dozen blind users and they find no 
> problems with it. Now, I'd like to test it for the sighted.
> 
> It's a mixture of several languages, but there is php in it, so I 
> guess it's on topic.
> 
> Cheers,
> 
> tedd
> 
> -- 
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 




Re: [PHP] Audio CAPTCHA review request

2007-04-01 Thread tedd

At 3:02 AM -0500 4/1/07, Richard Lynch wrote:

> On Fri, March 30, 2007 2:23 am, Tijnema ! wrote:
> > Speech recognition
> > isn't working very well, and I don't think it would be able to get
> > these numbers from the audio, but I have too less experience with
> > speech recognition.
>
> Put it this way:
>
> If Corporate America uses speech recognition on national 1-800 numbers
> successfully, with every accent from NYC to Alabama to Minnesota, what
> are the odds that Tedd's audio samples, even muddied up a bit, are
> going to be a challenge?...


Is that true?

I read an article about Japan's speech recognition as being very 
successful because of the purity of their language's phonetics and 
used English as an example of being problematic.


Every time I'm asked to say my credit card number over the phone to 
some speech recognition algorithm, the human operator always asks for 
it again.


But, in support of your claim, I think you are probably correct -- I 
just don't know for sure.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-04-01 Thread Richard Lynch
On Fri, March 30, 2007 2:23 am, Tijnema ! wrote:
> Speech recognition
> isn't working very well, and I don't think it would be able to get
> these numbers from the audio, but I have too less experience with
> speech recognition.

Put it this way:

If Corporate America uses speech recognition on national 1-800 numbers
successfully, with every accent from NYC to Alabama to Minnesota, what
are the odds that Tedd's audio samples, even muddied up a bit, are
going to be a challenge?...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Audio CAPTCHA review request

2007-03-31 Thread Richard Lynch
On Thu, March 29, 2007 3:50 pm, tedd wrote:
>>And because you can't do anything on the internet without bumping
>>into adult material. Don't worry, this is safe... no pics or bad
>>words, just an article about using porn sites to break visual
>>CAPTCHA.  The spambots would take your visual CAPTCHA images and
>>post it to their site which offers users free porn if they pass the
>>CAPTCHA. And there's no lack of people wanting free porn so sounds
>>like it was fairly effective:
>>http://www.boingboing.net/2004/01/27/solving_and_creating.html
>
> Now that is clever. However, I am having difficulty seeing just how
> they can obtain and use the information provided. For example, if I
> say the key for a specific CAPTCHA is 123 -- then how can that help a
> spammer because when he returns to the site, the CAPTCHA would have
> changed?
>
> Can you explain how that works?

They take your CAPTCHA in real-time, with curl, pass it on to their
users, who give them the answer, and they give the answer, still in
real-time, back to you, allowing their user in, only if you let them
in.

I.e., they make a "mirror CAPTCHA" of your CAPTCHA, and unlock their
door, only if you unlock yours.  [I think a bad joke on "You show me
yours and I'll show you mine" is in order at this point...]

The thing I find most interesting about this, however, is that it's
URBAN LEGEND.

This technique was DESCRIBED at a Conference as a way to beat CAPTCHA,
and within days it's all over the Internet as "known technique". 
Guess that's the effect of having "porn" as the solution.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Audio CAPTCHA review request

2007-03-31 Thread Richard Lynch
On Thu, March 29, 2007 6:46 pm, TG wrote:
> On Thu, March 29, 2007 3:45 pm, Tijnema ! wrote:
>> You're maybe on the right path, adding images as the background makes
>> it really hard to read the code from the image. You could for example
>> use random images as background.
>
> Some of the CAPTCHA methods listed as being difficult for the PWNtcha guys
> to break involved using a variety of colorful backgrounds and other strong
> mutations.  The stronger the mutation and harder for a machine to read,
> tended to also mean that humans had a harder time reading it as well. The
> idea is to break the pattern enough to make it difficult on machines, but
> easy on people.  But then we fall into the same old conundrum of better
> security versus a system that's more difficult/cumbersome/tedious/annoying
> to the user.  As always, we have to find a balance between "good enough"
> and "easy enough".

I think we are at the point in image/voice recognition that if you're
at the stage where you are fighting against somebody trying to crack
the CAPTCHA at that level, the difficulty for human versus computer is
such a THIN line, that you might as well just give up.

Truly, it is simply NOT that difficult to write something to crack a
CAPTCHA at rates close to human error margin.

This has been demonstrated for MOST of the CAPTCHAs out there.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Audio CAPTCHA review request

2007-03-31 Thread Richard Lynch
I am relatively certain that the QUICKTIME instructions are irrelevant
on Linux...

Unless they finally released QT for Linux while I wasn't paying
attention...

On Fri, March 30, 2007 1:15 am, Zoltán Németh wrote:
> On Thursday, 2007-03-29 at 22:00, Tijnema ! wrote:
>> On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
>> > On Thursday, 2007-03-29 at 21:52, Tijnema ! wrote:
>> > > On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
>> > > > works fine on XP/IE7
>> > > > but still tells me to install some unknown plugin on
>> ubuntu/firefox
>> > > >
>> > > > greets
>> > > > Zoltán Németh
>> > >
>> > > That unknown plugin would probably some audio player.
>> >
>> > yes I was sure it is some kind of audio plugin :)
>> > can you tell me exactly what to install?
>> >
>> > greets
>> > Zoltán Németh
>>
>> I have actually no idea, but this might help you:
>> http://www.boutell.com/newfaq/browser/reinstallquicktime.html
>
> ehh, actually an "apt-get install mozilla-mplayer" solved the problem
> ;)
> now the captcha works fine on my linux too
>
> greets
> Zoltán Németh
>
>>
>> Tijnema
>> >
>> > >
>> > > Tijnema
>> > > >
>> > > > On Thursday, 2007-03-29 at 12:41, tedd wrote:
>> > > > > Hi gang:
>> > > > >
>> > > > > If you people would be so kind as to review this:
>> > > > >
>> > > > > http://sperling.com/examples/captcha/
>> > > > >
>> > > > > and tell me what you think (ease of use, if it works,
>> security,
>> > > > > etc.), I would appreciate it.
>> > > > >
>> > > > > The point is to be able to get to the "Congratulations" page
>> by
>> > > > > hearing and entering the key. If you can get there some
>> other way or
>> > > > > defeat the process, I sure would like to know about it.
>> > > > >
>> > > > > I've tested this with a couple of dozen blind users and they
>> find no
>> > > > > problems with it. Now, I'd like to test it for the sighted.
>> > > > >
>> > > > > It's a mixture of several languages, but there is php in it,
>> so I
>> > > > > guess it's on topic.
>> > > > >
>> > > > > Cheers,
>> > > > >
>> > > > > tedd
>> > > > >
>> > > > > --
>> > > > > ---
>> > > > > http://sperling.com  http://ancientstones.com
>> http://earthstones.com
>> > > > >
>> > > >
>> > > > --
>> > > > PHP General Mailing List (http://www.php.net/)
>> > > > To unsubscribe, visit: http://www.php.net/unsub.php
>> > > >
>> > > >
>> >
>> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Audio CAPTCHA review request

2007-03-30 Thread tedd

At 8:20 PM -0400 3/29/07, TG wrote:

> > Not as hard as you might think. You don't have to identify it as a
> > pig but rather as the spectral properties that a pig image displays.
> > It's like part recognition on an assembly line.
>
> Are you incinerating pigs and doing spectral analysis on them to see what
> they're composed of, again?

No, it's a technique that I read about where an assembly line may 
have more than one type of object and the object can be in any 
orientation. The problem is that they need to identify and count each 
object that passes by automatically.


Now, taking an image of the object in question and then comparing 
that image to every possible orientation would be very time 
consuming. As such, they developed another method.


The method goes like this -- take a picture of the object, run it 
through an FFT and get its spectral properties (frequency envelope 
-- amp v frequency). Then compare that envelope with envelopes of 
unknown objects to see if they match. You see, with the correct 
lighting and such, the spectral properties of an object will be the 
same regardless of its orientation. Neat huh?


I did something like that many years ago using EKG's. It provided an 
intelligent system that would flag possible heart disease by 
comparing the unknown heart EKG (the patient) to known EKG anomalies 
(known heart diseases). Rather leading edge at the time -- but, old 
stuff now. However, there's still a lot to do if anyone wants to hire 
me for this type of research. I hate it when employers get something 
worthwhile, think that's all there is, and then vanish without 
investigating it further. There's so much more. Oh well, they have 
the money and I don't.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-30 Thread tedd

> Trivia: FedEx and UPS boxes use Simplex locks.  Typically 5 digits that
> can only be pressed once each. You can press multiple buttons at once
> though, adding to the permutation a little bit.  But in the end, this
> still only provides roughly 1000 unique combinations.  The average child's
> Master Lock has over 64,000 combinations.
>
> I drop my packages off at the store. :)
>
> -TG


TG:

Further trivia -- as I understand it, most lock and even car 
manufacturers use far less combinations in their locks. More than once 
I have been able to open someone else's Master Lock with one of my 
keys. And, there have been many stories about people driving away in 
a car they thought was theirs because their key worked.


I do know that when I was a MP in the service, I saw towing services 
use a key chain with less than 100 keys to open every common car make 
made. So, I think we are less secure than we imagine.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !



I would like to give a few comments on your script:

1) it looks like that
http://www.sperling.com/examples/captcha/tmp/access.mp3, without a
code, always returns the same value :) 284

2) About the timeout, you should set it at least less than 24 hrs, I
should do about 6 hrs, that's enough for somebody to enter the code,
but a hacker doesn't want to update his code every 6 hrs.

3) Then about the cracking of audio, if you keep the audio files the
same, it shouldn't be too hard to crack once you can read the audio
frames. Store each few audio frames for each number, and compare them
once you want to crack it.
A very simple way to avoid this is that you generate audio on
different bit rates, and use VBR/CBR randomly. Speech recognition
isn't working very well, and I don't think it would be able to get
these numbers from the audio, but I have too less experience with
speech recognition.

4) You couldn't only depend on this audio thing inside a script. I
know this has been said before, but when you are using images here, it
probably makes your script more insecure.

But it's surely nice done :)

Tijnema
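
Points 1 and 2 of the message above (an audio URL that answers with a fixed value when no code is supplied, and a bounded lifetime for each key), as an added example that is not part of the thread or of tedd's script. Function names and the session layout are hypothetical; the six hour lifetime is the figure from point 2, and single-use keys are an added assumption.

```php
<?php
declare(strict_types=1);

// Added example, not tedd's script. Function names and the session layout are
// hypothetical; pass $_SESSION where the demo passes a plain array.
const CAPTCHA_TTL = 6 * 3600; // the "about 6 hrs" suggested in point 2

/** Create a fresh random key and remember when it was issued. */
function issueChallenge(array &$session, int $now, int $digits = 3): string
{
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= (string) random_int(0, 9); // CSPRNG, not rand()
    }
    $session['captcha'] = ['code' => $code, 'issued' => $now];
    return $code;
}

/** Return the live challenge, or null when none exists or it has expired. */
function liveChallenge(array $session, int $now): ?array
{
    $c = $session['captcha'] ?? null;
    if (!is_array($c) || $now - $c['issued'] > CAPTCHA_TTL) {
        return null;
    }
    return $c;
}

/**
 * What the audio endpoint may speak. Null means "answer 404": a request
 * that carries no live challenge never falls back to a default clip.
 */
function codeForAudio(array $session, int $now): ?string
{
    return liveChallenge($session, $now)['code'] ?? null;
}

/** Check an answer. The challenge is consumed whether or not it matches. */
function verifyAnswer(array &$session, string $answer, int $now): bool
{
    $c = liveChallenge($session, $now);
    unset($session['captcha']); // single use: a wrong guess forces a new key
    if ($c === null) {
        return false;
    }
    $answer = preg_replace('/\s+/', '', $answer) ?? ''; // accept "2 8 4"
    return hash_equals($c['code'], $answer);
}

// Constructed demo with a fake clock.
$session = [];
$t0 = 1175200000;
var_dump(codeForAudio($session, $t0));                          // nothing issued yet
$code = issueChallenge($session, $t0);
var_dump(codeForAudio($session, $t0 + 60) === $code);           // live challenge
var_dump(verifyAnswer($session, $code, $t0 + 120));             // first, correct answer
var_dump(verifyAnswer($session, $code, $t0 + 180));             // same key replayed
$code = issueChallenge($session, $t0);
var_dump(verifyAnswer($session, $code, $t0 + CAPTCHA_TTL + 1)); // answered after expiry
```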




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Zoltán Németh
On Thursday, 2007-03-29 at 22:00, Tijnema ! wrote:
> On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
> > On Thursday, 2007-03-29 at 21:52, Tijnema ! wrote:
> > > On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
> > > > works fine on XP/IE7
> > > > but still tells me to install some unknown plugin on ubuntu/firefox
> > > >
> > > > greets
> > > > Zoltán Németh
> > >
> > > That unknown plugin would probably some audio player.
> >
> > yes I was sure it is some kind of audio plugin :)
> > can you tell me exactly what to install?
> >
> > greets
> > Zoltán Németh
> 
> I have actually no idea, but this might help you:
> http://www.boutell.com/newfaq/browser/reinstallquicktime.html

ehh, actually an "apt-get install mozilla-mplayer" solved the problem ;)
now the captcha works fine on my linux too

greets
Zoltán Németh

> 
> Tijnema
> >
> > >
> > > Tijnema
> > > >
> > > > On Thursday, 2007-03-29 at 12:41, tedd wrote:
> > > > > Hi gang:
> > > > >
> > > > > If you people would be so kind as to review this:
> > > > >
> > > > > http://sperling.com/examples/captcha/
> > > > >
> > > > > and tell me what you think (ease of use, if it works, security,
> > > > > etc.), I would appreciate it.
> > > > >
> > > > > The point is to be able to get to the "Congratulations" page by
> > > > > hearing and entering the key. If you can get there some other way or
> > > > > defeat the process, I sure would like to know about it.
> > > > >
> > > > > I've tested this with a couple of dozen blind users and they find no
> > > > > problems with it. Now, I'd like to test it for the sighted.
> > > > >
> > > > > It's a mixture of several languages, but there is php in it, so I
> > > > > guess it's on topic.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > tedd
> > > > >
> > > > > --
> > > > > ---
> > > > > http://sperling.com  http://ancientstones.com  http://earthstones.com
> > > > >
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
> > > >
> > > >
> >
> >




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread TG
On Thu, March 29, 2007 4:50 pm, tedd wrote:
>>2. What you've created is a relatively simplistic audio captcha that
>>HAS to be really susceptible to speech recognition.  Spammers have
>>gotten used to visual CAPTCHA so maybe they're not going to focus
>>too much on detecting and breaking audio CAPTCHA, but that still
>>comes down to "security through obscurity" which isn't a good
>>practice.
>
> There isn't any good practice here -- it's all just an attempt to do
> "the best the media will permit".

Understood.. it's a good exercise and a good discussion I think.

>>Once they had the software set up. Then they just have to fake the
>>"Speak Key" submit and grab the "tmp/access.mp3?##" out of
>>phone.php (submitting proper cookie/session data) and that's it.
>
> Two things:
>
> 1. There's no cookie data -- how does one access session data? I
> thought outside of the sessionID, you couldn't -- am I wrong?

Sessions, unless you pass the ID through the URL, require cookies to be
enabled on the client's browser.  They're not permanent cookies, but
they're still cookies.  I was just saying that the attacking spam bot
would be manually emulating a browser by accepting the session cookie and
passing it back and forth with the server (or however that technically
works) to maintain the "this session id goes with this MP3 for CAPTCHA
authentication".  Otherwise there's no persistence and the CAPTCHA
mechanism would probably try to issue a new MP3 when the bot went to log
in.

Challenge: sessionid 123 issued, MP3 "ABC" created
Response: "ABC" sent back with no session ID, CAPTCHA assumes it's a new
visitor and generates sessionid 456 and MP3 "DEF".

Challenge response fails because response was not sessionid 123 and text
"ABC".  It was probably text "ABC" with no session id if the bot doesn't
try to emulate browser behavior for sessions.


> 2. I might be able to generate a sound file that can be accessed only
> once. In other words, once you grab the file it's not there for a
> second look (like is light a wave or particle thing). Now, put that
> together with a hidden token in the form that accompanies the key,
> then even typing the correct key wouldn't work unless it was
> submitted via the form and not injected. I have to think about the
> logic here -- but this is just off the top of my head.

Anything stored in the form can be read by a bot, so whatever additional
tokens you may put into the web form could also be read and posted back to
your web server by the bot.

Also, regarding accessing the file only once, a bot is either going to get
it or not get it in one pass.  So it doesn't matter if the audio file you
create can only be accessed once.  That's all a bot needs and it's either
successful or not.  A human, on the other hand, may need to hear it a few
times.

Sounds like you have a concept on the tip of your brain, so maybe this
isn't exactly what you were aiming for.  But those are my thoughts based
on what you said.

And let's not bring quantum mechanics into this mess. hah. you and your
wacky waves and particles.

"Checking the electron microscope... And the winner is three, in a quantum
finish!"
"No fair! You changed the outcome by observing it!"
- Futurama

>>And because you can't do anything on the internet without bumping
>>into adult material. Don't worry, this is safe... no pics or bad
>>words, just an article about using porn sites to break visual
>>CAPTCHA.  The spambots would take your visual CAPTCHA images and
>>post it to their site which offers users free porn if they pass the
>>CAPTCHA. And there's no lack of people wanting free porn so sounds
>>like it was fairly effective:
>>http://www.boingboing.net/2004/01/27/solving_and_creating.html
>
>
> Now that is clever. However, I am having difficulty seeing just how
> they can obtain and use the information provided. For example, if I
> say the key for a specific CAPTCHA is 123 -- then how can that help a
> spammer because when he returns to the site, the CAPTCHA would have
> changed?
>
> Can you explain how that works?

Because computers are very very fast.

More importantly, they don't have to "return to the site" therefore
generating a new CAPTCHA sequence.  The bot can access the page it wants
to log into, retrieve the CAPTCHA image, post it to the free porn site for
all the amazingly fast 1 handed typists to decode, and respond to the
CAPTCHA challenge within seconds, if even that long.   Assuming there are
humans accessing their site to do the decoding for them.

It's no different than pulling up a message in French, copying and pasting
it into Babelfish in another window, reading the translated version and
going back to the first window to respond.  Hell, toss in an English ->
French translation of your response before switching back to window 1 and
if a computer was doing it all, it could have it all done in a fraction of
a second longer than it took to load the pages.  Plenty of time to respond
to the CAPTCHA challenge.  But in t

Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread TG
On Thu, March 29, 2007 3:45 pm, Tijnema ! wrote:
> You're maybe on the right path, adding images as the background makes
> it really hard to read the code from the image. You could for example
> use random images as background.

Some of the CAPTCHA methods listed as being difficult for the PWNtcha guys
to break involved using a variety of colorful backgrounds and other strong
mutations.  The stronger the mutation and harder for a machine to read,
tended to also mean that humans had a harder time reading it as well.  The
idea is to break the pattern enough to make it difficult on machines, but
easy on people.  But then we fall into the same old conundrum of better
security versus a system that's more difficult/cumbersome/tedious/annoying
to the user.  As always, we have to find a balance between "good enough"
and "easy enough".

> But i have to say that breaking something isn't needed always,
> re-using a human passed protection is a way to break through a lot of
> things.
>
> For example, i would go to the page and save the number that the
> CAPTCHA passed to my session. Then i would write down the code that i
> need to enter. So, next time i need to pass, i set the session value
> to the one i got first time, and i enter same code. Works for most
> CAPTCHA programs :) Didn't test it out on your audio CAPTCHA yet, but
> you really should care about a timeout for the session variable used.

Are you saying that you'd want to make a note of the session ID, the
"filename" for the audio file, listen to the audio then write down what it
says so if that combination ever came up again, you'd have the answer? 
Couple of problems with this if that's what you're proposing:

1. Sessions usually time out.  Ideally, you shouldn't be able to recall a
session ID used a month ago and have it work.  If the server kept every
session ID ever created, it'd become a mess really fast.  And if the
programmer stored the session ID in a database and fails to create and
store a new session ID when you re-visit, then that's a pretty big gaping
hole. If it's part of a security mechanism and they don't time out or
somehow expire and get purged, chances are you should be looking for
another job.

2. The "filename" number is most likely randomly generated and stored
temporarily for use at that moment.  So re-visiting the page and getting
the same audio CAPTCHA sound clip probably won't give you an audio clip
with the same "filename".  Again, ideally.   What you might be able to do
is do an MD5 on the file you get and if it matches a previous audio clip,
then that may work.  All depends on how the sound file is generated and if
it produced EXACTLY identical files using the same digits or if there's a
slight variance.  Much like the visual CAPTCHA devices, audio ones are
going to work best if the pattern of audio is broken up somehow with
additional noises injected into the mix (I'm paraphrasing something I saw
on one of those sites I saw earlier.. but it's a really good point). 
Straight, plain, measured voice is going to be a lot easier to parse than
voices with mixed pitches, volumes, accents and some background noise or
something.  Something like power tools, a vacuum cleaner, city sounds,
etc.  Things we, as humans, can consciously filter out fairly easily most of
the time, but a computer would have a really hard time figuring out "2 5 3"
with a jackhammer and car horns going on behind it.  That gets into some
seriously sophisticated audio processing.

Anyway, adding some mutation to the audio file would prevent an MD5 type
hash check.


Another potential attack on weak audio mechanisms just occurred to me.
Load the page a number of times, saving the audio files each time until
you can determine what the "set" is that's being used.  If it's all
numbers, numbers + letters, etc.

Eventually you should have a copy of each sample.  If the spacing between
each digit is regular, theoretically you could create a sound file for
each digit and do a brute force compare of the new sound clip against
every possible combination of the files you saved stacked together.  Or
again, create an MD5 hash for each combination and just do a lookup against
the MD5 of the new audio clip.  Probably wouldn't take long to get the
fine-tuning down.

But even a tiny bit of variance would blow that out of the water.  Speech
recognition tools are much more of a threat than something like this.

-TG
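
The session timeout and the replay of a previously solved session/code pair discussed in this message both come down to how the server stores the key. An added sketch, not tedd's script (which was not posted to the list): the class name, the 10-minute lifetime, the three-attempt limit and the six-digit key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not tedd's script. Assumed values: 10-minute lifetime,
// three attempts per key, six-digit numeric key.
final class CaptchaChallenge
{
    private const TTL_SECONDS  = 600;
    private const MAX_ATTEMPTS = 3;
    private const SLOT         = 'captcha';

    private $store;   // reference to the per-visitor store, normally $_SESSION
    private $clock;   // callable returning the current Unix time

    public function __construct(array &$store, ?callable $clock = null)
    {
        $this->store = &$store;
        $this->clock = $clock ?? 'time';
    }

    /** Create a fresh key for this visitor; hand it only to the audio generator. */
    public function issue(): string
    {
        $key = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        // Kept per visitor, so concurrent visitors never overwrite each other's key.
        $this->store[self::SLOT] = [
            'key'      => $key,
            'issued'   => ($this->clock)(),
            'attempts' => 0,
        ];
        return $key;
    }

    /** Check a submitted key; the challenge survives only a wrong guess with attempts left. */
    public function verify(string $submitted): bool
    {
        $c = $this->store[self::SLOT] ?? null;
        if ($c === null) {
            return false;                       // nothing issued, or already consumed
        }
        if (($this->clock)() - $c['issued'] > self::TTL_SECONDS) {
            unset($this->store[self::SLOT]);    // expired: an old session value is useless
            return false;
        }
        if (hash_equals($c['key'], $submitted)) {
            unset($this->store[self::SLOT]);    // single use: a solved key cannot be replayed
            return true;
        }
        if (++$c['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->store[self::SLOT]);    // too many guesses: force a new key
        } else {
            $this->store[self::SLOT] = $c;
        }
        return false;
    }
}

// Constructed demo: a plain array stands in for $_SESSION and the clock is faked.
$session = [];
$now     = 1175190000;
$captcha = new CaptchaChallenge($session, function () use (&$now): int { return $now; });

$report = function (string $label, bool $ok): void {
    printf("%-36s %s\n", $label, $ok ? 'accepted' : 'rejected');
};

$key = $captcha->issue();
$report('fresh key, first submission', $captcha->verify($key));
$report('same session and key replayed', $captcha->verify($key));

$key = $captcha->issue();
$now += 601;                                    // one second past the assumed lifetime
$report('correct key after the lifetime', $captcha->verify($key));
```

In a real page the store would be `$_SESSION` after `session_start()`, and the lifetime has to be long enough for users who need to replay the audio several times.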




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tedd

At 7:32 PM +0200 3/29/07, Tijnema ! wrote:
> Yes, it's nicely made, i see you didn't store anything in sessions
> except PHPSESSID, which you probably use to verify the code entered.
> At least, that's what i think, i hope you didn't use IP ;)

No, it just uses sessions to keep track of the visitor. However, if
two (or more) visitors were hitting the site at the same time, the
key might unexpectedly change for them.

> But, this is crackable. To crack this, the cracker should get the
> audio file from the server, and parse it. Since you use the same audio
> piece for each number, you should get the voice part of each number,
> and then parse the downloaded file and check which number it matches
> :)

I could throw some background noise into it that would make it
difficult to crack that way, but then that would present the same
problem as experienced in Graphic CAPTCHAs -- they become too noisy
to resolve. Funny how this stuff is just variations of a theme.

> It won't be easy, and probably not everyone is able to crack this. But
> it is possible :) If you don't believe me, i am able to prove it, but
> that takes some time :)
>
> Tijnema

Well.. that's the point, namely to make it difficult. As I've said
before, anything a computer can generate another computer can
interpret -- it just takes time and effort.


Thanks for your review,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tedd

At 9:45 PM +0200 3/29/07, Tijnema ! wrote:
> For example, i would go to the page and save the number that the
> CAPTCHA passed to my session. Then i would write down the code that i
> need to enter. So, next time i need to pass, i set the session value
> to the one i got first time, and i enter same code. Works for most
> CAPTCHA programs :) Didn't test it out on your audio CAPTCHA yet, but
> you really should care about a timeout for the session variable used.

That sounds good -- I need to think about that. What time period
would you suggest? Remember, there are people here with disabilities
that may not type as "slow" as we do. :-)

> We didn't see your script yet, so i don't know what extra security you
> added. But it's good to have these things in mind.

I plan on making the script public. I just need to stamp out these
types of fires first.


Thanks.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tedd

tg:

At 2:36 PM -0400 3/29/07, <[EMAIL PROTECTED]> wrote:
> 1. My biggest fear when relying on an audio CAPTCHA system is if the
> user doesn't have sound.  No speakers, or can't play stuff at the
> office or something like that.  I keep my system muted at work
> unless I'm playing music because some websites have dumb little
> flash things that make sounds and I don't feel like explaining what
> I'm surfing to my coworkers constantly.  And just out of a general
> courtesy to them not to create undue distractions in the office.

Yes, but this is just the Audio part -- more to follow.

> 2. What you've created is a relatively simplistic audio captcha that
> HAS to be really susceptible to speech recognition.  Spammers have
> gotten used to visual CAPTCHA so maybe they're not going to focus
> too much on detecting and breaking audio CAPTCHA, but that still
> comes down to "security through obscurity" which isn't a good
> practice.

There isn't any good practice here -- it's all just an attempt to do
"the best the media will permit".

> Once they had the software set up. Then they just have to fake the
> "Speak Key" submit and grab the "tmp/access.mp3?##" out of
> phone.php (submitting proper cookie/session data) and that's it.

Two things:

1. There's no cookie data -- how does one access session data? I
thought outside of the sessionID, you couldn't -- am I wrong?

2. I might be able to generate a sound file that can be accessed only
once. In other words, once you grab the file it's not there for a
second look (like is light a wave or particle thing). Now, put that
together with a hidden token in the form that accompanies the key,
then even typing the correct key wouldn't work unless it was
submitted via the form and not injected. I have to think about the
logic here -- but this is just off the top of my head.

> And because you can't do anything on the internet without bumping
> into adult material. Don't worry, this is safe... no pics or bad
> words, just an article about using porn sites to break visual
> CAPTCHA.  The spambots would take your visual CAPTCHA images and
> post it to their site which offers users free porn if they pass the
> CAPTCHA. And there's no lack of people wanting free porn so sounds
> like it was fairly effective:
>
> http://www.boingboing.net/2004/01/27/solving_and_creating.html

Now that is clever. However, I am having difficulty seeing just how
they can obtain and use the information provided. For example, if I
say the key for a specific CAPTCHA is 123 -- then how can that help a
spammer because when he returns to the site, the CAPTCHA would have
changed?

Can you explain how that works?

> It's definitely an interesting field.   I think using the common
> sense techniques you (tedd) have used combined with a better CAPTCHA
> method, you could actually create something fairly user friendly and
> secure.
>
> My vote is still for asking a person to identify images.  A bot is
> going to have a hard time identifying a pig that's photo'd from an
> odd angle and maybe colored blue instead of a standard pig-color.

Not as hard as you might think. You don't have to identify it as a
pig but rather as the spectral properties that a pig image displays.
It's like part recognition on an assembly line.

> http://www.espgame.org/

That's more the brute force method -- but at some point, it would
probably work.


Thanks for your review and comments.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !

On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:

On Thursday, 2007-03-29 at 21:52, Tijnema ! wrote:
> On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
> > works fine on XP/IE7
> > but still tells me to install some unknown plugin on ubuntu/firefox
> >
> > greets
> > Zoltán Németh
>
> That unknown plugin would probably be some audio player.

yes I was sure it is some kind of audio plugin :)
can you tell me exactly what to install?

greets
Zoltán Németh


I have actually no idea, but this might help you:
http://www.boutell.com/newfaq/browser/reinstallquicktime.html

Tijnema


>
> Tijnema
> >
> > On Thursday, 2007-03-29 at 12:41, tedd wrote:
> > > Hi gang:
> > >
> > > If you people would be so kind as to review this:
> > >
> > > http://sperling.com/examples/captcha/
> > >
> > > and tell me what you think (ease of use, if it works, security,
> > > etc.), I would appreciate it.
> > >
> > > The point is to be able to get to the "Congratulations" page by
> > > hearing and entering the key. If you can get there some other way or
> > > defeat the process, I sure would like to know about it.
> > >
> > > I've tested this with a couple of dozen blind users and they find no
> > > problems with it. Now, I'd like to test it for the sighted.
> > >
> > > It's a mixture of several languages, but there is php in it, so I
> > > guess it's on topic.
> > >
> > > Cheers,
> > >
> > > tedd
> > >
> > > --
> > > ---
> > > http://sperling.com  http://ancientstones.com  http://earthstones.com
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >







Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Zoltán Németh
On Thursday, 2007-03-29 at 21:52, Tijnema ! wrote:
> On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:
> > works fine on XP/IE7
> > but still tells me to install some unknown plugin on ubuntu/firefox
> >
> > greets
> > Zoltán Németh
>
> That unknown plugin would probably be some audio player.

yes I was sure it is some kind of audio plugin :)
can you tell me exactly what to install?

greets
Zoltán Németh

> 
> Tijnema
> >
> > On Thursday, 2007-03-29 at 12:41, tedd wrote:
> > > Hi gang:
> > >
> > > If you people would be so kind as to review this:
> > >
> > > http://sperling.com/examples/captcha/
> > >
> > > and tell me what you think (ease of use, if it works, security,
> > > etc.), I would appreciate it.
> > >
> > > The point is to be able to get to the "Congratulations" page by
> > > hearing and entering the key. If you can get there some other way or
> > > defeat the process, I sure would like to know about it.
> > >
> > > I've tested this with a couple of dozen blind users and they find no
> > > problems with it. Now, I'd like to test it for the sighted.
> > >
> > > It's a mixture of several languages, but there is php in it, so I
> > > guess it's on topic.
> > >
> > > Cheers,
> > >
> > > tedd
> > >
> > > --
> > > ---
> > > http://sperling.com  http://ancientstones.com  http://earthstones.com
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !

On 3/29/07, Zoltán Németh <[EMAIL PROTECTED]> wrote:

works fine on XP/IE7
but still tells me to install some unknown plugin on ubuntu/firefox

greets
Zoltán Németh


That unknown plugin would probably be some audio player.

Tijnema


On Thursday, 2007-03-29 at 12:41, tedd wrote:
> Hi gang:
>
> If you people would be so kind as to review this:
>
> http://sperling.com/examples/captcha/
>
> and tell me what you think (ease of use, if it works, security,
> etc.), I would appreciate it.
>
> The point is to be able to get to the "Congratulations" page by
> hearing and entering the key. If you can get there some other way or
> defeat the process, I sure would like to know about it.
>
> I've tested this with a couple of dozen blind users and they find no
> problems with it. Now, I'd like to test it for the sighted.
>
> It's a mixture of several languages, but there is php in it, so I
> guess it's on topic.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Zoltán Németh
works fine on XP/IE7
but still tells me to install some unknown plugin on ubuntu/firefox

greets
Zoltán Németh

On Thursday, 2007-03-29 at 12:41, tedd wrote:
> Hi gang:
> 
> If you people would be so kind as to review this:
> 
> http://sperling.com/examples/captcha/
> 
> and tell me what you think (ease of use, if it works, security, 
> etc.), I would appreciate it.
> 
> The point is to be able to get to the "Congratulations" page by 
> hearing and entering the key. If you can get there some other way or 
> defeat the process, I sure would like to know about it.
> 
> I've tested this with a couple of dozen blind users and they find no
> problems with it. Now, I'd like to test it for the sighted.
>
> It's a mixture of several languages, but there is php in it, so I
> guess it's on topic.
> 
> Cheers,
> 
> tedd
> 
> -- 
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> 




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !

On 3/29/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Not bad. Seems to work nicely.  No "OMGWTF!" obvious slips like naming the MP3 
with the digits the user needs to enter.

Worked fine in Firefox 1.5 too. Sometimes when audio is embedded in a page, it 
tries to load Windows Media Player or something which doesn't always work well 
in Firefox without some tweaking.  But your implementation worked fine without 
any weirdness.

Now.. on to the criticism.  Keeping in mind, you're welcome to use whatever you 
want to use and exercises like this are always good for the practice and 
experience if anything else.  Also, some of this is my opinion which you're 
welcome to ignore.

1. My biggest fear when relying on an audio CAPTCHA system is if the user
doesn't have sound.  No speakers, or can't play stuff at the office or 
something like that.  I keep my system muted at work unless I'm playing music 
because some websites have dumb little flash things that make sounds and I 
don't feel like explaining what I'm surfing to my coworkers constantly.  And 
just out of a general courtesy to them not to create undue distractions in the 
office.

2. What you've created is a relatively simplistic audio captcha that HAS to be really 
susceptible to speech recognition.  Spammers have gotten used to visual CAPTCHA so maybe
they're not going to focus too much on detecting and breaking audio CAPTCHA, but that 
still comes down to "security through obscurity" which isn't a good practice.

Here's some open source Linux-based speech recognition software that could be 
used to turn your audio into the proper digits:

http://freespeech.sourceforge.net/
http://cmusphinx.sourceforge.net/html/cmusphinx.php

Once they had the software set up. Then they just have to fake the "Speak Key" submit and 
grab the "tmp/access.mp3?##" out of phone.php (submitting proper cookie/session 
data) and that's it.

In the couple minutes I took to search for some examples, I found some 
interesting links:

PWNtcha - http://sam.zoy.org/pwntcha/ - CAPTCHA defeating project.  Focused on 
image captcha, but they give examples of different systems and which ones are 
hard and which ones are easy to break. WARNING: One of the images used is NSFW, 
but it's kind of subtle. I didn't notice it at first.  So make sure nobody's 
looking over your shoulder first lookover.  It's more than 1/2way down the page 
and I think the rest of the data on the page is worth the risk.

W3C's recommendations for alternatives to visual CAPTCHA/turing tests:
http://www.w3.org/TR/turingtest/

And because you can't do anything on the internet without bumping into adult 
material. Don't worry, this is safe... no pics or bad words, just an article 
about using porn sites to break visual CAPTCHA.  The spambots would take your 
visual CAPTCHA images and post it to their site which offers users free porn if 
they pass the CAPTCHA. And there's no lack of people wanting free porn so 
sounds like it was fairly effective:
http://www.boingboing.net/2004/01/27/solving_and_creating.html

It's definitely an interesting field.   I think using the common sense 
techniques you (tedd) have used combined with a better CAPTCHA method, you 
could actually create something fairly user friendly and secure.

My vote is still for asking a person to identify images.  A bot is going to 
have a hard time identifying a pig that's photo'd from an odd angle and maybe 
colored blue instead of a standard pig-color.

Oh wait.. someone's working on breaking that kind of CAPTCHA too.  Again using regular humans.  Apparently 
The ESP Game is based on the concept of breaking this kind of CAPTCHA.  Post the images and have people fill 
in key words that help classify the image.   So that blue pig might end up in a database labeled as 
"blue" and "pig" and "farm" or something anyway.

http://www.espgame.org/

There's no winning. hah

-TG


You're maybe on the right path, adding images as the background makes
it really hard to read the code from the image. You could for example
use random images as background.

But i have to say that breaking something isn't needed always,
re-using a human passed protection is a way to break through a lot of
things.

For example, i would go to the page and save the number that the
CAPTCHA passed to my session. Then i would write down the code that i
need to enter. So, next time i need to pass, i set the session value
to the one i got first time, and i enter same code. Works for most
CAPTCHA programs :) Didn't test it out on your audio CAPTCHA yet, but
you really should care about a timeout for the session variable used.

We didn't see your script yet, so i don't know what extra security you
added. But it's good to have these things in mind.

Tijnema


= = = Original message = = =

Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security,
etc.), I would appreciate it.

Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tedd

At 2:02 PM -0400 3/29/07, Jason Pruim wrote:
Just a really quick check right now is all I have time for, but it 
looks good. The one thing you could do (And this is personal 
preference) Mark on it that they can replay the code if they didn't 
hear it the first time. I am in a loud environment at times and 
can't always hear things the first time.


But like i said, personal preference :)


Just click the "Speak Key" again -- it will repeat the same key as 
many times as you want.


http://sperling.com/examples/captcha/

If you want a new key, just refresh the page.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Jason Pruim
No, it replayed just fine. It just didn't seem to me to be obvious  
that hitting the "speak" button would replay the same code that I may  
have missed a digit out of.


But then again, I've been trying to figure out how to do math with  
PHP and MySql all day so my brain is totally fried :P



On Mar 29, 2007, at 2:36 PM, <[EMAIL PROTECTED]> [EMAIL PROTECTED]> wrote:


It played the same sequence for me when I re-clicked the Play  
button.. until I went away for a min or two and my session probably  
timed out.  Did it not play the same sequence for you?


-TG

= = = Original message = = =

Just a really quick check right now is all I have time for, but it
looks good. The one thing you could do (And this is personal
preference) Mark on it that they can replay the code if they didn't
hear it the first time. I am in a loud environment at times and can't
always hear things the first time.

But like i said, personal preference :)



On Mar 29, 2007, at 12:41 PM, tedd wrote:


Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security,
etc.), I would appreciate it.

The point is to be able to get to the "Congratulations" page by
hearing and entering the key. If you can get there some other way
or defeat the process, I sure would like to know about it.

I've tested this with a couple of dozen blind users and they find
no problems with it. Now, I'd like to test it for the sighted.

It's a mixture of several languages, but there is php in it, so I
guess it's on topic.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com





--

Jason Pruim
[EMAIL PROTECTED]
Production & Technology Manager
MQC Specialist (2005 certified)
3251 132nd Ave
Holland MI 49424
616.399.2355
www.raoset.com


"We hold these truths to be self-evident. That all men are created
equal, that they are endowed by their creator with certain
unalienable rights, (and) that among these are Life, Liberty, and the
pursuit of Happiness."






--

Jason Pruim
[EMAIL PROTECTED]
Production & Technology Manager
MQC Specialist (2005 certified)
3251 132nd Ave
Holland MI 49424
616.399.2355
www.raoset.com


"But when a long train of abuses and usurpations, pursuing invariably  
the same Object evinces a design to reduce them under absolute  
Despotism, it is their right, it is their duty, to throw off such  
Government, and to provide new Guards for their future security."






Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tg-php
Not bad. Seems to work nicely.  No "OMGWTF!" obvious slips like naming the MP3 
with the digits the user needs to enter.

Worked fine in Firefox 1.5 too. Sometimes when audio is embedded in a page, it 
tries to load Windows Media Player or something which doesn't always work well 
in Firefox without some tweaking.  But your implementation worked fine without 
any weirdness.

Now.. on to the criticism.  Keeping in mind, you're welcome to use whatever you 
want to use and exercises like this are always good for the practice and 
experience if anything else.  Also, some of this is my opinion which you're 
welcome to ignore.

1. My biggest fear when relying on an audio CAPTCHA system is if the user 
doesn't have sound.  No speakers, or can't play stuff at the office or 
something like that.  I keep my system muted at work unless I'm playing music 
because some websites have dumb little flash things that make sounds and I 
don't feel like explaining what I'm surfing to my coworkers constantly.  And 
just out of a general courtesy to them not to create undue distractions in the 
office.

2. What you've created is a relatively simplistic audio captcha that HAS to be 
really susceptible to speech recognition.  Spammers have gotten used to visual 
CAPTCHA so maybe they're not going to focus too much on detecting and breaking 
audio CAPTCHA, but that still comes down to "security through obscurity" which 
isn't a good practice.

Here's some open source Linux-based speech recognition software that could be 
used to turn your audio into the proper digits:

http://freespeech.sourceforge.net/
http://cmusphinx.sourceforge.net/html/cmusphinx.php

Once they had the software set up. Then they just have to fake the "Speak Key" 
submit and grab the "tmp/access.mp3?##" out of phone.php (submitting 
proper cookie/session data) and that's it.

In the couple minutes I took to search for some examples, I found some 
interesting links:

PWNtcha - http://sam.zoy.org/pwntcha/ - CAPTCHA defeating project.  Focused on 
image captcha, but they give examples of different systems and which ones are 
hard and which ones are easy to break. WARNING: One of the images used is NSFW, 
but it's kind of subtle. I didn't notice it at first.  So make sure nobody's 
looking over your shoulder first lookover.  It's more than 1/2way down the page 
and I think the rest of the data on the page is worth the risk.

W3C's recommendations for alternatives to visual CAPTCHA/turing tests:
http://www.w3.org/TR/turingtest/

And because you can't do anything on the internet without bumping into adult 
material. Don't worry, this is safe... no pics or bad words, just an article 
about using porn sites to break visual CAPTCHA.  The spambots would take your 
visual CAPTCHA images and post it to their site which offers users free porn if 
they pass the CAPTCHA. And there's no lack of people wanting free porn so 
sounds like it was fairly effective:
http://www.boingboing.net/2004/01/27/solving_and_creating.html

It's definitely an interesting field.   I think using the common sense 
techniques you (tedd) have used combined with a better CAPTCHA method, you 
could actually create something fairly user friendly and secure.

My vote is still for asking a person to identify images.  A bot is going to 
have a hard time identifying a pig that's photo'd from an odd angle and maybe 
colored blue instead of a standard pig-color.

Oh wait.. someone's working on breaking that kind of CAPTCHA too.  Again using 
regular humans.  Apparently The ESP Game is based on the concept of breaking 
this kind of CAPTCHA.  Post the images and have people fill in key words that 
help classify the image.   So that blue pig might end up in a database labeled 
as "blue" and "pig" and "farm" or something anyway.

http://www.espgame.org/

There's no winning. hah

-TG

= = = Original message = = =

Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security, 
etc.), I would appreciate it.

The point is to be able to get to the "Congratulations" page by 
hearing and entering the key. If you can get there some other way or 
defeat the process, I sure would like to know about it.

I've tested this with a couple of dozen blind users and they find no 
problems with it. Now, I'd like to test it for the sighted.

It's a mixture of several languages, but there is php in it, so I 
guess it's on topic.

Cheers,

tedd

-- 
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
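The points raised in this message (the key must not leak through the audio file name, and a bot with the session cookie can fetch the audio and guess) come down to how the server tracks each challenge. The sketch below is an added example, not tedd's code: the function names, limits and session layout are hypothetical, and it assumes PHP 7+ for `random_int()` and `random_bytes()`. It does not make the audio any harder for speech recognition; it only bounds how many fetches and guesses one challenge allows.

```php
<?php
// Added example (hypothetical names). Usage: $token = captcha_new($_SESSION, time());
const CAPTCHA_TTL = 120;       // seconds a challenge stays valid
const CAPTCHA_MAX_TRIES = 3;   // wrong answers allowed per challenge
const CAPTCHA_MAX_PLAYS = 5;   // audio fetches allowed per challenge

function captcha_new(array &$session, int $now): string
{
    $key = '';
    for ($i = 0; $i < 4; $i++) {
        $key .= (string) random_int(0, 9);   // CSPRNG, not rand()/mt_rand()
    }
    $session['captcha'] = [
        'key'     => $key,                       // never sent to the client
        'token'   => bin2hex(random_bytes(16)),  // opaque audio handle, unrelated to the digits
        'expires' => $now + CAPTCHA_TTL,
        'tries'   => 0,
        'plays'   => 0,
    ];
    return $session['captcha']['token'];
}

// Returns the digits to speak for this audio request, or null if the fetch is refused.
function captcha_audio_key(array &$session, string $token, int $now): ?string
{
    $c = $session['captcha'] ?? null;
    if ($c === null || $now > $c['expires'] || !hash_equals($c['token'], $token)
        || $c['plays'] >= CAPTCHA_MAX_PLAYS) {
        return null;
    }
    $session['captcha']['plays']++;
    return $c['key'];   // same key on replay, so a user who misheard can listen again
}

function captcha_verify(array &$session, string $answer, int $now): bool
{
    $c = $session['captcha'] ?? null;
    if ($c === null || $now > $c['expires']) {
        unset($session['captcha']);
        return false;
    }
    $ok = hash_equals($c['key'], $answer);
    if ($ok || ++$session['captcha']['tries'] >= CAPTCHA_MAX_TRIES) {
        unset($session['captcha']);   // single use: solved or exhausted challenges are discarded
    }
    return $ok;
}
```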




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread tg-php
It played the same sequence for me when I re-clicked the Play button.. until I 
went away for a min or two and my session probably timed out.  Did it not play 
the same sequence for you?

-TG

= = = Original message = = =

Just a really quick check right now is all I have time for, but it  
looks good. The one thing you could do (And this is personal  
preference) Mark on it that they can replay the code if they didn't  
hear it the first time. I am in a loud environment at times and can't  
always hear things the first time.

But like I said, personal preference :)



On Mar 29, 2007, at 12:41 PM, tedd wrote:

> Hi gang:
>
> If you people would be so kind as to review this:
>
> http://sperling.com/examples/captcha/
>
> and tell me what you think (ease of use, if it works, security,  
> etc.), I would appreciate it.
>
> The point is to be able to get to the "Congratulations" page by  
> hearing and entering the key. If you can get there some other way  
> or defeat the process, I sure would like to know about it.
>
> I've tested this with a couple of dozen blind users and they find  
> no problems with it. Now, I'd like to test it for the sighted.
>
> It's a mixture of several languages, but there is php in it, so I  
> guess it's on topic.
>
> Cheers,
>
> tedd
>
> -- 
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com

-- 

Jason Pruim
[EMAIL PROTECTED]
Production & Technology Manager
MQC Specialist (2005 certified)
3251 132nd Ave
Holland MI 49424
616.399.2355
www.raoset.com


"We hold these truths to be self-evident. That all men are created  
equal, that they are endowed by their creator with certain  
unalienable rights, (and) that among these are Life, Liberty, and the  
pursuit of Happiness."





Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Jason Pruim
Just a really quick check right now is all I have time for, but it  
looks good. The one thing you could do (And this is personal  
preference) Mark on it that they can replay the code if they didn't  
hear it the first time. I am in a loud environment at times and can't  
always hear things the first time.


But like I said, personal preference :)



On Mar 29, 2007, at 12:41 PM, tedd wrote:


Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security,  
etc.), I would appreciate it.


The point is to be able to get to the "Congratulations" page by  
hearing and entering the key. If you can get there some other way  
or defeat the process, I sure would like to know about it.


I've tested this with a couple of dozen blind users and they find  
no problems with it. Now, I'd like to test it for the sighted.


It's a mixture of several languages, but there is php in it, so I  
guess it's on topic.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com





--

Jason Pruim
[EMAIL PROTECTED]
Production & Technology Manager
MQC Specialist (2005 certified)
3251 132nd Ave
Holland MI 49424
616.399.2355
www.raoset.com


"We hold these truths to be self-evident. That all men are created  
equal, that they are endowed by their creator with certain  
unalienable rights, (and) that among these are Life, Liberty, and the  
pursuit of Happiness."







Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !

  It worked for you, Tij?



My guess, then, since it's timing out, is it must be our corporate firewall 
blocking
MP3s on my end.  In which case, disregard my responses with extreme prejudice.

Yes it worked for me, it probably is a firewall, because it works for Jake too.

On 3/29/07, Jake McHenry <[EMAIL PROTECTED]> wrote:

Looks good to me... Had to use my laptop since none of my office sets have
speakers, tested it, tried bunch of stuff and it only let me in when I typed
in the code... So seems good :)

Jake


Yes, it's nicely made, I see you didn't store anything in sessions
except PHPSESSID, which you probably use to verify the code entered.
At least, that's what I think, I hope you didn't use IP ;)

But, this is crackable. To crack this, the cracker should get the
audio file from the server, and parse it. Since you use the same audio
piece for each number, you should get the voice part of each number,
and then parse the downloaded file and check which number it matches
:)

It won't be easy, and probably not everyone is able to crack this. But
it is possible :) If you don't believe me, I am able to prove it, but
that takes some time :)

Tijnema


> -Original Message-
> From: tedd [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 29, 2007 12:41 PM
> To: php-general@lists.php.net
> Subject: [PHP] Audio CAPTCHA review request
>
> Hi gang:
>
> If you people would be so kind as to review this:
>
> http://sperling.com/examples/captcha/
>
> and tell me what you think (ease of use, if it works, security,
> etc.), I would appreciate it.
>
> The point is to be able to get to the "Congratulations" page by
> hearing and entering the key. If you can get there some other way or
> defeat the process, I sure would like to know about it.
>
> I've tested this with a couple of dozen blind users and they find no
> problems with it. Now, I'd like to test it for the sighted.
>
> It's a mixture of several languages, but there is php in it, so I
> guess it's on topic.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>




RE: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Jake McHenry
Looks good to me... Had to use my laptop since none of my office sets have
speakers, tested it, tried bunch of stuff and it only let me in when I typed
in the code... So seems good :) 

Jake 

> -Original Message-
> From: tedd [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, March 29, 2007 12:41 PM
> To: php-general@lists.php.net
> Subject: [PHP] Audio CAPTCHA review request
> 
> Hi gang:
> 
> If you people would be so kind as to review this:
> 
> http://sperling.com/examples/captcha/
> 
> and tell me what you think (ease of use, if it works, security, 
> etc.), I would appreciate it.
> 
> The point is to be able to get to the "Congratulations" page by 
> hearing and entering the key. If you can get there some other way or 
> defeat the process, I sure would like to know about it.
> 
> I've tested this with a couple of dozen blind users and they find no 
> problems with it. Now, I'd like to test it for the sighted.
> 
> It's a mixture of several languages, but there is php in it, so I 
> guess it's on topic.
> 
> Cheers,
> 
> tedd
> 
> -- 
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> 




Re: [PHP] Audio CAPTCHA review request

2007-03-29 Thread Tijnema !

On 3/29/07, tedd <[EMAIL PROTECTED]> wrote:

Hi gang:

If you people would be so kind as to review this:

http://sperling.com/examples/captcha/

and tell me what you think (ease of use, if it works, security,
etc.), I would appreciate it.

The point is to be able to get to the "Congratulations" page by
hearing and entering the key. If you can get there some other way or
defeat the process, I sure would like to know about it.

I've tested this with a couple of dozen blind users and they find no
problems with it. Now, I'd like to test it for the sighted.

It's a mixture of several languages, but there is php in it, so I
guess it's on topic.

Cheers,

tedd


Let me take a deep look at it, I'm not a real cracker, but I'm very
good at logic things so I will see if I can find a simple hole to
bypass this CAPTCHA :)

Tijnema


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
