Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Hello, on 02/17/2006 05:10 PM tedd said the following: Manuel: Your points are well taken. A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. The CAPTCHA I was primarily referring to was the image one -- however, it's just another barrier. I am sure there are all sorts of ways to fool a computer while making it easy for a human to comply, like Enter the third word of the first paragraph; or What is the color of an orange?; or presenting an easy question from a vast lists of questions provided at random. That is not hard to beat because it does not make it difficult to determine what is the question, like image and audio captchas. Therefore that solution is vulnerable to dictionary attacks. While computers could be designed to answer such questions, the amount of time required would be better spent going after those sites that don't have any CAPTCHA. It depends on the purpose of the attackers. If they want to attack specific sites, soon or later they will figure a way to defeat them if they have weak protection schemes. As for me, I'm trying to understand both sides and see if there is a midway solution. However, it appears that both sides are steadfastly rooted in their opinion. One side wants barriers and the other side doesn't -- mutually exclusive positions. I can't help but think there must be a software solution. Maybe, but this is not a trivial solution. Research and development costs time and money to those that need to invest on it to find better protection . People that complain against CAPTCHAs should also consider these aspects before blaming people for not using better CAPTCHA schemes. -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Hello, on 02/19/2006 09:12 PM tedd said the following: Manuel: A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. Try this: http://xn--ovg.com/no_bot The point of CAPTCHA is to provide something that a bot can't figure out, but a human can, right? Well, for a bot to figure out the answer, the bot must be able to get at the source code, right? Take a look at this source code and from it determine the answer. Also, try to view the content source code from any page on this site. I think this data is bot-proof, isn't it? Or have I blundered? I think you are missing the point. The role of robots is to find the solutions to hack the sites. Hackers find the solutions and develop robots to attack the sites. For an hacker, this site is easy to hack. -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
A bot could find it if it parses (and executes) javascript. Andrew - Original Message - From: Gerry Danen [EMAIL PROTECTED] To: comex [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Monday, February 20, 2006 3:58 AM Subject: Re: [PHP] HN CAPTCHA at http://www.phpclasses.org How would a bot find it though? On 2/19/06, comex [EMAIL PROTECTED] wrote: You got me. Where are you hiding it? In test.js: http://www.xn--ovg.com/no_bot/rpc.php?action=one Unless you hide it in a different place each time, how useful is that? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Manuel: A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. Try this: http://xn--ovg.com/no_bot The point of CAPTCHA is to provide something that a bot can't figure out, but a human can, right? Well, for a bot to figure out the answer, the bot must be able to get at the source code, right? Take a look at this source code and from it determine the answer. Also, try to view the content source code from any page on this site. I think this data is bot-proof, isn't it? Or have I blundered? Many thanks for any review and/or suggestions. tedd -- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
You got me. Where are you hiding it? Gerry On 2/19/06, tedd [EMAIL PROTECTED] wrote: Manuel: A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. Try this: http://xn--ovg.com/no_bot The point of CAPTCHA is to provide something that a bot can't figure out, but a human can, right? Well, for a bot to figure out the answer, the bot must be able to get at the source code, right? Take a look at this source code and from it determine the answer. Also, try to view the content source code from any page on this site. I think this data is bot-proof, isn't it? Or have I blundered? Many thanks for any review and/or suggestions. -- Gerry http://portal.danen.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
You got me. Where are you hiding it? In test.js: http://www.xn--ovg.com/no_bot/rpc.php?action=one Unless you hide it in a different place each time, how useful is that? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
How would a bot find it though? On 2/19/06, comex [EMAIL PROTECTED] wrote: You got me. Where are you hiding it? In test.js: http://www.xn--ovg.com/no_bot/rpc.php?action=one Unless you hide it in a different place each time, how useful is that? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
on 02/17/2006 01:55 AM tedd said the following: Most of those who are aware of disability issues, don't use any barriers at all. CAPTCHA is often used to prevent abuses from people using automated robot programs. To solve the problem of visually impaired people, there are audio CAPTCHA solutions. Regards, Manuel Lemos -snip- http://www.access-matters.com/2005/05/22/quiz-115-did-a-captcha-catch-ya/ -- before installing a CAPTCHA. Accessibility matters. I am not sure what you mean. Are you saying that nobody should use audio CAPTCHA because one user was not able to configure his browser to play the audio CAPTCHA? I am sure that it is something easier to achieve than screen reader software that many blind users use to access read Web pages loud. Manuel Lemos Manuel: As a friend of mine, who is very knowledgeable/experienced in these matters, said: The audio variants are still barriers because there are too may reasons why they might fail to work. As I said before, there are many other simple methods that robots don't do well. Use those instead. CPATCHAs are dead and should be buried. Anyone still using them is either too cheap to learn how to use an alternative well, or simply doesn't care about accessibility. It's time to move on. Now, perhaps you don't agree with his assessment, but I think that finding other methods to accomplish what you want has merit. You know, even with audio CPATCHA's visually impaired and other disabled groups are still against it -- what does that say? tedd -- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Hello, on 02/17/2006 01:19 PM tedd said the following: I am not sure what you mean. Are you saying that nobody should use audio CAPTCHA because one user was not able to configure his browser to play the audio CAPTCHA? I am sure that it is something easier to achieve than screen reader software that many blind users use to access read Web pages loud. Manuel Lemos Manuel: As a friend of mine, who is very knowledgeable/experienced in these matters, said: The audio variants are still barriers because there are too may reasons why they might fail to work. As I said before, there are many other simple methods that robots don't do well. Use those instead. CPATCHAs are dead and should be buried. Anyone still using them is either too cheap to learn how to use an alternative well, or simply doesn't care about accessibility. It's time to move on. Now, perhaps you don't agree with his assessment, but I think that finding other methods to accomplish what you want has merit. You know, even with audio CPATCHA's visually impaired and other disabled groups are still against it -- what does that say? I think there are some misunderstandings . First, CAPTCHA means completely automated public Turing test to tell computers and humans apart. Any automated method on which robots don't do well, is a CAPTCHA. Therefore, to be accurate the person that wrote your quote is in contradiction. There may be better solutions, than the image or audio based, but those solutions are still CAPTCHAs because the goal is to halt robots. Another, point, blind people or people with other disabilities need all the sympathy they can get to make their lives better. Calling everybody that use image or audio CAPTCHAs too cheap does not seem to get them much more sympathy. These complaints seem to be too selfish. If somebody employs a CAPTCHA in a site is because he needs to solve a problem of abuse. It seems that somebody that complains against CAPTCHA does not care about the losses that the abuses may cause to site maintainers if the CAPTCHAs are removed or replaced by other easier to defeat CAPTCHAs. Nobody knows everything, starting by me. If there are better CAPTCHAs than the image or audio based, I would like to know about them. It would certainly be more constructive than calling too cheap to everybody using common CAPTCHA. I understand that the life of blind people is already very painful and slow. So I imagine the frustration of not getting enough attention to their cause because their are often a neglected minority. OTOH, that minority must also try to understand that CAPTCHA are necessary and must be effective. A CAPTCHA attempt that still permits abuses is not effective and sites may be still victims of extensive abuse. Consider this site that has a text based CAPTCHA at the bottom. It is very easy for a robot to read the numbers, make the calculations an enter the result without human intervention. Basically, it becomes very easy to abuse this CAPTCHA. In this aspect, this CAPTCHA is worse than image or audio based. http://pooteeweet.org/blog/329 A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Manuel: Your points are well taken. A good CAPTCHA must be fuzzy. If you know other fuzzy CAPTCHA besides these, it may help to sharing that knowledge. The CAPTCHA I was primarily referring to was the image one -- however, it's just another barrier. I am sure there are all sorts of ways to fool a computer while making it easy for a human to comply, like Enter the third word of the first paragraph; or What is the color of an orange?; or presenting an easy question from a vast lists of questions provided at random. While computers could be designed to answer such questions, the amount of time required would be better spent going after those sites that don't have any CAPTCHA. As for me, I'm trying to understand both sides and see if there is a midway solution. However, it appears that both sides are steadfastly rooted in their opinion. One side wants barriers and the other side doesn't -- mutually exclusive positions. I can't help but think there must be a software solution. tedd -- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
I am currently testing HN CAPTCHA and noticed that the range of alphabets that were produced ranges from A..F only. My PHP skill is quite limited to change that to A..Z so if ppl here have any experience with that class, appreciate your thoughts. TIA. HN CAPTCHA: http://www.phpclasses.org/browse/package/1569.html --roger --roger: Why use CAPTCHA? It is very problematic for the visually impaired. If you must use a barrier, then you can make it less difficult (but doesn't solve the problem) for the visually impaired by using something like: http://xn--ovg.com/captcha If you want the code, just ask. Most of those who are aware of disability issues, don't use any barriers at all. Perhaps if you would share with us the problem you're trying to solve and we could come up with a different solution. tedd -- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Hello, on 02/16/2006 01:20 PM tedd said the following: I am currently testing HN CAPTCHA and noticed that the range of alphabets that were produced ranges from A..F only. My PHP skill is quite limited to change that to A..Z so if ppl here have any experience with that class, appreciate your thoughts. TIA. HN CAPTCHA: http://www.phpclasses.org/browse/package/1569.html --roger --roger: Why use CAPTCHA? It is very problematic for the visually impaired. If you must use a barrier, then you can make it less difficult (but doesn't solve the problem) for the visually impaired by using something like: http://xn--ovg.com/captcha If you want the code, just ask. Most of those who are aware of disability issues, don't use any barriers at all. CAPTCHA is often used to prevent abuses from people using automated robot programs. To solve the problem of visually impaired people, there are audio CAPTCHA solutions. -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Most of those who are aware of disability issues, don't use any barriers at all. CAPTCHA is often used to prevent abuses from people using automated robot programs. To solve the problem of visually impaired people, there are audio CAPTCHA solutions. Regards, Manuel Lemos Manuel: No offense meant, but please review this -- http://www.access-matters.com/2005/05/22/quiz-115-did-a-captcha-catch-ya/ -- before installing a CAPTCHA. Accessibility matters. tedd -- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Hello, on 02/17/2006 01:55 AM tedd said the following: Most of those who are aware of disability issues, don't use any barriers at all. CAPTCHA is often used to prevent abuses from people using automated robot programs. To solve the problem of visually impaired people, there are audio CAPTCHA solutions. Regards, Manuel Lemos Manuel: No offense meant, but please review this -- No offense taken. http://www.access-matters.com/2005/05/22/quiz-115-did-a-captcha-catch-ya/ -- before installing a CAPTCHA. Accessibility matters. I am not sure what you mean. Are you saying that nobody should use audio CAPTCHA because one user was not able to configure his browser to play the audio CAPTCHA? I am sure that it is something easier to achieve than screen reader software that many blind users use to access read Web pages loud. -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Roger Thomas wrote: I am currently testing HN CAPTCHA and noticed that the range of alphabets that were produced ranges from A..F only. My PHP skill is quite limited to change that to A..Z so if ppl here have any experience with that class, appreciate your thoughts. TIA. HN CAPTCHA: http://www.phpclasses.org/browse/package/1569.html --roger --- Sign Up for free Email at http://ureg.home.net.my/ --- How about sending us the code so that we can have a look? If not we have to register there... Cheers, J_K9 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Quoting J_K9 [EMAIL PROTECTED]: How about sending us the code so that we can have a look? If not we have to register there... Cheers, J_K9 OK. Attached. --roger --- Sign Up for free Email at http://ureg.home.net.my/ --- hn_captcha-2004-04-20.tar.gz Description: GNU Zip compressed data -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
On Thu, Feb 16, 2006 at 09:44:33AM +0800, Roger Thomas wrote: I am currently testing HN CAPTCHA and noticed that the range of alphabets that were produced ranges from A..F only. My PHP skill is quite limited to change that to A..Z so if ppl here have any experience with that class, appreciate your thoughts. TIA. HN CAPTCHA: http://www.phpclasses.org/browse/package/1569.html I'd say contact the author about this. Curt. -- cat .signature: No such file or directory -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
On 2/16/06, Roger Thomas [EMAIL PROTECTED] wrote:
I am currently testing HN CAPTCHA and noticed that the range of alphabets
that were produced ranges from A..F only. My PHP skill is quite limited to
change that to A..Z so if ppl here have any experience with that class,
appreciate your thoughts. TIA.
The reason this CAPTCHA class only returns letters between A-F is
because it uses the md5() function in php to get a (more or less)
random string. MD5 hashes contains of a 32-character hexadecimal
numbers, which in turn ranges from 0 to F.
To solve your problem, replace the generate_private() function in
hn_captcha.class.php - starting at row 756 - with this code:
function generate_private($public=)
{
$letters = 1234567890abcdefghijklmnopqrstuvwxyz;
$maxsize = strlen($letters)-1;
for($i=0;$i6;$i++){
$rstring .= $letters{mt_rand(0, $maxsize)};
}
return $rstring;
}
This should yield a 6 char random string containing digits 0-9 and
letters a-z.
Good luck!
--
Kim Christensen
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Quoting Curt Zirzow [EMAIL PROTECTED]: On Thu, Feb 16, 2006 at 09:44:33AM +0800, Roger Thomas wrote: I am currently testing HN CAPTCHA and noticed that the range of alphabets that were produced ranges from A..F only. My PHP skill is quite limited to change that to A..Z so if ppl here have any experience with that class, appreciate your thoughts. TIA. HN CAPTCHA: http://www.phpclasses.org/browse/package/1569.html I'd say contact the author about this. Curt. I did. Waited for a week. No response. Hence this list :( --roger --- Sign Up for free Email at http://ureg.home.net.my/ --- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] HN CAPTCHA at http://www.phpclasses.org
Quoting Kim Christensen [EMAIL PROTECTED]:
To solve your problem, replace the generate_private() function in
hn_captcha.class.php - starting at row 756 - with this code:
function generate_private($public=)
{
$letters = 1234567890abcdefghijklmnopqrstuvwxyz;
$maxsize = strlen($letters)-1;
for($i=0;$i6;$i++){
$rstring .= $letters{mt_rand(0, $maxsize)};
}
return $rstring;
}
This should yield a 6 char random string containing digits 0-9 and
letters a-z.
Good luck!
--
Kim Christensen
[EMAIL PROTECTED]
Thank you Kim.
--roger
---
Sign Up for free Email at http://ureg.home.net.my/
---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
