Re: [PHP] Re: I-worm/Klez and a GIF query/question
On Saturday 04 May 2002 22:18, Hugh Bothwell wrote:
> "Jason Wong" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> > On Saturday 04 May 2002 04:58, Hugh Bothwell wrote:
> > > NOTE that for someone sufficiently persistent, they could still
> > > pattern-match the generated image to retrieve the number and
> > > auto-register that way. (I could write a PHP file to do that, too :-)
> >
> > The pics generated by services like Yahoo are distorted and thus are
> > extremely difficult to OCR.
>
> Yahoo apparently uses a mixture of static, marble, grid,
> colored background, ripple, and warp to obfuscate images.
> They don't seem to vary the typeface, size, spacing, or
> alignment of their font, although they do randomize the
> location. Of these, only ripple and warp seem inherently
> difficult to OCR. They also weaken it by using only short
> dictionary words; this could be useful in an attack (ie if the
> result is not a word in the dictionary, scrap it and
> start fresh).

There are many variations on the theme. Altavista use random letters and numbers and different fonts and at varying degrees of rotation. Something like that would probably be the easiest to implement in PHP.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Give me a fish and I will eat today.

Teach me to fish and I will eat forever.
*/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: I-worm/Klez and a GIF query/question
"Jason Wong" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]... > On Saturday 04 May 2002 04:58, Hugh Bothwell wrote: > > NOTE that for someone sufficiently persistent, they could still > > pattern-match the generated image to retrieve the number and > > auto-register that way. (I could write a PHP file to do that, too :-) > > The pics generated by services like Yahoo are distorted and thus are > extremely difficult to OCR. Yahoo apparently uses a mixture of static, marble, grid, colored background, ripple, and warp to obfuscate images. They don't seem to vary the typeface, size, spacing, or alignment of their font, although they do randomize the location. Of these, only ripple and warp seem inherently difficult to OCR. They also weaken it by using only short dictionary words; this could be useful in an attack (ie if the result is not a word in the dictionary, scrap it and start fresh). Yahoo links to an interesting page at Carnegie-Mellon: http://www.captcha.net/ They use a different scheme here; they show a set of six images and ask for a 'theme' word that describes them. Me being a skeptic, I wonder how many image sets they actually have and guess not more than 200 or so; it seems that a sufficiently determined person could catalog a decent-sized subset and automate an attack that way (of course, they could always obfuscate their images to some degree...). ... and the race continues ;-) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: I-worm/Klez and a GIF query/question
"R" <[EMAIL PROTECTED]> wrote in message 001501c1f369$060a52a0$0a6da8c0@lgwezec83s94bn">news:001501c1f369$060a52a0$0a6da8c0@lgwezec83s94bn... > Hey, > Thanks for replying, > Do you by any chance have the code or functions that i can use to do this? > even to output on jpeg should be ok. > Cheers, > -Ryan If outputting a JPEG is ok, why bother? I guess you could up the output quality to prevent blurring... I don't have code to hand, but I can tell you how to go about it: Look up the Gif89a format spec; it will tell you how to write the header (desired bits-per- pixel, size, etc). Count the number of different colors you use. Set the bits-per-pixel to the lowest value such that 2^bpp>= numcols+1, and encode at bpp+1 actual bits per pixel, always referring to entries in the _existing_ palette, one entry per pixel. This is obviously less efficient than the LZW expanding-dictionary scheme, but avoids patent infringement. I recommend writing this as a PHP function that accepts an image structure and returns a bit-string; that will make it very easy to integrate into your scripts. ... if this sounds too complicated, you could always hire me to do it instead (hint, hint). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: I-worm/Klez and a GIF query/question
Hey,
Thanks for replying,
Do you by any chance have the code or functions that I can use to do this?
Even to output on jpeg should be ok.
Cheers,
-Ryan

- Original Message -
From: "Jason Wong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 2:21 PM
Subject: Re: [PHP] Re: I-worm/Klez and a GIF query/question

> On Saturday 04 May 2002 04:58, Hugh Bothwell wrote:
> > "R" <[EMAIL PROTECTED]> wrote in message
> > news:007501c1f304$3c1607a0$0a6da8c0@lgwezec83s94bn...
> >
> > > at the end of the form he wants a "key" gif...(A gif with a number)
> > > that is automatically generated and that number has to be entered into
> > > the text box... the idea is that it prevents automated
> > > registrations.
> >
> > I've seen code that puts out an image that is .gif-compatible
> > (ie can be viewed in any browser) but is not LZH-compressed,
> > ie does not fall under the patents. I could write a PHP file
> > to do it...
> >
> > The drawback, of course, is no compression; but for a small
> > image that shouldn't be a problem.
> >
> > NOTE that for someone sufficiently persistent, they could still
> > pattern-match the generated image to retrieve the number and
> > auto-register that way. (I could write a PHP file to do that, too :-)
>
> The pics generated by services like Yahoo are distorted and thus are
> extremely difficult to OCR.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
>
> /*
> It is Mr. Mellon's credo that $200,000,000 can do no wrong. Our
> offense consists in doubting it.
> -- Justice Robert H. Jackson
> */
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Re: [PHP] Re: I-worm/Klez and a GIF query/question
On Fri, 3 May 2002, Hugh Bothwell wrote:
> NOTE that for someone sufficiently persistent, they could still
> pattern-match the generated image to retrieve the number and
> auto-register that way. (I could write a PHP file to do that, too :-)

The standard procedure is to vary the offset, rotation, color, background, and scaling by random amounts.

miguel
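The randomization listed in the message above (offset, rotation, color, background, scaling), combined with the random letters, numbers and fonts suggested earlier in the thread, as an added PHP example that is not code from any poster. It assumes the GD extension with FreeType; the font path, alphabet, sizes and function names are this example's own, and it writes a PNG rather than a GIF.

```php
<?php
// Added example, not code from the thread. Needs the GD extension with
// FreeType; FONTS holds assumed paths to TrueType files on the server.
const FONTS = ['/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf'];
// Look-alike glyphs (0/O, 1/I/L) are left out: they only hurt human users.
const ALPHABET = '23456789ABCDEFGHJKMNPQRSTUVWXYZ';

function randomKey(int $length = 6): string
{
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() uses the OS CSPRNG, so the next key cannot be guessed
        $key .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $key;
}

function randomColour($im, int $lo, int $hi): int
{
    return imagecolorallocate($im, random_int($lo, $hi),
        random_int($lo, $hi), random_int($lo, $hi));
}

function renderKeyImage(string $key)
{
    $w  = 40 * strlen($key) + 20;
    $h  = 70;
    $im = imagecreatetruecolor($w, $h);
    imagefilledrectangle($im, 0, 0, $w - 1, $h - 1, randomColour($im, 200, 255));
    for ($i = 0; $i < 15; $i++) {                       // background clutter
        imageline($im, random_int(0, $w), random_int(0, $h),
            random_int(0, $w), random_int(0, $h), randomColour($im, 120, 200));
    }
    foreach (str_split($key) as $i => $glyph) {
        imagettftext(
            $im,
            random_int(20, 30),                         // scaling (point size)
            random_int(-30, 30),                        // rotation in degrees
            15 + 40 * $i + random_int(-5, 5),           // horizontal offset
            50 + random_int(-8, 8),                     // baseline offset
            randomColour($im, 0, 110),                  // ink colour
            FONTS[random_int(0, count(FONTS) - 1)],     // typeface
            $glyph
        );
    }
    return $im;
}

// Keep the key server-side (for example in the session); send only the image.
$key = randomKey();
imagepng(renderKeyImage($key), 'key.png');
```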
Re: [PHP] Re: I-worm/Klez and a GIF query/question
On Saturday 04 May 2002 04:58, Hugh Bothwell wrote:
> "R" <[EMAIL PROTECTED]> wrote in message
> news:007501c1f304$3c1607a0$0a6da8c0@lgwezec83s94bn...
>
> > at the end of the form he wants a "key" gif...(A gif with a number)
> > that is automatically generated and that number has to be entered into
> > the text box... the idea is that it prevents automated
> > registrations.
>
> I've seen code that puts out an image that is .gif-compatible
> (ie can be viewed in any browser) but is not LZH-compressed,
> ie does not fall under the patents. I could write a PHP file
> to do it...
>
> The drawback, of course, is no compression; but for a small
> image that shouldn't be a problem.
>
> NOTE that for someone sufficiently persistent, they could still
> pattern-match the generated image to retrieve the number and
> auto-register that way. (I could write a PHP file to do that, too :-)

The pics generated by services like Yahoo are distorted and thus are extremely difficult to OCR.

--
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
It is Mr. Mellon's credo that $200,000,000 can do no wrong. Our
offense consists in doubting it.
-- Justice Robert H. Jackson
*/