Re: [PHP] ASCII Captcha

2008-08-28 Thread tedd

At 9:27 PM + 8/28/08, Ólafur Waage wrote:
> Has anyone tried an ASCII Captcha method. To use a similar method like
> this ASCII generator (http://www.network-science.de/ascii/)
>
> Or even gone the next level and have an ASCII based simple math question?
>
> I know this isn't strictly a PHP question but spam free sites are very
> dear to us.
>
> Ólafur Waage
> [EMAIL PROTECTED]


These are what I've come up with:

http://webbytedd.com/aa/assorted-captcha/

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] ASCII Captcha

2008-08-29 Thread Richard Heyes
> Has anyone tried a ASCII Captcha method. To use a similar method like
> this ASCII generator (http://www.network-science.de/ascii/)
>
> Or even gone the next level and have an ASCII based simple math question?

My advice is to stick with what works. Though if you really wanted to
you could investigate using Figlet to generate some ASCII and use that
in a basic CAPTCHA.

-- 
Richard Heyes

HTML5 Graphing:
http://www.phpguru.org/RGraph




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 03:45, tedd wrote:
> These are what I've come up with:
>
> http://webbytedd.com/aa/assorted-captcha/


Just curious tedd, but what do you mean by "CAPTCHA's show the world  
that you really haven't thought this out". If you have a better  
alternative I'd love to hear about it.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread Richard Heyes
> CAPTCHA's don't work. Don't depend upon them for any of your projects.

Sure they do. My blog comments were getting spammed to death. Now I've
put a captcha on I rarely have to deal with spam. I'd say that's
working.

> CAPTCHA's present accessibility problems for people with disabilities.

These can be alleviated by, for example, adding a sound option like
Recapture has. Not perhaps a 100% solution, but it does help
tremendously.

> CAPTCHA's show the world that you really haven't thought this out.

Actually my captchas show the world some funky coloured text... :-)

-- 
Richard Heyes

HTML5 Graphing:
http://www.phpguru.org/RGraph




Re: [PHP] ASCII Captcha

2008-08-29 Thread Sancar Saran
Hello there,
> Actually my captchas show the world some funky coloured text... :-)

I'm just wondering. What if we show captcha using ASCII ART format.

like

 |||
 |||
   `|||  |||`|||`````|||||` ` ||
 |||||  ||`   |.   |`...   |
 ||`   .||  | |  .|||||``|.|.```|.||
 |. `|||||  | |||.. ..`|
 ||| |||``  |. ```||`||.|`   `||.. |
 ```.  . .|`.  ```.|
 |||. S ..... I ... R . I .|||.. K .
 |||
 BUCES BBS||
 |||


(I'm not sure it was shown correctly)

 Even a coloured one.

What are your opinions?

Regards

Sancar




Re: [PHP] ASCII Captcha

2008-08-29 Thread Richard Heyes
> 
>  |||
>  |||
>    `|||  |||`|||`````|||||` ` ||
>  |||||  ||`   |.   |`...   |
>  ||`   .||  | |  .|||||``|.|.```|.||
>  |. `|||||  | |||.. ..`|
>  ||| |||``  |. ```||`||.|`   `||.. |
>  ```.  . .|`.  ```.|
>  |||. S ..... I ... R . I .|||.. K .
>  |||
>  BUCES BBS||
>  |||
>
> 
> (I'm not sure it was showed correct)

It didn't, but pasting it into notepad made everything OK... Even
after that though, it wasn't particularly readable.

-- 
Richard Heyes

HTML5 Graphing:
http://www.phpguru.org/RGraph




Re: [PHP] ASCII Captcha

2008-08-29 Thread Ólafur Waage
That's exactly what I am talking about, Richard.

Ólafur Waage
[EMAIL PROTECTED]




Re: [PHP] ASCII Captcha

2008-08-29 Thread Ólafur Waage
I just realized that I should have said ASCII Art but not just ASCII,
it was so clear in my head but I notice now how it could have been
misunderstood.

Ólafur Waage
[EMAIL PROTECTED]




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 9:07 AM +0100 8/29/08, Stut wrote:
> On 29 Aug 2008, at 03:45, tedd wrote:
>> These are what I've come up with:
>>
>> http://webbytedd.com/aa/assorted-captcha/
>
> Just curious tedd, but what do you mean by "CAPTCHA's show the world
> that you really haven't thought this out". If you have a better
> alternative I'd love to hear about it.
>
> -Stut


-Stut :

I claim that for most web sites, they don't need a CAPTCHA -- so why 
use one? CAPTCHA's carry a lot of accessibility baggage.


There are many high profile sites that don't use CAPTCHA (i.e.,
Eric Meyers, Chris Shiflett). Instead they have developed other
methods, such as attending to their sites and monitoring posts.


I concede that if an evil-doer wants to make things hard on you by 
automated posting, then it's an uphill battle that can be effectively 
fought by using a CAPTCHA. But I claim there has to be a better way.


While I've been working on the problem (on/off) for several years, I 
haven't found an acceptable solution. Of course, better minds than 
mine have tried and failed, but I always think that I might do better 
-- a flaw in my personality, I just don't know any better.


In any event, I've approached the problem from two sides:

1. To create a CAPTCHA that would be difficult for automated systems 
to break but easy for the user to navigate -- my Arrow CAPTCHA is the 
best I could create. However, I'm sure with a little effort from 
someone like you or Rob, it can be broken.


In addition, my arrow CAPTCHA is for the sighted and that leaves out 
a lot of people. My Audio CAPTCHA works well for the blind, but that 
too can be broken.


2. To create a server-side method that monitors who's making the 
post, frequency of the posts, and content of the post before allowing 
the post. While I'm not finished, this is something that I continue 
to work on. I think that direction shows the most opportunity for 
success.


So, when I say "CAPTCHA's show the world that you really haven't
thought this out", that's what I mean. I still haven't thought this
out either. But I think there's a better solution and I'll keep working
trying to find one.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
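
Added example, not part of tedd's message or the thread: one way the server-side screening described in point 2 above (who is posting, how often, and what) could look in PHP. The function names, thresholds, log format and the use of the client address as "who" are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative thresholds (assumptions, tune per site).
const WINDOW_SECONDS   = 600; // look-back window for the frequency check
const MAX_POSTS_WINDOW = 3;   // posts tolerated per sender inside the window
const MAX_LINKS        = 2;   // links tolerated in a single post

/** Normalise case and whitespace so trivial rewording does not hide a repeat. */
function bodyHash(string $body): string
{
    $norm = strtolower(trim((string) preg_replace('/\s+/', ' ', $body)));
    return hash('sha256', $norm);
}

/**
 * Screen one submission against the log of earlier ones.
 * Each $log entry: ['ip' => string, 'time' => int, 'hash' => string].
 * Returns ['decision' => 'allow'|'hold'|'reject', 'reasons' => string[]].
 */
function screenPost(array $log, string $ip, string $body, int $now): array
{
    $score   = 0;
    $reasons = [];

    // Who + frequency: recent posts from the same address.
    $recent = array_filter($log, function (array $e) use ($ip, $now): bool {
        return $e['ip'] === $ip && ($now - $e['time']) <= WINDOW_SECONDS;
    });
    if (count($recent) >= MAX_POSTS_WINDOW) {
        $score += 2;
        $reasons[] = 'rate: ' . count($recent) . ' posts in window';
    }

    // Content: same normalised text already seen from any sender.
    $hash = bodyHash($body);
    foreach ($log as $entry) {
        if ($entry['hash'] === $hash) {
            $score += 2;
            $reasons[] = 'duplicate body';
            break;
        }
    }

    // Content: link density.
    $links = (int) preg_match_all('~https?://~i', $body);
    if ($links > MAX_LINKS) {
        $score += 1;
        $reasons[] = "links: $links";
    }

    // One weak signal sends the post to moderation; strong ones block it.
    $decision = $score >= 3 ? 'reject' : ($score >= 1 ? 'hold' : 'allow');
    return ['decision' => $decision, 'reasons' => $reasons];
}

// Constructed sample data (192.0.2.0/24 is a documentation address range).
$now = 1220000000;
$log = [
    ['ip' => '192.0.2.10', 'time' => $now - 30,   'hash' => bodyHash('Cheap pills http://a.example')],
    ['ip' => '192.0.2.10', 'time' => $now - 60,   'hash' => bodyHash('Cheap pills http://b.example')],
    ['ip' => '192.0.2.10', 'time' => $now - 90,   'hash' => bodyHash('Cheap pills http://c.example')],
    ['ip' => '192.0.2.77', 'time' => $now - 4000, 'hash' => bodyHash('Is the bike still for sale?')],
];

$submissions = [
    ['192.0.2.10', 'Cheap  pills http://A.example'],   // busy sender, text seen before
    ['192.0.2.77', 'Could you post more photos?'],     // occasional sender, new text
    ['192.0.2.99', 'See http://x.example http://y.example http://z.example'], // new sender, link-heavy
];

foreach ($submissions as [$ip, $body]) {
    $result = screenPost($log, $ip, $body, $now);
    printf("%-11s %-6s %s\n", $ip, $result['decision'], implode('; ', $result['reasons']));
}
```

The "hold" outcome is where this meets the moderation approach discussed in the thread: borderline posts go to a human queue instead of being shown a challenge.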




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 10:00 AM +0100 8/29/08, Richard Heyes wrote:
>> CAPTCHA's don't work. Don't depend upon them for any of your projects.
>
> Sure they do. My blog comments were getting spammed to death. Now I've
> put a captcha on I rarely have to deal with spam. I'd say that's
> working.


Yes, it's working for you -- but what about the people who can't 
navigate your CAPTCHA? They can't even tell you they are having 
problems.


In addition, all CAPTCHA's can be broken. If someone really wants to 
spam your site, they will. You're not flying below the radar, you're 
just not a big enough target to waste a missile on.



>> CAPTCHA's present accessibility problems for people with disabilities.
>
> These can be alleviated by, for example, adding a sound option like
> Recapture has. Not perhaps a 100% solution, but it does help
> tremendously.

If you will notice, I do include an audio CAPTCHA in my assorted CAPTCHA's:

http://webbytedd.com/aa/assorted-captcha/

But, that doesn't solve the problem of accessibility, it just reduces 
the problem, and actually increases the possibility of your site 
getting spammed by providing two doors for entry.



>> CAPTCHA's show the world that you really haven't thought this out.
>
> Actually my captchas show the world some funky coloured text... :-)


Now you throw possible contrast problems into the mix. Will your 
colors pass this test:


http://webbytedd.com/c/access-color/

No matter how many times you cut this rope, it's still too short.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 15:15, tedd wrote:
> At 9:07 AM +0100 8/29/08, Stut wrote:
>> On 29 Aug 2008, at 03:45, tedd wrote:
>>> These are what I've come up with:
>>>
>>> http://webbytedd.com/aa/assorted-captcha/
>>
>> Just curious tedd, but what do you mean by "CAPTCHA's show the
>> world that you really haven't thought this out". If you have a
>> better alternative I'd love to hear about it.
>>
>> -Stut
>
> -Stut :
>
> I claim that for most web sites, they don't need a CAPTCHA -- so why
> use one? CAPTCHA's carry a lot of accessibility baggage.
>
> There are many of high profile sites that don't use CAPTCHA (i.e.,
> Eric Meyers, Chris Shiflett). Instead they have developed other
> methods, such as attending to their sites and monitoring post.
>
> I concede that if an evil-doer wants to make things hard on you by
> automated posting, then it's an uphill battle that can be
> effectively fought by using a CAPTCHA. But I claim there has to be a
> better way.
>
> While I've been working on the problem (on/off) for several years, I
> haven't found an acceptable solution. Of course, better minds than
> mine have tried and failed, but I always think that I might do
> better -- a flaw in my personality, I just don't know any better.
>
> In any event, I've approached on the problem from two sides:
>
> 1. To create a CAPTCHA that would be difficult for automated systems
> to break but easy for the user to navigate -- my Arrow CAPTCHA is
> the best I could create. However, I'm sure with a little effort from
> someone like you or Rob, it can be broken.
>
> In addition, my arrow CAPTCHA is for the sighted and that leaves out
> a lot of people. My Audio CAPTCHA works well for the blind, but that
> too can be broken.
>
> 2. To create a server-side method that monitors who's making the
> post, frequency of the posts, and content of the post before
> allowing the post. While I'm not finished, this is something that I
> continue to work on. I think that direction shows the most
> opportunity for success.
>
> So, when I say "CAPTCHA's show the world that you really haven't
> thought this out", that's what I mean. I still haven't thought this
> out either. But I think there'a better solution and I'll keep
> working trying to find one.


I agree with some of what you're saying here, but only to a certain  
extent. CAPTCHA's are a tool that can be applied to any number of  
different situations, so a blanket statement like that cannot possibly  
apply. For some situations they are absolutely required (example  
coming up), for others they're certainly not the best answer.


The main project I work on at the moment is a classified ad site and  
it has CAPTCHA's in three places. The first is when you place an ad.  
If this wasn't there we'd have a much more difficult job dealing with  
scam and spam ads, something we can't currently afford to throw more  
effort at. This is an example of making it a little bit harder for  
automated posting to happen, but we know it's not 100% effective and  
we have other mechanisms in place to catch stuff that gets past it,  
but it's a good first step and knocks out the really stupid attempts.


The other two places are when a user contacts us for support, and when  
someone sends a message to another user about one of their ads.  
Without the CAPTCHA both of these suffer from a huge amount of aimless  
automated postings. This is the main thing a CAPTCHA does for any site.


Out there in the wide wide world there are numerous scripts that  
simply crawl the web looking for forms to post to on the off-chance  
it's going to turn out to be unprotected. Depending on the form  
handler this can result in anything from them posting content on a  
website with a view to getting SEO juice to being able to use the form  
as a mail proxy. These scripts don't care if each post works, they  
just try because it's nearly free to do so. In the above scenarios not  
having the CAPTCHA there to stop them would result in spam in our
support system and even worse than that, spam in users' mailboxes.


So I agree that CAPTCHA's do not and cannot solve the problem of  
unwanted form submissions, but they're a damn good start. Whatever we  
do, the simple fact that we want users to be able to do something  
means that anyone can do it whether they have good intentions or bad,  
but we can put up as many obstacles to automation as normal users can  
live with. CAPTCHA's are only a defence against automation, not bad  
people and that's a very important thing to understand.


As for attending to sites and monitoring posts, that's all very well  
until you end up dealing with >10k posts a day. Our CAPTCHA's stop  
over 70% of form submissions on my site and I thank $DEITY they're  
there because otherwise I'd never sleep (not that I do that much  
anyway).


The reason I asked the question is that your comments on that page  
imply that only lazy developers use them when this is far from the  
truth. They are a valuable tool and until something better comes alon

Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 10:30 AM, tedd wrote:
> No matter how many times you cut this rope, it's still too short.


So, I'm curious, what do you suggest?

As near as I can tell, even with all of the problems (many of which  
can be mitigated with enough effort) associated with the use of  
Captcha's, a good implementation is currently the best solution to the  
problem.







Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 3:41 PM +0100 8/29/08, Stut wrote:

-Stut:

> I agree with some of what you're saying here, but only to a certain
> extent. CAPTCHA's are a tool that can be applied to any number of
> different situations, so a blanket statement like that cannot
> possibly apply.


Of course blanket statements can't apply to everything, but they can 
generate debate and thus the reason why I wrote it that way -- to 
generate discussion.


---
> The main project I work on at the moment is a classified ad site and
> it has CAPTCHA's in three places.


-snip-

I understand there are different reasons behind the use of CAPTCHA's, 
but in the end they still present accessibility problems. And their 
use is a trade-off that you accept.


In essence you are saying I understand the problems and this is my 
best solution. You are cutting out a segment of the population due to 
the fact that you cannot create a better solution.


Don't get me wrong -- I fully understand the problems involved and 
there may not be a better solution. But to employ CAPTCHA's, means 
that there isn't.


---
> So I agree that CAPTCHA's do not and cannot solve the problem of
> unwanted form submissions, but they're a damn good start.


I agree with most of that, but I think the "they're a damn good 
start" is really "this works and that's that."


It's like the saying "Why are the things I'm looking for always in 
the last place I find them?" They are because once you find them, you 
stop looking. Likewise, the CAPTCHA is a good place to stop.


---
> Whatever we do, the simple fact that we want users to be able to do
> something means that anyone can do it whether they have good
> intentions or bad, but we can put up as many obstacles to automation
> as normal users can live with. CAPTCHA's are only a defence against
> automation, not bad people and that's a very important thing to
> understand.



That's a very good point. I often think that people who employ these 
tactics (spam automation) actually know what they are doing when in 
fact they may not. They may be ignorant of the harm they cause.


---
> The reason I asked the question is that your comments on that page
> imply that only lazy developers use them when this is far from the
> truth. They are a valuable tool and until something better comes
> along I'm gonna use them as part of my sites defences, unless you're
> volunteering to moderate >7k messages for me for free? Didn't think
> so ;)


I didn't mean to imply laziness, but now that you mentioned it -- on 
one hand we say that CAPTCHA is good enough until something else 
comes along, but on the other hand, because we are using CAPTCHA, 
there's no need to develop something else.


I realize that this problem is difficult and may be one of those
things that can't be solved with current technology -- I may be Don
Quixote looking at windmills differently than others.


Thanks for your comments,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 10:45 AM -0400 8/29/08, Eric Gorr wrote:
> On Aug 29, 2008, at 10:30 AM, tedd wrote:
>> No matter how many times you cut this rope, it's still too short.
>
> So, I'm curious, what do you suggest?
>
> As near as I can tell, even with all of the problems (many of which
> can be mitigated with enough effort) associated with the use of
> Captcha's, a good implementation is currently the best solution to
> the problem.


Read my other replies.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 10:38 +, Ólafur Waage wrote:
> I just realized that i should have said ASCII Art but not just ASCII,
> it was so clear in my head but i notice now how it could have been
> misunderstood.

You do realize that the ascii rendering below is just a bitmap. Most
captcha crackers can handle bitmaps. The cracker would just need a
little tweaking to first convert to a real bitmap.

Cheers,
Rob.




> 
> Ólafur Waage
> [EMAIL PROTECTED]
> 
> 2008/8/29 Ólafur Waage <[EMAIL PROTECTED]>:
> > Thats exactly what i am talking about Richard.
> >
> > Ólafur Waage
> > [EMAIL PROTECTED]
> >
> > 2008/8/29 Richard Heyes <[EMAIL PROTECTED]>:
> >>> 
> >>>  |||
> >>>  |||
> >>>    `|||  |||`|||`````|||||` ` ||
> >>>  |||||  ||`   |.   |`...   |
> >>>  ||`   .||  | |  .|||||``|.|.```|.||
> >>>  |. `|||||  | |||.. ..`|
> >>>  ||| |||``  |. ```||`||.|`   `||.. |
> >>>  ```.  . .|`.  ```.|
> >>>  |||. S ..... I ... R . I .|||.. K .
> >>>  |||
> >>>  BUCES BBS||
> >>>  |||
> >>>
> >>> 
> >>> (I'm not sure it was showed correct)
> >>
> >> It didn't, but pasting it into notepad made everything OK... Even
> >> after that though, it wasn't particularly readable.
> >>
> >> --
> >> Richard Heyes
> >>
> >> HTML5 Graphing:
> >> http://www.phpguru.org/RGraph
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> >
> 
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 16:33, tedd wrote:
> At 3:41 PM +0100 8/29/08, Stut wrote:
>> The main project I work on at the moment is a classified ad site
>> and it has CAPTCHA's in three places.
>
> -snip-
>
> I understand there are different reasons behind the use of
> CAPTCHA's, but in the end they still present accessibility problems.
> And their use is a trade-off that you accept.
>
> In essence you are saying I understand the problems and this is my
> best solution. You are cutting out a segment of the population due
> to the fact that you cannot create a better solution.
>
> Don't get me wrong -- I fully understand the problems involved and
> there may not be a better solution. But to employ CAPTCHA's, means
> that there isn't.


That's putting words in other people's mouths. Use of CAPTCHA's isn't
the same as stating the Earth is flat and refusing to entertain
alternative theories. CAPTCHA's are a first line of defence and as
such I'll use them until I or someone else comes up with something
better. I don't see that as defeat, but in the real world I can't say
"I don't have a 100% effective defence so I'm not going to use the 70%
defence I do have". Seems to me to be a very odd position to take.


>> So I agree that CAPTCHA's do not and cannot solve the problem of
>> unwanted form submissions, but they're a damn good start.
>
> I agree with most of that, but I think the "they're a damn good
> start" is really "this works and that's that."
>
> It's like the saying "Why are the things I'm looking for always in
> the last place I find them?" They are because once you find them,
> you stop looking. Likewise, the CAPTCHA is a good place to stop.


Who ever said we've stopped? Again, it's one tool in a toolbox, but  
certainly not one that should be ignored.


>> Whatever we do, the simple fact that we want users to be able to do
>> something means that anyone can do it whether they have good
>> intentions or bad, but we can put up as many obstacles to
>> automation as normal users can live with. CAPTCHA's are only a
>> defence against automation, not bad people and that's a very
>> important thing to understand.
>
> That's a very good point. I often think that people who employ these
> tactics (spam automation) actually know what they are doing when in
> fact they may not. They may be ignorant of the harm they cause.


I highly doubt that. There may be a few who use off-the-shelf scripts
without really knowing what they're doing, but I would bet the
majority fully understand what they're doing and most of them don't
care. I *know* some of them think they're "adding value".


>> The reason I asked the question is that your comments on that page
>> imply that only lazy developers use them when this is far from the
>> truth. They are a valuable tool and until something better comes
>> along I'm gonna use them as part of my sites defences, unless
>> you're volunteering to moderate >7k messages for me for free?
>> Didn't think so ;)
>
> I didn't mean to imply laziness, but now that you mentioned it -- on
> one hand we say that CAPTCHA is good enough until something else
> comes along, but on the other hand, because we are using CAPTCHA,
> there's no need to develop something else.


I think this is very naive and coming from you tedd it surprises me.  
Very few developers have time to put everything on hold because the  
tools they have are not 100% effective - I certainly don't. I really  
wish I did, but this is the real world where the almighty pound is  
king. I'd love to see the faces at the next board meeting when I say  
"no progress this month because we've been trying to come up with  
something better than CAPTCHA's".


The community as a whole is trying to come up with something better  
but these things take time, money and a good dose of unpredictable  
inspiration. Something better will arrive, until then I'm using the  
tools I have to do the best job I can.


> I realize that this problem is difficult and may be one of those
> thing that can't be solved with current technology -- I may be Don
> Quixote looking at windmills differently than others.


Most of the problems CAPTCHA's are intended to protect against are  
social rather than technological. This is also important to  
understand. As I mentioned earlier, if you want your normal users to  
be able to do something, the evil ones will also be able to do it.


The best defence against dodgy inputs I've seen so far has been having  
a good community on the site who pro-actively look for and take action  
against it. Best example I can think of this late in the day is  
Wikipedia.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 11:33 AM, tedd wrote:
> I understand there are different reasons behind the use of
> CAPTCHA's, but in the end they still present accessibility problems.
> And their use is a trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need to  
present accessibility problems.


> I didn't mean to imply laziness, but now that you mentioned it -- on
> one hand we say that CAPTCHA is good enough until something else
> comes along, but on the other hand, because we are using CAPTCHA,
> there's no need to develop something else.


Nonsense. There are people constantly working on better systems to  
fight spam, etc. Need proof? Just lift your head up and look around a  
little.


At a minimum, a better system that everyone uses could mean billions
to the inventor that patents the system...that is reason enough to
keep working to the next best thing.








Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 11:33 -0400, tedd wrote:
>
> I understand there are different reasons behind the use of CAPTCHA's, 
> but in the end they still present accessibility problems. And their 
> use is a trade-off that you accept.

Not using CAPTCHAs and allowing the amount of spam posted to a site to
exist presents an accessibility problem for all.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 1:15 PM -0400 8/29/08, Robert Cummings wrote:
> On Fri, 2008-08-29 at 11:33 -0400, tedd wrote:
>> I understand there are different reasons behind the use of CAPTCHA's,
>> but in the end they still present accessibility problems. And their
>> use is a trade-off that you accept.
>
> Not using CAPTCHAs and allowing the amount of spam posted to a site to
> exist presents an accessibility problem for all.
>
> Cheers,
> Rob.



That's another side of the coin -- the problem is complex.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 12:17 PM -0400 8/29/08, Eric Gorr wrote:
> On Aug 29, 2008, at 11:33 AM, tedd wrote:
>> I understand there are different reasons behind the use of
>> CAPTCHA's, but in the end they still present accessibility
>> problems. And their use is a trade-off that you accept.
>
> Nonsense. There is no reason why the usage of Captcha's would need
> to present accessibility problems.



No offense, but please look into it.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 5:06 PM +0100 8/29/08, Stut wrote:
> On 29 Aug 2008, at 16:33, tedd wrote:
>> I didn't mean to imply laziness, but now that you mentioned it --
>> on one hand we say that CAPTCHA is good enough until something else
>> comes along, but on the other hand, because we are using CAPTCHA,
>> there's no need to develop something else.
>
> I think this is very naive and coming from you tedd it surprises me.


From my perspective, I think it naive to look at this in any other way.

For example, how much time have you invested in finding a better way? 
I'm not pointing a finger at you and saying "You need to drop 
everything and come up with a solution before moving on." But I am 
saying that you are using a CAPTCHA until someone else comes up with 
a better way. Is that not true?


So, in essence my statement above is not naive but rather factual. 
Factual is not naive.



> Very few developers have time to put everything on hold because the
> tools they have are not 100% effective - I certainly don't. I really
> wish I did, but this is the real world where the almighty pound is
> king. I'd love to see the faces at the next board meeting when I say
> "no progress this month because we've been trying to come up with
> something better than CAPTCHA's".


You are missing the point. I'm not telling you to stop anything.

I am saying -- however -- that we continue (myself included) to use 
technology that hurts others. That does not justify our actions -- it 
only provides an excuse.



> The best defence against dodgy inputs I've seen so far has been
> having a good community on the site who pro-actively look for and
> take action against it. Best example I can think of this late in the
> day is Wikipedia.


As I see it, I could be wrong, but that's just an example of 
"developers" who are not taking the easy way out, but rather trying 
to solve the problem by using something other than CAPTCHA, like the 
ones I posted earlier.


Look, we are not in disagreement -- I understand that you have 
deadlines and projects that can't be put on hold and all the other 
excuses you cite -- actually, so do I. But in the end, we are doing 
this at the cost of accessibility for others. We shouldn't lose sight 
of that.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Richard Heyes
>> I understand there are different reasons behind the use of CAPTCHA's, but
>> in the end they still present accessibility problems. And their use is a
>> trade-off that you accept.
>
> Nonsense. There is no reason why the usage of Captcha's would need to
> present accessibility problems.

CAPTCHAs are intentionally not the easiest thing to read. If they
were, there wouldn't be a great deal of point having them.

-- 
Richard Heyes

HTML5 Graphing:
http://www.phpguru.org/RGraph




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 2:42 PM, Richard Heyes wrote:

I understand there are different reasons behind the use of CAPTCHA's, but
in the end they still present accessibility problems. And their use is a
trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems.


CAPTCHAs are intentionally not the easiest thing to read. If they
were, there wouldn't be a great deal of point having them.


There are many forms of captcha's. The concept can easily be extended  
beyond the need to read something. You may want to read:


http://en.wikipedia.org/wiki/Captcha




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 1:56 PM, tedd wrote:


At 12:17 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 11:33 AM, tedd wrote:

I understand there are different reasons behind the use of  
CAPTCHA's, but in the end they still present accessibility  
problems. And their use is a trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need  
to present accessibility problems.



No offense, but please look into it.



You are welcome to explain, rather than just assert, what is inherent
about the concept of a Captcha that would force accessibility problems  
upon a website.







Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 2:48 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 2:42 PM, Richard Heyes wrote:


I understand there are different reasons behind the use of CAPTCHA's, but
in the end they still present accessibility problems. And their use is a
trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems.


CAPTCHAs are intentionally not the easiest thing to read. If they
were, there wouldn't be a great deal of point having them.


There are many forms of captcha's. The concept can easily be 
extended beyond the need to read something. You may want to read:


http://en.wikipedia.org/wiki/Captcha



While you're at it, why don't you read it yourself.

The reference clearly says why your statement --

"Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems."

-- is nonsense.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 2:51 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 1:56 PM, tedd wrote:


At 12:17 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 11:33 AM, tedd wrote:

I understand there are different reasons behind the use of 
CAPTCHA's, but in the end they still present accessibility 
problems. And their use is a trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need 
to present accessibility problems.



No offense, but please look into it.



You are welcome to explain, rather than just assert, what is
inherent about the concept of a Captcha that would force 
accessibility problems upon a website.



Read your own reference:

http://en.wikipedia.org/wiki/Captcha

That says:

Accessibility
See also: Web accessibility
Because CAPTCHAs rely on visual perception, users unable to view a 
CAPTCHA (for example, due to a disability or because it is difficult 
to read) will be unable to perform the task protected by a CAPTCHA. 
As such, sites implementing CAPTCHAs may provide an audio version of 
the CAPTCHA in addition to the visual method. The official CAPTCHA 
site recommends providing an audio CAPTCHA for accessibility reasons.


Why should I have to explain something that is widely known and easy to find?

Please do the reading before telling people such things are nonsense.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 3:11 PM, tedd wrote:


At 2:48 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 2:42 PM, Richard Heyes wrote:

I understand there are different reasons behind the use of CAPTCHA's, but
in the end they still present accessibility problems. And their use is a
trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems.


CAPTCHAs are intentionally not the easiest thing to read. If they
were, there wouldn't be a great deal of point having them.


There are many forms of captcha's. The concept can easily be  
extended beyond the need to read something. You may want to read:


http://en.wikipedia.org/wiki/Captcha



While you're at it, why don't you read it yourself.

The reference clearly says why your statement --

"Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems."

-- is nonsense.


Where?





Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 3:15 PM, tedd wrote:


At 2:51 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 1:56 PM, tedd wrote:


At 12:17 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 11:33 AM, tedd wrote:

I understand there are different reasons behind the use of  
CAPTCHA's, but in the end they still present accessibility  
problems. And their use is a trade-off that you accept.


Nonsense. There is no reason why the usage of Captcha's would  
need to present accessibility problems.



No offense, but please look into it.



You are welcome to explain, rather than just assert, what is
inherent about the concept of a Captcha that would force  
accessibility problems upon a website.



Read your own reference:

http://en.wikipedia.org/wiki/Captcha

That says:

Accessibility
See also: Web accessibility
Because CAPTCHAs rely on visual perception, users unable to view a  
CAPTCHA (for example, due to a disability or because it is difficult  
to read) will be unable to perform the task protected by a CAPTCHA.  
As such, sites implementing CAPTCHAs may provide an audio version of  
the CAPTCHA in addition to the visual method. The official CAPTCHA  
site recommends providing an audio CAPTCHA for accessibility reasons.


Why should I have to explain something that is widely known and easy  
to find?




So, I'm curious, what prevents a website from providing a good  
implementation of both an audio and visual captcha to prevent  
accessibility problems which you claim are impossible to avoid with  
every use of a captcha?


Personally, my favorite implementation to date is:

  http://recaptcha.net/learnmore.html

and not only is it well designed, but all that brain power which goes  
into solving captcha's goes into helping out with a very worthwhile  
project.


Remember, the concept of a captcha is this:

  A test to prove one is human in order to perform some action.

There is no reason why a blind or deaf person absolutely cannot be  
presented with such a test.


Now, if you wish to continue to argue to the contrary, you are more
than welcome to do so.












Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 3:17 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 3:11 PM, tedd wrote:

http://en.wikipedia.org/wiki/Captcha



While you're at it, why don't you read it yourself.

The reference clearly says why your statement --

"Nonsense. There is no reason why the usage of Captcha's would need to
present accessibility problems."

-- is nonsense.


Where?


Is this a joke? Are we doing one of those "Who's on first" skits?

Read this:

http://en.wikipedia.org/wiki/Captcha

and look for what it says about accessibility.

And while you're at it, try reading this:

http://en.wikipedia.org/wiki/Web_accessibility

Maybe then you'll start understanding the problems people with 
certain disabilities have in navigating and using web sites.


Instead of calling all this nonsense, try to understand what's being discussed.

This ain't rocket science. It's not all that hard to understand.

Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 19:03, tedd wrote:

At 5:06 PM +0100 8/29/08, Stut wrote:

On 29 Aug 2008, at 16:33, tedd wrote:
I didn't mean to imply laziness, but now that you mentioned it --  
on one hand we say that CAPTCHA is good enough until something  
else comes along, but on the other hand, because we are using  
CAPTCHA, there's no need to develop something else.


I think this is very naive and coming from you tedd it surprises me.


From my perspective, I think it naive to look at this in any other  
way.


For example, how much time have you invested in finding a better  
way? I'm not pointing a finger at you and saying "You need to drop  
everything and come up with a solution before moving on." But I am  
saying that you are using a CAPTCHA until someone else comes up with  
a better way. Is that not true?


So, in essence my statement above is not naive but rather factual.  
Factual is not naive.


Not at all. I spend a fair amount of time thinking about ways to make  
my work more secure. I would hope that goes for most developers,  
especially if they realise that a CAPTCHA is not 100% effective.  
However, this is the way research works. Most people (i.e. the work-a-day
folk) spend most of their time making stuff. The few people who
are lucky enough to either work for a company that gives them time to  
do research or actually does it for a living are the ones more likely  
to hit upon a new solution.


I don't think this makes us lazy, or wrong, for continuing to use the  
current tool - it makes us practical. If I have a eureka moment at any  
point rest assured I will put some personal time aside to look into it  
(as I have in other areas) and if something comes of it I'd publish it  
on my blog.


So, in essence your statement is assumptive, judgemental and sweeping.  
That's not factual.


Very few developers have time to put everything on hold because the  
tools they have are not 100% effective - I certainly don't. I  
really wish I did, but this is the real world where the almighty  
pound is king. I'd love to see the faces at the next board meeting  
when I say "no progress this month because we've been trying to  
come up with something better than CAPTCHA's".


You are missing the point. I'm not telling you to stop anything.

I am saying -- however -- that we continue (myself included) to use  
technology that hurts others. That does not justify our actions --  
it only provides an excuse.


When you say it hurts others I assume you mean excludes users who, for  
whatever reason, cannot pass the CAPTCHA test. I completely agree, but  
as far as I know it's only (and I use that word carefully) people with  
both visual and audio impairments that you cannot cater for. If you  
could you'd render all CAPTCHA implementations I'm aware of pointless.


I completely agree that this is less than ideal, and I really don't  
like preventing legitimate potential users from using my sites, but  
I'd rather have a usable and clean (yes, most automated posts are  
dirty in some way) site than one that nobody wants to use. This is a  
choice we have to make otherwise there's no point creating the site at  
all.


Holding my hand up now as a lazy developer, the CAPTCHA I have on my  
sites is not accessible what with it being simply an image with no  
audio alternative. We have plans to switch it to using recaptcha or  
implement our own but in terms of priorities it's pretty low for my
2-man team (myself included).


The best defence against dodgy inputs I've seen so far has been  
having a good community on the site who pro-actively look for and  
take action against it. Best example I can think of this late in  
the day is Wikipedia.


As I see it, I could be wrong, but that's just an example of  
"developers" who are not taking the easy way out, but rather trying  
to solve the problem by using something other than CAPTCHA, like the  
ones I posted earlier.


Yes and no. Wikipedia has its share of problems with spammers, but  
they have such a large community of users who are willing and able to  
put time into keeping the site clean it works. The same site with a  
different type of user profile may not be able to work this way.


As far as it being down to the developer I think you're giving credit  
where little is due. It's the user response to the completely open  
nature of the original product that prevented them from having to  
implement CAPTCHA's to prevent automated posting. Had the community of  
users not been so proactive I don't doubt they would have ended up  
using them.


Look, we are not in disagreement -- I understand that you have  
deadlines and projects that can't be put on hold and all the other  
excuses you cite -- actually, so do I. But in the end, we are doing  
this at the cost of accessibility for others. We shouldn't lose  
sight of that.


I think we do disagree on a fundamental level. You think we've all  
given up because we have CAPTCHA's, I believe in the 

Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 3:41 PM, Stut wrote:

I completely agree, but as far as I know it's only (and I use that  
word carefully) people with both visual and audio impairments that  
you cannot cater for.



I cannot see any reason why a person with both visual and audio  
impairments could not be presented with a test to prove they are human.








Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:
> On Aug 29, 2008, at 3:41 PM, Stut wrote:
> 
> > I completely agree, but as far as I know it's only (and I use that  
> > word carefully) people with both visual and audio impairments that  
> > you cannot cater for.
> 
> 
> I cannot see any reason why a person with both visual and audio  
> impairments could not be presented with a test to prove they are human.

Go on, I'm all eyes and ears... describe such a test.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 8:41 PM +0100 8/29/08, Stut wrote:

So, in essence your statement is assumptive, judgemental and sweeping.


I certainly did not mean it to be taken assumptive or judgmental.

---
Holding my hand up now as a lazy developer, the CAPTCHA I have on my 
sites is not accessible what with it being simply an image with no 
audio alternative. We have plans to switch it to using recaptcha or 
implement our own but in terms of priorities it's pretty low for my 
2-man team (myself included).


If you ever want to add an audio CAPTCHA, I will provide mine. I have 
done significant blind testing to get it approved by blind testers.


But, I say this from one developer to another and not to the general 
public. When dealing with another developer, it's much less 
problematic to share code because we speak a common language.


You see, I provide free things on my site, such as my drop-down menu, 
and I have people daily failing to implement those correctly because 
they cannot follow simple directions. I don't want to complicate my 
life further without good reason.


---
As I see it, I could be wrong, but that's just an example of 
"developers" who are not taking the easy way out, but rather trying 
to solve the problem by using something other than CAPTCHA, like 
the ones I posted earlier.


Yes and no. Wikipedia has its share of problems with spammers, but 
they have such a large community of users who are willing and able 
to put time into keeping the site clean it works. The same site with 
a different type of user profile may not be able to work this way.


As far as it being down to the developer I think you're giving 
credit where little is due.


That's the reason why I quoted "developer" -- the developer in this 
case IS the user.


---

I think we do disagree on a fundamental level. You think we've all 
given up because we have CAPTCHA's, I believe in the innovative
potential of most developers. We're using CAPTCHA's a lot, and we're 
doing it because none of us have come up with anything better yet, 
but that certainly doesn't mean we've given up trying.


If your site is free to use I would modify your statement to say...

"CAPTCHA's show the world that you care about the quality of the 
content on your site without needing to charge for its use, but 
remember that we haven't given up trying to find a better way"


Not quite as catchy as yours, but more accurate. If people need to 
pay to use your site then the need for CAPTCHA's is reduced but I'd 
argue that in some cases they're still needed.


You bring up good points and I'm not so head-strong that I can't 
listen and learn.


Is this better?

http://webbytedd.com/aa/assorted-captcha/

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr

On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:


On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:

On Aug 29, 2008, at 3:41 PM, Stut wrote:


I completely agree, but as far as I know it's only (and I use that
word carefully) people with both visual and audio impairments that
you cannot cater for.



I cannot see any reason why a person with both visual and audio
impairments could not be presented with a test to prove they are  
human.


Go on, I'm all eyes and ears... describe such a test.



http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs 
 discusses this.


And, I look forward to see what those doing research in this area come  
up with in the future. It does seem obvious that since they are human,  
that a good test can be designed which does not rely on security  
through obscurity.







Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 3:27 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 3:15 PM, tedd wrote:

Why should I have to explain something that is widely known and easy to find?


So, I'm curious, what prevents a website from providing a good 
implementation of both an audio and visual captcha to prevent 
accessibility problems which you claim are impossible to avoid with 
every use of a captcha?



If you are curious, then please research it. There is plenty of documentation.


Personally, my favorite implementation to date is:

  http://recaptcha.net/learnmore.html


Arrggg.  I can't even pass it.


and not only is it well designed,


It's designed well enough to keep me out and I'm neither deaf, blind, 
nor whatever.




Remember, the concept of a captcha is this:

  A test to prove one is human in order to perform some action.


My memory is just fine, thank you.

At some point, you should do some reading on the subject.

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 20:52, Eric Gorr wrote:

On Aug 29, 2008, at 3:41 PM, Stut wrote:

I completely agree, but as far as I know it's only (and I use that  
word carefully) people with both visual and audio impairments that  
you cannot cater for.



I cannot see any reason why a person with both visual and audio  
impairments could not be presented with a test to prove they are  
human.


Show me a test that you can read with a braille reader, that doesn't  
assume more than minimal intelligence on the part of the user and that  
cannot be easily parsed and answered programmatically.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 4:21 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:

I cannot see any reason why a person with both visual and audio
impairments could not be presented with a test to prove they are human.


Go on, I'm all eyes and ears... describe such a test.



http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs 
discusses this.


And, I look forward to see what those doing research in this area 
come up with in the future. It does seem obvious that since they are 
human, that a good test can be designed which does not rely on 
security through obscurity.


Maybe a blood test? Nope, that could be faked.

Back to thinking (ponder, ponder, ponder...)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 21:21, Eric Gorr wrote:

On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:


On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:

On Aug 29, 2008, at 3:41 PM, Stut wrote:


I completely agree, but as far as I know it's only (and I use that
word carefully) people with both visual and audio impairments that
you cannot cater for.



I cannot see any reason why a person with both visual and audio
impairments could not be presented with a test to prove they are  
human.


Go on, I'm all eyes and ears... describe such a test.



http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs 
 discusses this.


And, I look forward to see what those doing research in this area  
come up with in the future. It does seem obvious that since they are  
human, that a good test can be designed which does not rely on  
security through obscurity.


CAPTCHA's are *not* a security mechanism, no matter what Wikipedia  
says. They do nothing more than protect from automated form  
submissions. That's it.


Anyway, as that article states...

"Often, email or telephone support is used to manually provide access  
to users who are unable to solve a CAPTCHA"


That's ultimate accessibility, assuming it supports all types of  
telephone, but it's also a major expense needing 24/7 coverage. Not  
something my company of 5 people could hope to support on a
free-to-use site.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 4:21 PM, tedd wrote:


At 3:27 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 3:15 PM, tedd wrote:
Why should I have to explain something that is widely known and  
easy to find?


So, I'm curious, what prevents a website from providing a good  
implementation of both an audio and visual captcha to prevent  
accessibility problems which you claim are impossible to avoid with  
every use of a captcha?


If you are curious, then please research it. There is plenty of  
documentation.


I am curious as to what your answer would be as I cannot find what  
does not exist.






Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 16:21 -0400, Eric Gorr wrote:
> On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:
> 
> > On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:
> >> On Aug 29, 2008, at 3:41 PM, Stut wrote:
> >>
> >>> I completely agree, but as far as I know it's only (and I use that
> >>> word carefully) people with both visual and audio impairments that
> >>> you cannot cater for.
> >>
> >>
> >> I cannot see any reason why a person with both visual and audio
> >> impairments could not be presented with a test to prove they are  
> >> human.
> >
> > Go on, I'm all eyes and ears... describe such a test.
> 
> 
> http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs 
>   discusses this.
> 
> And, I look forward to see what those doing research in this area come  
> up with in the future. It does seem obvious that since they are human,  
> that a good test can be designed which does not rely on security  
> through obscurity.

I said describe such a test... I didn't say describe current thoughts
about such a test that have no practical implementation.

Pay special attention to the word "practical" used above before shooting
something back off the top of your head.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 9:32 PM +0100 8/29/08, Stut wrote:
That's ultimate accessibility, assuming it supports all types of 
telephone, but it's also a major expense needing 24/7 coverage. Not 
something my company of 5 people could hope to support on a 
free-to-use site.


-Stut


-Stut:

I hesitated before writing this because I don't want to get into 
another debate with you, but accessibility means that all people 
(disabled or not) can access the data they want in a similar fashion.


Accessibility does NOT mean "If you have a problem with our web site, 
please call"


This is no different than any other accessibility issue. People in 
wheelchairs should not have to call someone to get them over an 
unaccessible curb or to be able to make their way to a product or 
service, or anything else that could be made accessible to them by 
some accommodating manner.


Do you not agree?

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread tedd

At 4:37 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 4:21 PM, tedd wrote:


At 3:27 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 3:15 PM, tedd wrote:
Why should I have to explain something that is widely known and 
easy to find?


So, I'm curious, what prevents a website from providing a good 
implementation of both an audio and visual captcha to prevent 
accessibility problems which you claim are impossible to avoid 
with every use of a captcha?


If you are curious, then please research it. There is plenty of 
documentation.


I am curious as to what your answer would be as I cannot find what 
does not exist.


There is more than enough documentation regarding accessibility issue 
for you to find your answer. All you need to do is read.


Just because you had a run-in with me off-list where I apologized for 
my comment does not mean that I won't repeat it publicly for everyone 
to decide if what I said was appropriate or not -- your call.


As I see it, you're just being argumentative and playing word games 
and I'm not going to play.


So either read up on the subject and ask an honest question or I'll
stop answering your questions altogether.


tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr

On Aug 29, 2008, at 5:19 PM, tedd wrote:


At 4:37 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 4:21 PM, tedd wrote:


At 3:27 PM -0400 8/29/08, Eric Gorr wrote:

On Aug 29, 2008, at 3:15 PM, tedd wrote:
Why should I have to explain something that is widely known and  
easy to find?


So, I'm curious, what prevents a website from providing a good  
implementation of both an audio and visual captcha to prevent  
accessibility problems which you claim are impossible to avoid  
with every use of a captcha?


If you are curious, then please research it. There is plenty of  
documentation.


I am curious as to what your answer would be as I cannot find what  
does not exist.


There is more than enough documentation regarding accessibility  
issue for you to find your answer. All you need to do is read.


There is no documentation anywhere which claims, as you do, that it is  
impossible to design a captcha which deals with accessibility issues.  
It has been done and the research into doing it better continues -  
even with those who are both blind and deaf.



So, again, remember, the concept of a captcha is this:

A test to prove one is human in order to perform some action.

There is no reason why a blind or deaf person absolutely cannot be  
presented with such a test. Now, if you wish to continue to argue to  
the contrary, you are more than welcome to do so.






Re: [PHP] ASCII Captcha

2008-08-29 Thread Jochem Maas

tedd wrote:

At 9:32 PM +0100 8/29/08, Stut wrote:
That's ultimate accessibility, assuming it supports all types of 
telephone, but it's also a major expense needing 24/7 coverage. Not 
something my company of 5 people could hope to support on a 
free-to-use site.


-Stut


-Stut:

I hesitated before writing this because I don't want to get into another 
debate with you, but accessibility means that all people (disabled or 
not) can access the data they want in a similar fashion.


Accessibility does NOT mean "If you have a problem with our web site, 
please call"


This is no different than any other accessibility issue. People in 
wheelchairs should not have to call someone to get them over an 
unaccessible curb or to be able to make their way to a product or 
service, or anything else that could be made accessible to them by some 
accommodating manner.


Do you not agree?


yes and no. in the wild a lion with hip atrophy will be forced to
crawl away and die ... no more eating gazelles for him, more to the point
there are millions (billions?) of people without the right to free speech,
or say clean water let alone have the money for a PC or an internet
connection.

my point being we have a long long long way to go before we can say
much positive about accessibility for everyone.

I think both tedd and Stut make good points, I guess we'll all be
hacking away at such issues for a long time to come.

in the mean time, here's wishing more clean water and internet access
for everyone (and less bombs).



Cheers,

tedd






Re: [PHP] ASCII Captcha

2008-08-29 Thread Jochem Maas

Eric Gorr wrote:

On Aug 29, 2008, at 5:19 PM, tedd wrote:



...

There is no documentation anywhere which claims, as you do, that it is 
impossible to design a captcha which deals with accessibility issues.


a lack of evidence proving the impossible ... there is a logic flaw
there somewhere.

It 
has been done and the research into doing it better continues - even 
with those who are both blind and deaf.



So, again, remember, the concept of a captcha is this:

A test to prove one is human in order to perform some action.


so orthogonal to the turing test ... I'd wager that research in
turing test passing technology is moving faster than captcha tech.

so in the long run captcha is plain dead in the water.

really the basic concept of captcha is this:

A test to prove that the interacting agent is legitimate,
whether it be Bot, Cat, Human or otherwise.

oh, and nobody's yet mentioned that anyone can bust any captcha
on an automated scale without any programming intelligence, it
takes nothing more than setting up a pr0n affiliate site with
a redirector form that sneakily grabs captcha images from whatever
the target of the day is ... and in such a case you'd be quite happy
if someone's bot came along and repeatedly cracked "your" captcha



There is no reason why a blind or deaf person absolutely cannot be 
presented with such a test. Now, if you wish to continue to argue to the 
contrary, you are more than welcome to do so.


on behalf of the list, please accept our "Crayon of the Week" award.









Re: [PHP] ASCII Captcha

2008-08-29 Thread Jochem Maas

Eric Gorr wrote:


On Aug 29, 2008, at 5:51 PM, Jochem Maas wrote:


Eric Gorr wrote:

On Aug 29, 2008, at 5:19 PM, tedd wrote:


...

There is no documentation anywhere which claims, as you do, that it 
is impossible to design a captcha which deals with accessibility issues.


a lack of evidence proving the impossible ... there is a logic flaw
there somewhere.


Considering that it has been done, why do you assert anyone would claim 
(such as tedd), who wants to remain credible, that it hasn't? Do you 
wish to make such a claim?




... huh? I really can't even be bothered to try and grok this nonsense of yours.

real trolls use less pronouns.

PS. I am a lot less kind than tedd, I bounce everything straight back to the
list if you try to tackle me offlist ... If I wanna pick a fight I'll do it
in public, I have no shame ... I'm dutch.





Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 22:39, Jochem Maas wrote:

in the mean time, here's wishing more clean water and internet access
for everyone (and less bombs).


Hear hear, except that I'd put food above internet access.

-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread Stut

On 29 Aug 2008, at 22:07, tedd wrote:

At 9:32 PM +0100 8/29/08, Stut wrote:
That's ultimate accessibility, assuming it supports all types of  
telephone, but it's also a major expense needing 24/7 coverage. Not  
something my company of 5 people could hope to support on a
free-to-use site.


-Stut


-Stut:

I hesitated before writing this because I don't want to get into  
another debate with you, but accessibility means that all people  
(disabled or not) can access the data they want in a similar fashion.


Why hesitate? If I'm putting you off debating with me then I'm doing  
it wrong so please enlighten me to my faults so I can correct them.


Accessibility does NOT mean "If you have a problem with our web  
site, please call"


This is no different than any other accessibility issue. People in  
wheelchairs should not have to call someone to get them over an  
unaccessible curb or to be able to make their way to a product or  
service, or anything else that could be made accessible to them by  
some accommodating manner.


Do you not agree?


Sort of. I think most disabled people accept that they are different  
and that special provisions sometimes need to be made. In this case I  
would hope people would understand that the current technology we have  
for verifying that users of a website are people does not allow us to
cover every possible case and that we do try to make things as  
accessible as possible.


To me accessibility means that everyone is able to use something to  
achieve a goal regardless of their physical or mental condition.  
Nothing about it says that everyone should be able to reach that goal  
without assistance and that said assistance should be readily  
available and easy to request.


But I'll be the first to say that I don't know enough about this  
subject, or enough differently abled people to know how they view the  
world. What I can say is that one person's definition of accessibility
is not necessarily the same as anyone else's.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-29 Thread Eric Gorr


On Aug 29, 2008, at 6:56 PM, Stut wrote:


On 29 Aug 2008, at 22:39, Jochem Maas wrote:

in the mean time, here's wishing more clean water and internet access
for everyone (and less bombs).


Hear hear, except that I'd put food above internet access.


Indeed. Although, I might include shelter, clothing and private  
property (see Locke) as well... :-)






Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 23:51 +0200, Jochem Maas wrote:
>
> on behalf of the list, please accept our "Crayon of the Week" award.

*lol* I have seen Crayon in months.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 21:38 -0400, Robert Cummings wrote:
> On Fri, 2008-08-29 at 23:51 +0200, Jochem Maas wrote:
> >
> > on behalf of the list, please accept our "Crayon of the Week" award.
> 
> *lol* I have seen Crayon in months.

Err... haven't!

:)



> 
> Cheers,
> Rob.

-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 23:05 -0400, Eric Gorr wrote:
> On Aug 29, 2008, at 9:40 PM, Robert Cummings wrote:
> 
> > On Fri, 2008-08-29 at 17:28 -0400, Eric Gorr wrote:
> >> On Aug 29, 2008, at 5:19 PM, Robert Cummings wrote:
> >>
> >>> On Fri, 2008-08-29 at 16:54 -0400, Eric Gorr wrote:
> >>>> On Aug 29, 2008, at 4:42 PM, Robert Cummings wrote:
> >>>>
> >>>>> On Fri, 2008-08-29 at 16:21 -0400, Eric Gorr wrote:
> >>>>>> On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:
> >>>>>>
> >>>>>>> On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:
> >>>>>>>> On Aug 29, 2008, at 3:41 PM, Stut wrote:
> >>>>>>>>
> >>>>>>>>> I completely agree, but as far as I know it's only (and I use
> >>>>>>>>> that
> >>>>>>>>> word carefully) people with both visual and audio impairments
> >>>>>>>>> that
> >>>>>>>>> you cannot cater for.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I cannot see any reason why a person with both visual and audio
> >>>>>>>> impairments could not be presented with a test to prove they
> >>>>>>>> are
> >>>>>>>> human.
> >>>>>>>
> >>>>>>> Go on, I'm all eyes and ears... describe such a test.
> >>>>>>
> >>>>>>
> >>>>>> http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs
> >>>>>> discusses this.
> >>>>>>
> >>>>>> And, I look forward to see what those doing research in this area
> >>>>>> come
> >>>>>> up with in the future. It does seem obvious that since they are
> >>>>>> human,
> >>>>>> that a good test can be designed which does not rely on security
> >>>>>> through obscurity.
> >>>>>
> >>>>> I said describe such a test... I didn't say describe current
> >>>>> thoughts
> >>>>> about such a test that have no practical implementation.
> >>>>
> >>>> I pointed to such tests.
> >>>>
> >>>>> Pay special attention to the word "practical" used above before
> >>>>> shooting
> >>>>> something back off the top of your head.
> >>>>
> >>>> Of course they have a practical implementation. They have been
> >>>> implemented.
> >>>
> >>> Implementation does not imply practicality.
> >>>
> >>> Implementations for space travel exist. Does it make space travel  
> >>> for
> >>> everyone practical?
> >>>
> >>> Now please return to paying special attention to the word practical.
> >>> Feel free to dust off a dictionary if you must.
> >>
> >> What is impractical about an implementation asking a question
> >> such as:
> >>
> >> what is 3 + 5?
> >> what color is the sky?
> >>
> >> and then processing the answer entered?
> >
> > The answer lies in the very article to which you referred me. These  
> > are
> > easily crackable, and thus impractical.
> 
> By that illogical conclusion, all captcha's are impractical for all  
> are easily crackable and yet they have the very practical ability to  
> prevent an amount of spam that is quite beyond comprehension.
> 
> Care to try again?

All CAPTCHA's are not easily crackable. Some are quite difficult. It's
quite likely that all are crackable, but the same can be said for any
encryption scheme too. Practicality brings into play such high minded
concepts as time, space, and cost. I just noticed btw that you've taken
this off list. Please keep it on the list for all to read. If you want
private lessons I can be reached for pricing at this address.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 23:24 -0400, Eric Gorr wrote:
> On Aug 29, 2008, at 11:16 PM, Robert Cummings wrote:
> 
> > On Fri, 2008-08-29 at 23:05 -0400, Eric Gorr wrote:
> >> On Aug 29, 2008, at 9:40 PM, Robert Cummings wrote:
> >>
> >>> On Fri, 2008-08-29 at 17:28 -0400, Eric Gorr wrote:
> >>>> On Aug 29, 2008, at 5:19 PM, Robert Cummings wrote:
> >>>>
> >>>>> On Fri, 2008-08-29 at 16:54 -0400, Eric Gorr wrote:
> >>>>>> On Aug 29, 2008, at 4:42 PM, Robert Cummings wrote:
> >>>>>>
> >>>>>>> On Fri, 2008-08-29 at 16:21 -0400, Eric Gorr wrote:
> >>>>>>>> On Aug 29, 2008, at 4:09 PM, Robert Cummings wrote:
> >>>>>>>>
> >>>>>>>>> On Fri, 2008-08-29 at 15:52 -0400, Eric Gorr wrote:
> >>>>>>>>>> On Aug 29, 2008, at 3:41 PM, Stut wrote:
> >>>>>>>>>>
> >>>>>>>>>>> I completely agree, but as far as I know it's only (and I
> >>>>>>>>>>> use
> >>>>>>>>>>> that
> >>>>>>>>>>> word carefully) people with both visual and audio
> >>>>>>>>>>> impairments
> >>>>>>>>>>> that
> >>>>>>>>>>> you cannot cater for.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> I cannot see any reason why a person with both visual and
> >>>>>>>>>> audio
> >>>>>>>>>> impairments could not be presented with a test to prove they
> >>>>>>>>>> are
> >>>>>>>>>> human.
> >>>>>>>>>
> >>>>>>>>> Go on, I'm all eyes and ears... describe such a test.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> http://en.wikipedia.org/wiki/Captcha#Attempts_at_more_accessible_CAPTCHAs
> >>>>>>>> discusses this.
> >>>>>>>>
> >>>>>>>> And, I look forward to see what those doing research in this
> >>>>>>>> area
> >>>>>>>> come
> >>>>>>>> up with in the future. It does seem obvious that since they are
> >>>>>>>> human,
> >>>>>>>> that a good test can be designed which does not rely on
> >>>>>>>> security
> >>>>>>>> through obscurity.
> >>>>>>>
> >>>>>>> I said describe such a test... I didn't say describe current
> >>>>>>> thoughts
> >>>>>>> about such a test that have no practical implementation.
> >>>>>>
> >>>>>> I pointed to such tests.
> >>>>>>
> >>>>>>> Pay special attention to the word "practical" used above before
> >>>>>>> shooting
> >>>>>>> something back off the top of your head.
> >>>>>>
> >>>>>> Of course they have a practical implementation. They have been
> >>>>>> implemented.
> >>>>>
> >>>>> Implementation does not imply practicality.
> >>>>>
> >>>>> Implementations for space travel exist. Does it make space travel
> >>>>> for
> >>>>> everyone practical?
> >>>>>
> >>>>> Now please return to paying special attention to the word
> >>>>> practical.
> >>>>> Feel free to dust off a dictionary if you must.
> >>>>
> >>>> What is impractical about an implementation asking a question
> >>>> such as:
> >>>>
> >>>> what is 3 + 5?
> >>>> what color is the sky?
> >>>>
> >>>> and then processing the answer entered?
> >>>
> >>> The answer lies in the very article to which you referred me. These
> >>> are
> >>> easily crackable, and thus impractical.
> >>
> >> By that illogical conclusion, all captcha's are impractical for all
> >> are easily crackable and yet they have the very practical ability to
> >> prevent an amount of spam that is quite beyond comprehension.
> >>
> >> Care to try again?
> >
> > All CAPTCHA's are not easily crackable. Some are quite difficult.
> 
> All someone has to do is hire someone to sit there and solve the  
> captcha's. There are places in this world which, unfortunately, employ  
> slave or virtually slave labor. If someone wants to fire that missile,  
> it is certainly possible.
> 
> They are _all_ easily crackable.

A human tending to a CAPTCHA is not cracked, the human is performing the
action for which the CAPTCHA was intended. While CAPTCHA's may be weak
to this kind of exploitation, this exploitation does not constitute a
crack.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 23:27 -0400, Eric Gorr wrote:
>
> btw, why are you bothering the mailing list with this pointless  
> conversation?

For the archives. This way the arguments for and against may be known
and the next time a trolling idiot makes a run for gold I can direct
them to the archives.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Fri, 2008-08-29 at 23:39 -0400, Eric Gorr wrote:
> On Aug 29, 2008, at 11:31 PM, Robert Cummings wrote:
> 
> > On Fri, 2008-08-29 at 23:24 -0400, Eric Gorr wrote:
> >> On Aug 29, 2008, at 11:16 PM, Robert Cummings wrote:
> >>
> >>> On Fri, 2008-08-29 at 23:05 -0400, Eric Gorr wrote:
> >>>> On Aug 29, 2008, at 9:40 PM, Robert Cummings wrote:
> >>>
> >>> All CAPTCHA's are not easily crackable. Some are quite difficult.
> >>
> >> All someone has to do is hire someone to sit there and solve the
> >> captcha's. There are places in this world which, unfortunately,  
> >> employ
> >> slave or virtually slave labor. If someone wants to fire that  
> >> missile,
> >> it is certainly possible.
> >>
> >> They are _all_ easily crackable.
> >
> > A human tending to a CAPTCHA is not cracked, the human is performing  
> > the
> > action for which the CAPTCHA was intended. While CAPTCHA's may be weak
> > to this kind of exploitation, this exploitation does not constitute a
> > crack.
> 
> Remember, the purpose of a captcha is to prevent a spammer from  
> performing some kind of action. Anything that would allow the spammer  
> to perform that action is cracking that thing which was put into place  
> to prevent it.

No, circumvention is not necessarily cracking. You have described the
"relay attack". See wikipedia section called "Human Solvers":

http://en.wikipedia.org/wiki/Captcha

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
This is called the "Relay Attack" and is not a crack.

Cheers,
Rob.



On Fri, 2008-08-29 at 23:57 -0400, Eric Gorr wrote:
> p.s. I cannot claim credit for this piece of info and since you will  
> reject out of hand anything I might say, I am quoting it  
> directly but thought you might be interested in learning about just
> how easily captcha's can be cracked.
> 
> -
> To whoever said you could hire a programmer for $5/hour to break  
> CAPTCHAs, spammers have demonstrated a cheaper way to get someone to  
> do the dirty work for them. And it can work for just about any CAPTCHA  
> in existence because it uses the one thing CAPTCHAs depend on:
> actual human intervention.
> 
> All you need is a porn server or something else decidedly tempting.
> 
> When the unsuspecting visitor makes a request for free stuff, the  
> server can then make an attempt to break a CAPTCHA. It makes the  
> attempt innocuously like any ordinary web client, but it downloads the  
> necessary CAPTCHA and data locally (so no offsite addressing)…and then  
> passes it along to the user, challenging him/her to solve the CAPTCHA  
> in order to obtain the goods.
> 
> The user solves the CAPTCHA, the web server passes along the results.  
> If the CAPTCHA is passed, the user gets the reward (so does the  
> server, though).
> 
> It’s a human proxy, and the actual attempt can be made to look exactly  
> like any ordinary person making the attempt, so there’s no way for the  
> CAPTCHA to distinguish between this and a real attempt. It would be  
> only moderately difficult to implement the proxy but mostly automatic  
> once implemented.
> -
> 
> 
> Simple google searches can come up with similar statements from  
> apparently credible sources, whose veracity I have no reason to doubt,  
> about people being hired to sit there and break captcha's if it is  
> important enough to the evil doer to do so.
> 
> 
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Sat, 2008-08-30 at 00:05 -0400, Eric Gorr wrote:
> Oh, here's an interesting story:
> 
> http://bits.blogs.nytimes.com/2008/03/13/breaking-google-captchas-for-3-a-day/

This was written by a journalist, not a technology expert. Even the
person to which he was talking needed to clarify the meaning of "crack".
From the article:

"If by cracked, you are saying that a machine can solve the
 captcha as easily as a human being, I’m confident that is
 not the case,"

Interestingly the word crack only appears in the article in two places.
In the above quote and in the following excerpt:

Another piece of evidence that sheds light on the mystery
was uncovered by Websense, one of the security firms that
suggested that spammers are having at least some success
using bots to crack Google’s captchas.

I really don't see how this story supports your arguments in the least
and as such I will not be answering anymore of your drivel. You appear
to have nothing of usefulness to add to the conversation.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-29 Thread Robert Cummings
On Sat, 2008-08-30 at 00:25 -0400, Eric Gorr wrote:
> On Aug 30, 2008, at 12:19 AM, Robert Cummings wrote:
> 
> > On Sat, 2008-08-30 at 00:05 -0400, Eric Gorr wrote:
> >> Oh, here's an interesting story:
> >>
> >> http://bits.blogs.nytimes.com/2008/03/13/breaking-google-captchas-for-3-a-day/
> >
> > This was written by a journalist, not a technology expert. Even the
> > person to which he was talking needed to clarify the meaning of  
> > "crack".
> > From the article:
> >
> >   "If by cracked, you are saying that a machine can solve the
> >    captcha as easily as a human being, I’m confident that is
> >    not the case,"
> >
> > Interestingly the word crack only appears in the article in two
> > places.
> > In the above quote and in the following excerpt:
> >
> >   Another piece of evidence that sheds light on the mystery
> >   was uncovered by Websense, one of the security firms that
> >   suggested that spammers are having at least some success
> >   using bots to crack Google’s captchas.
> >
> > I really don't see how this story supports your arguments in the least
> > and as such I will not be answering anymore of your drivel. You appear
> > to have nothing of usefulness to add to the conversation.
> 
> I didn't think it would take very long for you to begin to fear the
> intervention of the moderators. I'm sure the rest of the list will
> appreciate your silence as well. But since I doubt you are telling the  
> truth and have the habit of quoting everything I write back to the list:
> 
> Please, would all of the other readers of this mailing list write to
> [EMAIL PROTECTED]
> and ask them to shut Robert Cummings down? Thank you.

I'm sorry list *lol* But this one made me laugh so hard I had to share
this last one with you. I'm gonna be grinning for days *giggle*.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 12:05 AM +0100 8/30/08, Stut wrote:

On 29 Aug 2008, at 22:07, tedd wrote:
I hesitated before writing this because I don't want to get into 
another debate with you, but accessibility means that all people 
(disabled or not) can access the data they want in a similar 
fashion.


Why hesitate? If I'm putting you off debating with me then I'm doing 
it wrong so please enlighten me to my faults so I can correct them.


Oh, there's nothing that you're doing wrong -- you're a great debater 
and you're usually right.


I'm just getting tired of having my ass handed to me each time I 
disagree with you -- that's meant in a good way. You know your stuff 
and have excellent communication skills -- that's a hard combination 
to debate against. :-)


But in fairness to both, we're not that far apart on the things we 
debate -- except you usually win. That's the real reason why I 
hesitate, understand?  :-)


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Stut

On 30 Aug 2008, at 13:00, tedd wrote:

At 12:05 AM +0100 8/30/08, Stut wrote:

On 29 Aug 2008, at 22:07, tedd wrote:
I hesitated before writing this because I don't want to get into  
another debate with you, but accessibility means that all people  
(disabled or not) can access the data they want in a similar  
fashion.


Why hesitate? If I'm putting you off debating with me then I'm  
doing it wrong so please enlighten me to my faults so I can correct  
them.


Oh, there's nothing that you're doing wrong -- you're a great  
debater and you're usually right.


I'm just getting tired of having my ass handed to me each time I  
disagree with you -- that's meant in a good way. You know your stuff  
and have excellent communication skills -- that's a hard combination  
to debate against. :-)


But in fairness to both, we're not that far apart on the things we  
debate -- except you usually win. That's the real reason why I  
hesitate, understand?  :-)


Wait, am I blushing? :)

Seriously though, don't ever hesitate. It's healthy and fun to  
disagree, the value is in the debate - it's how our knowledge  
continues to evolve regardless of who "wins". All opinions are valid  
and valuable, and over the years I've learned that most of mine are  
wrong, it just happens that my success rate in the field of software  
engineering is higher than on other topics. And rest assured I've  
learned just as much from you as I hope you have from me in the past  
few years.


Now, about that recommendation for my linked in profile... ;)

-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 11:51 PM +0200 8/29/08, Jochem Maas wrote:

Eric Gorr wrote:
There is no documentation anywhere which claims, as you do, that it 
is impossible to design a captcha which deals with accessibility 
issues.


on behalf of the list, please accept our "Crayon of the Week" award.


Oh, and please realize we have the sharpest Crayon and dullest Crayon 
of the Week awards, which do you think you've won with your ASCII 
Captcha and performance thus far on this list? That's a  rhetorical 
question -- I don't care what your answer may be.


As I said privately --

As for me, your ASCII art Captcha does nothing to advance the 
use/ease of Captcha's -- the problem remains except you have made it 
even more difficult for people to read without making it harder for 
automated systems to break.


No offense meant, but if this were a class I was teaching and you were a
student, I would give you a C for originality, a D for solving the 
problem at hand, and an F for not doing the required reading.


-- and that gang was what he took offence to off-list AND I 
apologized to him for saying it. But as you can see, he continues.


The problem here Eric is that you've waded into a list that has a lot 
of very smart people on it who give freely of their time and effort 
to help others. Instead of appreciating that fact and taking 
advantage of what we have to offer, you take offense at an honest 
evaluation and then start throwing your weight around as if your 
ASCII art Captcha has given you some measure of credibility. Well, it 
hasn't.


So, continue to rattle on you may, but welcome to my kill file.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Stut

On 30 Aug 2008, at 05:32, Robert Cummings wrote:

On Sat, 2008-08-30 at 00:25 -0400, Eric Gorr wrote:

On Aug 30, 2008, at 12:19 AM, Robert Cummings wrote:


On Sat, 2008-08-30 at 00:05 -0400, Eric Gorr wrote:

Oh, here's an interesting story:

http://bits.blogs.nytimes.com/2008/03/13/breaking-google-captchas-for-3-a-day/


This was written by a journalist, not a technology expert. Even the
person to which he was talking needed to clarify the meaning of
"crack".

From the article:


  "If by cracked, you are saying that a machine can solve the
   captcha as easily as a human being, I’m confident that is
   not the case,"

Interestingly the word crack only appears in the article in two
places.
In the above quote and in the following excerpt:

  Another piece of evidence that sheds light on the mystery
  was uncovered by Websense, one of the security firms that
  suggested that spammers are having at least some success
  using bots to crack Google’s captchas.

I really don't see how this story supports your arguments in the  
least
and as such I will not be answering anymore of your drivel. You  
appear

to have nothing of usefulness to add to the conversation.


I didn't think it would take very long for you to begin to fear the
intervention of the moderators. I'm sure the rest of the list will
appreciate your silence as well. But since I doubt you are telling  
the
truth and have the habit of quoting everything I write back to the  
list:


Please, would all of the other readers of this mailing list write  
to [EMAIL PROTECTED]

and ask them to shut Robert Cummings down? Thank you.


I'm sorry list *lol* But this one made me laugh so hard I had to share
this last one with you. I'm gonna be grinning for days *giggle*.


Thanks Rob, this was my first chuckle of the day.

Eric...

1) Quoting an NYT blog as an authority on technical matters is both  
naive and asking for it. The mainstream press have never used
industry-specific terminology correctly, and they probably never will. Hacker
vs. cracker is the best example of this.


2) CAPTCHA's have one single purpose... to prevent automated form  
posting. Any system that uses humans to get past them is not "breaking  
the CAPTCHA", or cracking it or any other terminology you decide to use.


3) This list is self-moderating so your pleas to the PHP webmaster,  
list moderator and $DEITY (you'd have gotten to her in the end) are  
pointless beyond their comedic value.


4) Rob is one of the most valuable members of this mailing list ...  
don't take him on, you'll lose!!


Have a great weekend folks!

-Stut

--
http://stut.net/



Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 11:39 PM +0200 8/29/08, Jochem Maas wrote:

tedd wrote:

Do you not agree?


yes and no. in the wild a lion with hip atrophy will be forced to
crawl away and die ... no more eating gazelles for him


I hope I don't get finger atrophy.

---

my point being we have a long long long way to go before we can say
much positive about accessibility for everyone.


Not that you said otherwise, but that doesn't mean we shouldn't do 
what we can when we can. And, we CAN do more currently.


Of course, all change takes time and money to implement. But once the
need and solutions are exposed, the general tendency of people is to 
help. The more known, the more help. These discussions are part of 
that process -- we all walk away better informed and better equipped 
to deal with the problems.


---

I think both tedd and Stut make good points, I guess we'll all be
hacking away at such issues for a long time to come.


That's the nature of the beast (no not Stut!), but rather the 
evolution of our species in all venues. We've been hacking away on 
things for a long time -- did I ever tell you about how we used to 
program with rocks?  :-)


---

in the mean time, here's wishing more clean water and internet access
for everyone (and less bombs).


Amen to that.

It's one thing to have the greatest military force that's ever 
existed, but it's another to use that for every solution. Like the 
engineer with only a hammer, not everything is a nail -- we need to 
look deeper into our toolbox to solve problems.


Don't get me started about political issues.  :-)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 11:51 PM +0200 8/29/08, Jochem Maas wrote:

so orthogonal to the turing test ... I'd wager that research in
turing test passing technology is moving faster than captcha tech.

so in the long run captcha is plain dead in the water.


I agree with that.

Creating a better captcha is a losing proposition.

The problem has to be solved differently.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 12:14 AM +0200 8/30/08, Jochem Maas wrote:

 I have no shame ... I'm dutch.


That's obvious.  :-)



What we (i.e., USA Government) need to do is to get you people (yeah
I said you people) down to New Orleans to teach us how to make a 
dike. Seriously, your countrymen are the world's leading experts on 
hydrology -- I don't understand why we're not seeking your expertise 
as to how to keep the ocean out.




Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Stut

Oh look, you forgot to include the list again.

On 30 Aug 2008, at 13:54, Eric Gorr wrote:

On Aug 30, 2008, at 8:26 AM, Stut wrote:


Eric...

1) Quoting an NYT blog as an authority on technical matters is both  
naive and asking for it. The mainstream press have never used  
industry-specific terminology correctly, and they probably never  
will. Hacker vs. cracker is the best example of this.


It is entirely legitimate to use words like crack or cracked in  
either a narrow or broad sense. That you would assert they can or  
should only be used in their narrowest sense is, well, ignorant. I  
used the article, not as an authority on technical matters, but only  
to show that there are people out there willing to pay others to crack  
captcha's. That you do not recognize this only demonstrates a severe  
lack of intelligence on your part.


Wow, straight in there with the personal insults. Please take a moment  
to consider the possibility that you're wrong. If they're paying  
others to develop software to get past CAPTCHA's then I'd agree with  
you. Using humans to get past a CAPTCHA test is not breaking it, it's  
solving it in the way it was meant to be solved. The fact that it's  
being done for evil purposes doesn't enter into it.


2) CAPTCHA's have one single purpose... to prevent automated form  
posting. Any system that uses humans to get past them is not  
"breaking the CAPTCHA", or cracking it or any other terminology you  
decide to use.


Captcha's have one single purpose... to make it that much more  
difficult for an evil doer to spam a site or use it to spam.  Any  
system that uses humans to get past them is "breaking the Captcha"  
despite your need to limit the use of English words and phrases to  
only their narrowest sense.


You see what you did there? You completely ignored my definition of  
what a CAPTCHA is and went back to your definition. Where's the wiggle  
room? I'll say it one more time... when a human gets past a CAPTCHA  
test they have "solved" it. When a machine does it they've "broken"  
it. One word, big difference.


3) This list is self-moderating so your pleas to the PHP webmaster,  
list moderator and $DEITY (you'd have gotten to her in the end) are  
pointless beyond their comedic value.


Then, hopefully the other list members will take it upon themselves  
to request these pointless public posts come to an end. I doubt he  
would listen, but there is always hope.


Hold on to the hope Eric, and don't forget your daily prayer to the  
fairies at the bottom of your garden.


4) Rob is one of the most valuable members of this mailing list ...  
don't take him on, you'll lose!!


That only makes it even more interesting to watch him spam a mailing  
list and attempt to provoke a public flame war on a mailing list  
that he would now falsely claim to care about.


Rob is the last person I would expect to intentionally provoke a flame  
war, in public or in private. If someone disagrees with you it's not  
necessarily because they're trying to pick a fight, it's almost  
certainly because they think differently. Nothing more, nothing less.


This discussion is no longer adding value publicly or privately so  
don't expect another response from me. If you feel you need to use  
this opportunity to have the last word feel free.


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 11:56 PM +0100 8/29/08, Stut wrote:

On 29 Aug 2008, at 22:39, Jochem Maas wrote:

in the mean time, here's wishing more clean water and internet access
for everyone (and less bombs).


Hear hear, except that I'd put food above internet access.

-Stut


Yep, right up there with health care (not advocating government doing it).

Once a society has food/water/shelter and health care, their 
productivity increases exponentially and technology leads.


Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Jochem Maas

Robert Cummings schreef:

...


   using bots to crack Google’s captchas.

I really don't see how this story supports your arguments in the least
and as such I will not be answering anymore of your drivel. You appear
to have nothing of usefulness to add to the conversation.
I didn't think it would take very long for you to begin to fear the  
intervention of the moderators. I'm sure the rest of the list will  
appreciate your silence as well. But since I doubt you are telling the  
truth and have the habit of quoting everything I write back to the list:


Please, would all of the other readers of this mailing list write to [EMAIL PROTECTED] 
and ask them to shut Robert Cummings down? Thank you.


1. you can't shut Cummings up, period.
2. you can't shut him down either, he doesn't have an off button.
3. there is no moderator.
4. we welcome Rob's input. (well sometimes I hate it when he's right ... again!)
5. see point 3.



I'm sorry list *lol* But this one made me laugh so hard I had to share
this last one with you. I'm gonna be grinning for days *giggle*.


share the joy :-)



Cheers,
Rob.






Re: [PHP] ASCII Captcha

2008-08-30 Thread Stut

On 30 Aug 2008, at 14:05, tedd wrote:

At 11:39 PM +0200 8/29/08, Jochem Maas wrote:

I think both tedd and Stut make good points, I guess we'll all be
hacking away at such issues for a long time to come.


That's the nature of the beast (no not Stut!)


I am Stut - hear me Roar!!

CAPTCHA's are not a magic bullet, and I'm definitely of the opinion no  
such bullet exists. Each problem is different and we need to think  
about them differently. We all know there has to be a better way, and  
I think we all agree that if possible we wouldn't be using them at  
all. However, while we must recognise that each site we create will  
present different opportunities for validating UGC without needing to  
"fall back" to CAPTCHA's we must also recognise that CAPTCHA's work to  
a certain extent and should not be avoided simply because they're not  
perfect.


I can't remember who said it and I apologise for that, but someone  
mentioned that the person who comes up with a better replacement for  
CAPTCHA's will make billions. Unfortunately this is not true. Any idea  
that has the potential to change the way the world works or plays will  
not reach that potential if it comes with prohibitive licenses or  
royalty fees attached. If it works make it free or adoption will be  
severely restricted which makes it essentially worthless.


That's all I've got to say about that.

-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 12:05 AM +0100 8/30/08, Stut wrote:

On 29 Aug 2008, at 22:07, tedd wrote:

Do you not agree?


Sort of. I think most disabled people accept that they are different 
and that special provisions sometimes need to be made. In this case 
I would hope people would understand that the current technology we 
have for verifying that users of a website are people do not allow 
us to cover every possible case and that we do try to make things as 
accessible as possible.


I am sure many disabled do understand, partly because they have no 
choice. When confronted with barriers that cannot be moved, then you 
look at the problem a little differently (a personal observation).


The problem I see with the net is that much of the technology that 
can make their life better is either being ignored or passed off as 
"sorry about that."


For example, all the clients who I have worked with give lip-service to 
disability issues but at every point when they have to make a 
decision re accessibility or what they want -- they get what they 
want. It can be a very simple thing like color contrast, but 
if the client doesn't want a shade darker to comply, then 
accessibility loses.


I don't mean to sound negative, but it sure feels like an uphill 
battle. It's almost comical when I see web sites who claim care and 
compassion for the disabled, but then refuse to make accessibility 
changes when they are pointed out to them -- this includes local, 
state and the federal government.


To me accessibility means that everyone is able to use something to 
achieve a goal regardless of their physical or mental condition. 
Nothing about it says that everyone should be able to reach that 
goal without assistance and that said assistance should be readily 
available and easy to request.


Yes, I agree with that too -- but what I was commenting about was the 
"Call us if you're disabled" comment as being the ultimate in 
accessibility because that's far from it.


Too many sites simply say "If you have problems, call us" and that's 
their total effort to improve conditions for the disabled AND they 
think they did their part -- but the truth is they haven't.


But I'll be the first to say that I don't know enough about this 
subject, or enough differently abled people to know how they view 
the world. What I can say is that one person's definition of 
accessibility is not necessarily the same as anyone else's.


That's true. But it's not that hard to put yourself in the other's 
shoes and see what problems they face AND how easy it is to mitigate 
some of those problems. The simple use of the alt attribute comes to 
mind -- this is something that everyone can take the time to fill 
out, but few do.


Clearly there are many things to consider, but I claim that as one 
becomes aware of the problem, it becomes easier to comply.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 12:32 AM -0400 8/30/08, Robert Cummings wrote:

On Sat, 2008-08-30 at 00:25 -0400, Eric Gorr wrote:

 > Please, would all of the other readers of this mailing list write 
to [EMAIL PROTECTED]

 and ask them to shut Robert Cummings down? Thank you.


I'm sorry list *lol* But this one made me laugh so hard I had to share
this last one with you. I'm gonna be grinning for days *giggle*.

Cheers,
Rob.


Rob:

I've been saying that for years. :-)

But fortunately smarter minds prevailed.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 3:27 PM +0200 8/30/08, Jochem Maas wrote:


2. you can't shut him down either, he doesn't have an off button.


Yeah, he's a lot like his blow-up dolls except you can't deflate him.  :-)

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Stut

On 30 Aug 2008, at 15:02, tedd wrote:

At 12:05 AM +0100 8/30/08, Stut wrote:
To me accessibility means that everyone is able to use something to  
achieve a goal regardless of their physical or mental condition.  
Nothing about it says that everyone should be able to reach that  
goal without assistance and that said assistance should be readily  
available and easy to request.


Yes, I agree with that too -- but what I was commenting about was  
the "Call us if you're disabled" comment as being the ultimate in  
accessibility because that's far from it.


Too many sites simply say "If you have problems, call us" and that's  
their total effort to improve conditions for the disabled AND they  
think they did their part -- but the truth is they haven't.


There's a big difference in my mind between "If you have problems  
getting past this CAPTCHA please call us" and "If you have problems,  
call us". I had assumed, perhaps incorrectly, that in the first  
instance the phone call would result in the user being able to get  
past the CAPTCHA. In this instance special steps need to be taken to  
technically enable a phone conversation to get a user past the CAPTCHA.


In more general terms we are in complete agreement. Websites should do  
everything they can to make their sites as accessible as possible. I  
can count on one hand the number of companies I've worked with who  
took colour blindness into consideration when (re)designing their site.


What I find particularly daft is that when you look at requirements  
for accessibility most of them are the same as requirements for good  
SEO, so I don't understand why more sites don't have alt tags  
everywhere, and text-only optimisation.


CAPTCHA's are a special case due to the problem it's trying to solve.  
The very things they're trying to prevent are enabled by making them  
accessible. I'm sure in time progress will be made in this area but in  
the meantime I stand by my assertion that a 'phone number people can  
call with any type of telephone to interact with another human who can  
get them past the check without compromising the protection the check  
affords is ultimate accessibility.


-Stut

--
http://stut.net//




Re: [PHP] ASCII Captcha

2008-08-30 Thread tedd

At 3:25 PM +0100 8/30/08, Stut wrote:
in the meantime I stand by my assertion that a 'phone number people 
can call with any type of telephone to interact with another human 
who can get them past the check without compromising the protection 
the check affords is ultimate accessibility.


Well, even you can't be right all of the time.  :-)

That's not bad out of all we discussed to have only one difference of opinion.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-30 Thread Jochem Maas

tedd schreef:

At 3:25 PM +0100 8/30/08, Stut wrote:
in the meantime I stand by my assertion that a 'phone number people 
can call with any type of telephone to interact with another human who 
can get them past the check without compromising the protection the 
check affords is ultimate accessibility.


Well, even you can't be right all of the time.  :-)

That's not bad out of all we discussed to have only one difference of 
opinion.


obviously Cummings' brainwashing program is not 100% effective ;-)



Cheers,

tedd







Re: [PHP] ASCII Captcha

2008-08-30 Thread Sancar Saran

http://blogs.zdnet.com/security/?p=1835


That was great.

Human captcha resolvers.

$2 per 1000 resolved captchas...

ouch...






Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sat, 2008-08-30 at 15:02 +0100, Stut wrote:
> On 30 Aug 2008, at 14:05, tedd wrote:
> > At 11:39 PM +0200 8/29/08, Jochem Maas wrote:
> >> I think both tedd and Stut make good points, I guess we'll all be
> >> hacking away at such issues for a long time to come.
> >
> > That's the nature of the beast (no not Stut!)
> 
> I am Stut - hear me Roar!!
> 
> CAPTCHA's are not a magic bullet, and I'm definitely of the opinion no  
> such bullet exists. Each problem is different and we need to think  
> about them differently. We all know there has to be a better way, and  
> I think we all agree that if possible we wouldn't be using them at  
> all. However, while we must recognise that each site we create will  
> present different opportunities for validating UGC without needing to  
> "fall back" to CAPTCHA's we must also recognise that CAPTCHA's work to  
> a certain extent and should not be avoided simply because they're not  
> perfect.
> 
> I can't remember who said it and I apologise for that, but someone  
> mentioned that the person who comes up with a better replacement for  
> CAPTCHA's will make billions. Unfortunately this is not true. Any idea  
> that has the potential to change the way the world works or plays will  
> not reach that potential if it comes with prohibitive licenses or  
> royalty fees attached. If it works make it free or adoption will be  
> severely restricted which makes it essentially worthless.
> 
> That's all I've got to say about that.

Unfortunately I see a convergence of conventional email spam
technologies and online web form spam technologies. Basically this means
wasted time and computer energy filtering out all the crap. As Stut has
pointed out already, the best filter for spam I've encountered is to
reject posts with links :/ Another approach in a similar vein is to
calculate the link to non-link content ratio. I've noticed most spammers
just post a block of links or a single link without any content.
Unfortunately, ratio measuring will not be a lasting measure for
reducing spam and we may end up employing full on measures of the likes
of spamassassin once CAPTCHA becomes more weak to automated attacks.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sat, 2008-08-30 at 10:17 -0400, tedd wrote:
> At 3:27 PM +0200 8/30/08, Jochem Maas wrote:
> >
> >2. you can't shut him down either, he doesn't have an off button.
> 
> Yeah, he's a lot like his blow-up dolls except you can't deflate him.  :-)

WHOOA... "my" blow-up dolls? Since when did they become
mine? I expressly said I was just borrowing them from you.

:)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sat, 2008-08-30 at 19:22 +0200, Jochem Maas wrote:
> tedd schreef:
> > At 3:25 PM +0100 8/30/08, Stut wrote:
> >> in the meantime I stand by my assertion that a 'phone number people 
> >> can call with any type of telephone to interact with another human who 
> >> can get them past the check without compromising the protection the 
> >> check affords is ultimate accessibility.
> > 
> > Well, even you can't be right all of the time.  :-)
> > 
> > That's not bad out of all we discussed to have only one difference of 
> > opinion.
> 
> obviously Cummings' brainwashing program is not 100% effective ;-)

It all began to fall apart when they refused to look into my eyes while
I waved my hands around and used a low monotone voice.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Diogo Neves
Well, I don't know how, but google folks @ gmail are doing a great job
with anti-spam technology... I believe that it has something to do with
the massive user base that can more accurately say what is spam and
blacklist it plus misspelling 'spam' words and the original ones, plus
that '1000's from the same guy with same content' wow.

I really get so much less spam compared with all other webmail clients...
I love gmail :)

On Sun, Aug 31, 2008 at 10:42 AM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> On Sat, 2008-08-30 at 19:22 +0200, Jochem Maas wrote:
>> tedd schreef:
>> > At 3:25 PM +0100 8/30/08, Stut wrote:
>> >> in the meantime I stand by my assertion that a 'phone number people
>> >> can call with any type of telephone to interact with another human who
>> >> can get them past the check without compromising the protection the
>> >> check affords is ultimate accessibility.
>> >
>> > Well, even you can't be right all of the time.  :-)
>> >
>> > That's not bad out of all we discussed to have only one difference of
>> > opinion.
>>
>> obviously Cummings' brainwashing program is not 100% effective ;-)
>
> It all began to fall apart when they refused to look into my eyes while
> I waved my hands around and used a low monotone voice.
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

-- 
Thanks for your attention,

Diogo Neves
Web Developer @ SAPO.pt by PrimeIT.pt




Re: [PHP] ASCII Captcha

2008-08-31 Thread Ross McKay
On Sun, 31 Aug 2008 05:35:42 -0400, Robert Cummings wrote:

>[...] As Stut has
>pointed out already, the best filter for spam I've encountered is to
>reject posts with links :/

This also is what works for me. However, this is for commercial
websites, not blogs / forums, so links are not expected in posts to
these websites. If they were, well... :/
-- 
Ross McKay, Toronto, NSW Australia
"The chief cause of problems is solutions" -Eric Sevareid




Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sun, 2008-08-31 at 10:58 +0100, Diogo Neves wrote:
> Well, I don't know how, but google folks @ gmail are doing a great job
> with anti-spam technology... I believe that it has something to do with
> the massive user base that can more accurately say what is spam and
> blacklist it plus misspelling 'spam' words and the original ones, plus
> that '1000's from the same guy with same content' wow.
> 
> I really get so much less spam compared with all other webmail clients...
> I love gmail :)

I think you hit the nail on the head though when you mention massive
user base. Probably at the outset of a spam campaign a bunch of users
get the spam, flag it as spam and then google just marks the rest as
spam for the several other million users :)

That said, gmail isn't perfect either which indicates a measure of the
difficulty of this problem.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Diogo Neves
Maybe a protocol of SPAM notifications can do da trick...
Something like a system, more or less central that smtp servers should
use to exchange information about SPAM, like that u get not only the
gmail base, but a yet bigger set of it... that would do the trick,
and possibly take the internet routers down :)
And even with a more global system it would not be perfect, but @
least I only should need to mark 2/3 mails as spam a day, instead of
10, and with other web clients 100 or more...
Maybe google wanna do it in its 'we are the good folks, not the biggest
monopoly on da world' opensource development... ;)

On Sun, Aug 31, 2008 at 11:26 AM, Robert Cummings <[EMAIL PROTECTED]> wrote:
> On Sun, 2008-08-31 at 10:58 +0100, Diogo Neves wrote:
>> Well, I don't know how, but google folks @ gmail are doing a great job
>> with anti-spam technology... I believe that it has something to do with
>> the massive user base that can more accurately say what is spam and
>> blacklist it plus misspelling 'spam' words and the original ones, plus
>> that '1000's from the same guy with same content' wow.
>>
>> I really get so much less spam compared with all other webmail clients...
>> I love gmail :)
>
> I think you hit the nail on the head though when you mention massive
> user base. Probably at the outset of a spam campaign a bunch of users
> get the spam, flag it as spam and then google just marks the rest as
> spam for the several other million users :)
>
> That said, gmail isn't perfect either which indicates a measure of the
> difficulty of this problem.
>
> Cheers,
> Rob.
> --
> http://www.interjinn.com
> Application and Templating Framework for PHP
>
>



-- 
Thanks for your attention,

Diogo Neves
Web Developer @ SAPO.pt by PrimeIT.pt




Re: [PHP] ASCII Captcha

2008-08-31 Thread tedd

At 9:52 AM +0300 8/31/08, Sancar Saran wrote:

http://blogs.zdnet.com/security/?p=1835


That was great.

Human captcha resolvers.

$2 per 1000 resolved captchas...

ouch...



At least I know where I can find work.  :-)

Just an example of how the human element can out-smart itself.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-31 Thread tedd

At 5:35 AM -0400 8/31/08, Robert Cummings wrote:

 and we may end up employing full on measures of the likes
of spamassassin once CAPTCHA becomes more weak to automated attacks.

Cheers,
Rob.



Agreed -- that's where I think this is all going.

The CAPTCHA solution is not THE solution and its effectiveness is 
reducing every day. That's the reason why I've turned my attention to 
posts analysis.


It's not so much identifying IF the post is human but rather is it automated?

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-31 Thread tedd

At 5:39 AM -0400 8/31/08, Robert Cummings wrote:

On Sat, 2008-08-30 at 10:17 -0400, tedd wrote:

 At 3:27 PM +0200 8/30/08, Jochem Maas wrote:
 >
 >2. you can't shut him down either, he doesn't have an off button.

 Yeah, he's a lot like his blow-up dolls except you can't deflate him.  :-)


WHOOA... "my" blow-up dolls? Since when did they become
mine? I expressly said I was just borrowing them from you.

:)


Yes, but you never give them back!  :-)

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-31 Thread tedd

At 10:58 AM +0100 8/31/08, Diogo Neves wrote:

Well, I don't know how, but google folks @ gmail are doing a great job
with anti-spam technology... I believe that it has something to do with
the massive user base that can more accurately say what is spam and
blacklist it plus misspelling 'spam' words and the original ones, plus
that '1000's from the same guy with same content' wow.

I really get so much less spam compared with all other webmail clients...
I love gmail :)


I like the idea behind spamcop

If you're a member, like I am, you can report the spam you receive.

Those reports go into making a spam filter by which all subscribers 
can pass their email through.


It's like an ever-changing and constantly-improving spam filter.

It would be nice if organizations like that also provided a service 
we could use instead of a Captcha.


Just food for thought.

Cheers,

tedd



--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sun, 2008-08-31 at 10:46 -0400, tedd wrote:
> At 5:39 AM -0400 8/31/08, Robert Cummings wrote:
> >On Sat, 2008-08-30 at 10:17 -0400, tedd wrote:
> >>  At 3:27 PM +0200 8/30/08, Jochem Maas wrote:
> >>  >
> >>  >2. you can't shut him down either, he doesn't have an off button.
> >>
> >>  Yeah, he's a lot like his blow-up dolls except you can't deflate him.  :-)
> >
> >WHOOA... "my" blow-up dolls? Since when did they become
> >mine? I expressly said I was just borrowing them from you.
> >
> >:)
> 
> Yes, but you never give them back!  :-)

I gave them back... Jochem came by on Wednesday to pick them up for you.

>:)

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Eric Butera
I guess I'll chime in with my experience on this problem.  For the
past 2 years I've been using a form processor script I wrote on all
the client sites for my company.  I developed it at first to handle a
simple set of functionality that hit 90% of the requirements of
contact forms.  It can handle any input field and will send emails,
log the results, or anything else you want with a simple plugin hook
architecture.  It is deployed on hundreds of contact forms across
dozens of different websites.

I'm happy to report that most of the spam across the board has been
stopped.  All without a single CAPTCHA.  When we spot a problem, I can
update our one form processor and then all of the scripts are
protected against the new attack vector.  Plus when there is a very
specific case I can use the plugin setup to really get specific in my
rules.

Here are some of the concepts that it employs.  Please keep in mind
none of this is 100% and each can be easily bypassed, but together
they are fairly good.  If a human is doing the spam manually, then
there's nothing you can do. :)  Also it should be noted that if any of
these requirements fail, then I simply re-display the form with a
message that explains why to the user so that legitimate users will
see what went wrong.  Again this aids in allowing spammers to find a
way around, but that is always our burden.

Valid Email
I require an email address in a specific input field and use the
PEAR_Validate function to validate the existence of the domain name.
Also there is another thing where I can say do not allow email from
this domain as some spam software will auto fill in the current
hostname.

Honey Pots
This is a two step process.  First I have a hidden form field that has
a specific value in it.  If this value is tampered with, then I reject
the form.  The second form field is inside of an html comment.  If
that value is posted, then I reject the form since it shouldn't exist.

Blacklisting
There are a key set of words that I block.
array('to:','from:','cc:','bcc:','href=','url=')

Require Cookies/Sessions
Most spamming programs I've seen are stateless.  So by simply
requiring it accept a cookie foils quite a bit of them.

Max @ limit
Another little trick is to limit the number of @ characters that can
exist within the contents of the post variables.  This catches quite a
few submissions.

Define form fields
An optional feature is to enable something to define each input field
that should exist in the post array.  Then when the form is posted I
check the defined post array against what has been posted.  If there
are extra post fields, then I re-display the form since it is probably
a spam bot just blanket testing forms.


One thing to keep in mind is that this is in use across a lot of
different sites.  Not one specific type of site or service is in use
here.  Perhaps if someone had more incentive to crack on one of our
forms I'd have more issues.  It is hard to say.  All I know is that it
has worked really well for my needs, maybe it'll work for someone else
too.
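
The checks listed in the message above, together with the link-to-content ratio Robert Cummings mentions earlier in the thread, combined into one PHP function. This is an added example, not the form processor the post describes: the field names, thresholds and sample posts are constructed, and the domain-existence lookup is left out so it runs offline.

```php
<?php
declare(strict_types=1);

// All names, values and thresholds below are constructed for this example.
const EXPECTED_FIELDS = ['name', 'email', 'message', 'hp_token'];
const HONEYPOT_VALUE  = 'keep-this-value'; // hidden field, must return unchanged
const COMMENTED_FIELD = 'website';         // only exists inside an HTML comment
const BLOCKED_TOKENS  = ['to:', 'from:', 'cc:', 'bcc:', 'href=', 'url='];
const MAX_AT_SIGNS    = 2;                 // sender address plus one in the text
const MAX_LINK_RATIO  = 0.5;               // assumed cut-off for "mostly links"
const BLOCKED_DOMAINS = ['shop.example'];  // stands in for the site's own hostname

/** Fraction of the text (0.0 to 1.0) that consists of URLs. */
function linkRatio(string $text): float
{
    $text = trim($text);
    if ($text === '') {
        return 0.0;
    }
    preg_match_all('~(?:https?://|www\.)\S+~i', $text, $matches);
    return array_sum(array_map('strlen', $matches[0])) / strlen($text);
}

/**
 * Returns the reasons to re-display the form; an empty array means accept.
 * $hasSession: did the session cookie set with the form come back?
 */
function checkSubmission(array $post, bool $hasSession): array
{
    $reasons = [];
    if (!$hasSession) {
        $reasons[] = 'session cookie missing';
    }
    // Honey pot 1: the hidden field must carry its original value.
    if (($post['hp_token'] ?? null) !== HONEYPOT_VALUE) {
        $reasons[] = 'hidden field changed';
    }
    // Honey pot 2: a field that only exists in an HTML comment was posted.
    if (array_key_exists(COMMENTED_FIELD, $post)) {
        $reasons[] = 'commented-out field posted';
    }
    // Defined fields: anything the form never contained.
    $extra = array_diff(array_keys($post), EXPECTED_FIELDS, [COMMENTED_FIELD]);
    if ($extra) {
        $reasons[] = 'unexpected fields: ' . implode(', ', $extra);
    }
    // Arrays (field[]=...) are never sent by this form; scan strings only.
    $strings = array_filter($post, 'is_string');
    if (count($strings) !== count($post)) {
        $reasons[] = 'non-string field value';
    }
    $haystack = strtolower(implode("\n", $strings));
    // Blacklist: plain substring match, so "photo:" also trips "to:".
    foreach (BLOCKED_TOKENS as $token) {
        if (strpos($haystack, $token) !== false) {
            $reasons[] = "blocked token: $token";
        }
    }
    if (substr_count($haystack, '@') > MAX_AT_SIGNS) {
        $reasons[] = 'too many @ characters';
    }
    // Valid email: syntax and blocked domains only; a DNS lookup of the
    // domain would go here and is omitted so the example runs offline.
    $email = $strings['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid email address';
    } elseif (in_array(strtolower(substr(strrchr($email, '@'), 1)), BLOCKED_DOMAINS, true)) {
        $reasons[] = 'email from blocked domain';
    }
    if (linkRatio($strings['message'] ?? '') > MAX_LINK_RATIO) {
        $reasons[] = 'message is mostly links';
    }
    return $reasons;
}

// Constructed sample posts: [fields, session cookie present?]
$samples = [
    'visitor' => [[
        'name'     => 'Ana Pereira',
        'email'    => 'ana@mail.example',
        'message'  => 'Hi, could you send me a quote for the garden work? Thanks.',
        'hp_token' => HONEYPOT_VALUE,
    ], true],
    'bot' => [[
        'name'     => 'x',
        'email'    => 'promo@shop.example',
        'message'  => 'http://spam.example/a http://spam.example/b',
        'hp_token' => '',
        'website'  => 'http://spam.example',
        'subject'  => "hello\nbcc: a@b.example, c@d.example",
    ], false],
];

foreach ($samples as $label => [$post, $hasSession]) {
    $reasons = checkSubmission($post, $hasSession);
    echo $label, ': ', $reasons ? 'reject (' . implode('; ', $reasons) . ')' : 'accept', "\n";
}
```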




Re: [PHP] ASCII Captcha

2008-08-31 Thread Stut

Good points all, but I'd add two more from my own collection...

Field names
Don't name fields things like name, email, address, postcode, message,  
etc. Instead name them a, b, c, d, e, etc but name your hidden field  
email. That should provoke most bots into changing that value and  
leaves others unsure what to put where so they ignore the form.


Time it
If you have a session or cookies available, store the time that you  
displayed the form and check to see how long it took the "user" to  
submit it. If it's less than a couple of seconds you can bet it's a bot.


-Stut

On 31 Aug 2008, at 18:25, Eric Butera wrote:


I guess I'll chime in with my experience on this problem.  For the
past 2 years I've been using a form processor script I wrote on all
the client sites for my company.  I developed it at first to handle a
simple set of functionality that hit 90% of the requirements of
contact forms.  It can handle any input field and will send emails,
log the results, or anything else you want with a simple plugin hook
architecture.  It is deployed on hundreds of contact forms across
dozens of different websites.

I'm happy to report that most of the spam across the board has been
stopped.  All without a single CAPTCHA.  When we spot a problem, I can
update our one form processor and then all of the scripts are
protected against the new attack vector.  Plus when there is a very
specific case I can use the plugin setup to really get specific in my
rules.

Here are some of the concepts that it employs.  Please keep in mind
none of this is a 100% and each can be easily bypassed, but together
they are fairly good.  If a human is doing the spam manually, then
there's nothing you can do. :)  Also it should be noted that if any of
these requirements fail, then I simply re-display the form with a
message that explains why to the user so that legitimate users will
see what went wrong.  Again this aids in allowing spammers to find a
way around, but that is always our burden.

Valid Email
I require an email address in a specific input field and use the
PEAR_Validate function to validate the existence of the domain name.
Also there is another thing where I can say do not allow email from
this domain as some spam software will auto fill in the current
hostname.

Honey Pots
This is a two step process.  First I have a hidden form field that has
a specific value in it.  If this value is tampered with, then I reject
the form.  The second form field is inside of an html comment.  If
that value is posted, then I reject the form since it shouldn't exist.

Blacklisting
There are a key set of words that I block.
array('to:','from:','cc:','bcc:','href=','url=')

Require Cookies/Sessions
Most spamming programs I've seen are stateless.  So by simply
requiring it accept a cookie foils quite a bit of them.

Max @ limit
Another little trick is to limit the number of @ characters that can
exist within the contents of the post variables.  This catches quite a
few submissions.

Define form fields
An optional feature is to enable something to define each input field
that should exist in the post array.  Then when the form is posted I
check the defined post array against what has been posted.  If there
are extra post fields, then I re-display the form since it is probably
a spam bot just blanket testing forms.


One thing to keep in mind is that this is in use across a lot of
different sites.  Not one specific type of site or service is in use
here.  Perhaps if someone had more incentive to crack on one of our
forms I'd have more issues.  It is hard to say.  All I know is that it
has worked really well for my needs, maybe it'll work for someone else
too.




--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-31 Thread Robert Cummings
On Sun, 2008-08-31 at 18:49 +0100, Stut wrote:
> Good points all, but I'd add two more from my own collection...
> 
> Field names
> Don't name fields things like name, email, address, postcode, message,  
> etc. Instead name them a, b, c, d, e, etc but name your hidden field  
> email. That should provoke most bots into changing that value and  
> leaves others unsure what to put where so they ignore the form.

Following along with Stut's comment... another thing might be to create
a session based randomizer for field names. Then map the random
generated field names to the real field names internally. This would be
difficult for those manually creating forms, but I'd imagine any kind of
form management class like my own could do this transparently.

BTW, something I've noticed in a few sites where I do spam filtering
(and forward myself the spam submission) is that some crappy bots will
even stick URLs in fields like the zip code, or name.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP





Re: [PHP] ASCII Captcha

2008-08-31 Thread Eric Butera
On Sun, Aug 31, 2008 at 1:49 PM, Stut <[EMAIL PROTECTED]> wrote:
> Good points all, but I'd add two more from my own collection...
>
> Field names
> Don't name fields things like name, email, address, postcode, message, etc.
> Instead name them a, b, c, d, e, etc but name your hidden field email. That
> should provoke most bots into changing that value and leaves others unsure
> what to put where so they ignore the form.
This one would be a little difficult for the team I work with.
Basically I do all back-end type stuff and show front-end people how
to do stuff.  The front end team uses Dreamweaver for doing all their
design, etc.  I'm not really into making more work for myself than I
need to.  ;)  Perhaps a little output buffer/using dom to manipulate
the names could work so it is transparent to the team.  I'd have to
give this a little more thought.  Perhaps this could just be a
technique on the more popular sites that get spammed more.  At least
the idea is in my head moving forward.

>
> Time it
> If you have a session or cookies available, store the time that you displayed
> the form and check to see how long it took the "user" to submit it. If it's
> less than a couple of seconds you can bet it's a bot.
That is a great idea and I'll see what I can do to put this into the
code.  Should be easy enough.

Thanks for the tips!

>
> -Stut
>
> On 31 Aug 2008, at 18:25, Eric Butera wrote:
>
>> I guess I'll chime in with my experience on this problem.  For the
>> past 2 years I've been using a form processor script I wrote on all
>> the client sites for my company.  I developed it at first to handle a
>> simple set of functionality that hit 90% of the requirements of
>> contact forms.  It can handle any input field and will send emails,
>> log the results, or anything else you want with a simple plugin hook
>> architecture.  It is deployed on hundreds of contact forms across
>> dozens of different websites.
>>
>> I'm happy to report that most of the spam across the board has been
>> stopped.  All without a single CAPTCHA.  When we spot a problem, I can
>> update our one form processor and then all of the scripts are
>> protected against the new attack vector.  Plus when there is a very
>> specific case I can use the plugin setup to really get specific in my
>> rules.
>>
>> Here are some of the concepts that it employs.  Please keep in mind
>> none of this is a 100% and each can be easily bypassed, but together
>> they are fairly good.  If a human is doing the spam manually, then
>> there's nothing you can do. :)  Also it should be noted that if any of
>> these requirements fail, then I simply re-display the form with a
>> message that explains why to the user so that legitimate users will
>> see what went wrong.  Again this aids in allowing spammers to find a
>> way around, but that is always our burden.
>>
>> Valid Email
>> I require an email address in a specific input field and use the
>> PEAR_Validate function to validate the existence of the domain name.
>> Also there is another thing where I can say do not allow email from
>> this domain as some spam software will auto fill in the current
>> hostname.
>>
>> Honey Pots
>> This is a two step process.  First I have a hidden form field that has
>> a specific value in it.  If this value is tampered with, then I reject
>> the form.  The second form field is inside of an html comment.  If
>> that value is posted, then I reject the form since it shouldn't exist.
>>
>> Blacklisting
>> There are a key set of words that I block.
>> array('to:','from:','cc:','bcc:','href=','url=')
>>
>> Require Cookies/Sessions
>> Most spamming programs I've seen are stateless.  So by simply
>> requiring it accept a cookie foils quite a bit of them.
>>
>> Max @ limit
>> Another little trick is to limit the number of @ characters that can
>> exist within the contents of the post variables.  This catches quite a
>> few submissions.
>>
>> Define form fields
>> An optional feature is to enable something to define each input field
>> that should exist in the post array.  Then when the form is posted I
>> check the defined post array against what has been posted.  If there
>> are extra post fields, then I re-display the form since it is probably
>> a spam bot just blanket testing forms.
>>
>>
>> One thing to keep in mind is that this is in use across a lot of
>> different sites.  Not one specific type of site or service is in use
>> here.  Perhaps if someone had more incentive to crack on one of our
>> forms I'd have more issues.  It is hard to say.  All I know is that it
>> has worked really well for my needs, maybe it'll work for someone else
>> too.
>>
>>
>
> --
> http://stut.net/
>




Re: [PHP] ASCII Captcha

2008-08-31 Thread Jochem Maas

tedd wrote:

At 10:58 AM +0100 8/31/08, Diogo Neves wrote:

Well, I don't know how, but google folks @ gmail are doing a great job
with anti-spam technology... I believe that it has something to do with
the massive user base that can more accurately say what is spam and
blacklist it plus misspelling 'spam' words and the original ones, plus
that '1000's from the same guy with same content' wow.

I really get so less spam comparing with all other webmail clients...
I love gmail :)


I like the idea behind spamcop


spamcop has ideological issues in much the same vein as
anti-virus software makers.

watch the multi-billion dollar anti-virus market evaporate if
virus ever became past tense. if I was raking in billions on
AV software I'd likely have a big-ass slush fund to prop up
starving VX writers ... tell me every global corporation doesn't
have a slush fund for off-the-books transactions :-)

Also spamcop is in the position of completely outcasting legit
businesses ... in fact I read about them blacklisting a german
anti-spam outfit years ago, basically because of difference of opinion.
this feels rather like google+adwords can completely destroy
anyone's online presence if they want (and also competitors
can game the system to screw each other).

I don't believe this kind of thing should be in the hands of
commercial entities, much like I don't believe that the US government
should 'control' the internet (yes I know they ceded control to their
sock puppet ICANN, but I don't feel that changes anything in a fundamental
way)


If you're a member, like I am, you can report the spam you receive.

Those reports go into making a spam filter by which all subscribers can 
pass their email through.


It's like an ever-changing and constantly-improving spam filter.

It would be nice if organizations like that also provided a service we 
could use instead of a Captcha.


Just food for thought.

Cheers,

tedd









Re: [PHP] ASCII Captcha

2008-08-31 Thread Jochem Maas

Robert Cummings wrote:

On Sun, 2008-08-31 at 10:46 -0400, tedd wrote:

At 5:39 AM -0400 8/31/08, Robert Cummings wrote:

On Sat, 2008-08-30 at 10:17 -0400, tedd wrote:

 At 3:27 PM +0200 8/30/08, Jochem Maas wrote:
 >
 >2. you can't shut him down either, he doesn't have an off button.

 Yeah, he's a lot like his blow-up dolls except you can't deflate him.  :-)

WHOOA... "my" blow-up dolls? Since when did they become
mine? I expressly said I was just borrowing them from you.

:)

Yes, but you never give them back!  :-)


I gave them back... Jochem came by on Wednesday to pick them up for you.


and I got mugged on the way over by some guy called Stut ... no idea
what he wanted with tedd blow-up dolls though.

btw having 1 blow-up doll is bad enough, having a whole troop of them,
that's plain scary.




:)


Cheers,
Rob.






Re: [PHP] ASCII Captcha

2008-08-31 Thread Jochem Maas

Stut wrote:

Good points all, but I'd add two more from my own collection...


nice posts, both of you! it's time I rewrote my general form submission
routines ... I'll be taking all your suggestions and putting them into
practice (in so far as I don't do so already).

free specs for better code, nice :-)

I have another trick to add, off the top of my head: namely checking all
submittable field values for the existence of things that look like email headers
(for those bots that try to mass-spam via header injection), no real
user will ever send you a comment (or anything else) that contains email
headers as legit content ... if you ask me anyway.



Field names
Don't name fields things like name, email, address, postcode, message, 
etc. Instead name them a, b, c, d, e, etc but name your hidden field 
email. That should provoke most bots into changing that value and leaves 
others unsure what to put where so they ignore the form.


Time it
If you have a session or cookies available, store the time that you 
displayed the form and check to see how long it took the "user" to 
submit it. If it's less than a couple of seconds you can bet it's a bot.


-Stut

On 31 Aug 2008, at 18:25, Eric Butera wrote:


I guess I'll chime in with my experience on this problem.  For the
past 2 years I've been using a form processor script I wrote on all
the client sites for my company.  I developed it at first to handle a
simple set of functionality that hit 90% of the requirements of
contact forms.  It can handle any input field and will send emails,
log the results, or anything else you want with a simple plugin hook
architecture.  It is deployed on hundreds of contact forms across
dozens of different websites.

I'm happy to report that most of the spam across the board has been
stopped.  All without a single CAPTCHA.  When we spot a problem, I can
update our one form processor and then all of the scripts are
protected against the new attack vector.  Plus when there is a very
specific case I can use the plugin setup to really get specific in my
rules.

Here are some of the concepts that it employs.  Please keep in mind
none of this is a 100% and each can be easily bypassed, but together
they are fairly good.  If a human is doing the spam manually, then
there's nothing you can do. :)  Also it should be noted that if any of
these requirements fail, then I simply re-display the form with a
message that explains why to the user so that legitimate users will
see what went wrong.  Again this aids in allowing spammers to find a
way around, but that is always our burden.

Valid Email
I require an email address in a specific input field and use the
PEAR_Validate function to validate the existence of the domain name.
Also there is another thing where I can say do not allow email from
this domain as some spam software will auto fill in the current
hostname.

Honey Pots
This is a two step process.  First I have a hidden form field that has
a specific value in it.  If this value is tampered with, then I reject
the form.  The second form field is inside of an html comment.  If
that value is posted, then I reject the form since it shouldn't exist.

Blacklisting
There are a key set of words that I block.
array('to:','from:','cc:','bcc:','href=','url=')

Require Cookies/Sessions
Most spamming programs I've seen are stateless.  So by simply
requiring it accept a cookie foils quite a bit of them.

Max @ limit
Another little trick is to limit the number of @ characters that can
exist within the contents of the post variables.  This catches quite a
few submissions.

Define form fields
An optional feature is to enable something to define each input field
that should exist in the post array.  Then when the form is posted I
check the defined post array against what has been posted.  If there
are extra post fields, then I re-display the form since it is probably
a spam bot just blanket testing forms.


One thing to keep in mind is that this is in use across a lot of
different sites.  Not one specific type of site or service is in use
here.  Perhaps if someone had more incentive to crack on one of our
forms I'd have more issues.  It is hard to say.  All I know is that it
has worked really well for my needs, maybe it'll work for someone else
too.







--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
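
The checks discussed in this thread (Eric Butera's list, Stut's timing check and Jochem Maas's mail-header check) combined into one PHP function, as an added example that is not code posted by any participant. It assumes PHP 7 or later; the field names, token value, thresholds and both sample submissions are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Field names, token value and
// thresholds are assumptions; the blocked-word list is the one quoted above.
const BLOCKED_WORDS = ['to:', 'from:', 'cc:', 'bcc:', 'href=', 'url='];
const HEADER_LINE = '/^\s*(to|from|cc|bcc|subject|reply-to|content-type)\s*:/mi';

/**
 * Returns the reasons to re-display the form; an empty array means accept.
 * $session holds what the server stored when it rendered the form.
 */
function screen_submission(array $post, array $session, array $cfg, int $now): array
{
    // Require cookies/sessions: a stateless client has no render record.
    if (!isset($session['rendered_at'])) {
        return ['no session for this form'];
    }
    $reasons = [];
    // Time it: submitted faster than a person could fill the form in.
    if ($now - $session['rendered_at'] < $cfg['min_seconds']) {
        $reasons[] = 'submitted too quickly';
    }
    // Define form fields: anything outside the declared set is suspect.
    $known = array_merge($cfg['fields'], [$cfg['token_field'], $cfg['trap_field']]);
    $extra = array_diff(array_keys($post), $known);
    if ($extra) {
        $reasons[] = 'unexpected field(s): ' . implode(', ', $extra);
    }
    // Honey pots: the hidden token must come back untouched, and the field
    // that only exists inside an HTML comment must never be posted.
    if (($post[$cfg['token_field']] ?? null) !== $cfg['token_value']) {
        $reasons[] = 'hidden field tampered with';
    }
    if (array_key_exists($cfg['trap_field'], $post)) {
        $reasons[] = 'comment-only field was posted';
    }
    $at_signs = 0;
    foreach ($post as $name => $value) {
        if (!is_string($value)) {            // e.g. name[]=x arrives as an array
            $reasons[] = "non-string value in $name";
            continue;
        }
        $at_signs += substr_count($value, '@');
        // Blacklisting: case-insensitive substring match on every value.
        foreach (BLOCKED_WORDS as $word) {
            if (stripos($value, $word) !== false) {
                $reasons[] = "blocked word '$word' in $name";
            }
        }
        // Header check: a line break in a single-line field, or a line that
        // starts like a mail header in any field.
        $single_line = !in_array($name, $cfg['multiline'], true);
        if (($single_line && preg_match('/[\r\n]/', $value))
            || preg_match(HEADER_LINE, $value)) {
            $reasons[] = "mail header pattern in $name";
        }
    }
    // Max @ limit, counted across all posted values.
    if ($at_signs > $cfg['max_at']) {
        $reasons[] = "too many @ characters ($at_signs)";
    }
    return $reasons;
}

// Constructed configuration and submissions.
$cfg = ['fields' => ['name', 'email', 'message'], 'multiline' => ['message'],
        'token_field' => 'form_id', 'token_value' => 'contact-v1',
        'trap_field' => 'website', 'min_seconds' => 2, 'max_at' => 2];
$session = ['rendered_at' => 1000];
$human = ['name' => 'Ann', 'email' => 'ann@example.org',
          'message' => "Hello,\nplease call me back.", 'form_id' => 'contact-v1'];
$bot = ['name' => "x\r\nBcc: a@example.net, b@example.net", 'email' => 'c@example.net',
        'message' => 'cheap pills href=http://example.invalid', 'form_id' => '1',
        'website' => 'http://example.invalid', 'zip' => 'http://example.invalid'];

print_r(screen_submission($human, $session, $cfg, 1030));
print_r(screen_submission($bot, $session, $cfg, 1000));
```

Because the blocked words are matched as substrings, a legitimate message containing text such as "photo:" is also rejected, which is why the thread's approach of re-displaying the form with the reason matters.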



Re: [PHP] ASCII Captcha

2008-08-31 Thread Stut

On 31 Aug 2008, at 22:17, Jochem Maas wrote:

Robert Cummings wrote:

On Sun, 2008-08-31 at 10:46 -0400, tedd wrote:

At 5:39 AM -0400 8/31/08, Robert Cummings wrote:

On Sat, 2008-08-30 at 10:17 -0400, tedd wrote:

At 3:27 PM +0200 8/30/08, Jochem Maas wrote:
>
>2. you can't shut him down either, he doesn't have an off button.

Yeah, he's a lot like his blow-up dolls except you can't deflate  
him.  :-)

WHOOA... "my" blow-up dolls? Since when did they become
mine? I expressly said I was just borrowing them from you.

:)

Yes, but you never give them back!  :-)
I gave them back... Jochem came by on Wednesday to pick them up for  
you.


and I got mugged on the way over by some guy called Stut ... no idea
what he wanted with tedd blow-up dolls though.

btw having 1 blow-up doll is bad enough, having a whole troop of them,
that's plain scary.


That's the idea, they're for my army. I'm taking on Dr Horrible and  
he'll never see this one cumming!!


-Stut

--
http://stut.net/




Re: [PHP] ASCII Captcha

2008-08-31 Thread Ross McKay
On Sun, 31 Aug 2008 13:25:52 -0400, Eric Butera wrote:

>[...]
>Honey Pots
>This is a two step process.  First I have a hidden form field that has
>a specific value in it.  If this value is tampered with, then I reject
>the form.  The second form field is inside of an html comment.  If
>that value is posted, then I reject the form since it shouldn't exist.

Nice idea, I'll try that one. Have not heard of any customers with
problems lately, but it happens from time to time... this sounds like a
good buster for automated spam injectors.

thanks!
-- 
Ross McKay, Toronto, NSW Australia
"Before enlightenment: chop wood, carry water;
 After enlightenment: chop wood, carry water" - Wu Li




Re: [PHP] ASCII Captcha

2008-08-31 Thread Ross McKay
On Sun, 31 Aug 2008 18:49:15 +0100, Stut wrote:

>Field names
>Don't name fields things like name, email, address, postcode, message,  
>etc. Instead name them a, b, c, d, e, etc but name your hidden field  
>email. That should provoke most bots into changing that value and  
>leaves others unsure what to put where so they ignore the form.

The downside of this one is that auto-fill in Firefox will not know how
to populate an email field, a name field, and address field, etc. so
these frequently typed fields will need to be entered by a (now
aggravated) visitor who normally gets to just press down arrow, tab.
-- 
Ross McKay, Toronto, NSW Australia
"It doesn't matter if the Rock wants to go get diamond rings or not!"
- The Rock




Re: [PHP] ASCII Captcha

2008-08-31 Thread Jochem Maas

Ross McKay wrote:

On Sun, 31 Aug 2008 18:49:15 +0100, Stut wrote:


Field names
Don't name fields things like name, email, address, postcode, message,  
etc. Instead name them a, b, c, d, e, etc but name your hidden field  
email. That should provoke most bots into changing that value and  
leaves others unsure what to put where so they ignore the form.


The downside of this one is that auto-fill in Firefox will not know how
to populate an email field, a name field, and address field, etc. so
these frequently typed fields will need to be entered by a (now
aggravated) visitor who normally gets to just press down arrow, tab.


any idea as to whether auto-fill can recognize stuff like:

foo[email] or email[foo] or email_foo

and fill them appropriately? if auto-fillers are generally that smart,
then one could obfuscate the field names (even bind them to the user session)
by replacing 'foo' with some dynamic string, without breaking autofill

... me I like to have my cake and eat. ;-)






Re: [PHP] ASCII Captcha

2008-08-31 Thread Ross McKay
Jochem Maas wrote:

>any idea as to whether auto-fill can recognize stuff like:
>
>   foo[email] or email[foo] or email_foo
>[...]

AFAIK, the auto-fill form stuff works off previously entered field
names. If a user enters their email address into a field called 'email'
on one site, then another site asks for 'email', Firefox will oblige by
remembering the email address(es) from previous entry.

Thus, if every form used 'foo[email]' then yes, it should work. 

But most forms use 'email', so that's what Firefox remembers.

>... me I like to have my cake and eat. ;-)

I've always thought cake was over-rated...
-- 
Ross McKay, Toronto, NSW Australia
"Read beans and rice, I could eat a plate twice" - Spearhead



