lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon Feb 13 06:09:45 2006
From: very at unprivate.com (php0t)
Subject: Comment Spam: new trends,
	failing counter-measures and why it's a big deal

> And a friend of mine has already written a PHP class using GD that can

> beat 80-90% of common CAPTCHA implementations.


  Interested. Further info? Any online implementation that I can feed
images / url's to and receive results?


> It's not a particularly complex algorithm.


  This is all relative. It's supposed to be complex enough for bots to
not be able to do, that was the whole point from the beginning.
Naturally, if you say there's an application that gets 80-90% of them,
we/they can just make more complex images / different approaches for
telling between people and humans. That PHP class you were talking about
may solve some commonly used Turing tests but are you really saying it's
the global solution against word recognition based challenges? If it was
like that, it would mean that there is no way anybody could make an
image generator that would change its success rate from 90% to 0%...


> What's to stop the spammers investing a little more money.


  Sure, they can always invest more money, but that's less profit.
Spammers want the best results investing the smallest amount of money,
it's just a question of balance. That's why for a spammer it makes sense
to focus on the most low-cost ways of promoting their sites / products.
If the bigger percentage of the problem is currently because of sites
using weaker Turing tests that a software can solve with such a high
success rate as you said (or - as it is usually the case - none at all),
we can make the situation better by using captcha-like implementations.
This is all I said, but you're both right about pointing out the
problems of spammers having money / using people, etc as well.

php0t

Powered by blists - more mailing lists