Building better CAPTCHA

This forum is now closed as part of retiring phpBB2.
Mondego
Registered User
Posts: 129
Joined: Sun Jan 23, 2005 1:24 am
Location: 127.0.0.1

Post by Mondego »

If you can somehow find a way to "verify" them as a certain user agent, such as find something a user agent has that a script wouldn't, and if true, display the image, then this could be a larger, and most importantly, a longer step in the right direction.

Your idea is still worth pursuing, because as this may not be a huge step, it can potentially be a long step ahead because if any newb hackers make attempts at it, they have more to worry about than a simple image to decode.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Yes...
Thank you for your descriptive answer, Mondego.
It is normal - you lock, they break.
But we never leave the door open :D

I still think that there is a way of beating the robots.
Nobody can make a robot think as a human.
It is something very simple that we must offer them to chew forever ;-)

Love to All :-)
Test TruBar in my test forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Heh-heh :D
Second disapprove for TruBar...

Well, maybe it is not that good...
Or it is potentially too good to wave around

What really got me in the answer of the MOD team is:
In the same vein: we are not sure how much you have contributed; the script seems to be largely identical to the original version mentioned in the author's notes.


8O

I haven't seen a MOD that is not largely identical to PHPBB2.
Somebody a few days ago pointed out to me that MOD is MODIFICATION of the code.
So is TruBar.

I'm done with the MOD submissions.

At the end I just want to leave here the two files for creating GD images:

AUTHORS code:


<?php 
//Generate Reference ID 
if (isset($HTTP_GET_VARS["refid"]) && $HTTP_GET_VARS["refid"]!="") { 
   $referenceid = stripslashes($HTTP_GET_VARS["refid"]); 
} else { 
   $referenceid = md5(mktime()*rand()); 
} 

//Select Font 
$font = "C:\WINDOWS\Fonts\Century.ttf"; 

//Select random background image 
$bgurl = rand(1, 3); 
$im = ImageCreateFromPNG("images/bg".$bgurl.".png"); 

//Generate the random string 
$chars = array("a","A","b","B","c","C","d","D","e","E","f","F","g", 
"G","h","H","i","I","j","J","k", 
"K","l","L","m","M","n","N","o","O","p","P","q","Q", 
"r","R","s","S","t","T","u","U","v", 
"V","w","W","x","X","y","Y","z","Z","1","2","3","4", 
"5","6","7","8","9"); 
$length = 8; 
$textstr = ""; 
for ($i=0; $i<$length; $i++) { 
   $textstr .= $chars[rand(0, count($chars)-1)]; 
} 

//Create random size, angle, and dark color 
$size = rand(12, 16); 
$angle = rand(-5, 5); 
$color = ImageColorAllocate($im, rand(0, 100), rand(0, 100), rand(0, 100)); 

//Determine text size, and use dimensions to generate x & y coordinates 
$textsize = imagettfbbox($size, $angle, $font, $textstr); 
$twidth = abs($textsize[2]-$textsize[0]); 
$theight = abs($textsize[5]-$textsize[3]); 
$x = (imagesx($im)/2)-($twidth/2)+(rand(-20, 20)); 
$y = (imagesy($im))-($theight/2); 

//Add text to image 
ImageTTFText($im, $size, $angle, $x, $y, $color, $font, $textstr); 

//Output PNG Image 
header("Content-Type: image/png"); 
ImagePNG($im); 

//Destroy the image to free memory 
imagedestroy($im); 

//Insert reference into database, and delete any old ones 
mysql_connect("localhost", "username", "password") or die(mysql_error()); 
mysql_select_db("dw_php"); 
//Create reference 
mysql_query("INSERT INTO security_images (insertdate, referenceid, hiddentext) VALUES ( 
now(), '".$referenceid."', '".$textstr."')"); 
//Delete references older than 1 day 
mysql_query("DELETE FROM security_images 
WHERE insertdate < date_sub(now(), interval 1 day)"); 

//End Output 
exit; 

?>
My modification of the code:


<?php 
/*Author Nathan Rohler (http://www.devshed.com/cp/bio/Nathan-Rohler/) */ 
/*Changes made by Truden (http://www.truden.com) */ 
  
//Generate Reference ID 
if (isset($HTTP_GET_VARS['refid']) && $HTTP_GET_VARS['refid']!="") { 
   $referenceid = stripslashes($HTTP_GET_VARS['refid']); 
} else { 
   $referenceid = md5(mktime()*rand()); 
} 

$pack = 0; //choose a pack (0 - skew letters, 1 - distort background) 

$fonturl = rand(1, 5); //5 is the number of the fonts. If you add new fonts, must do it in font and fonts directory and then change 5. 
$bgurl = rand(1, 6); //6 is the number of the background images. If you add new images, do it with two names (bd and bg) and then you can change 6. 
if ($pack == 0){ 
$font = "font/F".$fonturl.".TTF"; 
$im = ImageCreateFromPNG("images/bd".$bgurl.".png"); 
}else{ 
$font = "fonts/F".$fonturl.".TTF"; 
$im = ImageCreateFromPNG("images/bg".$bgurl.".png"); 
} 

//Generate the random string. You can take off some of the characters 

$chars = array("a","A","b","B","c","C","d","D","e","E","f","F","g","G", 
"h","H","i","j","J","k", 
"K","L","m","M","n","N","p","P","q","Q","r", 
"R","s","S","t","T","u","U","v", 
"V","w","W","x","X","y","Y","z","Z","2","3","4","5", 
"6","7","8","9"); 
$length = rand(5, 7); //choose length of the string - random between first and second number 
$textstr = ""; 
for ($i=0; $i<$length; $i++) { 
   $textstr .= $chars[rand(0, count($chars)-1)]; 
} 

//Create random size, angle, and dark color 
$size = rand(20, 24); 
$angle = rand(-3, 3); 
$color = ImageColorAllocate($im, rand(0, 100), rand(0, 100), rand(0, 100)); 

//Determine text size, and use dimensions to generate x & y coordinates 
$textsize = imagettfbbox($size, $angle, $font, $textstr); 
$twidth = abs($textsize[2]-$textsize[0]); 
$theight = abs($textsize[5]-$textsize[3]); 
$x = (imagesx($im)/2)-($twidth/2)+(rand(-20, 12)); 
$y = (imagesy($im))-($theight/2); 

function imagelinethick($image, $x1, $y1, $x2, $y2, $color, $thick = 1) { 
    if ($thick == 1) { 
        return imageline($image, $x1, $y1, $x2, $y2, $color); 
         } 
    $t = $thick / 2 - 0.5; 
    if ($x1 == $x2 || $y1 == $y2) { 
        return imagefilledrectangle($image, 
               round(min($x1, $x2) - $t), 
               round(min($y1, $y2) - $t), 
               round(max($x1, $x2) + $t), 
               round(max($y1, $y2) + $t), $color); 
         } 
    $k = ($y2 - $y1) / ($x2 - $x1); //y = kx + q 
    $a = $t / sqrt(1 + pow($k, 2)); 
    $points = array( 
        round($x1 - (1+$k)*$a), round($y1 + (1-$k)*$a), 
        round($x1 - (1-$k)*$a), round($y1 - (1+$k)*$a), 
        round($x2 + (1+$k)*$a), round($y2 - (1-$k)*$a), 
        round($x2 + (1-$k)*$a), round($y2 + (1+$k)*$a), 
        ); 
    imagefilledpolygon($image, $points, 4, $color); 
    return imagepolygon($image, $points, 4, $color); 
    } 

//Add text to image 
ImageTTFText($im, $size, $angle, $x, $y, $color, $font, $textstr); 
if ($pack == 0){ 
 imagelinethick($im, 10,10,100-11,28-11, $color, 2); 
 imagelinethick($im, 100,10,190-11,35-11, $color, 2); 
}else{ 
} 
//Output PNG Image 
header("Content-Type: image/png"); 
ImagePNG($im); 

//Destroy the image to free memory 
imagedestroy($im); 

//Insert reference into database, and delete any old ones 
mysql_connect('localhost', 'user', 'password') or die(mysql_error()); 
mysql_select_db('dbname'); 
//Create reference 
$sql = mysql_query("INSERT INTO security_images (insertdate, referenceid, hiddentext) VALUES ( 
now(), '$referenceid', '$textstr')"); 
//Delete references older than 1 day 
$sql = mysql_query("DELETE FROM security_images 
WHERE insertdate < date_sub(now(), interval 1 day)"); 

//End Output 
exit; 

?> 
I'm sure that somebody better than me can use them in a better way ;)

You can still download my disapproved mod from Truden Web Site
Love to All :)

Truden
Test TruBar in my test forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

I'd like to have your opinion, guys :-)

Do you think that the images below are easy for humans and difficult for robots?
TruBar has not been defeated yet, but I'd like to have some good images, that will not stop anonymous from writing in the forums and keeping bots away.

Those are a few samples:

[Five sample images]
Test TruBar in my test forums.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Post by Kellanved »

If you believe that your MOD was unfairly treated, please contact the validator and/or the MOD team leader.


The quoted section was just a comment regarding the copyright of the image-generation code. However, I believe the reasons for us to deny the MOD are pretty obvious from the code above.

~H
Nocando is in Idontwanna county. No support via PM
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Kellanved wrote: If you believe that your MOD was unfairly treated, please contact the validator and/or the MOD team leader.


The quoted section was just a comment regarding the copyright of the image-generation code. However, I believe the reasons for us to deny the MOD are pretty obvious from the code above.

~H


I think that the PHPBB team is very professional and there is no reason not to trust the members of the team.

I don't believe that I was unfairly treated :lol:
Yet it could be better with some better attitude ;)

Anyway...
I believe that I can still post here and ask for help.
Can I?
Test TruBar in my test forums.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Post by Kellanved »

Sure :D
Nocando is in Idontwanna county. No support via PM
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Thank You, Kellanved :D

Now if you have time, as you had time to comfort me, would you please help me out here.
It would be helpful for all that are on my level in php.

Would you tell me please, what don't you like about the code in my modification of the above file? (I suppose it is HTTP_GET_VARS)
Where is the security hole?
What would a spammer do?
What would be achieved with that?

Thank you in advance :)
Test TruBar in my test forums.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Post by Kellanved »

Truden, we gave you a pretty short list of things that need to be done before submitting a MOD.

The very basic first thing is: your MOD is mysql specific and doesn't use the DBAL.

See here:
http://www.phpbb.com/phpBB/viewtopic.php?t=137321


The second thing is what you were told in the validation report: The basic image generation code you used is severely flawed.
Nocando is in Idontwanna county. No support via PM
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Kellanved wrote: The second thing is what you were told in the validation report: The basic image generation code you used is severely flawed.


Well, that is my question - what is wrong, and where is the weak place.
How can a spammer crack it?
What will be the result of eventual SQL injection?
(deleting image ID is not a problem [they get deleted anyway]. What would be the problem if you insert ID [if you can]?)

I'm learning here, my friend.
Most of you can be my teachers.
So give me a hint, please.

It is simple - what would you do to crack this code?
Test TruBar in my test forums.
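
Added example, not part of the thread and not phpBB or TruBar code: the script posted above reads `refid` from the query string, runs `stripslashes()` on it and concatenates it into the INSERT, which is the point the SQL injection question is about. The sketch below does the same three steps (reference ID, random text, insert and cleanup) with shape validation, `random_bytes()`/`random_int()` and PDO bound parameters; the function names and the in-memory SQLite table are assumptions for illustration.

```php
<?php
// Added example (not the thread's code). PDO with in-memory SQLite stands in
// for the forum database; function names are hypothetical.

// Keep a client-supplied reference ID only if it has the shape the script
// itself generates (32 lowercase hex chars); otherwise mint a fresh one.
function captcha_reference_id(?string $supplied): string
{
    if ($supplied !== null && preg_match('/\A[a-f0-9]{32}\z/', $supplied) === 1) {
        return $supplied;
    }
    return bin2hex(random_bytes(16)); // CSPRNG, not md5(mktime()*rand())
}

// Challenge text drawn with random_int() (CSPRNG) instead of rand().
function captcha_text(int $length = 6): string
{
    $chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // constructed set
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $text;
}

function store_challenge(PDO $db, string $refid, string $text): void
{
    // Bound parameters: the values never become part of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO security_images (insertdate, referenceid, hiddentext)
         VALUES (:ts, :refid, :text)'
    );
    $stmt->execute([':ts' => time(), ':refid' => $refid, ':text' => $text]);
    // Delete references older than one day, as the posted script does.
    $db->prepare('DELETE FROM security_images WHERE insertdate < :cutoff')
       ->execute([':cutoff' => time() - 86400]);
}

// Constructed demo data: one well-formed refid and one containing a quote.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE security_images
           (insertdate INTEGER, referenceid TEXT, hiddentext TEXT)');
foreach (['0123456789abcdef0123456789abcdef', "abc' not-an-id"] as $sample) {
    $refid = captcha_reference_id($sample);
    store_challenge($db, $refid, captcha_text());
    echo ($refid === $sample ? 'kept:     ' : 'replaced: '), $refid, "\n";
}
echo $db->query('SELECT COUNT(*) FROM security_images')->fetchColumn(), " rows\n";
```

In a real page the stored row would be written before the PNG is sent, and the second sample shows a malformed `refid` being replaced rather than reaching the query.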
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

I would like publicly to present my thanks to Kellanved for answering my question in PM.

Thank You, Kellanved!

You have just proved that PHPBB team is a team of professionals and people of good care.

Thank You once again.

Love to All :)
Test TruBar in my test forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Well, I dropped the idea with the JavaScript viewer.
For now...
But I was thinking what is that thing that a human can do, but robots cannot.
You know the blind spot of human sight.
Something is there, but you don't see it.
And the other way round - something is not there, but you see it.

That idea came to me after I started to use the net that I threw over the image (see the images in this post)

So what, I said, if the net is a bit thicker and hides part of the letters.
A human will see them, but robots will see only broken lines with different color.
And here it is.

Check THIS image, and refresh it to see more.
Do you find it easy to read by human?
And do you think that robot will read it?
Test TruBar in my test forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

I would like to say a few words about the attitude of the moderators in PHPBB forums.

If we come here with ideas, that is because we hope that they will help PHPBB to be a better and safer product.
I'm far away from the thinking that the team does not know what is needed and how to do it.
Yet, it is obvious that people are helping the team and making some great difference.

TruBar wasn't approved for some reasons and as I said I'll not submit it again, but it is not fair to make a statement like Techie-Micheal did in Anti-Spam Thread!

Techie-Micheal wrote:
Truden's mod is effective because it's really hard to read (by people and bots) so bots have trouble deciphering it and because it's not used enough. If it widely used the bot script authors would probably break it, but until then it should be pretty effective.

I haven't checked it lately, but last time I did, I was able to defeat it easily using automated processes. So unless he has really changed it from the original which was taken from another site, chances are it won't be very long until a bot is able to read it.


I haven't had two posts after each other or any SPAM in my test forums.
I don't know what Techie-Micheal means by "defeat" but we are talking here about robot spam going through captcha.

So let's be more fair and precise in our statements and more friendly in our attitude.

That will be the best way to build a strong community.
And that is what PHPBB should be all about.
Test TruBar in my test forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Hey, guys, I need some OCR specialist here.
I know nothing about reading text from image.
Would you please tell me, should I concentrate on this image or rather save my efforts?

http://truden.com/sec_test_p.php

Refresh it to see more.
Test TruBar in my test forums.
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Post by Kellanved »

No, that image is almost not human-solvable, but at the same time very easy for machines.

Image
Nocando is in Idontwanna county. No support via PM