Building better CAPTCHA

Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Building better CAPTCHA

Post by Truden »

Hi everybody :-)

I'm still busy with refining my TruBar, but I need some help from you guys ;)
As I already said, I'm not a programmer and the coding sometimes is coming too hard on me.

By now TruBar uses random backgrounds, random fonts, random string colors, random character numbers, random string angle and random off center position.
It stores the image ID in the DB and does the check through the DB.

That makes it one of the most difficult to break, but I don't want it to be difficult.
I want it unbreakable.

Here is an idea.

As you can see the code is hidden, and there is no way to see the same code in a browser or any image viewer, but with the provided viewer.
The moment you go for it, the image will regenerate (it is already destroyed)

Before I go for your help, I would like to know:

- is it difficult or possible to write a bot script that will drag the viewer on top of the image in order to see it?
Can someone write a spam script so clever that it will drag the small viewer two times if it needs to see the whole code?

My opinion is that there are no productive scripts that break captcha code by recognizing the picture.
It is possible, but not in production use.
The most common way of breaking captcha is by posting one and the same form, with different content. (A human fills in the code and the script just changes the content and the destination.)
That is possible if the image ID is not stored in the DB and deleted after it is used.

So, is the idea with the viewer good enough to put an effort on it?
If "YES" I'll need a little help ;)
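
The replay problem described in the post above (one human-solved form re-posted with different content) is closed by making each image ID single-use on the server. A sketch of that check as an added example, not part of the thread and not TruBar's code; the table, column and function names are hypothetical, and in-memory SQLite stands in for the board's database:

```php
<?php
declare(strict_types=1);

// Hypothetical schema; in-memory SQLite stands in for the board's DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE captcha (id TEXT PRIMARY KEY, code TEXT NOT NULL, expires INTEGER NOT NULL)');

// Issue a challenge: the unguessable ID goes into the form, the code only into the image.
function captcha_issue(PDO $db, int $ttl = 300): array
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // look-alike glyphs left out
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $id = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO captcha (id, code, expires) VALUES (?, ?, ?)')
       ->execute([$id, $code, time() + $ttl]);
    return [$id, $code];
}

// Verify a submission. The row is deleted on the first attempt, right or wrong,
// so one human-solved code cannot be replayed and a bot gets one guess per image.
function captcha_verify(PDO $db, string $id, string $answer): bool
{
    $db->beginTransaction();
    $sel = $db->prepare('SELECT code, expires FROM captcha WHERE id = ?');
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $del = $db->prepare('DELETE FROM captcha WHERE id = ?');
    $del->execute([$id]);
    $consumed = $del->rowCount() === 1; // only one concurrent request can win the delete
    $db->commit();
    if ($row === false || !$consumed || (int)$row['expires'] < time()) {
        return false;
    }
    return hash_equals($row['code'], strtoupper(trim($answer)));
}

[$id, $code] = captcha_issue($db);
var_dump(captcha_verify($db, $id, $code));     // first submission of the solved form
var_dump(captcha_verify($db, $id, $code));     // same form replayed with new content
[$id2] = captcha_issue($db);
var_dump(captcha_verify($db, $id2, 'WRONG1')); // wrong guess also consumes the challenge
```

Run from the CLI, the three calls give true, false, false: the replayed form fails because its row is already gone, regardless of how the image itself is displayed.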
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm

Post by Brf »

Is there supposed to be something in that little window? It was empty for me...
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Under the image - click on small or big
crossmr
Registered User
Posts: 37
Joined: Thu Feb 09, 2006 6:14 am
Location: Seoul, South Korea

Post by crossmr »

The only issue I see right now, from my initial reaction, is that formatting is off in both Mozilla and IE. I see what you're trying to do though, and it doesn't look interesting/easy to use.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

crossmr wrote: The only issue I see right now, from my initial reaction, is that formatting is off in both Mozilla and IE. I see what you're trying to do though, and it doesn't look interesting/easy to use.

Not easy for human use or for bot use?
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm

Post by Brf »

Truden wrote: Under the image - click on small or big


Yes. I clicked both big and small... All it made was a little empty square. That was what I was asking... if something was supposed to be inside that square.
crossmr
Registered User
Posts: 37
Joined: Thu Feb 09, 2006 6:14 am
Location: Seoul, South Korea

Post by crossmr »

Truden wrote:
crossmr wrote: The only issue I see right now, from my initial reaction, is that formatting is off in both Mozilla and IE. I see what you're trying to do though, and it doesn't look interesting/easy to use.

Not easy for human use or for bot use?


Sorry that was supposed to be "does" not "doesn't". It looks easy to use for humans. I'm not sure how a bot would react to it, I've no real experience with them or how they work, other than the end result of them flooding my forums.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Brf wrote:
Truden wrote: Under the image - click on small or big


Yes. I clicked both big and small... All it made was a little empty square. That was what I was asking... if something was supposed to be inside that square.


:D Yes, if you point your mouse over the square you'll see that you can drag it. Then drag it on top of the image.
Test TruBar in my test forums.
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm

Post by Brf »

Truden wrote: :D Yes, if you point your mouse over the square you'll see that you can drag it. Then drag it on top of the image.


Sometimes I get an image. Most of the time I am getting an "invalid argument" Javascript error.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Brf wrote:
Truden wrote: :D Yes, if you point your mouse over the square you'll see that you can drag it. Then drag it on top of the image.


Sometimes I get an image. Most of the time I am getting an "invalid argument" Javascript error.


Interesting...
I've never had that.
It is tested with Opera 9.02, IE 6, IE 7 and FireFox 1.5.0.7

Is your Windows with Service Pack 2, Brf?
Brf
Support Team Member
Posts: 53400
Joined: Tue May 10, 2005 7:47 pm

Post by Brf »

LOL. Windows ME doesn't have a servicepack-2. :P
Mondego
Registered User
Posts: 129
Joined: Sun Jan 23, 2005 1:24 am
Location: 127.0.0.1

Post by Mondego »

Brf wrote: LOL. Windows ME doesn't have a servicepack-2. :P


i don't get the JavaScript error. i get something that looks really cool when you drag it over the picture.

scripts like PWNtcha aren't able to "see what you see". they process algorithms by decoding the image file. i would have to know about your script to determine how it's displayed "as I see it".

if the text on the image is not really "on" the image, then this could be a little more difficult to break, potentially a lot more difficult to break if i knew how it was done. if it's simply placing one image over another, it may not be any harder to break by one of those scripts.

if you want to make this really easy to use, i suggest not making the box moveable at all, but just simply surround the real image with it, because as i stated earlier, it does not matter how it looks onscreen; decoding scripts don't look at actual pixels, at least, not the way you or I do.

did you write this yourself? i'm extremely interested in seeing this completed.
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

Mondego wrote: did you write this yourself? i'm extremely interested in seeing this completed.

The base for png generating code I took from another guy.
The code for the viewer is from another one (I put a link for it on the viewer page).
I got the idea and joined them.

I'm not that good to write such a thing, especially the JavaScript.
I'm just a carpenter, my friend.

I hope that the work will be completed in a few days ;)

I'm editing this entry - forgot to ask something.
Of course everything that I see on the screen is stored in my PC.
I can find it in the temp directory.
Is the SPAM script working with the Internet temporary directory or with the current page view?
Truden
Registered User
Posts: 70
Joined: Sun Jun 15, 2003 11:40 pm
Location: Johannesburg/South Africa

Post by Truden »

OK, I don't know how effective this change with the hidden image effect is against spam robots, but I did it.
I still have to fix the alignment.

Now (please bear with me), I would like to know something more about the way spam robots work.
What I meant with the "temp dir" question is: is the robot seeing the page with all served content? Which means that the robot sees regardless of the code instructions.
If so, then any hidden content is useless against them.
If I load the image on click, that won't improve anything, because the robot will be instructed to click, and then it will "see" the image.

What can robots not do?
Mondego
Registered User
Posts: 129
Joined: Sun Jan 23, 2005 1:24 am
Location: 127.0.0.1

Post by Mondego »

if captcha breaking robots can act like email spiders, then some can even interpret JavaScript. the only files in the temp dir that can be seen are the ones in the http request. most consist of the html page, javascript docs, css docs, all images, stylesheets, etc. but only for that request. it can't see your entire temp internet dir afaik.

you might be able to get away with allowing only certain "user agents" to be allowed to view the image (user agents like firefox, internet explorer, googlebot, etc), but some scripts can spoof it, so even that's not 100%.

the best way around spam registration is to use as many tricks as can be afforded without sacrificing usability. you can use a captcha that follows as many inconsistencies as you can draw out (random patterns, random fonts, random placements of each glyph, run the text slightly off the image, etc), use a "white list" of user agents, even use multiple captchas and randomly make the user pick the right one, rollover captchas, etc. hiding the "real" captcha is clever and will probably work for a while, until some hacker figures it out and modifies their code to get around it.

there will never be a 100% way of stopping it. basically, if it can be coded one way, it can also be coded to block it.

on my phpBB2 board, i changed the wording of the variables in the html and such because those scripts pick that up too. i've gotten way less spam registrations when i made that simple touch.