From: Kevin Kinsey
Date: Sun, 30 Nov 2008 15:36:38 -0600
To: Dan Langille, FreeBSD Chat
Subject: Re: using VPNs to cope with IP address changes
Message-ID: <49330766.4010301@daleco.biz>
In-Reply-To: <4931978A.1000903@langille.org>

Dan Langille wrote:
> Kevin Kinsey wrote:
>>
>> Incidentally, I note no responses on your blog just yet, and wondered
>> if it had something to do with the CAPTCHA being Darn Near Impossible
>> to read (IMHO)? Maybe it's just my eyes.
>
> Is this easier?
>
> http://dan.langille.org/wp-content/bot-check/bc-image.php?human=Wow83QpZ6AM=

A little bit, yes. In particular, and again, it's just me [*blush*]... I just noted that it helps to be closer than 30" from the CRT if I want to read the image.

And re: someone's comment (private to both of us) about machine reading, I've no idea how good the botz are at that, so I'd not let my comments affect your bot blocking unless you get more opinions on it. Or find the botz can read it ;-)

I do appreciate what you do for the community at large, Dan.

Kevin Kinsey
--
A sine curve goes off to infinity, or at least the end of the blackboard.
    -- Prof. Steiner

From: Oliver Fromme
Date: Mon, 1 Dec 2008 11:47:53 +0100 (CET)
To: freebsd-chat@FreeBSD.ORG, dan@langille.org, kdk@daleco.biz
Message-Id: <200812011047.mB1AlrgA044049@lurza.secnetix.de>
In-Reply-To: <49330766.4010301@daleco.biz>
Subject: Re: using VPNs to cope with IP address changes

Kevin Kinsey wrote:
> Dan Langille wrote:
> > Is this easier?
> >
> > http://dan.langille.org/wp-content/bot-check/bc-image.php?human=Wow83QpZ6AM=

That one is trivial to read by simple OCR software.

> And re: someone's comment (private to both of us) about machine reading,
> I've no idea how good the botz are at that, so I'd not let my comments
> affect your bot blocking unless you get more opinions on it. Or find
> the botz can read it ;-)

The "botz" are very good at it, according to a recent article in the German c't magazine. It is very non-trivial to create captchas difficult to OCR but still readable by humans on all kinds of different screens. And they create problems for visually-challenged people (that's why some sites offer a link to download the captcha text as mp3, but I doubt it is very convenient and encourages people to sign up).

Basically, captchas are last-century technology. There are several other ways to prevent bots from signing up or leaving "comments" in blogs, guestbooks etc. The above mentioned article enumerated quite a few ways to do that.

One of the clever ones is to provide a form input field labeled "street address" or whatever, but make it invisible so humans don't fill it in.
Bots tend to fill in _all_ fields (because many forms require you to fill in all fields), so your CGI software can easily recognize bots.

A similar trick is to hide an input field within a HTML comment. Many bots ignore comment delimiters and fill in the fields anyway.

Another trick is the opposite: Use a bit of javascript to create a form input field on the fly which is not present in the HTML text. Bots usually don't execute javascript, so they don't fill in that field.

Advanced bot blocking includes creating random field names (dynamically) and using time stamps and cryptographic signatures, and accept every submission only within a limited amount of time (and only once).

There are more things you can do, and of course you should combine several of these. It also depends on whether you want to defend against occasional visits of bots that spider the web, or against bots specifically targeted against your site. The latter is much more difficult, obviously.

All of those defensive measures have the advantage that your users don't have to decipher captchas anymore.

> I do appreciate what you do for the community at large, Dan.

Seconded!

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"Share your knowledge. It is a way to achieve immortality."
        -- The Dalai Lama
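
The server-side checks listed in the message above (an invisible decoy field with a random name, a signed time stamp, a limited acceptance window, single use), sketched as an added example that is not part of the original thread. The function names, the thresholds and the in-memory nonce store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: per-site key, generated here for the demo
MIN_AGE, MAX_AGE = 3, 3600        # assumed window in seconds: not instant, not stale
_used = set()                     # redeemed nonces (in memory for the demo)

def _sign(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def _trap_name(nonce):
    # Random-looking, per-form name for the invisible decoy input
    return "f_" + _sign("trap:" + nonce)[:12]

def issue_form(now=None):
    """Hidden values to embed when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    token = f"{ts}:{nonce}:{_sign(ts + ':' + nonce)}"
    return {"token": token, "trap_field": _trap_name(nonce)}

def check_submission(form, now=None):
    """Return 'ok' or the reason the submission is rejected."""
    now = time.time() if now is None else now
    try:
        ts, nonce, sig = form.get("token", "").split(":")
        age = now - int(ts)
    except ValueError:
        return "bad token"
    if not hmac.compare_digest(sig.encode(), _sign(ts + ":" + nonce).encode()):
        return "bad signature"       # time stamp or nonce was altered
    if age < MIN_AGE:
        return "too fast"            # submitted quicker than a person types
    if age > MAX_AGE:
        return "expired"
    if form.get(_trap_name(nonce), ""):
        return "decoy field filled"  # humans never see this input
    if nonce in _used:
        return "replayed"            # each issued form is accepted once
    _used.add(nonce)
    return "ok"
```

The decoy input is rendered under the name in trap_field and hidden with CSS; a multi-process deployment would need a shared store for the redeemed nonces.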