Date:      Mon, 1 Dec 2008 11:47:53 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-chat@FreeBSD.ORG, dan@langille.org, kdk@daleco.biz
Subject:   Re: using VPNs to cope with IP address changes
Message-ID:  <200812011047.mB1AlrgA044049@lurza.secnetix.de>
In-Reply-To: <49330766.4010301@daleco.biz>

Kevin Kinsey wrote:
 > Dan Langille wrote:
 > > Is this easier?
 > > 
 > > http://dan.langille.org/wp-content/bot-check/bc-image.php?human=Wow83QpZ6AM= 

That one is trivial to read by simple OCR software.

 > And re: someone's comment (private to both of us) about machine reading,
 > I've no idea how good the botz are at that, so I'd not let my comments
 > affect your bot blocking unless you get more opinions on it.  Or find 
 > the botz can read it ;-)

The "botz" are very good at it, according to a recent article
in the German c't magazine.  It is very non-trivial to create
captchas difficult to OCR but still readable by humans on all
kinds of different screens.  And they create problems for
visually-challenged people (that's why some sites offer a
link to download the captcha text as mp3, but I doubt it is
very convenient and encourages people to sign up).

Basically, captchas are last-century technology.  There are
several other ways to prevent bots from signing up or leaving
"comments" in blogs, guestbooks etc.

The above mentioned article enumerated quite a few ways to do
that.  One of the clever ones is to provide a form input field
labeled "street address" or whatever, but make it invisible
so humans don't fill it in.  Bots tend to fill in _all_ fields
(because many forms require you to fill in all fields), so
your CGI software can easily recognize bots.  A similar trick
is to hide an input field within an HTML comment.  Many bots
ignore comment delimiters and fill in the fields anyway.

Another trick is the opposite:  Use a bit of javascript to
create a form input field on the fly which is not present in
the HTML text.  Bots usually don't execute javascript, so they
don't fill in that field.

Advanced bot blocking includes creating random field names
(dynamically) and using time stamps and cryptographic
signatures, and accept every submission only within a
limited amount of time (and only once).

There are more things you can do, and of course you should
combine several of these.  It also depends on whether you want
to defend against occasional visits of bots that spider the
web, or against bots specifically targeted against your site.
The latter is much more difficult, obviously.

All of those defensive measures have the advantage that your
users don't have to decipher captchas anymore.

 > I do appreciate what you do for the community at large, Dan.

Seconded!

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Share your knowledge.  It is a way to achieve immortality." -- The Dalai Lama
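An added illustration of the two server-side checks described in the mail above (the hidden honeypot field, and the dynamically named field protected by a timestamp, an HMAC signature, a time window and single use); this is example code written for this archive page, not code from Oliver or any project, and the secret key, the field names and the in-memory nonce set are assumptions.

```python
import hmac
import hashlib
import secrets
import time

# Assumption: a server-side secret known only to the CGI software.
SECRET = b"constructed-example-secret-change-me"
# Assumption: tokens already accepted once; a real deployment would
# keep this in a shared store with expiry instead of process memory.
_seen_fields = set()


def issue_form(now=None):
    """Build the per-request values the form page embeds: a random
    field name for the real comment box, the issue time and an HMAC
    over both so the server can later verify it generated them."""
    now = int(time.time() if now is None else now)
    field = "f_" + secrets.token_hex(8)          # random, per request
    sig = hmac.new(SECRET, f"{field}:{now}".encode(), hashlib.sha256).hexdigest()
    return {"field": field, "ts": now, "sig": sig}


def check_submission(form, now=None, max_age=3600):
    """Return (accepted, reason) for a submitted form dict."""
    now = int(time.time() if now is None else now)
    # Honeypot: the invisible "street_address" field must stay empty;
    # bots that fill in every field give themselves away here.
    if form.get("street_address"):
        return False, "honeypot filled"
    field, ts, sig = form.get("field"), form.get("ts"), form.get("sig")
    if not (field and ts and sig):
        return False, "missing token"
    try:
        ts = int(ts)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    expected = hmac.new(SECRET, f"{field}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig)):
        return False, "bad signature"        # forged or tampered token
    if not (0 <= now - ts <= max_age):
        return False, "outside time window"  # stale or future-dated
    if field in _seen_fields:
        return False, "token already used"   # replayed submission
    if field not in form:
        return False, "dynamic field missing"  # reused an old form
    _seen_fields.add(field)                  # accept exactly once
    return True, "ok"
```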