Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Funny Little Images 14 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.

  • Personally, I think the images are a waste of time. merlyn (Randal Schwartz) did a column in Web Techniques for the same basic thing.

    Never one to resist a pointless challenge, before the article hit print, I wrote a "cracker" for it. The write-up is here [perlmonks.org], for those that may be interested.

    You're going to have to get a lot more tricky than 3 letters with a consistent font to stop a 'bot. Most of the time is invested in creating the font table, but once you've got that, the pattern matching is trival.

    --jcwren

    • Did you try it on the images here?

    • No, mostly because I'd have to build the font maps. But in loading the images several times, the fonts all appear consistent, along with their positioning. The slight color in the background is easily worked around.

      The down side to the images is that it makes posting with lynx pretty darn impossible. And considering that a great many Perl users are *nix users, that doesn't seem like a nice thing to do. Even if lynx *does* represent a small viewer-shared.

      --jcwren

      • As to whether it is not nice for the users, that's not relevant to anything in particular that we're doing right now. Sites don't have to use this. As I said, we are testing it. I don't know of any site that we are working on that will turn it on for posting comments on a regular basis.

        And I do doubt how "easily" you could work around things. What if every letter were a different color with a different background, with dithering all throughout? As Jamie notes, it's trivial to add things like that, and
        • Could somebody shoot Tim Berners Lee so he can turn in his grave!

          Am I missing something or is this a big two fingers to blind users? Maybe you could put the letters in the ALT tag ;-)

          Helping put this in slashcode is just as bad as Adobe allowing publishers to disable "Read Aloud" on their e-books. The argument that sites/publishers don't actually have to use it is no more a defense for slashcode than it is for Adobe.
          • We're not happy about its effect on blind users, but images are not the only possibility for this kind of verification. We hope in future to offer alternate methods -- I'm thinking audio snippets, in particular. We can also set up a method for admins to exempt particular accounts. Etc.

            The nature of the internet is that it's trivial to DDoS any site that allows anonymous or semi-anonymous postings. Some Slash sites are actively targeted by hostile users for scripted attacks, and those sites need defenses.

            • I wrote a long (constructive) response to this but the combination of IE and the absolutely shit bag of a Chinese internet cafe I'm in just ate it on me!

              Basically it amounted to doing a few checks on the recent history of the IP address an account is being registered from or a check on the history of a doubtful account (all new accounts being doubtful until they prove themselves). If the checks fail, then get them to pass a humanity test.

              This should mean that a blind person would have to be unlucky when j
          • It's like the ability for an administrator to remove comments. It's probably a bad idea to use in most implmentations, but some possible uses of Slash might need it.

            From what I understand about Slash (having no more experience than reading the book) the code base isn't intended to enforce any policy on the admins of Slash systems. That policy is up to the admins - the code gives them the freedom to make their own decisions.

            • I just think it's a bad solution to the problem. Jcwren has already very quickly cracked it and making it harder to crack just excludes an even larger section of sight-impaired users.

              And when a DOSer does finally crack the latest version. you're goosed again until you can find some other way of obscuring the letters and thus exclude even more people!

              Monitoring account creation activity and the posting activity of accounts that have yet to prove themselves would be a much sturdier way of doing things and d

      • Don't forget links [mff.cuni.cz] (which I've come to like better than lynx; handles tables better) and w3m.

        As a sugguestion, maybe have an option / configuration value / something that it gets turned off after you get x karma. That way you get the benefit of suppressing automation from new accounts, but long time users aren't inconvenienced.

      • Maybe Slash could have an option to display the image as a text based image so that lynx can render it - run it through aalib or something.

        Doesn't really help blind users though.

    • You've probably noticed there is noise in the background of the Slash images. Any thoughts on how difficult that makes the problem?

      If misregistration, dithering, etc. would make things harder to crack, the Slash team can do those things too. In this case, the arms race advantage goes to the server side. Tweaking text to make it less computer-readable is easy; recoding OCR algorithms is comparatively extremely difficult. The Slash code doesn't have such things yet but it would be a matter of minutes to add

      • Perhaps it's time, then. I wrote a small utility to take the images and extract the characters. Out of the 24 images or so I pulled, I was able to decode them 100%

        Mind you, all this program does is take the image, convert it to a bitmap, run a simple threshold comparison, and if the RGB value is less than a certain value, it's black, otherwise it's white. I output this as an ASCII image comprised of '#' and '.' in the 24 x 19 array.

        All the images I tested were perfectly legible, which means they can be

        • "All the images I tested were perfectly legible, which means they can be OCR'ed at this point."

          I agree with part 1 and part 2 of the above statement, but not the "which means" part that bridges them -- there exist some legible images which can't be OCR'd.

          Example: http://www.captcha.net/cgi-bin/ez-gimpy [captcha.net]

          The Slash plugin could move to using something like this, if there's a need for it, without too much trouble. The current model is really just infrastructure to allow things like that to happen, plus o

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.