Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • Personally, I think the images are a waste of time. merlyn (Randal Schwartz) did a column in Web Techniques for the same basic thing.

    Never one to resist a pointless challenge, before the article hit print, I wrote a "cracker" for it. The write-up is here [], for those that may be interested.

    You're going to have to get a lot more tricky than 3 letters with a consistent font to stop a 'bot. Most of the time is invested in creating the font table, but once you've got that, the pattern matching is trival.

    • No, mostly because I'd have to build the font maps. But in loading the images several times, the fonts all appear consistent, along with their positioning. The slight color in the background is easily worked around.

      The down side to the images is that it makes posting with lynx pretty darn impossible. And considering that a great many Perl users are *nix users, that doesn't seem like a nice thing to do. Even if lynx *does* represent a small viewer-shared.


      • As to whether it is not nice for the users, that's not relevant to anything in particular that we're doing right now. Sites don't have to use this. As I said, we are testing it. I don't know of any site that we are working on that will turn it on for posting comments on a regular basis.

        And I do doubt how "easily" you could work around things. What if every letter were a different color with a different background, with dithering all throughout? As Jamie notes, it's trivial to add things like that, and
        • Could somebody shoot Tim Berners Lee so he can turn in his grave!

          Am I missing something or is this a big two fingers to blind users? Maybe you could put the letters in the ALT tag ;-)

          Helping put this in slashcode is just as bad as Adobe allowing publishers to disable "Read Aloud" on their e-books. The argument that sites/publishers don't actually have to use it is no more a defense for slashcode than it is for Adobe.
          • We're not happy about its effect on blind users, but images are not the only possibility for this kind of verification. We hope in future to offer alternate methods -- I'm thinking audio snippets, in particular. We can also set up a method for admins to exempt particular accounts. Etc.

            The nature of the internet is that it's trivial to DDoS any site that allows anonymous or semi-anonymous postings. Some Slash sites are actively targeted by hostile users for scripted attacks, and those sites need defenses.

            • I wrote a long (constructive) response to this but the combination of IE and the absolutely shit bag of a Chinese internet cafe I'm in just ate it on me!

              Basically it amounted to doing a few checks on the recent history of the IP address an account is being registered from or a check on the history of a doubtful account (all new accounts being doubtful until they prove themselves). If the checks fail, then get them to pass a humanity test.

              This should mean that a blind person would have to be unlucky when j
          • It's like the ability for an administrator to remove comments. It's probably a bad idea to use in most implmentations, but some possible uses of Slash might need it.

            From what I understand about Slash (having no more experience than reading the book) the code base isn't intended to enforce any policy on the admins of Slash systems. That policy is up to the admins - the code gives them the freedom to make their own decisions.

            • I just think it's a bad solution to the problem. Jcwren has already very quickly cracked it and making it harder to crack just excludes an even larger section of sight-impaired users.

              And when a DOSer does finally crack the latest version. you're goosed again until you can find some other way of obscuring the letters and thus exclude even more people!

              Monitoring account creation activity and the posting activity of accounts that have yet to prove themselves would be a much sturdier way of doing things and d
      • Don't forget links [] (which I've come to like better than lynx; handles tables better) and w3m.

        As a sugguestion, maybe have an option / configuration value / something that it gets turned off after you get x karma. That way you get the benefit of suppressing automation from new accounts, but long time users aren't inconvenienced.

      • Maybe Slash could have an option to display the image as a text based image so that lynx can render it - run it through aalib or something.

        Doesn't really help blind users though.