    #16
    Originally Posted by jack13580
    So let's say I send my bot to your website and it encounters your captcha. The first step I would have it do is read the captcha's question and, if it's math, do the math and submit. If that fails, the second step is to search for any hidden fields, read the data, and paste it into the captcha based upon the best match for the captcha's question. Third is to detect whether the captcha has a timed delay and delay the bot by 6 seconds, and fourth is to have the bot Google the question and submit the best result to the captcha.

    All this can be done in milliseconds based on Internet speed and the response speed of the website.

    Of course this is just a few simple methods of beating the captcha, and my own real bot, which I made for fun, is much better than this.
    I don't think so. How would your bot know there is a timed delay timer? I could employ 100 different types of things.

    Sure, if you wanted to create a specific bot for my site then you would visit my forms and then create a bot to "mimic" my form, but I am talking about a generic bot.
    #17
    Measuring the time is pretty much the most obvious idea you could come up with. Do you not think that a professional bot developer who makes a living from breaking spam protection would consider it?

    The problem is: Most people are not half as creative as they think they are. The coolest idea you may come up with trying to outsmart the spammers has been used thousands of times before. Spammers know this approach already, and they can probably break it with simple heuristics.

    Yes, you can fight off some bots with custom stuff. A primitive form filler can indeed be defeated by asking for the result of "1 + 1" or whatever. And the more effort you put into your spam protection, the higher your success rate can be. But why try to solve a problem that has already been solved? We know how to tell humans and machines apart: by forcing them to recognize text that current software can't recognize. Unlike any custom solution, this has proven itself in reality. It actually works (at least until now).

    I really don't understand why so many developers have such a hard time accepting and using standard solutions...
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    #18
    What is the standard solution? Something like reCAPTCHA? I have heard that it can be easily broken too.
    #19
    It can be easily broken? I'd love to hear about that (and I'm sure Google does as well).

    There are many indirect attacks against reCAPTCHA. The simplest (which affects all CAPTCHAs) is to have humans solve it for you. Either you pay some sweatshop to do it, or you put the CAPTCHAs onto some popular site (preferably p*rn). But this is very expensive compared to a simple bot doing all the work. Spammers need a good reason to use this.

    I'm not aware of any direct attack against reCAPTCHA, let alone that it was "easy to break". Recognizing text that other machines already failed to recognize is hard by definition.

    But let's say reCAPTCHA was broken. That still wouldn't mean everybody should come up with their own half-assed alternatives. The conclusion from this would be to find a better standard solution.
    Last edited by Jacques1; June 3rd, 2013 at 01:26 PM.
    #20
    Are bots capable of "understanding" all of your approaches?
    I cover this to a greater degree in post #4, but no, a generic bot generally cannot understand even very simple questions, so if your goal is to protect against only generic bots then you should not implement a complicated solution that is difficult for humans to solve. A simple single field that says "enter this random number X:" will accomplish this, because in all likelihood the generic bot will fail to solve it. There are even techniques for doing this that don't involve intervention on the part of the human at all.

    Or in the case of this specific example, there is no reason to ask for 6 separate random numbers when asking for 1 accomplishes exactly the same thing. There is also no reason to have any sort of time restriction on it.

    If someone is writing a bot specifically for your form, then it makes no difference to them whether the bot has to answer 1 random number or 6, but to a human having to answer 6 random numbers is 6 times as much work.

    something like re-captcha? I have heard that it can be easily broken too
    There have been some reports of people making progress on cracking reCAPTCHA, but to say that it is easily broken would be a drastic overstatement. If I recall correctly, the attacks against it actually rely on solving the audio puzzle rather than the visual one. However, as far as I know, very few, if any, people have access to code that is even somewhat reliable at cracking it.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
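One way to implement the single "enter this random number X:" field E-Oreo describes, together with the no-human-intervention technique he alludes to (a honeypot field a human never sees), as an added example that is not code from the thread or from any poster; the secret, the field names and the 600-second validity window are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Assumed values: a server-side secret (load from configuration in practice)
# and how long an issued challenge stays valid.
SECRET = b"example-secret-not-for-production"
CHALLENGE_TTL = 600  # seconds


def issue_challenge(now=None):
    """Build the hidden fields for a form that says 'enter this random number X:'.
    Signing X and the issue time lets the server verify later without storing state."""
    now = int(now if now is not None else time.time())
    number = secrets.randbelow(900000) + 100000  # six-digit number shown to the human
    mac = hmac.new(SECRET, f"{number}:{now}".encode(), hashlib.sha256).hexdigest()
    return {"challenge_number": number, "challenge_ts": now, "challenge_mac": mac}


def verify_submission(form, now=None):
    """Return (ok, reason) for a POSTed form dict. The form carries the hidden fields
    from issue_challenge(), the human's `answer`, and a honeypot field `website`
    that is hidden by CSS, so a human leaves it empty and a form filler does not."""
    now = int(now if now is not None else time.time())
    try:
        number = int(form["challenge_number"])
        ts = int(form["challenge_ts"])
        mac = str(form["challenge_mac"])
    except (KeyError, ValueError):
        return False, "missing or malformed challenge fields"
    expected = hmac.new(SECRET, f"{number}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "challenge fields were tampered with"
    if not 0 <= now - ts <= CHALLENGE_TTL:
        return False, "challenge expired or has a future timestamp"
    if form.get("website", ""):
        return False, "honeypot field was filled in"
    if str(form.get("answer", "")).strip() != str(number):
        return False, "wrong answer"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one from a human, one from a generic form filler.
    fields = issue_challenge()
    human = dict(fields, answer=str(fields["challenge_number"]), website="")
    bot = dict(fields, answer="asdf", website="http://example.invalid")
    print(verify_submission(human))  # (True, 'ok')
    print(verify_submission(bot))    # (False, 'honeypot field was filled in')
```

Because the number is signed rather than stored, the check also rejects a submission whose hidden fields were edited, which covers the "read the hidden fields and paste them" step quoted earlier in the thread.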
    #21
    Hello jpmul,

    Are you passionate about creating your own version of a spam blocker?

    Do you learn better when you do so?

    If so, then I think you should do so.

    You might come up with a better mouse trap, but probably will not do so. But you will definitely know more than you did before.
    #22
    Well Yeah
    It's how I learn, yes, and learning from others' experiences as I'm reading these posts.
    But the best statement I got out of all of this was from E-Oreo
    Originally Posted by E-Oreo
    The problem is that it's hard to use a computer to generate a question that is easy for a human to answer but hard for a computer to answer.
    I don't have a very important site at the moment, so I have the luxury to experiment for now. Thinking of ways to block a computer with another computer is actually fun and creative.
    #23
    Originally Posted by Jacques1
    It can be easily broken? I'd love to hear about that (and I'm sure Google does as well).
    OK, maybe not easily, but I do remember finding sites that claim that reCAPTCHA can be broken (when I first investigated my options for putting a captcha on my forms).