Poor man's captcha: why wouldn't this work?

This topic is closed.
  • pittendrigh

    Poor man's captcha: why wouldn't this work?

    Let's say we're trying to keep blog and forum spammers out
    of our site--we're not trying to protect Fort Knox.

    1) Step one is a one-time-only step.
    We create six different CSS files that define the
    same six color names differently, but each such
    CSS file assigns red to one and only
    one of those same six color names, and then store
    the six somewhere in the document_root.

    2) We make a dynamically generated GET page that mods a random number
    to between 1 and 6 and sets that number as a session variable.
    That number will tell us in a later POST which of the six
    CSS files to use when we generate a dynamic POST page.

    We also randomly create 6 digits between 1 - 256 and concatenate
    them into a comma-delimited string. We set that string
    as a session variable.

    3) In the POST we generate a page that specifies one
    of the six CSS files in its header, according to the value
    of the first session variable. Because we have that session
    variable, and because we know which of the six different
    CSS schemes we are now using, we know which CSS attribute
    in the current scheme means red. We don't care about the other
    colors.

    4) Now we generate 256 random digits (between 1 - 256) into an array.
    We loop through the array and concatenate a <b class="xx">$digit</b>
    onto a string. For each such <b> tag we randomly choose one of
    the CSS colors known not to be red, except for the N array index digits
    we get from the exploded comma-delimited session var #2.
    We set those <b class="yy"> tags to the color known (only to us)
    to be red.

    5) Now we echo the string of <b> tags. Six out of the
    256 randomly generated digits will be red, all the others
    some undetermined color. But we know which ones are
    red.

    6) Now we do another POST, asking the user to tell us which
    of the 256 digits are red.

    7) If the POST variable matches the session stuff, we proceed,
    else we tell the client computer to chop the fingers off
    the spammer's hands and smoke the seat of his pants.

  • pittendrigh

    #2
    Re: Poor man's captcha: why wouldn't this work?


    pittendrigh wrote:
    > Let's say we're trying to keep blog and forum spammers out
    > of our site--we're not trying to protect Fort Knox.

    ...OK, the spammer is not sitting at a keyboard, it's a bot.
    That's why we need a poor man's captcha.


    • Benjamin Esham

      #3
      Re: Poor man's captcha: why wouldn't this work?

      pittendrigh wrote:
      > Now we echo the string of <b> tags. Six out of the 256 randomly generated
      > digits will be red, all the others some undetermined color. But we know
      > which ones are red.

      Not if the user is colorblind. Perhaps it would be possible to make some of
      the numbers bolded, italicized, or sized differently from the others.
      Basing anything on color, though, is a big accessibility issue that is
      easily avoided in this case.

      --
      Benjamin D. Esham
      bdesham@gmail.com | AIM: bdesham128 | Jabber: same as e-mail
      "...English is about as pure as a cribhouse whore. We don't just
      borrow words; on occasion, English has pursued other languages
      down alleyways to beat them unconscious and rifle their pockets
      for new vocabulary." — James Nicoll


      • Jerry Stuckle

        #4
        Re: Poor man's captcha: why wouldn't this work?

        pittendrigh wrote:
        > [original proposal quoted in full; see the first post]
        It would work (other than the color-blindness Benjamin mentioned).

        But why go to all that trouble when there are several captcha routines
        out there for your use?

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • pittendrigh

          #5
          Re: Poor man's captcha: why wouldn't this work?

          Jerry Stuckle wrote:
          > But why go to all that trouble when there are several captcha routines
          > out there for your use?

          Tell me, tell me.
          I spent about an hour surfing Google for cut-and-paste PHP captcha
          stuff.
          But nothing worked.

          One died on my Linux box because I didn't have TrueType fonts.
          Another died when I hadn't paid for a "registration key".
          That pissed me off and I decided to try and roll my own.

          If I knew the location of a usable captcha package I'd use it.


          • Jerry Stuckle

            #6
            Re: Poor man's captcha: why wouldn't this work?

            pittendrigh wrote:
            >> But why go to all that trouble when there are several captcha routines
            >> out there for your use?
            >
            > Tell me, tell me.
            > I spent about an hour surfing Google for cut-and-paste PHP captcha
            > stuff.
            > But nothing worked.
            >
            > One died on my Linux box because I didn't have TrueType fonts.
            > Another died when I hadn't paid for a "registration key".
            > That pissed me off and I decided to try and roll my own.
            >
            > If I knew the location of a usable captcha package I'd use it.

            There are any number of them around. You might try www.hotscripts.com
            for a start. Also www.freshmeat.com, www.phpclasses.org...

            Just searching google for

            captcha php

            came up with most of the above (except hotscripts) and more on the first
            page. Most with usable code. But you generally have to have the gd
            libs installed and running properly for any captcha to work.


            --
            ==================
            Remove the "x" from my email address
            Jerry Stuckle
            JDS Computer Training Corp.
            jstucklex@attglobal.net
            ==================


            • Kimmo Laine

              #7
              Re: Poor man's captcha: why wouldn't this work?

              "pittendrig h" <Sandy.Pittendr igh@gmail.comwr ote in message
              news:1158712064 .952149.317310@ k70g2000cwa.goo glegroups.com.. .
              > [original proposal quoted in full; see the first post]

              Instead of coloring certain numbers with random colors, why not just make them
              invisible using visibility:hidden; display:none; - works for colorblind
              people as well. That leaves us just the blind. You should set the letters
              inaudible as well for screen readers using volume:silent; speak:none;
              So your hiding CSS mask would be:
              .xx {
              visibility:hidden;
              display:none;
              volume:silent;
              speak:none;
              }

              --
              "A programmer is an organism that turns caffeine into code" - lpk
              http://outolempi.net/ahdistus/ - A randomly updated web comic
              spam@outolempi.net || Gedoon-S @ IRCnet || rot13(xvzzb@bhgbyrzcv.arg)



              • pittendrigh

                #8
                Re: Poor man's captcha: why wouldn't this work?


                Benjamin Esham wrote:
                > Not if the user is colorblind. Perhaps it would be possible to make some of
                > the numbers bolded, italicized, or sized differently from the others.
                > Basing anything on color, though, is a big accessibility issue that is
                > easily avoided in this case.

                Bolded fonts would work for the color blind.
                The blind would be out of luck. But this is a boat building site,
                and (unfortunately) the blind can't build boats anyway.

                My idea would be too easy to crack for widespread use.
                But if I put it on my boat building forum only, no one would take
                the time to crack it, just to post a few porno links on my site.

                So I think I'll do it, instead of searching for a well-known captcha
                package. Should take no more than a few hours to code.

                Thanks for the feedback.


                • Klaus Brune

                  #9
                  Re: Poor man's captcha: why wouldn't this work?

                  I've always thought that the whole use of graphics images could be
                  avoided completely, and even keep text-readers for the blind happy, with
                  something like this...

                  Have a database of common questions and answers, and even allow
                  registered users to submit more questions, so it's a never-ending battle
                  for the spammer to try to predict ALL the questions, as loyal site
                  visitors contribute to the battle against spam.

                  Q: What type of plant is commonly found in a forest?
                  A: tree

                  Q: What is the sum of two plus three?
                  A: five

                  Q: What is the color of the sky?
                  A: blue

                  Q: What type of animal loves to chase cats and cars?
                  A: dog

                  You get the idea. Though I like the CSS route too. Very creative.

                  -GC


                  In article <1158712064.952149.317310@k70g2000cwa.googlegroups.com>,
                  Sandy.Pittendrigh@gmail.com says...
                  > [original proposal quoted in full; see the first post]


                  • Gordon Burditt

                    #10
                    Re: Poor man's captcha: why wouldn't this work?

                    pittendrigh wrote:
                    > Let's say we're trying to keep blog and forum spammers out
                    > of our site--we're not trying to protect Fort Knox.
                    >
                    > 1) Step one is a one-time-only step.
                    > We create six different CSS files that define the
                    > same six color names differently, but each such
                    > CSS file assigns red to one and only
                    > one of those same six color names, and then store
                    > the six somewhere in the document_root.
                    >
                    > 2) We make a dynamically generated GET page that mods a random number
                    > to between 1 and 6 and sets that number as a session variable.
                    > That number will tell us in a later POST which of the six
                    > CSS files to use when we generate a dynamic POST page.
                    >
                    > We also randomly create 6 digits between 1 - 256 and concatenate
                    > them into a comma-delimited string. We set that string
                    > as a session variable.
                    >
                    > 3) In the POST we generate a page that specifies one
                    > of the six CSS files in its header, according to the value
                    > of the first session variable. Because we have that session
                    > variable, and because we know which of the six different
                    > CSS schemes we are now using, we know which CSS attribute
                    > in the current scheme means red. We don't care about the other
                    > colors.
                    >
                    > 4) Now we generate 256 random digits (between 1 - 256) into an array.
                    > We loop through the array and concatenate a <b class="xx">$digit</b>
                    > onto a string. For each such <b> tag we randomly choose one of
                    > the CSS colors known not to be red, except for the N array index digits

                    As I understand it, you're going to have a bunch of html like:
                    <b class="urk">5</b>
                    <b class="bog">6</b>
                    <b class="kub">3</b>
                    ...

                    Exploit (although it does require some bot programming):
                    Spammer counts number of times urk, bog, kub, nom, val, and tov occur.
                    Whichever one appears 6 times, is the correct one. Use the corresponding
                    digits. If there's more than one, guess.

                    Actually, even a 1-in-6 guess on the colors with no counting isn't
                    bad for a spammer who's hammering your web server unless you've got
                    other traps like IP banning after so many bad tries.

                    Also, remember that the HTML tells the bot which css file is the
                    correct one, and it could fetch it and parse it.



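As an added illustration (editor-written example code, not code from pittendrigh, Gordon Burditt or anyone else in the thread), the Python below builds the challenge the way steps 1 through 7 of the first post describe and then solves it both ways Gordon outlines: counting which class name occurs exactly six times, and fetching the stylesheet the page's own <link> names to read off which class is red. The class names, the scheme filenames and the in-memory dictionary that stands in for an HTTP fetch of the CSS are assumptions. Kimmo Laine's display:none variant falls to the second solver the same way, since the hiding class is fixed and named in the markup.

```python
"""Illustration written for this page: the six-stylesheet "red digit" captcha
from the first post, built the way the steps describe, plus the two breaks
Gordon Burditt sketched (class-frequency counting, and reading the stylesheet
the page itself names).  Class and file names are assumptions, not the OP's."""
import random
import re
from collections import Counter

CLASS_NAMES = ["urk", "bog", "kub", "nom", "val", "tov"]  # six colour names (assumed)
OTHER_COLOURS = ["blue", "green", "black", "gray", "purple"]
N_DIGITS = 256   # digits rendered on the page
N_RED = 6        # digits the user must pick out


def build_stylesheet(scheme: int) -> str:
    """Step 1: scheme i assigns red to CLASS_NAMES[i] and only to it."""
    others = iter(OTHER_COLOURS)
    rules = [f".{name} {{ color: {'red' if i == scheme else next(others)}; }}"
             for i, name in enumerate(CLASS_NAMES)]
    return "\n".join(rules)


# The six files the OP would store under document_root, keyed by filename.
STYLESHEETS = {f"scheme{i}.css": build_stylesheet(i) for i in range(6)}


def make_challenge(seed: int):
    """Steps 2-5: pick a scheme and six positions, emit the <b> tags.
    Returns (html, session); the session is what only the server keeps."""
    rng = random.Random(seed)
    scheme = rng.randrange(6)
    red_positions = sorted(rng.sample(range(N_DIGITS), N_RED))
    red_class = CLASS_NAMES[scheme]
    non_red = [c for c in CLASS_NAMES if c != red_class]
    digits = [rng.randint(1, 256) for _ in range(N_DIGITS)]
    tags = []
    for idx, d in enumerate(digits):
        cls = red_class if idx in red_positions else rng.choice(non_red)
        tags.append(f'<b class="{cls}">{d}</b>')
    html = f'<link rel="stylesheet" href="scheme{scheme}.css">\n' + "\n".join(tags)
    session = {"scheme": scheme, "red_positions": red_positions, "digits": digits}
    return html, session


def expected_answer(session) -> list:
    """The digits at the red positions, in page order."""
    return [session["digits"][i] for i in session["red_positions"]]


def verify(session, answer) -> bool:
    """Step 7: compare the POSTed answer against the session."""
    return list(answer) == expected_answer(session)


TAG_RE = re.compile(r'<b class="(\w+)">(\d+)</b>')


def solve_by_counting(html):
    """Break 1: 250 digits are spread over five classes and exactly six sit in
    the sixth, so the red class is the one used N_RED times.  No CSS needed."""
    pairs = TAG_RE.findall(html)
    counts = Counter(cls for cls, _ in pairs)
    candidates = [c for c, n in counts.items() if n == N_RED]
    if len(candidates) != 1:
        return None          # a tie is possible in principle; a bot would guess
    return [int(d) for cls, d in pairs if cls == candidates[0]]


def solve_by_stylesheet(html, stylesheets=STYLESHEETS):
    """Break 2: the <link> tells the bot which stylesheet is in use; fetch it
    and read off which class is red.  The dict stands in for an HTTP GET."""
    href = re.search(r'href="([^"]+)"', html).group(1)
    red_class = re.search(r'\.(\w+)\s*\{\s*color:\s*red\b', stylesheets[href]).group(1)
    return [int(d) for cls, d in TAG_RE.findall(html) if cls == red_class]


if __name__ == "__main__":
    page, sess = make_challenge(seed=2006)
    print("server expects :", expected_answer(sess))
    print("counting bot   :", solve_by_counting(page))
    print("stylesheet bot :", solve_by_stylesheet(page))
```

The point the code makes is that the only secret is the session, and the page hands the bot everything needed to reconstruct it: the class frequencies leak the red class without touching the CSS at all, and the <link> leaks it outright. Neither solver needs to render anything, so bolding instead of colouring, or hiding with display:none, changes nothing for the bot. The example does not cover the rate limiting Gordon mentions; that is a separate control.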

                    • Joe Molloy

                      #11
                      Re: Poor man's captcha: why wouldn't this work?

                      The blind can't build boats - I have to disagree my friend -


                      Joe

                      "pittendrig h" <Sandy.Pittendr igh@gmail.comwr ote in message
                      news:1158712064 .952149.317310@ k70g2000cwa.goo glegroups.com.. .
                      > [original proposal quoted in full; see the first post]


                      • treehousetim@gmail.com

                        #12
                        Re: Poor man's captcha: why wouldn't this work?

                        I have made a CAPTCHA that requires no GD library, TrueType fonts or
                        database.

                        see an example of it by visiting:


                        - Tim

                        Jerry Stuckle wrote:
                        > There are any number of them around. You might try www.hotscripts.com
                        > for a start. Also www.freshmeat.com, www.phpclasses.org...
                        >
                        > Just searching google for
                        >
                        > captcha php
                        >
                        > came up with most of the above (except hotscripts) and more on the first
                        > page. Most with usable code. But you generally have to have the gd
                        > libs installed and running properly for any captcha to work.


                        • arclight

                          #13
                          Re: Poor man's captcha: why wouldn't this work?


                          Klaus Brune wrote:
                          > I've always thought that the whole use of graphics images could be
                          > avoided completely, and even keep text-readers for the blind happy, with
                          > something like this...
                          <snip>

                          I've written an accessible captcha system, which asks random multiple
                          choice questions. It's available under the GPL with all PHP source code


