RubyForge has been slow today because...

Markus

Here's my 9 Colons (that would be two cents--but my heart is still
in Costa Rica):

Multiple small, partial fixes will work better than one
uber-defense, especially if they are complementary. The problem with
fix-it-for-all-time monoliths is that if they fall you are back to
square one. If there are lots of little things each of which is
different it is easier for the good guys (more modular) and harder for
the bad guys (make _them_ play whack-a-mole for a change).

-- Markus


Austin said:
Jamis,

What did you use to do that captcha? That captcha I might actually
support using; I just don't want to do an image-based captcha because
of accessibility issues.

-austin

Just Ruby. In my blog-comments.rb file, I've got a method 'captcha' that
returns the captcha block as HTML, expecting to be wrapped in a form:

require 'digest/md5'
require 'cgi'

def captcha
  # Characters chosen to avoid look-alikes such as 0/O, 1/l and c/C.
  # The parentheses matter: the whole concatenated string is split,
  # not just the last literal.
  source = ("23456789abdefghijkmnpqr" +
            "stuvwxyzABDEFGHJKLMNPQR" +
            "STUVWXYZ!?%\#@&*:\"<>").split(//)
  source = source.sort_by { rand }
  chars = (1..10).collect { source.shift }

  # The checksum is over the string the user is expected to type.
  string = chars.join
  md5hash = Digest::MD5.hexdigest( string )

  # Show the characters reversed; escape them so "<", ">" and "&" render as text.
  captcha_string = chars.reverse.collect { |i|
    "<span>#{CGI.escapeHTML(i)}</span> " }.join

  <<-EOF
  <p>
  Type the following characters <strong>in reverse
  order</strong> into the text box. Spaces are optional.
  </p>
  <div class="captcha">
  #{captcha_string}
  </div>
  <input type="hidden" name="checksum" value="#{md5hash}" />
  What characters did you see:
  <input type="text" name="captcha" value="" />
  EOF
end

Then, when the form is submitted, I call 'validate_captcha':

def validate_captcha
  checksum = @session['checksum']
  captcha = @session['captcha']
  # Spaces are optional, so strip them before hashing, matching what was
  # hashed when the form was built. to_s guards against a missing field.
  sum = Digest::MD5.hexdigest( captcha.to_s.gsub(/\s/,"") )

  sum == checksum
end

If this returns true, they entered the captcha string correctly. Like I
said, it's pretty simple, and easily circumvented, but it's worked well
for me so far.

(The above code is in the public domain, so do with it as you will.)
 
Austin Ziegler

Someone in the Blosxom community added CAPTCHA support to Blosxom using
figlet, which is a unix program to draw letters in ascii art. It worked
pretty well. You might be able to adapt the Perl code that does it to
your needs. The URL is http://varg.dyndns.org/psi/pub/code/misc/wbcaptcha.html

Mmm. Neat idea, but problems:

1) Requires figlet. This kills it, because Ruwiki must be able to run
without any problem without requiring something like figlet. However,
when I get a captcha-preauth setup finalised in Ruwiki, I will make it
so that people who want that can implement it themselves.

2) Requires fixed font display. This also means that screenreaders
can't see it reliably, either. I'd prefer something purely text-based,
which is why I asked Jamis what he was doing for that.

-austin
 
trans. (T. Onoma)

On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
|
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.

There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

And a poor man's captcha is hardly a defense at all.

T.
 
Peter Hickman

trans. (T. Onoma) said:
On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
|
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.

There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

And a poor man's captcha is hardly a defense at all.

T.

I realise that this has probably been said before but the worst spam on
a wiki / blog that I have seen has added a large number of links to a
page to just a handful of sites. This has got to be atypical user
behaviour (who wants to create a large page with loads of links).
Couldn't this be a metric for spamming?
 
trans. (T. Onoma)

On Monday 25 October 2004 12:07 pm, Peter Hickman wrote:
| I realise that this has probably been said before but the worst spam on
| a wiki / blog that I have seen has added a large number of links to a
| page to just a handful of sites. This has got to be atypical user
| behaviour (who wants to create a large page with loads of links).
| Couldn't this be a metric for spamming?

A spammer could just hit the site multiple times adding one link at a time.

T.
 
Markus

On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
|
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.

There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

Think creatively. You could fairly easily come up with a text
based captcha system that was screen reader friendly and had no external
dependencies. For example test riddles / story problems that would be
dirt simple for a human but next to impossible for a program "in the
general case" could be rather easily generated in pure ruby.

For example:

Three things that go "quack" landed in a circular pond
that was 10 meters across. They found fourteen early shoes
and each of them ate as many as he wanted. How many shoes
were left?

Most humans could get this on their first try, but I'd hate to have to
write a bot to do it. The key is to build up from a small set of parts
such that recognising what is expected is not doable from looking at the
parts (for example, the last line could have (randomly) been "how many
ducks were there?" or "how many pairs were there?" or "how many did they
eat?" or "how far were they (at most) from the shore?" or "what word
doesn't belong?" or ...)

And a poor man's captcha is hardly a defense at all.

I don't think so. It's like the story of the two campers who see a
bear*; we don't need to be impenetrable, just more trouble than it's
worth, so they'll go elsewhere.

-- Markus

* One of the campers takes off running, and the other quickly follows.
So does the bear. The second camper calls out "I don't think this was
such a good idea; we'll never outrun that bear." To which, the first
responds, "I don't need to outrun the bear, I just need to outrun you."
 
Hal Fulton

Jamis said:
ASCII art will still suffer from accessibility issues, since a screen
reader will not be able to read the ASCII art in any intelligible way to
the user. :( However, it is an ingenious approach...I'm tempted to look
into that, JFTHOI.

Some sound-savvy person could write a routine to turn a string into a
sound file via text-to-speech. Then the visually impaired could click
on a link and have the text read to them.

Overkill for us perhaps, but it's been done.


Hal
 
Austin Ziegler

On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.
There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

And a poor man's captcha is hardly a defense at all.

That's not true.

The defence is in the wide variability available. Specifically, while
Jamis' instructions might be "type the following string in reverse:
foo" (where foo is randomly generated), my instructions might be "type
the first and last characters of the following string: foo".

Jamis can also change his captcha instructions and examination very
quickly and easily without unduly inconveniencing his users. If he
encrypts the captcha as a parameter using a key known only to his
installation, then it's not even something that is even visible to a
spammer, ultimately.

-austin
 
Austin Ziegler

figlet + ImageMagick to twist the letters around just a little would work
great.

Again -- two external dependencies I don't want to introduce for my
Ruby-only wiki.

-austin
 
Markus

Some sound-savvy person could write a routine to turn a string into a
sound file via text-to-speech. Then the visually impaired could click
on a link and have the text read to them.

Overkill for us perhaps, but it's been done.

An add-on to my privious thought: random phonetic speling mistakes
in the puzles would not hindder a humen nearly as much as they woud a
bott--even if the human was useing a text-too-speach tool.

-- Markus

P.S. Although I suspect the technique should be used sparingly for
aesthetic reasons.
 
Markus

That's not true.

The defence is in the wide variability available. Specifically, while
Jamis' instructions might be "type the following string in reverse:
foo" (where foo is randomly generated), my instructions might be "type
the first and last characters of the following string: foo".

Jamis can also change his captcha instructions and examination very
quickly and easily without unduly inconveniencing his users.

Ah ha! Here's an idea:

Step one. Define an internal plug-in interface, such that any
member of a pool of captchinos can be called upon in its hour of need.
When called, they must provide the text of a randomly generated
readable-text captcha challenge, and a function that will judge
attempted responses. The interface could be dirt simple; in fact, this
paragraph is close to half way there.

Step two: propose writing a captchino as the ruby quiz some week
(with the clear statement that this is the purpose).

Step three: Collect the best of the submissions, & there you go.

-- Markus
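Markus's step one, as an added example that is not his code or any project's: a pool of "captchino" plug-ins sharing one interface (a `generate` method that returns the readable challenge text plus a judge lambda), with the reverse-string, first-and-last and story-problem variants from this thread as members. All names are assumed.

```ruby
Challenge = Struct.new(:text, :judge)   # what every captchino hands back

module Captchino
  PLUGINS = []
  LETTERS = ('a'..'z').to_a

  def self.register(plugin)
    PLUGINS << plugin
  end

  # Any member of the pool can be called upon: pick one and generate.
  def self.challenge(rng = Random.new)
    PLUGINS[rng.rand(PLUGINS.size)].generate(rng)
  end

  # Responses are compared case-insensitively, ignoring spaces and punctuation.
  def self.normalize(response)
    response.to_s.downcase.gsub(/[^a-z0-9]/, '')
  end

  # Jamis's instructions: type the string in reverse.
  module Reverse
    def self.generate(rng)
      shown = Array.new(6) { LETTERS[rng.rand(LETTERS.size)] }.join
      Challenge.new("Type these characters in reverse order: #{shown}",
                    ->(r) { Captchino.normalize(r) == shown.reverse })
    end
  end

  # Austin's variant: type the first and last characters.
  module FirstLast
    def self.generate(rng)
      shown = Array.new(6) { LETTERS[rng.rand(LETTERS.size)] }.join
      Challenge.new("Type the first and last characters of: #{shown}",
                    ->(r) { Captchino.normalize(r) == shown[0] + shown[-1] })
    end
  end

  # Markus's story problem, assembled from parts so the final question varies.
  module Story
    WORDS = %w[two three four five six seven eight nine].freeze
    def self.generate(rng)
      ducks, shoes = WORDS[rng.rand(WORDS.size)], WORDS[rng.rand(WORDS.size)]
      questions = [["How many ducks were there?", ducks],
                   ["How many shoes did they find?", shoes],
                   ["How many shoes were left?", shoes]]   # ducks do not eat shoes
      question, answer = questions[rng.rand(questions.size)]
      text = "#{ducks.capitalize} things that go \"quack\" landed in a pond. " \
             "They found #{shoes} shoes and each ate as many as it wanted. #{question}"
      digits = (WORDS.index(answer) + 2).to_s   # accept "3" as well as "three"
      Challenge.new(text, ->(r) { [answer, digits].include?(Captchino.normalize(r)) })
    end
  end

  register Reverse
  register FirstLast
  register Story
end
```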
 
David G. Andersen

On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
|
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.

There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

And a poor man's captcha is hardly a defense at all.

If it's effective, it's a great defense. You're falling prey
to "the perfect is the enemy of the good" -- while you're sitting
around worrying about an attacker one-upping a simple captcha
system, the RubyGarden webpages are being turned into an utterly
useless cesspool of spam. This discussion has been going on
for literally months, during which the majority of the updates
to RubyGarden look like:

(diff) JavaWorld 12:47 pm (8 changes) [restore from spam] . . . . . ChrisHulan
(diff) JEdit 12:46 pm (3 changes) [restore from spam] . . . . . ChrisHulan
(diff) JEditExtensions 12:45 pm (3 changes) [restore from spam] . . . . . ChrisHulan
(diff) OldHomePage 12:44 pm (3 changes) [restore from spam] . . . . . ChrisHulan
(diff) ZeusForWindows 12:44 pm (3 changes) [restore from spam] . . . . . ChrisHulan

http://www.rubygarden.org/ruby?RecentChanges

Throw in a simple captcha. If it works, great. If it doesn't,
then go with something stronger. This is not rocket science, it's
a bloody car alarm -- make the other guy's website an easier
target and they'll go away rather than waste the time to try to
figure out how to automatically work around the RubyGarden captcha.
Most wiki spam is crawler-based and automated; they're not going
to adapt to one annoying website that wants a captcha. Jamis's
captcha fills this space admirably. Easy to implement. The
only thing I might change with it is using a keyed MD5 digest
(or a poor-man's keyed MD5 digest -- prepend a local key to
the string you feed into md5) instead of a plain MD5:

mylocalkey = "MyLocalKey,Yo"
string = chars.join
md5hash = Digest::MD5.hexdigest( mylocalkey + string )

...

sum = Digest::MD5.hexdigest( mylocalkey + captcha.gsub(/\s/, "") )

On the presumption that others will reuse this code and change it
slightly; can't hurt to remove one easily scripted hack. :)

-Dave
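Dave's keyed-digest suggestion applied to Jamis's stateless challenge, as an added example that is not Jamis's or Dave's code: the hidden checksum is an HMAC under a per-installation secret (the `secret_key` argument is assumed), substituted here for the prepend-a-key-to-MD5 construction Dave sketches, so that the checksum cannot be recomputed from the form contents alone.

```ruby
require 'openssl'
require 'securerandom'

# Added example: reversed-string captcha whose hidden checksum is keyed.
class KeyedCaptcha
  # Same look-alike-free alphabet idea as Jamis's captcha (punctuation omitted).
  ALPHABET = "23456789abdefghijkmnpqrstuvwxyzABDEFGHJKLMNPQRSTUVWXYZ".chars.freeze

  def initialize(secret_key)
    @secret_key = secret_key   # assumed: a secret known only to this installation
  end

  # Returns [shown_string, checksum]. The form displays shown_string and carries
  # checksum in a hidden field; the user must type the characters in reverse.
  def challenge(length = 10)
    shown = Array.new(length) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
    [shown, checksum_for(shown.reverse)]
  end

  # Spaces are optional, as in Jamis's validate_captcha, so strip them before
  # hashing. Anything not produced under this installation's key is rejected.
  def valid?(answer, checksum)
    secure_equal?(checksum_for(answer.to_s.gsub(/\s/, '')), checksum.to_s)
  end

  private

  def checksum_for(expected_answer)
    OpenSSL::HMAC.hexdigest('SHA256', @secret_key, expected_answer)
  end

  # Constant-time comparison of two hex digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```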
 
trans. (T. Onoma)

random phonetic speling mistakes
| in the puzles would not hindder a humen nearly as much as they woud a
| bott--even if the human was useing a text-too-speach tool.
|
| -- Markus

Oo oo! I may have just the thing! [Tom reaches into his big bag of tricks and
pulls out...]

class String
  # Scramble the inner characters of words leaving the text still readable
  # (research at Cambridge University, code by KurtDresner)
  #
  # -eg.
  #
  # Srblamce the iennr cchrteaars of wodrs lvenaig the txet stlil rbeaadle
  # (rreceash at Cbamigdre Uverintisy, cdoe by KrneruestDr?)
  #
  def dresner
    # \B\w+\B matches the inside of each word (first and last letters stay put);
    # the block must return a String, so join the shuffled characters back up.
    self.gsub(/\B\w+\B/) { $&.split(//).sort_by { rand }.join }
  end
  # In place #dresner method.
  def dresner!
    self.replace(dresner)
  end
end

How's that for creative?

Thanks Markus,
T.
 
mark sparshatt

trans. (T. Onoma) said:
random phonetic speling mistakes
| in the puzles would not hindder a humen nearly as much as they woud a
| bott--even if the human was useing a text-too-speach tool.
|
| -- Markus

Oo oo! I may have just the thing! [Tom reaches into his big bag of tricks and
pulls out...]

class String
  # Scramble the inner characters of words leaving the text still readable
  # (research at Cambridge University, code by KurtDresner)
  #
  # -eg.
  #
  # Srblamce the iennr cchrteaars of wodrs lvenaig the txet stlil rbeaadle
  # (rreceash at Cbamigdre Uverintisy, cdoe by KrneruestDr?)
  #
  def dresner
    # \B\w+\B matches the inside of each word (first and last letters stay put);
    # the block must return a String, so join the shuffled characters back up.
    self.gsub(/\B\w+\B/) { $&.split(//).sort_by { rand }.join }
  end
  # In place #dresner method.
  def dresner!
    self.replace(dresner)
  end
end

How's that for creative?

It's very creative but anyone using a screen reader would be stumped and
since accessibility was the whole reason for using a text captcha I'm
not sure this idea would work.
 
trans. (T. Onoma)

54:57AM +0900, trans. (T. Onoma) scribed:
| > On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
| > | ASCII art will still suffer from accessibility issues, since a screen
| > | reader will not be able to read the ASCII art in any intelligible way
| > | to the user. :( However, it is an ingenious approach...I'm tempted to
| > | look into that, JFTHOI.
| >
| > There is no way to do otherwise for a captcha system. How would a blind
| > person ever be able to use a captcha system?
| >
| > And a poor man's captcha is hardly a defense at all.
|
| If it's effective, it's a great defense. You're falling prey
| to "the perfect is the enemy of the good" -- while you're sitting
| around worrying about an attacker one-upping a simple captcha
| system, the RubyGarden webpages are being turned into an utterly
| useless cesspool of spam. This discussion has been going on
| for literally months, during which the majority of the updates
| to RubyGarden look like:

No no. You misunderstand me. I fully agree. I have already offered to do it
myself, in fact. But if I'm doing it, I may as well go ahead and do something
that I know will hold the fort --it's not that much more trouble. I fear
Garden has some intent spammers. I looked at this poor man's captcha system
and it can be hacked in about 3 seconds. So something better is needed. No
sense in doing something twice when it can be done the first time.

But like I said, I don't know what the hold up is either. There are a couple
of clear choices that will help lots --even full moderation would be better
than the current situation.

T.
 
Curt Hibbs

trans. (T. Onoma) wrote
No no. You misunderstand me. I fully agree. I have already offered to do it
myself, in fact. But if I'm doing it, I may as well go ahead and do something
that I know will hold the fort --it's not that much more trouble. I fear
Garden has some intent spammers. I looked at this poor man's captcha system
and it can be hacked in about 3 seconds. So something better is needed. No
sense in doing something twice when it can be done the first time.

But like I said, I don't know what the hold up is either. There are a couple
of clear choices that will help lots --even full moderation would be better
than the current situation.

If I'm not mistaken, RubyGarden is a UseMod wiki. If so I would recommend getting Jim Weirich's UseMod patch that simply rejects external links with a lower-case http (i.e., requires HTTP://<some-url-here>).

Since Jim already did the development work, it could be up and working in less than an hour and it will put an immediate stop to the spam (it has on my 5 RubyForge wikis). It may not last forever, but it will certainly stop the spam long enough to get something else in place.

If you want to see it in action go here and try inserting a lowercase url:

http://installer.rubyforge.org/

Curt

PS
I guess you can't try the above link at this very moment, as RubyForge is giving me server errors. I'll let Tom know about this... you can try it later.
 
James Edward Gray II

Most humans could get this on their first try, but I'd hate to have to
write a bot to do it.

Sounds like a joyous Ruby Quiz to me... :D

James Edward Gray II
 
Mark Hubbart

On Monday 25 October 2004 11:35 am, Jamis Buck wrote:
|
| ASCII art will still suffer from accessibility issues, since a screen
| reader will not be able to read the ASCII art in any intelligible way to
| the user. :( However, it is an ingenious approach...I'm tempted to look
| into that, JFTHOI.

There is no way to do otherwise for a captcha system. How would a blind person
ever be able to use a captcha system?

http://mookitty.co.uk/devblog/archives/2004/06/01/captchas-for-the-blind/

This is a simple captcha system that works for both blind and sighted
people. It got good reviews from the blind people who tried it; it was
said that it worked much better than audio versions.

a simple implementation (warning - untested):

class AccessibleCaptcha
  attr_reader :string, :instructions
  def initialize
    # Digits and letters that are hard to confuse when read aloud or seen
    # (no 0/1/2, no I or O).
    char_bank = [*("3".."9"), *("A".."H"), *("J".."N"), *("P".."Z")]
    @string = ""
    8.times { @string << char_bank[rand(char_bank.size)] }
    # Each entry pairs the instruction shown to the user with the gsub
    # arguments that compute the expected answer from @string.
    obfuscations = {
      "remove all letters" => [/[a-z]/i, ""],
      "remove all numbers" => [/\d/, ""]
    }
    @instructions, @gsub_args = obfuscations.sort_by { rand }.first
  end
  # True when the response equals @string with the chosen rule applied.
  def valid?(str)
    @string.gsub(*@gsub_args) == str.to_s
  end
end

Adding more obfuscation methods would make it more robust, but for
simple jobs, I think this could work nicely.

cheers,
Mark
 
gabriele renzi

Markus ha scritto:
Think creatively. You could fairly easily come up with a text
based captcha system that was screen reader friendly and had no external
dependencies. For example test riddles / story problems that would be
dirt simple for a human but next to impossible for a program "in the
general case" could be rather easily generated in pure ruby.

For example:

Three things that go "quack" landed in a circular pond
that was 10 meters across. They found fourteen early shoes
and each of them ate as many as he wanted. How many shoes
were left?

imho they could be even simpler, just have an array of question/answer
things like
"enter 2 plus 2" "4"
"the color of a white horse" "white"
"4 letters, Read The Fricking Manual" "RTFM"
"the thing after 1 and 2 " "3"
no standard way for a bot to guess, and totally dumb for a user


I don't think so. It's like the story of the two campers who see a
bear*; we don't need to be impenetrable, just more trouble than it's
worth, so they'll go elsewhere.

-- Markus

* One of the campers takes off running, and the other quickly follows.
So does the bear. The second camper calls out "I don't think this was
such a good idea; we'll never outrun that bear." To which, the first
responds, "I don't need to outrun the bear, I just need to outrun you."

I recall a t-shirt over thinkgeek that was "if you're with a halfling
and a dragon, remember, you don't have to outrun the dragon, you have to
outrun the halfling" :)
 
