/aiCaptcha aftermath
Sat, 12 Feb 2005 19:11:04 GMT

so i finally looked around last night to see what damage was done (since i was unplugged the last couple weeks). the 1st thing i noticed is that the article seems to have received more links than anything else i've done, in a short period of time. no, i'm not counting the comment spam links. blog posts were over 90% positive. there were some negative blog posts, but it was more likely that a negative response was a comment to a positive blog post. this was a surprise because i generally think people do a lot of bitching in their blogs. or maybe that's just me? on the other hand, email responses were not so nice. the initial 24 hour email assault was mostly negative. after that 1st day ended, the email coming in has been positive.

the nature of the emails has been really interesting. a lot of them have been from people that have written CAPTCHA implementations. so they want my code to test their own stuff. my code is definitely not good for that purpose because i wrote it targeted for a specific implementation ... but it does raise some questions. how exactly are you supposed to unit test your CAPTCHA? the next group of emails that i have received are from the AI crew of people that are writing their own programs to do machine vision. some of them are even writing their own programs to beat CAPTCHA. one of them is even writing his own program to beat his own CAPTCHA implementation! which turns into a cat and mouse routine. write CAPTCHA, beat it, improve CAPTCHA, beat it, ... sounds like fun. and the odd part is that it brought people to my site that had never seen it before. out of the new visitors, they were mostly interested in the /barCode article. there are a lot of articles about generating barcodes, but pretty much nothing when it comes to reading them.

my current feeling is that a CAPTCHA implementation should offer numerous ways of obscuring the characters. then a blog owner (not the blog engine administrator) should just go down a checklist and choose some small # of those techniques to use when generating images for his blog. each blog that used the CAPTCHA would use their own unique combination of techniques. so even if they are on the same engine, then their images would be radically different. in this manner, every blog on the same site might not be vulnerable to the same attack. if somebody did write a bot to beat the way a blog had theirs configured, then the blog owner could just go and change that configuration to something new. at least until the bot could be made to beat that as well. i do not like the technique of CAPTCHA engines randomly choosing how to render the image each time. because the bot just has to keep trying, and eventually it will be served up an image that it can handle. e.g. my bot can beat a small percentage of the images that gimpy renders. instead, i think each individual blog should use some unique configuration until broken ... and then they just reconfigure.
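
The design argument above, worked through as a small model. This is an added example, not code from the original post or from any CAPTCHA engine; the technique names, the checklist size, and the rule that a bot reads an image only when it handles every technique in it are all assumptions made for illustration.

```python
from itertools import combinations
from fractions import Fraction

# Hypothetical checklist of obscuring techniques (names are constructed).
TECHNIQUES = ["warp", "noise_lines", "bg_texture", "rotate",
              "overlap", "multi_font", "color_shift", "blur"]
K = 3  # how many techniques a blog owner picks from the checklist

def configs(k=K):
    """Every k-technique configuration an owner could choose."""
    return [frozenset(c) for c in combinations(TECHNIQUES, k)]

def bot_solves(config, bot_handles):
    """Model: the bot reads an image only if it handles every technique used."""
    return config <= bot_handles

def fixed_config_break_rate(bot_handles):
    """Each blog keeps one configuration, so retrying does not help: only
    blogs whose whole configuration the bot handles are exposed
    (owners are assumed to choose uniformly from the checklist)."""
    all_cfg = configs()
    return Fraction(sum(bot_solves(c, bot_handles) for c in all_cfg), len(all_cfg))

def random_engine_break_rate(bot_handles, attempts):
    """Engine picks a fresh random configuration per image: each retry is a
    new draw, so this is the chance of a readable image on ANY blog."""
    p = fixed_config_break_rate(bot_handles)
    return 1 - (1 - p) ** attempts

def reconfigure(broken_config, bot_handles):
    """Owner response after a break: move to a configuration the current bot
    cannot read (the model knows bot_handles; a real owner finds it by trial)."""
    for c in configs():
        if c != broken_config and not bot_solves(c, bot_handles):
            return c
    return None

if __name__ == "__main__":
    bot = frozenset({"warp", "noise_lines", "rotate", "blur"})
    print("random per image, 100 tries:", float(random_engine_break_rate(bot, 100)))
    print("fixed per blog, any # tries:", float(fixed_config_break_rate(bot)))
    print("new config:", sorted(reconfigure(frozenset({"warp", "rotate", "blur"}), bot)))
```

With these numbers a bot that handles 4 of the 8 techniques gets through on 1 blog in 14 under fixed per-blog configurations, however often it retries, while under per-image random rendering 100 retries succeed on essentially every blog.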