Mailing List Archive



Re: [tlug] CAPTCHA on keitai



Curt Sampson writes:

 > > (1) As (dark-side) hackers, they take pride in their dirty deeds done
 > > dirt cheap.  They'll do this for hate, not money.
 > 
 > Do you have any evidence for this point?

Not for captchas, no.

 > Let me present some to the contrary. According to Jeff Atwood:

 >     The comment form of my blog is protected by what I refer to as
 >     "naive CAPTCHA", where the CAPTCHA term is the same every single
 >     time. This has to be the most ineffective CAPTCHA of all time, and
 >     yet it stops 99.9% of comment spam.

Are you seriously claiming this is evidence for anything?

I wouldn't be surprised if a captcha like this one:

<form action="login.cgi">
Please type the word "captcha": <input type="text" name="captcha" value="gotcha" />
<input type="submit" value="Post" />
</form>

worked just as well.

 > As another anecdote, ever since I switched the software on the
 > keitai-dev wiki from Meatball Wiki to something much less common,

Are you seriously arguing that because security through obscurity
works in the short run, it's worth very much effort?  (BTW, what is
Meatball Wiki?  At first I thought it was supposed to be a take off on
"Media Wiki", but it doesn't seem to be the case.)

 > > (2) My main point is that it's unlikely that the standard is all that
 > > standard that deviating from it in a "significant" way is all that
 > > easy.  Remember our side is fairly constrained in how we can hide
 > > stuff, because our users have to be able to see it.
 > 
 > Not at all. For example, you can freely change the names of your form
 > input fields to anything you like; your users never see those (except
 > perhaps in the URL of a GET request). That one change alone may well
 > stop a program, if few enough other people are doing it that they've
 > not bothered to try and work out some automated way of dealing with new
 > field names.

Why is any hacker with half a brain going to be looking for a field
name?  They just look for a type="text" INPUT element in a form
containing an IMG element.  That's probably halfway there.

 > They're not; they've all been beaten.

Really?  I've never heard an audio captcha, nor have I seen one that
asks for a picture of a common object, rather than distorted text, to
be identified.

 > If the common spam-sending programs are not defeating them, it's
 > merely because they're not widely enough used to make it
 > worthwhile.
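The structural search described in the reply (find a text INPUT inside a FORM that also contains an IMG, and ignore the field names entirely) as an added, runnable example; it is not code from the thread or from any spam tool, and the three forms in SAMPLE_HTML, their actions and their obfuscated field names are constructed for the illustration:

```python
"""Locate CAPTCHA-style forms by structure rather than by field name.

Added example, not from the mailing-list thread. It makes the point that
renaming form fields does not hide a CAPTCHA from a bot that looks for a
<form> containing both an <img> and a text <input>. All HTML below is
constructed for the example; the field names are deliberately meaningless.
"""
from html.parser import HTMLParser


class FormScanner(HTMLParser):
    """Collect, per <form>, its action, its <img> sources and its text inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "images": [], "text_inputs": []}
        elif self._current is not None:
            if tag == "img":
                self._current["images"].append(a.get("src", ""))
            # An <input> without a type attribute defaults to type="text".
            elif tag == "input" and (a.get("type") or "text").lower() == "text":
                self._current["text_inputs"].append(
                    (a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_captcha_forms(html):
    """Return every form that has at least one <img> and one text <input>.

    This is the coarse heuristic from the thread: it never looks at a
    field name, so renaming fields does nothing against it.
    """
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.forms if f["images"] and f["text_inputs"]]


# Constructed sample page: a login form (no image), a comment form whose
# field names were obfuscated, and a search form with a decorative logo.
SAMPLE_HTML = """
<form action="/login.cgi" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/comment.cgi" method="post">
  <textarea name="q8x1z"></textarea>
  <img src="/verify.png" alt="">
  Type the letters: <input type="text" name="k2j7m" />
  <input type="submit" value="Post">
</form>
<form action="/search.cgi">
  <img src="/logo.png" alt="site logo">
  <input type="text" name="q">
</form>
"""


def captcha_targets(html=SAMPLE_HTML):
    """Map each candidate form's action to the (name, value) pairs of its text inputs."""
    return {f["action"]: f["text_inputs"] for f in find_captcha_forms(html)}


if __name__ == "__main__":
    for action, inputs in captcha_targets().items():
        print(action, "->", inputs)
```

Run against the sample, the scanner skips the login form and picks out the comment form even though its field is named `k2j7m`; it also flags the search form because of its logo image, which shows the heuristic over-matches. For a bot that is the cheap part: submitting a guess to one extra form costs nothing, while the site cannot hide its CAPTCHA image from the user without hiding it from the bot too.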


