Wednesday, November 15, 2006

Bespoke Captcha

Being the half-hearted fashion snob that I am, I read a few blogs by European bespoke tailors. While I can neither afford their services nor make any constructive comments about their posts, I do feel somewhat comfortable with saying that bespoke security measures are, by definition, a failure.

Let's examine the source for confirmation:

<input type='text' name='submit_random_code_disable' style='width:100%' value='CqDI' disabled>
</td><input type='hidden' name='submit_random_code_org' value='CqDI'></tr><tr>
<td>Random Code Verification</td><td>
<input type=text name='submit_random_code_verify' style='width:100%'>

Excuse me while I go home and hand sew a floating canvas in my RTW coat.
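
The form above ships the expected code to the browser in its own fields. As an added example (not code from the original post or from the site it quotes), here is the usual correction: the answer stays on the server and the form carries only an opaque, single-use id. The field names captcha_id and captcha_answer, the /captcha/ image path and the in-memory store are assumptions made for the demo.

```python
import hmac
import secrets
import time

TTL_SECONDS = 300
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike characters
_pending = {}  # challenge_id -> (answer, expiry); assumption: in-memory demo store


def issue_challenge(now=None):
    """Create a challenge and return (challenge_id, answer).

    Only challenge_id goes into the form. The answer is rendered server-side
    as a distorted image and never appears in the markup.
    """
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    _pending[challenge_id] = (answer, now + TTL_SECONDS)
    return challenge_id, answer


def verify(challenge_id, submitted, now=None):
    """Check a submission. A challenge is consumed on first use, pass or fail."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)  # single use: no replay, one guess
    if entry is None:
        return False
    answer, expiry = entry
    if now > expiry:
        return False
    guess = submitted.strip().lower().encode()
    return hmac.compare_digest(guess, answer.encode())


def render_form(challenge_id):
    """Form markup: the hidden field holds an opaque id, not the answer."""
    return (
        f"<input type='hidden' name='captcha_id' value='{challenge_id}'>"
        f"<img src='/captcha/{challenge_id}.png' alt='verification code'>"
        "<input type='text' name='captcha_answer'>"
    )
```
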


Anonymous said...

That's a pretty lousy CAPTCHA. But if you look at it from a spammer's point of view, it might be "good enough".

A spammer's bot would have to fail at posting, he'd have to look at the site to see why it failed, and then he'd have to modify his bot to look for this admittedly trivial security attempt. Is this worth her time? Probably not.

In fact, it's only worth her time if she believes other blogs will also use this as a security measure.

So even this simple CAPTCHA probably does a decent job blocking most bots.

Taking this reasoning a step further, if each blog does something different, automating the CAPTCHA hacking process will be that much more difficult for your average spammer, who won't have the time to customize his bot for each little CAPTCHA variation. This would also work well for bots that mutate in response to different CAPTCHAs, in the same way that viruses mutate in response to natural variation.

And in case any bots are reading this: zfhllagh. That's my CAPTCHA answer for this comment.

Nice blog.


12:07 PM  
