the_dan wrote:
From what I could read on that website, it should be fairly easy to defeat the detection mechanism by changing the colours for each letter, rotating them, and maybe altering their transparency?
And then someone just tweaks the adversary code a little bit to understand alternating colors and rotations. Transparencies? ...depends on how you do it.
(I <3 the "posts since i started posting" feature)
(what's a soupbox?)
code reader wrote:
[soupbox="mount"]
the same piece of logic goes for the captcha.
No, no it doesn't.
1) by choosing a live project, which keeps on improving, you get a "free ride": whenever they add something to improve performance, functionality or security, your project can assimilate the advantage with very little effort.
One of the core reasons why phpbb is under a lot of criticism right now is because people see it to be a big security hole. The biggest problem we encounter, however, is not people getting attacked using the latest version of phpbb, but people using earlier versions. Getting a "free ride" isn't going to help when people don't upgrade anyway.
2) this way, you "support" another open-source project, and help make it a standard.
Just because a project is open source does not imply it should become standard. "Open source" does by no means imply "standards-quality code", even if it is (or a significant portion of teh intarweb thinks it is) the best thing out there. I don't mean to rag on Wordpress, but I think it's a good example of this concept.
3) any security issue with this part of the code stands a good chance of being discovered earlier, and handled quicker by a team dedicated to this part.
This doesn't help your argument at all.
- The issues we'll be dealing with primarily are not security, but complexity. If someone breaks the captcha, it's not because of any fault in the programming... someone just wrote a better AI to handle what got thrown at it. This isn't a bug... the programmer did nothing wrong.
- When it's open source, it's much easier to break a captcha, since the adversary programmer can look and see exactly what measures are in place to confound her, and work to circumvent them much more easily, since they can therefore make assumptions about what cases they don't have to deal with.
- When a captcha is at its peak of operability, a team of people is not guaranteed to be able to make it better. A broken captcha is not a buggy program. There is no guaranteed fix. And if the team operating it can't come up with something better, you're pretty much stuck with it.
4) save the time and effort of re-inventing something that works, and the bother of finding and solving bugs.
I'm sure any potential exploiter/spammer would look at this statement with glee. If everyone uses the same captcha, then once that captcha is broken, everyone is vulnerable.
The strength of captcha is in diversity: if someone else's captcha gets broken, I'm still safe.
phpBB has its work cut out for it in that regard. Whatever captcha phpbb ends up with, a lot of people will be using it. I look forward to seeing how phpBB will rise to this challenge =)