Friday, December 14, 2007

RAPTCHA

Well, we talked more in FGIJ about this Spam problem, and Sam made a new post proposing something he is calling RAPTCHA. It's a pretty good idea, but I'm about to head off to work so I'll leave a full write up until later on.

Spam

Sam made a post about some of the problems he's been having with spam on sites that we all use that he runs. It's caused some discussion and debate on the topic in FGIJ and elsewhere. He and I have actually debated this topic before, as early as when he taught the security courses and I was consulting with him on topics for them.

Spam, specifically website spam, seems like an almost impossible thing to prevent.

Captcha is the most common way to fight website spam today. The problem is, captcha that is easily read by humans can also be easily read by OCR technology. More complicated captchas still have software that can break them as well as potential vulnerabilities in implementation. The end result is that captcha, while looking good in theory, tends to only act as a minor barrier to determined spammers.

There are other non-image captcha solutions such as basic math ("What is 4+4?") or logic questions, but they all can be beaten by the spammers just as easily as image captchas.

One alternative is animated captchas. Here, we generate some sort of animated GIF of the captcha which makes it that much more difficult to crack. The problem is, this can be ugly (great, takes me 10 years to purge all animated GIFs from my site and now I get to add flashy ones back to fight spam) and it still isn't perfect. An animated GIF can be torn apart frame-by-frame just as easily as normal image captchas. All this does is make the entire process more resource intensive, for both the spammer and the website.

Another alternative is multiple choice logic questions as mentioned here and used here. This can be a nice alternative, and has the upside of being more accessible to the blind, but it is language centric and can still be hard for people with dyslexia (like me).

Something I found that I like is ASCII captcha, which has the benefit of still being mostly accessible (the blind will still have a hard time) while being moderately difficult to crack.

So what other options are out there? And what can we do to continue the fight against spammers?

Valgrind 3.3.0 released

I know it's a week old now, but it's news to me!

Valgrind 3.3.0 has been released.

I don't do much coding any more, but when I did, I was a big Valgrind fan.

Wednesday, December 12, 2007

Denial ain't just a river in Egypt

Sam made a good post on the problems he's encountered working from home full-time. I don't work from home, don't think I ever could, but it was an interesting read anyway. There were some comments that followed his post, mainly from someone I guess he used to work with who took offense over something Sam said. It seemed kind of silly to me, but also seemed familiar.

The issue at hand was whether or not this person had done the things Sam claimed he had (babysat his kids while he was "working from home"). It all seemed pretty silly to me, and probably seems silly to anyone who knows Sam. He's not the type of person to ever make wild allegations that aren't founded in reality. In fact, he can be quite infuriating to argue anything with as he normally has tons of evidence to back up his side... usually a lot more than anyone else. So, for him to claim something like this you naturally will assume he's not pulling made up issues out of his ass.

Anyway, this exchange caused me to search through some old IRC logs I had from a couple of years ago, and I discovered that not only was Sam correct, the person arguing the point actually said exactly what Sam said he had in IRC.

Seeing as my site is called "Tin Foil" I probably should mention something about being careful what you say in public forums like IRC because you never know when it may come back to haunt you, but I won't.

Thursday, December 6, 2007

FreeBSD 7.0 and ZFS

People who know me know that I am a longtime BSD-fan who mainly works in Linux (Gentoo) simply for hardware support and ease of install. I do dual boot FreeBSD, but use it fairly rarely any more (which makes me sad).

Well, this may all change with FreeBSD 7.0 when it finally comes out as it will ship with Sun's ZFS natively supported. I'll post more on this later on today since this is something I'm really excited for.

Testing

So it's high time I started having a blog again. Welcome to it.

For those who don't know me, I'm a pretty paranoid person. I used to work in the computer security industry, but it was too stressful and I started getting ulcers. I now work night shifts at a support call center, which many of my friends say is beneath me, but which I really like because of how low stress it is.

What you will find here are my ramblings and rants, as well as some security related stuff that I find interesting.