As far as I understand, ReCAPTCHA uses standard images... which means it simply cannot be secure. I posted about this a little while ago, but here's what I do as a spammer:
- Spam lots of people offering free porn - only catch is they have to prove they're not a bot (wouldn't want those bots to see my exclusive porn)
- When somebody clicks on my link, I immediately go to Gmail, start creating an account, and get their captcha
- I pass this captcha on to my would-be porn viewer
- And pass his answer back to Google - presto, free account
Kitten Auth and every other practical, free, unintrusive solution I have ever heard of can be broken this way as well.
Back in the day, I interned at Google on the Checkout project when it was just starting up. The opinion of their security experts on stopping bots? Only way to do it reliably at account creation time is to demand a valid credit card number or a small payment.
What I said:
Not sure if that's what he meant, but it comes across as a gratuitous insult. I just think you phrased your point badly, and that's why you got modded troll. Shrug. I wasn't the one who modded you.
Oh and if you believe gangster rap causes a lot of real-life violence, I hope you believe many video games also cause real-life violence. After all, both claims are based on the same "logic".
It's troll because it isn't politically correct. Factuality be damned. There is more than mild political incorrectness in that post.
"If you're filling your head with fantasies about rape, robbery, murder, and obscene materialism (bling bling) on a 24x7 basis, it's no wonder that you turn out violent and illiterate." Since he's talking about the wealth of black people as a whole, the implication here is that black people as a whole are likely to be violent and illiterate. Not sure if that's what he meant, but it comes across as a gratuitous insult. Which would be trolling.
And if you work 48, I'll work 56 etc. And someone will have more as a result of it. But I doubt if it will ultimately be either of us. Where in this endless competition to work more do our lives actually improve? It won't until we choose cooperation over competition. Good luck with that. If capitalism, communism, and economics have taught us anything, it is that this kind of cooperation is impossible.
Leveling in WoW is easy; getting the best equipment from raid dungeons or pvp can be very, very hard. If there were no more expansions, the vast majority of players would never be able to finish the existing content, so that's not the real problem.
No, even if you had permadeath (like that's a fun idea in an RPG that takes hundreds of hours to get through), you'd still get bored of the same old content, and want something new.
I'm a little confused by what this has to do with Google. They aren't getting hacked are they?
It sounds like other random sites are getting hacked and you can still find them on Google search. This doesn't seem too surprising, so perhaps I'm missing something?
Sorry, no. Rules like "don't use sprintf" don't produce quality or security. There is a difference between a culture of writing secure code and a culture of not writing non-secure code. The former can be successful, the latter is a constant exercise in patching and turd polishing. You are saying that good coding will not save an insecure overarching design. This is obvious. Just as obvious is the fact that bad coding will ruin a secure design.
Enforcing the use of snprintf instead of sprintf helps prevent the latter from happening. Seems obvious, no? But somehow, plenty of other companies (hello Microsoft) still have problems with this stuff.
How many buffer overrun exploits have been found in other people's software because the coders are just lazy? Google also tries to prevent this by explicit rules that everyone must follow no matter what: for example, you are not allowed to check in code using sprintf instead of snprintf.
A little thing to be sure... until you realize that it's one of many such rules, and they actually are followed.
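An added example, not part of the original comment, of what the sprintf-to-snprintf rule buys and what it still leaves to the caller: snprintf never writes past the buffer, but it returns the length the full string would have had, so truncation must be checked explicitly. The helper name `format_user` and the status enum are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the hypothetical helper below. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Format "user=<name> id=<id>" into dst (capacity cap bytes, NUL included).
 * sprintf(dst, ...) would write past dst whenever name is too long.
 * snprintf writes at most cap bytes and always NUL-terminates (cap > 0),
 * but returns the length the complete string WOULD have needed.
 */
enum fmt_status format_user(char *dst, size_t cap, const char *name, unsigned id)
{
    if (dst == NULL || cap == 0 || name == NULL)
        return FMT_ERROR;

    int n = snprintf(dst, cap, "user=%s id=%u", name, id);
    if (n < 0) {                 /* encoding/output error */
        dst[0] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)n >= cap)        /* output was cut short to fit */
        return FMT_TRUNCATED;
    return FMT_OK;
}

int main(void)
{
    char buf[16];
    /* Constructed sample inputs: one fits, one does not. */
    const char *names[] = { "al", "a_much_longer_account_name" };

    for (size_t i = 0; i < 2; i++) {
        enum fmt_status st = format_user(buf, sizeof buf, names[i], 7);
        printf("%-28s -> status=%d buf=\"%s\" (len %zu)\n",
               names[i], (int)st, buf, strlen(buf));
    }
    return 0;
}
```

A caller that ignores `FMT_TRUNCATED` has traded a memory-safety bug for a logic bug, for example a cut-off path or account name being treated as the full value.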
And now because of your evil lies, the next digitized version of A Tale of Two Cities will begin with:
"It was the best of times, it was the blurst of times."
I hope you're happy!
Because distinguishing bots from humans is an unsolved problem. Even before Captchas were broken by computers, there was an easier solution:
If you are stuck on a Captcha or equivalent, spam people, pretend the Captcha is yours, and offer free porn to anyone who solves it.
Preventing this is virtually impossible.
Perhaps. Or perhaps it brings on suggestions from security experts that will prevent viruses.