LearnWPF - continuing CAPTCHA discussions

Yesterday I updated my CAPTCHA code, however according to the websecurity.com.ua guys my “captcha still vulnerable” and I need a more reliable one. I say no I don’t, because the previous, less secure one had been quite effective up until then at preventing comment spam. Also the “proof” that is offered by the websecurity.com.ua guys is 4 test comments left in this post here. I’m somewhat suspicious of the level of automation they’re achieving because of the times that these comments were posted - they’re all between 10 and 20 seconds apart. You wouldn’t even need to be a daskeyboard wielding touch typing ninja to achieve that frequency of posting, unless my server is really, really, really slow. I will totally concede that my previous CAPTCHA implementation was “breakable” (or maybe even broken by design) - for all I know this one could also be, but I think it’s put-up-or-shut-up time for the websecurity.com.ua guys. All I’ve seen from them so far is a link to a form on my site with some pre-populated values (it looks like from the state of the form that it has just attempted an HTTP POST which has failed….funnily enough because of an invalid CAPTCHA), something I could cook up in about 30 seconds with WatiN/R, greasemonkey or whatever. I’d like to see from them one of the following:

  1. a textual description of how either the CAPTCHA can be bypassed altogether, or how the CAPTCHA value can be programmatically determined from the page/cookies/http traffic/phase of the moon/whatever - like “we take this value from the cookie your site sets, do an MD5 hash of it, salt the hash and then smoke it….”
  2. a script that will post comments to my site with no human intervention
  3. 50+ comments on a single page inside of 10 seconds, or some number that would be infeasible for a human to do, originating from a single IP address.

Unreasonable?

Comments

Douglas Stockwell
It certainly doesnt appear to be vulnerable in the method claimed…

Although, in addition to cookies, I think you made a second assumption: that the user will only comment on the most recent page that they have accessed.
14/11/2007 4:45:00 PM
JosephCooney
You are indeed correct Doug. I should have spent more time checking that. Worst case hopefully the person just has to reset the image and enter a new CAPTCHA phrase.
14/11/2007 6:45:00 PM
secretgeek
throw down that gauntlet Joe!
14/11/2007 8:25:00 PM
David H
JohnDoe X39CPR Your captcha sucks!
JohnDoe X39CPR Your captcha sucks!
JohnDoe X39CPR Your captcha sucks!
JohnDoe X39CPR Your captcha sucks!
JohnDoe X39CPR Your captcha sucks!

oh wait, my script’s not working.
14/11/2007 10:43:00 PM