I assure you I’m taking this seriously

Joseph, it is good that you taking this serious (but it can be more serious). I am glad that you improved your captcha (fix one of two vulnerabilities). And as I see you are interested (slightly, but still interested) in additional improving of your captcha. For this time only four man (including you) from participants responded me (those people who more seriously attend to security of their sites).

About fsck command. It is good that you like this system utility, but the phrase which you used in your new captcha looks provoking for me. So it’s better to not use such phrase.

In all seriousness though, posting spam to my site does annoy me a little.

Man, I was not spamming at your site. Only informed you about the hole and made some test posts to test captcha bypass methods (for 1st and 2nd versions of captcha). It’s sad to hear that my posts with alert about holes in your captcha and time which I spent to inform you was count by you as spam. From my side was no spam activity.

So before we continue to speak about your captcha you need to do the next required steps:

1. Become more serious - this mean that you must stop saying userious things about me and my site (stop blaming me in those things which I didn’t do).

2. Make excuses about blaming me as spammer - which I am not (never was occupied with such activity).

3. Remove “fsck phrase” from your new captcha.

Unreasonable?

It’s quite possible. But, Joseph, before we continue you need to do aforesaid required steps. It is better to respect other’s time.

I assure you I’m taking this seriously - otherwise why would I have taken the time to change my implementation? As for my new CAPTCHA…fsck is a unix command, I can’t imagine what you were thinking about. In all seriousness though, posting spam to my site does annoy me a little. If you’re going to do stuff like that at least expect a little push back.

1. a textual description of how either the CAPTCHA can be bypassed altogether, or how the CAPTCHA value can be programmatically determined from the page/cookies/http traffic/phase of the moon/whatever - like “we take this value from the cookie your site sets, do an MD5 hash of it, salt the hash and then smoke it….”
2. a script that will post comments to my site with no human intervention
3. 50+ comments on a single page inside of 10 seconds, or some number that would be infeasible for a human to do, originating from a single IP address.

Unreasonable?

As I looked at your new captcha and tested it, I can establish that your captcha still vulnerable.

It’s good that you remade your captcha. Main object of my project Month of Bugs in Captchas is to inform web developers and Internet community about vulnerabilities in captchas, and to push web developers to make more secure captchas (to remake current or to make new ones). So you did that you need to do. And now your captcha not vulnerable for one of two bypass method. But it’s still vulnerable.

Like I wrote in my article, your captcha is vulnerable for two methods: Guessing from URL bypass method and MustLive CAPTCHA bypass method (Advanced version). You fixed first bypassing method in you captcha, but there is the second. So the same exploit is still work (because it was made with second bypass method). As I wrote, better to use not first method (guessing), but my advanced method to hack this captcha (which shown in the exploit). And this method easily bypass your new captcha, like old one - it’s very effective method.

So you need more reliable captcha.

P.S.

Joseph if you continue to talk unserious things about me and my site (especially vulgar things, like in your new captcha), I’ll stop speaking with you - to not waste your time, nor my time. So try to be serious man.

Captcha at your site is very unsecure (it is vulnerable for two methods of bypassing as I wrote). So you and Darren need to develop new (or remade current) more secure one. In any case use only reliable captcha at your site.

It was temporary that your captcha was effective in blocking spam. Untill spammers would make solutition for your specific captcha or made advanced bot which will be bypassing all captchas with such holes. And it will not save from direct attack by bad guys. It’s vulnerability if you have no or poor anti-automation protection at your site. And I’m informing you and whole Internet community about such vulnerabilities.

Captcha doesn’t have to be very sophisticated to be effective

Captcha must be secure, to be effective (from spammers and others bad guys). As I wrote in comment, there are three types of bypassing: work force, OCR and insecure implementation (vulnerabilities). In my Month of Bugs in Captchas I’m talking only about vulnerabilities in captchas.

Besides, captcha at codinghorror.com is vulnerable for constant values bypass method (this captcha has only one value). They also need more reliable captcha.