<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MustLive Edition" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: MoBiC-08: logical CAPTCHA bypass</title>
	<link>http://websecurity.com.ua/1520/</link>
	<description></description>
	<pubDate>Thu, 09 Apr 2026 13:35:22 +0000</pubDate>
	<generator>http://wordpress.org/?v=MustLive Edition</generator>

	<item>
		<title>By: MustLive</title>
		<link>http://websecurity.com.ua/1520/#comment-79874</link>
		<pubDate>Tue, 13 Nov 2007 01:03:28 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-79874</guid>
					<description>&lt;blockquote&gt;You’re completely missing out on the real purpose of a captcha like Christian’s. It relies on the fact that no spammer is going to tailor his spamming scripts to suit one particular site with an unusual captcha.&lt;/blockquote&gt;
Dude, I'm not missing out on the real purpose of logical captchas. I understand what purposes Christian and many other people have when using this type of captcha, but I'm talking about the other side - the security side of this captcha (because security is the object of any captcha). And in the case of logical captchas security is very poor. So I'm talking about security, not accessibility, because MoBiC is a security project and it's a security site.

Accessibility and security is a double-edged sword, and people need to choose the right solution. But balance can be achieved. And independently of what you choose, you always need to attend to security. In the case of such logical captchas it's not possible, because they are insecure. Spammers can make a solution for a single site, if it's popular enough, and spammers can make a database of unusual captchas, to share their knowledge about bypassing such captchas (and in the logical type it is very easy to do). Also for spammers it's not hard to make an advanced bot which will be hacking many logical captchas by content analysis (because they are easy ones). And in case if not spammers, but other bad guys go to your site, they easily bypass your logical captcha (independently of its originality). And they'll attack your site hard with automated requests, because it's a vulnerability if you have no or poor anti-automation protection. So like I'm trying to tell you and the Internet community - attend to the security of your site.

&lt;blockquote&gt;And just to finish this off: Your captcha is vulnerable as well because human labour is cheap. And yours is dead easy to beat in software as well.&lt;/blockquote&gt;
Marco, I know that my captcha can be bypassed by a cheap work force and by OCR, but the main thing is that my version has no bypassing vulnerabilities (after I remade it). And it's still a very effective solution (which proved itself).

As I wrote at my site before and as &lt;a href="http://en.wikipedia.org/wiki/Captcha" target="_blank" rel="nofollow"&gt;Wikipedia&lt;/a&gt; says, there are three types of bypassing: human solvers (work force), computer character recognition (OCR) and insecure implementation (vulnerabilities). In my &lt;a href="/1492/" rel="nofollow"&gt;Month of Bugs in Captchas&lt;/a&gt; I'm talking only about the third type of bypassing - vulnerabilities in captchas. So you missed the main idea of my project - insecurely implemented captchas. Which can be bypassed (with my methods) more quickly and cheaply, and so more effectively, than by using a work force or OCR.

&lt;blockquote&gt;Gonna write a bulletin about that as well?&lt;/blockquote&gt;
No. I'll not write about work force and OCR methods of bypassing, only about vulnerabilities in captchas directly. Which allow bots to bypass captchas for different automated activity. The topic of insecurely implemented captchas is little known, so I'm reminding the Internet community about it.</description>
		<content:encoded><![CDATA[<blockquote><p>You’re completely missing out on the real purpose of a captcha like Christian’s. It relies on the fact that no spammer is going to tailor his spamming scripts to suit one particular site with an unusual captcha.</p></blockquote>
<p>Dude, I&#8217;m not missing out on the real purpose of logical captchas. I understand what purposes Christian and many other people have when using this type of captcha, but I&#8217;m talking about the other side - the security side of this captcha (because security is the object of any captcha). And in the case of logical captchas security is very poor. So I&#8217;m talking about security, not accessibility, because MoBiC is a security project and it&#8217;s a security site.</p>
<p>Accessibility and security is a double-edged sword, and people need to choose the right solution. But balance can be achieved. And independently of what you choose, you always need to attend to security. In the case of such logical captchas it&#8217;s not possible, because they are insecure. Spammers can make a solution for a single site, if it&#8217;s popular enough, and spammers can make a database of unusual captchas, to share their knowledge about bypassing such captchas (and in the logical type it is very easy to do). Also for spammers it&#8217;s not hard to make an advanced bot which will be hacking many logical captchas by content analysis (because they are easy ones). And in case if not spammers, but other bad guys go to your site, they easily bypass your logical captcha (independently of its originality). And they&#8217;ll attack your site hard with automated requests, because it&#8217;s a vulnerability if you have no or poor anti-automation protection. So like I&#8217;m trying to tell you and the Internet community - attend to the security of your site.</p>
<blockquote><p>And just to finish this off: Your captcha is vulnerable as well because human labour is cheap. And yours is dead easy to beat in software as well.</p></blockquote>
<p>Marco, I know that my captcha can be bypassed by a cheap work force and by OCR, but the main thing is that my version has no bypassing vulnerabilities (after I remade it). And it&#8217;s still a very effective solution (which proved itself).</p>
<p>As I wrote at my site before and as <a href="http://en.wikipedia.org/wiki/Captcha" target="_blank" rel="nofollow">Wikipedia</a> says, there are three types of bypassing: human solvers (work force), computer character recognition (OCR) and insecure implementation (vulnerabilities). In my <a href="/1492/" rel="nofollow">Month of Bugs in Captchas</a> I&#8217;m talking only about the third type of bypassing - vulnerabilities in captchas. So you missed the main idea of my project - insecurely implemented captchas. Which can be bypassed (with my methods) more quickly and cheaply, and so more effectively, than by using a work force or OCR.</p>
<blockquote><p>Gonna write a bulletin about that as well?</p></blockquote>
<p>No. I&#8217;ll not write about work force and OCR methods of bypassing, only about vulnerabilities in captchas directly. Which allow bots to bypass captchas for different automated activity. The topic of insecurely implemented captchas is little known, so I&#8217;m reminding the Internet community about it.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>By: MustLive</title>
		<link>http://websecurity.com.ua/1520/#comment-79621</link>
		<pubDate>Mon, 12 Nov 2007 21:57:43 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-79621</guid>
					<description>&lt;blockquote&gt;Do you really think anyone (including Christian) thought this ‘captcha’ is unbeatable?&lt;/blockquote&gt;
&lt;strong&gt;Marco&lt;/strong&gt;

There are many vulnerable captchas on the Internet. They are of different types: image, text and logical, but every one of them, if it has holes, can be bypassed. So I'm talking in Month of Bugs in Captchas about vulnerabilities in different captchas. Including logical ones (as I wrote in this article).

Most people think a captcha is an effective solution (different types of captchas - people like different captchas, and use various ones for different purposes, but protection is the main object of any captcha). In reality there are a lot of vulnerable captchas. Which can be bypassed by bad guys - to spam at your site and to do any automated activity. So in my project I'm opening the eyes of the Internet community (and Christian and every user of logical captchas also) to this situation.

And if you don't like any post at my site, just don't read it. No need to write dissatisfactions in comments. It's your decision.</description>
		<content:encoded><![CDATA[<blockquote><p>Do you really think anyone (including Christian) thought this ‘captcha’ is unbeatable?</p></blockquote>
<p><strong>Marco</strong></p>
<p>There are many vulnerable captchas on the Internet. They are of different types: image, text and logical, but every one of them, if it has holes, can be bypassed. So I&#8217;m talking in Month of Bugs in Captchas about vulnerabilities in different captchas. Including logical ones (as I wrote in this article).</p>
<p>Most people think a captcha is an effective solution (different types of captchas - people like different captchas, and use various ones for different purposes, but protection is the main object of any captcha). In reality there are a lot of vulnerable captchas. Which can be bypassed by bad guys - to spam at your site and to do any automated activity. So in my project I&#8217;m opening the eyes of the Internet community (and Christian and every user of logical captchas also) to this situation.</p>
<p>And if you don&#8217;t like any post at my site, just don&#8217;t read it. No need to write dissatisfactions in comments. It&#8217;s your decision.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>By: Marco</title>
		<link>http://websecurity.com.ua/1520/#comment-78792</link>
		<pubDate>Sun, 11 Nov 2007 23:40:46 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-78792</guid>
					<description>Dude, this is a retarded 'security bulletin'. Do you really think anyone (including Christian) thought this 'captcha' is unbeatable? 

You're completely missing out on the real purpose of a captcha like Christian's. It relies on the fact that no spammer is going to tailor his spamming scripts to suit one particular site with an unusual captcha. And guess what? That approach works remarkably well!

And just to finish this off: Your captcha is &lt;a href="http://www.i-marco.nl/weblog/archive/2007/10/21/are_blog_comments_dead" rel="nofollow"&gt;vulnerable as well&lt;/a&gt; because human labour is cheap. And yours is dead easy to beat in software as well.

Gonna write a bulletin about that as well?</description>
		<content:encoded><![CDATA[<p>Dude, this is a retarded &#8216;security bulletin&#8217;. Do you really think anyone (including Christian) thought this &#8216;captcha&#8217; is unbeatable?</p>
<p>You&#8217;re completely missing out on the real purpose of a captcha like Christian&#8217;s. It relies on the fact that no spammer is going to tailor his spamming scripts to suit one particular site with an unusual captcha. And guess what? That approach works remarkably well!</p>
<p>And just to finish this off: Your captcha is <a href="http://www.i-marco.nl/weblog/archive/2007/10/21/are_blog_comments_dead" rel="nofollow">vulnerable as well</a> because human labour is cheap. And yours is dead easy to beat in software as well.</p>
<p>Gonna write a bulletin about that as well?
</p>
]]></content:encoded>
				</item>
	<item>
		<title>By: MustLive</title>
		<link>http://websecurity.com.ua/1520/#comment-77680</link>
		<pubDate>Sat, 10 Nov 2007 17:14:35 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-77680</guid>
					<description>&lt;blockquote&gt;If I have to spend 90% of my time securing this system I might as well not do it.&lt;/blockquote&gt;
You just use an insecure captcha, because of lack of knowledge. And I opened your eyes to that. This is the main task of my project - to help people to understand that captchas are not so secure and there are a lot of unreliable captchas. And for protecting from bad guys they need more reliable protection.

&lt;blockquote&gt;On the other hand, if you tell me what can be done to avoid this automated submission, I’ll be happy to write about it and give you the credit advertising you as a security expert in this case.&lt;/blockquote&gt;
Chris, I will certainly help you - it's my work to make the Web more secure and I'll give you the required information. For you, because you are not a captcha developer, I give info on how to protect yourself and your site from spam - you just need a more reliable captcha. Man, don't worry - all spammers who attack your site will have to deal with me. We'll kick them out from your site.

&lt;blockquote&gt;I give up things for free to make the web a better place, do you?&lt;/blockquote&gt;
Yes, I do. All my security work (published at my site) and the social security audit that I do every day is done for free - to make the Internet a better and more secure place. And my previous project &lt;a href="/category/moseb/" rel="nofollow"&gt;Month of Search Engines Bugs&lt;/a&gt; and my new project Month of Bugs in Captchas are also designed for this purpose.

So, Chris, if you want, I'll suggest you real solutions (which you can look at) for protecting from spammers and recommend you a reliable captcha.</description>
		<content:encoded><![CDATA[<blockquote><p>If I have to spend 90% of my time securing this system I might as well not do it.</p></blockquote>
<p>You just use an insecure captcha, because of lack of knowledge. And I opened your eyes to that. This is the main task of my project - to help people to understand that captchas are not so secure and there are a lot of unreliable captchas. And for protecting from bad guys they need more reliable protection.</p>
<blockquote><p>On the other hand, if you tell me what can be done to avoid this automated submission, I’ll be happy to write about it and give you the credit advertising you as a security expert in this case.</p></blockquote>
<p>Chris, I will certainly help you - it&#8217;s my work to make the Web more secure and I&#8217;ll give you the required information. For you, because you are not a captcha developer, I give info on how to protect yourself and your site from spam - you just need a more reliable captcha. Man, don&#8217;t worry - all spammers who attack your site will have to deal with me. We&#8217;ll kick them out from your site.</p>
<blockquote><p>I give up things for free to make the web a better place, do you?</p></blockquote>
<p>Yes, I do. All my security work (published at my site) and the social security audit that I do every day is done for free - to make the Internet a better and more secure place. And my previous project <a href="/category/moseb/" rel="nofollow">Month of Search Engines Bugs</a> and my new project Month of Bugs in Captchas are also designed for this purpose.</p>
<p>So, Chris, if you want, I&#8217;ll suggest you real solutions (which you can look at) for protecting from spammers and recommend you a reliable captcha.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>By: MustLive</title>
		<link>http://websecurity.com.ua/1520/#comment-77679</link>
		<pubDate>Sat, 10 Nov 2007 16:46:13 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-77679</guid>
					<description>&lt;strong&gt;Chris&lt;/strong&gt;

This is a project. And you (with your old captcha) became a participant of it after you started to use that vulnerable captcha. If you look at the &lt;a href="/1492/" rel="nofollow"&gt;project description&lt;/a&gt; you'll see that participation in the project is voluntary - I voluntarily chose participants for the project ;-). So it's fate, man. And all info is posted in full disclosure, so you have all details freely available.

I can understand, Chris, that you are not too happy with this (you don't need additional spam at your site after details of the hole were posted), but you chose this way after you put that lame captcha at your site. And after I informed you about that, you removed that vulnerable captcha (when you upgraded your site's engine) and now you need a new and secure one. So now you are in even more risk because you have no captcha at all.

And now my disclosure is not giving any new info to bad guys to spam your comments, because there is no more that captcha. Now this is just educational material. But you need to protect your site. And I'll help you.

&lt;blockquote&gt;I am paid to share my knowledge and I am using my blog as a free outlet to give to people what I consider should be free. You are pissing all over this attacking a system I didn’t develop.&lt;/blockquote&gt;
I also mostly do all my work for free - share my knowledge and inform people and web app developers about holes in their sites and software. And I'm working every day to make the Web more secure. I'm not talking about attacking you directly, but about holes in software that you use (about such type of captchas - your site is just an example). So your fault is that you used that bad captcha, and I'll help you to fix this.</description>
		<content:encoded><![CDATA[<p><strong>Chris</strong></p>
<p>This is a project. And you (with your old captcha) became a participant of it after you started to use that vulnerable captcha. If you look at the <a href="/1492/" rel="nofollow">project description</a> you&#8217;ll see that participation in the project is voluntary - I voluntarily chose participants for the project ;-). So it&#8217;s fate, man. And all info is posted in full disclosure, so you have all details freely available.</p>
<p>I can understand, Chris, that you are not too happy with this (you don&#8217;t need additional spam at your site after details of the hole were posted), but you chose this way after you put that lame captcha at your site. And after I informed you about that, you removed that vulnerable captcha (when you upgraded your site&#8217;s engine) and now you need a new and secure one. So now you are in even more risk because you have no captcha at all.</p>
<p>And now my disclosure is not giving any new info to bad guys to spam your comments, because there is no more that captcha. Now this is just educational material. But you need to protect your site. And I&#8217;ll help you.</p>
<blockquote><p>I am paid to share my knowledge and I am using my blog as a free outlet to give to people what I consider should be free. You are pissing all over this attacking a system I didn’t develop.</p></blockquote>
<p>I also mostly do all my work for free - share my knowledge and inform people and web app developers about holes in their sites and software. And I&#8217;m working every day to make the Web more secure. I&#8217;m not talking about attacking you directly, but about holes in software that you use (about such type of captchas - your site is just an example). So your fault is that you used that bad captcha, and I&#8217;ll help you to fix this.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>By: Chris Heilmann</title>
		<link>http://websecurity.com.ua/1520/#comment-76755</link>
		<pubDate>Fri, 09 Nov 2007 18:41:37 +0000</pubDate>
		<guid>http://websecurity.com.ua/1520/#comment-76755</guid>
					<description>While I am bowing down to your superior knowledge about securing systems I am not happy at all about you publishing a way to inject unwanted comments into my blog.

I am paid to share my knowledge and I am using my blog as a free outlet to give to people what I consider should be free. You are pissing all over this attacking a system I didn't develop.

If I have to spend 90% of my time securing this system I might as well not do it.

On the other hand, if you tell me what can be done to avoid this automated submission, I'll be happy to write about it and give you the credit advertising you as a security expert in this case. 

I give up things for free to make the web a better place, do you?</description>
		<content:encoded><![CDATA[<p>While I am bowing down to your superior knowledge about securing systems I am not happy at all about you publishing a way to inject unwanted comments into my blog.</p>
<p>I am paid to share my knowledge and I am using my blog as a free outlet to give to people what I consider should be free. You are pissing all over this attacking a system I didn&#8217;t develop.</p>
<p>If I have to spend 90% of my time securing this system I might as well not do it.</p>
<p>On the other hand, if you tell me what can be done to avoid this automated submission, I&#8217;ll be happy to write about it and give you the credit advertising you as a security expert in this case. </p>
<p>I give up things for free to make the web a better place, do you?
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
