[Owasp-leaders] Good Code Advice Requested

Dennis Groves dennis.groves at owasp.org
Tue Dec 11 09:17:05 UTC 2012


I know I am a bit extreme - however, for my part it almost always 
takes me 3-4 attempts to solve captchas because they have become so 
convoluted and extreme in their attempts to defeat the many automated 
resolvers. As such, when I encounter a captcha I often will not join 
your site or purchase your product, as I didn't really need it that badly 
in the first place.

Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

On 11 Dec 2012, at 9:05, Eoin wrote:

> +1
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 9 Dec 2012, at 20:31, Jim Manico <jim.manico at owasp.org> wrote:
>
>> One other note, CAPTCHA is not a security control - it's just a cost 
>> barrier. Threat agents can easily leverage "mechanical Turk" services 
>> where underneath the hood of malware or other attacks is a large team 
>> of people resolving CAPTCHAs by hand all day. There is no way to 
>> defeat this.
>>
>> Also, some CAPTCHA systems, even audio, are vulnerable to automated 
>> resolution.
>>
>> Now, a lot of folks use it, and it IS a cost barrier for attackers.
>>
>> But please never use CAPTCHA for things like access control, 
>> authentication or other more robust security controls in code.
>>
>> Fair?
>>
>> Regards,
>> Jim Manico
>> OWASP Volunteer
>> @Manicode
>>
>>> Hi Petr, it sounds very interesting, but I'm not sure what the
>>> sub-project is or what type of feedback you are requesting.  Is it
>>> going to be an open-source tool project?  It appears that it's being
>>> offered as a service right now.  Also, I'm not sure how this is
>>> implemented.  The three examples you have on your website show how
>>> Good Code can be implemented with a CAPTCHA, but it's not clear how the
>>> process works or if Good Code provides both the CAPTCHA and the Email
>>> Service, or only the Email Service allowing people to use any CAPTCHA
>>> they want.  Could you provide a more detailed explanation of what Good
>>> Code does?
>>>
>>> Also, one other technical point.  Words and audio in CAPTCHAs are not
>>> "encrypted".  It would be more correct to say they are "distorted".
>>>
>>> Justin Searle
>>> Managing Partner - UtiliSec
>>> 801-784-2052
>>>
>>>
>>> On Wed, Dec 5, 2012 at 9:00 AM, Samantha Groves
>>> <samantha.groves at owasp.org> wrote:
>>>> Hello Leaders,
>>>>
>>>> This e-mail is from Petr Zavodsky from the OWASP Czech Republic. 
>>>> See below:
>>>>
>>>>
>>>> -------------------
>>>> Hi Leaders,
>>>>
>>>> New subproject "Dobry kod" (in English: "Good Code" :)) (a follow-up
>>>> part of the OWASP Web Application Security Accessibility Project):
>>>>
>>>> http://www.dobrykod.cz/en/
>>>>
>>>> Users with sight impairment, dyslexia, and other similar conditions
>>>> may experience difficulties with reading the encrypted characters in
>>>> the picture of a CAPTCHA code.
>>>>
>>>> For this reason picture-based security tests can be supplemented
>>>> with an audio version, where the sound is distorted to prevent unwanted
>>>> bots from accessing the information. Unfortunately, safely encrypted
>>>> audio recordings are less discernible or almost indiscernible even for
>>>> users with perfect hearing. Further difficulties can arise due to the
>>>> different phonetic systems of the user's language and the language of
>>>> the recording.
>>>>
>>>> Please, send me your questions, objections etc.
>>>>
>>>> Thanks,
>>>>
>>>> Petr Zavodsky
>>>>
>>>> OWASP Czech Republic
>>>> -------------------
>>>>
>>>> --
>>>>
>>>> Samantha Groves, MBA
>>>>
>>>> OWASP Project Manager
>>>>
>>>>
>>>> The OWASP Foundation
>>>>
>>>> London, United Kingdom
>>>>
>>>> Email: samantha.groves at owasp.org
>>>>
>>>> Skype: samanthahz
>>>>
>>>>
>>>> Book a Meeting with Me
>>>>
>>>> OWASP Contact US Form
>>>>
>>>> New Project Application Form
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
