|
16 Jul 2004, 13:14
|
#1
|
Enjoying life ...
Join Date: Jun 2001
Location: Touring the world
Posts: 26
|
A way to bypass the bot-stopper
Just a matter of interest to the development community and maybe a wake up call to the PA-crew to enhance the bot-stopper system.
In R9.5 the free round, I did a program to crack the bot-stopper and to some extent it worked. Use Visual Basic's Internet Explorer component and incorporate it into the form. Use the IE program to log in to PA, then when the bot-stopper page is displayed, loop through all the image tags in the page to search for the name of the bot-stopper image file. When you find the image tag information, compare the image size and send the answer for the bot-stopper question.
Of course, beforehand you have to build up a database of the existing bot-stopper questions and answers and their respective bot-stopper image size. Due to the question type and the lines in the bot-stopper image, the image sizes vary. But specific image sizes refer to specific bot-stopper questions, thus the program can be set to send back the predetermined answer.
To PA-crew, when I joined up today just out of sheer boredom at work, what a surprise that that same bot-stopper system is still being used. To stop a program like the one described above, it's time to either introduce more questions, or implement a dynamic question that can dynamically create lines in the image, therefore preventing my program from functioning.
__________________
R4: 152:6:24 General Arclight of Carida [Tokra]
R5: 23:12:24 Tuhan of Syurga [ACID] - Sinners of Society
R6: 22:10:1 Chairman of I.O. Group of Companies [ACID][Olympus] - Draco Domiens
R7: 30:24:2 Director of Genting Highlands [VtS] - Kriminally Insane
R8 - R9: [Retired][Real Life]
R9.5: 34:3:15 Tuhan of Syurga [BoredOfRL][Fun] - Hidden Paradise
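A defender-side audit of the weakness this post reports, added here as an example and not part of the original post: it measures how often an observable image size singles out one question, then re-measures after padding every response to one fixed length. The question ids, sample sizes and the `pad_to_fixed_length` helper are constructed for illustration, and the padding assumes the image decoder ignores trailing bytes.

```python
from collections import defaultdict

# Constructed sample: each question id maps to the image bodies served for it.
SAMPLE_RENDERS = {
    "q-colour": [bytes(1843), bytes(1843)],
    "q-sum": [bytes(2011), bytes(2011)],
    "q-planet": [bytes(1977), bytes(1977)],
}


def identifiable_fraction(observations):
    """observations: list of (question_id, size).

    Returns the fraction of observations whose size was only ever seen
    for a single question, i.e. where size alone reveals the question.
    """
    questions_by_size = defaultdict(set)
    for qid, size in observations:
        questions_by_size[size].add(qid)
    if not observations:
        return 0.0
    hits = sum(1 for _, size in observations
               if len(questions_by_size[size]) == 1)
    return hits / len(observations)


def pad_to_fixed_length(image_bytes, target_len):
    """Hypothetical mitigation: append zero bytes so all bodies share one length.

    Assumption: clients' image decoders ignore data after the end marker.
    """
    if len(image_bytes) > target_len:
        raise ValueError("image larger than target length; raise target_len")
    return image_bytes + bytes(target_len - len(image_bytes))


def observe(renders, transform=lambda body: body):
    """Flatten renders into (question_id, served_size) pairs."""
    return [(qid, len(transform(body)))
            for qid, bodies in renders.items() for body in bodies]


def audit(renders, target_len=4096):
    """Return (leak before padding, leak after padding) as fractions."""
    before = identifiable_fraction(observe(renders))
    after = identifiable_fraction(
        observe(renders, lambda body: pad_to_fixed_length(body, target_len)))
    return before, after


if __name__ == "__main__":
    print(audit(SAMPLE_RENDERS))
```

Padding only removes the byte-length signal; if the pixel dimensions also differ per question, the images additionally need a fixed canvas size.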
|
|
|
16 Jul 2004, 13:27
|
#2
|
Ball
Join Date: Oct 2001
Posts: 4,410
|
Re: A way to bypass the bot-stopper
:-/
|
|
|
17 Jul 2004, 01:29
|
#3
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Tuhan
Of course, beforehand you have to build up a database of the existing bot-stopper questions and answers and their respective bot-stopper image size.
|
Well, exactly that is the only catch. If the base of questions is too small and doesn't get updated frequently, well, the system is "broken".
Another "scaringly" good OCR is www.myfonts.com/whatthefont ... You can abuse this service for advanced character detection...
(edit: dunno if there is a session timeout, but try http://www.myfonts.com/WhatTheFont/O...3a785bddc96aa3 ... if you tweak around a bit, it might as well even select some chars in question)
Or, as everything has been done before, refer to http://www.reconstructor.com/pabot/index.html
__________________
[ »] Entropy increases! :-/
Last edited by JetLinus; 17 Jul 2004 at 01:36.
|
|
|
17 Jul 2004, 04:22
|
#4
|
Klaatu barada nikto
Join Date: Mar 2000
Location: St. Paul, Minnesota
Posts: 3,237
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by JetLinus
Well, exactly that is the only catch. If the base of questions is too small and doesn't get updated frequently, well, the system is "broken".
|
That's pretty much been the rap on PA's bot-stopper question database: too small and not updated frequently enough. :/
__________________
The Ottawa Citizen and Southam News wish to apologize for our apology to Mark Steyn, published Oct. 22. In correcting the incorrect statements about Mr. Steyn published Oct. 15, we incorrectly published the incorrect correction. We accept and regret that our original regrets were unacceptable and we apologize to Mr. Steyn for any distress caused by our previous apology.
|
|
|
17 Jul 2004, 23:54
|
#5
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Tactitus
That's pretty much been the rap on PA's bot-stopper question database: too small and not updated frequently enough. :/
|
And after that, it's just a question which side puts in more effort: Questionmakers or hackers? What's the point of new questions, if the bot-database is updated instantly anyways...
__________________
[ »] Entropy increases! :-/
|
|
|
20 Jul 2004, 09:21
|
#6
|
Registered User
Join Date: Jun 2000
Posts: 8,476
|
Re: A way to bypass the bot-stopper
I don't understand why they use questions rather than a dynamic 'enter the pictured letters in this box' type thing
|
|
|
20 Jul 2004, 16:27
|
#7
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Probably the accessibility issue of having awkward-to-read images that can't have meaningful names or alt text.
|
|
|
21 Jul 2004, 15:24
|
#8
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Nodrog
I don't understand why they use questions rather than a dynamic 'enter the pictured letters in this box' type thing
|
Probably as it's "dynamic", i.e. would a) afford scripts and b) cpu power to create those pics at runtime. The current system is static, pictures once generated are lying around (waiting to be added to bot-databases).
I know, you could pre-generate the "enter letters"-pictures as well - but you'd need many of them, to have the advantage over purely static methods (I guess like 10k pics => 4 digits).
Actually, I agree, this is a far better method.
Quote:
Originally Posted by sayonara
Probably the accessibility issue of having awkward-to-read images that can't have meaningful names or alt text.
|
Oh yeah, as opposed to having purely English (and maybe dodgy formulated) questions that foreign players have to answer?
__________________
[ »] Entropy increases! :-/
|
|
|
21 Jul 2004, 15:37
|
#9
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by JetLinus
Oh yeah, as opposed to having purely English (and maybe dodgy formulated) questions that foreign players have to answer?
|
Under European law you are liable to be sued or prosecuted under the Disabilities Discrimination Act (that pretty much every country in the EU enforces in one form or another) if you sell a service but do not provide accessible content. It's also bad design.
The same cannot be said for providing multi-lingual content. I guess it's easy to see which priority takes precedence here.
|
|
|
21 Jul 2004, 15:42
|
#10
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by sayonara
Under European law you are liable to be sued or prosecuted under the Disabilities Discrimination Act (that pretty much every country in the EU enforces in one form or another) if you sell a service but do not provide accessible content. It's also bad design.
The same cannot be said for providing multi-lingual content. I guess it's easy to see which priority takes precedence here.
|
What? Huh?
If I do WHAT? Do you mean when putting up English-only versions, or when using awkward-to-read-letters?
What priority?
Also, how can anybody sue me, if I provide a service for a) English-speaking people only, or b) for people with "good sight // good hearing // overall cleverness" (choose appropriate)? Who forces me to provide accessibility for let's say blind people?
There're clothes for thin people only, and thick people don't sue the manufacturers, or do they?
__________________
[ »] Entropy increases! :-/
|
|
|
21 Jul 2004, 15:44
|
#11
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Quote:
What? Huh?
If I do WHAT? Do you mean when putting up English-only versions, or when using awkward-to-read-letters?
What priority?
|
If the options are "single-language questions that can be eventually broken by bots but don't break discrimination laws" or "numeric images that can be eventually broken by bots and do break discrimination laws" I'm thinking the current choice indicates their priorities are:
1 - Have bot blocker in place
2 - Don't get sued
3 - Accessible site for all
The first option gives them two out of three, the latter gives them one out of three. This apparent dichotomy is due to the non-inclusive nature of accessibility legislation.
Quote:
Originally Posted by JetLinus
Also, how can anybody sue me, if I provide a service for a) English-speaking people only, or b) for people with "good sight // good hearing // overall cleverness" (choose appropriate)? Who forces me to provide accessibility for let's say blind people?
|
I didn't mean you personally, but for the sake of argument what country are you in?
Last edited by sayonara; 21 Jul 2004 at 16:00.
|
|
|
21 Jul 2004, 16:16
|
#12
|
Hamster
Join Date: Apr 2000
Location: Crewe, England
Posts: 3,606
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Nodrog
I don't understand why they use questions rather than a dynamic 'enter the pictured letters in this box' type thing
|
Because such things can actually be broken without any human input after the thing's been coded. Questions can't be answered by a bot without first knowing what's being asked and what is the answer, hence it makes things that little bit harder, which let's be honest with systems like this is all you're after. The determined will always find a way around them, it's just a case of making it as hard as you can so those who can and can be bothered is at the smallest amount possible.
__________________
Wakey
PD and Suggestions Moderator
Co-founder of [F-Crew]
The Farnborough Crew
Cos anything else is just an alliance
Join our public channel at #f-crew
|
|
|
21 Jul 2004, 21:19
|
#13
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by sayonara
I didn't mean you personally, but for the sake of argument what country are you in?
|
Germany...
Nobody can force me to provide content which is legible for any handicapped person, right? I know it sounds harsh if you put it that way.
Couldn't I just address a certain target group? No one does "rely" on my service! It's not public. If they don't WANT or are not ABLE to use it, well, ok...
What's this discrimination law? It's not like people gonna start that damn "sue everybody for nothing" stuff just like in USA... I hope...
__________________
[ »] Entropy increases! :-/
|
|
|
21 Jul 2004, 23:57
|
#14
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by JetLinus
Germany...
Nobody can force me to provide content which is legible for any handicapped person, right? I know it sounds harsh if you put it that way.
Couldn't I just address a certain target group? No one does "rely" on my service! It's not public. If they don't WANT or are not ABLE to use it, well, ok...
What's this discrimination law? It's not like people gonna start that damn "sue everybody for nothing" stuff just like in USA... I hope...
|
No, you can't be forced to as such.
However if someone who was partially sighted or blind attempted to log in to a game like Planetarion, having paid for their credits, and using every reasonable method at their disposal (which excludes the use of expensive cutting-edge intelligent screen readers or true tactile interfaces, we're talking basic screen readers here), then they would be within their rights under EU or US law (delete as applicable) to bring a case of discrimination against the owners.
In the UK this is enforced under the 1995 Disability Discrimination Act which requires information providers to make their services accessible to all. In the USA it is enforced under Section 508 of the 1973 Rehabilitation Act, although I am not sure how this applies to non-Federal organisations.
In Germany I believe this is covered by amendments to the Behindertengleichstellungsgesetz (BGG) law, although as of 2002 that was - like in the US - mandatory only for Gov organisations. I would expect that since then it has been expanded to include public organisations, since the EU in 1999 committed itself to make all public Web sites and their content accessible to people with disabilities by 2001 (that worked well didn't it?)
It's now legally no different to failing to provide a wheelchair ramp or what have you. You won't get into trouble for not having them, but if you exclude people based on their abilities they now have legal recourse to bite back.
It's quite a good thing as far as the web goes, because accessible design is usually better design for all users. The only real problems that crop up are for things like this, where a bit more effort is required.
[edit]
So the short answer is don't panic
|
|
|
22 Jul 2004, 17:36
|
#15
|
Street Tramp
Join Date: Apr 2000
Location: Street Gutter
Posts: 341
|
Re: A way to bypass the bot-stopper
I had a blind person ask if they could play 'another online game with Sphere in it'. Said game also includes a bot stopper, but along the lines of the randomly generated sequence of letters and numbers.
I merely asked them to send me a photocopy/scan of their disability certificate (UK people have them, I don't know about foreigners), and then disabled the bot checker for them. They seemed quite happy about.. I mean I'm sure they found it an extra hassle to have to deal with, but they also understood why the checker was there in the 1st place.
__________________
Chimney Pots.
|
|
|
22 Jul 2004, 19:45
|
#16
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Raging.Retard
I merely asked them to send me a photocopy/scan of their disability certificate (UK people have them, I don't know about foreigners), and then disabled the bot checker for them. They seemed quite happy about.. I mean I'm sure they found it an extra hassle to have to deal with, but they also understood why the checker was there in the 1st place.
|
That's not a bad idea, especially if more sites take up the call and make it known that they can do that.
What is turning developers and admins off however are the hardcore evangelists who say such methods are still a form of discrimination (even though they still advocate the use of accessibility features that sighted people don't use, which are no different in functional terms to alternate services.)
|
|
|
10 Aug 2004, 20:30
|
#17
|
Love's Sweet Exile
Join Date: May 2001
Location: Living on a Stair (Now Sword-less)
Posts: 2,371
|
Re: A way to bypass the bot-stopper
PA did the same a few rounds back for a (at least one I know of...) player then, (s)he contacted Spinner and the checker wasn't shown to them when they logged in.
__________________
--SYMM--
Ba Ba Ti Ki Di Do
|
|
|
11 Aug 2004, 08:40
|
#18
|
Heh, Leeds !
Join Date: Apr 2000
Location: In The Redfern
Posts: 3,790
|
Re: A way to bypass the bot-stopper
How does a blind person know when they have incoming on Planetarion ?
~Vaio~
__________________
The George Harrison of BlueTuba
Yes, I know he is dead !
|
|
|
11 Aug 2004, 09:11
|
#19
|
Inactive peon
Join Date: Jan 2003
Posts: 6,050
|
Re: A way to bypass the bot-stopper
just to point out here that there isn't a library of images they are auto generated when u load the page.
we don't use a random sequence of letters simply because then all bot stoppers need is to read the question then they have the answer.
we do probably need more questions - will look into it
we have ideas to prevent some of the methods described in the complete pattern recognition based bot design
|
|
|
11 Aug 2004, 15:58
|
#20
|
Friendly geek of GD :-/
Join Date: Nov 2000
Location: On my metal roid
Posts: 923
|
Re: A way to bypass the bot-stopper
- Well, ok, you don't have a real library of generated images, but you're using a library of questions, which is essentially the same (apart from the fact that auto-generation takes processing time).
- You say "simply because" -- actually, it wouldn't be that simple, which is the whole point. Try to write pattern recognition / OCR for samples from driverguide.com or icq.com (I hope the linked pics won't time out -- if you need a login for driverguide.com, use temp / 512).
- In this case, you have to weigh up: Is it easier for an attacker (botmaker) to "crack" your auto-generation of letters / digits, or is it easier to break your library of whatever you got (faces, questions, images, etc). If your base isn't large enough or not updated too frequently, a pattern-thingy might beat the library (as it's virtually "always updated").
- I know, I'm currently ignoring the fact that you put lines over the questions and have JPEG-artefacts, but I consider those things not to be a barrier...
- I'm of course assuming, that all methods above (being either a question from a library or an automatically generated piece of whatever) do NOT discriminate handicapped people. I.e. the text still needs to be readable etc. But this would apply to either method.
- What about a task to recognize faces? Just distinguish between male / female. I.e. binary, so, hm, 8 faces per login would be enough? Maybe just count the males / females in a given row? Dunno if this would be too annoying for the user, but it would be nearly impossible for a botmaker to create an algorithm (although I don't know how good neural networks are ATM).
OFC, problem: Where to get a base with let's say > 10k pictures of single faces and the additional information of their sex?
__________________
[ »] Entropy increases! :-/
|
|
|
11 Aug 2004, 22:09
|
#21
|
Mr. Blobby
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
|
Re: A way to bypass the bot-stopper
Quote:
Originally Posted by Vaio
How does a blind person know when they have incoming on Planetarion ?
|
Their screen reader informs them.
|
|
|
15 Sep 2004, 13:28
|
#23
|
Idiot
Join Date: Jun 2004
Posts: 133
|
Re: A way to bypass the bot-stopper
Let's make a braille monitor, and then they can read the anti bot images and PAteam won't be sued.
__________________
Anyone for rofltrifle?
|
|
|
30 Sep 2004, 13:12
|
#24
|
Shai Halud
Join Date: Aug 2001
Location: Sunny Leeds \o/
Posts: 2,127
|
Re: A way to bypass the bot-stopper
Braille display devices exist. There's even functionality in CSS to accommodate them.
|
|
|
|
All times are GMT +1.