28 December 2004

DNS Attacks: What to do when the letter-recognition-bots recognize handwritten text

Tired of those spam accounts signing up for your XML RSS feed?

That's right. DNS attacks are related to those crazy bots that like to sign up automatically. They just can't get enough feed. Or blogs. Or OPML for that matter.

The old plan was to write nifty code requiring users to enter letters. Small problem. The bots can recognize the typefaces.

The next step was to go to the "handwritten fonts" on the notion that it will be years before the bots can translate this.

The future has arrived. The bots can translate even the handwriting.

What to do?

Ever thought of including sequences of handwritten images, and then requiring the user to correctly state in which order the images are sequenced?

Give me a selection of say 5 options, and make me choose the correct order:



Correct: House, bat-bear, gingerbread

Distractors:

A. Gingerbread, bear, green
B. Kermit, floor, bathroom
C. Goldilocks, ants, chicken
D. Bandaid, light, mouse OR moose
E. Ladder, poultry, rock
F. Chocolate, lettuce, Barney

Think of your list in del.icio.us: you may have thousands of keywords. Users could scroll along the list to find the correct image designation.

If you have enough of these hurdles, you can reduce the probability the bot will randomly choose the correct combination.

The computer picks the hand-drawn images from an image bank, and then randomly sequences them.

Requiring a freeze

An added measure of security confirmation [that you're dealing with a human that can actually absorb advertising] is to require the user to hold the chosen selection over the images for a specified period of time.

Think of it as the light-game in Close Encounters.

Randomizing the portion of the image

Also, consider this. Think random images, and random order.

See how Joi's image has a box around it. You could change the location of the pointer so that the bot would have a harder time guessing "what the item of interest is."

Have several pointers, but change the "pointer to look at" from one shape to another. Ask the user to choose the shape that is "not like the others" -- one that is different by color, shape, or thickness of the box.

The next round might be another question, requiring the user to perhaps focus on a different section of the same image, but for different reasons.

Essentially, you're trying to make the bot integrate two different sets of data. As we all know, even multiple historical XML feeds cannot be integrated into a single user-defined stream.

Yet.

Thanks anyways, PubSub.

Flaws

The random number generator used to sequence the images could produce a predictable pattern. A bot could observe enough challenges and responses to identify that pattern.

The bot could also randomly guess the correct sequence.
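As an added example (not code from the original post), here is how the sequencing hurdle described above could be generated and scored on the server, together with the random-guess odds and the generator weakness the two flaws just listed describe. It assumes a constructed image bank whose labels come from the post's own example options, and it draws the order from the OS-backed CSPRNG `secrets.SystemRandom` so the sequence carries no pattern a bot could learn.

```python
import secrets

# Constructed image bank: labels stand in for the hand-drawn images the post
# describes (taken from its own example options).
IMAGE_BANK = ["house", "bat-bear", "gingerbread", "kermit", "floor", "bathroom",
              "goldilocks", "ants", "chicken", "ladder", "poultry", "rock"]

# OS-backed CSPRNG. The "non-random pattern" flaw comes from sequencing with
# a predictable generator, e.g. a clock-seeded linear congruential generator.
_rng = secrets.SystemRandom()

def make_challenge(bank=IMAGE_BANK, seq_len=3, n_distractors=5):
    """Pick seq_len images in a secret random order and surround that
    correct sequence with n_distractors distinct wrong sequences, shuffled."""
    correct = tuple(_rng.sample(bank, seq_len))  # sample returns a random order
    options = {correct}
    while len(options) < n_distractors + 1:      # hypothetical distractors
        options.add(tuple(_rng.sample(bank, seq_len)))
    options = list(options)
    _rng.shuffle(options)
    return {"options": options, "answer": options.index(correct)}

def check_answer(challenge, chosen_index):
    """Server-side check: only the index of the correct option passes."""
    return chosen_index == challenge["answer"]

def guess_probability(n_options, rounds):
    """Chance that a bot picking uniformly at random passes every round."""
    return (1.0 / n_options) ** rounds

def rounds_needed(n_options, target):
    """Fewest rounds so that random guessing succeeds with probability <= target."""
    rounds, p = 0, 1.0
    while p > target:
        p /= n_options
        rounds += 1
    return rounds

if __name__ == "__main__":
    ch = make_challenge()
    for i, opt in enumerate(ch["options"]):
        print(i, ", ".join(opt))
    print("six options, one round:", guess_probability(6, 1))
    print("rounds for a 1e-6 guess rate:", rounds_needed(6, 1e-6))
```

Stacking rounds is what makes the hurdle count: with six options a single round still lets one guess in six through, while eight rounds push blind guessing below one in a million.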

Summary

Move away from thinking of a user-hurdle as something that has to be confined to a simple sequence of letters.

Sure, you can keep the current bot-check in place. But don't be afraid to add new twists. Even Google search makes mistakes.

The way to confuse the bot is to require the user to translate visual information into text. Bots can't figure out something as diverse as the human's ability to draw universally unrecognizable symbols.

Yet.