From: Don Y
Newsgroups: sci.electronics.design
Subject: Re: Chinese downloads overloading my website
Date: Thu, 14 Mar 2024 15:38:00 -0700

On 3/14/2024 9:26 AM, Peter wrote:
>
> Don Y wrote:
>
>> (Without having seen them...) Can you create a PNG of a group
>> of them arranged in a matrix. Then, a map that allows clicking
>> on any *part* of the composite image to provide a more detailed
>> "popup" to inspect?
>>
>> I.e., each individual image is a trip back to the server to
>> fetch that image. A single composite could reduce that to
>> one fetch with other actions conditional on whether or not
>> the user wants "more/finer detail"
>
> All of this "graphical captcha" stuff is easy to hack if somebody is
> out to trash *your* site.

If you are *targeted*, then all bets are off. At the end of the day,
your adversary could put a REAL HUMAN to the task of hammering away at it.

> For example I run some sites and paid someone 1k or so to develop a
> graphical captcha. It displayed two numbers as graphic images and you
> had to enter their product e.g. 12 x 3 = 36.
>
> A friend who is an expert at unix spent just a few mins on a script
> which used standard unix utilities to do OCR on the page, and you can
> guess the rest.

But a *bot* wouldn't know that this was an effective attack. It would
move on to the next site in its "list" to scrape.

If you use a canned/standard(ized) captcha, then a bot can reap
rewards learning how to defeat it -- because those efforts will
apply to other sites, as well.

[Some university did a study of the effectiveness of captchas
on human vs. automated clients and found the machines could
solve them better/faster than humans]

If you want to make something publicly accessible, then you have to
assume it will be publicly accessed!

I operate a server in stealth mode; it won't show up on network
probes so robots/adversaries just skip over the IP and move on
to others. Folks who *should* be able to access it know how
to "get its attention".

Prior to this "enhancement", I delivered content via email
request -- ask for something, verify YOU were the entity that
issued the request, then I would email it to you.

This was replaced with "then I would email a unique LINK to
it to you".
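
Added example, not part of the post above and not the poster's own code: one way to build the "email a unique LINK" delivery described in the final paragraphs, as a signed, expiring, single-use token. The names `issue_token` and `redeem_token`, the HMAC-SHA256 construction and the in-memory replay set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key (assumed); never leaves the server
_redeemed = set()                 # nonces already used; in-memory only for this example


def _b64(raw):
    """URL-safe base64 without padding, so '.' can separate token fields."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(path, ttl=3600, now=None):
    """Token to embed in the link e-mailed to a verified requester."""
    expires = int((time.time() if now is None else now) + ttl)
    nonce = _b64(secrets.token_bytes(12))  # makes every link unique
    payload = f"{_b64(path.encode())}.{expires}.{nonce}"
    return f"{payload}.{_sign(payload)}"


def redeem_token(token, now=None):
    """Return the file path if the token is authentic, unexpired and unused."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        # Check the signature before trusting any field; constant-time compare.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        path_b64, expires, nonce = payload.split(".")
        pad = "=" * (-len(path_b64) % 4)
        path = base64.urlsafe_b64decode(path_b64 + pad).decode()
        expired = now > int(expires)
    except ValueError:  # malformed token: wrong field count, bad base64, bad int
        return None
    if expired or nonce in _redeemed:
        return None
    _redeemed.add(nonce)  # a link works once, so a scraped or forwarded copy is dead
    return path
```

A deployment would keep the redeemed-nonce set in persistent storage and serve the link over TLS.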