captchas: The Good, the Bad and the Ugly

Some months ago, I commented on a weak implementation in a fancy captcha. Today I would like to comment on other bad implementations, broken in other ways.

The good

A captcha should have a large Shannon entropy: finite, but large. The session ID and the challenge must not be reused. The images must be resistant to OCR but still understandable by a human.

The bad

Here is the first example:

Believe it or not... this is a real case. Incredible, eh?

The ugly

The victim, in this case, is this one:
This is an implementation of captchanumbers, by Hadar Porat. This captcha, and many others generated by captchanumbers, are weak and can be read with this script.

The idea is simple. As the digits are always in nearly the same place, the image can be cut into pieces. Those pieces can be compared independently, which reduces the entropy. Maybe the script and this image are more enlightening than my limited English:

The 10,000 possibilities were reduced to 159. No OCR, 100% deterministic.

Second moral: Understand the fundamentals first, write code later.


In Spanish, occurrence and stupid idea are the same word.
# Letter frequencies of a page rendered by w3m (the HTML is read from stdin).
# The character classes are quoted so the shell does not glob-expand them.
j=`w3m -dump -no-graph -l 200 | tr -d -C '[:alpha:]' | tr '[:upper:]' '[:lower:]'`
for i in `seq ${#j}`; do echo "$j" | cut -b $i; done | sort | uniq -c |
  while read w; do
    # $w is "<count> <letter>"; print the relative frequency, then the letter
    y=`echo $w | cut -f 1 -d ' '`
    echo -n $(echo "scale=5; $y/${#j}" | bc)
    echo " `echo $w | cut -f 2 -d ' '`"
  done | sort -rn

fancy/mathematical/insecure/unobfuscated/reused captchas

A few days ago, Gunnar told me about a quite curious captcha:

But, on the other hand, it had been implemented insecurely. With just one answer, you can submit many times:

Furthermore, I noticed that the captcha was precomputed and, therefore, finite and reused. I made more than 15,000 requests and got less than 5% unique (there is no motivation to solve 700 differential equations :P).
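To make that finding measurable, here is an added Python example (not from the original post): it audits a challenge source by requesting it many times and reporting the unique ratio and the observed Shannon entropy, the property asked for under "The good" above. Both generators are constructed stand-ins: a 700-entry precomputed pool and a fresh four-digit generator.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a captcha that serves challenges from a fixed,
# precomputed pool (700 entries here), as found in the wild above.
def precomputed_pool_generator(pool_size=700, seed=1):
    rng = random.Random(seed)
    pool = [f"precomputed-{i}" for i in range(pool_size)]
    return lambda: rng.choice(pool)

# Constructed stand-in for a captcha that draws a fresh 4-digit challenge each time.
def fresh_generator(seed=1):
    rng = random.Random(seed)
    return lambda: f"{rng.randrange(10_000):04d}"

def audit_challenges(next_challenge, requests=15_000):
    """Request `requests` challenges and measure how much the source really varies."""
    counts = Counter(next_challenge() for _ in range(requests))
    unique_ratio = len(counts) / requests
    # Shannon entropy (bits) of the observed challenge distribution; it can never
    # exceed log2(pool size), so a small pool shows up here regardless of sampling.
    entropy = -sum((c / requests) * math.log2(c / requests) for c in counts.values())
    return {
        "requests": requests,
        "unique": len(counts),
        "unique_ratio": unique_ratio,
        "entropy_bits": entropy,
        "most_repeated": counts.most_common(1)[0][1],
    }

if __name__ == "__main__":
    for name, gen in [("precomputed pool", precomputed_pool_generator()),
                      ("fresh challenges", fresh_generator())]:
        r = audit_challenges(gen)
        print(f"{name}: {r['unique']} unique of {r['requests']} "
              f"({r['unique_ratio']:.1%}), {r['entropy_bits']:.2f} bits observed")
```

The pool case reproduces the symptom reported above (under 5% unique after 15,000 requests), while the fresh generator stays close to its 13.3-bit ceiling.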

Moral: Sometimes, extravagance goes against security.

quasi-custom kernel in a non-traditional way

I'm averse to compiling programs for production machines. Lots of developers and maintainers have been working (and still work) hard to make a wonderful binary for you. But sometimes you need a customization, especially if it's about a kernel. I needed support for 8GB of RAM.

Most people would download a kernel from, configure it and compile it.

A Debian user would probably compile it the Debian way, with make-kpkg.

But I only needed a really small change from the official Debian kernel image. So I tried to make a custom kernel image without wasting the kernel team's work, making as few changes as possible.

$ apt-get source kernel-image-2.6.8-3-686-smp
$ vi kernel-image-2.6.8-i386-2.6.8/config/686-smp

Add support for HighMem64G:



In order not to generate images for all the platforms (I'm not sure that i386, k7, etc. are really platforms), I deleted those files from kernel-image-2.6.8-i386-2.6.8/config:

$ rm 386 686 k7 k7-smp

Then... let's build a package (compile the DD way :P)!


And now I have a package with my not-too-custom kernel image, ready to be used.

the WTF survey

Sometimes, if you don't blog for a while, you need a good excuse to do it. Today I have one.


You don't speak Spanish? You should :P.

It's a survey (or an opinion poll, I'm not sure). The newspaper La Razón asks its readers: Do you agree that tubal ligation and vasectomy should be allowed? The answers are: between 9 and 7 hours (49.8%), between 6 and 4 hours (46.1%), ten or more (2.6%) and neither, I can't sleep (1.5%).

Soccer geeks at DebConf6

Get ready for the first Debian Soccer Cup in Oaxtapec. :P

As we all know, sports are good for geeks... that's why I'm organizing a DebConf Football Championship/Match. I would like to invite you all (yes, girls included) to join this championship/match.

Depending on how many people we are and on the field size, it will be a single match or a championship.

All DebConf6 attendees are invited!

Happy Anniversary, Pyro!

Today is a special day.

One year ago we (yes, you and me) started a beautiful path together. A long path with wisdom and mistakes. I learned about Debian and you about correcting me, but we both learned to wait for each other.

Dear Pyro, for not too many years together in this wonderful ApplicationManager-Applicant relationship, I say to you: Happy Anniversary!

PS: don't get angry, I'm just joking (c: