Posted by tom pester on 09/08/05 03:10

Hi Phil,

> Now I have the answer to your addition sum, and the session ID from
> your "hidden" field. That wasn't difficult, was it?

> Turing numbers are nowhere near as vulnerable. Implemented properly,
> they are impossible for computers to read successfully without a lot
> of hard work targeted at each specific implementation.

I asked for another way but thx for the script anyway...
I know it's easy to parse the numbers but can you think of another way to
abuse that page.

Again, my point is that turing numbers are a good solution _now_ and I will
use them in a commercial site.
But it's only a matter of time before computers can read turing numbers as
easily as tehy do addition now.

And this page isn't easily exploitable by a bot either. The spammer's bots
won't find this page automaticaly and if he stumbles upon it he has to do
some custom coding. I think he will go and look for an eaiser alternative
(which are plentyful).

There are other alternatives that are cost based in which the difficulty
of parsing a test outweighs the profit a spammer makes.
I remember reading a good article in scientific american about it.

Anyway, this is an exercice of me in making it as secure as possible with
the known limitation that a simple parsing circomvents it if the spammer
takes the trouble (which he won't ;)
Can you look at my question this way and see if there is a flaw in it?

[Back to original message]