Mailing list home
  Find posts   Help

Latest messageRecent messages

In this thread:
 First
 Prev
 Next
 See whole thread
By msg id:
 Prev: 8 May 2002 21:57
 Next: 8 May 2002 21:54

Other threads:
 Prev: View beta changes - sliders
 Next: CORE 2.5.2 Bugs

Same author:
 Prev: 3 May 2002 14:32
 Next: 14 Nov 2001 17:40

 Random message

Indexes:
 By topic
 By date
 By author
 By subject
Join the Mailing List....
AccessibilityAbout / FAQ
Member's loungeContact/FeedbackOther REBOL links
Membership:
member name

password

Remember?

Not a member? Please join
2-Oct 4:22 UTC
[0.052] 10.628k
Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

[REBOL] Re: Preventing Automated Website Registrations

From: pwoodward:cncdsl at: 8-May-2002 17:38


Joel -

not a bad idea to eliminate the overhead of image generation.  However....
(there's always a however) having used web automation tools like the ones
from Orsus (http://www.orsus.com/) the mechanism for easy image generation
you describe is "easy prey".

For a previous employer I built a cross-registration system for site
members.  Essentially their business model was to partner with several
e-commerce sites, and then get their members cross-registered at them.  They
wanted it so that their members would only have to enter their user data
once, and it would be stored as a super-set of the data needed to cross
register them at any partner sight on demand.  We used Orsus's tools to do
this.  It took about a day per site.

For an example of a site that uses this type of web automation, check out
www.dealtime.com.  They use the Orsus product to preform aggregate searching
across a whole bunch of e-commerce sites.  The "buy it" button at dealtime,
actually automates the whole checkout process.  In a sense the Orsus product
is a "screen scraper" in that it actually browses to the target web site for
the user of your site.  In reality it's a pretty sophisticated piece of
work.

As it retrieves HTML data from sites, it converts them (if needed, on the
fly) to XHTML.  You can then use XQL (XML Query Language) against the page
data.  In turn, you can use regular expressions on that data.  If you are
familiar with ASP (VB) or JSP (Java) results of page data could be handed
back to your calling script as recordset or resultset objects, respectively.

Parsing for the named numbers of a set of generated images would be the work
of about 15 minutes with a tool like this.  It might take longer with some
of the free screen scraping Perl libraries - but not much.

In short - always generating an image named "imagecode.png" or something
would be better - especially if the contents of that image are generated on
the fly.  That way, the image name stays the same, and gives no clue as to
the content of the image.  While the cost of generating that image may be
expensive - the effort and computation required to automate interpretation
of that image is more expensive still.

A possible extension to security might be to have the user save that image
to their own hard disk.  Instead of using a standard username and password
to login - maybe use a multipart form, with an upload field...  Everytime
they want to login, they upload their image...  Again, there would be a
computing and bandwidth cost, but there's also the question of cost from
breached security.

- Porter

1 · 2 · 3 · [4] · 5 · 6 · 7 · 8 · 9 · 10 · 11 · See whole thread