Subject: Re: Chinese downloads overloading my website
From: blockedofcourse (at) *nospam* foo.invalid (Don Y)
Newsgroups: sci.electronics.design
Date: 15. Mar 2024, 00:38:00
Organization: A noiseless patient Spider
Message-ID: <usvu8g$1slrq$2@dont-email.me>
References: 1 2 3 4 5 6 7 8 9 10 11 12
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
On 3/14/2024 9:26 AM, Peter wrote:
> Don Y <blockedofcourse@foo.invalid> wrote:
>> (Without having seen them...) Can you create a PNG of a group
>> of them arranged in a matrix? Then, a map that allows clicking
>> on any *part* of the composite image to provide a more detailed
>> "popup" to inspect?
>>
>> I.e., each individual image is a trip back to the server to
>> fetch that image. A single composite could reduce that to
>> one fetch, with other actions conditional on whether or not
>> the user wants "more/finer detail".
>
> All of this "graphical captcha" stuff is easy to hack if somebody is
> out to trash *your* site.
If you are *targeted*, then all bets are off. At the end of the
day, your adversary could put a REAL HUMAN to the task of hammering
away at it.
> For example, I run some sites and paid someone 1k or so to develop a
> graphical captcha. It displayed two numbers as graphic images and you
> had to enter their product, e.g. 12 x 3 = 36.
>
> A friend who is an expert at unix spent just a few minutes on a script
> which used standard unix utilities to do OCR on the page, and you can
> guess the rest.
But a *bot* wouldn't know that this was an effective attack.
It would move on to the next site in its "list" to scrape.
If you use a canned/standard(ized) captcha, then a bot can
reap rewards learning how to defeat it -- because those
efforts will apply to other sites, as well.
[Some university did a study of the effectiveness of
captchas on human vs. automated clients and found the
machines could solve them better/faster than humans]
If you want to make something publicly accessible, then
you have to assume it will be publicly accessed!
I operate a server in stealth mode; it won't show up on
network probes so robots/adversaries just skip over the
IP and move on to others. Folks who *should* be able to
access it know how to "get its attention".
Prior to this "enhancement", I delivered content via email
request -- ask for something, verify YOU were the entity that
issued the request, then I would email it to you.
This was replaced with "then I would email a unique LINK
to it to you".
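The "unique LINK" mechanism in the last paragraph, written out as an added example. This is not Don Y's code; the post only describes the behaviour (verify the requester, then e-mail a link that is specific to that request). The example assumes the requester's address has already been checked out-of-band, that the server holds a secret key and a record of links already redeemed, and it uses placeholder names throughout: the host example.invalid, the LinkIssuer class, the query parameter names, and a SERVER_KEY generated at import only so that the snippet runs stand-alone.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed/hypothetical: a real server loads a persistent key from a file or
# secret store; generating one at import is only to make this example runnable.
SERVER_KEY = secrets.token_bytes(32)
BASE_URL = "https://example.invalid/fetch"   # placeholder host, not the poster's


class LinkIssuer:
    """Mint and redeem one-time, expiring download links.

    Each link binds the requested item, the verified requester address, an
    expiry time and a random nonce under an HMAC. Tampering with any field
    breaks the MAC; the nonce makes every link unique and lets the server
    refuse a link that has already been used (or scraped and replayed).
    """

    def __init__(self, key: bytes = SERVER_KEY, ttl_seconds: int = 3600, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._now = now                      # injectable clock, for testing expiry
        self._redeemed: set[str] = set()     # nonces already used; persist this in practice

    def _mac(self, item: str, email: str, nonce: str, exp: int) -> str:
        msg = "|".join([item, email, nonce, str(exp)]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, item: str, email: str) -> str:
        """Return the URL to e-mail to `email` once their request is verified."""
        nonce = secrets.token_urlsafe(16)
        exp = int(self._now()) + self._ttl
        query = {
            "item": item,
            "to": email,
            "n": nonce,
            "exp": exp,
            "sig": self._mac(item, email, nonce, exp),
        }
        return f"{BASE_URL}?{urlencode(query)}"

    def redeem(self, url: str) -> tuple[bool, str]:
        """Validate a presented link. Returns (ok, item) or (False, reason)."""
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        try:
            item, email, nonce, sig = params["item"], params["to"], params["n"], params["sig"]
            exp = int(params["exp"])
        except (KeyError, ValueError):
            return False, "malformed"
        # Check the MAC first, in constant time, so a forged link learns nothing
        # about whether its nonce or expiry would otherwise have been accepted.
        if not hmac.compare_digest(sig, self._mac(item, email, nonce, exp)):
            return False, "bad signature"
        if self._now() > exp:
            return False, "expired"
        if nonce in self._redeemed:
            return False, "already used"
        self._redeemed.add(nonce)
        return True, item
```

The link carries the item name and recipient address in the clear; the MAC makes them tamper-evident, not secret, so the URL still has to travel over TLS and by e-mail to the address that was verified. The redeemed-nonce set is the part people forget: kept only in memory it is lost on restart, and the link becomes reusable again.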
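The post does not say how the "stealth mode" server is made to notice the people who should reach it; port knocking is one common way to do that, and this added example (not Don Y's code, and not necessarily what he runs) assumes it. KnockGate, the port numbers and the addresses are made-up names and values. It also shows the classic mistake: a knock sequence that rises monotonically is completed by any ordinary sequential port scan, which is exactly the probe the server is supposed to hide from.

```python
import time


class KnockGate:
    """Per-source port-knock tracker (assumed mechanism, not from the post).

    The firewall drops everything by default, so probes see nothing. A source
    address is let through to the hidden service only after it hits the secret
    port sequence in order, each knock within `window` seconds of the last.
    """

    def __init__(self, sequence, window=5.0, open_for=30.0, now=time.time):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._now = now                # injectable clock, for testing timeouts
        self._progress = {}            # src -> (index of next expected port, time of last knock)
        self._open_until = {}          # src -> time at which access closes again

    def knock(self, src: str, port: int) -> bool:
        """Record one connection attempt from src to port.

        Returns True on the knock that completes the sequence."""
        t = self._now()
        idx, last = self._progress.get(src, (0, t))
        if t - last > self.window:
            idx = 0                    # too slow: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
        else:
            # Any wrong port resets progress (a correct first port restarts it),
            # so a scanner walking ports in ascending order never gets past the
            # first element of a non-monotonic sequence.
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._open_until[src] = t + self.open_for
            return True
        self._progress[src] = (idx, t)
        return False

    def is_open(self, src: str) -> bool:
        """Would the firewall currently pass src through to the hidden service?"""
        until = self._open_until.get(src)
        return until is not None and self._now() < until


def survives_sequential_scan(gate: KnockGate, src: str) -> bool:
    """Simulate a scanner from src trying every TCP port in ascending order
    (constructed input); True if the gate is still closed to it afterwards."""
    for port in range(1, 65536):
        gate.knock(src, port)
    return not gate.is_open(src)
```

Two caveats a practitioner would add. Knocks travel in the clear, so anyone on-path can record and replay them; the gate hides the service from blind probes, it does not authenticate anybody, which is why single-packet authorization (a signed, non-replayable packet instead of a port sequence) is generally preferred where the threat includes an observer. And the open window is per source address, so a user behind the same NAT as an attacker opens the door for both.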