I thought about making this thread in a code forum, but it doesn't apply to PHP or ASP, it's really a more general thing. And before you go taking talk-u-pation away, I'm posting this so that web masters who want to secure parts of their site can know how these things are commonly broken, and avoid that. There are two security mechanisms people have talked about how to implement in these forums, so those are the two I'm going to write about.
The first are artificial stupidity tests. These are the opposite of artificial intelligence tests, where a person tries to figure out if they're talking to a computer or a human - Craig's List makes you type in those letters so the computer can tell whether you're a human or a computer robot worm.
All you need to laugh at these tests is a very simple database; XML will do. Two columns is all you truly need, but for the ambitious you can have three: the binary file, the "answer" that needs to be sent, and a hash value for the file if you want. So you answer one, put it in the database, answer another, put it in the database, and pretty soon, when they challenge you with a file, you can just find that file in the database, and there's the answer. At that point, your spam bot is set loose. You can get people to sit there and answer the files almost for free by giving them a hosting account, or access to porn sites, in exchange for their labor solving riddles. How do you fix this? Have lots and lots and lots of test images, or better yet, a script that generates them on the fly. Also put a short time limit on them.
The other one is so obvious I shouldn't have to point it out. But people who have sites with part open to everyone and part under lock and key, sometimes just use one password and send it out to users who pay for access. So, you buy one of those, and sell the password for half price. How do you fix that? Unique passwords for each user.
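A minimal version of the first fix the post describes (challenges generated fresh on the fly, each accepted once and only within a short time limit, so a lookup table of previously seen files is useless), as an added Python example that is not from the original post; the ChallengeStore class, its parameters, and the use of plain random text as a stand-in for the rendered image are assumptions:

```python
import hashlib
import hmac
import secrets
import string
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (the "short time limit")
ALPHABET = string.ascii_uppercase + string.digits


class ChallengeStore:
    """Issues fresh challenges and verifies answers once, within a time limit.

    Constructed example code. The random text stands in for the image that a
    real site would render per request; nothing is served from a fixed pool,
    so there is no file for a solver database to look up.
    """

    def __init__(self, ttl=CHALLENGE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # challenge id -> (sha256 of answer, expiry time)

    def issue(self, length=6):
        # Fresh random answer and an unguessable id for every request.
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        cid = secrets.token_urlsafe(16)
        digest = hashlib.sha256(answer.encode()).hexdigest()
        self._pending[cid] = (digest, self.clock() + self.ttl)
        return cid, answer  # answer goes into the image, cid into the form

    def verify(self, cid, submitted):
        # Single use: the entry is removed on the first attempt, right or wrong,
        # so a correct answer cannot be replayed and a wrong one cannot be retried.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self.clock() > expiry:
            return False  # too old: the time limit has passed
        got = hashlib.sha256(submitted.strip().upper().encode()).hexdigest()
        return hmac.compare_digest(expected, got)


def prune_expired(store):
    """Drop challenges past their expiry; returns how many were removed."""
    now = store.clock()
    stale = [cid for cid, (_, exp) in store._pending.items() if now > exp]
    for cid in stale:
        del store._pending[cid]
    return len(stale)
```

Because every challenge is generated at request time, two requests never share a file, so the per-file answer database the post describes has nothing to match against.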