Forum: Ruby Turing 0.0.7 && cry for help

lists+rubytalk (Guest)
on 2005-11-26 23:53
(Received via mailing list)
Hello all,

I have just released a new library for Ruby:

http://turing.rubyforge.org/

Turing is an implementation of Captcha (Completely Automated Public
Turing-Test to Tell Computers and Humans Apart) that is both easy to use
and easy to customize/extend.


It makes use of the excellent Ruby/GD2 gem released by Robert Leslie.


At this time there are three levels of abstraction you can use:

* Turing::Image - Simple obfuscated image generator with plugin design.

  ti = Turing::Image.new(:width => 280, :height => 115)
  ti.generate(File.join(Dir.getwd, 'a.jpg'), "randomword")

* Turing::Challenge: Captcha challenge generator and verifier.

  tc = Turing::Challenge.new(:store => 'store', :outdir => '.')
  c = tc.generate_challenge

  system("xv", c.file)

  puts "Enter solution:"
  r = $stdin.gets.chomp

  if tc.valid_answer?(c.id, r)
      puts "That's right."
  else
      puts "I don't think so."
  end

* Turing::CGIHandler: Simple Turing::Challenge wrapper designed to run
as CGI.

  tcgi_config = {
      :imagepath => "/imgs",
      :outdir => '/home/wejn/ap/htdocs/imgs',
      :store => '/home/wejn/ap/data/turing.pstore',
      :redirect_to => 'http://localhost:8000/secured/',
  }
  tcgi_config[:on_success] = proc do
      out = {}
      out[:headers] = {
          "cookie" => CGI::Cookie.new({
              'name' => 'turing_passed',
              'value' => 'true',
              'path' => '/',
              'expires' => Time.now + 3600*24,
              }),
          "dude" => "you_rock!",
      }
      out
  end
  Turing::CGIHandler.new(tcgi_config).handle

You can find (r)doc, gem and samples via the site mentioned above.

Rg,
            Michal S.

PS: This is my cry for help: I'm looking for a volunteer to help me
    perform end-user (and performance) test of Apache2 drop-in
    replacement for mod_auth that prevents (among other things)
    dictionary/bruteforce attacks against credentials. If it sounds like
    fun, please check out details: http://wejn.org/ta-rt.html
lists+rubytalk (Guest)
on 2005-11-27 00:45
(Received via mailing list)
Oh well :-/

Fixed bug in CGIHandler, so version 0.0.8 is out.

Also you can check out demo of CGIHandler here:

http://wejn.org/te/

M.
tom (Guest)
on 2005-11-27 04:23
(Received via mailing list)
On Sun, 2005-11-27 at 07:42 +0900, Michal wrote:
> Oh well :-/
>
> Fixed bug in CGIHandler, so version 0.0.8 is out.

Hm, you may want to do a 0.0.9... I think your gem was built with Ruby
1.8.3 and thus is experiencing this problem:

http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...

Yours,

Tom
lists+rubytalk (Guest)
on 2005-11-27 12:55
(Received via mailing list)
Hi,

> Hm, you may want to do a 0.0.9... I think your gem was built with Ruby
> 1.8.3 and thus is experiencing this problem:
>
> http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/...

yeah, it was :-( Is this bug fixed in 1.8.4_preview1 ?
Or -- is there a way to diagnose/fix the problem for 1.8.3 ?
I would prefer not to downgrade to 1.8.2 if there's a way.

Rg,
           M.
sylvain.joyeux (Guest)
on 2005-11-27 13:40
(Received via mailing list)
> yeah, it was :-( Is this bug fixed in 1.8.4_preview1 ?
> Or -- is there a way to diagnose/fix the problem for 1.8.3 ?
> I would prefer not to downgrade to 1.8.2 if there's a way.
You can patch rubygems/builder.rb with
http://rubyforge.org/tracker/index.php?func=detail...
lists+rubytalk (Guest)
on 2005-11-27 14:08
(Received via mailing list)
Hi,

> You can patch rubygems/builder.rb with
> http://rubyforge.org/tracker/index.php?func=detail...

excellent! Thanks!

Just released 0.0.9:
http://rubyforge.org/frs/shownotes.php?release_id=3633

Oh, and I added it to Rakefile so no /usr/lib/ruby/.../rubygems changes
are necessary ;)

If anyone is interested, the trick is overriding to_yaml method:

def spec.to_yaml
       out = super
       out = '--- ' + out unless out =~ /^---/
       out
end

on Gem::Specification instance :-) God bless Ruby's open classes :-)

Rg,
         M.
zimba.tm (Guest)
on 2005-11-27 14:49
(Received via mailing list)
I hope you're not using

"cookie" => CGI::Cookie.new({
             'name' => 'turing_passed',
             'value' => 'true',
             'path' => '/',
             'expires' => Time.now + 3600*24,
             }),

to test if the user is authenticated.

On 27/11/05, Michal <removed_email_address@domain.invalid> wrote:
> are necessary ;)
>
> Rg,
>          M.
> --
> # Michal Safranek, email:
> a=(("a".."z").to_a+["@","."]);p(("%b"%[0x645bbb83a6a496]
> ).scan(/...../).map{|x|a[Integer("0b"+x)]}.join.reverse)
>
>


--
Cheers,
  zimba

http://zimba.oree.ch
lists+rubytalk (Guest)
on 2005-11-27 15:01
(Received via mailing list)
Excerpt from http://turing.rubyforge.org/classes/Turing/CGIHandler.html
:

Please note: Using this script verbatim is like having no turing
challenge at all -- any non-braindead attacker will get around it in no
time.

M.
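
Added example, not part of the original thread or of the Turing library: the exchange above is about a `turing_passed=true` cookie, which any client can set for itself. One way to make the pass marker unforgeable is an HMAC-signed, expiring token; the `SignedPass` module and its method names are hypothetical, and the secret is assumed to live only on the server.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper (assumption), not part of the Turing library.
module SignedPass
  TTL = 3600 * 24 # same lifetime as the cookie in the thread's sample
  # Server-side secret; a real deployment would load it from configuration.
  SECRET = SecureRandom.random_bytes(32)

  module_function

  # The weak check discussed in the thread: the value is a constant,
  # so it proves nothing about who set the cookie.
  def weak_valid?(cookie_value)
    cookie_value == 'true'
  end

  # Token layout: "<expiry>.<nonce>.<hex HMAC-SHA256 over 'expiry.nonce'>"
  def issue(now = Time.now, secret = SECRET)
    payload = "#{now.to_i + TTL}.#{SecureRandom.hex(8)}"
    "#{payload}.#{mac(payload, secret)}"
  end

  # Accept only tokens this server signed and that have not expired.
  # Note: the token is not bound to a particular client or session.
  def valid?(token, now = Time.now, secret = SECRET)
    expiry, nonce, tag = token.to_s.split('.', 3)
    return false unless /\A\d+\z/.match?(expiry.to_s) && nonce && tag
    return false unless secure_equal?(mac("#{expiry}.#{nonce}", secret), tag)
    now.to_i < expiry.to_i
  end

  def mac(payload, secret)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
  end

  # Constant-time comparison so the tag cannot be recovered byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The value returned by `SignedPass.issue` would replace `'true'` as the cookie value, and the protected page would call `SignedPass.valid?` on the cookie it receives.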
speechexpert (Guest)
on 2005-11-27 15:45
(Received via mailing list)
Can someone show me a code snippet, including require '...' for
deflating a string with Zlib?
Thanks in advance
John B
lists+rubytalk (Guest)
on 2005-11-27 15:58
(Received via mailing list)
Hi,

> Can someone show me a code snippet, including require '...'
> for deflating a string with Zlib?

how about this:

require 'zlib'

Zlib::Deflate.deflate("abc")
# => "x\234KLJ\006\000\002M\001'"
Zlib::Deflate.deflate("a"*5000)
# => "x\234\355\3011\001\000\000\000\302\240\254\353_\302\024~@\001\000\000\000\000o\003Kof\362"

Zlib::Inflate.inflate(Zlib::Deflate.deflate("a"*5000)).size
# => 5000

M.
rosco (Guest)
on 2005-11-27 18:15
(Received via mailing list)
On Sun, 27 Nov 2005 12:05:35 -0000, Michal <removed_email_address@domain.invalid> wrote:

> Oh, and I added it to Rakefile so no /usr/lib/ruby/.../rubygems changes
> on Gem::Specification instance :-) God bless Ruby's open classes :-)
>
> Rg,
>          M.

Amen to that :). I've been hit with this same problem I think, so thanks
all from me too :)
langstefan (Guest)
on 2005-11-27 18:39
(Received via mailing list)
On Sunday 27 November 2005 17:12, Ross B. wrote:
> On Sun, 27 Nov 2005 12:05:35 -0000, Michal <removed_email_address@domain.invalid> wrote:
[...]
> >
> > Rg,
> >          M.
>
> Amen to that :). I've been hit with this same problem I think, so
> thanks all from me too :)

Great! Rant uses this trick now, too.

Thankfully,
  Stefan
tobias.luetke (Guest)
on 2005-11-28 01:28
(Received via mailing list)
Great work on the library!

On a semi-ontopic post I'd like to remind that if your page uses
captchas you should offer an alternative way of authenticating like
phone or email because they are also excellent at keeping out blind
people and people with other seeing disabilities.

E.g: don't use captchas, they are evil.
tsumeruby (Guest)
on 2005-11-28 01:48
(Received via mailing list)
On Monday 28 November 2005 08:27 am, Tobias L. wrote:
> Great work on the library!
>
> On a semi-ontopic post I'd like to remind that if your page uses
> captchas you should offer an alternative way of authenticating like
> phone or email because they are also excellent at keeping out blind
> people and people with other seeing disabilities.
>
> E.g: don't use captchas, they are evil.

Not really. Captchas which work properly are protection from automation
bots. I recommend taking some time to explore security and how damage
may be caused as an effect of not having any protection at all. This is
the real world we live in, not Pleasantville.

>
> On 11/26/05, Michal <removed_email_address@domain.invalid> wrote:
> > Hello all,
> >
> > I have just released a new library for Ruby:
> >
> > http://turing.rubyforge.org/

Great! :) This is a nice library to have for protecting sites.

Tsume
mental (Guest)
on 2005-11-28 02:33
(Received via mailing list)
Quoting T. <removed_email_address@domain.invalid>:

> Not really. Captchas which work properly are protection from
> automation bots.

Indeed.  Everybody knows the blind eat old people's medicine for
fuel.

For many sites, excluding the blind doesn't constitute "working
properly".

-mental
lists+rubytalk (Guest)
on 2005-11-28 10:32
(Received via mailing list)
Hi,

> On a semi-ontopic post I'd like to remind that if your page uses
> captchas you should offer an alternative way of authenticating like
> phone or email because they are also excellent at keeping out blind
> people and people with other seeing disabilities.

well, I'm aware of this issue ... I just didn't need to solve it right
away because the site(s) I'll be deploying this on are mostly "visual",
so having seeing disabilities is deal breaker anyway.

I'm willing to implement any reasonable protocol that will help disabled
people to successfully pass this authentication -- right now I'm just
a tad confused what it should be? Any good ideas/references?

Rg,
         Michal

PS: This is my cry for help again: I'm still looking for a volunteer to
    help me perform end-user (and performance) test of Apache2 drop-in
    replacement for mod_auth that prevents (among other things)
    dictionary (and bruteforce) attacks against credentials. If it sounds
    like fun, please check out details: http://wejn.org/ta-rt.html
hgs (Guest)
on 2005-11-28 14:03
(Received via mailing list)
On Mon, 28 Nov 2005, Michal wrote:

> Hi,
>
> > On a semi-ontopic post I'd like to remind that if your page uses
> > captchas you should offer an alternative way of authenticating like
> > phone or email because they are also excellent at keeping out blind
> > people and people with other seeing disabilities.
>
> well, I'm aware of this issue ... I just didn't need to solve it right
> away because the site(s) I'll be deploying this on are mostly "visual",
> so having seeing disabilities is deal breaker anyway.

I don't quite understand this.

You appear to be saying: "It's OK for my package to discriminate
against blind people, because I'm going to be doing that anyway."

So I must have misunderstood you, surely?
        Hugh
lists+rubytalk (Guest)
on 2005-11-28 14:39
(Received via mailing list)
Hi,

> > > On a semi-ontopic post I'd like to remind that if your page uses
> > > captchas you should offer an alternative way of authenticating like
> > > phone or email because they are also excellent at keeping out blind
> > > people and people with other seeing disabilities.
> >
> > well, I'm aware of this issue ... I just didn't need to solve it right
> > away because the site(s) I'll be deploying this on are mostly "visual",
> > so having seeing disabilities is deal breaker anyway.
>
> I don't quite understand this.

it might be b/c English is not my first language?

> You appear to be saying: "It's OK for my package to discriminate
> against blind people, because I'm going to be doing that anyway."

Nah, what I really mean is something like:

I developed this for my Master's thesis and I expect it to be used
(by me) at servers that have mostly "visual" content, thus I didn't
have to work on this issue in the first version.

Since I released it to public, I'm more than willing to make necessary
changes to the code to support other authentication methods -- I'm
just not sure what it should be (or how to implement "aural" captcha
for example).

I'm open to any suggestions and/or patches.

Sounds better?

Rg,
           Michal
hgs (Guest)
on 2005-11-28 15:08
(Received via mailing list)
On Mon, 28 Nov 2005, Michal wrote:

> Hi,
>
> > You appear to be saying: "It's OK for my package to discriminate
> > against blind people, because I'm going to be doing that anyway."
>
> Nah, what I really mean is something like:
>
> I developed this for my Master's thesis and I expect it to be used
> (by me) at servers that have mostly "visual" content, thus I didn't
> have to work on this issue in the first version.

Some consideration of accessibility issues might be a good thing to
write up, even if you don't have time to address them.  ["Audio
description", "tactile maps", "Living Paintings Trust" ] is probably
a sufficient list to get you started on accessibility techniques for
visual media.
>
> Since I released it to public, I'm more than willing to make necessary
> changes to the code to support other authentication methods -- I'm
> just not sure what it should be (or how to implement "aural" captcha
> for example).

Well, one possibility is textual only, accessible to deafblind people
as well:

http://www.rubyquiz.com/quiz48.html


I don't know what your website is for but there has been quite a bit
of work on voice browsers, and that is for sighted people.
http://www.w3.org/Voice/
>
> I'm open to any suggestions and/or patches.
>
> Sounds better?
>
> Rg,
>            Michal

        HTH
        Hugh
Pingu P. (Guest)
on 2007-03-20 20:11
What am I doing wrong? The text being rendered is very very small.
I have posted an example on www.reapfuels.co.uk,

any ideas?

Thank you
Matthew M. (Guest)
on 2007-03-21 00:31
(Received via mailing list)
On 3/20/07, Pingu P. <removed_email_address@domain.invalid> wrote:
> What am I doing wrong? The text being rendered is very very small.
> I have posted an example on www.reapfuels.co.uk,

Maybe explaining what you are trying to do would help?
Pingu P. (Guest)
on 2007-03-21 09:38
Hi Matthew, I am using the turing package to try and create captcha
images, I use the code:

ti = Turing::Image.new(:width => 280, :height => 115)
  ti.generate(File.join(Dir.getwd, 'a.jpg'), "randomword")


The image is generated fine, but the text is unreadably small.
unknown (Guest)
on 2007-03-21 12:39
(Received via mailing list)
Pingu P. wrote:
> Hi Matthew, I am using the turing package to try and create captcha
> images, I use the code:
>
> ti = Turing::Image.new(:width => 280, :height => 115)
>   ti.generate(File.join(Dir.getwd, 'a.jpg'), "randomword")
>
>
> The image is generated fine, but the text is unreadably small.
>

RTFM:
http://turing.rubyforge.org/classes/Turing/Image.html
Pingu P. (Guest)
on 2007-03-21 12:44
That's exactly what I followed.
Daniel -. (Guest)
on 2007-03-21 12:53
(Received via mailing list)
On 3/21/07, Pingu P. <removed_email_address@domain.invalid> wrote:
>
> That's exactly what I followed.
>
> --
> Posted via http://www.ruby-forum.com/.


never used this, but have you tried playing with the
req_size option in the write_string method?   it's about the only thing I
could see in the manual in my 2 sec look
Pingu P. (Guest)
on 2007-03-21 12:58
Thanks Daniel, I have looked at that method, but it's private, I don't
think I am supposed to use it.
Bertram S. (Guest)
on 2007-03-21 15:41
(Received via mailing list)
Hi,

On Wednesday, 21 Mar 2007, 19:59:21 +0900, Pingu P. wrote:
> Thanks Daniel, I have looked at that method, but it's private, I don't
> think I am supposed to use it.

See section "plugins".

Bertram
David M. (Guest)
on 2007-03-21 19:46
(Received via mailing list)
Pingu P. wrote:
> Hi Matthew, I am using the turing package to try and create captcha
> images, I use the code:
>
> ti = Turing::Image.new(:width => 280, :height => 115)
>   ti.generate(File.join(Dir.getwd, 'a.jpg'), "randomword")
>
>
> The image is generated fine, but the text is unreadably small.
>

Hence, a better subject line would be:  "Captcha generated by Turing
package is unreadably small"  which might catch the attention of people
who can help.

See also: http://www.catb.org/~esr/faqs/smart-questions.html


--
David M.
Maia Mailguard                        - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net