

Sony's Captcha. View source to see why they don't "get" security - bluesmoon
http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp

======
emilsedgh
Why are they disabling right click? I mean, captcha is there to stop bots.
Bots have no 'right click'.

My guess is that the programmer didn't really know the reason for using a
captcha. He has seen captchas in other places (and how irritating they are)
and has tried to copy them.

Or am I missing a certain point?

~~~
palish
I was about to complain that Chrome wasn't popping up the context menu on
right-click.

So the .js file is disabling right click? How exactly do I look at the source
without it? Hmm.

Aha: "Wrench icon" -> Tools -> View Source

~~~
gregschlom
Or Ctrl+U :)

~~~
InclinedPlane
Or _wget (url)_

~~~
RyanKearney
Or curl (url)

Or telnet to port 80

Are we really going to list every possible method?

~~~
InclinedPlane
Well no, the point is that there are many, it's trivial to get the source of a
web page. "Disabling" the context menu on a web page is nothing more than a
giant billboard shouting to the world that you are childish, ignorant, and
unsophisticated.

------
rimantas
No, submitters get neither security nor what a captcha is for.

codinghorror.com (iirc) was using a "captcha" which never changed, you just had
to enter "orange". Or was it tbray.org? Anyway, Atwood claims that the naive
approach was 99.9% effective:
http://www.codinghorror.com/blog/2006/10/captcha-effectiveness.html

My position is that ANY form of captcha which requires some action by visitor
is broken by design and should not be used at all.

A simple captcha like this will stop most of the automatic, non-targeted attacks.
And if someone decides to write a CAPTCHA breaker specifically for this site,
nothing can help—then you either degrade to the level that even humans cannot
say what characters are on the screen or it is cheaper to hire Mechanical Turk
to do the job.

~~~
seanalltogether
My blog simply fills in a hidden value using javascript when you press the
submit button, it has stopped 99% of all spam for me.

You're right, captchas aren't supposed to be difficult, they're just supposed
to prevent automation.

~~~
InclinedPlane
Captchas have 2 purposes. First, prevent simple fly-by bots from spamming
sites. Case in point, blog software is dominated by a few big players (e.g.
wordpress) and many blogs allow anonymous comments, without something like a
captcha it's a simple matter to create a spam bot that runs through a list of
sites and spams ads or what-have-you in comments.

Second, captchas are designed to prevent automation entirely, including custom
made automation targeted to a specific site. This sort of thing is less
important for, say, blog comments since the value of a typical blog comment is
extremely low. But there are lots of free accounts out there, for example, and
if you use automation to set up new accounts you may be able to game certain
systems to your advantage, corrupting the normal process of the market.

------
wccrawford
Just for fun, I decided to see how hard it would be to solve this captcha with
jQuery. It's worse than I thought.

answer = $("#captchdiv span b").text();

... OMG.

~~~
AltIvan
you don't even need jquery:
document.getElementsByTagName("tbody")[1].innerText.replace(/\s/gi,"")

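The two one-liners above pull the answer out of the live DOM. As an added example (not code from this thread or from Sony's page), here is the same extraction done offline over the raw markup that VonGuard pastes further down in this thread; the enclosing table, tbody and tr are assumed. This is how a bot would read the page: it fetches the response with curl or wget and never runs the script that disables right click, so the styling and the context-menu handler are irrelevant to it.

```javascript
// Added example (not from the thread or Sony's page): solve the captcha from
// raw HTML, no browser needed. The <td> cells are the ones VonGuard pasted in
// the thread; the surrounding <table>/<tbody>/<tr> wrapper is assumed.
const sampleHtml = `
<table><tbody><tr>
<td width="34" align="center" valign="top"><span style="font-family:cursive; FONT-SIZE:13.2 pt; color:#FFFFFF; text-decoration:none;"> <b>P</b></span></td>
<td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>U</b></span></td>
<td width="34" align="center" valign="top"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>W</b></span></td>
<td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>W</b></span></td>
<td width="34" align="center"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>Q</b></span></td>
</tr></tbody></table>`;

// Structured approach (what the jQuery selector does): each glyph is the text
// of a <b> inside a <span> inside a <td>. The valign top/bottom jitter, the
// cursive font and the colour are styling only; they never change the markup
// a bot reads, so the letters come out in document order.
function solveCaptcha(html) {
  const cell = /<td[^>]*>\s*<span[^>]*>\s*<b>([^<]*)<\/b>\s*<\/span>\s*<\/td>/gi;
  const letters = [];
  let m;
  while ((m = cell.exec(html)) !== null) {
    letters.push(m[1].trim());
  }
  return letters.join('');
}

// Text approach (what the innerText one-liner does): drop every tag, then
// every whitespace character. Works as long as the table holds nothing but
// the captcha glyphs.
function solveByText(html) {
  return html.replace(/<[^>]+>/g, '').replace(/\s/g, '');
}

// Both paths read the same five letters from the same response.
console.log(solveCaptcha(sampleHtml), solveByText(sampleHtml));
```

Either function run over the real response gives the string to paste into the form; the only thing standing between a bot and a "solved" captcha is one regex.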
------
timmyd
For

tl;dr - <http://i52.tinypic.com/2hpjg5v.jpg>

;)

Edit: Disable right click ? Surely not ....
<http://i54.tinypic.com/2mzjcl3.jpg>

~~~
sek
I was thinking these were individual images, which would be stupid enough, but
this....

~~~
romland
Heh. I took the advice, went in and checked source expecting to see the
captcha string in a hidden form element.

I use NoScript and Sony.com is not on my whitelist (read: I could just
select/copy the string).

This was worse than I imagined.

------
biot
Previous discussion: <http://news.ycombinator.com/item?id=2755716>

------
VonGuard
Pure fucking gold:

    <td width="34" align="center" valign="top"><span style="font-family:cursive; FONT-SIZE:13.2 pt; color:#FFFFFF; text-decoration:none;"> <b>P</b></span></td>
    <td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>U</b></span></td>
    <td width="34" align="center" valign="top"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>W</b></span></td>
    <td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>W</b></span></td>
    <td width="34" align="center"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>Q</b></span></td>

------
clord
This is an excellent example of cargo cult thinking. If we build the airports
and control towers that look right, the cargo will flow!

------
xentronium
On the bright side, users with terminal browsers, like Lynx, can enter the
captcha text :)

------
sek
I hope Sony is building a centralized IT division after the PSN outage and all
these embarrassing websites will be gone soon. If they don't, then their CEO
should be fired for ignorance.

I would be interested in the internal structure that leads to these incredibly
unprofessional results; there has to be something fundamentally wrong.

I'll make a guess, because when you think about it, this whole thing is generated
with css and html. It is so funny that with all these horizontal lines it
looks like a real Captcha but it isn't. This was just built to satisfy some
manager who didn't accept/know that their team isn't trained in image
generation techniques. There was some deadline that needed to be satisfied and
they were forced to do this.

~~~
sesqu
I seem to recall a comment somewhere from a Sony employee about how they
already have one, it's just that many websites are built by the individual
product teams (often marketing).

------
extension
Or just cut and paste:

D F T L F

And they use a goofy font that is hard for humans to read but would be trivial
for a machine to recognize, if it actually had to. Too funny.

------
d0ne
All CAPTCHAs are nothing more than a cat and mouse game where the mice are
/always/ faster than the cats.

The point CAPTCHA developers always seem to miss is that you must render the
visual to the screen, or the audio to the speakers, so that the end user can
process the information and pass the test.

These tests, by design, are finite in the case of human generation or
algorithmic in the case of random text / pictures.

No matter the case, automation developers have more available options to pass
the tests than the CAPTCHA developers have to generate. Why?

Because an automation developer who deems an application's data valuable enough
to acquire will not rely on technology alone to solve the problem. If they are
unable to develop an efficient and reliable technology to pass the test for
the intended application they will employ a semi-automated approach that
involves real live humans.

If the automation developer outsources this semi-automated component there
exist services that employ hundreds of individuals per shift to do nothing but
solve CAPTCHA challenges through an API with the automation developer's
system. These services cost less than $2 per 1,000 /solved/ CAPTCHAs. If the
automation developer is of any stature they will have their own facility and
the price comes down to $1.50 or less per 1,000 /solved/ CAPTCHAs.

The feedback loop for the CAPTCHA developer is plain broken. The security
mechanism is designed to validate that the request is from a real human and
the automation developer, when presented with a technical challenge not worth
technically innovating around, will just employ low cost real humans.

~~~
reso
Human labour is thousands of times slower and thousands of times more
expensive (even at $2.00 per 1000) than automated solving. The fact that
spammers have been forced to use such inefficient solution techniques is proof
of the captcha technique's efficacy.

Consider if these captchas were not in place. By the above logic, there would
be thousands of times more spam on sites like Google and Facebook.

~~~
d0ne
While I agree that human labor is thousands of times slower and thousands of
times more expensive than an all computational solution that is not the point
most of the time for automated systems.

In the case of messages and wall posts on Google or Facebook, once a CAPTCHA is
solved you get to send N messages before the next one is popped up. Without
the CAPTCHA you could only go so fast anyway due to general rate limits, so the
impact on spam, for either service, is minimal.

In the case of account creation in general the limit for automated systems is
more heavily dependent on diversified proxy access than anything else.
Additionally, you can only effectively manage so many accounts at one time
depending on your needs, and CAPTCHAs do not add more than a few % time delay to
the overall account creation process.

------
NSMeta
It's funny because this captcha probably required more work (disable right
clicks, render tables, etc.) in contrast to a proper one, i.e. assuming they
were allowed to use an image generation library.

------
reve
They just don't get the right people to do this kind of thing. I used to work
for a Japanese company, and to me it seems like they don't consider skilled IT
workers important.

------
bbaugh
Does anyone have a link to a page where this is actually used? It seems too
ignorant (even for Sony) to contain the actual captcha value within the
source.

~~~
Leynos
It's used on this page here:

http://pro.sony.com/bbsc/ssr/mkt-security/support.form.bbsccms-support-securityaecompsignup.shtml

Which redirects you to a "down for maintenance" notice.

~~~
lachenmayer
Very ironic that this is on a site for "Sony Security"...

------
cfontes
Yeah Lame... now I get why that guy alone could hack the PS3 unhackable lock.

------
dlikhten
Here's the problem with Sony's captcha. If you are dealing with a small site
that nobody gives a shit about, asking users to answer "what is one plus two"
and ALWAYS accepting an answer of 3 is enough. If you are Sony, you need better
because there are many visitors and thus it's an issue. I implemented a
honeypot/time analysis/js assembly tool in a few hrs; I'm sure Sony engineers
can do better in a day. But I guess not, since Sony is not exactly known for
its good web developers.

------
canadaduane
I wonder if this is the result of divvying up the work and outsourcing to
various groups? i.e. no individual group knows what is going on, they just
have certain objectives they must do in order to get paid. Such as, "Create a
web page with 5 random letters that a person needs to type in order to get to
the next page..." Perhaps "CAPTCHA" wasn't even in the design description?

~~~
JoeCortopassi
No reason for this to be downvoted

------
rch
How about a version that asks users to enter highlighted text out of a short
paragraph?

The portion of text that would be perceived as highlighted would be
subjective enough to avoid non-specific, casual attacks, but wouldn't
sacrifice readability or ctrl-c-ctrl-v.

e.g. red adjacent magenta vs. magenta adjacent blue

------
prasunsen
I use captchas that set a hidden field value through javascript (the user does
not enter anything). It takes a second to view source and figure out what
you should enter. Despite this, the captcha works 100% and spam stops. Unless
spammers target your own site manually, such a solution is good enough.

------
slyall
The point of the Captcha is to block fraud and bots. If it is good enough to
do this then who cares how it is implemented.

Obviously it is useless against a bot written to spam the specific sites this
is on but I assume it will stop a generic bot (eg forum spamming one).

~~~
emilsedgh
"Come on, thats good enough" is probably the root of most security issues ;)

"Sorry. Security is not optional". -- A kde developer whom I can't remember

Edit: added the quote.

~~~
geon
Spam prevention is not a matter of security. It is completely orthogonal.

------
vhackish
I like the 13.2pt font - 12 or 16 would just be too obvious. But 13.2? Now
_that_ is security!

------
wccrawford
I'm horrified every time I see this.

------
rbanffy
I once encountered a

<img src="captcha.cgi?v=ABCDEF">

I laughed a lot.

------
rossriley
That cannot be for real? Anyone know where this is used in context?

------
bugsy
This is not really a security issue, it's an anti-spam issue.

------
singular
Right click works in chrome 12.0.742.122 / os x and when you right click on
letter x it comes up with an option "Search Google for 'x'"...

------
greg_gti
That's the funniest thing i've seen all week

------
insraq
They only disable right click and selection and they think people will never
know?

~~~
watmough
"Browser security. It does nothing!"

------
senthilnayagam
IBM Software Development Platform? What development tool do they use?

------
draftable
Didn't someone already share this like 2 weeks ago?

------
btraut
So this is why PSN was hacked? Were the user passwords also served to users in
plain-text and evaluated in Javascript?

------
alz
wow... that is really bad

------
alimoeeny
Unbelievable!

