
G-WAN Captcha Decode - samuirai
https://gist.github.com/2932918
======
qxcv
This is something I find absolutely bizarre: for every person who is willing
to make ridiculously exaggerated claims about something, there are _thousands_
willing to believe them. One example which springs to mind is the "spam free
wordpress" plugin[0], which claims to use "anonymous password authentication
to block 100% of all comment spam with zero false positives."

As it turns out, "anonymous password authentication" means that it gives you a
randomly generated string which you have to copy and paste into another box
each time you submit a comment. It sounds like something a machine could do
because _it is something a machine could do_ with ease. And yet nobody seems
to have noticed this for two reasons:

1) The author deletes all the comments on his blog questioning _why_ the
system works

2) It has a 4.5 star rating on the WordPress plugin DB

As a result, the author is _still_ making ridiculously exaggerated claims
about the capability of his system, like "If Gawker had been using the
anonymous password authentication built into Spam Free WordPress this incident
[the Gawker break-in in 2010] would not have happened." Another gem is
"CAPTCHA is not used because it is hard to read, unnecessary, easily cracked,
and reduces the number of real comments substantially."

So there it is, another snake-oil salesman spreading FUD and making users (of
some very popular websites[1]) suffer.

[0]: <http://www.toddlahman.com/spam-free-wordpress/>

[1]: <http://www.raspberrypi.org/>

~~~
unimpressive
> [1]: <http://www.raspberrypi.org/>

If I had not witnessed that, I would never believe that it happened. _The
Raspberry Pi team fell for something that any kid who can write a python
script should have known had the utility of a voodoo incantation?_ I'm
floored.

------
degenerate
Pierre (the sole G-WAN author) says some funny things. He also defends G-WAN
using dummy accounts all over the internet (StackOverflow, Reddit, Wikipedia,
etc). You can respect his coding knowledge if you can force yourself to ignore
his high claims and self-importance. But good job tearing the captcha apart!

~~~
tylermenezes
> You can respect his coding knowledge if you can force yourself to ignore his
> high claims and self-importance.

Still seems totally insane to me. The extent of his features is things like
"DNS lookups are asynchronous in all libraries".

------
dewiz
I was looking at gwan with some friends a year ago; at that time it was
presented as a C-script-page server. The idea of scripting with C was
intriguing. But then, it just didn't work: it was unstable, and the author
claimed to be a victim of some odd spy-movie-like conspiracy... that was really
weird... and funny somehow.

And the company name "TrustLeap"... seriously? <http://trustleap.ch> has
disappeared, by the way... here you go:

<http://web.archive.org/web/20110707004226/http://www.trustleap.ch/>

<http://web.archive.org/web/20091028041609/http://trustleap.ch/en_timeline.html#finama>

<http://web.archive.org/web/20110707004059/http://www.trustleap.ch/en_technology.html>

Now it looks like they have redesigned the site, changing their target and
adding new buzzwords here and there (removing the obsolete buzz no one is using
anymore).

see also <http://news.ycombinator.com/item?id=2776927>

And to be honest, this kind of restriction on a web server sounds crazy:

> “Server identification field” means the field in the response header which
> contains the text “Server: G-WAN/x.x.x” where “x.x.x” is the program version
> number.
>
> You agree not to remove or modify the server identification field contained
> in the response header.

Funny stuff!

------
readme
Well done.

Except, I'm pretty sure the gwan guys are just a very sophisticated group of
trolls.

I'm going to go out on a limb and say if you test their web server yourself
you'll find that their claims are false, and that the reason it's closed
source is because the joke would be too obvious if we could simply take a
quick look.

In any event this is all hilarious.

Now, I hope someone with the time and curiosity will do this... and publish
some actual benchmarks of gwan so this controversy can finally end.

~~~
merlincorey
In the last GWAN thread[1] a user[2] who said they have been using it for a
year claimed it was all quite true. The intimation in this thread is that it
was actually the author himself sockpuppeting. Indeed, the account had only had
3 comments in the last year[3] until the whole GWAN thing, which is certainly
suspicious, though certainly no proof.

[1] <http://news.ycombinator.com/item?id=4109698>

[2] <http://news.ycombinator.com/user?id=ers35>

[3] <http://news.ycombinator.com/threads?id=ers35>

------
ElliotH
The more I see of 'original' captchas, the more I think people should be
taking the same attitude towards captchas as they do to cryptography. Just use
a well known library that has proved to be hard to break by the test of time
and heavy use.

~~~
merlincorey
Like ReCaptcha? Man, I was signing up for something last night and failed to
solve it 3 times. Captchas are getting harder for humans to solve than bots -
is this really a good thing?

~~~
ElliotH
(is your ReCaptcha reference to it being broken? If so then I think my point
is proved by how quickly it was fixed)

As for making it harder for humans, I very much see your point, but the
solution isn't to come up with some of the trivial captchas that many come up
with by themselves.

------
ers35
[Reposted from <http://news.ycombinator.com/item?id=4113609>]

That example is easy to solve because it is not using any of the provided
techniques that make it more difficult for robots to solve the CAPTCHA:
"changing the HTML background color based on: mouse cursor hovering, previous
state or input or shared secret"

The purpose of the example is to give you a basis on which you could implement
an effective CAPTCHA.

The claim of "difficult or even completely impossible for robots" applies to
CAPTCHAs using the above techniques, which are not used in the example.

~~~
Animus7
So you're implying that if you changed the HTML colors based on mouse events,
the claim of "difficult or even completely impossible for robots" would hold?

Such a claim would be no less ludicrous.

I'd put my money on there being hundreds of people on Hacker News alone that
could script a DOM-monkeying cracker for such a system. That runs with ~100%
accuracy. And in under an hour of coding.

This Captcha strategy is so absolutely terrible in light of modern libraries
that I'm honestly shocked you feel the need to defend it.

~~~
ers35
The best way for me to solve this dispute is to implement a CAPTCHA using some
of the proposed techniques. If I fail, then I was mistaken. If I succeed, then
maybe people will give G-WAN a try.

------
danso
I didn't read through all his code...but wouldn't OP's approach only work if
they used the same GIF over and over?

In any case, it seems trivially easy to break. Just capture the image. Read
the background color value. Generate the image (with the background color) in
ImageMagick and run through your OCR of choice. Obviously, that's not the
fastest way to do it if you're trying to do thousands of attempts at once, but
it's the least brainpower-involved.

~~~
3JPLW
No, he just hard-coded the number shapes. As long as the numbers used the same
font as the example (and don't overlap), it should work just fine.

OCR would probably be more robust in general (for varying fonts and number
shapes)... but it's simply absurd to call G-WAN's scheme a better captcha.
More obscure and less targeted? Perhaps.
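
As an added illustration of 3JPLW's point (and of the template-vs-OCR contrast danso raises), not code from the original gist: a constructed 3x5 bitmap digit font is rendered at fixed positions, and a decoder recovers the digits by exact template matching at the glyph pitch it assumes. It decodes a correctly aligned rendering perfectly, and the very same matcher fails as soon as the glyphs are shifted or touch, which is the fixed-font, no-overlap assumption the comment names.

```python
# Constructed 3x5 bitmap font ('#' = ink, '.' = background); not G-WAN's font.
FONT = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": ["..#", "..#", "..#", "..#", "..#"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"],
    "5": ["###", "#..", "###", "..#", "###"],
    "6": ["###", "#..", "###", "#.#", "###"],
    "7": ["###", "..#", "..#", "..#", "..#"],
    "8": ["###", "#.#", "###", "#.#", "###"],
    "9": ["###", "#.#", "###", "..#", "###"],
}
W, H, GAP = 3, 5, 1  # glyph width, glyph height, background columns between glyphs


def render(digits, gap=GAP, offset=0):
    """Draw digits left to right on a fixed grid: `gap` background columns
    between glyphs and `offset` background columns before the first one."""
    return ["." * offset + ("." * gap).join(FONT[d][y] for d in digits)
            for y in range(H)]


def decode(rows, gap=GAP):
    """Slice the image at the pitch the decoder *assumes* (W + gap) and compare
    each cell byte-for-byte with the hard-coded glyphs. A cell that matches no
    glyph is reported as '?', so any misalignment shows up immediately."""
    pitch = W + gap
    out = []
    for x in range(0, len(rows[0]), pitch):
        cell = [r[x:x + W] for r in rows]
        hits = [d for d, glyph in FONT.items() if glyph == cell]
        out.append(hits[0] if hits else "?")
    return "".join(out)


if __name__ == "__main__":
    aligned = render("2012")
    print("\n".join(aligned))
    print("aligned  ->", decode(aligned))                 # 2012
    print("touching ->", decode(render("42", gap=0)))     # 4?  (glyphs touch)
    print("shifted  ->", decode(render("42", offset=1)))  # ??  (one-column shift)
```

The decoder has no notion of shape, only of position: that is why it is 100% accurate on the aligned grid and useless one column away from it.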

~~~
samuirai
I thought about using OCR, just to over-engineer it. But I wanted to show how
the characters are perfectly aligned and how clear the font is. I would like
to understand what he thought made this Captcha so special.

~~~
merlincorey
I need two more points to make up for the haters.

Come find us?

------
nechtan
I think this Captcha algorithm is optional. I'm using G-WAN, and I implemented
another CAPTCHA algorithm in C. I like it when someone proves that something
is unsafe. It's inspiring to improve our applications.

------
epoxyhockey
I've never even heard of G-WAN until now, so I guess it's working..

~~~
Ygg2
G-Wan is like the Great Old ones. It's time to forget it again...

------
ewebbuddy
How about using NoCaptcha technique?

------
jakislogin
All the people who made something fantastic were, in some part, crazZzyYy.

But I think the G-WAN author needs to chill out and start re-thinking.

G-WAN should be OK for e.g. a CDN.

For hosters:

* an option to turn off the scripting language is needed
* support modules like in Apache
* support .htaccess

For me:

* add fcgid, but something better and faster is possible; show that PHP on
  G-WAN can be blazingly fast
* add modules: session, mongodb, redis, etc.
* it should be an OK replacement for Apache
* recode a version for Windows for developers

Go to some IT conference, run 2 machines (NginX fully optimized for speed +
Gigabyte network) and show people how it works: CPU usage and requests per
second to compare.

------
merlincorey
For Fabian Fäßler, from DC949 chat:

    <@merlin_> do we know this guy?
    ... snip ...
    <@merlin_> """Today I had my first lightning talk at #BerlinSides_0x3"""
    <@Kos> OH YEAH
    <@Kos> that adude started following me a few weeks ago
    <@C-Ps> berlin sids is pretty slick
    ... snip ...
    <@Kos> I probably  meat that dude at berlinsides
    <@Kos> erm
    <@Kos> met
    <@savant42> meat, eh?
    ... snip ...
    <@C-Ps> do you often meat men in berlin?

Thank you for providing the lulz, as well as the link to stiltwalker!

~~~
merlincorey
Haters gonna hate! At least he replied above -- mission accomplished.

~~~
samuirai
I feel a bit observed and I don't know whether I should feel fear or joy...
I'm confused.

~~~
merlincorey
It was appreciation for your work and your link to ours, as well as an
invitation. So I would go more on joy, unless of course you are afraid of
hackers that like to drink and break things, not necessarily in that order,
but often.

