Overhead of precalculating figlet captchas

After recent news item on slashdot considering easy defeatability of certain type CAPTCHA I set out to investigate risk of easy defeatability of wbcaptcha, figlet based captcha.

First, pixelized image based approach. This could be feasible, but it needs some kind of a rendering system. Probably 'lynx --dump' would do the trick, then searching for something that looks like a captcha and rendering that with suitable, most easily identified font and processing that as a regular image. Most likely selecting color of font and expanding that to make insignificant spaces disappear.

With that approach, there's a snag. Visual text identifying has very big problems with overlapping characters. And with figlet that means option called smushing (and used in probability P(0.5)). I'd say that limits it to at most 50% hit rate, with heavy (at this point of time) calculations and rather complex image analysis. I kinda hope that people capable of doing it are doing better things :)

Another approach would be to simply pregenerate all the letter combinations captcha has, get MD5 sum of them and make database of combination (dictionary attack).

As for the feasibility: wbcaptcha uses 60 different characters in captcha and subsequent characters are independent of eachother (eg. it could be 'aaaa' as well as 'abcd'). It can use 2 different renderings of characters (smushed or plain) and there're several fonts available (I have 5 listed). Default length of captcha is 4 characters (not limited to). This means that there are 60^4*2*5 ~= 13*10^6 possible renderings of captcha with figlet. MD5 checksum is 16bytes in length when stored, if we add to this length of corresponding captcha, this becomes 20 bytes. In total this database would weigh at approximately 260 Megabytes.

That's little. It would probably take little time for some zombiefication software to generate that size of file and query it locally.

Againg, there's a snag. Upping the word length to 5 characters makes database 144Gigabytes in size, 6 characters makes that 8 Terabytes and 7 characters takes 509 Terabytes.

My conclusion is that at this time, with current default settings wbcaptcha can be a push-over defense, but with little hardening it could be rather formidable, if not entirely equivalent to image based captchas.

The equation for database size is 60^(number_of_characters)*2*5*20 bytes. You can easily evaluate it's size in google, for example: 60^8*2*5*20 bytes in terabytes.

CAPTCHA plugin for blosxom

Today's piece of code is a CAPTCHA plugin for blosxom. This one is based on ASCII art (there already is one that generates images) generating 'figlet' program.

You can see the effect by using the 'Post Comment' button below.

Things of note are that you will need to have 'figlet' installed, or alternatively just use the venerable BSD 'banner' program. Second thing is that you should configure wbcaptcha to be loaded before writeback (or other writeback -acting plugin, like wbnotify). So if your writeback is called '1writeback', call wbcaptcha '05wbcaptcha'.

The story.html setup can be tricky unless you use interpolate_fancy, with which it really isn't. Here is sample story.html for wbcaptcha. Look for things having wbcaptcha. Best of all, read documentation for plugin with 'perldoc wbcaptcha'.

You can download wbcaptcha - 2004-10-11 here.

Please note that this plugin only affects incoming comments/writebacks, not trackbacks. For more information please look at blosxom spam prevention wiki page.

I recently pondered wbcaptcha security in a short piece, it may be of interest.

Edit 2004-10-18: Bill Ward made his captcha plugin available.

Edit 2005-8-25: Warning about trackbacks and spam prevention link.

Packaged libgmail for Debian

I packaged libgmail, a python library handling messaging with Gmail for Debian.

Ok, did it actually quite a few days ago, but now took the plunge and arranged it so it could be apt-get install:ed.

To install and keep updated on this package, do following:

1. Add deb http://psavo.iki.fi/debian ./ to your /etc/apt/sources.list
2. apt-get update
3. apt-get install libgmail
4. (install some package that uses libgmail and use it)

The reason I packaged it is so that I can develop wmgmail, a DockApp gmail notifier with it.

Update: python-libgmail package has now entered Debian/unstable, I suggest using it. As of version 0.0.8-3 it has the patch that wmgmail relies on. My repo still has local versions, but they're unlikely to be updated.

Humanized dates/ages for blosxom

After seeing some places implementing humanized dates and ages (Gmail impressed me most :), I coded fluffydates -plugin for blosxom.

It's output is age of certain date or date's shorter/more readable form. It most often looks like this for dates: 0:02; Yesterday 9:44; Thursday 9:44; February 18; February 18, 2003. For age it would look something like this: 20 minutes; 9½ hours; 0¾ day; 1¼ days; 7½ months; 1¾ years.

It supports multilingual sites, a primary language can be chosen and other languages used via interpolate_fancy blosxom plugin. interpolate_fancy can also be used for accessing date translating functions to have more interesting effects.

Usage/installation is simple: drop it into your plugin folder, and place $fluffydate::story_date and/or $fluffydate::story_age in your story.html. For fancier accessing you'll need interpolate_fancy.

With interpolate_fancy, you can use four additional functions, human_storydate, human_storyage, short_date and date_to_age. Two former are almost same as those provided via variables, but these can be localized.

All four functions take two parameters, lang and short. lang tells which language to use (English and Finnish so far :) and short tells if shorter form of date should be used (Mon instead of Monday, etc.)

Example with interpolate_fancy:

• <@fluffydate.human_storydate output="Yes" lang="fi" short="1" /> This function is story-specific, so it's use makes any sense only for story.html. It doesn't take any input, so it's a singular tag.
• <@fluffydate.human_storyage output="Yes" lang="en" /> This is also singular tag.
• <@fluffydate.short_date output="Yes">10/15/2004 00:02:14</@fluffydate.short_date>
  <@fluffydate.date_to_age output="Yes">10/15/2004 00:02:14</@fluffydate.date_to_age> These are non-singular functions, they take input. They can be used as counters (For example 'always-correct' age counter :), or as I do, in writebacks.html (this works for writebackplus, by Fletcher T. Penney):
  

  ...
   <span class="writeback-date" title="$writeback::date">
      <@humandate.short_date output="Yes" short="1">$writeback::date</@humandate.short_date>
   </span>

Download fluffydate.

Updated 2004-10-18: fixed typo, fixed one close-shaved moment cutoff, fixed handling with not found dates (again, typo).

wmgmail, Yet another Gmail notifier.

Update: Available for download!
This one is a DockApp, intended for use with WindowMaker or fluxbox -window managers. It has a graphical configuration interface using GTK+.

Functionality includes:

• Checking for new mail in Gmail (strictly speaking it's using "is:unread" -query)
• Variable checking time (from 2min to several hours)
• GUI for settings
• Mail contents preview (shows same snippets that Gmail inbox does)

Download

Source distribution: wmgmail-0.5.0.tar.gz.
Debian users are welcome to use the repository I've set up at http://psavo.iki.fi/debian.

Dependencies

wmgmail has four dependencies. For absolute minimum utility you'll need python, pywmgeneral and libgmail. If you want graphical configuration and mail preview, you will also need reasonably recent (for GTK version 2) pygtk.

• python: Most distributions have it.
• pywmgeneral.
• libgmail.
• pygtk (Most distros have reasonably new).

Installation

Non-debian:

1. tar xvfz wmgmail-0.5.0.tar.gz
2. cd wmgmail-0.5.0
3. python setup.py install
4. Done. After this you should be able to start wmgmail by typing wmgmail.

Technoblabber

wmgmail is written in python and uses libgmail for interfacing gmail, pygtk for dialog interfaces and pywmgeneral for dockapp business. Great thanks to all respective authors.

By popular request

I updated the amd76x_pm module for linux-2.6.0-test4, as there was some pci_dev brokage.

Tried to get it into 2.6 via Alan Cox, but he went studying, so now I try to use the Dave Jones route.

Download: amd76x_pm-2.6.0-test4.patch.bz2

Update: 2.6.9-rc1-mm5 changed a thing and patch didn't apply cleanly. This version below is fixed in that regard.

Download: amd76x_pm-2.6.9-rc1-mm5.bz2

Small update to amd76x_pm

I updated the amd76x_pm module to work with amd_k7_agp -module. It's now rediffed against linux-2.6.0-test9, but should apply to earlier kernels as well.

Update: applies and works at least up to 2.6.5-rc3 and 2.6.5-rc3-mm3 (both are newest at the moment of writing this).

Download: amd76x_pm-2.6.0-test9.patch.bz2

Update2: 2.6.9-rc1-mm5 changed a thing and patch didn't apply cleanly. This version below is fixed in that regard.

Download: amd76x_pm-2.6.9-rc1-mm5.bz2

Python DockApp interface package for Debian

Packaged pywmgeneral, a DockApp python library for Debian.

DockApps are small applications that sit on the edge of your screen and display semiseful information. DockApps are supported at least by WindowMaker, fluxbox and blackbox.

To install and keep updated on this package, do following:

1. Add deb http://psavo.iki.fi/debian ./ to your /etc/apt/sources.list
2. apt-get update
3. apt-get install python-wmgeneral
4. (install some package that uses pywmgeneral and use it)

Last item in list is actually my own project, a gmail notifier as a DockApp. The're also some interesting applications on pywmgeneral upstream site.

Timestamping standard input

I was a bit surprized to learn that there is no timestamping tool for standard input in UNIX. So I wrote one.

It takes a parameter, which is in a format that 'strftime(3)' -function understands ('date --help' will show you a quick cheatsheet :). Then it takes all standard input (STDIN) and outputs those lines prepended with timestamp determined by parameter.

Example:

# default is "%H:%M:%S ", which outputs "HH:MM:SS "
$ du -hcs linux-2.6.3/ mm41/ | timestamp
22:51:56 213M   linux-2.6.3
22:52:00 82M    mm41
22:52:00 295M   total

# some other timestamp format
/usr$ du -hcs bin/ share/ include/ lib/ | timestamp "%x %X - "
03/07/04 22:54:34 - 219M        bin
03/07/04 22:58:33 - 1.7G        share
03/07/04 22:58:41 - 43M include
03/07/04 22:59:25 - 1.2G        lib
03/07/04 22:59:25 - 3.1G        total

Download timestamp-1.0.tar.bz2, unpack (tar xvjf timestamp-1.0.tar.bz2) and 'make'. Place resulting binary in path.

Writeback/comment notification for blosxom

Got tired with missing all the comments coming into less obvious/fresh parts of this site and made a small plugin.

Here comes... *Fanfares* wbnotify. :) You need working writeback plugin from Rael Dornfest. (And, of course, you must be using blosxom blogging software, as this plugin plugin is for it only)

So, adjust the 'wbaddr' variable to the email address you want receive notifications into, and off you go.

Download wbnotify here: wbnotify.

mrtg-meminfo

Couldn't get any sleep last night, so coded this up.
This gets (fast, written in C) various memory information, and outputs it in mrtg -suitable way, so long-time observation is easy.

mrtg-info can display following information: total ram, free ram, total swap, free swap and memory used by buffers.

Sample mrtg -config is included.

Example image from my workstation (512MB, and buffer stats in question):

Download: mrtg-meminfo-1.0.tar.gz.