Medo's Home Page

Captcha This

A few weeks ago Google introduced No CAPTCHA reCAPTCHA. It is a new approach to recognizing whether we are dealing with robots or humans. It should be a modern alternative to good old CAPTCHA. And I say it was about the time.

Captcha was a good idea a few years ago. They give you garbled text and you write it down to prove that you are a human. State of OCR was such that no program could pass this with any meaningful accuracy. There was a further improvement with ReCaptcha where your input would be used to help with book OCR which also caused warm and fuzzy fillings.

But robots got smarter and captchas got more complicated to keep up. I don’t know about you but I average about 75% captcha accuracy on a good day. According to Google, most advanced robots reach 99.8% accuracy. If robots have a higher success rate than humans on a system that was designed to keep them out I believe it is a time for change.

New system aims to recognize behavior and to give various quiz tasks only if there is any doubt. This new API hasn’t been widely implemented yet so it is hard to know how good it really is. But, if it removes at least one stupid letter entering dialog, I will consider it a success.

So far I personally haven’t been presented by a single new dialog. However, I am not a robot so that is pretty much expected result by design. Based on examples Google has provided, it will be based on image recognition so hopefully robots will endure more pain than humans. Depending from where images are coming from, I also expect quite a lot of funny combinations.

Of course, there is a work involved for any site that is to support this. And my guess is that it will be a bit more difficult to implement than older ReCaptcha. Considering that even ReCaptcha didn’t take web world by storm although it was superior to self-created ones, it is pretty much safe bet that we will see old style captchas for a while.

But new captcha king is in town. May it stop our robot overlords.

PS: No, “abicl” was not correct answer for a picture above.

PPS: If 99.8% figure is for ReCaptcha captchas, I imagine that it is all but 100% for all those self-rolled captchas that think that having a line or two is protection enough.

Humble Bundle and One Order Too Many

I am a fan of Humble Bundle so when they announced their winter sale, I of course had to buy something. As anybody with small kids will tell you, it is hard to go wrong with LEGO Harry Potter.

I used PayPal to pay gift purchase for one kid and tried to get the same for another only to be faced with “Sorry, your Humble Store order has been canceled. We have received too many purchase requests from you in a short period of time, so we have canceled your order (you will not be charged). We are very sorry for the inconvenience.” Well, I did try to buy second game less than another so I gave it a few minutes. Same again. Gave it 30 minutes, same again. Than 2 hours, same again.

At that time I decided to contact Humble Bundle support, the only website that gives you Forbidden error when you try to create a new account. At least their support system sends responses via e-mail so I could afford to give up on setting the proper account.

Talking with the Peter, their support guy, didn’t gain me much: “The purchase limits are part of anti-fraud measures”; “unusually large wave of traffic from one person”; “Sadly I am unable to lift the fraud protection”; and my favorite “Unfortunately I am unable to reveal that information”. I have been Humble’s customer since their very first Bundle. I have bought multiple games before (in one instance three of them). But now, two orders in a row are considered too many.

I understand that there was a need for some automated protections so people would not buy bunch of games and resell them. But I cannot believe that anybody would think a proper limit would be a single game per person, especially since they do offer option of a gift. And even if that is a decision, why would you not give possibility of an override to your own support staff? And why don’t you tell your customers how long they need to wait between purchasing two games? A day? A month? A year?

I did solve it at the end by using my credit card instead of PayPal. Somehow I am not considered a fraud if I use different payment method…

Beware of Magic in AES CBC

In case of encrypted text I commonly see “magic” footer being used as a sole verification method for AES CBC; i.e. assumption is that, if last bytes were decrypted correctly, all previously decrypted bytes are valid too. However, that assumption can fail horribly.

Once case when it fails is when configurable IV is used. You can have nonsense for a IV vector and decryption will succeed. Even worse, while first few bytes will be invalid, 8-byte blocks following it will look just fine. If you validate content only by last few bytes, your program might happily continue to work without any issue.

But lets assume you have static IV and that this issue doesn’t affect you. And you are worried only about stream errors anyhow. Well, I hate to inform you but CBC mode is self-synchronizing, i.e. any recoverable errors in one block will go away after certain number of blocks. For example, if you have an error in first byte of a stream, next fifteen bytes will be corrupted but rest of stream (including your footer) will look just fine.

Corruption in the middle of stream will cause exception most of the time, but not always. If it passes unnoticed you can have valid header, valid footer and garbage in between.

As you can see from the two examples above, you cannot rely purely on fact that some stream bytes were decrypted as a proof that some other part of stream is not corrupted. Only way to be sure about stream validity is to use hash/CRC functions that were actually designed to detect corruption.

Example of both these behaviors is available for download. Below is example output with both valid and invalid decryption having a same footer (FF-FF-FF-FF):

Decrypted (OK) ..........: 00-01-02-03-04-05-06-07-08-09-0A-0B-0C-0D-0E-0F-10-11-12-13-FF-FF-FF-FF
Decrypted (invalid IV) ..: FF-01-02-03-04-05-06-07-08-09-0A-0B-0C-0D-0E-0F-10-11-12-13-FF-FF-FF-FF
Decrypted (invalid input): 31-33-7C-D9-A9-91-47-DD-52-3A-64-08-FD-2F-D4-C8-1D-11-12-13-FF-FF-FF-FF

Bon Voyage

For almost five years now I had a Kindle 2 as my companion. Other Kindles came and went and I saw no reason to replace something still working. But there was one thing bugging me for a while now - reading by night. I was pretty much looking to upgrade to Paperwhite when Amazon announced Voyage. So I jumped onto that train.

I decided upon Voyage 3G since I still fondly remember my Kindle 2 keeping me in touch with a world in a foreign expensive land before the age of WiFi. First shock happened when I tried to browse. Amazon actually doesn’t allow browsing on 3G anymore. You can visit Amazon, you can visit Wikipedia, but nothing else is reachable without WiFi. Compared to unrestricted Kindle 2 this seemed as a step backward.

I was also stunned by the fact I could not access my own web site. Since I could access it at an alternate address I would tend to blame this on the lack of SSL Server Name Indication support which I find really strange since Kindle advertises it as an WebKit browser. My guess would be that they’re using quite an older version of SSL code when it manages to fail at thing even Internet Explorer 7 supports.

WiFi itself is 2.4 GHz only which is a bit of disappointment. This is quite literally the newest device I own and only one that has no 5 GHz radio. Yes, 2.4 GHz is more common choice for consumers also but I find 5 GHz a blessing in a crowded environment (e.g., in cities).

Build quality is quite good with a glass front and a magnesium back with a soft finish plastic over it. Only disappointment was a slight misalignment of plastic hiding the antennas with the rest of the body. Fortunately it is not in place where you can easily touch it and it might be only an issue with my device anyhow.

In order to turn the device on you need to reach button on the back. Without cover this operation is annoying at the best. Fortunately, as soon as you get some cover on, things get easier and comfortable. Also annoying is “Swipe to unlock Kindle” gesture at every damn turn on. It is completely unnecessary and serves absolutely no purpose other than showing off the fact you have a touchscreen. This is also solved by putting a cover on (but only if you have version without special offers). As you might deduce, this Kindle is less than enjoyable without a cover.

Since Voyage is a really young device only original Amazon cover is Origami I personally find annoying at best. I’m hoping that Amazon will start selling just a simple leather cover too as same one is available for their other devices. Of course you can always opt for a third-party cover.

On other hand I just adore PagePress buttons. Lack of physical buttons on Paperwhite was what was keeping me back on Kindle 2. Sadly, due to a touchscreen controls, lefties might not really enjoy buttons as they would otherwise. Bezel is really thin so my page turning finger naturally tends to rest at the edge of the screen. This means that each touch to left PagePress button also probably touches screen where that same gesture is interpreted as going one page back.

In the end my page turn occasionally gets interpreted either as nothing at all or as a turn backward. It doesn’t happen often but it kills my flow immediately. Software solution would be simple - just disable touch screen page turns when PagePress is enabled but I doubt that anything will be done since 90% of right-handed people will be just fine with this.

Speaking of page turns, I find it a slightly unnecessary to have a PagePress back button on both sides. Since going backward is a pretty rare operation, having second back button replaced with Home (again, as on Kindle 2) would make more sense to me.

Missing when compared to the Kindle 2 is also any form of audio. While I used read-aloud functionality rarely enough that I won’t miss it, I do miss capability of getting my audio books on it. I dream of a day when I will be able to switch between listening to unabridged audio book and reading it on screen. A beautiful thing when you prefer reading but occasionally want audio (e.g., when driving a car).

Another surprise came when I tried charging Voyage. It would only pull around 500 mA from wall chargers. Compared to 900 mA Kindle 2 could pull this is a real disappointment. I tried using the original Amazon 5W charger but current usage remained the same. Unless Amazon’s fast charger (9W) does better job, I can only deduce that somebody in engineering did a shoddy job and 500 mA is the maximum.

Regardless of all these annoyances I covered in the last few paragraphs, I really enjoy this Kindle. Screen is gorgeous, backlight really pleasant, and it does feel as an upgrade coming from Kindle 2. Even if you are coming from the latest generation Paperwhite you will find new Kindle enjoyable and a quality device. Biggest issue for it will probably be the price since $200 for the basic model and $270 for the 3G one is quite a premium.

All in all I really love this Kindle. Yes, it is not perfect but it is a great companion.

PS: Due to such a crippled 3G, I returned my original purchase and got myself a WiFi-only Voyage.

Visual Studio Community 2013

A bit over a week ago a new Visual Studio edition has appeared pretty much out of blue. For all practical purposes you can look at it as a cross between Visual Studio Professional (has same features) and Express editions (it’s free).

Unlike Express editions, Community can only be used by an individual developer, for open source, for learning/teaching, and in a small non-enterprise settings. If you are working for enterprise company, you’re out of luck.

Since Community is essentially the same as a Professional edition, there is not much new things that can be said about it. It can slice, it can dice, and it is an almost perfect development environment. Yes, there are Premium and Ultimate and they do offer some advantages (e.g. IntelliTrace is a gem) but most of the time one can live without those features just fine. Unlike with the Express editions you won’t feel constrained with the Community.

Surprisingly you cannot really install Community edition side-by-side with any other paid Visual Studio. Official explanation is that this is because Community is the part of a same line as other editions but I still find it an unfortunate decision. Developers wearing two hats in BYOD scenarios (e.g. enterprise by day, open source by night) might get into some conflicting situations. Side-by-side with the Express editions will still be supported so not all is black.

Speaking of Express editions, it is not really clear to me what is their destiny. Currently they do stand together with Community but they do overlap quite a bit. If we learned anything from the past, their days are numbered. I would like to be wrong since I do love them. Even with all their shortcomings, I can still see them useful in multiple scenarios (mostly due to their quite permissive licence). I will miss them.

If you currently don’t have anything better than Express on your machine and you fit into the restrictions, it is definitely worth checking out.

1 … 132 133 134 135 136 … 272