
I work in medical IT. You'd be surprised how many government sites do similar.

An example would be https://sso.state.mi.us/som/dch/enroll/reg_page1.jsp (You can enter any fake name/email, this is only step one of the registration script. The next page has the captcha in question.)

The captcha is plaintext, right on the page. The data from the captcha isn't even sent to the server, it is processed locally via JavaScript.

So, the bots don't even have to do anything, but humans have to input a meaningless number...

    <input type="text" name="inputNumber" class="entry-field" size="5" tabindex="3">

    <!-- ... -->

    document.write('<div id="layerNum" class="verifyNumber" align="center">');
    document.write('<b>'+str+'</b>');
    document.write('<img src="generateGIF.jsp?number='+str+'">');
    document.write('</div>');
    document.write('<input size="5" type="hidden" name="rdNumber"  value="'+str+'">');

    <!-- ... -->

    <input type="submit" value="Continue" name="submit" onclick="return Valid();">

    <!-- ... -->

    function Valid(){
    // ...
            if(chkRandomNumber()){
              return true;
            }else{
              return false;
            }
    // ...
    }

    function chkRandomNumber(){
      str1=document.all.rdNumber.value;
      str2=document.all.inputNumber.value;
      if(str1!=str2){
        alert("Please check and type the number as shown in the box");
        return false;
      }else{
        return true;
      }
    }
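What the quoted markup means for an automated client, as an added example (not code from the page or from the site): a script that posts the form never runs `Valid()` or `chkRandomNumber()`, since those are only reached from the submit button's `onclick` inside a browser, and the number it is "asked" for is already in the response it downloaded. `SERVED_PAGE` is constructed to mirror the snippet above; how the site actually assigns `str` (here `var str = "48213"`), the form action and the extra `firstName` field are assumptions for this illustration.

```javascript
// Added example for this thread, not code from the page or from the site.
// SERVED_PAGE is constructed to mirror the quoted snippet; the way `str`
// is set, the form action and the firstName field are assumptions.

const SERVED_PAGE = `
<form method="post" action="reg_page2.jsp">
  <input type="text" name="firstName">
  <input type="text" name="inputNumber" class="entry-field" size="5" tabindex="3">
  <script>
    var str = "48213";
    document.write('<div id="layerNum" class="verifyNumber" align="center">');
    document.write('<b>'+str+'</b>');
    document.write('<img src="generateGIF.jsp?number='+str+'">');
    document.write('</div>');
    document.write('<input size="5" type="hidden" name="rdNumber"  value="'+str+'">');
  </script>
  <input type="submit" value="Continue" name="submit" onclick="return Valid();">
</form>`;

// Names of every input the form carries. The regex also catches the hidden
// rdNumber that document.write emits, because the raw HTML already
// contains that tag text; no JavaScript needs to run.
function formFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// The challenge value sits inside the response the client already holds.
function extractChallenge(html) {
  const m = html.match(/var str\s*=\s*"(\d+)"/);
  return m ? m[1] : null;
}

// Build the POST body a bot would send. Valid()/chkRandomNumber() are never
// executed here. Copying the on-page number into inputNumber only makes the
// request look like a human's; per the thread, nothing server-side checks it.
function buildBotSubmission(html, profile) {
  const challenge = extractChallenge(html) || "0";
  const body = new URLSearchParams();
  for (const name of formFieldNames(html)) {
    if (name === "inputNumber" || name === "rdNumber") body.set(name, challenge);
    else if (name === "submit") body.set(name, "Continue");
    else body.set(name, profile[name] || "");
  }
  return body.toString();
}

// Constructed profile data for the demo.
console.log(buildBotSubmission(SERVED_PAGE, { firstName: "Jane" }));
// → firstName=Jane&inputNumber=48213&rdNumber=48213&submit=Continue
```

The same body could be sent with any value in `inputNumber`; the extraction step is only there to show that even a "correct" answer costs the bot nothing.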



Wow, that is very surprising. Is it that the web development industry hurting that much for good programmers, or are just the wrong people being hired?


There is also a skills shortage in programmers. If people like this can get work then imagine if you actually knew about programming. Remember that next time you're thinking about your unsatisfying job or at pay review time.


> If people like this can get work then imagine if you actually knew about programming.

You're assuming the client/employer can actually distinguish between the two. I'm not sure that's the case for many jobs.


For what it's worth, I worked on a website that started receiving massive amounts of spam on its feedback page very shortly after it went live. We (as in the three programmers on the project) hated captchas with a passion. Instead we put in a field with the text "What is 1 + 1?" (If they missed it, we'd actually put in red next to it "Hint: the answer is '2'".) (Granted, we checked the value server side.)

The end result, spam disappeared and we didn't add much pain to our customers.

Most spammers likely don't go check every website to see how they can break the captcha, they just set up a script to go fill out forms and submit them.

Their solution, while not being the "awesome, technologically advanced solution", if it prevented spam, was a working solution without the complexity of actual captchas.

Furthermore, as captchas have been known to be broken, who's to say that the spammers' tool doesn't recognize valid, commonly used captchas and break them automatically? As opposed to a field that says "Type the following word", which the spammers don't (can't easily?) check for.


The second. They probably have scammed the client in other ways as well.


"Scammed" is probably not the right word here - at least to me, it conveys a malicious intent, while mistakes like this are merely ignorance. I'm sure most of us have made mistakes just as stupid as this, despite working hard to earn our pay.


"Scammed" is exactly the right word here.

When CAPTCHA is just simulated on the client, then it's a clear indication of malicious intent (of getting paid for faking real job).

That said, CAPTCHA should not be used at all. But torturing users with CAPTCHA while allowing bypass access to bots is a more advanced level of evil.


'Scammed' is not the right word. Ever heard the aphorism "never attribute to malice what can be attributed to incompetence"? Manager types (and unfortunately probably quite a few programmers) have no idea what CAPTCHAs do, and I would bet money that somewhere, somebody has vetoed a server CAPTCHA in favor of a client CAPTCHA because it sounded easier or something. I'm not saying that's what happened here, but don't say it was obviously malice when you just don't know.


Scam does not imply malice.

Usually scammers treat their victims as customers and wish them well.

In this particular example it was a combination of technical incompetence [not being able to deliver proper CAPTCHA] with scam [of getting paid for project that did not deliver on promise].


Ehm, a scam with good intentions? Come on, are you a Nigerian prince?


Scammers are like parasites. They take from their victims, but aside from that they want their victims to be well.


How can this be a "mistake"? They created something that looks like a captcha to fool the client into believing it's an actual captcha. If they didn't know how to make a proper captcha it's better to tell the client so someone else does it.


What if they don't know they don't know how to make a captcha? It's an obfuscated image, those are easy to make and check! If you don't know basic things like "never trust the client", and you don't know that they exist to know, then you may not know to tell the client to have someone else do it.

That doesn't excuse the programmer. As a web programmer, it is, to some extent, their job to know when they're out of their league. But second-order knowledge can be a rare skill.


Yes, this exactly. Donald Rumsfeld got no end of flak for his comment (distilled here) "there are known knowns, known unknowns, and unknown unknowns", but it's actually a great statement - in this case, there are some people who know they know how to make captchas, some people who know they don't, and some people who don't know that they don't know.


Many programmers have no idea how a CAPTCHA is supposed to work. It never occurs to them to think through how someone would break it. Someone tells them the client wants a CAPTCHA, they go "oh yeah, that's those weird letters on the screen", and are probably pretty proud of how they did it.

Don't believe me?

Think about how often you see obvious SQL injection problems - the same (lack of!) thought process is responsible for both.


You are assuming that the client knows what a CAPTCHA is. Probably the manager at the client-side said "Oh yeah, before I forget to mention it, add that funny image you see on websites - you know, the CAPTCHA thing, a guy at my gym said it improves security. We definitely want good security in this project!".



