More Casey Worship

Published Sun, Jan 30 2005 16:07 | William
One of the best things about being the leader of the Casey Chesnut Sycophant Cult is that he makes it increasingly easy to recruit members.  Like much of his stuff - the coolness of it doesn't just come from the tech stuff it takes to write it - it comes from the idea behind it.  This absolutely positively kicks total a33 .  KC - as far as someone getting mad about it - let me assure you it wasn't me.  Getting spammed by anything this cool is an honor ;-).

Comments

# William said on January 30, 2005 4:25 PM:

Ridiculous. I wish I were one-eighth as smart as him. Or at least one tenth as motivated. I've been *saying* that you could do that with CAPTCHA for some time, but I've never had the balls to try to back it up. The guy is prolific. Can I join the club?

# William said on January 30, 2005 4:32 PM:

Yes, membership is open. Basically accoding to the lame a33hole that dubbed people who are impressed with KC - and ostensibly me in particular, Sycohpants - because we don't give a rat3 a33 that he uses profanity on his site kux his stuff rocks - well, that's where the cult started. All you have to do is think strip clubs are cool - be pro booth babe, have a sense of humor - and enjoy kick a33 technology.

# William said on January 30, 2005 4:33 PM:

I think it was awesome too but do you remember how badly the Rory at the MVP thing went over? Some of your fellow MVP's have zero sense of humor and take themselves way to seriously so I can already see the firestorm coming. He pissed in their pool and they are going to howl much like they did over the Rory thing. I am definitely not saying all of them are like that by any means I think the language and hardcore tech ones will see it as pretty cool after all it wasn't really spam, it was proof of a very cool concept in a very low key way. The other ones are going to cry to high heaven though. Just watch I bet you they call for his head on a platter, like when Rory pissed them off. I read the article a bit before lunch and posted on it here:
http://www.cadencoding.net/blogs/users/cornbread/permalink.aspx?id=131


Then I had the hotty read it and she thought it was f#cking cool and asked if I could do something like that too. I of course answered honestly and said "why yes dear of course I can" neglecting to mention that the contractor I would hire to do it would be Casey.

# William said on January 30, 2005 4:53 PM:

strip clubs cool? check
doesn't care about profanity? hell damn check
likes technology? check
sense of humor? check.

When should I expect my membership packet?

# William said on January 30, 2005 4:54 PM:

also...it's slightly humbling to know that casey's hack is better at figuriing out CAPTCHA than I am...invalid human proof my ass.

# William said on January 30, 2005 4:58 PM:

Scott - I just got some emails that have induced nausea. I really don't believe I'm hearing what I'm hearing. Not about you but about the issue above. I'll fill you in about the cult a little more later.

# William said on January 30, 2005 6:37 PM:

Bill,
I read your comment on my site. I agree with you.

I'm not sure who's all in the MVP program. I'm actually only aware that the program exists because of you and Casey and reading about the Rory episode on Rory's blog. Heh so that Roy guy wasn't even an MVP huh? That f#cking awesome.

As soon as I read who Casey had done this to I knew there would be fireworks. Like I said on my blog not all MVP's are cut from the same cloth, some are very cool and some are very uncool.

Like you said being an MVP doesn't change anything about them it's simply a recognition of something they have done. First thing I thought to myself was "I bet they get so mad they try and remove him from the program or make him publicly apologize or some other really stupid nonsense".

The article was undeniably cool but we all know there are more than a few in the group he posted his link to that have a very big ego and a very small sense of humor.

You spent hours removing spam from your blog you said before they put in the controls. So I imagine the others did as well. Then they get peeved about one little link back to a fellow MVP's really cool article showing the weaknesses of the control?!?

It would be far more humorous if it wasn't Casey because I know he probably took a ton of heat over this one.

You are right they need to come out as individuals with their suggestions and comments and not try and act like they are representing the program as a whole. Casey did it as an individual and was open about why and how he did it. They could at least give him the curtisy of responding the same way and not trying to drag that whole program through the mud while they air their dirty laundry. But big ego + small sense of humor + publicly had their punk card pulled = very pissed of people. just watch and see if I'm not right.

I know it won't be you or any of the other cool MVP's but I have no doubt that a bunch of them will be far less cool about this. I'm sure Casey can handle the heat but I have no doubt you will see some folks true colors come out because of this too.

Let me know if I'm wrong and 100% of them are totally cool with it because that would surprise me most of all.

# William said on January 30, 2005 6:51 PM:

Andy - I think you're right. The sh1t with Roy blew my f***** mind b/c he wasn't even an MVP so it was like 'Dude, what's your problem' - but it looked a lot like jealousy, smelled like it, walked like it - because it was.

As far as MVPs go - I mean think about it. You have people from 300 different product groups in 20 zillion different countries - it's inconceivable that they could all have one thing that defined them first and foremost.

The point I'd make about this is that 1) 1 email == spam. See, I'm allowed to write you an email - it's only spam if I don't give you a way to tell me to f--- off and/or I ingore your requests to stop or if I misrepresent who I am. NONE of the above apply here.

Second, the notion that this exposes some security flaw and will encourage spamming - come on. For months there wasn't a captcha and we dealt with the spam. Casey didn't even post the code- he just proved it was possible - and who didn't know that? It was just a matter of how much work it would take. He wasn't the first with the idea...... Also, it's called a CAPTCHA for a reason - so if the computer fooled it - I guess it didn't differentiate at all.

Not to mention that I personally don't get it right as high as Casey's bot did. I'm probably 50% tops.

IN NO WAY AM I putting down the person that wrote it or criticizing - I just think that some perspective is needed here. He wasn't exactly busting into our medical records and showing people how to extract our bank account information. I just can't see what the big deal is - and more to the point - who wouldn't be interested in learning how he pulled it off?

# William said on January 30, 2005 8:40 PM:

What did I miss?

# William said on January 30, 2005 8:46 PM:

Casey wrote a BOT to read the CAPTCHA image and posted one (1) - comment on the blogs here at this site. It indicated what it was, and where the article was. Apparently not everyone was as impressed with it as I was. http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha

# William said on January 30, 2005 10:31 PM:

I think Casey's stunt was immature. Just because he's smart enough to figure out how to do that doesn't mean he's got the wisdom to know what to do or not.

Executing his code and actually spamming a bunch of blogs does NOTHING to show that his stuff works.

The thing is, there are others who could have done this. Maybe they didn't need/want the publicity. Or perhaps they have just learned restraint.

# William said on January 30, 2005 10:47 PM:

Michael - well, you're definitely not the only one that feels that way. I personally am amazed at the techincal aspect b/c it apparently interprets it correctly more often than I do. I don't know - I think one email - with a link back to the article - I really don't think it's a big deal b/c I can't see where the 'offense' is in it. I sort of got the opposite impression - that unless you really executed the code you wouldn't really know if it was working or not. Maybe I'm just desensitized b/c I've gotten spam on my blog - every forum I run and more in my emails boxes than I care think of - so one blog entry just didn't seem like a big deal.

I don't know Michael- I've just never gotten the impression that Casey is an attention whore- and I can't speak for him - but I'm guessing his thinking was that it no one would have gotten pissed about it.

But I have a feeling that the fallout over this is just beginning.

# William said on January 30, 2005 11:25 PM:

I disagree completely Michael - What better way to prove the point than to defeat the CAPTCHA? And it's not like he DDOS'd these people either, he proved his code worked, with a rather polite note I might add, in the place where people who care about these things (you know, us code geeks) are sure to find it - blog comments. I don't think it's immature or unwise. And I certainly wouldn't call it a "stunt", at least not in the pejorative.

I think what he did was brilliant, both from a technical and communication standpoint.

I'm just hoping that I, supposedly possessed of intelligence, correctly interpret the CAPTCHA to get this comment posted...I usually have to try twice on Bill's blog :(

try # 2...

# William said on January 30, 2005 11:28 PM:

Scott- I respect the h3ll out of Michael although I respectfully disagree with him on this one too.

At least as far as I'm concerned - I just realized I'm way on the left hand side of the bell curve - and I need to up my game...........

# William said on January 30, 2005 11:34 PM:

Hey, me too. I was just disagreeing. Lovely thing about discourse among intellectuals (and me)...we can argue many sides of an argument, see the points in another's side of an argument (which I do), and not have it turn into an episode of Jerry Springer.

Seriously though, I just am saying, as a technologist, I'm just starstruck over this thing casey did...and maybe it wouldn't be unfair to say that I wouldn't criticize him if he hacked every news channel and posted the code on the headline banners...I think something this breakthrough needs to be out there.

I do see your point though Michael...I just disagree with your position.

...okay honestly bill, I really think there's something wrong with your captcha...it really does make me try twice every time and there's no way I screwed that last one up.

# William said on January 30, 2005 11:42 PM:

Scott- Yah - I know dude. I'm with you. The problem with the captcha I think is the Time restriction...

# William said on January 31, 2005 1:23 AM:

What a load of sh*t.

First, there was absolutely no need to send 90+ for proof of concept, --> attention seeking

Secondly, the implementation is very weak and relies on multiple flaws in the CAPTCHA implemented here. If you look on most other sites with CAPTHCA you will see features that blow his approach.

Finally, why bother ? The truth is the CAPTCHA used here is totally by-passable, and has been for ages. But unlike Casey, I haven't spammed 90+ blogs telling them taht or publicised it all over the web. I have though talken to the blog site administrators, and hopefully we can expect to see a fix before the hack is made public.... yeh responsible disclosure... damn shame a MVP would forget that just to get a bit of limelite

# William said on January 31, 2005 7:47 AM:

Bill - I respectfully disagree with you on this. If Attention seeking was the objective, then I can't think of too many worse ways to accomplish the objective.

As far as other sites that blow away his approach - I'm not sure which you are talking about and most of the ones I'm familiar with would not blow it away - but that's not really the issue.

I didn't know it was by-passable though - and I never realized there was a time limit on the thing. Again not the issue.

Did you read his article though? He's not makign the code public. It was one post - 1. He didn't CC the world or do any such thing. And the sad part is that as soon as someone from Slashdot finds out about this - well, you can do the math.

I guess a lot of people are mad though and it almost looks like I'm in the minority on this one. I don't think there was any showboating on his part which seems to be the crux of why people are upset over it - but oh well.

I'm still pretty amazed with the idea in the first place and the implementation afterward. I guess I'll have to respectfully disagree with you on this one.

# William said on January 31, 2005 8:48 AM:

>And the sad part is that as soon as someone from
>Slashdot finds out about this - well, you can do the
>math.

Don't blame slashdot, instead have a good hard look at yourself and at Casey. Casey put the info up on his blog, and you also linked to it. Of course, if he hadn't spammed 90+ blogs, well there would be less reaction, less limelite, and less likelyhood of slashdot reporting it.

I think the real issue here is that there was no need to spam as many sites as he did, just for his POC.
The work he did was limited.. very limited, and was not new. hell, if you search google for CAPTCHA I am sure you will quickly find various good implementations that do break them, e.g:
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html


Oh, as for other CAPCHTA blowing his algorithm out of the water, well you either have your eyes closed or didn't read his article carefully ;)
Here's one that has been around for ages:
http://www.geektools.com/whois.php
and of course there's yahoo's as well.

So really, truth be told, even if he did release his code, it would just a temporary hiccup, because his code is based on a bad CAPCHTA implementation.
Sure it's a pity this site uses such a crappy CAPCHTA control, and it's timeout is a pain. But does that justify writing a hack to try to break it ?

Bill, you do realize that Casey spent 3 days solid coding this ( 3 x 8 = 24 hours). Now if he had instead spent that time writign a better CAPTCHA plugin... well you do the math ;)







# William said on January 31, 2005 9:05 AM:

Well, as a matter of policy I don't argue with people named Bill that have Irish Surnames because that alone proves thier intellecutal eliteness.

When I linked to it it was b/c I thought it was cool. It honestly never dawned on me that someone would be pissed off by it.

I'm not at all complaining about the CAPTCHA - becuase even though it's frustrating, it's better than spam. I got nothing but love for Susan and I appreciate the space here and all she does for us. She has every reason to get mad b/c it's her bandwidth - her server space etc. But I have a hard time swallowing that any one that got the post was in any way an aggrieved party.

I'm not blaming slashdot although it wouldn't surprise me. But their angle wouldn't be that he did it but how mad some people got over it. However, and no - I'm not pulling this out of the air - the NON MVP consensus that I've read so far is that we're acting like babyies over this. If you want a few links - I'll be glad to zing them to you.

I follow Casey's stuff a lot and this is totally inline with work he already did - this was intellectual curiousity and there was no malice - I just can't buy that. And as far as being an attention whore - I just don't see it at all. There would have been a LOT more effective ways to accomplish getting a lot more attention with this same exact exploit.

I spent 3 hours last night just trying to see if I could recognize the pixels in the middle of an image. Yes, other ones could cause it a problem - I did read his article, but you could use very similar logic - and that's the point really, how do you go about defeating any given CAPTCHA

He could have done the same thing - without sending the emails - sent the code to MSDN magazine , got it published, handed out the code - and people would be talking about how kick a33 it was even though 1) it would have attracted a lot more attention 2) it would have put the code out there.

But I guess I"m in the minority on this one ;-)

# William said on January 31, 2005 9:30 AM:

LOL ! Well if MSDN did publish articles on how to hack I can assure you they'd get plenty of flack ;)

But back to the point, there simply was no need to spam so many, with a LINK to his article for his POC. It meant over 90 peopel had to delete his spam or else it'd end up being pushed up there on google etc, etc.

And as I said, it was totally pointless as not only can his code be easily broken, the site he based his approach on is wide open anyway, CAPTCHA or not. But hey, you don't see me spamming 90+ people to prove that now do you ?

Anyway, really CAPTCHA's suck. The yare a pain, they intefere with communication, and they are inaccessible to may folks (visual CAPTCHAs like this one here aren't very friendly to the visually impaired)

thankfully we haven't gone down the track of CAPTCHA for email communication as well ;) Filters is probably a far better

# William said on January 31, 2005 10:04 AM:

its funny how bill mccarthys arguments rely entirely on information that is already in the article. the gimpy break that he linked was already in the article, and i admitted that its much better than mine. but he says that you can quickly find other implementations ... and you cant ... i looked for them. if i were to release the code, the useful parts would be the image processing algorithms and my neural network code. the other CAPTCHA that he links would break my algorithm ... but that doesnt mean i couldnt spend a couple more hours and beat that one too ... it actually looks pretty easy. as far as spending 24 hours writing a better CAPTCHA ... that is a waste of time. somebody could just use AI to beat that as well. the point is you cannot stop comment spam (period). there is no fix. people can do it manually ... or use some sort of social engineering. as far as the attention getting ... people are giving it way too much. the people that have the right to be mad are the people that i actually spammed. and how mad should they be ... however mad 1 comment spam makes them. as far as the site i beat being wide open ... they are wide open to me, but not many others. of course there are alot more blog sites that are even more wide open because they dont have CAPTCHA at all. anybody could slam those sites in less than an hour ... but we'd rather talk about this. oh well ... people are funny

# William said on January 31, 2005 10:08 AM:

how to beat this CAPTCHA ...
http://www.geektools.com/whois.php
just scan the image and find the horizontal and vertial lines. then scan the image for characters taking into consideration the horizontal and vertial lines you already found. then just do straight char reco.

# William said on January 31, 2005 10:13 AM:

Casey - Bill's a good dude but I'm not agreeing with him here. I know that I can hold my own in .NET and just reading the pixels took me a while. I'm sure there are others that can do it - but I don't think it's greasy kids stuff by any means.

And the thing that seems to come up is that you were being an attention whore or a show off. I just don't see it - because if you were, then youre a total dumb a33 that couldn't tie his own shoes - there's a lot better ways to get attention and you could have gotten a lot more bang for the buck - and somehow I don't think you missed that point. If you were looking for attention - you'd have done it in a much more compelling fashion - no doubt about that. Plus the 40 disclaimers you wrote about it....

No harm, no foul - and the article is kick a33 - If someone wants to prove me wrong -fine, write one that's more accurate in less time but I think it's a lot easier to say how easy it is to do something than actually do it.

# William said on January 31, 2005 10:46 AM:

I just wanted to make a formal apology for my earlier words on Casey's comment section on his website. I realize that not everyone wants to live in a world that I fully control. Further, I have come to understand that a resource that I place on the internet has a certain degree of public ownership in addition to private responsibility. As such, I have come to the conclusion that I have been arrogant and conceited in my dealings with the MVP community. You are not my children, and I am not your "Mom", rather, you are able, thinking adults, and have the free will to serve the community as you see fit. Please accept my apologies.

Susan Bradly [MVP]

# William said on January 31, 2005 10:49 AM:

hey casey,

There's two different issues here, one is your spamming folks, and the other is the usefulness of captcha. Yes we agree that Captcha is bad (although at present it has reduced spammers, be it only temporary)

But I think you are missing the point. There was no need for you to spam so many for your POC. Simple fact.
And I really don't think because soemone critices that action, that you should then say they got mad and try to belittle the wrongness of your action. SPAM is SPAM.

And as to your 24 hours, well you could have spent that far more productively... I'm amazed you limit yourself to CAPTCHA when you could have written a filter, or implemented a simple conversation key.
http://msmvps.com/bill/archive/2005/02/01/34478.aspx

So when all is said and done, what have you added ? AHve you fixed the problem, had any cool code you could or should share ? Anything constructive ??
And no spamming 90+ people is NOT constructive ;)


# William said on January 31, 2005 10:55 AM:

Susan:

You are the only one that had any right to be pissed IMHO - it's your site, bandwidth etc and you were just looking out for people. I haven't been wronged by anyone and no apologies are necessary.

# William said on January 31, 2005 3:33 PM:

Bill, so how 'Susan' doesn't sound authentic to me. She commented on KC's article and signed 'Susan Bradley', yet here it is 'Susan Bradley [MVP]'. Also, what is written doesn't makes sense to me. Maybe someone is trying to proof to her that you can steel identity as well. And, if she really meant it, and be a 'man' about it, she would make an entry on her own blog.

If it gets through, then this message is spam is well. I used the CommentAPI via RSS Bandit and didn't even had to add an e-mail address. But as KC said, using the CommentAPI is too simple. :-)

# William said on January 31, 2005 3:35 PM:

'So how' --> 'some how'. Shoot, RSS Bandit doesn't check my grammer.

# William said on January 31, 2005 3:46 PM:

Well Randall - it looks like it came from her address but it's possibly a spoof. I don't know - I've known Susan to be a really cool lady and well - this whole thing sucks b/c Casey was just trying to do something cool and it's turned into a mess. Maybe it's a spoof - maybe it's not. I appreciate you looking out for me my man.

I just want to know what Casey is going to do now to top this feat ;-)

# William said on January 31, 2005 4:38 PM:

Aha! Casey found the timeout problem. 1 minute to download the image, 1 minute to post and submit? O-U-C-H. Of course he only used this CAPTCHA and there are a couple of others out there. His point is valid that any generated image can be trained to be read. Using a computer to make the image doesn't mean you can't use the computer to decode the same image.

Spamming 94 people may have been excessive but without a proper (semi) high test case, how can you prove the algorithm? I find in my coding that I often miss test cases (where I can't unit test) and if I were to simply test EVERYTHING I'd have found a couple major bugs. I don't get the number 94 though. Sounds like he used 100 but 6 of them didn't go through. Why choose that specific number? I would have chosen an odd number or possibly a rounded one like 100, not 94.

Casey did the right thing by exposing the "security through obscurity" that has been presented through CAPTCHA. It's not the best answer to comment spam nor do I propose it be an answer at all. It's just an extra layer that people don't even want to deal with. Introduce better techniques like filtering SQL input or dealing with the problem directly. Patching symptoms with small bandaids isn't going to solve this one.

To be thorough nofollow doesn't solve or attempt to address comment spam. It simply keeps commenters from being as relevant as the bloggers which is only one incentive to comment spam (not the only one, nor will it ever be). Spam has to be plugged as the holes are found as there's really no holy grail. Even baysian filters are proving to be inadequate so there really is no single reliable method for preventing spam. We can only hope for a decent layered approach.

# William said on January 31, 2005 5:11 PM:

Scott: "I disagree completely Michael - What better way to prove the point than to defeat the CAPTCHA"

Do you work in security at all?

"What better way to show that SQL had problems than Slammer?"

"What better way to show you don't follow safe computing practices than send $1 from your account to mine?"

Scott and Bill:

The REASON we 'overreact' to small things is to set the standard. There are lines when it comes to investigating and publishing and executing. In this case, it's not a "hole", as in an overflow. So it's fine for Casey to write about AI.

However, he ran a bot against someone elses server without permission. Is it illegal? Hopefully not. Is it correct/ethical or mature? Nope.

When I was in my mid-teens, I hacked my ISP, downloaded their customer DB, and then printed stuff out on their printer telling them to call me. It did a good job of "showing they had issues". But it was the wrong way.

Also, his attitude about the whole things show's that he's acting rather immature and foolish. "OK, I'll stop unless you spam me and then I'll blow you out of the water"? WTF?

Want to act all cool and write cool software? Go ahead. Want to publish how you do things? Fine. Just don't overstep your bounds (other's peoples systems are not in your bounds).

Today it's "I posted a comment to show your image protect didn't work". Tomorrow it's "I modified your articles to show you had an error in your authentication module."

Bill, it's an HONOUR to get spammed like this? What if it had been the same software spamming 100 male 'enhancement' products?

For the record, I'm annoyed at Casey's immature attitude about it, and that he didn't bother asking anyone for permission first. He would have still got the "cool points" for being so smart and writing AI if he had just emailed everyone and shown them, as well as posting the same article to his blog. Going and executing the attack just shows that while his tech skills are great, his judgement skills need some refinement.

# William said on January 31, 2005 5:33 PM:

<<However, he ran a bot against someone elses server without permission. Is it illegal? Hopefully not. Is it correct/ethical or mature? Nope. >>

To that end, Susan has a right to be upset - it's her servers, bandwidth et al. But for most of us - it's one email.

<<Today it's "I posted a comment to show your image protect didn't work". Tomorrow it's "I modified your articles to show you had an error in your authentication module." >> I guess it's a matter of where you draw boundaries - and if it was I modified your articles that's clearly vandalism.

<<Bill, it's an HONOUR to get spammed like this? What if it had been the same software spamming 100 male 'enhancement' products? >> If it was 100 of anything I'd be pissed about it. But that distinction is the difference between someone flipping me off and someone punching me.

I think what the boundaries are varies depending on who's involved. Would I be pissed off if it was my server and it was someone I didn't know or wasn't friends with? No, if it was the exact same thing. Some people get insulted for instance, over everything. Some folks don't get insulted over anything. Where is that line? I don't know. This is the same thing. But honestly, if you would have asked me "Bill, do you think that this will upset a lot of people or really upset anyone, two days ago I would have said "No way". Obvsiously I'd have been wrong though.

There are no doubt other people who wouldn't care about stuff that would piss me off. To that end, I've maintained that Susan - who's the owner of this site has the right to be mad. But what about me for instance. At worst it would take me all of 10 seconds to delete the post. Maybe I'm just too impressed with the technical content of it - in comparison to the 'inconvenience'.

I see what your point Michael - I really do. I just don't think that what he did was a big enough deal to matter but I see I'm in the minority.

So how in the h3ll did you hack your ISP? That takes some serious cojones.

# William said on January 31, 2005 5:39 PM:

You security guys want there to be a patch before you publish a security break. Thats fine for the products you work with, but CAPTCHA is a flawed concept ... you cant patch it ... its the best we have now, but we need to move to something else. And the web site has BIGGER problems. Note the comments above on how Roland used the CommentAPI to post ... totally bypassing CAPTCHA. Never mind people manually doing it or social engineering ... or that most blogs dont have CAPTCHA at all.

It is definitely not illegal ... how do you even think that it might be? What I did was post a single comment to 94 different public web logs. Totally legal ... just because you dont like it ... is moot. The 'blow you out of the water' has 'just kidding' right after it. Its meant to be funny. Have a sense of humor (period). Overstep my bounds? ... what bounds? What permission? ... the web pages are open to the public for comments. Legality is the only bound ... and its clear that this was not illegal. There is nothing wrong with my judgement at all.

# William said on January 31, 2005 5:47 PM:

Michael: I don't work *in* security, but I have a fair amount of exposure to it. I'm not sure that's the point, and I'm not sure I like being harpooned, but okay. No I don't work in security and I wouldn't call myself a security professional by any stretch of the imagination.

Maybe I was irresponsible in my choice of words, but I don't think that comparing this thing to Slammer is fair. My position, simply put, is that the code he wrote was cool. I mean..i'm a total geek, and this is just a technically cool hack. I don't care if someone else has a way to beat it, or if it doesn't work on some CAPTCHA implementations. This was a quick and dirty, targeted to one CAPTCHA, hack. Having no expertise in neural networks or character recognition, there's a wow factor. And the fact of the matter is that I thought it was a succinct way to point out what may have been the obvious, that captca sucks. But sometimes we need the obvious pointed out.

I think you and some others are looking too hard to find some evil ulterior motive in casey, and it's just not right. I don't know...maybe you don't read his blog and have never been exposed to his sense of humor, but the quote you cite about "blowing you out of the water with comment spam" was clearly (I know bill loves that word) tongue-in-cheek jesting if you are at all familiar with the way he writes.

Anyway, it's cool. Bill doesn't think it's a big deal about the spam, I didn't get spammed so I don't have an opinion on that either way. As someone above pointed out it was a good test bed, pick a bunch of blogs and run it, but maybe he should have asked permission first. Hindsight being 20/20 and all I guess we can say he did it poorly. But is it really the important thing, and worth all the fighting and pissing and moaning? Or should the focus be on the technical part, and what can be done to build a better mousetrap in light of this?

Just my two cents. And thanks for your comments on my blog earlier...it's why we do this blog thing, to get other input you know?

# William said on January 31, 2005 5:50 PM:

For what it's worth - I don't think it's a judgement issue at all. Like I said - I personally never would have thought people would have gotten mad. Maybe I just have poor judgement too - but again - I don't know that this means someone has bad judgement. First, he pointed to the article he wrote - sent 1 message and explained himself in the article. Put it this way - he did the absolute least intrusive way he could do it - didn't hide who he was or anything like that, did it to fellow MVPS. I mean, don't you get away with stuff in your own house or amongst your own friends that may be over the line elsewhere? And being that he took every step to be cool about it - I just don't see what the issue was.

If you're Susan and you got 20 emails from people who were pissed off , then ok - she was inconvenienced. But heck, we've all spent more time talking about it then it ever cost to deal with.

No harm no foul - especially if you do something cool and no foul. If it was lame, then it might be annoying - but you have to admit, it was pretty damned cool. I've heard the stuff about other folks can do it - but I don't know I buy that - sure some people can but from a tech perspective - it's impressive. From figuring out how the captcha worked to analyzing it. I didn't even know that there were only x number of letters there and I sure as hell didn't know about the timing issue. THat explains a lot. At worst the 'offense' rises to the level of jaywalking - and I just don't see the big deal.

# William said on January 31, 2005 5:52 PM:

And if Casey really wants to be cool - he'll write something to strip the word 'clearly' from all posts (actually, that's one of the things I'm including in the new site).

# William said on January 31, 2005 10:16 PM:

OK, I should clarify that I'm personally not pissed at Casey ('cause it's not my server, and I don't have a blog there, and in fact, my blog is quite open to comment spamming since I haven't connected my turing code to dasBlog), and it's *not that big a deal like slammer etc.*. Really. Just a few comments. The point is that you run it against someone's site without their permission, and taunt them along with it. The point is that it starts moving the line of what's acceptable.

It's nothing I can mathematically prove. It's just about where good taste and good decision is.

The reason to overreact still stands. You agreed that if the content was modified, it's clearly vandalism. "Clearly" -- see, judgement call.

And Casey, no, it's not asking for a patch for an inherently flawed design. Everyone here understands (I hope) that. The point is how you go about telling people, and as far as I (and many, many, others) are concerned, actually running it against someone's site is a rude and childish way to go about it. Everyone is welcome to their own opinion. If you guys go join MVPSecTalk (a good list for MVPs btw) you'll see.

So, just to make myself clear, I'm all in favour of talking about, showing, discussing, etc. At my site, I teach people how to go about cracking software. I don't think it's illegal at all (nor what Casey did, that's why I said "hopefully not", but I can envision some wierd reading of DCMA / antihacking laws that can make ANYTHING illegal).

I *don't* go around downloading sample programs, cracking them, and sending them back saying "see!". I don't go around connecting to people's shared printers and printing out "You're insecure fool! lolo1l1!!"

So if Casey wants to even post a bloody library that does awesome OCR... whatever. Spammers are pro operations, and they'll hire 5 guys like Casey to write AI code day and night. So I'm not worried that there's a proof of concept or some leaked info (this isn't a security hole). I just think it's tasteless and sets a bad precedent.

# William said on January 31, 2005 10:17 PM:

BTW, this has prompted me to revisit the code I posted on my site (Turing test) and look into doing something a bit stronger. The nice thing is, GDI+ makes it SO EASY to write up this kind of code (generating images, that is).

# William said on January 31, 2005 10:33 PM:

DAMN!! I take one Monday off and look what I missed!

I for one am on KC's side - mostly because I think what he did was not all that bad since it was only one post on less than 100 blogs (how many is that compared to the number of blogs that are on the 'net right now?) and he didn't release the code so it's not like some script kiddie can get his hands on it and go banana's with it...I also am on KC's side because I'm a proud member of the Casey Chesnut Sycophant Cult.

# William said on February 7, 2005 4:33 PM:

Is this the lineup for the cult? Where do I sign up?

# William said on February 7, 2005 8:16 PM:

Peter:

The criteria are easy:
1) Promise to always never take yourself too seriously
2) Push your boundaries and never be afraid to do something that's cool becuase you might ruffle feathers
3) Always be willing to knock over the apple cart
4) Send pictures of stippers!

# William said on November 16, 2005 1:12 AM:

What music prefer?

Search

This Blog

Tags

Community

Archives

News

My other sites

Cool Stuff

Book Stuff

Security

ORM

Data Access

Funny Stuff

Compact Framework Stuff

Web Casts

My KnowledgeBase Articles

My MVP Profile

Design Patterns

Performance

Debugging

Remoting

My Fellow Authors

My Books

LINQ

Misc

Speech

Syndication

Email Notifications