TikiGraffiti

TikiGraffiti: Using Graffiti and Street Art to combat WordPress spam

Overview

TikiGraffiti is a WordPress plugin that implements a CAPTCHA to block comment spam. TikiGraffiti is similar to other captcha plugins, but instead of using a computer-generated image with obfuscated text, it uses images of graffiti and street art.

Examples

Standard captcha image:
[image: captcha.png]

TikiGraffiti captcha images:
[photos by: Rafael Rubira, nevernevermind, Cassidy Curtis, and Bright Tal]
(click to see originals)

Download

Download it here! This plugin has NOT been tested with WP 2.1!
Place tikigraffiti.php and tikigraffiti_imgs in your WordPress plugin directory.
You can browse the source code here.

Installation

The tikigraffiti.php script and the tikigraffiti_imgs directory should both be placed in your wp/wp-content/plugins directory. To add images, place them inside the tikigraffiti_imgs directory, and add attribution information in credits.xml (also located in the tikigraffiti_imgs directory). Images should be named with the codeword they contain, e.g. codeword.jpg.

Acknowledgments

The TikiGraffiti plugin is licensed under the GPL and is based on the SecureImage plugin.

All street art photos are licensed under a Creative Commons license that permits derivative works. All images were found on Flickr using the Creative Commons search feature.

All images distributed with TikiGraffiti are attributed to the photographer in an XML file distributed with the plugin. Also, when an image is displayed as a captcha, a link back to the original Flickr page for the photo is provided. A full list of photographer attributions is in the following section.

Although I can display photographer credits for these images, in some cases I do not know who the original artist was. Please leave a comment on this page if you have artist information so that I can properly attribute these works!

Default Images and Photo Credits

[photo: nevernevermind] [artist: ALIAS]
[photo: nevernevermind] [artist: Glenda GlitaGrrl]
Removed due to OCR spambot attack
[photo: Rafael Rubira] [artist: unknown]
[photo: nevernevermind] [artist: SP 38]
[photo: Trois Têtes] [artist: WK]
[photo: nevernevermind] [artist: unknown]
[photo: Bright Tal] [artist: Klone]
[photo: Cassidy Curtis] [artist: Lime]
[photo: Trois Têtes] [artist: unknown]
[photo: Trois Têtes] [artist: NOMAD]
[photo: filip42] [artist: unknown]
[photo: Ben Cumming] [artist: unknown]
[photo: Trois Têtes] [artist: unknown]
[photo: Trois Têtes] [artist: STOK]
[photo: Kim Laughton] [artist: TEK13]
Removed due to OCR spambot attack

OCR, Image Processing, Pattern Recognition, and other CAPTCHA Attacks

Everyone seems to want to talk about how effective or ineffective this captcha is at providing security. When talking about CAPTCHAs and security, it is important to remember three things:

  1. CAPTCHAs do not provide security.
  2. CAPTCHAs do not provide security.
  3. CAPTCHAs do not provide security.

The purpose of this plugin is to slow down spambots and make our blog more fun. Right now, it does both.

There are many ways to break this CAPTCHA, many of them fairly trivial. This is not the point.

If you are interested in captcha attacks, check out PWNtcha, an impressive captcha decoder. From a strict image processing/pattern recognition point of view, well-chosen graffiti images would be very hard to break algorithmically while still being human-solvable, but attackers could build a dictionary of all the graffiti images you were using. Our implementation makes dictionary attacks even easier, because we provide a link to the original image on Flickr in the attribution info :)

If you are actually concerned that a spam bot is trying to algorithmically solve your CAPTCHAs (TikiGraffiti captchas or any other kind), please let me know! Our logs show that right now there are no spambots using algorithmic captcha attacks on our blog.

Update: Well, that didn’t take long. We encountered a spambot that was trying to OCR the captchas! I removed the Authorised image because the OCR attack was successful. The OCR result that the spambot was passing for the TEK 13 image was “TEKI3” (i instead of 1), which was pretty close, so I removed that one too! Here are the images:
[images: authorised.jpg, tek13.jpg]
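
The kind of log review described in the update, sketched as an added example (not part of the plugin or the original page): it flags images whose wrong answers differ from the codeword only by OCR-confusable glyphs, as with “TEKI3” for tek13. The log format, the confusable table, the case-insensitive match and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Glyphs that OCR engines commonly confuse, folded to one representative.
# Illustrative assumption; not taken from the plugin.
CONFUSABLE = str.maketrans(
    {"1": "I", "L": "I", "|": "I", "0": "O", "5": "S", "8": "B", "2": "Z"}
)

# Constructed sample log; the "ts ip image=<codeword> answer=<text>"
# layout is hypothetical.
SAMPLE_LOG = """\
2007-02-20T10:01:02 203.0.113.7 image=tek13 answer=TEKI3
2007-02-20T10:01:09 203.0.113.7 image=tek13 answer=TEK|3
2007-02-20T10:02:11 198.51.100.4 image=klone answer=klone
2007-02-20T10:03:40 203.0.113.7 image=nomad answer=N0MAD
2007-02-20T10:05:00 192.0.2.15 image=stok answer=viagra
2007-02-20T10:06:30 198.51.100.9 image=lime answer=Lime
"""

LINE_RE = re.compile(r"^(\S+) (\S+) image=(\S+) answer=(.*)$")

def fold(text):
    """Uppercase, drop whitespace, and collapse OCR-confusable glyphs."""
    return re.sub(r"\s+", "", text).upper().translate(CONFUSABLE)

def classify(codeword, answer):
    """Return 'pass', 'ocr_near_miss', or 'miss' for one attempt."""
    if answer.strip().lower() == codeword.lower():
        return "pass"  # assumes the captcha check ignores case
    if fold(answer) == fold(codeword):
        return "ocr_near_miss"  # wrong only by a glyph confusion
    return "miss"

def images_to_review(log_text, threshold=1):
    """Map codeword -> set of client IPs that produced OCR-style near misses."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        _ts, ip, codeword, answer = m.groups()
        if classify(codeword, answer) == "ocr_near_miss":
            hits[codeword].add(ip)
    return {cw: ips for cw, ips in hits.items() if len(ips) >= threshold}
```

An image that shows up in `images_to_review` is a candidate for removal from tikigraffiti_imgs, since a near miss today tends to become a correct answer once the bot's OCR improves.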

5 Responses to “TikiGraffiti”

  1. shag
    February 19th, 2007 | 10:59 pm

    duude. sweeet.

  2. Frank
    February 28th, 2007 | 5:53 am

    Hello,

    very nice plugin :)

    Unfortunately there is no further documentation. How exactly can I define where in the comment form the captcha will appear? Without using any tag it shows up under the form…

    Thanks for help

    Frank

  3. February 28th, 2007 | 6:44 pm

    Hi Frank,

    The plugin places the captcha underneath the comment form, just below the submit button. It then uses JavaScript to move the captcha to appear below the website field, and above the comment text area.

    This has two problems:

    • If JavaScript is disabled, then the captcha appears at the very bottom
    • Some browsers, like Firefox on the Mac, are really slow in moving the captcha to the proper location. Sometimes it moves while you are typing in the captcha. If some part of your page hangs, then Firefox doesn’t seem to move it at all.

    I wish that the plugin api let us insert content somewhere other than the bottom of the form.

    If things are working properly, here is how it should look:

  4. Frank
    March 1st, 2007 | 5:02 am

    Thanks a lot for help!

    I guess that would explain why it broke my table-layout ;)

    However after knowing what the problem was I was able to fix it. I really love the ability to use self-made images for the captcha!

    Btw. if you're looking for ideas for an update: it would be great if it were possible to use self-made error pages instead of just letting the script die *s

    Best regards

    Frank

  5. April 2nd, 2008 | 12:16 am

    [...] Visit [...]
