Finger, a verification library to prove hommaannnnnness of a user

Yeah definitely, this is what I said on the blog post.

It is bespoke and good enough to deter the 99% and slow down the 1% - if they ever decide to bother with an already free and non-membership required services platform.

Well then in fingers case, it would work the first time and then not work again, you can’t cache the result, it changes every page load. (Unless you did something funky with the library)


GET /finger.jpg


> {answer, image} = Finger.generate(2)
> {"35", <<1, 3, 4, ... >>}
> session_put(answer)
> respond(image)

GET /important

important stuff template
<form action=important method-post>
<img src=finger.jpg>
<input type=number name=finger>

POST /important

important stuff controller
> if form.finger == session_get(finger) then do stuff

They can cache that jpg all they want it will be valid only first time and if it solved by a human.

you could define a random route for the finger controller also if you wanted them never caching that statically named dynamic picture.


<img src=finger/random_url_safe_string 32 >

If I were to actually deal with them I would send a zip bomb or corrupt chunked 100MB file everytime directly from nginx for their IP ranges when they wanted to cache something.

After I had my fun, I would drop the IP ranges at the FW perimeter

1 Like

Google’s recaptcha v3 (or was it v4… whichever was the one that uses an excess amount of JS to try to scan everything about you) is trying for that, I may not like all the tracking and JS stuff it does, but it works quite well at figuring out browser ‘usage’ and tracking and such to determine who’s a bot, all without showing a captcha to the actual person (unless certain criteria are met).

yes it does work quite well but unfortunately in the hands of an evil corp that snoops on everything you do.


You have others doing the same has Google reCAPTCHA V3, like:

Also a good alternative or addition is to use:


$100 a very good salary in Vietnam. :rofl:


unfortunately the reality of our world though

1 Like

They are not caching the image url or anything, they are probably just caching a simple fourier transform of it which will technically be a cache of that unique combination.

Those transforms are immune to resizing etc, and the only way you can break similarity scores is by warping the image, hence why a lot of the old captchas had words that looked like they were viewed through a lens.

You need to randomly (even inside what is technically the same permutation like 1-3-2-1) place the images and skew them in ratio and placement for such a caching to not work.


the famous FT hits us again :slight_smile:

Luckily very achievable with the way we stitch with ImageMagick. I am the only user so far, don’t think need to go to those levels just yet :slight_smile:

I am finding out people just enter the sums on the first try rather than reading the instructions.

changing to sums would drastically increase the possibility of a right guess from min 1/44 to 1/8 but that seems like human nature or conditioned internet-based behavior so far.

ps: given stats are for a set of n=2 images as I use on my website. the number gets smaller as you increase to max n=9