Wednesday, April 21, 2010

CAPTCHAs are less secure than you think

captcha-math Quick! What does CAPTCHA stand for (without consulting Wikipedia)? Completely Automated Public Turing…and then things get foggy. Try again. Completely Automated Public Turing test to tell Computers and Humans Apart. Yes, they cheated a little with the acronym (it should be CAPTTTCHA), but regardless of what it stands for, we all know what a CAPTCHA looks like. Those little, often hard to decipher, images on a form designed to only be readable by humans so as to prevent bots from submitting forms.

But are those images really unreadable by computers?

I was prompted to consider this after reviewing a blog post by one of the Telerik ASP.NET AJAX Team Leads about RadCaptcha and OCR software. The nature of the blog post was not meant to be a definitive test of RadCaptcha’s security, but it was clear through the comments that people are interested in that information. In the blog post, it is demonstrated that RadCaptcha cannot be understood by off-the-shelf OCR software, which is a fun test, but clearly not a definitive measure of security. In the “real world,” algorithms are custom tailored for attacking CAPTCHAs.


As it turns out, for years now, computers have been able to automatically parse many of the CAPTCHA images you find on the web. Research done by various universities, such as Simon Fraser University and UC Berkeley, has produced algorithms capable of “seeing” almost all CAPTCHAs that rely on simple text transformation and “busy backgrounds” to stump computer character recognition. Take the following CAPTCHA image examples:

captcha-18 captcha-71

Each of these CAPTCHAs can be successfully read by algorithms developed by university researchers with a 92% success rate! I’m sure you’ve seen a few forums or web forms that have CAPTCHAs that look a lot like this. (You may be the owner of one of those sites today.)

In short: CAPTCHAs that rely on background noise, color, and text distortion are generally ineffective at stopping modern CAPTCHA bots.

Stronger CAPTCHAs

If you must use a visual CAPTCHA today, the much more effective technique for spoiling bots is visual segmentation. When a CAPTCHA bot tries to understand an image, it will first try to remove all background noise and “obviously” unnecessary image data (think about what you’d do in Photoshop to clean-up an old damaged photo – that’s what the bots do). Then, bots will go about trying to “segment” the remaining data in to areas that can be eventually parsed in to characters. With sufficient overlapping and thick cross-cutting lines, bots are unable to accurately translate segments in to characters. For example, the following image is much more effective at blocking bots than the previous images even though there is no background noise or color:


Of course, even strong CAPTCHA images like this are being broken with advanced research, but in the current cat and mouse chase of CAPTCHA security, this is among the best options for balancing human readability and computer bot blocking.

Optimizing RadCaptcha

Given this new understanding about the current state of CAPTCHA bots, there are some easy takeaways for configuring RadCaptcha for maximum bot blocking:

  1. Don’t rely on visual CAPTCHA protection only
    Bots often give away their identity by trying to submit forms too quickly or by trying to submit a form too many times. Take advantage of RadCaptcha’s non-visual protections to maximize bot prevention.
  2. Maximize Line Noise Level, Eliminate Background Noise Level
    Research says background noise is first thing a CAPTCHA bot throws-out, so it offers little value to your image. Instead, maximize your CAPTCHA image line noise and font warp factor to make segmentation hard for bots. Set properly, RadCaptcha can produce very secure CAPTCHA images like this:

  3. Use a Custom Character Set
    Many bots rely on encountering a predictable set of characters or words to accurately parse a website’s CAPTCHA image. By using a custom character set with RadCaptcha that includes non-alphanumeric characters (like @, !, #, $), you can increase your odds of beating the bots.

No visual CAPTCHA image is perfect, and with the modern trend of employing humans to beat CAPTCHAs, a CAPTCHA is a road bump at best. Still, they prevent the casual spam bot from infiltrating your site and protect your forms from the script kiddies.

Telerik will continue to add improved security features to RadCaptcha in future releases, but by following these simple guidelines, you can confidently get the most value out of a CAPTCHA today that a CAPTCHA can provide.

Tuesday, April 20, 2010

JustMock unofficial FAQs (update)

justmock-faq With all of the attention on the just announced TeamPulse and WebUI Test Studio QA Edition, the JustMock Beta is over due for more face blog time. Hopefully you managed to attend today’s JustMock introduction webinar (if you did, you are now a proud license holder) and start to learn more about how JustMock benefits your unit testing. But whether you attended that event or not, I figured I’d start to round-up and address some of the most burning questions about Telerik’s newest developer tool.

In the same vein as the Unofficial FAQs for the MVC Extensions, here is round-one for JustMock. If I missed a question you want answered, let me know in the comments.

JustMock Unofficial FAQs

Q: What is JustMock?
JustMock is a new Visual Studio productivity tool from Telerik that helps you create unit tests more quickly by automatically mocking, or “faking,” objects in your tests. Mocking helps you break dependencies in your unit tests so that you can focus on testing a single concern and provide more complete unit test coverage. You can read a complete intro to JustMock from the Product Team on the Telerik Blogs.

[NEW] Q: What is mocking and why do I need it?
Mocking (Wikipedia) is a concept in unit testing where real objects and substituted with fake objects that imitate the behavior of the real deal. Mocking is done so that a test can focus on the code being tested and not on the behavior or state of external dependencies. For example, if you have a data repository class that runs business logic and then saves information to a database, you want your unit test to focus on the business logic and not on the database. Mocking the “save” calls to your database ensures your tests run quickly and do not depend on the availability or state of your database.

When you’re ready to make sure the “save” calls are working, then you’re moving on to integration testing. Unit tests should not cross system boundaries, but integration tests are allowed to cross boundaries and make sure everything works together (your code, your database, your web services, IIS, etc.).

Wikipedia does a good job explaining additional reasons for using mock objects, such as working with objects that have non-deterministic results (like DateTime.Now), have states that are difficult to reproduce (like testing how your code behaves if a web service is unavailable), or have operations that are slow to test (like using a test database with setup/teardown scripts).

[NEW] Q: How does JustMock help with mocking?
Mock objects can be created and maintained manually, but this is time consuming and ultimately unproductive approach. A tool like JustMock allows you to focus on writing tests and forget about the mocking details. Mock objects are created automatically in memory when the tests run based on your simple configuration in the unit test. There are no “physical” mock objects that have to be maintained as your project changes.

JustMock goes even further and does not force you to distinguish between “mocks,” “fakes,” and “stubs.” You have a single API for mocking and JustMock handles the rest.

[NEW] Q: Why not mock everything with JustMock?
It is possible to overuse mocking. The goal of mocking is to isolate the code you want to test from other components in the system. There are two rules of thumb that should be followed to ensure mocking is done properly:

  1. Only test (and thus mock) the external behavior of any object
    Mocking the internal behavior of objects can make unit tests brittle and hard to maintain during refactoring.
  2. Mock all objects and external dependencies that are not being actively tested
    Mocking all objects obviously produces meaningless test results. Use mocking to keep unit tests focused the behavior of the method you’re testing. Nothing more. Nothing less.

Q: Is JustMock included in the Telerik Premium Collection?
No, JustMock will not be part of the Premium Collection. Instead, it is one of the new tools included in the recently introduced Ultimate Collection (along with WebUI Test Studio Developer Edition).

Q: Is JustMock available as a standalone product?
Not today, but it will be when it is officially released. Final pricing is not yet set, but you can expect it to be very price competitive with other commercial mocking tools. We currently expect pricing to fall somewhere between $299 and $399.

Q: Is JustMock free and open source?
The beta (which is available now) is free, but the final product will be commercial. JustMock is not an open source product, nor does it derive from an open source library. It’s built from the ground-up by Telerik.

Q: When will JustMock be released?
JustMock is currently in beta, and it will be officially released with our Q2 2009 release (slated for July). The beta is free, though, so download it today and take it for a spin.

Q: How is JustMock different from existing mocking frameworks?
We are well aware that there are many great mocking frameworks available for .NET developers, both open source and commercial. In our experience as a software development company, though, none are perfect and we see room to fill in some gaps and create a better competitive environment around mocking tools. Among the many features in the JustMock beta, here are areas we aim to provide unique value:

  • Performance – We provide both “simple” (aka, Proxy) and Profiler API-based (aka, Elevated) approaches for mocking so that you can use the technique best suited for your code. The simple method is comparable to many open source frameworks and is fast and easy to setup/deploy. The Profiler-based approach is what commercial mocking frameworks tend to employ, and it is more powerful, capable of mocking just about everything. Our hybrid approach is unique and gives you the best of both worlds.
  • Simplicity – We know that mocking is still new for many of you, so we are providing simple to use strongly-typed, fluid API that employs the AAA Patern- Arrange/Act/Assert. There is one simple way to use JustMock, based on the latest framework features, so no “legacy” concepts pollute the API.
  • Integration – Of course, one of the advantages of a Telerik mocking tool is that it’s part of the legendary Telerik stack that includes great support. We plan to really build on the integration story with other tools like JustCode in future releases.

Q: Why does JustMock use the Arrange/Act/Assert pattern? What about Record/Replay?
The Arrange/Act/Assert pattern is a more logical and clean approach to unit testing than the legacy Record/Replay. With AAA, you group your testing actions by function, making it clear what part of your test is involved in setup versus verification. The pattern can be applied to all unit testing, but it is especially useful when mocking is involved.

Record/Replay is an older pattern and it is similar to using GOTO statements in your unit tests. This makes the pattern more difficult to follow and clearly less ideal from a programming perspective. Therefore, JustMock is focused on supporting the AAA pattern.

Q: Is there any JustMock documentation?
Of course! Even in the beta release there is documentation, though most of it exists as “learn by example.” When you download the beta, you’ll find a demo project that shows you through code all of the various ways you can use JustMock. For the final release, we’ll be updating and providing complete product documentation.

You can (and should) also follow Team Lead Mehfuz Hossain’s blog, where he is posting regularly on JustMock.

Looking ahead to Q2 2010, Part 1

futureExit I know, I know. You’ve just started looking at the Q1 service packs, you’re still trying to digest all of last week’s announcements, and now we’re already talking about Q2?! Time marches on, and Q2, believe or not, will be here in less than three months. With three major releases every year, things move fast at Telerik. What can you expect to find in the next major release?

Fortunately, there are road maps for that, and many of the Developer Tools road maps are now available on Here are some direct links and highlights from the Q2 2010 road maps:

  • RadControls for ASP.NET AJAX
    • [NEW CONTROL] TagCloud
    • [FEATURE] RadAsyncUpload – New Flash/Silverlight upload modes
    • [FEATURE] RadEditor – Option to have DIV content area instead of IFRAME
    • [FEATURE] RadGrid – New GridDragDropColumn
    • [FEATURE] RadListView – Client template support
    • [FEATURE] RadScheduler – Reminders + time zone support
    • [MAJOR UPDATE] RadRotator – Load-on-demand support + carousel mode
    • SharePoint 2010 web parts for Grid and Editor
  • Telerik Extensions for ASP.NET MVC
    • [NEW CONTROL] Combobox
    • [NEW CONTROL] Editor
    • [NEW CONTROL] Window
    • [FEATURE] Grid – Hierarchy, edit form, and resizable column support
  • RadControls for WinForms
    • [MAJOR UPDATE] RadGridView – new data engine + many new UI features
    • [NEW CONTROL] Desktop Alert
    • [NEW CONTROL] TabView
    • [FEATURE] RadScheduler – Reminders, Time Zones, + many new features
    • [FEATURE] RibbonBar – New Office 2010 UX
    • 30% performance improvement in TPF thanks to new optimizations and caching

Be sure to click on the links to examine the full road maps in detail. There is obviously much more happening in Q2 than I highlighted here, so read the road maps if you want all of the nitty-gritty.

There are also clearly some “missing” road maps today. They will be published towards the end of this week and early next. Stay tuned for part two of “looking ahead” for the links and highlights for XAML, ORM, Reporting, and JustCode. Until then, set your alarms and start dreaming of the ways you can use the new controls and features when they ship in July.

Monday, April 19, 2010

Q1 2010 Service Packs Available

telerikDrill While April has become a big month for more new products and announcements from Telerik, the bits released about a month ago as part of Q1 2010 are already receiving the first round of service packs. Of course, with the official VS 2010, .NET 4, and Silverlight 4 releases last week, SP1 is a perfect time for Telerik to ship official support for Microsoft’s latest platforms. And that’s definitely part of what you find in Q1 2010 SP1.

Available now are service packs for (with selected highlights):

  • RadControls for ASP.NET AJAX (2010.1.415)
    • VS 2010/.NET RTM support
    • [RadCaptcha] Audio captchas now embedded in page!
    • [RadEditor] Improved Paste from Word support
    • [RadRotator] New cross fade animation
  • Telerik Extensions for ASP.NET MVC (2010.1.416)
    • A few breaking changes: Grid, Treeview
    • OSS NOTE: Remember, only the “commercial” license gets updated for SPs and hotfixes. The OSS branch is updated for major releases.
  • RadControls for WinForms (2010.1.409)
    • VS 2010/.NET 4 RTM support
    • Client profile support
    • New Office 2010 & Breeze Extended themes
    • Major improvements to new Visual Style Builder
  • JustCode (2010.1.415)
    • VS 2010/.NET 4 RTM support
    • Significantly improved/enhanced typing assistance
    • Additional memory/performance optimizations

Service packs for the remaining developer tools- Telerik Reporting, OpenAccess ORM, and the RadControls for Silverlight and WPF- will be available very soon, too. These SPs will all focus on delivering official support for VS 2010 and .NET 4, in addition to polishing some of the features introduced in Q1 2010. For example:

Stay tuned for the last of the service packs this week and get started now downloading the four SP1s available today!

Another Webinar Week starts Tuesday, License giveaways

webcastPeople As many of you know, at Telerik we like to run “Webinar Weeks” around the time of a release to help you quickly get up-to-speed with all of the new features, controls, and (increasingly) products that are part of a Quintessential release. Most recently, we hosted the Q1 2010 Webinar Week and hundreds of you joined us live to learn. This week, we are hosting another new Webinar Week!

With all of last week’s announcements, April is almost as big- if not equally big- as our “official” Q1 Release Week. That means you’ve probably got tons of questions, and it definitely means we’ve got tons to share. A Webinar Week is the perfect solution.

Everything starts on Tuesday, April 20th at 11 AM Eastern with lots of chances to win free software:

  1. Introduction to JustMock, Tuesday, April 20th
    Co-hosted by Josh Holt and Lead Developer Mehfuz Hossain. A great introduction to mocking and how JustMock makes it easy. Everyone attending live will get a FREE JustMock license.
  2. Introduction to TeamPulse, Wednesday, April 21st
    Hosted by Joel Semeniuk, EVP Team Productivity Tools. Come learn more about what TeamPulse does for teams and how it creates a planning sandbox for TFS. Everyone attending live will get a FREE TeamPulse license.
  3. Introduction to WebUI Test Studio QA Edition, Thursday, April 22nd
    Hosted by Chris Eyhorn, EVP Testing Tools. An introduction to the brand new QA edition of WebUI Test Studio. One Test Studio QA Edition license ($2500 value) will be raffled to live attendees.
  4. Introduction to WebUI Test Studio Developer Edition, Friday, April 23rd
    Also hosted by Chris Eyhorn. Learn what’s new in the developer-oriented version of WebUI Test Studio. One Test Studio Dev Edition license ($1500 value) will be raffled to live attendees.

Clearly, you don’t want to miss these webinars. Each starts at 11 AM Eastern, and, of course, we’ll be recording for those that can’t attend live. Register for each using the links above and we’ll see you on Tuesday!

Friday, April 16, 2010

In Case You Missed It, Part VIII

incaseyoumissed It has been more than a year since I last provided an update in the ICYMI series, but now more than ever it’s time to make sure you haven’t missed some important news. As a reminder, ICYMI posts are designed to highlight some of the important posts that are flying by on the very active Telerik Blogs that you might have missed. With all of the recent Telerik and Microsoft announcements, there are more than a few great posts to share that you shouldn’t miss, but here’s the most important you definitely must read:

New products. New releases. It’s all great Telerik reading. With an average of 50 posts per month over the last 12 months, the Telerik Blogs are a great resource for what’s new with Telerik products. Subscribe today and don’t miss the next round of important news!

New divisions at Telerik, DevConnections wrap-up

vs2010-yellow-ninja In case you weren’t watching the Telerik Blogs, or the Telerik Twitter account, or the Telerik Facebook Page, we were in Las Vegas this week celebrating the launch of Visual Studio 2010, Silverlight 4, and…the introduction of two new divisions at Telerik! A busy week to say the least. We also re-launched and launched a beta of the new Telerik TV (more details soon).

On Monday, we introduced two new divisions at Telerik:

  • Team Productivity Tools
  • Automated Testing Tools

Team Productivity Tools
This brand new division has been created to focus on building tools that help teams better collaborate and work efficiently through the entire application lifecycle. At Telerik, we recognize that building great software doesn’t start with writing code, it starts with capturing ideas, planning requirements, and managing the software development process. As a software development company ourselves, we see gaps in the tools available today for accomplishing these tasks and we aim to fill those gaps with the tools coming out of this division. This division is based in Winnipeg, Canada and headed by ALM and TFS expert (and Microsoft RD) Joel Semeniuk.

We introduced the beta of the first new tool out of this division this week:

  1. TeamPulse (licensing TBA)
    TeamPulse is best described as a planning sandbox for TFS. It helps teams quickly capture project requirements, define application personas, and plan the work that must be done to build software. It’s an innovative tool built on Silverlight 4 that we think will be essential to any TFS shop.

Automated Testing Tools
This division is the result of a merger with ArtOfTest, the company Telerik has been partnered with for the last year to provide WebUI Test Studio. Now that we can operate as one company, we can more effectively combine our efforts and bring new solutions to the automated testing and QA world. This new division establishes a Telerik office in Austin, Texas (my neighbor), and it is headed by Christopher Eyhorn and Faris Sweis.

At the same time, we’re introducing two new versions of WebUI Test Studio:

  1. WebUI Test Studio QA Edition ($2499)
    Aimed at the non-technical QA, this is a standalone version of WebUI Test Studio that does not require Visual Studio. It’s brand new and super easy to use. It sports TFS integration to ensure dev teams can easily collaborate with QA teams.
  2. WebUI Test Studio Developer Edition ($1499)
    This is the “replacement” for the original WebUI Test Studio edition. It’s aimed at developers and it is a Visual Studio plug-in that provides all of the features found in the QA edition.

Clearly, with news this big, it dominated our time at DevConnections and demanded that we do something special. Something like our in-your-face green .NET Ninja shirts that over 200 people wore to the Silverlight 4 keynote, our Telerik VIP Lounge party bracelets, our green Telerik guitars given away by Carl Franklin and his band (that we flew to Vegas to perform), and no less than 4 unique t-shirt designs given away at the booth! It was a big week and everyone that engaged with Telerik went home a winner.

Stay tuned for much more news about our new products, our new divisions, and new things happening across all of the existing areas where Telerik is working hard! Also, be sure to visit our Facebook page for more photos from DevConnections and new videos coming soon.