Hacker News: a904guy's comments

No, not at the moment. Just need an account.


Didn't really take your own advice in keeping your API key safe :)


Yeah :) In most apps this would probably be a page saved on your computer or behind basic auth or be a part of your static site generator.



I always preferred the remote code execution search myself personally...

https://github.com/search?q=extension%3Aphp+exec+%24_GET&typ...


Holy shit! Look at this! This is hilarious! https://github.com/bratliff/engconf/blob/0b8f003edc5f5d25fe1...



Oh. And it's for WordPress. Isn't that just fucking wonderful. I would guess, looking at the age of the account and the complete lack of documentation, that it's a personal project he never really intended to get much scrutiny. I'm sure if someone looked at my GitHub they could find some bad code too. Not that bad though.

Edit - made an issue.




I only found one exploitable example browsing the first few pages, whereas the majority of the OP's results looked fairly exploitable.


The difference is that SQL injection will only happen when using raw queries.

System (as you mentioned) or EXEC injections, however, may get out of hand.
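The search linked above only finds the literal `exec $_GET` pairing. The following is an added example (not code from the thread or from any project mentioned in it) that generalises it: a small scanner for the PHP shell-execution sinks (`exec`, `shell_exec`, `system`, `passthru`, `popen`, `proc_open`, and the backtick operator) that also follows the one-hop indirection where a superglobal is copied into a variable before reaching the sink, and downgrades calls whose argument is wrapped in `escapeshellarg()`/`escapeshellcmd()`. The PHP in `SAMPLE_PHP` is constructed for the demo; it is not any real repository's code.

```python
"""Find shell-execution sinks in PHP that are fed by request data.

Added example, not code from the thread or from any project mentioned in it.
It generalises the GitHub search for `exec $_GET`: it also covers the other
shell sinks, the backtick operator, and the one-hop indirection where the
superglobal is copied into a variable before reaching the sink. The PHP
below is constructed for the demo. Single-line calls only; a multi-line
call would need a real parser.
"""
import re

SINKS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")
SANITISERS = ("escapeshellarg(", "escapeshellcmd(")

# $var = $_GET[...]   (request data assigned straight to a local variable)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# sink( ... );  captures the argument text between the parentheses
CALL_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)\s*;")
# `...`  the backtick operator is shell_exec() in disguise
BACKTICK_RE = re.compile(r"`([^`]*)`")

# constructed sample, covering the cases the plain search finds and misses
SAMPLE_PHP = """<?php
// 1: request parameter passed straight to the sink, what the GitHub search finds
exec($_GET['cmd'], $output);
// 2: copied to a variable first, so the search never sees it
$dir = $_POST['dir'];
$listing = shell_exec("ls -la " . $dir);
// 3: wrapped in escapeshellarg(), still worth a look but lower severity
system("ping -c 1 " . escapeshellarg($_GET['host']));
// 4: constant command, no request data involved
exec("uptime", $load);
// 5: the backtick operator runs a shell too
echo `cat $dir`;
"""


def _is_tainted(arg: str, tainted: set) -> bool:
    """True if the argument text mentions a superglobal or a tainted variable."""
    if any(src in arg for src in SOURCES):
        return True
    # whole-token match so $c does not match $cmd
    return any(re.search(re.escape(var) + r"\b", arg) for var in tainted)


def find_command_injection(php_source: str) -> list:
    """Return [{'line', 'sink', 'severity'}] for every request-controlled shell sink."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "*")):
            continue  # comments are not executed
        tainted.update(ASSIGN_RE.findall(line))
        for sink, arg in CALL_RE.findall(line):
            if _is_tainted(arg, tainted):
                # escapeshellarg() quotes a single argument, so this is a review
                # item (e.g. leading '-' options) rather than an open shell
                wrapped = any(s in arg for s in SANITISERS)
                findings.append({"line": lineno, "sink": sink,
                                 "severity": "medium" if wrapped else "high"})
        for arg in BACKTICK_RE.findall(line):
            if _is_tainted(arg, tainted):
                findings.append({"line": lineno, "sink": "backtick", "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in find_command_injection(SAMPLE_PHP):
        print(f)
```

Run against the constructed sample it reports lines 3, 6, 8 and 12 and stays quiet on the constant `exec("uptime", ...)`; the indirect case on line 6 and the backticks on line 12 are exactly what a one-token code search cannot see.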


Nobel Prize Winner (aka Ed) goes to:

$("a:contains("+arxiv['title']+")").click();


Oops: Was going for the high score...

OperationalError: (1203, "User #### already has more than 'max_user_connections' active connections")


mit.score = 1337000000001337;


Looks great.

Two things,

#1: If you modify the checked attribute of the input, the state doesn't change.

#2: I don't see a programmatic way of changing the state from your source without re-initializing all the elements?



#1: Not really impossible; it just requires additionally maintaining a monitor, methods within the script, or custom triggers to handle the switch.


An (extremely) large number of usual local network IP ranges are issued to the DOD, including my local subnet as well: 11.1.11.0/24. If I ran a whois on that IP, it would return DOD, but that doesn't mean the DOD is snooping my network; it just means my router has all the routes for 11.1.11.0/24 associated with it and doesn't actually attempt to send traffic over the wire to that IP. I assume your Android phone is listening locally on that address for the VoIP communication, which would in turn mean the DOD is NOT snooping on your phone. Much like Apache or (insert other socket application) listening on 127.0.0.1:80 for local-only traffic.
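The check the comment above is describing, added here as an example (not from the thread): take the host's listening sockets and its routing table, classify each bind address against the IANA special-purpose ranges, and do the same longest-prefix match the kernel does to see whether a packet to that address would be handed to the default gateway or delivered on a directly connected link. The socket list and route table are constructed in `ss -tlnp` / `ip route` style; on a real machine they come from those commands, and the interface names (`wlan0`, `rmnet0`) are assumptions for the demo.

```python
"""Route-table check: where does traffic to a whois-"DoD" address actually go
from this host?

Added example, not from the thread. The listening-socket list and the route
table are constructed in `ss -tlnp` / `ip route` style. Longest-prefix match
is how the kernel picks a route, so the result shows whether a packet to the
address would be handed to the default gateway or stay on a connected link.
"""
import ipaddress

# (prefix, interface, gateway or None for an on-link route), constructed
ROUTES = [
    ("0.0.0.0/0", "wlan0", "192.168.1.1"),   # default route via the home router
    ("192.168.1.0/24", "wlan0", None),        # home LAN, directly connected
    ("11.1.11.0/24", "rmnet0", None),         # carrier-assigned prefix on the cellular interface
    ("127.0.0.0/8", "lo", None),
]

# local listeners, constructed (address:port as ss prints them)
LISTENERS = """\
0.0.0.0:22
127.0.0.1:80
11.1.11.7:5060
192.168.1.20:8080
"""


def address_class(addr: str) -> str:
    """Classify a bind address by the IANA special-purpose registries."""
    a = ipaddress.ip_address(addr)
    if a.is_unspecified:
        return "any"          # 0.0.0.0: answers on every interface
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a.is_private:
        return "private"      # RFC 1918 and the other non-global ranges
    return "public"           # globally routable per the registries; whois names an owner


def route_for(addr: str, routes=ROUTES):
    """Longest-prefix match over the route table, as the kernel does it.
    Returns (network, interface, gateway-or-None)."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def audit_listeners(listing: str = LISTENERS, routes=ROUTES) -> list:
    """For each listener: address class, egress interface, and whether a packet
    to it would leave via a gateway or be delivered on a connected link."""
    report = []
    for line in listing.splitlines():
        host, _, _port = line.rpartition(":")
        cls = address_class(host)
        if cls == "any":
            report.append({"bind": line, "class": cls, "dev": "*", "via_gateway": False,
                           "registered_global": False, "onlink_but_whois_public": False})
            continue
        _net, dev, gw = route_for(host, routes)
        is_global = ipaddress.ip_address(host).is_global
        report.append({
            "bind": line,
            "class": cls,
            "dev": dev,
            "via_gateway": gw is not None,
            "registered_global": is_global,
            # the situation in the comment: whois names an owner, but the route is local
            "onlink_but_whois_public": is_global and gw is None,
        })
    return report


if __name__ == "__main__":
    for row in audit_listeners():
        print(row)
    print("8.8.8.8 ->", route_for("8.8.8.8"))
    print("11.1.11.200 ->", route_for("11.1.11.200"))
```

With the constructed table, `11.1.11.7:5060` comes out as `public` (so whois would show a registrant) but `via_gateway` false on `rmnet0`: packets to it are delivered on the cellular link, not forwarded towards the internet, while `8.8.8.8` falls through to the default route. The `onlink_but_whois_public` flag is the thing to look at before concluding who is listening.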


So you're saying that providers are using these address ranges where you'd usually expect to see something like 10., 172.16-31. or 192.168.*? That is, purely internal traffic that's not routed over the public net?

If so, I could buy that, but my question is "why?" That is, why not use an actual RFC1918 private address?

Or is your point actually something different, and I'm just missing it?


We are talking about an IP address range that happens to be DNS registered... it could be as simple as the DoD having some extra bandwidth/infrastructure that they are leasing out to, say, Sprint?


No, DOD is not leasing out IP addresses; ISPs are basically "stealing" them from DOD. This shouldn't be happening, but for some reason cellular carriers are complaining that ARIN won't give them IPv4 addresses even though addresses are available and the carriers clearly have enough devices to qualify. Something has gone wrong here, but I have not been able to find out why.


"...it could be as simple as the DoD has some extra bandwidth/infrastructure that they are leasing out to say Sprint?"

Ok, I get that in principle... but that particular combination sounds awfully suspicious. The DoD just happens to have extra IP space, and they just happen to lease it to cell phone carriers? Hmmmmmmmmm....

I mean, yeah, it could all be totally innocuous, but I'm still suspicious that there might be something else going on. I'm not exactly a card carrying member of the tinfoil-hat brigade, but I trust our government about as far as I can throw it... :-)


http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_addres...

Do a control-f for "DOD". These guys have so much IPv4 space it's not even funny. Being the government, they'll never give it up. So a total of 200 million IPv4 addresses:

http://royal.pingdom.com/2008/02/13/where-did-all-the-ip-num...

So, when the country that started the internet is also the country with the largest, by far, military and has obscene military spending, well, this is what happens.


I doubt the DOD purchased IP blocks much as I doubt Apple pays for their domain name.

Back before the commercialization of the Internet these things were relatively free.


Wow. For the curious but unmotivated, here are the /8 IPs they control:

7.0.0.0/8 11. 21. 22. 26. 28. 29. 30. 33. 55. 214. 215.

(omitted the 0.0.0/8 from all but the first for brevity)


I just had a LOST flashback.


Are you sure it wasn't a... flash forward?


DOD has 211 million public IPs! That is a way to reduce the budget deficit: auctioning off extra IPs. I doubt the DOD needs that many public IPs.


The best part is that the DoD is working hard to limit the outgoing bandwidth to just a certain subset of IP addresses in an attempt to limit their attack surface, so most of those IP addresses are never going to be externally accessible and may simply be used for internal-only networks.


Or like a tax refund they could give one to every adult in the USA!


Given that the DoD would probably still run the infrastructure.... no way I would accept that....


As far as I can tell from the demo there is no server-side validation on this captcha. Everything is handled on the client side. So really all you're doing is making an annoyance for your honest target users, and allowing a spam bot to just totally ignore this 'captcha' and submit their POST regardless....

I've seen hundreds of these 'alternative' captchas: 'slide to unlock', 'sort images', etc. None yet have proven to be as effective at stopping a simple curl script.

Real captchas will store the value of the image or verification method on the first fetch in a session, and when the form is finally filled out the server will verify that the session value matches the submitted value. Without this component, the alternative captchas are pointless and just an annoyance to your real users.

Spam bots are not built on top of web browsers...
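The server-side component the comment above calls for, as an added example (not MotionCAPTCHA's code or anything posted in the thread): two form handlers side by side, one that trusts a flag the page's JavaScript sets after the gesture is completed, and one that stores the challenge answer in a server-side session when the form is rendered and compares the submitted value against it, once, within a time limit. The same check applies whether the challenge is drawn as an image by PHP or replaced by a fancier widget on page load; only what the user sees changes. Class and field names (`captcha_ok`, `captcha`, the session store) are assumptions for the demo, and all sessions and form data are constructed.

```python
"""Server-side CAPTCHA verification, the piece a client-only 'captcha' lacks.

Added example, not MotionCAPTCHA's code or anything posted in the thread. It
models two form handlers: one that trusts a flag the page's JavaScript sets
once the user 'solves' the puzzle, and one that stores the challenge answer
in a server-side session when the form is rendered and checks the submitted
value against it, once, within a time limit. A bot that posts the form
fields directly, never loading the page, beats the first and not the second.
All sessions and form data below are constructed for the demo.
"""
import hmac
import secrets
import time


class ClientOnlyCaptcha:
    """Anti-pattern: the browser-side script sets captcha_ok=1 after the gesture.
    The server has nothing of its own to compare against."""

    def accept(self, form: dict) -> bool:
        return form.get("captcha_ok") == "1"


class ServerCaptcha:
    """The answer lives server-side; the client only ever sees its rendering."""

    TTL = 300  # seconds a challenge stays valid

    def __init__(self):
        self._sessions = {}  # session id -> {"answer": str, "issued": float}

    def render(self, now: float = None):
        """Called when the form page is fetched. Returns (session_id, challenge).
        The session id goes into a cookie; the challenge is what the image or
        gesture encodes, which a human reads and a curl script does not have."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        answer = secrets.token_hex(3)
        self._sessions[sid] = {"answer": answer, "issued": now}
        return sid, answer

    def accept(self, sid: str, form: dict, now: float = None) -> bool:
        """Called on POST. Single-use: the entry is consumed on any attempt,
        so a wrong guess cannot be retried against the same challenge."""
        now = time.time() if now is None else now
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return False  # unknown or already-used session: nothing to compare against
        if now - rec["issued"] > self.TTL:
            return False  # stale challenge
        submitted = form.get("captcha", "")
        # constant-time compare; mismatched lengths simply fail
        return hmac.compare_digest(submitted.encode(), rec["answer"].encode())


def honest_user(server: ServerCaptcha) -> bool:
    """Loads the page, reads the challenge, posts the form with it."""
    sid, shown = server.render()
    return server.accept(sid, {"captcha": shown})


def direct_post_bot(client_only: ClientOnlyCaptcha, server_side: ServerCaptcha):
    """Never loads the page; posts the fields a browser would and hopes.
    Returns (accepted by client-only handler, accepted by server-side handler)."""
    bot_form = {"captcha_ok": "1", "captcha": "0000"}
    return client_only.accept(bot_form), server_side.accept("no-session", bot_form)


if __name__ == "__main__":
    print("bot vs (client-only, server-side):",
          direct_post_bot(ClientOnlyCaptcha(), ServerCaptcha()))
    print("honest user vs server-side:", honest_user(ServerCaptcha()))
```

Three properties do the work: the answer is never sent to the client in checkable form, the session entry is popped on the first POST whatever the outcome (no replay, no retry loop against one challenge), and the `TTL` bounds how long a harvested challenge stays useful. A `sessions` dict stands in for whatever session backend the application already has.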


As for being client side, it's just a proof of concept at the moment.


Yeah, exactly. It's a proof of concept, with plans to turn it into a production-ready solution that relies on a typical difficult PHP captcha, which is then replaced with the cooler MotionCAPTCHA on page load, if the user's browser supports it.


Ahh! Good catch, thank you. I'll add that in tomorrow.

