produck / svg-captcha

generate svg captcha in node
MIT License
1.83k stars 175 forks

to be real per the captcha ideal and goal #57

Open andrewhodel opened 1 year ago

andrewhodel commented 1 year ago

You must create a number of points on the path of each letter and randomize each point's X and Y position by a random value (with a range based on the font size) that overlaps with only the next point or the previous point.

Then you can have a trustable captcha.

andrewhodel commented 1 year ago

You need to use a number of points, not bezier curve points.

The letter paths with bezier curves can be guessed based on the font because they are very prominent; you should use points selected from a path created by the bezier curve.

Here is code I wrote to create an array of points representing a path from a bezier curve - https://github.com/andrewhodel/millcrum/blob/17be95dd104f78670794d372681fd5d3bbebfdca/inc/svg.js#L297
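
The two comments above describe one pipeline: sample a glyph outline into plain points rather than keeping its bezier control points, then displace each sample by a bounded random amount scaled to the font size. The block below is an added example written for this thread; it is not code from svg-captcha and not the commenter's millcrum svg.js. The command format ({type, x, y, x1, y1, x2, y2}), the seedable generator, the constructed contour, and the fontSize/8 spacing and spacing/2 amplitude are all assumptions of the example; a real outline would come from a font parser such as opentype.js.

```javascript
// Added example, not svg-captcha's code: flatten glyph outline commands into
// sampled points, then jitter each sample by a bounded random offset so the
// rendered stroke no longer coincides with the font's bezier control points.

// Small seedable generator so the distortion is reproducible in tests.
// Assumption: production code would use a CSPRNG source instead.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // 32-bit LCG step
    return s / 4294967296;
  };
}

// de Casteljau evaluation of a linear, quadratic or cubic bezier at t in [0, 1].
function bezierPoint(ctrl, t) {
  let pts = ctrl.map(p => ({ x: p.x, y: p.y }));
  while (pts.length > 1) {
    const next = [];
    for (let i = 0; i + 1 < pts.length; i++) {
      next.push({
        x: pts[i].x + (pts[i + 1].x - pts[i].x) * t,
        y: pts[i].y + (pts[i + 1].y - pts[i].y) * t,
      });
    }
    pts = next;
  }
  return pts[0];
}

// Control polygon length: an upper bound on curve length, enough to decide
// how many straight pieces the curve is cut into.
function controlPolygonLength(ctrl) {
  let len = 0;
  for (let i = 0; i + 1 < ctrl.length; i++) {
    len += Math.hypot(ctrl[i + 1].x - ctrl[i].x, ctrl[i + 1].y - ctrl[i].y);
  }
  return len;
}

// Cut one curve into pieces roughly `spacing` units long. Returns the points
// after the curve's start point, which the caller already holds.
function flattenBezier(ctrl, spacing) {
  const segments = Math.max(1, Math.ceil(controlPolygonLength(ctrl) / spacing));
  const out = [];
  for (let i = 1; i <= segments; i++) out.push(bezierPoint(ctrl, i / segments));
  return out;
}

// Walk M/L/Q/C/Z commands of one contour and produce the sampled point list.
function flattenOutline(commands, spacing) {
  const points = [];
  let cur = null;
  for (const cmd of commands) {
    if (cmd.type === 'M' || cmd.type === 'L') {
      cur = { x: cmd.x, y: cmd.y };
      points.push(cur);
    } else if (cmd.type === 'Q' || cmd.type === 'C') {
      const ctrl = [cur, { x: cmd.x1, y: cmd.y1 }];
      if (cmd.type === 'C') ctrl.push({ x: cmd.x2, y: cmd.y2 });
      ctrl.push({ x: cmd.x, y: cmd.y });
      const flat = flattenBezier(ctrl, spacing);
      points.push(...flat);
      cur = flat[flat.length - 1];
    }
    // 'Z' closes the contour; the path emitter adds it, no new point.
  }
  return points;
}

// Displace each sample by at most `amplitude` in X and Y. With amplitude equal
// to half the sample spacing, a moved point can reach at most the region of
// its immediate neighbours, which is the constraint described in the thread.
function jitterPoints(points, amplitude, rand) {
  return points.map(p => ({
    x: p.x + (rand() * 2 - 1) * amplitude,
    y: p.y + (rand() * 2 - 1) * amplitude,
  }));
}

// Full pipeline; spacing and amplitude scale with the font size. The divisors
// are this example's own choice.
function distortGlyph(commands, fontSize, seed) {
  const spacing = fontSize / 8;
  const amplitude = spacing / 2;
  return jitterPoints(flattenOutline(commands, spacing), amplitude, makeRng(seed));
}

// Emit the point list as an SVG path made only of straight segments.
function toSvgPath(points) {
  return points
    .map((p, i) => `${i === 0 ? 'M' : 'L'}${p.x.toFixed(2)} ${p.y.toFixed(2)}`)
    .join(' ') + ' Z';
}

// Constructed sample contour for the example, not a real glyph.
const sampleGlyph = [
  { type: 'M', x: 0, y: 0 },
  { type: 'L', x: 10, y: 0 },
  { type: 'Q', x1: 15, y1: 10, x: 20, y: 0 },
  { type: 'C', x1: 20, y1: -10, x2: 0, y2: -10, x: 0, y: 0 },
  { type: 'Z' },
];

console.log(toSvgPath(distortGlyph(sampleGlyph, 40, 7)));
```

The output path contains only `M`/`L` segments, so nothing in the rendered SVG carries the font's curve parameters; only the sampled, displaced positions remain. Because the displacement is capped at half the sample spacing, the stroke stays recognisable to a person while no sample sits where the font would put it.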

andrewhodel commented 1 year ago

The points in the image shown by the opentype.js library are certainly prominent points of bezier curves, not all points required to draw that shape of a line at that zoom.

[Screenshot 2023-01-21 at 2:43:23 PM]

andrewhodel commented 1 year ago

Then you can train the AI data set with the image classifier data and every font with every random line point pixel possibility and have the same dilemma you wrote about.

Or you can use Google's captcha v3 that claims to read the browser data to solve trust, really just reading a cookie and your IP address of websites you've been to.

It seems purposeless but the reality is that it's simply excluding most data sets for a time.

@mthoodlum I wonder why Stripe would require it.

It's sad because the card companies could simply have you email them a 5 digit code to verify practically any transaction on the planet.

andrewhodel commented 1 year ago

All you really can do is only allow a small number of transactions per day or per hour from each IP address.

Then IPv6 and published ISP customer hierarchy really does work excluding TOR.

It's the same type of problem; really, it's astounding that the card companies are unable to implement it because of burden.

What's terrible is that the card processors would prevent small companies with development teams that don't understand all of this from growing a business by blaming them for people creating Google accounts or using TOR, instead of implementing message-from-a-known-sender-based authorization with a published protocol.

@mthoodlum
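
The comment above proposes a small per-address budget of transactions per hour and per day, with IPv6 delegation structure making that budget harder to evade. The block below is an added example of such a limiter; it is not code from svg-captcha, Stripe or any card network. It assumes one customer holds one IPv6 /64 (so addresses inside a /64 share a budget), keys IPv4 literals as-is, and uses an injected clock so the walk-through is deterministic; scope ids and IPv4-mapped IPv6 forms are not handled.

```javascript
// Added example, not svg-captcha's code: per-source rate limiting with an
// hourly and a daily budget, keyed by IPv6 /64 prefix or IPv4 literal.

const HOUR_MS = 3600 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Expand an IPv6 literal with at most one '::' into eight 4-digit groups.
// Assumption of the example: no zone ids, no IPv4-mapped suffix.
function expandIpv6(addr) {
  const [left, right = ''] = addr.split('::');
  const l = left ? left.split(':') : [];
  const r = right ? right.split(':') : [];
  if (!addr.includes('::') && l.length !== 8) throw new Error('bad IPv6: ' + addr);
  const fill = new Array(8 - l.length - r.length).fill('0');
  return [...l, ...fill, ...r].map(g => g.padStart(4, '0'));
}

// Bucket key: IPv4 as given, IPv6 reduced to its first 64 bits so that hosts
// rotated inside one customer delegation draw from the same budget.
function prefixKey(addr) {
  if (!addr.includes(':')) return addr; // treated as IPv4
  return expandIpv6(addr).slice(0, 4).join(':') + '::/64';
}

class PerSourceLimiter {
  constructor({ perHour, perDay, now = () => Date.now() }) {
    this.perHour = perHour;
    this.perDay = perDay;
    this.now = now;
    this.history = new Map(); // key -> timestamps of accepted attempts, last 24h
  }

  // Returns true and records the attempt when both budgets have room;
  // otherwise returns false and records nothing, so refusals cost no budget.
  allow(addr) {
    const key = prefixKey(addr);
    const t = this.now();
    const kept = (this.history.get(key) || []).filter(ts => ts > t - DAY_MS);
    const lastHour = kept.filter(ts => ts > t - HOUR_MS).length;
    const ok = kept.length < this.perDay && lastHour < this.perHour;
    if (ok) kept.push(t);
    this.history.set(key, kept);
    return ok;
  }
}

// Constructed walk-through with a fake clock: budget of 2 per hour, 3 per day.
function demo() {
  let clock = 0;
  const limiter = new PerSourceLimiter({ perHour: 2, perDay: 3, now: () => clock });
  const results = [];
  results.push(limiter.allow('2001:db8::1')); // true
  results.push(limiter.allow('2001:db8::2')); // true, same /64 as the first
  results.push(limiter.allow('2001:db8::3')); // false, hourly budget spent
  clock = HOUR_MS + 1;
  results.push(limiter.allow('2001:db8::4')); // true, hour window moved on
  clock = 2 * HOUR_MS + 2;
  results.push(limiter.allow('2001:db8::5')); // false, daily budget spent
  clock = DAY_MS + 1;
  results.push(limiter.allow('2001:db8::6')); // true, first two attempts expired
  return results;
}

console.log(demo());
```

Keying on the /64 rather than the full 128-bit address is what makes the hourly budget meaningful for IPv6: a single delegation can otherwise present a fresh address per request. The in-memory map is fine for a demonstration; a multi-node deployment would keep the same timestamps in a shared store (an assumption outside this example).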

andrewhodel commented 1 year ago

@stripe why magic cookies instead of IP:email pairs or message based authorization with card issuers?

The ISPs are more important than the services that run on top of them. Nobody must run TOR.

@mthoodlum

andrewhodel commented 1 year ago

It's not difficult to make a company or a cryptocurrency that maintains a list of email:IP pairs of the past 24 hours with a list of authenticated domains.