[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4280: ob_start(): output handler 'ob_gzhandler' conflicts with 'zlib output compression'
Oolite Bulletins • The Wiki. Any PHP coders want to try something...
Page 1 of 1

The Wiki. Any PHP coders want to try something...

Posted: Mon May 03, 2010 12:55 pm
by winston
I've been mulling over an idea for the signup for the wiki.

The problem:
All CAPTCHAs have been broken by the spammers. They have OCR engines far better (as far as I can tell) than commercially available OCR (damn, sometimes I wish they'd share, we use OCR a lot at work).

So even with reCAPTCHA and similar, I can't prevent the spammers from creating accounts and the cleanup work needed is very tiresome. The authors of xrumer (ratware used by spammers) need to be shot with a military laser. Then a hardhead missile. And Q-Bombed for good measure.

So now the administrators have to approve each new user, and this does not make for instant signup.

The solution:
I've been mulling an idea, and it should be relatively simple to implement.
Show a picture of a Cobra Mk.3 and ask the user to enter what kind of ship it is. So long as the word "Cobra" and the number "3" appear, regardless of case, or regardless of "Mark" or "mk" or whatever (this should be clear to the users, so they can be confident so long as they type the ship type and its version they get in) it allows account creation. This will defeat all spamming software, and it will even defeat the spammers who induce humans to enter captchas for other sites (by giving free porn and the like) since a human will have to know at least the most basic thing about Elite.

Now the reCAPTCHA thing works as a plug-in to MediaWiki, so this sort of thing can be plugged in.

The problem:
I'm getting ready for the VCF-GB and simply do not have time to work on it.

The solution:
I'm sure there's a PHP coder around here who can write the plug-in to MediaWiki :-) Of course payment for this will be, erm, the thanks of all new Wiki users everywhere :-) So if you fancy a project that can help with the wiki, then please feel free.

Re: The Wiki. Any PHP coders want to try something...

Posted: Mon May 03, 2010 1:46 pm
by hacht
winston wrote:The solution:
I've been mulling an idea, and it should be relatively simple to implement.
Show a picture of a Cobra Mk.3 and ask the user to enter what kind of ship it is. So long as the word "Cobra" and the number "3" appear, regardless of case, or regardless of "Mark" or "mk" or whatever (this should be clear to the users, so they can be confident so long as they type the ship type and its version they get in) it allows account creation. This will defeat all spamming software, and it will even defeat the spammers who induce humans to enter captchas for other sites (by giving free porn and the like) since a human will have to know at least the most basic thing about Elite.
Hmm, if the spammer got the solution to that one picture (in exchange for free porn, of course), the forum is really open. You can change the image to a picture of a Thargoid, and then to one of an Adder, then maybe to one of a Viper. I guess, this is the end of the most basic things a human knows about Elite.

Alas, I have no better idea. Maybe it would be more effective if you use a dummy confirmation field with "Enter your credit card no. here:".

Posted: Tue May 04, 2010 5:39 am
by ADCK
I know Php, but not enough to help.

And having only one picture with one solution is a bad idea, it won't take long for them to figure it out.

The easiest way to not get bots is to tell no one (especially google) the address for the site, they can't spam it it they don't know it exists.
But that's not really an ideal solution.

So my suggestion is get yourself some moderators, (not full access of course) who can approve accounts.

Posted: Tue May 04, 2010 7:43 am
by Phantom Hoover
Or even give account creation to any autoconfirmed unblocked users.

Posted: Tue May 04, 2010 7:52 am
by Selezen
Some comic sites use a system that gives the viewer three picture options, one of which has an indicator on it to tell which is correct, and asks a question about the pictures. Maybe something like that would work?

Again, although I know some PHP I probably don't know enough about MediaWiki's structure (or have enough time) to be able to write something.

Posted: Tue May 04, 2010 9:32 am
by Commander McLane
ADCK wrote:The easiest way to not get bots is to tell no one (especially google) the address for the site.
Not an option, because google knows it already.

Posted: Tue May 04, 2010 8:48 pm
by winston
And in any case, I want Google to be able to find it too :-)

I suspect the Elite pics thing will work (especially if it's type-a-text-string rather than multiple choice) simply because the spammers aren't going to bother to do the research for just one site, when there's plenty of other sites they can be spamming. For Joe Random Spammer, who likely comes from Russia and likely wasn't born when BBC Elite came out, it's going to be too much effort to try to find a ship identification chart and program it all in. As opposed to breaking reCAPTCHA which is used on thousands of sites (so once you've broken it, you can spam thousands of sites).

On the other hand, a limited selection of ship images and text strings to match is easy to be programmed.

Posted: Wed May 05, 2010 3:46 pm
by McDjanoff
Hello,

There is a patch for phpbb2, and a guide to use recaptcha with php :
http://recaptcha.net/plugins/php/

The idea about Elite ship isn't a good idea. The question/answer challenge is feeble in security point of view as only one identified question/answer is sufficient for a spammer.

I may help about php coding.

Regards,
B.

Posted: Thu May 06, 2010 11:11 am
by winston
McDjanoff wrote: The idea about Elite ship isn't a good idea. The question/answer challenge is feeble in security point of view as only one identified question/answer is sufficient for a spammer.
The idea isn't that it provides strong security (hopefully, users themselves are using decent passwords), the idea is that it erects enough of a barrier to entry that the spammers won't bother.

With reCAPTCHA (which I *used* to use with the wiki - there already is a reCAPTCHA mediawiki plugin) the problem is that it's used with tens of thousands of sites. Although reCAPTCHA is difficult to break, the rewards for breaking it are immense for a spammer as it now means they can automatically sign up on tens of thousands of bulletin boards/wikis/etc and spam them. So it was broken and now it is utterly useless, the spammers came back again. Word based CAPTCHA methods are now so thoroughly broken that they are pointless.

A bespoke solution, however trivial, isn't going to be worth it to the authors of ratware like xrumer and the like - it works with only one site and they are going to have to read up on Elite to know what the correct answer is, and it's certain that the single site that uses it will just change it if it gets broken. It will also defeat the spammers using humans ("get free porn by entering this CAPTCHA") because the porn-desperate are unlikely to know anything about Elite.

So it doesn't need to be very secure, merely obscure and not widely used, and easy to develop, and easy to answer for anyone with an interest in Elite. Of course if it's rock solid security and also only used on one site, better still - but that will take a highly significant development effort (meaning it probably won't happen).

Posted: Thu May 06, 2010 12:45 pm
by JazHaz
If you do this, and I suggest that you do, you need to limit the ships to the most identifiable ones, as many of the Elite ships look kind of similar.

I suggest using the Cobra mk3, thargoid, viper, and the krait.

Posted: Thu May 06, 2010 3:05 pm
by Kaks
One possible spanner in the works, though: if future spammers see this thread, it might become extremely easy for them to find out what to write as a response... :(

Posted: Thu May 06, 2010 3:17 pm
by maik
Yes, but as others pointed out earlier already: a spammer with even just half a brain will not waste time to write a custom script that only works on one wiki, especially if he has to spend time researching answers first. There are targets that are more worth his while, see above.

There is always the risk that a spammer with no brain does invest the time though. But I think one can ignore that. ;-)

Posted: Thu May 06, 2010 4:07 pm
by Micha
As an advanced solution, if a spammer ever -does- show interest and builds himself a solution database for the captcha, we can auto-generate the image of the ship with random rotation and skinning instead of just selecting it from a fixed set.

A human will recognise the ship from any angle / colour / skin. A computer can only compare is image1 == image2 (unless you start getting into image recognition software).