sda captcha (was: guest posting temporarily disabled)

Edit history:

Enhasa: 2008-12-22 08:14:52 pm

2008-11-11 09:12:14 am

... due to the rash of spambots. i think you may still be able to reply to existing topics. yes, i know they're not all guests.

Thread title:

Sir VG

2008-11-11 09:31:36 am

Fucking Weeaboo

Is there anyway that a catcha could be used before guests can post a topic/post? That would be a way around it. Kinda like how it's required right now before using search.

MortyreR45

(user is banned)

MortyreR45

Edit history:

MortyreR45: 2013-05-27 10:10:22 pm

MortyreR45: 2013-05-27 09:13:16 am

2008-11-11 10:02:34 am

I AM FUCKED ANGRY

This day was very terrible of spam posts and the team must find a way to stop this spam.
I had watch all spam posts on this day and this is not good for SDA.

Enhasa

2008-11-11 10:33:38 am

everybody wanna tell you the meaning of music

Quote from Lord_VG:

Is there anyway that a catcha could be used before guests can post a topic/post? That would be a way around it. Kinda like how it's required right now before using search.

We already had a captcha for search, post new topic, post reply, register, and basically anything a guest can do besides just read. This actually required a mod because smf sucks donkey balls. This is one area of the areas where yabb is actually better. The captcha we have sucks ass (I did a term project on captchas, so I could go into stupid detail but I won't), but at least it's there. I think bots finally came that had it figured out.

MortyreR45, I think that disabling guest posting is far worse for SDA than any spam. Spam doesn't reflect poorly on us. Disabling guest posting, besides obviously eliminating some good posts, does look bad when we're trying to be welcoming.

Sir VG

2008-11-11 11:14:56 am

Fucking Weeaboo

Quote from Enhasa:

Quote from Lord_VG:

Is there anyway that a catcha could be used before guests can post a topic/post? That would be a way around it. Kinda like how it's required right now before using search.

We already had a captcha for search, post new topic, post reply, register, and basically anything a guest can do besides just read. This actually required a mod because smf sucks donkey balls. This is one area of the areas where yabb is actually better. The captcha we have sucks ass (I did a term project on captchas, so I could go into stupid detail but I won't), but at least it's there. I think bots finally came that had it figured out.

Seriously? Damn.

Enhasa

2008-11-11 11:42:00 am

everybody wanna tell you the meaning of music

Ok, I installed a mod to use recaptcha (by the CMU guys themselves, who invented/popularized the original captcha idea... as a funny note, Radix was there at the CS department at the time), which is basically the industry standard. If this isn't good enough, then we're screwed, and also we know it's not a captcha weakness problem. Like all security though, and especially all captchas, this is cat and mouse, and honestly text-based captchas are all fundamentally crap and will die in several years. (They are computer generated and computers are already better at solving them than people are.) Also I'm wondering when we'll have to install an openid mod, gawd.

I saw this recaptcha mod before, but I am really reluctant to install mods because they almost all suck, and break compatibility with each other. Since we already have a captcha mod, now we have two, which sucks because that's definitely not orthogonal, lol. But it seems to be working alright.

Oh yeah, so guest posting is back, now it's finger crossing time.

Ok, I installed a mod to use [url=http://en.wikipedia.org/wiki/Recaptcha]recaptcha[/url] (by the CMU guys themselves, who invented/popularized the original captcha idea... as a funny note, Radix was there at the CS department at the time), which is basically the industry standard. If this isn't good enough, then we're screwed, and also we know it's not a captcha weakness problem. Like all security though, and especially all captchas, this is cat and mouse, and honestly text-based captchas are all fundamentally crap and will die in several years. (They are computer generated and computers are already better at solving them than people are.) Also I'm wondering when we'll have to install an openid mod, gawd.

I saw this recaptcha mod before, but I am really reluctant to install mods because they almost all suck, and break compatibility with each other. Since we already have a captcha mod, now we have two, which sucks because that's definitely not orthogonal, lol. But it seems to be working alright.

Oh yeah, so guest posting is back, now it's finger crossing time.

Carcinogen

2008-11-11 11:46:20 am

Hopefully it should weed out the ones that were able to register as well.

Enhasa

2008-11-11 11:46:52 am

everybody wanna tell you the meaning of music

Ok, that's pretty hilarious. It uses recaptcha when you try to register apparently, but not any of the other times it shows a captcha. I'm really busy right now but I'll take a look at it.

Quote from Carcinogen:

Hopefully it should weed out the ones that were able to register as well.

Nah, once you register, you're home free. Unless you want everyone to have to solve a captcha before you can do anything, which would be hella not worth it. However it's not bad, if a bot is registered, we can ban it and then it's blocked again because it can't sign back up.

Sir VG

2008-11-11 11:59:49 am

Fucking Weeaboo

I think he meant the capcha would block the bots from registering in the first place.

Carcinogen

2008-11-11 12:03:11 pm

Quote from Enhasa:

Quote from Carcinogen:

Hopefully it should weed out the ones that were able to register as well.

Nah, once you register, you're home free. Unless you want everyone to have to solve a captcha before you can do anything, which would be hella not worth it. However it's not bad, if a bot is registered, we can ban it and then it's blocked again because it can't sign back up.

I know that. Probably should've said "are" instead of "were", but whatevers. As long as those Viagra chuckers aren't showing up on my front lawn, I'll be happy. =]

nate

2008-11-11 12:04:33 pm

could require captcha if number of posts = 0.

Enhasa

2008-11-11 12:48:48 pm

everybody wanna tell you the meaning of music

You'd think the recaptcha would be a drop-in replacement for the normal captcha, but no, that would make too much sense. Then you'd think that if you wanted to manually switch them all to recaptcha, that would be trivial to search and copy and paste, but I tried for a little bit and somehow it's not.

I found out that the mod to use captchas for post/search/etc and the recaptcha mod were written by the same guy. This makes it even more incredible that they don't work together. Amazingly, we're using 3/5 of this guy's total mods, and one of the two we don't use doesn't even apply to us because we have the forum news disabled. And this guy's mods are 3/5 of the ones we use. All of this out of the thousands of mods out there. Anyway this is from a post of his on July 16, 2008:

Quote:

Hello, is there any chance to add reCaptcha to guest posting and guest searching ?
I think it will be very usefull on forums where guest writing is allowed.

It's a great thought, but I haven't had a chance to extend it yet. If so, it would depend on Visual Verification Options to be installed (for support on guest posts and searches in 1.1). If you don't mind a weaker test, use Visual Verification Options directly.

This means that the author himself (of both mods) had the idea but it was nontrivial for even him to add it. How wacky is that? It's above my threshold for caring right now so screw it.

I turned up the default captcha difficulty from medium to hard, but I'm pretty sure there isn't going to be any benefit. The default one is terrible because the characters are all distinct, even on hard. Computers destroy humans at being able to discern perturbations like slanting the letters, adding noise, different colors, etc. They are relatively bad at separating characters (where one ends and the next begins). So a simple "lo" is harder to a computer (because it could be "b") than anything the smf default captcha can throw at it on even the highest difficulty.

I'm trying it for lulz though. Who knows, maybe it will work?

You'd think the recaptcha would be a drop-in replacement for the normal captcha, but no, that would make too much sense. Then you'd think that if you wanted to manually switch them all to recaptcha, that would be trivial to search and copy and paste, but I tried for a little bit and somehow it's not.

I found out that the mod to use captchas for post/search/etc and the recaptcha mod were written by the same guy. This makes it even more incredible that they don't work together. Amazingly, we're using 3/5 of this guy's total mods, and one of the two we don't use doesn't even apply to us because we have the forum news disabled. And this guy's mods are 3/5 of the ones we use. All of this out of the thousands of mods out there. Anyway this is from a post of his on July 16, 2008:

[quote]
    Hello, is there any chance to add reCaptcha to guest posting and guest searching ?
    I think it will be very usefull on forums where guest writing is allowed.

It's a great thought, but I haven't had a chance to extend it yet. If so, it would depend on Visual Verification Options to be installed (for support on guest posts and searches in 1.1). If you don't mind a weaker test, use Visual Verification Options directly.
[/quote]

This means that the author himself (of both mods) had the idea but it was nontrivial for even him to add it. How wacky is that? It's above my threshold for caring right now so screw it.

I turned up the default captcha difficulty from medium to hard, but I'm pretty sure there isn't going to be any benefit. The default one is terrible because the characters are all distinct, even on hard. Computers destroy humans at being able to discern perturbations like slanting the letters, adding noise, different colors, etc. They are relatively bad at separating characters (where one ends and the next begins). So a simple "lo" is harder to a computer (because it could be "b") than anything the smf default captcha can throw at it on even the highest difficulty.

I'm trying it for lulz though. Who knows, maybe it will work?

nate

2008-11-11 01:30:16 pm

i think it's more likely that it will work, but only for a short period of time.

Enhasa

2008-11-11 01:39:20 pm

everybody wanna tell you the meaning of music

Well I saw some more spam immediately, so it doesn't work at all. Sad

I put back the recaptcha on the registration (because it still has a purpose now) and disabled guests from making new threads. This recent spambot's MO is making new threads, so for now guests can still reply in a thread.

I tried the hard default captcha btw and it is absolutely mental. I went 1/3, and I remember back when I installed the other mod months ago, Mike tried it out and started off by missing it 5x in a row. Spam (false negative) is better than a false positive rate like that.

It's funny looking at sites with captchas (I don't read blogs so for me, file download sites) and noticing how much they suck or how they use a new one every couple months or so. I forget which, but I remember there was one that stuck out by looking easy, but yet I failed it most of the time.

moooh

Edit history:

moooh: 2008-11-11 02:27:23 pm

2008-11-11 02:19:30 pm

Exoray

Time to try Asirra or something similar?

Asirra is an image based captcha which presents several pictures of cats and dogs and opts the user to select all cats for instance.
Image recognition is by far harder than text recognition so a customized solution of it will probably shut out all generic bots. They would have to specifically break this forums solution to be able to continue spamming. Even if someone set out to target this particular site they would have to do alot of work to break it.

The main drawback with the Asirra solution is that you need a large database with images that others can't obtain by searching the web.
I guess we could accomplish this by using screenshots from all the videos SDA currently has and make something similar to the cats/dogs thing but more game related. It will require some work getting all those images for a customized solution so the question is if getting this place bot free is worth all that effort.

We could just use Asirra as it is since it's free to use. It's still in beta stadium and I bet alot of spammers are working on trying to break it. It will still hold up for pretty long by itself so it might be what we need since it would be alot faster implementing rather than a customized solution.

You can read more about Asirra here: http://research.microsoft.com/asirra/

Time to try Asirra or something similar?

Asirra is an image based captcha which presents several pictures of cats and dogs and opts the user to select all cats for instance.
Image recognition is by far harder than text recognition so a customized solution of it will probably shut out all generic bots. They would have to specifically break this forums solution to be able to continue spamming. Even if someone set out to target this particular site they would have to do alot of work to break it.

The main drawback with the Asirra solution is that you need a large database with images that others can't obtain by searching the web.
I guess we could accomplish this by using screenshots from all the videos SDA currently has and make something similar to the cats/dogs thing but more game related. It will require some work getting all those images for a customized solution so the question is if getting this place bot free is worth all that effort.

We could just use Asirra as it is since it's free to use. It's still in beta stadium and I bet alot of spammers are working on trying to break it. It will still hold up for pretty long by itself so it might be what we need since it would be alot faster implementing rather than a customized solution.

You can read more about Asirra here: http://research.microsoft.com/asirra/

Enhasa

Edit history:

Enhasa: 2008-11-13 10:08:50 pm

2008-11-11 02:51:27 pm

everybody wanna tell you the meaning of music

Yep, image-based captchas are the next thing at least until those are figured out. Asirra is based off the original KittenAuth which had something incredibly small like 40 pictures. Microsoft was like hey we can do the same thing but with millions of pictures since we got tons of money, so they paid money to this pet adoption site to use their pics.

Asirra doesn't work for us though, because it's too much work to integrate it with smf. There isn't a single image-based captcha mod for smf.

Since it's related, I'll tell you the captcha system I created (for a project, not SDA). It has a self-generating dictionary and gets past the problem of a small (ie finite) dictionary. Basically it's distributed computing and leverages the people solving the captcha to build it up. The system is constantly looking online for new images and incorporating them into its database. The trick is that it asks you 2 images. One is the actual captcha (obviously already solved), and the other is an unsolved image. If the user gets it right, the system notes their response to the unsolved image. Whenever enough people have given the "same" response to an image, it gets incorporated into the dictionary of solved/usable images. Unusable images (because many images have no obvious answer) get classified as such.

The best part is it's resistant to not just OCR attacks, but even brute force attacks (since each question is almost boundless instead of simply a binary decision) and "porn attacks" (harvesting human solvers) since the number of legitimate solvers will always outnumber malcreant solvers. The speed and accuracy are also a lot higher than with text-based or binary image-based captchas. Also images don't need to be manually given definitions. That's a lot of effort saved, plus it automatically builds up dictionaries for each language. That's another advantage over "logic"-based captchas (asking "what is 2+2" or "who is the president elect") which are very lanuage-specific and sometimes hard to answer, and have to be manually populated.

Yep, image-based captchas are the next thing at least until those are figured out. Asirra is based off the original KittenAuth which had something incredibly small like 40 pictures. Microsoft was like hey we can do the same thing but with millions of pictures since we got tons of money, so they paid money to this pet adoption site to use their pics.

Asirra doesn't work for us though, because it's too much work to integrate it with smf. There isn't a single image-based captcha mod for smf.

Since it's related, I'll tell you the captcha system I created (for a project, not SDA). It has a self-generating dictionary and gets past the problem of a small (ie finite) dictionary. Basically it's distributed computing and leverages the people solving the captcha to build it up. The system is constantly looking online for new images and incorporating them into its database. The trick is that it asks you 2 images. One is the actual captcha (obviously already solved), and the other is an unsolved image. If the user gets it right, the system notes their response to the unsolved image. Whenever enough people have given the "same" response to an image, it gets incorporated into the dictionary of solved/usable images. Unusable images (because many images have no obvious answer) get classified as such.

The best part is it's resistant to not just OCR attacks, but even brute force attacks (since each question is almost boundless instead of simply a binary decision) and "porn attacks" (harvesting human solvers) since the number of legitimate solvers will always outnumber malcreant solvers. The speed and accuracy are also a lot higher than with text-based or binary image-based captchas. Also images don't need to be manually given definitions. That's a lot of effort saved, plus it automatically builds up dictionaries for each language. That's another advantage over "logic"-based captchas (asking "what is 2+2" or "who is the president elect") which are very lanuage-specific and sometimes hard to answer, and have to be manually populated.

Enhasa

Edit history:

Enhasa: 2008-12-22 03:46:12 pm

2008-11-11 04:00:21 pm

everybody wanna tell you the meaning of music

I modified the default captcha to be totally awesome and retarded at the same time. Security by obscurity ftw. Lips Sealed

Check it out for yourself or hey, finally a use for the spoiler tag:

Enabling guests making new threads again to see if this works. Also I guess non-English speakers are screwed although they could possibly figure it out given that there's a letter and a number. Or, they could just register using the familiar recaptcha and then they don't have to deal with it at all.

nate

2008-11-11 04:37:54 pm

yeah, that'll probably never be broken. no one cares enough about spamming sda.

Quote from Enhasa:

the number of legitimate solvers will always outnumber malcreant solvers

curious what you base this on.

Enhasa

2008-11-11 04:47:53 pm

everybody wanna tell you the meaning of music

That means legitimate human solvers vs "illegitimate" human solvers.

I mean, the recaptcha people at CMU argue that porn solvers are entirely negligible. I don't know if they're right, but I'm not going anywhere near that far, I just hoped to say porn solvers < legit solvers.

nate

2008-11-11 04:52:41 pm

yeah lol ... china has over four times as many people as the us and their gdp per capita is over 18 times smaller.

dunno if you've seen the stuff on slashdot about the whole businesses set up just to solve captchas.

Poesta

2008-11-12 12:56:47 am

Yarr

Can't we do something like 'count the amount of red dots in this picture' and then throw in other colors and shapes? Or the captcha that Enhasa has implemented, only mirrored horizontally? Or you could ask the user to type in the series of presented characters, except for the vowels. I don't see any spam threads now though, so Enhasa's method might be sufficient.

Carcinogen

2008-11-13 09:24:22 pm

Enhasa, you are the shit. That is all. <3

Enhasa

2008-12-22 08:15:16 pm

everybody wanna tell you the meaning of music

I don't know if this is really worth saying, but I guess it's better to solicit feedback so someone can tell me if there's something really obvious I missed.

There was one bot that got past the recaptcha maybe last week (not exactly a crisis, I know), so I ditched that and made a new captcha for all forum functions:

I think I mainly wanted to go all the way down to 4 mods, lol, but to use this for registration as well, I wanted to be completely sure that non English speakers can figure this one out. Which I really hope they can. Originally I went with 3 blanks and _peed_emos_rchive.com to be cute and reinforce SDA domination, but then I noticed that is "peed emos rchive", rofl. This way is hopefully more obvious you should fill in blanks, plus now people might know once and for all we are speed demos archive and not speed demons archive. Shocked

NoiseCrash

2008-12-22 08:37:41 pm

@_@

Quote from Enhasa:

Originally I went with 3 blanks and _peed_emos_rchive.com to be cute and reinforce SDA domination, but then I noticed that is "peed emos rchive", rofl.

I quite share in your rofl-ing. Grin

Thanks for the preventative measures you've taken. The world is a better place when you can browse a forum for speedrun discussion without seeing "look at this HOT CHICK SEXY PICS ZOMG" and "click here and make your penis larger!!1"

Adilor

2008-12-24 02:26:53 am

Quote from Enhasa:

I don't know if this is really worth saying, but I guess it's better to solicit feedback so someone can tell me if there's something really obvious I missed.

There was one bot that got past the recaptcha maybe last week (not exactly a crisis, I know), so I ditched that and made a new captcha for all forum functions:

I think I mainly wanted to go all the way down to 4 mods, lol, but to use this for registration as well, I wanted to be completely sure that non English speakers can figure this one out. Which I really hope they can. Originally I went with 3 blanks and _peed_emos_rchive.com to be cute and reinforce SDA domination, but then I noticed that is "peed emos rchive", rofl. This way is hopefully more obvious you should fill in blanks, plus now people might know once and for all we are speed demos archive and not speed demons archive. Shocked

Except it doesn't work. I've been trying to register an account tonight, and nothing appears to be working for it. Mind taking a look at it?

[quote="Enhasa"]
I don't know if this is really worth saying, but I guess it's better to solicit feedback so someone can tell me if there's something really obvious I missed.

There was one bot that got past the recaptcha maybe last week (not exactly a crisis, I know), so I ditched that and made a new captcha for all forum functions:

[spoiler][img]http://speeddemosarchive.com/forum/captcha.png[/img][/spoiler]

I think I mainly wanted to go all the way down to 4 mods, lol, but to use this for registration as well, I wanted to be completely sure that non English speakers can figure this one out. Which I really hope they can. Originally I went with 3 blanks and _peed_emos_rchive.com to be cute and reinforce SDA domination, but then I noticed that is "peed emos rchive", rofl. This way is hopefully more obvious you should fill in blanks, plus now people might know once and for all we are speed demos archive and not speed demons archive. :o
[/quote]

Except it doesn't work. I've been trying to register an account tonight, and nothing appears to be working for it. Mind taking a look at it?