The Wiki. Any PHP coders want to try something...

winston
Pirate
Posts: 731
Joined: Mon Sep 27, 2004 10:21 pm
Location: Port St. Mary, Isle of Man

Post by winston »

I've been mulling over an idea for the signup for the wiki.

The problem:
All CAPTCHAs have been broken by the spammers. They have OCR engines far better (as far as I can tell) than commercially available OCR (damn, sometimes I wish they'd share, we use OCR a lot at work).

So even with reCAPTCHA and similar, I can't prevent the spammers from creating accounts and the cleanup work needed is very tiresome. The authors of xrumer (ratware used by spammers) need to be shot with a military laser. Then a hardhead missile. And Q-Bombed for good measure.

So now the administrators have to approve each new user, and this does not make for instant signup.

The solution:
I've been mulling an idea, and it should be relatively simple to implement.
Show a picture of a Cobra Mk.3 and ask the user to enter what kind of ship it is. So long as the word "Cobra" and the number "3" appear, regardless of case, or regardless of "Mark" or "mk" or whatever (this should be clear to the users, so they can be confident so long as they type the ship type and its version they get in) it allows account creation. This will defeat all spamming software, and it will even defeat the spammers who induce humans to enter captchas for other sites (by giving free porn and the like) since a human will have to know at least the most basic thing about Elite.

Now the reCAPTCHA thing works as a plug-in to MediaWiki, so this sort of thing can be plugged in.

The problem:
I'm getting ready for the VCF-GB and simply do not have time to work on it.

The solution:
I'm sure there's a PHP coder around here who can write the plug-in to MediaWiki :-) Of course payment for this will be, erm, the thanks of all new Wiki users everywhere :-) So if you fancy a project that can help with the wiki, then please feel free.
hacht
Average
Posts: 9
Joined: Fri Jul 17, 2009 11:46 am

Re: The Wiki. Any PHP coders want to try something...

Post by hacht »

winston wrote:
The solution:
I've been mulling an idea, and it should be relatively simple to implement.
Show a picture of a Cobra Mk.3 and ask the user to enter what kind of ship it is. So long as the word "Cobra" and the number "3" appear, regardless of case, or regardless of "Mark" or "mk" or whatever (this should be clear to the users, so they can be confident so long as they type the ship type and its version they get in) it allows account creation. This will defeat all spamming software, and it will even defeat the spammers who induce humans to enter captchas for other sites (by giving free porn and the like) since a human will have to know at least the most basic thing about Elite.
Hmm, if the spammer got the solution to that one picture (in exchange for free porn, of course), the forum is really open. You can change the image to a picture of a Thargoid, and then to one of an Adder, then maybe to one of a Viper. I guess, this is the end of the most basic things a human knows about Elite.

Alas, I have no better idea. Maybe it would be more effective if you use a dummy confirmation field with "Enter your credit card no. here:".
ADCK
---- E L I T E ----
Posts: 771
Joined: Thu Dec 24, 2009 12:30 am
Location: Sydney

Post by ADCK »

I know PHP, but not enough to help.

And having only one picture with one solution is a bad idea, it won't take long for them to figure it out.

The easiest way to not get bots is to tell no one (especially google) the address for the site, they can't spam it if they don't know it exists.
But that's not really an ideal solution.

So my suggestion is to get yourself some moderators (not full access, of course) who can approve accounts.
Phantom Hoover
Dangerous
Posts: 100
Joined: Mon Mar 22, 2010 9:06 pm

Post by Phantom Hoover »

Or even give account creation to any autoconfirmed unblocked users.
Selezen
---- E L I T E ----
Posts: 2530
Joined: Tue Mar 29, 2005 9:14 am
Location: Tionisla

Post by Selezen »

Some comic sites use a system that gives the viewer three picture options, one of which has an indicator on it to tell which is correct, and asks a question about the pictures. Maybe something like that would work?

Again, although I know some PHP I probably don't know enough about MediaWiki's structure (or have enough time) to be able to write something.
Commander McLane
---- E L I T E ----
Posts: 9520
Joined: Thu Dec 14, 2006 9:08 am
Location: a Hacker Outpost in a moderately remote area

Post by Commander McLane »

ADCK wrote:
The easiest way to not get bots is to tell no one (especially google) the address for the site.
Not an option, because google knows it already.
winston
Pirate
Posts: 731
Joined: Mon Sep 27, 2004 10:21 pm
Location: Port St. Mary, Isle of Man

Post by winston »

And in any case, I want Google to be able to find it too :-)

I suspect the Elite pics thing will work (especially if it's type-a-text-string rather than multiple choice) simply because the spammers aren't going to bother to do the research for just one site, when there's plenty of other sites they can be spamming. For Joe Random Spammer, who likely comes from Russia and likely wasn't born when BBC Elite came out, it's going to be too much effort to try to find a ship identification chart and program it all in. As opposed to breaking reCAPTCHA which is used on thousands of sites (so once you've broken it, you can spam thousands of sites).

On the other hand, a limited selection of ship images and text strings to match is easy to program.
McDjanoff
Competent
Posts: 33
Joined: Fri Apr 16, 2010 11:13 am
Location: Space Bars or somewhere in space

Post by McDjanoff »

Hello,

There is a patch for phpBB2, and a guide to using reCAPTCHA with PHP:
http://recaptcha.net/plugins/php/

The idea about Elite ship isn't a good idea. The question/answer challenge is feeble from a security point of view, as only one identified question/answer is sufficient for a spammer.

I may help with the PHP coding.

Regards,
B.
"In the space bar, the barbarians of all races"
winston
Pirate
Posts: 731
Joined: Mon Sep 27, 2004 10:21 pm
Location: Port St. Mary, Isle of Man

Post by winston »

McDjanoff wrote:
The idea about Elite ship isn't a good idea. The question/answer challenge is feeble from a security point of view, as only one identified question/answer is sufficient for a spammer.
The idea isn't that it provides strong security (hopefully, users themselves are using decent passwords), the idea is that it erects enough of a barrier to entry that the spammers won't bother.

With reCAPTCHA (which I *used* to use with the wiki - there already is a reCAPTCHA mediawiki plugin) the problem is that it's used with tens of thousands of sites. Although reCAPTCHA is difficult to break, the rewards for breaking it are immense for a spammer as it now means they can automatically sign up on tens of thousands of bulletin boards/wikis/etc and spam them. So it was broken and now it is utterly useless, the spammers came back again. Word based CAPTCHA methods are now so thoroughly broken that they are pointless.

A bespoke solution, however trivial, isn't going to be worth it to the authors of ratware like xrumer and the like - it works with only one site and they are going to have to read up on Elite to know what the correct answer is, and it's certain that the single site that uses it will just change it if it gets broken. It will also defeat the spammers using humans ("get free porn by entering this CAPTCHA") because the porn-desperate are unlikely to know anything about Elite.

So it doesn't need to be very secure, merely obscure and not widely used, and easy to develop, and easy to answer for anyone with an interest in Elite. Of course if it's rock solid security and also only used on one site, better still - but that will take a highly significant development effort (meaning it probably won't happen).
JazHaz
---- E L I T E ----
Posts: 2991
Joined: Tue Sep 22, 2009 11:07 am
Location: Enfield, Middlesex

Post by JazHaz »

If you do this, and I suggest that you do, you need to limit the ships to the most identifiable ones, as many of the Elite ships look kind of similar.

I suggest using the Cobra mk3, thargoid, viper, and the krait.
JazHaz

Gimi wrote:
drew wrote:
£4,500 though! :shock: <Faints>
Cheers,
Drew.
Maybe you could start a Kickstarter Campaign to found your £4500 pledge. 8)
Thanks to Gimi, I got an eBook in my inbox tonight (31st May 2014 - Release of Elite Reclamation)!
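
The matching rule winston describes in the first post (the word "Cobra" and the number "3", in any case and with any spelling of "Mark"), extended to the ships JazHaz suggests, as an added example that is not code from the thread or from MediaWiki. The ship table, the function names and the Roman-numeral handling are assumptions.

```php
<?php
// Ship table is an assumption assembled from the ships named in this thread.
// image key => [required name word, required mark number or null]
const SHIP_ANSWERS = [
    'cobra3'   => ['cobra', 3],
    'thargoid' => ['thargoid', null],
    'viper'    => ['viper', null],
    'krait'    => ['krait', null],
];
const ROMAN = ['i' => 1, 'ii' => 2, 'iii' => 3, 'iv' => 4];

// Split free text into lowercase words and the numbers it mentions.
function ship_tokens(string $answer): array
{
    $answer = strtolower(substr(trim($answer), 0, 64)); // bound the input
    // Letter runs and digit runs are separate tokens, so "Mk3", "mk.3"
    // and "Cobra3" all yield the number 3.
    preg_match_all('/[a-z]+|[0-9]+/', $answer, $m);
    $words = [];
    $numbers = [];
    foreach ($m[0] as $tok) {
        if (ctype_digit($tok)) {
            $numbers[] = (int) $tok;
        } elseif (preg_match('/^(?:mk|mark)?(i{1,3}|iv)$/', $tok, $r)) {
            $numbers[] = ROMAN[$r[1]]; // "III" or "MkIII" typed as a numeral
        } else {
            $words[] = $tok;
        }
    }
    return [$words, $numbers];
}

// $imageKey must come from server-side session state, never from the form.
function check_ship_answer(string $imageKey, string $answer): bool
{
    $spec = SHIP_ANSWERS[$imageKey] ?? null;
    if ($spec === null) {
        return false; // unknown challenge: fail closed
    }
    [$name, $mark] = $spec;
    [$words, $numbers] = ship_tokens($answer);
    return in_array($name, $words, true)
        && ($mark === null || in_array($mark, $numbers, true));
}

// Constructed sample answers for the Cobra Mk.3 picture.
foreach (['Cobra Mk.3', 'cobra mark III', 'COBRA3', 'Cobra', 'Viper'] as $try) {
    printf("%-16s %s\n", $try, check_ship_answer('cobra3', $try) ? 'accept' : 'reject');
}
```
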
Kaks
Quite Grand Sub-Admiral
Posts: 3009
Joined: Mon Jan 21, 2008 11:41 pm
Location: The Big Smoke

Post by Kaks »

One possible spanner in the works, though: if future spammers see this thread, it might become extremely easy for them to find out what to write as a response... :(
Hey, free OXPs: farsun v1.05 & tty v0.5! :0)
maik
Wiki Wizard
Posts: 2028
Joined: Wed Mar 10, 2010 12:30 pm
Location: Ljubljana, Slovenia (mainly industrial, feudal, TL12)

Post by maik »

Yes, but as others pointed out earlier already: a spammer with even just half a brain will not waste time to write a custom script that only works on one wiki, especially if he has to spend time researching answers first. There are targets that are more worth his while, see above.

There is always the risk that a spammer with no brain does invest the time though. But I think one can ignore that. ;-)
Micha
Commodore
Posts: 815
Joined: Tue Sep 02, 2008 2:01 pm
Location: London, UK

Post by Micha »

As an advanced solution, if a spammer ever -does- show interest and builds himself a solution database for the captcha, we can auto-generate the image of the ship with random rotation and skinning instead of just selecting it from a fixed set.

A human will recognise the ship from any angle / colour / skin. A computer can only compare whether image1 == image2 (unless you start getting into image recognition software).
The glass is twice as big as it needs to be.