Users running a non-download version of Vanilla (pulled from GitHub), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open source releases are not affected.

New reCAPTCHA

Has anyone checked out the new reCAPTCHA by Google? What do you think of it? http://www.wired.com/2014/12/google-one-click-recaptcha/

Comments

  • vrijvlinder Papillon-Sauvage MVP

    I thought about that already. That is why I added a checkbox like that to my contact plugin and it does seem to work well.

  • hgtonight ∞ · New Moderator

    I used it when I was on www.humblebundle.com.

    I really like it and am interested in seeing how bots get around it.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • vrijvlinder Papillon-Sauvage MVP
    edited December 2014

    I think the point is to use a simple dumb checkbox which has a certain value, but here is some nice info

    https://www.kirsle.net/doc/submitter.html

    You can also check against a verified human whitelist

    http://areyouahuman.com/humanwhitelist.html

  • @vrijvlinder said:
    I thought about that already. That is why I added a checkbox like that to my contact plugin and it does seem to work well.

    It is a fair bit smarter than a check box, we'll see how it goes.

    I wrote a detailed post on the requirements of a captcha. A lot of efforts simply don't understand the problem.

    Most DIY efforts simply haven't a big enough data set or permutations, or have the wrong type of complexity, which is rather trivial to exploit. They rely purely on unfamiliarity. This is because a bot has to be programmed to do certain tasks, and they have to get round to it. It is not because these are strong systems.

    grep is your friend.

  • The machine learning of interaction is interesting. But in a way they are creating something that could defeat itself. If it is that good at learning human interaction then potentially something similar could be used to defeat it.

  • vrijvlinder Papillon-Sauvage MVP

    I wonder if spam bots are programmed to hit sites that have high traffic as opposed to sites with little traffic. Seems that it would be a waste of bot resources to hit sites without traffic. The purpose of spam is income generation as far as I know. So it would make sense to make spam bots target high traffic sites.

    Maybe if we knew the purpose of spam bots it could help. Besides the malicious aspect of course...

  • peregrine MVP
    edited December 2014

    The purpose of spam is income generation as far as I know

    there was spam before any income was generated on the web.

    look at google newsgroups. that got torn apart in the early 2000's if it wasn't moderated.

    spam could just be for the sake of spam.

    and a bot can be software that is on someone's personal computer and they don't even know it.

    Maybe if we knew the purpose of spam bots

    as soon as you can explain the purpose for criminals,

    could be someone just wants to see if they can.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • vrijvlinder Papillon-Sauvage MVP
  • Spam comes with various degrees of sophistication. So you have absolutely

    Most exploits are used for spam, and also those exploits and bot nets are sold on the black market as a paid-for spam market. Often people who paid for so called "seo" don't know they have paid for spam.

    Some spam, the payload is simply there so they can test how effective the technique is in the wild, that is one of the main reasons you get spam for no obvious purpose.

  • R_J Cheerleader & Troubleshooter Munich Moderator

    There is software that recognizes my speech, other software that can distinguish individual persons on photos and software that I can lead a normal conversation with.
    I cannot imagine that there isn't a trivial solution to simulate some timed mouse and scroll movements that trick such a software easily.

    But I think it's funny that they also rely on finding out cat photos, when they themselves already developed a software that recognizes cat videos: http://www.wired.com/2012/06/google-x-neural-network/
    Maybe they think that adding dogs and gerbils is a great idea to increase the security aspect, but...
    class catCaptchaBot() {
    pretend to be mobile
    if captcha != cat get new captcha
    else find cat pics
    }

    But I highly welcome any effort to abandon hard to read letter/number combination captchas, which I truly hate!


  • These guys did the first viable cat Captcha

    http://research.microsoft.com/en-us/um/redmond/projects/asirra/

    But it has been shut down unfortunately.

  • peregrine MVP
    edited December 2014

    @R_J said:
    There is software that recognizes my speech, other software that can distinguish individual persons on photos and software that I can lead a normal conversation with.
    I cannot imagine that there isn't a trivial solution to simulate some timed mouse and scroll movements that trick such a software easily.

    But I think it's funny that they also rely on finding out cat photos, when they themselves already developed a software that recognizes cat videos: http://www.wired.com/2012/06/google-x-neural-network/
    Maybe they think that adding dogs and gerbils is a great idea to increase the security aspect, but...
    class catCaptchaBot() {
    pretend to be mobile
    if captcha != cat get new captcha
    else find cat pics
    }

    But I highly welcome any effort to abandon hard to read letter/number combination captchas, which I truly hate!

    it's a cat and mouse game (literally and figuratively). not to mention the bug dynamic. Two mammals and one insect rule the computer world.

  • R_J Cheerleader & Troubleshooter Munich Moderator

    I've changed my mind, after playing around with it.

    I've opened https://wordpress.org/support/register.php in a private window of my browser. I have wiggled around with the cursor, put in real data in the fields, fake data in the fields, tried to act as normal as possible and tried to act as unusual as possible. Enter all the information straight in or be hasty and correct typos, etc.
    Nothing works: I was not able to be recognized as a human.

    When I open up the same page on a normal browser tab, do a "page down" on my keyboard with the mouse pointer already placed on the right place, and simply hit the left mouse button, it accepts me as a human although I cannot act more robotic...

    Conclusion
    I strongly dislike that captcha now. It doesn't care for user behaviour at all and solely relies on browser meta data. My first reaction is „Instead of "I'm not a robot" it should read "I don't give a fuck on data privacy!"“. I don't know if that is true, but it is my first impression.
    I relate that to Google, because I know it is from Google. People using that captcha on my page will relate that impression to my site and I never ever want that!

    It is more simple than sending in my phone number and enter back a secret code that I get via SMS but it feels the same to me. I respect the private property of others (and data is property) and I don't want to force users to interact with software/services that do not respect their property.

    Google - ah what do I say - THE INTERNET! denies me being a human, as soon as I don't want to share my privacy - gloom and doom... :( ;)


  • hgtonight ∞ · New Moderator

    @R_J said:

    Conclusion
    I strongly dislike that captcha now. It doesn't care for user behaviour at all and solely relies on browser meta data. My first reaction is „Instead of "I'm not a robot" it should read "I don't give a fuck on data privacy!"“. I don't know if that is true, but it is my first impression.

    This is an interesting take on it. I also visited the wordpress.org site and tried to register in both a private and a standard browser window. I never passed the "simple" captcha and was forced to pass the "traditional" captcha. Perhaps the strictness is variable/configurable?

    It seems to depend on some cookies existing as a signal, but I run some extensions that expunge those regularly. If privacy of public facing data is important to you, that is the price to pay, I suppose. A reCAPTCHA won't stop me from using a site I want to use.

  • R_J Cheerleader & Troubleshooter Munich Moderator
    edited December 2014

    It won't stop me either, because I know that most online whatever-service providers rely on Google Analytics. And I'm sure that when I visit a site that uses Google fonts, Google logs that visit, too. So I know that I pass my data over to Google, although I would prefer to have a choice.

    I'm able to set up Piwik, so that I am the only one who tracks my users if I think that this is needed.
    Using CDNs is great for speed, but to be honest: if you set up your htaccess right, your users only have to download js libraries or fonts one time for your site. So a CDN stops being useful on each second visit and my users will not be trackable by any service that I use to make my life easier.
    There is already a plugin for Vanilla that adds a free text question to the registration. That is a great way to stop bots if you combine it with cleanser.

    By the way: adding Facebook's like button or something like that also exposes your users' data to another company. That's why I would implement Shariff if I had a forum.

    I think data privacy concerns are maybe too much stressed in Germany, but I think the other extreme isn't good, also. If you use all of Google's great services, you have an easy life - like every pet in his cage has. If you feel comfortable at that place, okay, but you should not expect that all your users do so, too.


  • peregrine MVP
    edited December 2014

    @R_J said:

    There is already a plugin for Vanilla that adds a free text question to the registration. That is a great way to stop bots if you combine it with cleanser.

    you really don't want to point to botstop plugin http://vanillaforums.org/addon/botstop-plugin

    @R_J Botstop doesn't have all the events in it and overrides views, and really is not a great choice for vanilla 2.1 and will conflict with mailchimp plugin and a few other plugins.

    Botstop was a great innovation in vanilla 2.0, but for vanilla 2.1 not the one I would recommend.
    Instead if you are using vanilla 2.1 use http://vanillaforums.org/addon/addregistrationquestion-plugin

  • R_J Cheerleader & Troubleshooter Munich Moderator

    Too late to edit :(


  • hgtonight ∞ · New Moderator

    @R_J said:
    Too late to edit :(

    I disagree ;)
