Simple Machines Community Forum

Archived Boards and Threads... => Archived Boards => SMF Feedback and Discussion => Topic started by: Unruler on November 12, 2012, 07:28:33 AM

Title: Capcha is useless?
Post by: Unruler on November 12, 2012, 07:28:33 AM
Bots could be programmed to recognize any captcha so it's only effective if you change it periodically.

However, if you rely on a security question for your forum, it's a much more effective option since it's custom for every forum and could be changed at no time.

So the question is why use captcha at all? It's only an additional inconvenience for users and it doesn't stop bots as efficiently as a security question does.
Title: Re: Capcha is useless?
Post by: Kindred on November 12, 2012, 07:46:06 AM
Are you talking about *THIS* forum? If so, then the reason we cannot use questions is because the questions are not able to be localized/translated... and we support users in 30+ languages here...
Title: Re: Capcha is useless?
Post by: Unruler on November 12, 2012, 11:03:13 AM
Quote from: Kindred on November 12, 2012, 07:46:06 AM
Are you talking about *THIS* forum? If so, then the reason we cannot use questions is because the questions are not able to be localized/translated... and we support users in 30+ languages here...

Nah, I'm talking in general. My idea is if a forum has a security question there is no point in captcha because the first is more effective than the last.
Title: Re: Capcha is useless?
Post by: Kindred on November 12, 2012, 11:08:32 AM
ah, well, you might notice that this has been discussed several hundred times already...

Title: Re: Capcha is useless?
Post by: Antechinus on November 13, 2012, 03:11:00 AM
Quote from: Unruler on November 12, 2012, 11:03:13 AM
Nah, I'm talking in general. My idea is if a forum has a security question there is no point in captcha because the first is more effective than the last.

Yes, if you aren't worried about supporting a pile of languages you can do it that way. I don't use captcha myself. However, you will still need to be vigilant and to use IP bans, etc. to keep the number of spammers down. No one solution is perfect.
Title: Re: Capcha is useless?
Post by: Unruler on November 13, 2012, 09:36:12 AM
Hmmm, how about a different question for different languages, is that possible?
Title: Re: Capcha is useless?
Post by: IchBin™ on November 13, 2012, 11:12:34 AM
Nope. You'd have to have a way to determine what language someone is using on their computer, then have SMF call the questions in their language for them. That's not something I have seen anyone do yet.
Title: Re: Capcha is useless?
Post by: MrPhil on November 13, 2012, 12:06:48 PM
osCommerce attempts to do that, but I don't think it's consistently successful. It queries the browser for what language it's configured in, and selects that as the default store language to use (if installed/configured, otherwise fall back to a designated language, and finally English). Apparently a lot of people just leave their browsers configured in English.
Title: Re: Capcha is useless?
Post by: Matthew K. on November 13, 2012, 12:30:19 PM
It wouldn't be too difficult to throw together some solution that would change the language of the verification. Problem is, the forum administrators would have to have the strings translated, correctly.
Title: Re: Capcha is useless?
Post by: Unruler on November 13, 2012, 11:13:12 PM
I think a select-language dialog before registration could help.

Otherwise, there are many ways to determine users' language; some sites do that via IP.
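
The language selection discussed in the posts above (browser language, an explicit choice before registration, then a designated fallback and finally English), as an added example that is not part of the thread and is not SMF or osCommerce code; the question set, `FORUM_DEFAULT` and all function names are hypothetical. The Accept-Language header is client-controlled, so it is only ever used as a lookup key into the set of translated questions.

```python
# Added illustration; not SMF or osCommerce code. All names are hypothetical.
# Constructed sample data: questions the forum admin has had translated.
QUESTIONS = {
    "en": ("What colour is the sky on a clear day?", {"blue"}),
    "fr": ("De quelle couleur est le ciel par temps clair ?", {"bleu", "bleue"}),
    "de": ("Welche Farbe hat der Himmel an einem klaren Tag?", {"blau"}),
}
FORUM_DEFAULT = "de"   # the admin's designated fallback language
LAST_RESORT = "en"     # used only if the designated language has no question

def parse_accept_language(header):
    """Return language tags from an Accept-Language header, best first."""
    ranked = []
    for position, part in enumerate(header.split(",")):
        pieces = part.strip().split(";")
        tag = pieces[0].strip().lower()
        if not tag or tag == "*":
            continue
        q = 1.0
        for param in pieces[1:]:
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0   # malformed weight: treat the tag as not acceptable
        if 0.0 < q <= 1.0:    # also drops q=0, nan and out-of-range weights
            ranked.append((-q, position, tag))
    return [tag for _, _, tag in sorted(ranked)]

def pick_language(header, chosen=None):
    """Explicit choice, then browser preference, then forum default, then English."""
    candidates = ([chosen.lower()] if chosen else []) + parse_accept_language(header or "")
    for tag in candidates:
        for code in (tag, tag.split("-")[0]):   # "fr-CA" falls back to "fr"
            if code in QUESTIONS:               # untrusted input is only a dict key
                return code
    return FORUM_DEFAULT if FORUM_DEFAULT in QUESTIONS else LAST_RESORT

def check_answer(lang, answer):
    """Compare the answer against the accepted answers for the language shown."""
    _, accepted = QUESTIONS[lang]
    return answer.strip().casefold() in accepted
```

Store the chosen language code in the server-side session when the question is rendered, so the answer is checked against the question that was actually shown.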
Title: Re: Capcha is useless?
Post by: mashby on November 13, 2012, 11:27:16 PM
Captcha seems to be broken in that it prevents humans from doing things that automated bots do with ease. Isn't that the exact opposite of its original purpose? Questions are certainly an issue for multi-lingual sites. I think my response here might be robotic in that it's been written before. Back to captcha and the topic title. I think captcha is more harmful than useless. I've registered on one site that had me put together a six piece puzzle with an image of what I was supposed to build. I imagine even that could eventually be broken by bots. It certainly seemed language agnostic. I'm not sure a blind person would be able to complete it though. But it seemed like a step in the right direction.
Title: Re: Capcha is useless?
Post by: Matthew K. on November 13, 2012, 11:29:00 PM
Slightly off topic, but for a chat software I was developing with a friend, we made a drag and drop "matching" game that was very simple to figure out and complete. If the user was not able to drag (iOS / Android, etc.) it would add number boxes to match the numbers.
Title: Re: Capcha is useless?
Post by: Antechinus on November 13, 2012, 11:47:34 PM
Those sorts of things are bad for a11y, so you can't really use them if you want to cater to everyone.
Title: Re: Capcha is useless?
Post by: mashby on November 13, 2012, 11:57:38 PM
Don't ya think we aren't really catering to anyone with the setup we have now? We sure spend time pruning spam messages which is what captcha was supposed to prevent. Time lost. We will never get that back. :)
Title: Re: Capcha is useless?
Post by: Antechinus on November 14, 2012, 12:02:34 AM
Oh sure, I'm not saying anyone should keep captcha. I reckon it has been obsolete for several years, which is why I disabled it some time back. All it does is annoy legitimate users.

What I'm saying is that visual puzzles are bad for a11y.
Title: Re: Capcha is useless?
Post by: Matthew K. on November 14, 2012, 12:05:18 AM
a11y?
Title: Re: Capcha is useless?
Post by: Antechinus on November 14, 2012, 12:17:46 AM
http://en.wikipedia.org/wiki/Computer_accessibility ;)

"Accessibility is often abbreviated a11y, where the number 11 refers to the number of letters omitted. This parallels the abbreviations of internationalization and localization as i18n and l10n respectively."
Title: Re: Capcha is useless?
Post by: Unruler on November 14, 2012, 07:57:49 AM
I don't think that puzzles are better than captcha because you can program a bot to do any automated action (including solving puzzles). They are effective now because they are not widespread.

The advantage of a question is that it can be easily customized, making it hard for bots to adapt.

PS Never heard of abbreviations with the number of omitted letters in them, they should be hard to figure out.
Title: Re: Capcha is useless?
Post by: kat on November 14, 2012, 08:27:10 AM
What about a selection of pictures? You could display the picture and ask is this a:

House? Tree? Penguin? etc.

You could even make the pix quite intricate, as long as it's obvious as to what it's actually a picture of.
Title: Re: Capcha is useless?
Post by: MrPhil on November 14, 2012, 08:47:43 AM
K@, anything that is purely visible would be a problem for the visually impaired that use a screen reader. Does anyone know if an audio description ("This is a picture of a cat. Please type in what it is a picture of.") works for the visually impaired, but stops bots? Maybe the two could be combined in some way: "This is a picture of a cat. Please type in the animal that is their mortal enemy."
Title: Re: Capcha is useless?
Post by: kat on November 14, 2012, 08:49:25 AM
Quote from: MrPhil on November 14, 2012, 08:47:43 AM
K@, anything that is purely visible would be a problem for the visually impaired that use a screen reader.

Bugger. Good point.
Title: Re: Capcha is useless?
Post by: Kindred on November 14, 2012, 08:56:38 AM
but, what happens if you get a blind Frenchman then? O:)
Title: Re: Capcha is useless?
Post by: MrPhil on November 14, 2012, 09:07:16 AM
In the interest of decency and family friendliness, we won't go there ;)
Title: Re: Capcha is useless?
Post by: Unruler on November 14, 2012, 09:16:43 AM
What's the point in a picture if you can go with a "what has 4 walls, a door and a window?" kind of thing?

Also, you have a license agreement pending acceptance; is it adapted for multiple languages?

EDIT: How about a function that allows attaching a picture to a security question?
Title: Re: Capcha is useless?
Post by: mrintech on November 14, 2012, 12:50:28 PM
Can bots be programmed to override Keycaptcha and moving images?:

(http://i.imgur.com/s1ipd.jpg)
...
(http://i.imgur.com/RKYK8.gif)
Title: Re: Capcha is useless?
Post by: Matthew K. on November 14, 2012, 01:10:07 PM
Quote from: Antechinus on November 14, 2012, 05:15:13 AM
^ ^ Spamtard alert. Please kill. Kthnx.
Are you talking about yourself...? :P
Title: Re: Capcha is useless?
Post by: Kindred on November 14, 2012, 01:11:16 PM
but, as we've said, with those you run into issues with visually impaired users...

any time there is a captcha with a verbal reading of the letters, it means the bots can break it. They actually wrote a script which "listens" to the verbal letters and then parses it and uses them
Title: Re: Capcha is useless?
Post by: MrPhil on November 14, 2012, 03:13:49 PM
Re: moving images

I'll bet that not only could they still listen to the letters (the desired ones, not the background noise), but they might have an even easier time deciphering it visually. Take a number of snapshots (frames) from the video and use statistical analysis to filter out the fast changing stuff (background noise) and concentrate on the slowly changing stuff (desired letters).

Still, an interesting concept that might be taken somewhere with some work.
Title: Re: Capcha is useless?
Post by: mrintech on November 15, 2012, 03:39:49 AM
Thanks :)
Title: Re: Capcha is useless?
Post by: Unruler on November 15, 2012, 12:26:46 PM
Idk, guys, why are you so focused on captcha or other unified solutions? Because they may be good, but not necessarily for a forum. Because for a forum (that being usually a themed community) a security question may serve you more than just for filtering the spammers: it can also restrict access of undesired attendees like trolls or kids or clueless people.
Title: Re: Capcha is useless?
Post by: MrPhil on November 15, 2012, 05:55:23 PM
Well, CAPTCHAs were originally designed to filter out bots (signing up to spew spam) during signup and perhaps for a limited number of posts. As discussed, they're now usually harder for real people to solve than the bots! Filtering out real people that we suspect would be undesirable might be helped a bit by good questions, but you have to be careful about requiring such domain-specific knowledge up front (at registration) that you end up excluding good people who want to participate to learn. It's difficult to strike a good balance, and you will always end up having to ban and clean up after spammers. If you have some good moderators in different timezones, hopefully you can keep on top of it to the point where word gets around that your forum isn't worth spamming.

Any forum (SMF included) could certainly use filters to try to automatically weed out spam (hold it for review). It's not an easy problem to solve, but will become vital as automated "hard shell" defenses (stop 'em at registration) like CAPTCHAs and even Questions or Are You Human tests lose their effectiveness. Whatever we do, the spammers will go to work to defeat it (as they have with CAPTCHA), so it's a never-ending arms race. Some of the filters might also prove useful for stopping trolls and idiots, but nothing will be guaranteed.