Ban Evasion

Started by Tomás C., May 29, 2009, 08:28:28 AM

Arantor

Tor is a proxy solution, it runs through other people's computers in such a way you'd never know it was Tor. Easy to mask your IP through that - and unblockably, too.

Flash cookies store it separately to regular cookies, and yes in something of a stealthy way. But there were documented vulnerabilities - cookie leaking, amongst others, where sessions were compromised. But even that isn't really a solution, and it'll penalise those users who can't/won't have Flash on their PC.

Tomás C.

I think iesnare is 100% reliable, right?

So from what I see, we can only ban proxies and IPs, and hope they don't use Tor. Is Tor legal? I mean, someone accesses a hacked account and then the IP appears as being another person's? Strange...

But coming back to the Flash cookie option, those vulnerabilities... Can't a good programmer build a mod to scriptlance that would flash cookies and then we would have the only solutions?

I see that Flash cookies are the only solutions available, and 99% of the users have Flash.

Arantor

Tor is legal in some countries/some states and not in others. Offhand I don't know the full ins and outs of it.

But yeah, you've hit the problem.

The problem is in Flash itself - or at least it was. It may still be.

Flash cookies are a solution. Not the only solution. Besides they're still just as manipulatable as regular cookies; it doesn't take that much to modify them and abuse them a la regular cookies. Besides, IP ban would still catch users using Flash cookies or not.

I also strongly disagree on the 99% of users claim. Most big corporate machines do not allow Flash at all, due to security, and time-wasting, yet the forums themselves are allowed in breaktimes and in some cases regular working hours. Enforcing Flash cookies locks these users out. Plus, many users routinely use Flash blockers now to prevent ads.

Like I said, and I know I am not alone in this, if I were required by a forum to use Flash to authenticate myself I would not return to that forum.

Tomás C.

Flash cookies are a solution. Not the only solution. -> do you know any solution like that??

I don't know, for example, how to modify a Flash cookie, but I know how to change my IP. The problem with IP is that I just need to reset my modem, so simple...

OK, but most of the users have Flash, I know that, and of course Flash doesn't need to be an obligatory requirement; can't the cookie just be installed for the people that have Flash?

And do you think it's difficult to build a cookie like iesnare does? Iesnare costs 200,000 Euros to implement, that's the problem.

Maybe a programmer doing the flash cookies would be a great solution.

Maybe the best we've come to yet, in this conversation.


Thanks!

Arantor

I said there were other solutions. I don't pretend they're any better or worse. If you want to avoid multi abuse, custom browser, SSH, biometric access. (Even that's abusable but it's a lot more work.)

If Flash isn't a requirement, you have to use regular cookies. So if I want to abuse, I see you're using the Flash/not Flash cookies, disable Flash and I get in because my browser has it disabled. Instantly this complex method is broken (just like most DRM systems; you end up inconveniencing regular users to prevent abuse)

The bottom line is this: no matter how complex and inventive a solution to multi abuse is, there will be a percentage of users who will be stopped by it. There are also a percentage of users who won't, because no matter how clever the solution is, there is someone smarter out there.

The ultimate solution is to find measures that don't inconvenience regular users too much whilst minimising what trolls and malicious users can do. The problem is that the more aggressive your measures are against spam, the less people are going to be interested.

You can implement whatever technical measures you like but it just cuts out the careless, stupid and lazy trolls. The smart and motivated trolls won't be put off by whatever methods you have.

2.0 helps with this, you can have people in groups where their posts are moderated before being displayed.

Tomás C.

Of course, I just said Flash cookies look like a pretty good solution, hand in hand with IP banning.

What are multi abuse, custom browser and SSH???

LOL biometric, I don't want to bother the normal users :)

But to get past the Flash cookies you need to really understand a lot of informatics... Not every user knows that, and they can't identify Flash cookies, I think!
Do you think it's difficult to implement Flash cookies? And do you know the cons?

Yes, you are right, we always need to be careful with the solutions and all solutions can be broken. I have more stupid trolls than smart trolls, I think.

"2.0 helps with this, you can have people in groups where their posts are moderated before being displayed."

Placing that just for the new users would be awesome, all users with less than 5 posts for example; the need is for good moderation at all times.

Arantor

My point was that since you can't rely on the browser, the connection between it and your site, or that the user is who they say they are, the only options you have are a custom browser that the user can't tamper with, a connection encrypted the entire time, and biometric logging to ensure that each person only has one account! Any situation where someone creates a second account to circumvent restrictions on the first is 'multi abuse' - they have multiple accounts for the purpose of abusing the system.

You saying about bothering the normal users is precisely my point: for every more complex technical measure you inconvenience a segment of users. CAPTCHAs bother people, particularly those with bad vision, for example. Each successive barrier you put in to inconvenience abusers is a barrier you place in the path of contributing users too.

I don't know enough about Flash to implement Flash cookies; I'm a PHP+HTML+CSS+JS coder not an ActionScript one. Though the theory seems sound; but again any sufficiently determined abuser will bypass it, so to avoid inconveniencing other users I'd forego it entirely. There's a reason it costs €200k to implement.

I did actually describe in another thread how you could make most of it read-only except for one board that would be open to new users (like an introductory area) - once they hit 10 posts they would be able to post in the rest of the forum, this is something you can do in 1.1 as well as 2.0. The premise here is not to prevent new users, but to slow down trolls.

Tomás C.

LOL what an exaggerated approach :)

Flash cookies look very interesting. I think I'll try to find a programmer.

And how can a user be inconvenienced by that?

"There's a reason it costs €200k to implement." -> Maybe the software is too good, maybe a not so good software would be good. I think the best solution here is to search for a great mod for cookie flash on SMF.

What do you mean by one board? I think trolls won't slow down too much.

Arantor

It was intentionally an exaggerated approach. The point is that it really doesn't matter how clever your methods are, it's defeatable, and it will inconvenience legitimate users. There is yet to be a way developed that does so without affecting other users.

How can a user have an inconvenience? If they use NoScript, or AdBlock, or FlashBlock, to name three off the top of my head. The company I used to work for would not allow Flash on any of their machines, desktop or laptop. And if I wanted to use my PC to log in, I also had to disable Flash. A certain amount is demographic; if your forum is full of gamers, they're likely to have Flash. If it's full of security-conscious techies, odds are they won't have/want Flash.

And if you provide a non-Flash entry method you just inconvenience regular users at the price of not stopping determined trolls, since the minute a troll realises they can use a non-Flash entry, that's what they'll do - it's the path of least resistance.

You can try and find someone to implement it but I maintain that it won't actually prevent anyone who you would otherwise IP ban. If they're smart enough to get around an IP ban, they're smart enough to do precisely the same thing to defeat this. And seriously; that's all it will take. If you were to implement a Flash cookie login system, I could show you how to defeat it in less time than it would take to install.

Like I said, it is a solution. It's not the best solution. It's definitely not the best solution for this case.

My solution: create a single board/category that requires users to post 10 posts in before allowing them access to the rest of the forum to post in (though they can read it regardless). It won't stop a troll from doing damage but it means that if they want to go ranting, they have to post 10 posts in that specific board; and will have to do that again after a ban. So for each account they get banned, that's another 10 introductory posts they have to make. You could even do it so that they don't get moved to having access until you're satisfied with their posting attitude.

Tomás C.

Isn't it possible to log in with Flash cookies, and if the user doesn't have Flash, it logs in with normal cookies? What's the inconvenience of that?

Is there any type of cookie that is better?

Yes, it's a solution, it's not the best I had for now. I will think about the 10 posts thing :)

Thanks for all the great comments, it's good to discuss these things.

Arantor

Where's the inconvenience? Quite simple.

Regular user uses Flash. Spammer won't use Flash but will use the normal login. Instantly all the extra work that went into Flash cookies is *gone* because the spammer is evading the ban because you've provided normal cookies. If you provide Flash cookies *only* there is a vague chance it might deter a fraction of 1% of those people you'd already banned. The point is you implement this fantastic system but want to leave a loophole in - which gets abused. Remove the loophole and you inconvenience users who can't/won't use Flash.

Tomás C.

I see, thanks for the opinion.

But is it easy for those users to detect that the problem is the Flash? If they have Flash, isn't the login done smoothly without them noticing it?

They are not tech pros, they are just dumb people that know how to change an IP.

And another thing, iesnare for example hides in the registry, it's very difficult to catch...

http://www.blackhatworld.com/blackhat-seo/black-hat-seo/12822-mpsnare-iesnare.html#post115140

"If it's a flash cookie, i.e. *.sol file, you need to delete it. If you use firefox install the "objection" plugin found here.

LSO objects never get cleaned with your standard clear cookies command."

Arantor

iesnare is sounding more and more like a tool I would be staying well away from. Registry injection? No thanks. Who knows what it is doing?

I still maintain that no amount of technical solution will actually prevent someone evading a ban. It doesn't matter how technical or magical it is, it can be defeated, usually with little work.

I would definitely notice a Flash login; I always use NoScript on sites I'm not familiar with. I'd see the login form change.

Tomás C.

Not everyone uses NoScript, so I think a Flash login is a good hypothesis.

And even if the user uses NoScript, that wouldn't make a huge difference for him; you are a webmaster, you know more than the average person.

Yep, it's a complicated tool, messing with the registry, but it definitely works, but costs too much.

Arantor

Actually, many Firefox users use NoScript now.

If you have a system that requires that level of protection I can see its use, but for even large forums there are better solutions - as outlined above, plus having good mods.

Tomás C.

But does NoScript warn users that the forum has Flash cookies?

I don't see the deal of that if the users don't know too much about technology.

Is there something like Flash cookies? An alternative?

Anyway, one more time, thanks for the good conversation, we really have pointed out great solutions for the members who will read these posts.

It's strange that we look like the only two that are really interested in this.

Arantor

NoScript prevents the Flash from even loading until you allow the domain, meaning that for users who use NoScript, they have to opt-in to the site in a way even before they can log in.

It is odd that we are the only two interested in this avenue of discussion, at least. But I don't think anyone really wants to intervene...

The better solution as I see it is to slow the trolls down. Speaking as both a white-hat developer and on occasion a grey-hat (proving out vulnerabilities in systems via harmless demonstration) the more complex measures will at best deal with the careless and lazy trolls. Any sufficiently complex measure to prevent users causing havoc is likely to prevent less technically aware users from posting anyway, whether it's a technical prevention, or the complexity is enough for them to not bother.

Pitch it to the level of the users you're dealing with. If you have a forum full of people who aren't very technical, a Flash cookie solution might well deter the worst offenders, but for any forum where there are technical people around, they will take one look at the Flash cookie and start the equivalent of running round waving their arms in the air - they'll decry it as an awkward security measure.

Plus you are adding a barrier to get in; not every user has Flash. Some can't use it due to security policies on the machine, some won't use it out of paranoia (me, generally). What about users who have visual disability? What about users on platforms that don't have Flash/don't have reliable Flash? There are more platforms out there than people realise these days.

Cater to the group of users you're targeting. As an example: In my MMORPG+forum development, we took the decision to not support IE6. It simplifies things on a technical level, and because the vast majority of users who use IE6 aren't the people who will play the game; but it's still a segment of the market I am cutting out. A similar argument applies here.

The thing is, the most determined trolls will *still* get around IP bans, Flash cookies or whatever. Maybe change the browser, browse from another computer, whatever. There are so many ways to get round even the most complex banning methods that the best you can truly hope for is to slow them down to the point of frustration and that they'll go away.

If you have a board that is the only board a new poster can post in, that's a limit to how much damage they can do. Odds are a troll will give themselves away quickly, so you can ban them there and then. I know one forum where the forumite has been banned 50 or 60 times but still comes back. But because of the measures they take to slow down users from posting, the visible posts are few and far between.
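
The introductory-board approach Arantor describes in this thread (one open board, 10 posts there before the rest of the forum unlocks, optionally a moderator's sign-off), modelled as an added example that is not part of any post here and is not SMF code. The board names, class names and the `simulate_evader` helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field

INTRO_BOARD = "introductions"   # assumed name for the one open board
REQUIRED_INTRO_POSTS = 10       # threshold suggested in the thread

@dataclass
class Member:
    name: str
    intro_posts: int = 0
    approved: bool = False      # set by a moderator, never by the member
    banned: bool = False

@dataclass
class Forum:
    require_approval: bool = False          # optional moderator sign-off
    members: dict = field(default_factory=dict)

    def register(self, name):
        self.members[name] = Member(name)
        return self.members[name]

    def can_post(self, member, board):
        if member.banned:
            return False
        if board == INTRO_BOARD:
            return True                     # new members may always post here
        if member.intro_posts < REQUIRED_INTRO_POSTS:
            return False                    # the rest of the forum stays read-only
        return member.approved or not self.require_approval

    def post(self, member, board):
        if not self.can_post(member, board):
            return False
        if board == INTRO_BOARD:
            member.intro_posts += 1
        return True

def simulate_evader(forum, bans):
    """Re-register after every ban; return (intro posts written, posts landed elsewhere)."""
    intro = landed = 0
    for i in range(bans):
        m = forum.register(f"evader{i}")    # fresh account, IP/cookie ban assumed bypassed
        for _ in range(REQUIRED_INTRO_POSTS):
            intro += forum.post(m, INTRO_BOARD)
        landed += forum.post(m, "general")
        m.banned = True                     # moderators ban the new account too
    return intro, landed
```

Across five bans the evader writes 50 introductory posts to land 5 elsewhere, and lands none when `require_approval` is on.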

Norv

*interferes shamelessly*
You're not the only ones interested in the discussion :)
Some of us simply want to read and think it over when they have more time and perhaps knowledge. And I do use NoScript.

*hides back in the background*

Arantor

@Norv :)

I didn't see anyone else so I figured this avenue was of limited interest. Good to hear that others are interested. Maybe together we can solve it?

Tomás C.

Hi Norv, I understand that, but all opinions are welcome!

Speaking for myself, I'm inexperienced in this matter, so all opinions I can get are going to help get a solution.

That's bad... I wish I knew how many users of my forum use NoScript.

I'm more worried about when I'm sleeping and the trolls attack the forum, that has happened before!

I think Flash cookies are good for me, following your way of thinking, because of the people I have in the forum; they see the website, which is also in Flash.
But I'm learning here; this could be a good add-on for me, but not for some forums.

And it's always a risk just for trolls. About the users that won't have Flash, they just log in normally (if the programmer is able to do that, of course).

I see what you know, and you are really right about the segment that you lost.

Oops, using another browser will do the trick, you are right...

"I think a program to compare it's and double accounts would be more useful. I know one forum where the forumite has been banned 50 or 60 times but still comes back. But because of the measures they take to slow down users from posting, the visible posts are few and far between."

:)
