[RFC] stop distributing worthless CAPTCHAS in 3.1

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
Post Reply
User avatar
Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Kamahl19 » Wed Jan 08, 2014 8:12 pm

It does not matter who ate the Red. I dont understand it anymore, it was some time ago. Of course, the Q is right, but I forgot it. Maybe it was Who did the wolf ate? It does not matter, my point is to use QaA as default captcha and use good Q.

leschek
Registered User
Posts: 163
Joined: Tue Aug 28, 2012 1:30 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by leschek » Wed Jan 08, 2014 8:14 pm

Kamahl19 wrote:leschek, most difficult picture captcha is also able to broke and it is very annoying for people. Even I with good sight am not able to read many captchas. And reCaptcha is broken, so why should we keep it? I had reCaptcha on 2 my boards and I had 100 bots per day. Totally useless.
I know that good QaA is better than picture captcha (on my forum it's working very well), but I don't think that default QaA would be better than picture captcha. If it is used in phpBB it would be broken soon.

If there are on your forums 1000 spammers per day and 100 of them get through is not so bad to say it doesn't work.

OT ideas - would help to use two different questions/captchas at once, so spambots would have to solve two tasks? Or would be possible to write question into the picture, so user will not have to rewrite what he see on picture, but answer the question written on it and would help it?

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Master_Cylinder » Wed Jan 08, 2014 8:33 pm

Kamahl19:
It DOES matter "who ate Red" because that's a good example of a bad Q&A pair if the answer was "wolf" as posted. If the Q was "who ate grandma in the story, Little Red Riding Hood?" then that would be a good pair but that brings us to the problem of making sure the pairs are good or it'll either be broken just like captcha or people won't be able to solve it due to the defined answer actually being wrong.

leschek:
Right, good Q&A pairs *are* better than the regular captchas but how do we make sure that the admins write good pairs? I don't think it's possible and default or random pairs would be broken too.


There has to be a solution for something better but I don't know what it is. I liked the java one because bots aren't going to drag anything with a mouse but the java issue eliminates that one as a default too. Can something similar be done with AJAX? Maybe instead of drag and drop it uses left/right arrow buttons to move the selections? I don't know...
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

User avatar
DavidIQ
Customisations Team Leader
Customisations Team Leader
Posts: 1822
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by DavidIQ » Wed Jan 08, 2014 11:10 pm

Why would we care if the question is good or not at this point? We are only interested in removing CAPTCHAs that will be broken by bots no matter what the settings are. Arguing about how to prevent an admin from entering a bad Q&A pair does not really belong in this topic.

If Q&A was to be made the default then the simplest thing to do is add it to the initial setup, ask the admin to fill out the needed information, and we leave it at that. Since we love giving people choices perhaps the admin can be presented with the option to use a different CAPTCHA at that point and we just reuse the entire CAPTCHA ACP area for that. Right now we do nothing of the sort. We simply set the default broken image CAPTCHA and continue on our merry way so a change there is really needed.

Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.
Image

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Master_Cylinder » Wed Jan 08, 2014 11:22 pm

DavidIQ wrote:Why would we care if the question is good or not at this point? We are only interested in removing CAPTCHAs that will be broken by bots no matter what the settings are. Arguing about how to prevent an admin from entering a bad Q&A pair does not really belong in this topic.

If Q&A was to be made the default then the simplest thing to do is add it to the initial setup, ask the admin to fill out the needed information, and we leave it at that. Since we love giving people choices perhaps the admin can be presented with the option to use a different CAPTCHA at that point and we just reuse the entire CAPTCHA ACP area for that. Right now we do nothing of the sort. We simply set the default broken image CAPTCHA and continue on our merry way so a change there is really needed.

Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.
To me, we should care because bad Q&A is just as worthless as broken captchas but if *that* is beyond the scope of this RFC, I don't want to hijack it.

You do have a point that it's not for us to hold an admins hand and *make* them use good pairs though.
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

User avatar
Pony99CA
Registered User
Posts: 986
Joined: Sun Feb 08, 2009 2:35 am
Location: Hollister, CA
Contact:

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Pony99CA » Thu Jan 09, 2014 2:03 am

Master_Cylinder wrote:Rehashing that isn't a bad thing since there wasn't agreement whether the random Q&A would be solvable by bots.
Yes, but if you want to rehash it, there's already a topic for that.
leschek wrote:
Kamahl19 wrote:leschek, most difficult picture captcha is also able to broke and it is very annoying for people. Even I with good sight am not able to read many captchas. And reCaptcha is broken, so why should we keep it? I had reCaptcha on 2 my boards and I had 100 bots per day. Totally useless.
I know that good QaA is better than picture captcha (on my forum it's working very well), but I don't think that default QaA would be better than picture captcha. If it is used in phpBB it would be broken soon.
I'm not sure that it would be broken that quickly. How long did it take Xrumer to add a database for Q&A CAPTCHAs? Q&A came into phpBB in 3.0.6, I believe, and the database didn't become available until 2012 or 2013.

And, even if it is broken eventually, so what? Blocking spammers is a cat-and-mouse game anyway, but if we don't do anything, the spammers have already won. As David said, pretty much any bot can get past the default CAPTCHA today. Yes, we may have to do something else later, but that's to be expected.
DavidIQ wrote:Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.
Yes, like that Q&A topic that I linked to yesterday, where that discussion was already taking place. ;)
Master_Cylinder wrote:You do have a point that it's not for us to hold an admins hand and *make* them use good pairs though.
Not exactly. We could have some help text in there to suggest what "bad" questions are and what "good" questions are. In the end, though, the admin is responsible for this.

Anyway, as I probably said here before, I'm for getting rid of all current CAPTCHAs except for Q&A (obviously, which would be the default) and (possibly) ReCAPTCHA (in the hopes that Google can continue to work on it and boards that use it will see improvements automatically if they do). Maybe we could also put a link in the ACP that takes people to additional CAPTCHAs in the MOD DB.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

User avatar
emosbat
Registered User
Posts: 43
Joined: Fri Aug 24, 2012 8:49 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by emosbat » Sat Jan 11, 2014 3:08 pm

this is just an idea. an image captacha should use logic questions within image. a bot can not easily read an scrambled question and then find its answer. this can be very difficult for a bot.

Image

User avatar
Kamahl19
Registered User
Posts: 161
Joined: Thu Dec 27, 2007 10:31 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Kamahl19 » Sat Jan 11, 2014 6:19 pm

That might be good idea but.. phpBB is widely used. All bots would be updated to break this captcha easily. They would read the instruction and they would know what letters to choose. The problem is that there would be limited amount of colors / shapes so it would be easy to learn the bot to understand this.

User avatar
Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by Master_Cylinder » Sat Jan 11, 2014 7:16 pm

Couldn't the Sortable CAPTCHA that was mentioned earlier be adapted to use AJAX instead of javascript? I know there is talk of drag and drop re-ordering of forums, custom profile fields and other "sortable" fields so maybe that would work with CAPTCHA too. I don't think that spambots can drag things with a mouse. I can make a "Sortable AJAX CAPTCHA" RFC, if we need to.

Or maybe even just left/right buttons to move the selections if drag and drop can't be done?
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] stop distributing worthless CAPTCHAS in 3.1

Post by EXreaction » Sat Jan 11, 2014 8:31 pm

Ajax is javascript.

It might be possible to use buttons and refresh the page if the users do not have JS support.

Post Reply