Suspecting RC1 very soon!

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Lastof
Registered User
Posts: 518
Joined: Wed Mar 17, 2004 8:10 pm
Location: Two weeks last wednesday

Re: Suspecting RC1 very soon!

Post by Lastof »

If you look around, you can actually find quite a few topics that we debated this issue in (those three are the tip of the iceberg). Despite our best efforts, we can't seem to find a better method for a generic bot stopper.

Uniqueness is the only way we can beat them. Supposedly the current captcha is easy to replace with an alternative, such as one of the ones from when we had many (it was also said that they would be released as mods once we hit gold. I hope this is still so). What I would like to see for 3.2/3.4 (probably 3.4, since 3.2 is feature frozen already, but I can hope) is this being taken to the next level. A unified system for adding new anti-bot methods to forums easily. Similar to the way adding new authentication methods is supposed to be easy now. Kind of like a limited "hooks" system. The easier it is to add new methods, the more people that will do it. If it is as easy as downloading a file, dropping it in a directory, and then activating it in the acp (which would detect it just like it does new styles), then we would really be able to scupper the bots. If it was officially encouraged on install to head to phpBB.com and download one or two approved ones from the mods section, then a reasonable number of people would. I think this is the only way we can effectively fight them. Make it as easy as possible to be different to everyone else. Make it too much effort for them to beat us.
Last edited by Lastof on 04 May 2008, 00:00, edited -1 times in total
Look, I'm officially not a bug!!
SHS`: "Oooh Bertie, spank me with that casing stick, spank me spank me spaaaaannnnk mee!"

Drew***
Registered User
Posts: 74
Joined: Sun Jan 02, 2005 9:48 pm

Re: Suspecting RC1 very soon!

Post by Drew*** »

NeoThermic wrote: Really? Thing is, question and answer approaches have these major problems:

  • NeoThermic wrote: no way to release a default set of questions/answer

    If you used the image approach the only question would be “What do you see in the image”? You could then set up the phpbb logo as the default. Or you could use captcha as a default and offer Image and response as an option.
    NeoThermic wrote: language problems (If I try to register on a board that speaks Dutch for example, although I can read Dutch, I can't write it, and thus such a "solution" prevents me from registering)

    The Image and response would solve that issue and if need be you could include a link to http://babelfish.altavista.com .

    What do you see in the image? Image Answer _ _ _ _ _ _ (Flower)

    Wat ziet u in het beeld? Image Antwoord _ _ _ _ _ (Bloem)

    ¿Qué ves en la imagen? Image Respuesta _ _ _ _ (Flor)

    Was siehst du in das Bild? Image Antwort _ _ _ _ _ (Blume)

    Che cosa vedete nell'immagine? Image Risposta _ _ _ _ _ (Fiore)
    NeoThermic wrote: High workload for the admin. They have to come up with a set of questions and answers that are not easy to google for, and that are easy enough for a wide range of people to know

    Again using an image means the admin would select an image ( http://images.google.com ) and up-load it, the same as you would an avatar. Then enter the correct response in a field. As a bonus it is very easy to change the image and response

    Contrast that with manually setting up all the accounts from people who can’t read the captcha.
    NeoThermic wrote: Reply problems. Thing is, some questions can have more than one correct answer, or the answer might have more than one correct spelling (grey/gray, colour/color, centre/center, etc).

    Ok so use an _ for each letter or use a hint f l _ _ _ r . These should be variables that can be set by the Admin

    NeoThermic wrote: Assuming there's questions which only one answer exists, then it would be somewhat trivial for someone to program a bot to obtain the answer via searches.

    Again this is why I am suggesting the use of an image
NeoThermic wrote: Those are just a few very good reasons why a Q&A captcha won't work. This is why a random letters captcha works, it avoids basically all of those problems.

NeoThermic


Those are just a few very good reasons why a Q&A image will work. :D


You can make your image and response as simple or as complex as you like. As long as the Admin is able to set the correct response then any image can be used. For example: An Equestrian forum can use horse related images, an entomology forum can use insect related images, Star Trek related forums could use an image of Picard; the possibilities are limitless.

Conceivably no two forums would have the same image. Therefore no default response. The sheer randomness of the responses would make it almost impossible for bots to crack ...and if they crack 1 image, big whoop-di-do. Since each forum uses an image of their choice they (bots) don't gain access to any other forums.

Drew
Where would you like to go today? http://antwrp.gsfc.nasa.gov/apod/

We have information about your home http://earthobservatory.nasa.gov/subscribe.php3

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom
Contact:

Re: Suspecting RC1 very soon!

Post by NeoThermic »

Drew*** wrote:
NeoThermic wrote: no way to release a default set of questions/answer

If you used the image approach the only question would be “What do you see in the image”? You could then set up the phpbb logo as the default. Or you could use captcha as a default and offer Image and response as an option.


Under the consideration that the majority of the users do not touch the admin panel that much, this "default" question would exist in the majority of boards. Hey, look, you've just given a spammer a free pass. They'll thank you for that later.
Drew*** wrote:
NeoThermic wrote: language problems (If I try to register on a board that speaks Dutch for example, although I can read Dutch, I can't write it, and thus such a "solution" prevents me from registering)

The Image and response would solve that issue and if need be you could include a link to http://babelfish.altavista.com .


Machine translations are no match for proper ones. At all. If anything, it'll confuse the issue. Plus, "leaves" fits for the space given in the English example. On top of that, you've not addressed the issue with the fact that people might not be able to write in the given language. While I can read the broken Dutch given, I would not be able to reply as I do not know how to spell "bloem". If the question required me to spell a harder word, then I've got problems. If you have a word that has language-specific characters in it, then I would also have problems (umlaut, accents, cedillas, bars, etc). With a captcha, all I need is a Latin letter based keyboard, and I can answer it, without having to know how to spell anything.

Drew*** wrote:
NeoThermic wrote: High workload for the admin. They have to come up with a set of questions and answers that are not easy to google for, and that are easy enough for a wide range of people to know

Again using an image means the admin would select an image ( http://images.google.com ) and up-load it, the same as you would an avatar. Then enter the correct response in a field. As a bonus it is very easy to change the image and response


Again, this is far more work than having a captcha that works outright. This is far too much configuration for the end user who just wants some forums, not to have to spend hours finding images and asking a clear cut question about what someone should see in the image.
Drew*** wrote: Contrast that with manually setting up all the accounts from people who can’t read the captcha.


The whole point of a captcha is so that people can read it, but bots can't. If you're having to set up many accounts due to the captcha, then the captcha is failing already. Hours of work have gone into the captchas that we are providing so that it's readable but hard to break.
Drew*** wrote:
NeoThermic wrote: Reply problems. Thing is, some questions can have more than one correct answer, or the answer might have more than one correct spelling (grey/gray, colour/color, centre/center, etc).

Ok so use an _ for each letter or use a hint f l _ _ _ r . These should be variables that can be set by the Admin


More config! Boy, these forum admins will *love* you. Don't forget, for each language you're making the admin do (as per above), the hint will have to change. Plus, if you give any letters, it can be googled (yes, google is powerful), or a bot could go around with a common word dictionary and select a word from it that matches the characters given. On top of that, languages have rules. For example, let's assume the word was "quality", and you've given the Q the A and the Y. Immediately you've also given the 'u' since there's basically no common word that doesn't have a 'u' after the 'q'. So I would then have Qua__y. Statistically, a consonant should follow the 'a', since few common words have run-on vowel usage, so this will limit the possibilities of the word being anything else. From that, I'm 100% sure that I could search through my common word file and find the word "quality". An admin should not have to sit there for a few hours to come up with images, questions and hints that do not give away the answer to automated processes.

Drew*** wrote:
NeoThermic wrote: Assuming there's questions which only one answer exists, then it would be somewhat trivial for someone to program a bot to obtain the answer via searches.

Again this is why I am suggesting the use of an image

See above.

Drew*** wrote: Those are just a few very good reasons why a Q&A image will work.


No, they're horrible reasons that involve an admin having to spend hours thinking of a captcha image and question set. Contrast that to a captcha that works out the box with zero config.

This is why a letter based captcha has the edge. No configuration, can be enabled by default, doesn't require knowledge of anything, and automatically alters itself every time accessed to provide a unique combination of letters and noise so that no catalogue of answers could be conceived.

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

Drew***
Registered User
Posts: 74
Joined: Sun Jan 02, 2005 9:48 pm

Re: Suspecting RC1 very soon!

Post by Drew*** »

Thank you for the thought out response, I disagree with some of your points but my better half says I have to wait until tomorrow for an in-depth response. :)

Btw I realize that it is too late for inclusion in 3.0 or maybe even 3.2. But if it works as I think it will, trying it as a mod first will most likely be the best way to go.
Where would you like to go today? http://antwrp.gsfc.nasa.gov/apod/

We have information about your home http://earthobservatory.nasa.gov/subscribe.php3

CoS
Registered User
Posts: 9
Joined: Wed Mar 29, 2006 11:05 am

Re: Suspecting RC1 very soon!

Post by CoS »

Nice reasons. Now I see that a Q&A system won't be useful as a universal method for every language and admins. Too much work that people won't do.

Anyway, I think Q&A will work better as a mod than if it's included in the official package (the one that spambots will try to crack first). IMO, it's better to have a unique solution for your board than the solution everybody has.

Gumfuzi
Registered User
Posts: 232
Joined: Wed Apr 26, 2006 7:04 pm

Re: Suspecting RC1 very soon!

Post by Gumfuzi »

Q&A works perfectly - but the problem with this is the language and the uniqueness (no sense which thing they will implement as standard, the mass of the boards will use this and so it is worth for the bots to get through it)

let the devs put the standard captcha or whatever - then some mod-writers maybe will code mods for this - and the more different mods are available for this, the more difficult it is for the bots.

Drew***
Registered User
Posts: 74
Joined: Sun Jan 02, 2005 9:48 pm

Re: Suspecting RC1 very soon!

Post by Drew*** »

NeoThermic wrote:
Drew*** wrote:
NeoThermic wrote: No way to release a default set of questions/answer

If you used the image approach the only question would be “What do you see in the image”? You could then set up the phpbb logo as the default. Or you could use captcha as a default and offer Image and response as an option.


Under the consideration that the majority of the users do not touch the admin panel that much, this "default" question would exist in the majority of boards. Hey, look, you've just given a spammer a free pass. They'll thank you for that later.


You said users but I think you mean Administrators, or are you just playing devil's advocate? ;) The image and response should be no harder than creating a signature and uploading an avatar. I can’t imagine any administrator that wouldn’t put that tiny modicum of effort into protecting their forum from spam.
NeoThermic wrote:
Drew*** wrote:
NeoThermic wrote: Language problems (If I try to register on a board that speaks Dutch for example, although I can read Dutch, I can't write it, and thus such a "solution" prevents me from registering)

The Image and response would solve that issue and if need be you could include a link to http://babelfish.altavista.com .


Machine translations are no match for proper ones. At all. If anything, it'll confuse the issue. Plus, "leaves" fits for the space given in the English example. On top of that, you've not addressed the issue with the fact that people might not be able to write in the given language. While I can read the broken Dutch given, I would not be able to reply as I do not know how to spell "bloem". If the question required me to spell a harder word, then I've got problems. If you have a word that has language-specific characters in it, then I would also have problems (umlaut, accents, cedillas, bars, etc). With a captcha, all I need is a Latin letter based keyboard, and I can answer it, without having to know how to spell anything.


Let me play devil's advocate. What about all these people whose language is not based on the Latin alphabet? Chinese, Arabic, Japanese, Russian, Hindi, Cherokee, are just some examples; many more can be found here
I would also suggest that it should be possible to eliminate umlaut, accents, cedillas, and similar items for image identification purposes.
Nothing is perfect, captchas are likely to cause problems for people with color blindness and a large portion of the male population, including me, has a red–green color deficiency.
NeoThermic wrote:
Drew*** wrote:
NeoThermic wrote: High workload for the admin. They have to come up with a set of questions and answers that are not easy to google for, and that are easy enough for a wide range of people to know


Again using an image means the admin would select an image ( http://images.google.com ) and up-load it, the same as you would an avatar. Then enter the correct response in a field. As a bonus it is very easy to change the image and response


Again, this is far more work than having a captcha that works outright. This is far too much configuration for the end user who just wants some forums, not to have to spend hours finding images and asking a clear cut question about what someone should see in the image.


Again you use the word “end user” which to me = forum member. I think for most administrators this is not a hard task. They do not have to come up with a question; the question is "What do you see in the image". Hours finding images, :eek: that’s a bit of hyperbole don’t you think? But yes, it is more work than an out of the box solution.


NeoThermic wrote:
Drew*** wrote: Contrast that with manually setting up all the accounts from people who can’t read the captcha.


The whole point of a captcha is so that people can read it, but bots can't. If you're having to set up many accounts due to the captcha, then the captcha is failing already. Hours of work have gone into the captchas that we are providing so that it's readable but hard to break.


I am sure that is true that a lot of hard work has gone in to this. However as others have said it is a cat and mouse game and there will also be a lot of hard work going into breaking the captcha. I believe it is important to consider alternatives and not have all the eggs in one basket so to speak.
NeoThermic wrote:
Drew*** wrote:
NeoThermic wrote: Reply problems. Thing is, some questions can have more than one correct answer, or the answer might have more than one correct spelling (grey/gray, colour/color, centre/center, etc).


Ok so use an _ for each letter or use a hint f l _ _ _ r . These should be variables that can be set by the Admin


More config! Boy, these forum admins will *love* you. Don't forget, for each language you're making the admin do (as per above), the hint will have to change. Plus, if you give any letters, it can be googled (yes, google is powerful), or a bot could go around with a common word dictionary and select a word from it that matches the characters given. On top of that, languages have rules. For example, let's assume the word was "quality", and you've given the Q the A and the Y. Immediately you've also given the 'u' since there's basically no common word that doesn't have a 'u' after the 'q'. So I would then have Qua__y. Statistically, a consonant should follow the 'a', since few common words have run-on vowel usage, so this will limit the possibilities of the word being anything else. From that, I'm 100% sure that I could search through my common word file and find the word "quality". An admin should not have to sit there for a few hours to come up with images, questions and hints that do not give away the answer to automated processes.


I will have to break this up a bit to do it justice:
Again the set up should be no more difficult than setting up a profile.
Administrators only have to set up the image and response in the language in which the board operates.
Yes a bot could use a common word dictionary combined with spelling rules to try to crack the code, but the number of tries should be limited just as you would limit the number of tries at entering a password.
Again you suggest that it will take hours to set up and I’m not sure why you think that way: pick a word, go to google images, select a suitable image and up load it as you would an avatar, enter the word in the expected response field and you are done.

NeoThermic wrote:
Drew*** wrote:
NeoThermic wrote: Assuming there's questions which only one answer exists, then it would be somewhat trivial for someone to program a bot to obtain the answer via searches.

Again this is why I am suggesting the use of an image


See above.


See my response above
NeoThermic wrote:
Drew*** wrote: Those are just a few very good reasons why a Q&A image will work.


No, they're horrible reasons that involve an admin having to spend hours thinking of a captcha image and question set. Contrast that to a captcha that works out the box with zero config.

This is why a letter based captcha has the edge. No configuration, can be enabled by default, doesn't require knowledge of anything, and automatically alters itself every time accessed to provide a unique combination of letters and noise so that no catalogue of answers could be conceived.

NeoThermic


No, they're not horrible reasons.
I will agree that if the captcha works out of the box it will require less effort.
I don’t agree that it will take hours to set up an image and response.

Both solutions have their strong points and weak points:
True captcha operates right out of the box.
However, with captcha it is a cat and mouse game ( http://www.ocr-research.org.ua/teabag.html )
and once broken all forums are vulnerable.

With images you have to rely on the common sense of administrators not to make the image so difficult that neither bots nor humans can gain access. However cracking one image does not provide access to all other forums.

Getting a mod written as a first step in proving the image response solution is probably the best way to go, but I believe this is a viable alternative to Captcha.

Drew
Where would you like to go today? http://antwrp.gsfc.nasa.gov/apod/

We have information about your home http://earthobservatory.nasa.gov/subscribe.php3
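
The hint and retry-limit trade-off argued over in the posts above (a hint such as `f l _ _ _ r`, the "quality" example, and limiting tries as with a password) can be checked on the admin side before a hint goes live. This is an added example, not code from any poster or from phpBB; the word list is a small constructed sample, and `audit_hint` and `AttemptLimiter` are hypothetical names.

```python
# Added illustration: admin-side audit of an image-and-response hint.
# COMMON_WORDS is a small constructed sample; a real audit would load a
# full common-word list for the board's language.
COMMON_WORDS = [
    "flower", "floor", "flavor", "flicker", "finger", "father", "flyer",
    "quality", "quantity", "quietly", "quickly", "quarry", "queasy",
    "leaves", "horse", "insect", "bloem", "blume",
]


def parse_hint(hint):
    """'f l _ _ _ r' -> ['f', 'l', None, None, None, 'r'] (None = hidden)."""
    return [None if ch == "_" else ch.lower() for ch in hint.replace(" ", "")]


def matches(slots, word):
    """True if word has the hint's length and agrees with every shown letter."""
    word = word.lower()
    return len(word) == len(slots) and all(
        s is None or s == c for s, c in zip(slots, word)
    )


def candidates(hint, words=COMMON_WORDS):
    """Every listed word a guesser could not rule out from the hint alone."""
    slots = parse_hint(hint)
    return sorted({w.lower() for w in words if matches(slots, w)})


def audit_hint(answer, hint, max_attempts, words=COMMON_WORDS):
    """Report whether the allowed tries cover every word the hint leaves open."""
    if not matches(parse_hint(hint), answer):
        raise ValueError("hint does not fit the configured answer")
    pool = set(candidates(hint, words)) | {answer.lower()}
    return {"candidates": len(pool), "guessable": len(pool) <= max_attempts}


class AttemptLimiter:
    """Counts wrong responses per client key, like a password retry limit.

    What identifies a client (session, IP address) is left to the caller and
    is an assumption here.
    """

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failures = {}

    def submit(self, client, response, answer):
        if self.failures.get(client, 0) >= self.max_attempts:
            return "locked"
        if response.strip().lower() == answer.lower():
            return "ok"
        self.failures[client] = self.failures.get(client, 0) + 1
        return "wrong"


if __name__ == "__main__":
    for answer, hint in [("flower", "_ _ _ _ _ _"), ("flower", "f l _ _ _ r"),
                         ("quality", "q _ a _ _ _ y")]:
        print(hint, candidates(hint), audit_hint(answer, hint, max_attempts=3))
```
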

Rotsblok
Registered User
Posts: 325
Joined: Mon Nov 14, 2005 12:21 pm
Location: x= y+1

Re: Suspecting RC1 very soon!

Post by Rotsblok »

Sorry to interrupt but can you two get a room of your own? It's kinda getting off topic here :P

BTW will suspect rc1 end of may middle of june
ø = 1.618033988749895...
Everything has ø in it

Drew***
Registered User
Posts: 74
Joined: Sun Jan 02, 2005 9:48 pm

Re: Suspecting RC1 very soon!

Post by Drew*** »

:D

I was thinking a while back someone would fork this thread

captcha commentary http://www.ocr-research.org.ua/list.html


Besides Rotsblok, I thought you would have seen it already on the pre-release page.

:twisted:
Where would you like to go today? http://antwrp.gsfc.nasa.gov/apod/

We have information about your home http://earthobservatory.nasa.gov/subscribe.php3

Rotsblok
Registered User
Posts: 325
Joined: Mon Nov 14, 2005 12:21 pm
Location: x= y+1

Re: Suspecting RC1 very soon!

Post by Rotsblok »

Read lots of stuff today. Haven't slept last night so brains aren't functioning correctly at moment. It's a bit lagging :P
ø = 1.618033988749895...
Everything has ø in it
