[RFC] Q&A plugin by default

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Q&A plugin by default

Post by imkingdavid »

stevemaury wrote:A default set of questions is no good, as no matter how many you have, they can be broken by anyone with access to the phpBB installation files, which is everyone.

Admittedly making an installation requirement of configuring Q&A would make the process longer and perhaps more difficult. Perhaps an override?
By default, phpBB must be configured to require a question at registration to combat spam. The method offered, if properly used, is very effective. However, if this is a local installation, or an intranet or one with closed registration, or for any other reason you wish to override that, you can do so by checking the box below that says "I love spam" (just kidding - "I do not want to enable spambot countermeasures at this time")
Or maybe just make filling it out optional, and if they don't give a question, there won't be anti-spam enabled.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

Oleg
Posts: 1150
Joined: Tue Feb 23, 2010 2:38 am
Contact:

Re: [RFC] Q&A plugin by default

Post by Oleg »

I think a nag in acp index would be sufficient.

MichaelC
Development Team
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Q&A plugin by default

Post by MichaelC »

I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.
Formerly known as Unknown Bliss
psoTFX wrote: I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"
No unsolicited PMs please except for quotes.

callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: [RFC] Q&A plugin by default

Post by callumacrae »

Unknown Bliss wrote:I think I've changed my mind on this and that Q&A CAPTCHA should be added as an installation step with a Skip button.
+1
Made by developers, for developers!
My blog

brunoais
Registered User
Posts: 964
Joined: Fri Dec 18, 2009 3:55 pm

Re: [RFC] Q&A plugin by default

Post by brunoais »

Why not just place multiple input@type=checkbox or input@type=radio for the user to choose?
Just make a warning (in red and bold) if the user chooses not to use any captcha.
If the user chooses Q&A, ask for Q's and A's to add.
If the user chooses ReCaptcha, state that there's a need for an application key and also show the instructions about how that application key can be obtained.
If the user chooses one of the other 3 (default) captcha, show the lack of security it means.
If the user chooses none, warn that it's a ludicrous option unless it's a test forum.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: [RFC] Q&A plugin by default

Post by imkingdavid »

EDIT: Ticket

I believe the best way to go about this is:
- New page following server settings with a "Skip" button at the top and a "Next" button at the bottom. Skip never takes any input on that page into account, it just moves to the next page.
- If no question/answer is entered, use current default captcha (or no captcha)
- If only question or only answer is entered, error to ask for the empty one
- Otherwise, continue.

And a Skip button should be similarly added to the Server Settings page, since that page generally needs no changes to it anyway.

Would it be possible to find/write code for a spam bot and have it test the question that is entered, both during install and later on? If it can crack the question, we could warn the admin that the question is too easy. Of course I have no idea how spam bots work, what language they are programmed in, etc, but I figured I'd toss this out there.

stevemaury
Support Team
Support Team
Posts: 40
Joined: Sat Aug 30, 2008 12:44 am

Re: [RFC] Q&A plugin by default

Post by stevemaury »

I think the way to handle question difficulty is to give a couple of examples, making it clear that the examples should not actually be used.

Like this:
BAD

What is 2 + 2

What color is the sky?

Who is President of the USA?

_________________________________-

GOOD

Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x

Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board

Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?

Q: Click this link and type the name of the animal in the picture.

Marshalrusty
Project Manager
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

Re: [RFC] Q&A plugin by default

Post by Marshalrusty »

Oleg wrote:I think a nag in acp index would be sufficient.
In the short term, I tend to agree with Oleg.

The best solution would be a refactor of the installer to add optional pages (with a "Skip" option) to the end. This would also make it possible to change some of the currently required fields to optional. Without significantly refactoring the installer, however, the simple solution is to display a nag on the ACP index telling administrators that their forum is currently susceptible to spam. Something this simple could even be done in the 3.0 line, I think.

I also recently created an anchor to information on spam (which may eventually turn into a dedicated page): http://www.phpbb.com/support/spam/

Marshalrusty
Project Manager
Project Manager
Posts: 273
Joined: Thu Oct 27, 2005 1:45 am

Re: [RFC] Q&A plugin by default

Post by Marshalrusty »

stevemaury wrote:GOOD

Q: Type the (first, last, middle) three (or 4 or 5) characters of the following string: )kT53@x

Q: Type the (first, last, middle) three (or 4 or 5) characters in the name of this Board

Q: What are the (first, last, middle) 3 characters in the fifth word of the message in smaller type just below this question?
It should be noted that:
"Type the last three characters of the following segment: fy7g3yd"
is equivalently difficult for a bot to do as:
"Type '3yd' into the box"

Unless a large portion of phpBB administrators use the exact syntax, bots will be unable to figure out what is being asked. On the other hand, if we make this a default recommendation, someone will write a bot to target these kinds of questions, looking specifically for keywords like "one, two, three, four" and "first, last, middle", which, even with a 25% success rate, will result in a breach.

If these kinds of sample questions are offered, they should be generic enough that people don't use them as-is or with minor variations, else we'll end up with the problem above.
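
An added example (not part of the post above and not phpBB code): an admin-side review of a Q&A entry, combining the installer validation imkingdavid lists with the answer-in-question case from the post above. All function and constant names are hypothetical, and the two-digit threshold is an assumed heuristic.

```php
<?php
// Added example, not phpBB code; all names are hypothetical.
// Sample questions the thread lists as BAD, normalised for comparison.
const KNOWN_WEAK_QUESTIONS = [
    'what is 2 + 2',
    'what color is the sky',
    'who is president of the usa',
];

function normalise(string $text): string
{
    // Lower-case, collapse whitespace, drop trailing punctuation.
    $text = preg_replace('/\s+/', ' ', strtolower(trim($text)));
    return rtrim($text, ' ?.!');
}

// Returns ['errors' => [...], 'warnings' => [...]] for one question/answer pair.
// Both fields empty means the admin skipped Q&A: allowed, but worth a nag.
function review_qa_entry(string $question, string $answer): array
{
    $result = ['errors' => [], 'warnings' => []];
    $q = normalise($question);
    $a = normalise($answer);
    if ($q === '' && $a === '') {
        $result['warnings'][] = 'No question set: Q&A anti-spam stays disabled.';
        return $result;
    }
    if ($q === '' || $a === '') {
        $result['errors'][] = ($q === '') ? 'Question is missing.' : 'Answer is missing.';
        return $result;
    }
    if (in_array($q, KNOWN_WEAK_QUESTIONS, true)) {
        $result['warnings'][] = 'Question is a published sample; write your own.';
    }
    // The "Type '3yd' into the box" case: the answer is printed in the question.
    if (strpos($q, $a) !== false) {
        $result['warnings'][] = 'Answer appears verbatim in the question text.';
    }
    // Assumed heuristic: a one- or two-digit answer has a very small guess space.
    if (ctype_digit($a) && strlen($a) <= 2) {
        $result['warnings'][] = 'Answer is a short number; easy to guess.';
    }
    return $result;
}

// Constructed sample input.
print_r(review_qa_entry('Type the last three characters of the following segment: fy7g3yd', '3yd'));
print_r(review_qa_entry('What is 2 + 2', '4'));
print_r(review_qa_entry('Name the street our clubhouse is on', ''));
```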

Vinny
Style Customisations
Style Customisations
Posts: 129
Joined: Thu May 20, 2010 4:01 am
Location: Brazil
Contact:

Re: [RFC] Q&A plugin by default

Post by Vinny »

Maybe this is a crazy idea, but Q&A should parse BBcode (only [ b], [ i], [ u] and [color]) to create more complex questions. Examples:
The sky is blue, but this text is ...?
------------------------
In the sentence: "Choose what is right, not what is easy." What words are bold?
