Suspecting RC1 very soon!

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Locked
DocBoum
Posts: 29
Joined: Thu Jul 20, 2006 10:43 am

Re: Suspecting RC1 very soon!

Post by DocBoum »

IMHO we have to be careful with the assumption that a mod which works perfectly on single installations will also work if it ships with phpBB3! Firstly, all the blackhats will also have that "mod" in that case. Secondly, they will pump all their efforts to circumvent that new way of preventing bots from registering in order to sell their crap. I agree that the question/answer solution sounds great at the moment - but I am afraid that after a few weeks, the first registration bots will come with huge dictionaries of question/answer pairs. Not to mention that if there's any default set of questions, it will be best to leave it off altogether, because that will be no obstacle for the bots if it ships with phpBB. Just my 2ct...
billabong13138
Registered User
Posts: 3
Joined: Thu May 03, 2007 10:28 pm

Re: Suspecting RC1 very soon!

Post by billabong13138 »

Suspecting RC1 very soon!
by profpete on Sat Jan 06, 2007 2:42 pm


yeah, very soon (Since it's May). :mrgreen:
asinshesq
Registered User
Posts: 156
Joined: Fri May 14, 2004 10:32 pm
Location: NYC

Re: Suspecting RC1 very soon!

Post by asinshesq »

Kevin Clark wrote: The beauty of a question/answer is that it can be completely configurable through the admin panel

What is 3+2?
Which one of these is a colour? House, blue, car, hat


What is your favorite color? Red, no blue aaaaaaahhhhhh.

What is the average flying velocity of a sparrow?
European or african?
I don't know....aaaaaahhhhhh
Alan
Kevin Clark
Support Team
Posts: 751
Joined: Thu Feb 10, 2005 5:34 pm
Location: UK

Re: Suspecting RC1 very soon!

Post by Kevin Clark »

DocBoum wrote: IMHO we have to be careful with the assumption that a mod which works perfectly on single installations will also work if it ships with phpBB3! Firstly, all the blackhats will also have that "mod" in that case. Secondly, they will pump all their efforts to circumvent that new way of preventing bots from registering in order to sell their crap. I agree that the question/answer solution sounds great at the moment - but I am afraid that after a few weeks, the first registration bots will come with huge dictionaries of question/answer pairs. Not to mention that if there's any default set of questions, it will be best to leave it off altogether, because that will be no obstacle for the bots if it ships with phpBB. Just my 2ct...

But, it doesn't have to be a real word, which kills the dictionary hunters and also, I think, isn't there a registration flood protection to stop multiple attempts in a short period? If so, that would also severely restrict the use of dictionary searches.

I agree nothing is ever foolproof but if the ability is there to change the wording, either in the registration setting or in the now easily accessible language entries, the default can easily be changed by the end user. If the bots don't know the exact wording of the question, that will take some time to beat.

Also I guess one way you could use the custom registration options is to get people to match a code to a set of 4 or 5 you can add to a drop box. Problem is the bots tend to try them all until they strike it lucky.
code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: Suspecting RC1 very soon!

Post by code reader »

DocBoum wrote: IMHO we have to be careful with the assumption that a mod which works perfectly on single installations will also work if it ships with phpBB3! Firstly, all the blackhats will also have that "mod" in that case. Secondly, they will pump all their efforts to circumvent that new way of preventing bots from registering in order to sell their crap. I agree that the question/answer solution sounds great at the moment - but I am afraid that after a few weeks, the first registration bots will come with huge dictionaries of question/answer pairs. Not to mention that if there's any default set of questions, it will be best to leave it off altogether, because that will be no obstacle for the bots if it ships with phpBB. Just my 2ct...

the beauty of this mode of operation is that every board operator will prepare a different set of questions and answers.
of course you are right in that shipping the thing with a default set of questions/answers is self defeating, and i can't imagine anyone doing that.
what i suggested was half a step forward: have the board owner supply a set of questions/answers, and at the first suspected bot registration scrap the question/answer that was used, and switch to the next.
in addition, if your board is dedicated to a specific area of interest or specific community, you can choose questions which will be trivial for your potential users but quite difficult even for a person outside this area: say, in a fan board dedicated to a specific singer or actor you will ask for some well known piece of trivia regarding this person, or in a geeks' board ask "which of the following is not a computer language" or "which letter denotes a gigabyte" etc.
for these specific boards, which comprise a very large portion of all bbs, this may even help keep out some human spammers, although you can't expect to block them completely...

i agree that it's conceivable that some clever bot-designer/cracker will find a way around this method also.
the problem is that the current captcha has already run its course, and something else is needed: the computer algorithms can decipher patterns which are quite difficult even for humans. if made any more complex, many people will be unable to register.
even if we'll find some clever distortion that defeats current bots, experience and common sense teach us that the bots will overcome this hurdle relatively quickly.
you are probably right that if/when bot designers will crack the question/answer thing, someone will have to come up with something better, but either way, i don't think the correct answer at this point in time is: "we need a better captcha".
Last edited by code reader on Fri May 04, 2007 8:31 pm, edited 1 time in total.
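
The rotation code reader proposes, combined with the registration flood protection Kevin Clark mentions, as an added Python sketch. It is not phpBB code or anything posted in this thread; the class name, the sample pairs, the attempt limit and the time window are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample pairs; a real board would use its own wording.
SAMPLE_PAIRS = [("Which letter denotes a gigabyte?", "G"), ("What is 3+2?", "5")]


class RotatingChallenge:
    """Hypothetical board-specific Q/A pool: retire on abuse, limit guessing."""

    def __init__(self, qa_pairs, max_attempts=3, window=600):
        self.pool = deque(qa_pairs)         # active pair sits at the front
        self.retired = []                   # pairs burned by a suspected bot
        self.max_attempts = max_attempts    # failures allowed per window
        self.window = window                # seconds
        self.failures = defaultdict(deque)  # client IP -> failure timestamps

    def question(self):
        if not self.pool:
            raise RuntimeError("pool exhausted: admin must add new pairs")
        return self.pool[0][0]

    def _throttled(self, ip, now):
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        return len(recent) >= self.max_attempts

    def check(self, ip, answer, now=None):
        now = time.time() if now is None else now
        if not self.pool:
            return "closed"                 # fail closed rather than skip the check
        if self._throttled(ip, now):
            return "throttled"              # decided before the answer is examined
        expected = self.pool[0][1].casefold().encode()
        if hmac.compare_digest(answer.strip().casefold().encode(), expected):
            return "ok"
        self.failures[ip].append(now)
        return "wrong"

    def report_bot(self):
        """Admin flagged a signup as a bot: scrap the active pair, use the next."""
        self.retired.append(self.pool.popleft())
        return self.pool[0][0] if self.pool else None
```

Because the throttle is evaluated before the answer, a client that has used up its attempts learns nothing from further guesses until the window expires.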
NeilUK
Registered User
Posts: 88
Joined: Mon May 01, 2006 7:55 pm

Re: Suspecting RC1 very soon!

Post by NeilUK »

Why does it have to be a question? I use a code in most of my forums.
They can have a database of all the questions and answers they want, but if it's a nine-digit code, how can they have a database of answers for that?

Eg. A Code of - 129423A223A Just for instance would be very hard for a bot to crack I would say, much harder than what is the capital of wherever!
"Life Is What Happens To You When You Are Busy Making Other Plans" - John Lennon
ImTheMan
Registered User
Posts: 15
Joined: Thu Jul 14, 2005 12:50 pm

Re: Suspecting RC1 very soon!

Post by ImTheMan »

and how will new visitors to the forum who want to register get that code?
ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am

Re: Suspecting RC1 very soon!

Post by ChrisRLG »

various ways.

One I have seen is the 'code' is the domain name as displayed on the main index page - others have it displayed in other places.

So long as a URL to the code is available it does not matter.
CoS
Registered User
Posts: 9
Joined: Wed Mar 29, 2006 11:05 am

Re: Suspecting RC1 very soon!

Post by CoS »

I like the question/answer system too. Each site would have its own questions, in its own language, so I think that spambots could not find a way to break the system for every phpbb3 forum available worldwide (a thing that could happen with a captcha system). I really like the idea, even if the answer is logical or if it's like the vip code mod (where you have to search the answer in one page of the forum).

Thinking a bit about it, you would need to create different sets of questions in different languages if you have a multilanguage forum...

A captcha system will be fine until it's cracked. Then, an update with another captcha system will be needed. And when this new system is cracked, we'll need another one more complex. Maybe so complex that humans can't understand it.
MasterZ
Registered User
Posts: 28
Joined: Sat Jan 29, 2005 8:23 pm

Re: Suspecting RC1 very soon!

Post by MasterZ »

asinshesq wrote:
Kevin Clark wrote: The beauty of a question/answer is that it can be completely configurable through the admin panel

What is 3+2?
Which one of these is a colour? House, blue, car, hat


What is your favorite color? Red, no blue aaaaaaahhhhhh.

What is the average flying velocity of a sparrow?
European or african?
I don't know....aaaaaahhhhhh


:roll: no it's "What is your favorite color? Blue... no yeloooooowww" come on man get it right :) (i love that movie)

I hate spam bots (as I'm sure most of you do too)... it doesn't even accomplish anything except annoying people and making people spend their precious time trying to block them. Maybe we should just somehow associate a finger-print scanner with phpBB... then to join you must present your finger-print....

okay it's dumb, but someone needs to start thinking outside the box on these types of things.