MyBB CAPTCHA Pack - Various alternative CAPTCHAs
#11
Thanks again for all your advice and guidance. Smile I've followed all your suggestions, I hope, except for the capitalization of SQL statement keywords (really, I can't stand all caps) and the CAPTCHA clean up interval (will talk about that later).

By the way, this is the code I use for task insertion, removal, enabling, and disabling right now. I tried to make the functions as general as possible.

function captchapack_install() {
  // ...

  captchapack_task_add(array(
    "title"       => 'CAPTCHA Pack Cleanup',
    "description" => 'Clean up old CAPTCHA entries.',
    "file"        => 'captchapack',
    "minute"      => '0',
  ));

  // ...
}

// ...

function captchapack_uninstall() {
  // ...
  captchapack_task_drop('captchapack', 'CAPTCHA Pack Cleanup');
}
// ...

function captchapack_activate() {
  // ...
  captchapack_task_enable('captchapack');
  // ...

}

// ...
/**
 * Add a task.
 *
 * Code stolen from MyBB itself.
 */
function captchapack_task_add($task) {
  require_once MYBB_ROOT . 'inc/functions_task.php';

  global $db, $cache;

  // Merge default values
  $task_def = array(
    'title'       => '',
    'description' => '',
    'file'        => '',
    'minute'      => '*',
    'hour'        => '*',
    'day'         => '*',
    'month'       => '*',
    'weekday'     => '*',
    'enabled'     => 0,
    'logging'     => 1,
  );
  $task = array_merge($task_def, $task);

  if (!$task['file'] || !$task['title'])
    return false;

  // If there's a task with the same title or filename, drop it
  captchapack_task_drop($task['file'], $task['title']);

  // Escape all the things in the task
  $task = array(
    'title'       => $db->escape_string($task['title']),
    'description' => $db->escape_string($task['description']),
    'file'        => $db->escape_string($task['file']),
    'minute'      => $db->escape_string($task['minute']),
    'hour'        => $db->escape_string($task['hour']),
    'day'         => $db->escape_string($task['day']),
    'month'       => $db->escape_string($task['month']),
    'weekday'     => $db->escape_string($task['weekday']),
    'enabled'     => (int) $task['enabled'],
    'logging'     => (int) $task['logging'],
  );

  // Fill nextrun
  $task['nextrun'] = fetch_next_run($task);

  // Insert, and update cache
  $db->insert_query("tasks", $task);
  $cache->update_tasks();

  return true;
}

/**
 * Drop a task.
 *
 * Code stolen from MyBB itself.
 */
function captchapack_task_drop($file, $title) {
  global $db, $cache;

  $file = $db->escape_string($file);
  $title = $db->escape_string($title);

  $db->delete_query('tasks', "file = '$file' or title = '$title'");

  $cache->update_tasks();
}

/**
 * Enable a task.
 *
 * Code stolen from MyBB itself.
 */
function captchapack_task_enable($file) {
  global $db;

  $file = $db->escape_string($file);
  $db->update_query('tasks', array('enabled' => 1), "file = '$file'");
}

/**
 * Disable a task.
 *
 * Code stolen from MyBB itself.
 */
function captchapack_task_disable($file) {
  global $db;

  $file = $db->escape_string($file);
  $db->update_query('tasks', array('enabled' => 0), "file = '$file'");
}

@frostschutz:

(2012-12-09, 03:42 PM)frostschutz Wrote: While on the topic of tasks, I'd allow more than just one hour of time. People leave their tabs open and forget about them, so... you could make it a setting Wink

Honestly, my original plan is to let a CAPTCHA expire in 15 minutes. My plugin tries to be as strict as possible. (For example, the IP that requests the CAPTCHA must be identical to the one which answers it.) If one leaves the page open for more than an hour, I believe he should refresh it. Smile

@euantor:

Thanks for your detailed guide on the translation part. Smile

(2012-12-09, 03:50 PM)euantor Wrote: You are correct. The wiki needs some major work done on it. I'll likely modify the plugin page when I get time.

Awesome! Smile
Reply
#12
(2012-12-10, 12:18 PM)RichardGv Wrote: Honestly, my original plan is to let a CAPTCHA expire in 15 minutes. My plugin tries to be as strict as possible. (For example, the IP that requests the CAPTCHA must be identical to the one which answers it.)

You have to keep in mind that for humans, captcha is a nuisance - when you add restrictions you have to consider whether those restrictions will actually stop bots, or whether it'll just annoy humans more.

The main weakness of the stock MyBB captcha is that it allows an infinite number of tries for a given solution. You can even reload the captcha image and it will generate a new one with the same solution for you. So a bot with lousy OCR can work with multiple input images, and just keep guessing the solution until it hits on the correct one. I don't know if any spambots do this, but it's what I'd go for, if I wanted to break MyBB's captcha.

For a strict captcha, you'd have to generate a new one, change the solution, every time the user makes a wrong guess. The time limit is not really that important - a spam bot won't care if it's 15 minutes, an hour, or just thirty seconds. Bots are fast enough either way (unless you force them to be slow, by refusing registration forms that were filled in less than 10 seconds or something). Same for the IP restriction - a spam bot will have no problem using just one IP. Restricting IP will primarily hurt humans who are in a company/university network situation where outgoing IP may change out of their control.

Just my opinion, you don't have to share it Wink everyone has different ideas about what a captcha should be like, I guess.
Reply
#13
@frostschutz:

Huh, excuse me, do you have a plan to add task-related operations to PluginLibrary, so?

(2012-12-10, 12:40 PM)frostschutz Wrote: You have to keep in mind that for humans, captcha is a nuisance - when you add restrictions you have to consider whether those restrictions will actually stop bots, or whether it'll just annoy humans more.

The main weakness of the stock MyBB captcha is that it allows an infinite number of tries for a given solution. You can even reload the captcha image and it will generate a new one with the same solution for you. So a bot with lousy OCR can work with multiple input images, and just keep guessing the solution until it hits on the correct one. I don't know if any spambots do this, but it's what I'd go for, if I wanted to break MyBB's captcha.

For a strict captcha, you'd have to generate a new one, change the solution, every time the user makes a wrong guess...

Thanks for your comments. Yeah, for most things you mentioned, I can't agree more.

The true mystery is why reCAPTCHA is failing, too... They could break it just by playing with odds?

I once wrote a Python script that uses tesseract -- known as one of the best open-source OCR engines, I guess -- to try to break two-digit pure numeric CAPTCHAs of a website. The images they give are slightly small, and the numbers are slightly rotated (at most 30'). To my surprise, tesseract seemingly has an accuracy of less than 30% in identifying those simple CAPTCHAs. I'm really interested in how the hell those spambots break more puzzling CAPTCHAs.

My plugin destroys all records of CAPTCHA with the same hash once it receives an answer with the hash, regardless of whether it's right or wrong, so mostly my CAPTCHA does not have the very problem you described. (However, this poses a high risk of collision if the CAPTCHA pool is small -- the unrelated word CAPTCHA in the plugin has a very small pool right now -- and the number of simultaneous registration attempts is large.)

And after all, all my CAPTCHAs don't use images, and those plain text CAPTCHAs are unreliable in nature. Give me 3 hours and I could write a script to break all those CAPTCHAs I implemented. Confused As I said in the README, the CAPTCHAs are secure as far as their usages are so limited that nobody bothers to break them.

(2012-12-10, 12:40 PM)frostschutz Wrote: ...The time limit is not really that important - a spam bot won't care if it's 15 minutes, an hour, or just thirty seconds. Bots are fast enough either way (unless you force them to be slow, by refusing registration forms that were filled in less than 10 seconds or something). Same for the IP restriction - a spam bot will have no problem using just one IP. Restricting IP will primarily hurt humans who are in a company/university network situation where outgoing IP may change out of their control.

Yeah, I know all those don't help much. My philosophy is to insert whatever checks possible if I don't see it causing great troubles for users, just in case they stop a very small number of spambots. Smile And I don't think frequent IP changes are really common, especially for large NAT networks -- correct me if I'm wrong -- since an IP change could break all existing incoming/outgoing connections.

(2012-12-10, 12:40 PM)frostschutz Wrote: ... unless you force them to be slow, by refusing registration forms that were filled in less than 10 seconds or something..

Good idea. Smile
Reply
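
The one-attempt-per-challenge behaviour discussed in posts #12 and #13, together with the expiry, IP and minimum-fill-time checks, as an added sketch that is not the plugin's code. The class, its method names and the in-memory array are hypothetical stand-ins for the plugin's database table, and it uses a random per-challenge token (an assumption; the plugin's own hash scheme is not shown in the thread), so two visitors never share a record.

```php
<?php
// Added example (PHP 8+): in-memory stand-in for the plugin's CAPTCHA table.
final class OneShotCaptchaStore
{
    private array $rows = [];   // token => [answer, ip, issued]

    public function __construct(
        private int $ttl = 900,     // 15 minutes, the expiry the author planned
        private int $minFill = 10   // refuse forms answered in under 10 seconds
    ) {}

    /** Issue a challenge and return the opaque token embedded in the form. */
    public function issue(string $answer, string $ip, int $now): string
    {
        $token = bin2hex(random_bytes(16));   // unique per challenge, not per answer
        $this->rows[$token] = ['answer' => $answer, 'ip' => $ip, 'issued' => $now];
        return $token;
    }

    /** Check one answer; the record is destroyed whether it is right or wrong. */
    public function verify(string $token, string $given, string $ip, int $now): string
    {
        $row = $this->rows[$token] ?? null;
        unset($this->rows[$token]);           // a second guess needs a new challenge
        if ($row === null) return 'unknown-or-used';
        $age = $now - $row['issued'];
        if ($age > $this->ttl) return 'expired';
        if ($age < $this->minFill) return 'too-fast';
        if ($row['ip'] !== $ip) return 'ip-mismatch';
        return hash_equals($row['answer'], $given) ? 'ok' : 'wrong';
    }

    /** What a cleanup task would do: drop challenges older than the TTL. */
    public function cleanup(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn($r) => $now - $r['issued'] <= $this->ttl);
        return $before - count($this->rows);
    }
}

// Constructed demo with a fixed clock and documentation-range IP addresses.
$store = new OneShotCaptchaStore();
$t0 = 1355140800;
$h = $store->issue('42', '192.0.2.10', $t0);
echo $store->verify($h, '17', '192.0.2.10', $t0 + 20), "\n";   // a wrong guess consumes the record
echo $store->verify($h, '42', '192.0.2.10', $t0 + 25), "\n";   // right answer, record already gone
$h2 = $store->issue('42', '192.0.2.10', $t0);
echo $store->verify($h2, '42', '192.0.2.10', $t0 + 3), "\n";   // answered three seconds after issue
```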
#14
(2012-12-10, 01:34 PM)RichardGv Wrote: do you have a plan to add task-related operations to PluginLibrary, so?

I don't know. I'll have to take a closer look at the task system first. I probably won't get around to it this year.

I put it on the idea list for now so I won't forget about it: https://github.com/frostschutz/PluginLibrary/issues/6
Reply
#15
@frostschutz: I might submit a pull request for it again if I get time this week.
Reply
#16
Huh, I plan to submit the plugin to mods.mybb.com. Just have a few questions regarding submission:
  1. Is it acceptable to name the plugin version git-20121219, 0_pre20121219, or something similar, as I'm pretty uncertain about the quality of my plugin?
  2. It's fine to include translations in the plugin pack, right?
  3. It's mentioned in the sticky thread of the "Plugin & Modifications - Releases" forum that I may "request" my thread to be moved into the forum. But how? Should I post a request in "MyBB.com Community & Site Issues", or "Private Inquiries", or somewhere else?
Reply
#17
1) When checking for plugin updates, MyBB uses http://php.net/manual/en/function.version-compare.php - so you should use a version number scheme which version_compare() recognizes properly, otherwise the plugin update code will not work right. Other than that you can put whatever you like as version number.

2) You can choose whether to allow people to submit their own language packs for your plugin on the mods site.

3) Either way is fine I guess. You could probably even use the report post feature.
Reply
#18
(2012-12-19, 01:49 PM)frostschutz Wrote: 1) When checking for plugin updates, MyBB uses http://php.net/manual/en/function.version-compare.php - so you should use a version number scheme which version_compare() recognizes properly, otherwise the plugin update code will not work right. Other than that you can put whatever you like as version number.

2) You can choose whether to allow people to submit their own language packs for your plugin on the mods site.

3) Either way is fine I guess. You could probably even use the report post feature.

Thanks! Smile

But now I found an annoying thing: mods.mybb.com cropped the plugin version I entered in the form, 0.0_dev20121219 was turned into 0.0_dev20121. And mods.mybb.com is doing this silently in the backend instead of specifying maxlength on the <input>. Huh, as 0.0_dev20121 is smaller than 0.0_dev20121219 it shouldn't cause an "infinite update" issue right now, I hope? And my plan is to use 0.1 for next version when it gets stable. But really they should at least tell me the version string will get cropped before form submission!
Reply
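
A way to check a version scheme against version_compare() before submitting, including the silent cropping described in post #18, as an added example that is not MyBB's or the mods site's code. `update_offered`, `audit_release_plan` and `LISTING_MAXLEN` are hypothetical names; the 12-character limit is inferred from the cropped string quoted in the post, and the update check is modelled as a plain "listed version is newer" comparison.

```php
<?php
// Added example; the 12-character limit is inferred from the cropped string in the post.
const LISTING_MAXLEN = 12;

/** Model of an update check: an update is offered when the listed version is newer. */
function update_offered(string $installed, string $listed): bool
{
    return version_compare($installed, $listed, '<');
}

/** Walk a release plan (oldest first) and report each step that would misbehave,
 *  both as typed and as stored after the listing crops the string. */
function audit_release_plan(array $releases, int $maxLen = LISTING_MAXLEN): array
{
    $problems = [];
    foreach ($releases as $i => $version) {
        $listed = substr($version, 0, $maxLen);
        if ($listed !== $version) {
            $problems[] = "$version is stored as $listed";
        }
        // The installed copy carries the full string, the site advertises the cropped one.
        if (update_offered($version, $listed)) {
            $problems[] = "$version: update offered forever (listed $listed compares newer)";
        }
        if ($i > 0) {
            $prev = $releases[$i - 1];
            if (!version_compare($prev, $version, '<')) {
                $problems[] = "$prev does not sort below $version";
            }
            if (!update_offered($prev, $listed)) {
                $problems[] = "users on $prev are never offered $version (listed $listed)";
            }
        }
    }
    return $problems;
}

// The sequence used in the thread, then the two naming schemes asked about in post #16.
foreach ([
    ['0.0_dev20121219', '0.1'],
    ['git-20121219', '0.1'],
    ['0_pre20121219', '0.1'],
] as $plan) {
    echo implode(' -> ', $plan), "\n";
    foreach (audit_release_plan($plan) as $p) {
        echo "  ! $p\n";
    }
}
```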