Thread Rating:
  • 17 Vote(s) - 3.94 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[For 1.6] Registration Security Question v1.2 (Updated: 07/27/2011)
#31
(02-20-2011, 06:59 PM)Alex Smith Wrote: G33K first of great plugin Wink. Just to let you know though with MySQL 5.5 an error gets thrown at people when they try to activate it. Mainly due to MyISAM not being the default table type anymore. However it's easy to correct.

In /inc/plugin/regsecureq.php you just need to change line 73 from
PHP Code:
                Type=MyISAM;"); 

To
PHP Code:
                ENGINE=MyISAM;"); 

Yes I am aware of this and have fixed it in my internal repositories and will release it soon.
FYI, its not because MyISAM is not the default table but its because starting from MySQL 5.5 "TYPE" has been dropped so "ENGINE" has to be used.
Reply
#32
Although I don't really care, I should point out that using static links between questions and answers isn't exactly good design.
The correct way is to use a dynamic link, similar to MyBB's captcha system.
See this thread for more info: http://mybbhacks.zingaburga.com/showthread.php?tid=627
Reply
#33
This user has been denied support. This user has been denied support.
Yes, but funnily enough, I haven't had a single spammer register since I installed this plugin. So it seems the spambots are only looking at the captcha - for the time being anyway.

The captcha itself is definitely cracked, so it's entirely useless by now - MyBB's current code not only is a weak captcha but also allows multiple tries in solving it, and generates multiple images for the same solution, that alone gives OCR attempts a huge leg up...

I started working on an alternative captcha plugin some time back, but as long as something as simple as this works, I'll stick to the simple solution. The time I can spend on coding new crap is limited... Wink
Reply
#34
(02-24-2011, 10:27 AM)Yumi Wrote: Although I don't really care, I should point out that using static links between questions and answers isn't exactly good design.
The correct way is to use a dynamic link, similar to MyBB's captcha system.
See this thread for more info: http://mybbhacks.zingaburga.com/showthread.php?tid=627

Clearly any kind of question/answer strategy stands no chance against any bot that is specifically targeting a site.

During the designing of this I did consider having it load the question using a random key associated to the question id just like the captcha is loaded but then at the end of the day with all the extra overhead of maintaining the random keys the bots will still be able to crack that. All the bot would have to do is take one question/answer and keep loading the registration page until it comes to the question/answer its coded for then go ahead and register.
Believe it or not I even went as far as to try and generate the question as an image, in addition to the random key so that the bot wouldn't know what question is loaded but if they cracked captcha, straight text in an image would be a piece of cake for them to crack.

The only protection such a system provides is against the standard bots that have not been customized to any one site and can only be effective if the questions are changed often.
Reply
#35
This user has been denied support. This user has been denied support.
yes g33k. no security plugin can stand against the spammers. here or then, they will find the way to get access.

i had a few suggestions that can stop spammers in efficient way. why cant we make something like "displaying three to four images and ask the user to select the correct pic which is connected to the submit / verify option internally. we can do this, but there is draw back in this also, as spammer can write the code to select the random pic until the question coincides with the random pic."

another solution is, as mybb uses prototype and drag'drop feature in acp, we should implement something similar at registration and login page.
display 3-4 random pics and ask the user to drag drop the required pic on to the submit button or similar image verification option. so that no spammer can break this with programming until he is a human spammer.
MyPlugins:1-2-3-4-5
MyTutorials:AddBots
Reply
#36
(02-24-2011, 11:12 AM)frostschutz Wrote: Yes, but funnily enough, I haven't had a single spammer register since I installed this plugin. So it seems the spambots are only looking at the captcha - for the time being anyway.
In other words, just making your registration process unique, so automated attempts won't detect this uniqueness. See below.

(02-24-2011, 11:12 AM)frostschutz Wrote: I started working on an alternative captcha plugin some time back, but as long as something as simple as this works, I'll stick to the simple solution. The time I can spend on coding new crap is limited... Wink
reCAPTCHA might be a solution.
But all my spam seems to originate from India or similar, and it appears that it's done by humans (unless the bots replicate human behaviour fairly well).

(02-24-2011, 11:38 AM)- G33K - Wrote: During the designing of this I did consider having it load the question using a random key associated to the question id just like the captcha is loaded but then at the end of the day with all the extra overhead of maintaining the random keys the bots will still be able to crack that. All the bot would have to do is take one question/answer and keep loading the registration page until it comes to the question/answer its coded for then go ahead and register.

The only protection such a system provides is against the standard bots that have not been customized to any one site and can only be effective if the questions are changed often.
Lolwot?
If the sole addition to security is the uniqueness factor, then having multiple questions is pointless. If you're arguing that dynamic linking is too much additional load (and the fact that it actually makes it more difficult for a bot to use, which your plugin is trying to protect against), then surely having multiple questions is adding a fair amount of load and not increasing protection against bots at all. In other words, WTF?

The idea of multiple questions is that it increases the complexity of bots required to defeat the system. Your implementation does not do this. If you're going to use multiple questions, then implement it correctly.

If anything, using multiple questions without dynamic linking actually makes it easier for bots to bypass, at it provides bots with a larger pool of questions from which they only require one answer to.

Changing the question regularly is mostly pointless, again, unless the spammer is targeting the website.

It's not like the system cannot be bypassed in general by an automated bot either, though this may depend on the creativity of the questions.
Taking some examples from frostschutz' forum's registration page:

Wie heißt der höchste Berg von Japan?
Google Translate: What is the highest mountain in Japan?
http://www.wolframalpha.com/input/?i=Wha...n+Japan%3F

Um welches Land geht es hier?
Google Translate: Which country are we talking about?
cannot be answered by this method

^ Only seems to be 2 questions from the quick tries I did.

(02-24-2011, 01:28 PM)TheGodFather Wrote: i had a few suggestions that can stop spammers in efficient way. why cant we make something like "displaying three to four images and ask the user to select the correct pic which is connected to the submit / verify option internally. we can do this, but there is draw back in this also, as spammer can write the code to select the random pic until the question coincides with the random pic."

another solution is, as mybb uses prototype and drag'drop feature in acp, we should implement something similar at registration and login page.
display 3-4 random pics and ask the user to drag drop the required pic on to the submit button or similar image verification option. so that no spammer can break this with programming until he is a human spammer.
Uh, no. But there are solutions like this, but they're all breakable anyway, but I'd say more effective than a question.
Reply
#37
(02-24-2011, 10:59 PM)Yumi Wrote:
(02-24-2011, 11:38 AM)- G33K - Wrote: During the designing of this I did consider having it load the question using a random key associated to the question id just like the captcha is loaded but then at the end of the day with all the extra overhead of maintaining the random keys the bots will still be able to crack that. All the bot would have to do is take one question/answer and keep loading the registration page until it comes to the question/answer its coded for then go ahead and register.

The only protection such a system provides is against the standard bots that have not been customized to any one site and can only be effective if the questions are changed often.
Lolwot?
If the sole addition to security is the uniqueness factor, then having multiple questions is pointless. If you're arguing that dynamic linking is too much additional load (and the fact that it actually makes it more difficult for a bot to use, which your plugin is trying to protect against), then surely having multiple questions is adding a fair amount of load and not increasing protection against bots at all. In other words, WTF?

The idea of multiple questions is that it increases the complexity of bots required to defeat the system. Your implementation does not do this. If you're going to use multiple questions, then implement it correctly.

If anything, using multiple questions without dynamic linking actually makes it easier for bots to bypass, at it provides bots with a larger pool of questions from which they only require one answer to.

Changing the question regularly is mostly pointless, again, unless the spammer is targeting the website.

It's not like the system cannot be bypassed in general by an automated bot either, though this may depend on the creativity of the questions.
Taking some examples from frostschutz' forum's registration page:

Wie heißt der höchste Berg von Japan?
Google Translate: What is the highest mountain in Japan?
http://www.wolframalpha.com/input/?i=Wha...n+Japan%3F

Um welches Land geht es hier?
Google Translate: Which country are we talking about?
cannot be answered by this method

^ Only seems to be 2 questions from the quick tries I did.

I didn't go the dynamic route not because of too much load, I decided against it because even after the addition of dynamic ids the questions will still be crackable for a bot that is customized to the site. Bots that are not customized to a particular site will not go through even without dynamic linking so when the end result is going to be the same why not keep it simple?

As far as the multiple questions go, its more of a user convenince than a protection against bots which is why I included the ajax call to change the question. If the user does not know the answer to the question, they can choose another.

Also changing the question often will invalidate the bots that are customized for a particular site causing them to have to reprogram for the new question.

(02-24-2011, 01:28 PM)TheGodFather Wrote: yes g33k. no security plugin can stand against the spammers. here or then, they will find the way to get access.

i had a few suggestions that can stop spammers in efficient way. why cant we make something like "displaying three to four images and ask the user to select the correct pic which is connected to the submit / verify option internally. we can do this, but there is draw back in this also, as spammer can write the code to select the random pic until the question coincides with the random pic."

another solution is, as mybb uses prototype and drag'drop feature in acp, we should implement something similar at registration and login page.
display 3-4 random pics and ask the user to drag drop the required pic on to the submit button or similar image verification option. so that no spammer can break this with programming until he is a human spammer.

While better than a question/answer they would still be crackable
Reply
#38
This user has been denied support. This user has been denied support.
reCaptcha: While the interface can be translated, the captcha itself is usually English, and that alone can be a barrier for non-english speaking forums, and sometimes it asks for very odd words... I was hoping to use something simpler, and so far this question plugin works for the intended purpose. I'm aware of its weaknesses (was aware of them from the start), but even so. Smile

Dynamic route: in my own (unfinished) Captcha plugin I simply hooked into MyBB's captcha. So instead of generating my own dynamics I simply use the random captcha string generated and stored by MyBB, for my own means and purposes. So as long as you don't want to show a question where there is no MyBB captcha, you can just use what MyBB already provides to you for free.

But it's not really worth the effort; when a bot goes so far to send a specific answer to a question, they can also cope with specific questions... sure you could add 1000 different ones to make it harder then but, who's really going to do that.
Reply
#39
Many have been complaining now that reCaptcha can hardly be read these days "by legitimate users wanting to register". I agree with that, they seem to have changed things with it after getting cracked, it's very hard indeed to read what the letters actually say displayed by reCaptcha now, making it fairly useless and no longer a good option for using if it's only going to hamper new registrations because other people are the same way, they can make-out what it reads half the time.
Reply
#40
(02-24-2011, 11:32 PM)- G33K - Wrote: I didn't go the dynamic route not because of too much load, I decided against it because even after the addition of dynamic ids the questions will still be crackable for a bot that is customized to the site. Bots that are not customized to a particular site will not go through even without dynamic linking so when the end result is going to be the same why not keep it simple?
The idea is to make it as difficult for a bot to be customised for a site, as well as reduce the effectiveness of bots (ie require multiple tries).
As you've said, no system is uncrackable, so really, the only thing you can do is make it as difficult as possible to bots, which your system isn't really doing.

(02-24-2011, 11:32 PM)- G33K - Wrote: As far as the multiple questions go, its more of a user convenince than a protection against bots which is why I included the ajax call to change the question. If the user does not know the answer to the question, they can choose another.
I find it amusing that you think you can make it a user convenience over something that is entirely controlled by the forum administrator. One would assume that the forum administrator should be able to pick an appropriate question/answer which all the users they care about should be able to answer.
But oh well, let's take your assumption on board. Your plugin design is still questionable. Why are the questions randomised? If it's for user convenience, surely it would make more sense to allow the admin to select an order in which questions are displayed? The admin can choose a question they think most users will be able to answer, and order it first, then when the user chooses to try a different one, your AJAX script will select the next one. Surely this is simpler, and also fixes up issues such as your plugin potentially selecting duplicate questions, which is anything but user friendly.

BTW, does this code even work if there's only one question?
PHP Code:
        $query $db->query("
            SELECT q.*
            FROM "
.TABLE_PREFIX.$prefix."questions q
            WHERE q.qid != 
{$regq_id}
            ORDER BY RAND()
            LIMIT 1
        "
);
        
$q $db->fetch_array($query);
        
$regsecureq_id $q['qid'];
        
$regsecureq $q['question']; 

(02-24-2011, 11:32 PM)- G33K - Wrote: Also changing the question often will invalidate the bots that are customized for a particular site causing them to have to reprogram for the new question.
No reprogramming necessary, the only thing that needs to be done is to add in a new question/answer combo. But if the bot has already been targeting your website, I don't think it would take much for the person running the bot to do this.

(02-25-2011, 12:27 PM)frostschutz Wrote: reCaptcha: While the interface can be translated, the captcha itself is usually English, and that alone can be a barrier for non-english speaking forums, and sometimes it asks for very odd words... I was hoping to use something simpler, and so far this question plugin works for the intended purpose. I'm aware of its weaknesses (was aware of them from the start), but even so. Smile
Fair point, though for non-English readers, it would just be random characters like the MyBB captcha.
Still, one point which makes reCAPTCHA a bit easier to read is the fact that it uses words.


I find reCAPTCHA readable enough, but maybe others don't think so.
Still, I'm not recommending the system per-se, rather, it might be more effective to use a more complex system maintained externally.

Anyway, I'm wasting my time over something I don't even care about...
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)