digitalmars.D - Could forum.dlang.org remember how many captchas I filled out?
- cy (17/19) May 23 2016 I've filled out one of these for every post I've made here. Yet
- Joakim (4/9) May 23 2016 Hmm, I almost never get that CAPTCHA, and I don't log in to the
- cy (11/14) May 23 2016 I login here, not with them. They can't tell who I'm logged in
- jmh530 (2/3) May 23 2016 I often get a CAPTCHA when I'm using a VPN at home.
- Basile B. (5/23) May 24 2016 One thing that could be done is to disable the spam checker when
- cy (23/27) May 24 2016 Yes, that's the reason the spam checker shouldn't just be
- Basile B. (9/16) May 25 2016 Never mind it was a bad idea because a noob spammer can still
- Vladimir Panteleev (5/10) May 25 2016 Sorry about that. I'm a bit backlogged at the moment, but I could
Akismet thinks your post looks like spam. Please solve a CAPTCHA to continue.

I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;

I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice. You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)

Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.
May 23 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
> [...] I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of: [...]

Hmm, I almost never get that CAPTCHA, and I don't log in to the forum. Could be something else about your profile that Akismet flags: have you tried taking it up with them?
May 23 2016
On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
> Hmm, I almost never get that CAPTCHA, and I don't log in to the forum. Could be something else about your profile that Akismet flags: have you tried taking it up with them?

I login here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them.

Also, they're a huge, faceless corporation that heuristically targets spammers worldwide, and I don't like the idea of my activity being profiled worldwide.

They do heuristic profiling anyway. They're not supposed to be relied upon as an ultimate authority on who's a spammer. A simple counter for how many captchas solved in a given login is way more reliable than pinging them for the answer every time.
May 23 2016
On Monday, 23 May 2016 at 20:46:01 UTC, cy wrote:
> On Monday, 23 May 2016 at 18:54:47 UTC, Joakim wrote:
>> Hmm, I almost never get that CAPTCHA, and I don't log in to the forum. Could be something else about your profile that Akismet flags: have you tried taking it up with them?
>
> I login here, not with them. They can't tell who I'm logged in here as, I would assume. I can't expect them to make an exception for me if I'm not even logging in with them.

I know, I think you'd want to take up the fact that they think you're a spammer up with them though. :)

> Also, they're a huge, faceless corporation that heuristically targets spammers worldwide, and I don't like the idea of my activity being profiled worldwide.

It's run by the company behind Wordpress, which has less than 500 employees. Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much. If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you: https://panopticlick.eff.org

> They do heuristic profiling anyway. They're not supposed to be relied upon as an ultimate authority on who's a spammer. A simple counter for how many captchas solved in a given login is way more reliable than pinging them for the answer every time.

I agree that captchas, particularly the D ones used here, are better. The forum is OSS and written in D, you can submit a PR or at least file an issue: https://github.com/CyberShadow/DFeed
May 25 2016
On Wednesday, 25 May 2016 at 20:24:50 UTC, Joakim wrote:
> It's run by the company behind Wordpress, which has less than 500 employees.

Okay fine, maybe it's not Procter and Gamble. But do you want to face up against 500 people and tell them to stop doing what they want?

> Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much.

It's probably because I'm running a relay program that helps people with their privacy. I'm not an exit relay or anything, but it's a good business model for tracking companies like those guys to put pressure on people who run those programs even passively, so that they can keep me from helping others have any privacy.

> If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you:

The greatest achievement of any thief is to convince you it's pointless to try and stop them from stealing. Because then you try to convince others, and in doing so you help weaken the people trying to help you, and your own attackers gain more support. So uh, don't ever tell anyone there's no point in trying to be safe. Even if you feel like it's true. If it is true, then there's no point in you telling anyone, right?

> https://panopticlick.eff.org

Yeah, that one has never managed to get me. Use a generic user agent, disallow javascript, and disable cookies, and the amount of certainty they can get goes down a whole lot. What you really have to worry about is who ISPs are in cahoots with, because ISPs can track a lot of people with 100% legal certainty, without their permission or awareness. The EFF thing is a minor, paltry concern compared to that.

Another thing to worry about is when people communicate using big, powerful centralized companies, like Google or Facebook. Organizations that have money and popularity can put pressure on people like me then, spending countless man hours developing tactics to prevent me from communicating with people, unless I allow their tracking software to run.

But Panopticlick is just an idle curiosity, security-wise.

> I agree that captchas, particularly the D ones used here, are better. The forum is OSS and written in D, you can submit a PR or at least file an issue: https://github.com/CyberShadow/DFeed

Oh, thanks. Maybe I'll do that!
May 25 2016
On Wednesday, 25 May 2016 at 21:52:40 UTC, cy wrote:
> On Wednesday, 25 May 2016 at 20:24:50 UTC, Joakim wrote:
>> It's run by the company behind Wordpress, which has less than 500 employees.
>
> Okay fine, maybe it's not Procter and Gamble. But do you want to face up against 500 people and tell them to stop doing what they want?

If they're part of a company that's trying to put out a good service that will help you rather than hinder you, yes.

>> Maybe they could sort out why this is hitting you so hard, when it doesn't affect others as much.
>
> It's probably because I'm running a relay program that helps people with their privacy. I'm not an exit relay or anything, but it's a good business model for tracking companies like those guys to put pressure on people who run those programs even passively, so that they can keep me from helping others have any privacy.

I doubt they're against Tor or whatever relay you're using, but it may be the cause.

>> If you don't want to be profiled, you shouldn't use the web, as it's not hard to track you:
>
> The greatest achievement of any thief is to convince you it's pointless to try and stop them from stealing. Because then you try to convince others, and in doing so you help weaken the people trying to help you, and your own attackers gain more support. So uh, don't ever tell anyone there's no point in trying to be safe. Even if you feel like it's true. If it is true, then there's no point in you telling anyone, right?

I wouldn't call it stealing, more like casing, ;) but yes, it is impossible to stop that without going to extreme measures, no matter how much you'd like it to be otherwise. I appreciate that some will go to extreme measures, and it's good that those options are there for them, but it doesn't sound like you yourself are doing so.

>> https://panopticlick.eff.org
>
> Yeah, that one has never managed to get me. Use a generic user agent, disallow javascript, and disable cookies, and the amount of certainty they can get goes down a whole lot. What you really have to worry about is who ISPs are in cahoots with, because ISPs can track a lot of people with 100% legal certainty, without their permission or awareness. The EFF thing is a minor, paltry concern compared to that.

Disabling javascript will help a lot, but the number of sites you can use goes way down with it. Of course, as you say, ISP tracking data can always be sold too.

> Another thing to worry about is when people communicate using big, powerful centralized companies, like Google or Facebook. Organizations that have money and popularity can put pressure on people like me then, spending countless man hours developing tactics to prevent me from communicating with people, unless I allow their tracking software to run.

Yeah, I don't use any of those; I was talking about tracking and fingerprinting that goes on outside those central services.

> But Panopticlick is just an idle curiosity, security-wise.

When they first put that site up, I was surprised how easy it was for them to fingerprint your browser even with cookies disabled, just by using all the identifying info your browser sends. With all the tracking ads and pixels embedded in practically every website these days, it's not hard for them to track you and I've seen advertiser presentations on how they're actively doing so. It's the price of a "free" web.
May 25 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
> I've filled out one of these for every post I've made here.

I often get a CAPTCHA when I'm using a VPN at home.
May 23 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
> [...] I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:
>
> ALTER TABLE users ADD COLUMN num_captchas_solved INTEGER DEFAULT 0 NOT NULL ETC;
>
> I can understand if even an ordinary user like myself could be suspected of spam. The Internet doesn't make it easy to distinguish in a lot of cases. But my account login status does. If you made it so someone solving 12 captchas didn't get asked any more (until they actually start sending spam), that'd be really nice. You could even award achievements! (Achievement unlocked: On Fire. 100 posts in a week? Jeezus!)
>
> Not sure if this is the right place to ask, but this is regarding the posting server on forums.dlang.org, which I use to access all these mailing lists and such, without getting all the messages in all the lists sent to my email inbox.

One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?
May 24 2016
On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:
> One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?

Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered. But what can be done is adding a counter of every time a captcha is filled out correctly. Once they've done that enough, no prompt to guess the code again. Then you wouldn't have to arbitrarily decide what a "strong" challenge is and just hope that it's solvable, and nobody circumvents it. Instead, you could continue to challenge them after registering, and you can record their success in stages.

There's other tricks you can use to make life harder for spammers. Tracking how long people have had their accounts for instance, and only showing captchas and limiting post rate to new accounts. Spammers would, of course, cache up a million unused accounts then, and start firing them once they're old enough. But you can measure how often they've posted, and combine that with account age to get a good idea.

You can use stronger captchas too, and more difficult to solve puzzles, if people won't keep being asked to solve them beyond a certain point. Even if spammers turn their supercomputers and South Asian sweatshop workers to solving your captchas, making it harder for them costs them money and power, and all you have to do is make it not worth the trouble before they'll either run out of money, or go away.
May 24 2016
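A sketch of the counter proposed in the post above, combined with the account-age and post-count signals it mentions, as an added example (not DFeed's code and not from any poster in this thread). The `users` table layout, the 7-day and 5-post thresholds and every function name are assumptions; only the `num_captchas_solved` column and the figure of 12 come from the thread.

```python
import sqlite3

SOLVED_THRESHOLD = 12      # from the thread: "someone solving 12 captchas"
MIN_ACCOUNT_AGE_DAYS = 7   # assumed value
MIN_POSTS = 5              # assumed value

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        name TEXT PRIMARY KEY,
        created_day INTEGER NOT NULL,
        num_posts INTEGER NOT NULL DEFAULT 0,
        num_captchas_solved INTEGER NOT NULL DEFAULT 0)""")
    return db

def add_user(db, name, created_day):
    db.execute("INSERT INTO users (name, created_day) VALUES (?, ?)",
               (name, created_day))

def record_post(db, name, solved_captcha):
    # Count the accepted post, and the solved captcha if one was shown.
    db.execute("""UPDATE users SET num_posts = num_posts + 1,
                  num_captchas_solved = num_captchas_solved + ?
                  WHERE name = ?""", (int(solved_captcha), name))

def confirmed_spam(db, name):
    # "until they actually start sending spam": a moderator-confirmed spam
    # post revokes the earned exemption.
    db.execute("UPDATE users SET num_captchas_solved = 0 WHERE name = ?",
               (name,))

def needs_captcha(db, name, today, flagged):
    """flagged is the spam checker's verdict on this post (True = spam-like)."""
    if not flagged:
        return False
    row = db.execute("""SELECT created_day, num_posts, num_captchas_solved
                        FROM users WHERE name = ?""", (name,)).fetchone()
    if row is None:
        return True            # not logged in or unknown: always challenge
    created_day, num_posts, solved = row
    # All three signals must agree, so neither a stockpile of aged, unused
    # accounts nor a burst of solves on a fresh account earns the exemption.
    trusted = (solved >= SOLVED_THRESHOLD
               and today - created_day >= MIN_ACCOUNT_AGE_DAYS
               and num_posts >= MIN_POSTS)
    return not trusted
```

The exemption is only as good as the revocation path: `confirmed_spam` has to be driven by moderation, otherwise an account that earns trust keeps it after it starts spamming.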
On Tuesday, 24 May 2016 at 16:36:36 UTC, cy wrote:
> On Tuesday, 24 May 2016 at 12:59:39 UTC, Basile B. wrote:
>> One thing that could be done is to disable the spam checker when the user is registered. As a counterpart, registering must be very strong: image captcha + text captcha + guess the code result + ?
>
> Yes, that's the reason the spam checker shouldn't just be disabled when the user is registered.

Never mind, it was a bad idea, because a noob spammer can still register by hand and let his bot run afterward with the right reg info stored for this site. I don't know what the "professional" spam programs look like, but they are probably fully automated, e.g. there is almost never anyone behind the screen. I remember a few years ago I had a BB forum and the captcha didn't prevent some spamming bots from auto-registering, though it was probably due to a security hole at that time.
May 25 2016
On Monday, 23 May 2016 at 17:56:17 UTC, cy wrote:
> Akismet thinks your post looks like spam. Please solve a CAPTCHA to continue.
>
> I've filled out one of these for every post I've made here. Yet I'm logged in, with a persistent state on the server side. Could something be implemented along the lines of:

Sorry about that. I'm a bit backlogged at the moment, but I could look at a pull request if someone could put that together. As a workaround, you could set up a news or mail client, and post via NNTP or email.
May 25 2016