Topic: [Poll] What do you think of the forum's usage of reCaptcha? (Read 2160 times)
It doesn't matter if I think because it is usual to avoid security robots that enter and roam mainly in this forum who could make the post contains useless garbage.
I am using firefox latest version, i didn't have a problem until yesterday, i have to solve 20 recaptcha and mind you i have to select sometimes street signs in a photo without any street signs! this is ridiculous and annoying.
For me it is slow to load and sometimes asks two or three times ... Also it is quite boring... Instead of traffic signs and roads and cars it could be about telling if it is a character from Star Trek or Star Wars ... or if it is a men´s or a woman´s legs or ...
Seriously, it is slow, but I don´t know if there is anything out there that offers the same level of safety and is faster.
Seriously, it is slow, but I don´t know if there is anything out there that offers the same level of safety and is faster.
As a Tor user, I quickly found the site totally unusuable when I was at Newbie rank. One fine day, after I was forced to try 17 (seventeen) different Tor circuits before I could even get a CAPTCHA thrown at me (!), I finally found a (not very good) workaround:
Well, write off hours wasted trying to coerce fresh Tor Browser to do exactly what I wanted with my precious seventeenth-circuit login cookies (as recovered from the browser console). I finally gave up, and installed a persistent browser exclusively for Bitcointalk.org. After checking the appropriate boxes and “only” trying three circuits to get a CAPTCHA, I am now allegedly logged in until the year 2023; oh yes, I backed up those cookies!
I thus hope to not be the canary in the CAPTCHA anymore; but I do care about this issue, and I will continue trying to adduce a workable solution.
I thus hope to not be the canary in the CAPTCHA anymore; but I do care about this issue, and I will continue trying to adduce a workable solution.
So... I suppose the least-evil current answer is, check the box to stay logged in; and back up those precious cookies!
There, in this thread, and elsewhere, I have repeatedly made noises about a better solution:
Any which way, if any popular forum has users who can handle public-key crypto, it should be Bitcointalk.org!
However, I never did the writeup I intended on a practical suggestion for achieving that. Back in early December, I hit a stone wall when I researched the topic. Sadly, idiot browser vendors have deprecated the
Another problem is, per my repeated inquiries upthread, the purpose of the login CAPTCHA is unclear. If, as I tend to presume, the purpose is to prevent online bruteforce of weak luser passwords (inevitably followed by “HELP CYRUS THEYMOS IM HACKED” threads), then pubkey auth would be an excellent solution. But if the purpose of the CAPTCHA is to inhibit mass login by spambots, as many others assume—well, then pubkey auth would fix nothing. If this is not a sensitive security question, I ask that theymos provide clarification.
half a month necro/
Half a month isn’t really necro, even for a less important thread; and this thread is very important. I hope that this thread will remain semi-active until a better solution is found.
I probably won't make changes in the near future, but I've been thinking about the captcha issue, and I wonder what people think about reCaptcha.
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying onNSA-lite Google, and occasionally on Tor they throw you into some insane black hole of difficulty (though you can change your Tor exit to fix that).
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying on
I really dont mind having them here in the forum as long as they are fast to load. Although I'm patient from waiting but not that long enough like the captchas in 2captcha.com, that's why I quit that work. Its just a matter of time just to solve it so if you added it here like the one from the log in I guess there won't be a problem.
I probably won't make changes in the near future, but I've been thinking about the captcha issue, and I wonder what people think about reCaptcha.
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying onNSA-lite Google, and occasionally on Tor they throw you into some insane black hole of difficulty (though you can change your Tor exit to fix that).
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying on
For me it is slow to load and sometimes asks two or three times ... Also it is quite boring... Instead of traffic signs and roads and cars it could be about telling if it is a character from Star Trek or Star Wars ... or if it is a men´s or a woman´s legs or ...
Seriously, it is slow, but I don´t know if there is anything out there that offers the same level of safety and is faster.
half a month necro/
I am using firefox latest version, i didn't have a problem until yesterday, i have to solve 20 recaptcha and mind you i have to select sometimes street signs in a photo without any street signs! this is ridiculous and annoying.
I am using firefox latest version, i didn't have a problem until yesterday, i have to solve 20 recaptcha and mind you i have to select sometimes street signs in a photo without any street signs! this is ridiculous and annoying.
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
At some point this kind of issue really needs to be addressed. Forum should be welcome to all users anywhere in the world. Tho, I haven't seen any chinese in this forum contributed since basically most of them are just talking to their local boards and creating similar forum for them would really not be a problem
What you are saying is, why have any local forums at all?
Actually, why have a forum at all? Creating a similar forum for me would really not be a problem, yes? And another one for you?
I was actually referring the chinese users who can't acess the forum because of the captcha that even if they can't access the site there is still no problem. Since most of them are just posting on their local section. Don't bother wasting your time in creating a forum tho, LOL
It is fine other than:
1) The necessary use of JavaScript at the login page.
2) For people who log in and out frequently. This is not an issue for individuals such as myself, who are pretty much always logged in.
3) May be annoying to log in on the phone.
As long as it combats some forms of attacks, it is fine as is.
1) The necessary use of JavaScript at the login page.
2) For people who log in and out frequently. This is not an issue for individuals such as myself, who are pretty much always logged in.
3) May be annoying to log in on the phone.
As long as it combats some forms of attacks, it is fine as is.
That's true, it can be quite annoying when were selecting photos using our phone. It tends to misalign when you try to zoom into it then when you zoom out as well. Sometimes when you try to scan through the selections, it tends to select when you just want to browse. I just feel that its response when using a phone is slow. It's not a big deal though, but it can be time consuming at times.
However, you raise a chicken-and-egg problem: How does the forum know to whitelist a paid user at the login page?
I would suggest allowing the login page some restricted access to the data base, for the purpose of identifying the user type. If identified as a ReCaptcha bypass user then javascript code removing the ReCaptcha prompt will be executed. Alternatively, for the purposes of safety, a second database could be accessed which is generated as a subset of the original (again selecting the bypass users) thus avoiding any vulnerability concerns. This system could be easily implemented with a few IF ELSE statements in the original code.
However, there would need to be an alternative security measure in place to prevent brute force attacks, e.g. Only allow a maximum of ~5 password attempts before locking the account for some length.
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
At some point this kind of issue really needs to be addressed. Forum should be welcome to all users anywhere in the world. Tho, I haven't seen any chinese in this forum contributed since basically most of them are just talking to their local boards and creating similar forum for them would really not be a problem
What you are saying is, why have any local forums at all?
Actually, why have a forum at all? Creating a similar forum for me would really not be a problem, yes? And another one for you?
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
What would be the solution to this though? Assuming there would have to be a compromise we would likely see this abused by the many and more bots would be registering and spamming the forum. Chinese members could just use a VPN to sign up, unless there's another alternative which is just as effective as keeping the bots away.
Prescribing any kind of censorship circumvention measure is problematic as for users in a country which blocks censorship circumvention measures. Though there are always ongoing concerted efforts to keep Tor available to PRC (People’s Republic of China) users behind the GFW (“Great Firewall”—adverse nickname for PRC network censorship measures). It’s an arm’s race. And then, Chinese-through-Tor users would hit the reCAPTCHA problem I had: “Google is locking Tor users out of Bitcointalk.org!” I would suppose that some/many VPNs (as you suggest) might hit similar trouble, though I have not tried VPNs with this forum.
Here is an interesting bibliography, which includes references to many research papers written on GFW:
https://censorbib.nymity.ch/
There's services which offer to write out the captcha and send it to the users registering, so any other system which doesn't use the image could easily be abused and automated.
Well, there’s your usual CAPTCHA arms race.
I myself would much prefer public-key authentication for login. It’s a “crypto” forum, yet does not deploy basic cryptographic techniques for authentication! Of course, this would make it trivial for bots to log in; and this returns to my unanswered question which I have asked many times upthread and elsewhere: Is the purpose of the login CAPTCHA to stop login by bots, or to stop such bruteforcing of luser-selected passwords as may result in (more) so-called “hacked” accounts?
By the way, there is a(t least one) existing patent on a method for issuing fake or impossible CAPTCHAs to deny access to a service while pretending to allow access:
https://via.hypothes.is/https://www.google.com/patents/US9407661
(In other words: A patent on a method of being a jerk and intentionally wasting people’s time, effort, and frustration.)
The ReCaptcha prompt is sometimes unsolvable, or when it's the one with the fading blocks, takes far too much time to make it worth it.
Sometimes I don't sign in, simply because I can't be bothered to wait 1 minute for the fading blocks to go away.
Sometimes I don't sign in, simply because I can't be bothered to wait 1 minute for the fading blocks to go away.
As linked above, some of us have trouble even getting a CAPTCHA—broken or otherwise. Then when I can get a CAPTCHA, it steals time out of my life—60–90+s each time, mindlessly clicking pictures in servitude to a machine.
I myself have not yet received an unsolvable CAPTCHA on this forum. Only either refusal to serve a CAPTCHA, or extremely drawn-out and tedious CAPTCHAs.
If there was a paid option to bypass the ReCaptcha, I would seriously consider it.
So would I—with the caveat that I would not pay more than I already have for Copper Membership. If the purpose is a steeper anti-abuse fee which provides greater deterrent to abuse, then that shouldn’t be turned into a money-grab. Doing so would be wrong, a squeezing of innocent people under false colour of stopping the wrong of spammers who treating this forum as a money-grab.
However, you raise a chicken-and-egg problem: How does the forum know to whitelist a paid user at the login page?
The ReCaptcha prompt is sometimes unsolvable, or when it's the one with the fading blocks, takes far too much time to make it worth it.
Sometimes I don't sign in, simply because I can't be bothered to wait 1 minute for the fading blocks to go away. If there was a paid option to bypass the ReCaptcha, I would seriously consider it.
Sometimes I don't sign in, simply because I can't be bothered to wait 1 minute for the fading blocks to go away. If there was a paid option to bypass the ReCaptcha, I would seriously consider it.
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
What would be the solution to this though? Assuming there would have to be a compromise we would likely see this abused by the many and more bots would be registering and spamming the forum. Chinese members could just use a VPN to sign up, unless there's another alternative which is just as effective as keeping the bots away.
There's services which offer to write out the captcha and send it to the users registering, so any other system which doesn't use the image could easily be abused and automated.
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
At some point this kind of issue really needs to be addressed. Forum should be welcome to all users anywhere in the world. Tho, I haven't seen any chinese in this forum contributed since basically most of them are just talking to their local boards and creating similar forum for them would really not be a problem
Nobody has mentioned in this thread that google captcha blocks the forum entirely for a billion people living in China.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
Likely this is important information to consider when choosing whether to force users to use a google service while accessing the site.
I probably won't make changes in the near future, but I've been thinking about the captcha issue, and I wonder what people think about reCaptcha.
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying onNSA-lite Google, and occasionally on Tor they throw you into some insane black hole of difficulty (though you can change your Tor exit to fix that).
Where reCaptcha is used now, something is required, and AFAIK all other captcha services can be OCRed and are therefore useless. End-users often like SolveMedia, but those seem really easy to OCR. I actually really like the image classification approach on a theoretical level, though I hate relying on
how can someone complain about the NSA running Google and Cloudflare but still advertise TOR? Seems you have no issues with it, even its known where most of its funding is coming from... just curious...
A reply to this:
...devolved to this:
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority
Are you speculating, or do you have certain knowledge? I asked a question, because I don’t know. I nominally addressed my question to Vod, because I’ve seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots
Vod, do you know the actual purpose of the CAPTCHA? Everybody seems to assume that it’s there to keep out spambots.[1] My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts. You may perhaps know for certain, not as a matter of assumptions or speculation.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
...devolved to this:
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority
Are you speculating, or do you have certain knowledge? I asked a question, because I don’t know. I nominally addressed my question to Vod, because I’ve seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots
I don't quite understand what part of my post you refer to as speculating. But I'm utterly curious what makes you think that all spammers (well, most of them) have simultaneous access to multiple IP addresses (if that was your point). Anyway, why don't you just ask theymos directly (via PM or elsewise)? I guess he is the only one who can give you precise answers as to his intents and purposes. But since you are still sticking around here, I arrive at a conclusion that he is not likely to respond to your queries. So who is wasting whose time actually?
But never mind. When you are a newbie you can't post more than once in a while (like 6 minutes or so), and if you try you will get a warning that clearly states that your IP address is being limited, i.e. not your session or whatever. What else do you want to know?
A reply to this:
...devolved to this:
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority
Are you speculating, or do you have certain knowledge? I asked a question, because I don’t know. I nominally addressed my question to Vod, because I’ve seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots.[1]
I set forth a query clearly in the interrogative; and I laid out my reasoning for an educated hypothesis. Whereas my question can only be answered by somebody who does actually know the precise nature of the problem which theymos ameliorated with the login CAPTCHA. If you do know, please say; but if you don’t, then I can tell you, your guess isn’t nearly as good as mine is.
I have been repeatedly asking all month whether my hypothesis about the login CAPTCHA is correct. There are exactly three valid answers: “Yes”, “no”, and “no comment—that is sensitive operational security information which we will not tell to someone we don’t know and trust.” Any of those would be fine—from someone who actually knows. Whereas if you’re simply hashing out your own hypothesis, then this whole discussion is a waste of my time.
1. Any spambot which could log in and set up a client certificate for future logins, could also save a cookie for staying logged in. Duh. But I’d like to know for certain before I pour more time into the sorry state of public-key auth on the Web. Browser vendors deprecated or even removed while I wasn’t looking. Only a minuscule fraction of users would be able to manually generate TLS certificate requests, or use alternatives such as SSH tunnels, OpenVPN, etc., etc. I spent hours trying to figure out an administrator-friendly and user-friendly solution, with the goal of making a suggestion which might actually be implemented. Then I realized, I shouldn’t bother trying to otherwise resolve the CAPTCHA’s purpose when I do not know its purpose with any degree of certainty.
Well, at least that wouldn’t make things worse; but from my perspective, it wouldn’t make things better, either!
Vod, do you know the actual purpose of the CAPTCHA? Everybody seems to assume that it’s there to keep out spambots.[1] My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts. You may perhaps know for certain, not as a matter of assumptions or speculation.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
[...]
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
...devolved to this:
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority
Are you speculating, or do you have certain knowledge? I asked a question, because I don’t know. I nominally addressed my question to Vod, because I’ve seen him deeply involved in discussions of combatting abuse; and I inferred that perhaps, he may know something which I do not. And I keep asking, because three weeks ago I wound up chasing my tail trying to work out a viable means of public-key auth login—which would help solve the problem of bruteforce login attempts, but would do nothing against spambots.[1]
I set forth a query clearly in the interrogative; and I laid out my reasoning for an educated hypothesis. Whereas my question can only be answered by somebody who does actually know the precise nature of the problem which theymos ameliorated with the login CAPTCHA. If you do know, please say; but if you don’t, then I can tell you, your guess isn’t nearly as good as mine is.
I have been repeatedly asking all month whether my hypothesis about the login CAPTCHA is correct. There are exactly three valid answers: “Yes”, “no”, and “no comment—that is sensitive operational security information which we will not tell to someone we don’t know and trust.” Any of those would be fine—from someone who actually knows. Whereas if you’re simply hashing out your own hypothesis, then this whole discussion is a waste of my time.
1. Any spambot which could log in and set up a client certificate for future logins, could also save a cookie for staying logged in. Duh. But I’d like to know for certain before I pour more time into the sorry state of public-key auth on the Web. Browser vendors deprecated or even removed
Forums can use the two and the members could select which option they like to log with it.
I remember such feature was used in faucets years ago.
I remember such feature was used in faucets years ago.
Well, at least that wouldn’t make things worse; but from my perspective, it wouldn’t make things better, either!
I think Theymos should replace the captcha with a proof of work challenge such as https://coinhive.com/
Reduce Spam AND make the forum some additional money.
Reduce Spam AND make the forum some additional money.
This would (0) require Javascript (as reCAPTCHA does—but worse, IIRC this also requires asm.js/webasm which I disable even when enabling JS), and (1) have a drastically disparate impact on those using fast computers versus slow computers/netbooks/mobile devices. It is also questionable whether it would answer the threat being staved off by the CAPTCHA. Admittedly, it would work better against what I suspect the threat to be, rather than against spam.
Vod, do you know the actual purpose of the CAPTCHA? Everybody seems to assume that it’s there to keep out spambots.[1] My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts. You may perhaps know for certain, not as a matter of assumptions or speculation.
I would understand if theymos desires that such information not be disclosed. But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.
1. This common assumption simply does not make sense to me. An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts. It would be trivial; all the bots would need to do is to keep their cookies. I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023. I have not filled out the CAPTCHA since 10 December. Whereas a password bruteforcer would indeed be stymied by the CAPTCHA. A bruteforcer would also be slowed down by a POW. A spambot could complete the POW once, then stay logged in for years or until permabanned.
Forums can use the two and the members could select which option they like to log with it.
I remember such feature was used in faucets years ago.
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login
I guess you should also reread what I wrote
Since you jumped at my assumption of temporarily (note that) banning an IP address but you chose to completely ignore the fact that you can't log in again after a failed attempt for 60 seconds, if I'm not mistaken. I don't know how it is now with reCaptcha employed (since it takes longer than 60 seconds to pass anyway), but before it was introduced, you had to wait for some time if you entered incorrect credentials. At least, that's what I remember and that might not have had to do anything with your IP address at all, e.g. access to a specific account might have been restricted temporarily (but things might have changed since then, of course)
You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out
I'd rather say it is your incorrect assumption that spammers have multiple IP addresses (on the order of dozens, at least). Some of them have but certainly not the majority
1. This common assumption simply does not make sense to me. An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts. It would be trivial; all the bots would need to do is to keep their cookies. I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023. I have not filled out the CAPTCHA since 10 December. Whereas a password bruteforcer would indeed be stymied by the CAPTCHA. A bruteforcer would also be slowed down by a POW. A spambot could complete the POW once, then stay logged in for years or until permabanned.
I think you should reconsider your opinion
As to me, it doesn't make a lot of sense to use just one spam bot (account) when you can use hundreds or even thousands of them, and this is where captcha kicks in. Without it a spam bot could constantly log in and off using different accounts from the same IP address, so it would be next to impossible even to track them down let alone ban them all. Regarding preventing users' passwords from being brute forced, you don't need a captcha for that. If you enter an incorrect password, the forum will let you try again only after 1 minute, if I remember correctly. And I'm not sure if your IP won't be banned for longer after a few unsuccessful attempts
Please reread what I said, as quoted above; I have edited the quote to put the key words in red. If already building a spambot which opens web login sessions, it would be trivial to make it keep many different sessions in parallel. Get them all logged in—perhaps via a scammy website which proxies the CAPTCHA, and offers real or imaginary freebies (free Bitcoin!) for completing CAPTCHAs. Then, leave them logged in.
You incorrectly assume that a spammer must log in his sibyl accounts from the same IP address. Spammers often have many IP addresses; and indeed, it would be easy to do away with account farmers if they always logged their zillions of accounts in and out from the same IP address. Also, multiple accounts can be logged in from the same IP address. Either way, there is no reason for a spambot to ever log out.
Since multiple users can be legitimately logged in from the same IP address, banning IP addresses for failed login attempts is also not a solution to bruteforcing. If theymos did that, then it would be trivial for an attacker to effectually ban Tor users from login to bitcointalk.org by deliberately making many bad login attempts from every exit node. Thus, I infer that theymos does not do this; and I assume the timeout you describe somehow works with cookies, or the like. Granted, I could be wrong there. It may simply be that nobody evil has thus far bothered to get Tor exits banned from attempted login.
Assuming a correlation between users and IP addresses is a common fallacy. N.b., I have no idea how many users are currently logged into bitcointalk.org from the same IP address as I am using to post this right now. I’m almost certainly not the only one; moreover, my connecting IP address frequently changes. There are also reasons other than privacy why many users may share the same IP address: Carrier-grade NAT due to IPv4 address exhaustion, corporate proxies, etc., etc. —Also reasons why the same user may rapidly change IP addresses: Mobile users.... There is not and never was any strong correlation between people and IP addresses; security systems which assume that tend to simultaneously lock out legitimate users, and fail to lock out malicious attackers. Failure both ways.
Sad thing is I don't have any bitcoin. Also checked the cooper membership price. It costs around $31 which I don't have. :(
I read your other topic and it had a lot of insights. Some trolls always lurk around and take things other direction. You also said you are very good with tor. I am not an expert and just use it for bitcointalk browsing with java script enabled.
What I wanted to know if there is any other browser like tor so I could use that and browse anonymously.
I read your other topic and it had a lot of insights. Some trolls always lurk around and take things other direction. You also said you are very good with tor. I am not an expert and just use it for bitcointalk browsing with java script enabled.
What I wanted to know if there is any other browser like tor so I could use that and browse anonymously.
Well, if you signed up via Tor, then you must have some Bitcoin; theymos charges a small anti-abuse fee for new account signup from Tor and other IP addresses which have high risk for abuse. And if you didn’t sign up through Tor, then you are mixing Tor and non-Tor usage for the same account. That’s a big privacy no-no.
If you use Tor, then you should use only Tor Browser for your web browser. I actually dislike it, myself; but it has special privacy and antifingerprinting features, and also, it helps you blend into a crowd when you use the same browser as everybody else. The technical term is “anonymity set”. If you use a different browser with Tor, then you may still be more or less readily identifiable and/or trackable (web session linkage). You could be the only person using Browser X in a crowd of two million people using Tor Browser through Tor exits. If you want to use some privacy network other than Tor, I have no specific advice for you at this time. But this is all off-topic. If you desire a few further tips of where to learn about these things, feel free to ask your question in the Off-topic forum and PM me a link to your post. Just don’t get sucked into the huge heaps of trash posted there—much of which is posted by spammers trying to up their post counts; that’s the kind of dirt which can rub off on a newbie, if you get involved with it.
1. This common assumption simply does not make sense to me. An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts. It would be trivial; all the bots would need to do is to keep their cookies. I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023. I have not filled out the CAPTCHA since 10 December. Whereas a password bruteforcer would indeed be stymied by the CAPTCHA. A bruteforcer would also be slowed down by a POW. A spambot could complete the POW once, then stay logged in for years or until permabanned.
I think you should reconsider your opinion
As to me, it doesn't make a lot of sense to use just one spam bot (account) when you can use hundreds or even thousands of them, and this is where captcha kicks in. Without it a spam bot could constantly log in and off using different accounts from the same IP address, so it would be next to impossible even to track them down let alone ban them all. Regarding preventing users' passwords from being brute forced, you don't need a captcha for that. If you enter an incorrect password, the forum will let you try again only after 1 minute, if I remember correctly. And I'm not sure if your IP won't be banned for longer after a few unsuccessful attempts
Jump to: