ASIRRA Security by Cats

I had a lot of success recently adding security questions to a community bulletin board to stop bots from registering and attempting to spam the forum. I have the same problem on the flashlight wiki, but it hasn’t gotten out of hand yet. Lately I have been getting one or two bot registrations a day. Just like on the bulletin board, registering doesn’t allow them to post spam, they still have to be confirmed by me to post anything. But I still go in and block them which takes a little time. So I was looking for a way to add security questions like I did for the bulletin board. I like the security questions because they are so easy for users to get correct (unlike the blurry text used in CAPTCHA systems). (To be fair, ReCAPTCHA, where you enter two blurry words, does have a practical purpose in helping to convert scanned books into text.)

But all I was finding for wikis was an extension called ConfirmEdit that is meant to flash a CAPTCHA every time someone makes an edit, which wasn’t what I wanted. I should have read more about it though. CAPTCHA doesn’t necessarily involve blurry text, it just means “Completely Automated Public Turing test to tell Computers and Humans Apart,” which can be any kind of test. And in fact, ConfirmEdit has several choices including blurry text, asking simple questions, asking the user to solve simple math problems, and one that involves the user identifying pictures of cats. Yes, pictures of cats. People can easily recognize whether a picture shows a dog or a cat, but this is much more difficult for a computer. Microsoft has developed a system called ASIRRA (“Animal Species Image Recognition for Restricting Access”) which shows you twelve thumbnail pictures of animals. You then click on only the pictures that are cats. The thumbnails are pretty tiny, but a bigger version pops up when your mouse is over the picture. Some people might still have a hard time, for instance if they are blind, though I doubt many people interested in flashlights are blind. Also some of the pictures can be kind of blurry, but you can get a new set of images if you want. The pictures themselves come from millions of pictures stored at petfinder.com and you could even adopt the dogs or cats shown if you want (this is why they make their database available). You can try it at ASIRRA.

Additionally, ConfirmEdit can be configured to control several different types of events, not just confirming edits. One of the options is for new user registration. Perfect.

Well, I had to try out the cat thing. It was pretty easy to install the ConfirmEdit extension and add a couple of lines to my LocalSettings.php file in my wiki installation, but it didn’t work because I didn’t realize I also needed to install the ASIRRA extension (supposedly ConfirmEdit includes ASIRRA by default, but it didn’t). Once I got that done, I configured it so that the only time it would use ASIRRA was when a new person registered. I already have anonymous edits turned off and only users that are confirmed by me are allowed to edit, so I’m not worried about spammers, just new registrations. I really like this idea.
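An added example, not taken from the original post, of what a registration-only CAPTCHA setup like the one described above can look like in LocalSettings.php. The install path, the older `require_once` loading style, and the Asirra file and class names are assumptions about the ConfirmEdit version in use.

```php
<?php
// LocalSettings.php fragment (added example, not the author's actual file).
// Assumption: ConfirmEdit is unpacked under extensions/ConfirmEdit and is
// loaded with the older require_once style.
require_once "$IP/extensions/ConfirmEdit/ConfirmEdit.php";

// Assumption: the Asirra module is a separate file and class that has to be
// loaded explicitly; without it ConfirmEdit falls back to its default test.
require_once "$IP/extensions/ConfirmEdit/Asirra.php";
$wgCaptchaClass = 'Asirra';

// Challenge only on account creation. Every other trigger is switched off
// explicitly so the result does not depend on the extension's defaults.
$wgCaptchaTriggers['edit']          = false; // every page save
$wgCaptchaTriggers['create']        = false; // creating a new page
$wgCaptchaTriggers['addurl']        = false; // edits that add external links
$wgCaptchaTriggers['createaccount'] = true;  // new user registration
$wgCaptchaTriggers['badlogin']      = false; // after a failed login

// Anonymous visitors may read and register but not edit, so a bot that
// gets past the CAPTCHA still cannot post anything by itself.
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = true;
```

After changing the triggers, log out and open the account creation form to confirm the challenge appears there and nowhere else.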

Freaky Facebook Friends

This weekend Jeb convinced me to sign up with Facebook again. I had done this before for a couple of weeks before I just got spooked by the excessive connectedness and lack of privacy. Then I got an ad saying Mom had recommended some kind of dating service, when she says she didn’t do that. So then it seemed to be all about me sharing tons of private information which was being used against me dishonestly.

When I signed back up, they hadn’t really deleted any of the old information or my friends from the last time. Even my password was the same. So the first thing I did was set my privacy settings so only friends could see what I am doing, then I got rid of most of my old friends who were mostly people from high school that I don’t keep up with and some of them I didn’t even know.

So I had things a little more under control. And I like being able to see what’s going on with the family. So maybe I’ll stick with it. But Facebook continues to freak me out. I got some friend recommendations like Facebook does. Usually they seem to be people who are friends with my friends, like Bob. But somehow there were two people with whom I didn’t have any common friends. One was the person who found the dog I fostered this year, and the other was a guy in California that I bought some flashlight parts from. What? I sent these people e-mails, so can Facebook read my e-mails that had nothing to do with Facebook and were sent after I left Facebook? Who knows? Maybe Yahoo is sharing my e-mails with Facebook. Or it could be these people are sharing their e-mails or contacts with Facebook, so Facebook knows I know them.

So Facebook is still awful, but I think I’ll stay with it for another day or two anyway.

Fighting the Russians, Part 2

In Part 1, I was fighting bogus membership registrations on my community bulletin board by blocking IP addresses and certain e-mail domains. It was fairly effective for a while, but lately I was getting 10-20 bogus signups and the blocked IP addresses, which I could see were blocking people every day, could not keep up. It was also a pain to look up an IP address (to see where they were coming from, usually Russia, Ukraine, Poland, etc., but also France, China, Africa, even places in the US that wouldn’t be interested in my bulletin board). Given all the different IP addresses using the same or similar e-mail addresses, I think the spammers were somehow spoofing IP addresses. They may have been using computers in other places that had been infected or something, but that seems unlikely just because it would be harder to do (though I don’t know how hard it is to spoof an IP address either).

So I got rid of the Captcha (the blurry letters or numbers that you have to read to prove you’re a real person) and added a plug-in that asks a simple question like “What is the capital of our state?” (that question has the advantage that anyone local will know the answer, but you can’t Google the answer). I had never installed a plug-in with MyBB, but it wasn’t that bad actually. I downloaded a file, unzipped it, and had to place about 8 files in the right place on my installation, and then I was able to use MyBB’s control panels to activate the plug-in and customize the questions. I tried registering a couple of times and was able to register by answering the question correctly. The control panel for the questions shows me the percentage of people getting the answer to the questions correct.

After a day, I have gotten no spam registrations (and no real ones either since the bulletin board is barely active), though my IP blocks still show they are blocking some people. I am not sure if the Captcha was hacked so that a bot could read those letters or if people were reading them and registering or some combination where people read the Captcha and then a robot does the registration. Whatever, I like that the Captcha is gone because sometimes I have a hard time reading those anyway, and answering the question should be really much easier and more effective.

Wikia

When I started the Flashlight Wiki (now getting 100-200 visits a day), one of the sites that would turn up when I searched for “flashlight wiki” was a flashlight wiki on wikia.com. I had read an article about Wikia that it was a for-profit version of Wikipedia with fewer rules about subject matter. It is a good place for fans of TV shows, video games, etc. to go into endless detail about a subject, which Wikipedia would not allow.

Fighting the Russians

For the last couple of months, I have been getting a couple of people a day signing up on my community bulletin board using Russian-sounding names and usually gmail addresses that don’t match their usernames. Since the community served is a town nowhere close to Russia, these have to be some kind of spammers. Even though new users have to type in text from an image (Captcha), they can’t actually post any messages until they are confirmed by me. And I won’t confirm them until they tell me their real name and where they live. For a while, I would send an e-mail when someone signed up asking for this information, but after getting some obviously bogus signups, I just put in the instructions that people needed to e-mail me if they wanted to be authorized to post messages. None of the Russians has done that.
