Stupid stupid registration question
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #1
Stupid stupid registration question
It seems there are quite a number of people who somehow believe that adding an additional question on the registration page somehow makes their forums less susceptible to bot registrations, over the standard MyBB captcha.

Well, it's true that MyBB's captcha isn't the best (and in fact, may not be that difficult to crack), but for those blockheads out there, it's certainly better than any additional question.  If anything, it's FAR easier for a bot coder to answer questions than it is to recognise squiggly text.

But I primarily dislike it for the following principle: the effort you need to put in to make it work linearly scales with the effort the bot coder has to go to.
Think about it this way.  If I set up 10 questions for my board, then the bot coder just needs to code in 10 answers to their program, and they've defeated your system.  Perhaps, if you're really enthusiastic, you could make up 100 questions, which means the bot coder just needs to put in 100 answers.  Maybe bot coders can't be stuffed so much, and hopefully won't bother with your board, right?
Wrong.  Actually, if they just coded in 10 answers, the bot would work 10% of the time.  As it is a bot, it doesn't matter so much for the bot coder, since the machine just has to do more work - it will still ultimately get through.

Questions might not necessarily be easy to come up with either, especially if you're planning to be more creative.  You may think everyone knows who the current president of the United States is (let's say you're diligent and update this when it changes too), but perhaps some visitors from, say, East Asian nations may not be so sure.

Maybe a standard set of questions would solve it?  Unfortunately no, it just means that bot coders have a common target/interface to deal with.


The method to solve these sorts of issues is to use a system which doesn't scale linearly, that is, one which is a lot more difficult for the bot coder to bypass than it is for the forum software coder to write.  Which is essentially what captcha tries to do (although captcha does have its downsides).



But disregarding the design concerns I have with these systems, it appears that the people coding MyBB plugins to try to implement the above are clearly no smarter, unfortunately.

I believe LeX- was one of the first to implement it, but as you'd probably expect, the design is completely flawed.
I have seen some other attempts, and this recent one has caused me to want to post this thread.

All of those involve the use of a static link between question and answer.  The user won't notice this, but a (non-braindead) bot coder probably will, and will certainly use this flaw to their advantage.
Here, I'll try to explain why this is stupid design and a bad idea.

How these plugins statically link question and answer
Typically, the questions and answers are stored in a database table somewhere, usually with the fields "id", "question" and "answer".  There's an obvious link between "question" and "answer".  The "id" column is just used as it is good database design, and makes it easier to track the two (though strictly, if questions are unique, not necessary).
Most of these plugins I see work by randomly selecting a question and displaying it on the registration page.  As the system needs to also be able to handle an answer, typically the "id" is sent to the page to track which question was sent.
Simplified, the HTML would look something like this:

HTML Code
<input type="hidden" name="question_id" value="{$question['id']}" />
{$question['question']}
<input type="text" title="Enter answer here" name="question_answer" />


And the logic works something like this:
Registration page: randomly select question from table and send question id and question text to browser
Actual registration process: grab the question from the table, from the sent question id, and compare the answer given by the user with that stored in the table.  If they match, it's a valid answer, otherwise, it's invalid.

Why it doesn't work
The above relies on the assumption that the question id cannot be forged by the user.  Of course, this is hardly the case.  Imagine if I edited the above HTML to something like:

HTML Code
<input type="hidden" name="question_id" value="1" />
What is 1+1
<input type="hidden" title="Enter answer here" name="question_answer" value="2" />

I have effectively permanently bypassed this security.  "question_id" was meant to be random, but the system never checks that that actually is the case, so I can bypass it by making it non-random, and in fact, something I select.
It doesn't matter how many questions you add to the database, as long as you don't delete the above, this "exploit" will always work and doesn't require any extra work.

The solution?
To not use static links.  Similar to how MyBB has a captcha table.
When the user visits the registration page, create a temporary entry into some table containing the real question id.  Eg:

Code:
$question_id = get_random_question_id();
$artefact_id = $db->insert_query("question_sessions", array('qid' => $question_id));
// now send $artefact_id to the user - do NOT ever send them $question_id

And when validating, check for the real question id from the artefact id, and don't forget to delete this row from the question_sessions table regardless of whether it was valid or not!
Managing a temporary table is also more work (i.e. cleanup), but it's the only way to do it properly.


My Blog
12-05-2010 11:39 AM
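As an added illustration (not code from the post or from any MyBB plugin), here is the flawed flow and the session-table fix side by side in Python, with in-memory dicts standing in for the database tables. The `QUESTIONS` table, the `question_sessions` dict, the artefact id format, the `SESSION_MAX_AGE` value and the `demo()` harness are all constructed for this example; the forged form fields are the ones the post shows.

```python
"""Added illustration of the registration-question flaw and the session-table fix.
In-memory dicts stand in for the database tables; this is constructed example
code, not MyBB's or any plugin's own code."""
import secrets
import time

# Constructed question table: id -> (question text, expected answer)
QUESTIONS = {
    1: ("What is 1+1", "2"),
    2: ("What colour is the sky on a clear day", "blue"),
    3: ("How many legs does a spider have", "8"),
}


def get_random_question_id():
    return secrets.choice(list(QUESTIONS))


def answers_match(given, expected):
    return given.strip().lower() == expected.lower()


# --- Flawed design: the real question id is sent to the browser in a hidden field ---

def flawed_render():
    """What the flawed plugin puts on the registration page."""
    qid = get_random_question_id()
    return {"question_id": qid, "question": QUESTIONS[qid][0]}


def flawed_validate(form):
    """Trusts whichever question_id the client posted back."""
    try:
        qid = int(form["question_id"])
    except (KeyError, ValueError):
        return False
    if qid not in QUESTIONS:
        return False
    return answers_match(form.get("question_answer", ""), QUESTIONS[qid][1])


# --- Fixed design: the browser only ever sees an opaque, single-use artefact id ---

# Hypothetical question_sessions table: artefact_id -> (real question id, created timestamp)
question_sessions = {}
SESSION_MAX_AGE = 600  # seconds; constructed value


def fixed_render():
    """Creates a temporary row holding the real question id; sends only the artefact id."""
    qid = get_random_question_id()
    artefact_id = secrets.token_urlsafe(16)  # unguessable, so the client cannot pick it
    question_sessions[artefact_id] = (qid, time.time())
    return {"artefact_id": artefact_id, "question": QUESTIONS[qid][0]}


def fixed_validate(form):
    """Looks up the real question id server-side and deletes the row whether or not
    the answer is right, so each artefact id gets exactly one attempt."""
    row = question_sessions.pop(form.get("artefact_id"), None)
    if row is None:
        return False
    qid, created = row
    if time.time() - created > SESSION_MAX_AGE:
        return False  # stale row: treat as invalid
    return answers_match(form.get("question_answer", ""), QUESTIONS[qid][1])


def purge_stale_sessions(now=None):
    """The cleanup the post mentions: drop rows the user abandoned. Returns how many were removed."""
    now = time.time() if now is None else now
    stale = [a for a, (_, created) in question_sessions.items() if now - created > SESSION_MAX_AGE]
    for a in stale:
        del question_sessions[a]
    return len(stale)


def demo():
    """Runs the forged submission from the post against both designs, plus an honest
    answer and a replay against the fixed one. Returns the outcomes by name."""
    forged = {"question_id": "1", "question_answer": "2"}  # the edited hidden fields from the post
    results = {}
    flawed_ok = True
    for _ in range(10):
        flawed_render()  # whichever question the page showed...
        flawed_ok = flawed_ok and flawed_validate(forged)  # ...the forged fields still pass
    results["flawed_forged_passes"] = flawed_ok
    # Fixed design, honest user: answer the question that was actually rendered.
    page = fixed_render()
    real_answer = QUESTIONS[question_sessions[page["artefact_id"]][0]][1]
    honest = {"artefact_id": page["artefact_id"], "question_answer": real_answer}
    results["fixed_honest_passes"] = fixed_validate(honest)
    # The row was deleted on use, so resubmitting the same form fails.
    results["fixed_replay_fails"] = not fixed_validate(honest)
    # A guessed or forged artefact id maps to no row, so it fails too.
    results["fixed_forged_fails"] = not fixed_validate({"artefact_id": "1", "question_answer": "2"})
    # A wrong answer also consumes the row.
    page = fixed_render()
    results["fixed_wrong_answer_fails"] = not fixed_validate(
        {"artefact_id": page["artefact_id"], "question_answer": "nope"}
    )
    results["row_removed_after_wrong_answer"] = page["artefact_id"] not in question_sessions
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The artefact id is generated with `secrets.token_urlsafe`, so it cannot be chosen or predicted by the client the way the integer `question_id` could; `pop()` on validation is what makes each id single-use, and `purge_stale_sessions` is the housekeeping that a real temporary table needs because abandoned registration pages never call validate.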
x-Treme
Member
Posts: 68
Joined: May 2010
Post: #2
RE: Stupid stupid registration question
so is there a better captcha system out there that will be more difficult for bots to crack?

Forum Freebies
12-05-2010 11:53 AM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #3
RE: Stupid stupid registration question
reCaptcha should be good.

I'm somewhat doubting bots actually do crack MyBB's system, due to its lack of popularity, but there could be.  Most spammers these days are human anyway.
Something like DeCaptcher (uses cheap labour from 3rd world countries to do their bidding) will bypass any captcha system you have anyway.

My Blog
(This post was last modified: 12-05-2010 12:01 PM by ZiNgA BuRgA.)
12-05-2010 11:58 AM
x-Treme
Member
Posts: 68
Joined: May 2010
Post: #4
RE: Stupid stupid registration question
Just found this on the mods site
http://mods.mybb.com/view/javascript-bot-protection

Have you tried this yet?

Forum Freebies
12-05-2010 12:03 PM
ZiNgA BuRgA
Fag
Posts: 3,357
Joined: Jan 2008
Post: #5
RE: Stupid stupid registration question
I've seen systems like those before.  They work against more basic bots perhaps, but bot coders who can get through captcha can probably get through that too.
It's an okay alternative to captcha perhaps, if well implemented and you're not targeted, though significantly easier to bypass than captcha.

My Blog
12-05-2010 01:33 PM
Imran
Member
Posts: 204
Joined: Apr 2010
Post: #6
RE: Stupid stupid registration question
I also recommend ReCaptcha to the users, if they really want to stop spam registrations.

12-05-2010 08:21 PM
Vapor
Member
Posts: 115
Joined: Oct 2010
Post: #7
RE: Stupid stupid registration question
Though this is not for mybb, what do you think of this ?

https://www.keycaptcha.com/

D3G Gaming Team - http://d3g.in

01-06-2011 07:09 AM
MattR
Junior Member
Posts: 40
Joined: Jul 2010
Post: #8
RE: Stupid stupid registration question
Requires HTML5 or Flash. Not a good start as HTML5 support isn't in all browsers yet (they say 'modern' browsers but a lot of people are still on IE6/7/8) and Flash sucks. Nice idea but I don't know if it'd take off or is a better way of doing things.
(This post was last modified: 01-06-2011 08:14 AM by MattR.)
01-06-2011 08:12 AM
Vapor
Member
Posts: 115
Joined: Oct 2010
Post: #9
RE: Stupid stupid registration question
I don't see why people don't update browsers to the newest version? Is it just laziness or the extreme difficulty it takes to do it?

D3G Gaming Team - http://d3g.in

01-06-2011 09:43 AM
leefish
Hamster
Posts: 1,009
Joined: Apr 2010
Post: #10
RE: Stupid stupid registration question
Not everybody can - a lot of people browse from work or school - and it's not always possible to download a "better" browser. IE6 and 7 will be with us for a while yet, I think. I have Opera 11 at the moment - and it still doesn't support all the new HTML5 features.


MYBB1.6 & XThreads
(This post was last modified: 01-06-2011 09:53 AM by leefish.)
01-06-2011 09:52 AM