Hi all,

I’d like to draw your attention to the wiki. The spammers appear to know the solution to the current entry barrier “What is usually the last command in a ConTeXt source file (without the backslash)?”, and the number of fake accounts is growing fast:

http://wiki.contextgarden.net/Special:Log/newusers

They don’t, however, seem to vandalize yet, so I guess the postal code of Hasselt is unbreakable with today’s technology ;-) Nevertheless the account spam is messing up the recent changes feed:

http://wiki.contextgarden.net/index.php?title=Special:RecentChanges&feed=rss

Even if it’s not urgent, may I suggest we collect possible replacements for the current question? I can’t imagine the damage those accounts would do once they figure out how to post links.

Best
Philipp
On Fri, Apr 5, 2013 at 3:43 PM, Philipp Gesang wrote:
Hi all,
I’d like to draw your attention to the wiki. The spammers appear to know the solution to the current entry barrier “What is usually the last command in a ConTeXt source file (without the backslash)?”, and the number of fake accounts is growing fast:
http://wiki.contextgarden.net/Special:Log/newusers
They don’t, however, seem to vandalize yet, so I guess the postal code of Hasselt is unbreakable with today’s technology ;-) Nevertheless the account spam is messing up the recent changes feed:
http://wiki.contextgarden.net/index.php?title=Special:RecentChanges&feed=rss
Even if it’s not urgent, may I suggest we collect possible replacements for the current question? I can’t imagine the damage those accounts would do once they figure out how to post links.
It would probably be best to:

1.) Remove all those accounts (attention: some users are actually legitimate and contributed valid content).
2.) Find out if there is any problematic IP and block those IPs.
3.) Install something like http://www.mediawiki.org/wiki/Extension:ConfirmAccount and/or maybe use both captcha and some context-specific question (honestly: if users don't know how to answer some slightly more tricky question, they shouldn't be able to get the account). We could use questions like "Last name of president of ConTeXt User Group."

I haven't been on wiki for a while and received a warning about the issue yesterday.

Mojca
3.) Install something like http://www.mediawiki.org/wiki/Extension:ConfirmAccount and/or maybe use both captcha and some context-specific question
Adding an actual captcha seems like the way to go; it may not prevent all automated account creations, but it clearly filters much better than a static list of questions with plain-text answers.

Arthur
On 04/05/2013 04:09 PM, Arthur Reutenauer wrote:
Adding an actual captcha seems like the way to go; it may not prevent all automated account creations, but it clearly filters much better than a static list of questions with plain-text answers.
... or have them write a letter of motivation and require three letters of recommendation from already renowned ConTeXt users ;-)
On Fri, 5 Apr 2013 15:59:47 +0200
Mojca Miklavec
some context-specific question (honestly: if users don't know how to answer some slightly more tricky question, they shouldn't be able to get the account). We could use questions like "Last name of president of ConTeXt User Group."
Uh... ? Why not some *really* tricky question like: "what keyword is to be used to right-justify?" :)

Alan
On Fri, Apr 5, 2013 at 3:43 PM, Philipp Gesang wrote:
Hi all,
I’d like to draw your attention to the wiki. The spammers appear to know the solution to the current entry barrier “What is usually the last command in a ConTeXt source file (without the backslash)?”, and the number of fake accounts is growing fast:
http://wiki.contextgarden.net/Special:Log/newusers
They don’t, however, seem to vandalize yet, so I guess the postal code of Hasselt is unbreakable with today’s technology ;-)
I spoke too soon (or maybe those guys read the list and view this discussion as a challenge?): http://wiki.contextgarden.net/Special:Contributions/TrenaLege
Nevertheless the account spam is messing up the recent changes feed:
http://wiki.contextgarden.net/index.php?title=Special:RecentChanges&feed=rss
Even if it’s not urgent, may I suggest we collect possible replacements for the current question? I can’t imagine the damage those accounts would do once they figure out how to post links.
It would probably be best to:
1.) Remove all those accounts (attention: some users are actually legitimate and contributed valid content).
2.) Find out if there is any problematic IP and block those IPs.
Careful as their IPs could be spoofed, you might end up blocking innocent users.
3.) Install something like http://www.mediawiki.org/wiki/Extension:ConfirmAccount and/or maybe use both captcha and some context-specific question (honestly: if users don't know how to answer some slightly more tricky question, they shouldn't be able to get the account). We could use questions like "Last name of president of ConTeXt User Group."
This could discourage people from fixing trivial stuff like misspellings. Maybe add a note that they should drop a mail to the list if they don’t know the answer.

Regards
Philipp

--
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
Hi Taco,

We're getting 3-12 new accounts created per day. If nothing else, they're cluttering up the recent changes list.

I think it's a good idea to update the security questions --- it's easy to do, it'll probably work, and we can always move on to stronger measures that require more work. Below are some replacement questions.

* If you have a log of which questions get answered correctly, perhaps only rotate out the bad question(s);
* If finding the cracked questions is nontrivial (i.e. more work than 'just open the log file and see which ones get answered every day'), just replace them all.

If this works, hooray; if it stops working, we can either change the questions again (if the spammers took long to get through) or move on to e.g. the ConfirmAccount extension [1,2] (if the questions got cracked quickly, so we are getting 'human' attention from the spammer instead of his bots).

[1] http://www.mediawiki.org/wiki/Extension:ConfirmAccount
[2] http://www.stargate-wiki.de/wiki/Spezial:Benutzerkonto_beantragen

Cheers,
Sietse

The proposed questions:

* What command indicates 'text starts here'? (Include the backslash.)
  \starttext
* What command is used to setup the bodyfont? (Include the backslash.)
  \setupbodyfont
* What is the last name (starts with K) of the man who created TeX?
  Knuth
* What is the first name (7 letters, starts with H) of Mr Zapf?
  Hermann
* How many letters does 'stoptext' contain? (Please type out the number as a word.)
  Eight
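The "rotate out only the cracked questions" check from the message above, as an added example that is not part of the original thread or of the wiki's own tooling. The log format (`date question-id result`), the question ids and both thresholds are assumptions made for illustration; the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample data in a hypothetical format: "date question-id result".
SAMPLE_LOG = """\
2013-04-22 q1 pass
2013-04-22 q1 pass
2013-04-22 q2 fail
2013-04-23 q1 pass
2013-04-23 q2 fail
2013-04-23 q3 fail
2013-04-24 q1 pass
2013-04-24 q2 pass
2013-04-24 q3 fail
2013-04-25 q1 pass
2013-04-25 q3 fail
"""

def parse(log_text):
    """Yield (day, question_id, passed) tuples; reject malformed lines."""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("pass", "fail"):
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        yield parts[0], parts[1], parts[2] == "pass"

def cracked_questions(log_text, min_day_fraction=0.75, min_pass_rate=0.9):
    """Return ids of questions answered correctly on most days and almost always."""
    days, attempts = set(), defaultdict(int)
    passes, pass_days = defaultdict(int), defaultdict(set)
    for day, qid, ok in parse(log_text):
        days.add(day)
        attempts[qid] += 1
        if ok:
            passes[qid] += 1
            pass_days[qid].add(day)
    flagged = []
    for qid in sorted(attempts):
        day_coverage = len(pass_days[qid]) / len(days)   # "answered every day"
        pass_rate = passes[qid] / attempts[qid]
        if day_coverage >= min_day_fraction and pass_rate >= min_pass_rate:
            flagged.append(qid)
    return flagged

if __name__ == "__main__":
    print("rotate out:", cracked_questions(SAMPLE_LOG))
```

The day-coverage condition carries the signal here: on a small wiki an easy question also has a high pass rate, but only a question known to the bots is answered correctly day after day.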
On Thu, 25 Apr 2013, Sietse Brouwer wrote:
We're getting 3-12 new accounts created per day. If nothing else, they're cluttering up the recent changes list.
I think it's a good idea to update the security questions --- it's easy to do, it'll probably work, and we can always move on to stronger measures that require more work. Below are some replacement questions.
* If you have a log of which questions get answered correctly, perhaps only rotate out the bad question(s);
* If finding the cracked questions is nontrivial (i.e. more work than 'just open the log file and see which ones get answered every day'), just replace them all.
If this works, hooray; if it stops working, we can either change the questions again (if the spammers took long to get through) or move on to e.g. the ConfirmAccount extension [1,2] (if the questions got cracked quickly, so we are getting 'human' attention from the spammer instead of his bots).
Confirm account means that a new user will not be able to quickly correct typos etc. Isn't there a simple way to add a captcha to mediawiki? I am not a big fan of Captchas, but they are the de facto standard for human verification. A user only has to do it once, so it is not too big of an annoyance either.

Aditya
Confirm account means that a new user will not be able to quickly correct typos etc. Isn't there a simple way to add a captcha to mediawiki?
Just found one (I had missed it when I sent my previous e-mail): http://www.mediawiki.org/wiki/Extension:ReCAPTCHA, nowadays merged into http://www.mediawiki.org/wiki/Extension:ConfirmEdit (which is not ConfirmAccount). ConfirmEdit can be configured to only present captchas to non-logged-in users, when they try to edit or create a page, or create an account. Might that be useful?

Or we could go old-school copy protection style: "What is the fifth word on page 120 of the TeXbook?" :-P

If we want to have a slightly higher barrier of entry: "Name one undocumented command that you recently heard about on the mailing list." ;-)

Cheers,
Sietse
On 26.04.2013 at 10:57, Alan BRASLAU wrote:
On Thu, 25 Apr 2013 23:52:56 +0200 Sietse Brouwer wrote:
Or we could go old-school copy protection style: "What is the fifth word on page 120 of the TeXbook?" :-P
\TEX
Maybe \TeX\ but not \TEX\ which is a \CONTEXT\ command and not available with plain \TeX.

Wolfgang
On 4/26/2013 10:57 AM, Alan BRASLAU wrote:
On Thu, 25 Apr 2013 23:52:56 +0200 Sietse Brouwer wrote:
Or we could go old-school copy protection style: "What is the fifth word on page 120 of the TeXbook?" :-P
\TEX
we could go for sound ... pronounce \TEX\ the right way .. only DEK could edit then

Hans

-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | voip: 087 875 68 74 | www.pragma-ade.com | www.pragma-pod.nl
-----------------------------------------------------------------
On 04/25/2013 07:31 PM, Sietse Brouwer wrote:
Hi Taco,
We're getting 3-12 new accounts created per day. If nothing else, they're cluttering up the recent changes list.
I think it's a good idea to update the security questions --- it's easy to do, it'll probably work, and we can always move on to stronger measures that require more work. Below are some replacement questions.
Yes, I had already contacted Mojca a couple of weeks ago.

I think we should demand that all questions be answered in Dutch. Every serious ConTeXter has to know some Dutch, and nothing better than asking "What is the ConTeXt keyword for a two-sided layout" and expecting "dubbelzijdig" as an answer. If that doesn't help, we make them pronounce it...

Thomas
On Thu, 25 Apr 2013 20:19:41 +0200
"Thomas A. Schmitz"
I think we should demand that all questions be answered in Dutch. Every serious ConTeXter has to know some Dutch, and nothing better than asking "What is the ConTeXt keyword for a two-sided layout" and expecting "dubbelzijdig" as an answer. If that doesn't help, we make them pronounce it...
++ (One can always look in mult-def.lua in order to cheat, but this won't help me with the pronunciation)

Alan
Hello,
On Thu, 25 Apr 2013 20:19:41 +0200, Thomas A. Schmitz
On 04/25/2013 07:31 PM, Sietse Brouwer wrote:
Hi Taco,
I think it's a good idea to update the security questions --- it's easy to do, it'll probably work, and we can always move on to stronger measures that require more work. Below are some replacement questions.
Yes, I had already contacted Mojca a couple of weeks ago. I think we should demand that all questions be answered in Dutch. Every serious ConTeXter has to know some Dutch,
even though I consider myself a serious Ctx user, Dutch is still Greek to me.
and nothing better than asking "What is the ConTeXt keyword for a two-sided layout" and expecting "dubbelzijdig" as an answer.
Google translator would help in this case (http://translate.google.com/#en/nl/doublesided); but having a "more complicated keyword/option" may mean an unanswered/unanswerable question...

How about to prompt the user to encode a displayed math, e.g. "b/a2^3" to be answered "$\frac{b}{a_2^3}$"?

Best regards,
Lukas
If that doesn't help, we make them pronounce it...
Thomas
--
Ing. Lukáš Procházka [mailto:LPr@pontex.cz]
Pontex s. r. o. [mailto:pontex@pontex.cz] [http://www.pontex.cz]
Bezová 1658
147 14 Praha 4
Tel: +420 244 062 238
Fax: +420 244 461 038
On 04/26/2013 08:31 AM, Procházka Lukáš Ing. - Pontex s. r. o. wrote:
even though I consider myself a serious Ctx user, Dutch is still Greek to me.
How about to prompt the user to encode a displayed math, e.g. "b/a2^3" to be answered "$\frac{b}{a_2^3}$"?
Well, in that case, I'd actually prefer Greek - "write line 222 of book 2 of the Odyssey in its original Greek," or something like that... Seriously, I guess I'm not alone when I say I never use math. But I agree something has to be done...

Thomas
Hi,

Currently we are using QuestyCaptcha w/ ConfirmEdit. This is definitely supposed to be safer than bitmap images unless the images become so complex that even humans get it wrong, which has happened for me on various sites and is the most annoying thing in, like, ever!

I do not mind adding new questions and/or replacing all of them, but it is a bad idea to send the new ones to the mailing list, since somehow a spamnet seems to have found the answers and I doubt that they actually went to the trouble of looking up the answers on pragma-ade.com (but then again, weirder stuff has happened).

For now, I will quickly invent some of my own questions.

Best wishes,
Taco
participants (13)
- Aditya Mahajan
- Alan BRASLAU
- Arthur Reutenauer
- Hans Hagen
- Leo Arnold
- luigi scarso
- Mojca Miklavec
- Philipp Gesang
- Procházka Lukáš Ing. - Pontex s. r. o.
- Sietse Brouwer
- Taco Hoekwater
- Thomas A. Schmitz
- Wolfgang Schuster