Captcha and other security measures

thermalben started the topic in Tuesday, 3 Jan 2017 at 3:52pm

We've been aware of some problems posting on the site in recent months (can't post some links or words, and also sometimes require users to go through a heavy security process just to post a comment).

Although we actually haven't made any specific changes at our end, we did update some of our server software and this automatically created new security "rules" for form/comment posting. This has mainly been required to stamp out SPAM registrations and the like (you may occasionally see these bot-posts, which we delete as soon as we come across 'em).

Anyway, we realise it's been a pain in the arse, and we're sorry. We value everyone's contributions and want to make sure it's very easy to get your thoughts into our articles and forums.

As such, we're making some changes to the security software behind the scenes. 

First of all - we're swapping out the old "Captcha" software with Google's new "reCaptcha" (sounds the same but is a lot easier). Hopefully commenting won't require you to pass any security measures at all, if you've been a member for long enough.

However if you're still experiencing problems, or if it seems like it's not working properly, please let us know in this thread so that we can follow it up. This way we'll create a much better experience for all users.  

thermalben commented Tuesday, 3 Jan 2017 at 7:22pm

I see the reCaptcha tick box below the comment box too.

thermalben commented Tuesday, 3 Jan 2017 at 7:23pm

Interestingly, I only seem to see it once (per session I assume).

wingnut2443 commented Wednesday, 4 Jan 2017 at 4:58pm

Yep - I'm well and truly over the f u c k i n g captcha S H I T ... as a registered user of several years it is a pain in the arse. Sure, make it so for new users, but once a time period or number of comments / posts surely you can turn the "security measures" off?

I'll check back in a few months when you figure it out.

Just took me WAY too long to comment again. I'm over it.

Surfboard Design and Construction Kook. Evidence is here: www.ffwsurfboards.com.au
*FFW - Few Fun Waves ... that's what it's all about for me.

zenagain commented Wednesday, 4 Jan 2017 at 5:20pm

I don't seem to have a problem with it.

Is it geographical?

Watashi wa metabo oyagi desu.

thermalben commented Wednesday, 4 Jan 2017 at 5:12pm

Shouldn't have taken very long at all this time 'round. 

The new system uses Google's "reCaptcha" - you'll initially see this square box next to the "comment" button:

And then once you tick the "I'm not a robot" box, you can then press "Comment" (you'll see the box display a green tick, like this):

Then, after that you won't have to go through this process any more (my understanding is that it's once per day). It's essentially one extra mouse click per day.

If you're experiencing something other than this, please let me know.

thermalben commented Wednesday, 4 Jan 2017 at 5:14pm

Nothing geographical Zen. Should treat everyone the same.

However, there's a possibility that if you're trying to fly under the radar (hidden IP, Chrome Incognito, etc) then it may throw up more challenges as it may suspect that you're a threat. I don't know - every major website is using the same technology so we figured it was best for us too.

swab commented Wednesday, 4 Jan 2017 at 5:20pm

sorry for the late reply tb. with the clickjack thing, it happens on vimeo but not on youtube clips. Nothing to worry about your end, I use no-script which tells you of any potential clickjack threat. I'd say it's a vimeo tracking thing. Anyways the site looks good after the makeover.

zenagain commented Wednesday, 4 Jan 2017 at 5:23pm

Hmmm...

I edited out the rude words above.

I've only had to click once and that was a few days ago if I can recall. All seems to be working well, certainly not a daily thing.

Smooth running from my part of the world.

Watashi wa metabo oyagi desu.

thermalben commented Wednesday, 4 Jan 2017 at 5:25pm

Thanks Swab. As you can imagine, we don't have any control over YouTube and Vimeo content. We simply embed the videos into Swellnet (like everyone else). So it looks like it's something to do with your software.

thermalben commented Wednesday, 4 Jan 2017 at 5:26pm

Zen, shouldn't have any effect if there are rude words or not. The Captcha software is more interested in malicious posts and dodgy links than anything else.

zenagain commented Wednesday, 4 Jan 2017 at 5:30pm

Just that Donweather said the other day he couldn't write sh1t and Wingy is Spacing out his swearwords. Thought it might have been some sort of net-nanny thing that some corporates use?

Anyway, fwiw all good here and I like the fresh look of the update.

Watashi wa metabo oyagi desu.

zenagain commented Wednesday, 4 Jan 2017 at 5:44pm

Ben, found a problem.

Can't open my surf report/forecast for Japan.

Can get to Honshu but the regions won't open. I've tried on my pc and phone. I touch on Honshu and a kind of half space drops down but won't go any further.

Edit: I can open the regions, have to right click on my pc or hold and pause on my phone to open a new tab to see the regional forecasts.

It's not seamless like it was. Importantly, I can still get the forecast though.

Watashi wa metabo oyagi desu.

swab commented Wednesday, 4 Jan 2017 at 5:41pm

cheers tb. yeah it's a mozilla add on. works well, sometimes too well.

sypkan commented Wednesday, 4 Jan 2017 at 5:44pm

As pointed out elsewhere I'm negative and full of hate, despite this, I'm finding recaptcha a vast improvement. So thanks for that.

Though it did make me go through the silly pictures thingy a few times initially. Being so hateful, I see this as an opportunity for a bit of negative indulgence to point out the fundamental design flaws of said software, that probably makes it so annoying.

eg. It asks me 'click on the squares that have street signs'. Well I hate to be pedantic (but hate is what I do) so, do I click the squares that have poles holding up the street signs? do I include the square next to the square with the yellow sign that has the back of a street sign? etc. etc.

For the tree one, do I include the trunk of the trees? etc. Not being a smart arse I just don't think the computer geeks have fully thought it through and think this may be causing difficulties for some users.

thermalben commented Wednesday, 4 Jan 2017 at 6:06pm

Zen - yeah that bug cropped up yesterday. We'll have a fix in place ASAP.

thermalben commented Wednesday, 4 Jan 2017 at 6:11pm

Sypkan, I think it makes you do this once if it's a little suspect on your profile (as mentioned above, using Incognito, or other browser ad-blocking software).

I'm not 100% sure on this, but if I test in regular Chrome, I don't see anything - but if I switch to Incognito then it also makes me choose street signs (or similar). But, it only makes me do this once. After that I don't have to do a reCaptcha confirm again.

My gut feeling is that over time the software will eventually get better at knowing what are real risks, and what are not.

That being said, we're looking to implement some code that essentially removes this process if you're a known, identifiable user (i.e. Swellnet Pro registered, or have a post count above 50, or similar). Being a small community (rather than a huge database like Facebook), almost all of the problems we have are related to new users that are SPAM accounts.

sypkan commented Wednesday, 4 Jan 2017 at 7:42pm

Yeh I get that, and it's working good for me now, but as I said it took a few times through different assortments of pictures, and now it leaves me alone...praise the gods.

though I've found this thing rather annoying on other sites. how would you interpret 'choose the squares with street signs'

Do you include the squares with only posts for signs?

Do you include the squares with only the grey backs of street signs?

Do you include squares with only the trunk of a tree?

I'm just curious more than anything

thermalben commented Wednesday, 4 Jan 2017 at 8:14pm

I have no idea which ones to include.. I suppose if you get it wrong you'll know!

sypkan commented Wednesday, 4 Jan 2017 at 8:21pm

Yeh, three times, until its request was not so ambiguous

thermalben commented Monday, 9 Jan 2017 at 11:47am

And... here's an example of the SPAM we're trying to stop.

This one happened overnight, and spammed six different articles - often replying to someone else's comments. So this means potentially six Swellnet users received email "replies" to their post with this content attached.

And as this was posted at 12:26am, there were no Swellnet staff online to take it down (so it remained online until I got up around 5am).

Overall, we're in a major better position from where we were several months ago, when we were getting 300-400 fake registrations per DAY (which had to be painstakingly removed in a manual process, so that we didn't also delete new genuine registrations). So, if I went three days without removing the new SPAM registrations, there'd be over a thousand. Etc etc. And the solution we had (another software called Mollom) wasn't very good IMO.

But even now, it's still a pain in the arse. And it shows that even Google's superior reCaptcha technology can still be thwarted by the SPAM bots.

GuySmiley commented Monday, 9 Jan 2017 at 4:01pm

I have been sent this twice in the last 24 hours and have now blocked their email address [email protected]. Is there any way you can universally block that one Ben?

Anyway, I was really annoyed, there is no way I am going to work for $77 per hour!

thermalben commented Monday, 9 Jan 2017 at 4:21pm

Blocking [email protected] means you won't get other emails from us.. just keep that in mind. Otherwise, I don't have a workaround at the moment, sorry.

GuySmiley commented Monday, 9 Jan 2017 at 5:04pm

ooops, I've emailed you Ben

thermalben commented Tuesday, 10 Jan 2017 at 12:19pm

Have replied Guy.

wingnut2443 commented Friday, 1 Feb 2019 at 7:07am

Would love to comment more on some of these articles, but, FMD the login 'captcha' BS is just way too much of a PITA. Surely you can come up with a better system?

Surfboard Design and Construction Kook. Evidence is here: www.ffwsurfboards.com.au
*FFW - Few Fun Waves ... that's what it's all about for me.

lostdoggy commented Friday, 1 Feb 2019 at 7:11am

If you comment more often, the security measures go away.

wingnut2443 commented Sunday, 3 Feb 2019 at 7:44am

Really?

I posted regular comments and really tried when the stupid CAPTCHA thing was first installed, and it never seemed to go away. Don't know why. It was bloody annoying so logging in to comment wasn't worth it (and now still isn't).

Surely once you're a registered user (and been vetted by the registration process) there is no need for the CAPTCHA when you login and post a comment.

My $0.02 worth aren't worth that much, so no loss really.

Surfboard Design and Construction Kook. Evidence is here: www.ffwsurfboards.com.au
*FFW - Few Fun Waves ... that's what it's all about for me.

thermalben commented Sunday, 3 Feb 2019 at 8:02am

Unfortunately, at the moment we don't have control over the Captcha system. Crazy, but we've spent hours and hours looking into it and it's a byproduct of the support company we are currently with.

We are however making some changes to our hosting environment in the next month that will hopefully remove it completely for registered users who have satisfied a couple of requirements. I wish it were an easy fix (as it's annoying for us to waste time on it), but our hands are tied.

FWIW, my understanding is that if you're logged into a Google account (email or similar) in the same browser, the Captcha system doesn't show anywhere near as much, if at all (this is because it's owned by Google).

wingnut2443 commented Sunday, 3 Feb 2019 at 8:31am

I use direct login, in a cache clearing web browser (Firefox). Using the same laptop I do for work / business I can ill afford virus, hacks, etc so take the precaution to use a cache clearing system.

As I said, the control mechanism is in the 'registered user' system. Until you resolve it, it's easier to not comment. My $0.02 worth not that much anyway, so no loss really anyway.

And, PS: FWIW - no google account, or e-mail here.

Surfboard Design and Construction Kook. Evidence is here: www.ffwsurfboards.com.au
*FFW - Few Fun Waves ... that's what it's all about for me.

thermalben commented Sunday, 3 Feb 2019 at 8:35am

Caching could be the issue. We've identified that as being responsible for other problems too (saving log in details etc).

Everyone's opinion is valid though, we take it all on board and try to fix what we can.

However, although we had a glut of Captcha related problems some time ago (twelve months?) we haven't had any other feedback since - so we presumed it's working OK for most users.