New security question

Broken link? Feature request? Anything related to the Spectrum Computing website here.
R-Tape
Site Admin
Posts: 6469
Joined: Thu Nov 09, 2017 11:46 am

New security question

Post by R-Tape »

If anyone has any good ideas for a new security question (for newly registering members) could they send me a PM with their suggestions please.

More spambots are getting through these days. Maybe they're getting smarter or our 'Ultimate game' question is on a list?

Could you PM specific suggestions rather than posting the Q & A publicly, in case it compromises its security (I obviously have no idea how these things work!).
R-Tape
Site Admin
Posts: 6469
Joined: Thu Nov 09, 2017 11:46 am

Re: New security question

Post by R-Tape »

Just bumping this. Does anyone else have any suggestions (PM them)?
spider
Dynamite Dan
Posts: 1104
Joined: Wed May 01, 2019 10:59 am
Location: Derby, UK

Re: New security question

Post by spider »

R-Tape wrote: Wed Jul 07, 2021 2:36 pm Just bumping this. Does anyone else have any suggestions (PM them)?
Several ;) (joking) but they are not relevant to the question asked.

I never noted the original topic when it was posted, sorry, or I'd have answered then.

On topic: I'll fire you a quick PM now...
R-Tape
Site Admin
Posts: 6469
Joined: Thu Nov 09, 2017 11:46 am

Re: New security question

Post by R-Tape »

Cheers for the responses so far all.

More suggestions welcome. We're after something similar to the current 'Favourite Ultimate Game' question. Something that isn't easily googled by a bot, appropriate for virtually all potential real users (so can't be too niche, too specific to a particular country, or too technical etc). The Ultimate one is particularly good (though unfortunately less effective over time) as 'ultimate' is ambiguous, whereas say, "Mirrorsoft" is not.

Also - no suggestions about which INK colour Sam Fox's hair is.

Feel free to post joke suggestions in this thread (PM real ones) to keep it bumped for a bit :–)
1024MAK
Bugaboo
Posts: 3145
Joined: Wed Nov 15, 2017 2:52 pm
Location: Sunny Somerset in the U.K. in Europe

Re: New security question

Post by 1024MAK »

What is the colour of R-Type's hair and face: both before and after he embarrasses himself :lol:

On a more serious note, does the system ask just one question, or can it, say, ask three questions?

So for example can you ask a games question, a simple model/hardware question and a general question?

Mark
:!: Standby alert :!:
“There are four lights!”
Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb :dance
Looking forward to summer later in the year.
Ast A. Moore
Rick Dangerous
Posts: 2643
Joined: Mon Nov 13, 2017 3:16 pm

Re: New security question

Post by Ast A. Moore »

1024MAK wrote: Wed Jul 07, 2021 4:30 pm On a more serious note, does the system ask just one question, or can it say, ask three questions?
Too many questions may deter real people by being tedious and lengthening the registration process.
But you’re right, we might have to come to something like this. Bots are getting smarter every day.
Every man should plant a tree, build a house, and write a ZX Spectrum game.

Author of A Yankee in Iraq, a 50 fps shoot-’em-up—the first game to utilize the floating bus on the +2A/+3,
and zasm Z80 Assembler syntax highlighter.
1024MAK
Bugaboo
Posts: 3145
Joined: Wed Nov 15, 2017 2:52 pm
Location: Sunny Somerset in the U.K. in Europe

Re: New security question

Post by 1024MAK »

Ast A. Moore wrote: Wed Jul 07, 2021 4:40 pm
1024MAK wrote: Wed Jul 07, 2021 4:30 pm On a more serious note, does the system ask just one question, or can it say, ask three questions?
Too many questions may deter real people by being tedious and lengthening the registration process.
But you’re right, we might have to come to something like this. Bots are getting smarter every day.
The alternative is to require all new registered members to have their first three or five (or other agreed number of) posts go in the moderation queue and await approval by a moderator. That’s what happens on Sinclair ZX World.

Mark
redballoon
Manic Miner
Posts: 392
Joined: Sun Nov 12, 2017 3:54 pm

Re: New security question

Post by redballoon »

Well, it's obvious, innit?

Image
manicminerfan001
Drutt
Posts: 7
Joined: Fri Jun 11, 2021 11:25 am

Re: New security question

Post by manicminerfan001 »

Pm’d a few. Easy really! 😂
AndyC
Dynamite Dan
Posts: 1430
Joined: Mon Nov 13, 2017 5:12 am

Re: New security question

Post by AndyC »

Is there any way it could involve using a Lens Lok?
Juan F. Ramirez
Bugaboo
Posts: 5148
Joined: Tue Nov 14, 2017 6:55 am
Location: Málaga, Spain

Re: New security question

Post by Juan F. Ramirez »

We must use a cunning question that disorients them, for example:

Who's the most elegant man of this group?
Image

They'll never guess it! :mrgreen:
patters
Manic Miner
Posts: 472
Joined: Thu Apr 11, 2019 1:06 am

Re: New security question

Post by patters »

That is brilliant :lol:
spider
Dynamite Dan
Posts: 1104
Joined: Wed May 01, 2019 10:59 am
Location: Derby, UK

Re: New security question

Post by spider »

The fun ideas about the codesheet card (please not multipage ones aka JSW2) and Lenslok are fun but not practical. The latter especially lol, I never could get that thing to work when I tried it once many years back.

The idea of moderation of the first few posts is a sensible one. There was a time when (other software) would not stop their posts unless they contained links; however, spammers have figured out ways around this unfortunately. The only downside of this is you then require members with moderator access to be able to check said posts. By this I mean, within reason, a new member should probably not have to wait x hours for their posts to be approved; this can be a turn-off. I've visited sites in the past where it's taken a day or so for someone to approve a genuine post or two, and to a new member it is off-putting, especially if they have registered for help with their new/old/rediscovered and broken hardware etc.

As I put in a PM earlier you'll only ever get say 95% of them due to the human erm "involvement" in some cases. KeyCap as mentioned is still decent, I use it.

In regards to Sinclair specific questions these should not be too difficult as the scene attracts new people who may not have much if any background knowledge about models or software houses etc. Ideally if such a thing is used the QA must accept multiple answers or perhaps not be case sensitive (the former is preferable, I'll not say why here but it was in the PM with a reason)

In summary to the above: There's a delicate balance (there always was and always will be) between putting spammers off and not making it too much trouble for new registrants too. Multiple hoops to jump through is usually a no no in most cases.
akeley
Dynamite Dan
Posts: 1070
Joined: Sat Feb 01, 2020 5:47 pm

Re: New security question

Post by akeley »

Not sure if it's possible in this forum soft but I've seen other sites display an image, and a related multiple-choice question (e.g. photo of a +2A and a few possible answers).

But overall I agree that it's probably best to make it very mild, unless the threat level is really high. An odd bot getting through now and then is not the end of the world, sometimes they can be even amusing (the latest ones can scan forums and make very believable posts).
spider
Dynamite Dan
Posts: 1104
Joined: Wed May 01, 2019 10:59 am
Location: Derby, UK

Re: New security question

Post by spider »

akeley wrote: Wed Jul 07, 2021 9:39 pm Not sure if it's possible in this forum soft but I've seen other sites display an image, and a related multiple-choice question (e.g. photo of a +2A and a few possible answers).
I'm aware of this, but it's (imo) only effective if at least say a dozen images are shown. Too few allows by chance it to work, and too many will annoy.

I know the one you mean, you're shown a row of thumbnails then asked to either via a dropdown pick which is say "a television" or via clicking it.
akeley wrote: Wed Jul 07, 2021 9:39 pm But overall I agree that it's probably best to make it very mild, unless the threat level is really high.
Yes I concur.


On a slightly different note (admins) it may be worthwhile blocking some well-known temporary or spam TLDs for emails, at least the common ones. Potential to cause issues if more than say 100 (!) are installed, specifically PHP can throw a compilation error iirc or at least it could do on older PHP versions, but that's something for another topic if warranted. Just wanted to throw my extra bit into this topic as it's security related.

I have some other ideas too but they are probably best sent via PM at some point.
Stefan
Manic Miner
Posts: 823
Joined: Mon Nov 13, 2017 9:51 pm
Location: Belgium

Re: New security question

Post by Stefan »

AndyC wrote: Wed Jul 07, 2021 6:36 pm Is there any way it could involve using a Lens Lok?
Brilliant - and doable - see Si's LensKey :-)
Sol_HSA
Microbot
Posts: 162
Joined: Thu Feb 04, 2021 11:03 am
Location: .fi

Re: New security question

Post by Sol_HSA »

Blocking bots is doable.. write a virtual lens lock for example, that would be too custom for a generic bot solution.

The real problem is click farms. Real people paid to register on popular forums and make a few legit looking posts over time, and then post spam links, possibly by editing old posts or signatures.

When I was moderating one game's forum I'd notice some of these easily, while others were trickier; you'd have to look at a user's post history and see that while a single post would look fine, in context the whole input would be ambiguous. Like posts of "thanks for posting this, I had the same problem", or "I still can't find the key, any more hints?", etc.

Periodically I'd purge the user base of n month old accounts with zero posts and would notice that a lot of those accounts had a lot in common - nothing a script would spot, but a human does. The click farms would make these accounts, let them sit for a while and then start posting, as older accounts seem more credible.

And all of this was with custom registration questions.
arjun
Microbot
Posts: 153
Joined: Sat Sep 19, 2020 7:34 am
Location: India

Re: New security question

Post by arjun »

Instead of a security question, what about using captchas? I hate them but they can be effective against bots if the subject is esoteric enough. In our case, it could be something along the lines of "identify speccy games in the pictures" from a list of game pics. Or summat.
zup
Manic Miner
Posts: 215
Joined: Wed Jul 08, 2020 8:42 am

Re: New security question

Post by zup »

I'd like to see a captcha showing different sprites, and the user having to choose the ones made in ZX Spectrum. The other sprites should have features that are not possible (i.e.: "brick" pixels like CPC or A2600, more colours than possible or strange colours like C64 ones).

Another suggestion... why not make a set of 10 or 12 different questions and choose a different one every time?
8BitAG
Dynamite Dan
Posts: 1501
Joined: Sun Dec 17, 2017 9:25 pm

Re: New security question

Post by 8BitAG »

Please don't make it too difficult for people who are interested in the Spectrum, but aren't necessarily Spectrum gurus, to register on the forum. I regularly visit and post in forums for machines that I definitely wouldn't be able to answer some of the types of questions being suggested here.
8-bit Text Adventure Gamer - games - research.
PeterJ
Site Admin
Posts: 6931
Joined: Thu Nov 09, 2017 7:19 pm
Location: Surrey, UK

Re: New security question

Post by PeterJ »

Hi 8BitAG,

Good points made. Most of the above are 'joke' suggestions that R-Tape suggested be posted to keep the thread 'live'. Serious ones need to be sent by PM. It will be good to get a number of responses so we have a stock of questions.

It will just be a single question as before. The forum does allow multiple questions, but I think that is going beyond what we need. The plugin for this feature offers some very good advice.
These questions should be easy for your target audience to answer but beyond the ability of a bot capable of running a Google™ search. Only a single proper question is necessary. If you start receiving spam registrations, the question should be changed. Enable the strict setting if your question relies on mixed case, punctuation or whitespace.
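
The strict-versus-lenient matching in the plugin advice quoted above, together with the multiple accepted answers and the rotating pool of questions suggested earlier in the thread, looks like this in code. This is an added example, not part of the thread and not the forum plugin's code; the questions, answers, function names and the reading of "strict" as exact matching are assumptions.

```python
import hmac
import secrets
import string
import unicodedata

# Constructed question pool: questions and answers are placeholders, not the forum's.
QUESTIONS = [
    {"q": "Type this word exactly as shown: Spectrum",
     "answers": ["Spectrum"], "strict": True},
    {"q": "Which company made the ZX Spectrum?",
     "answers": ["Sinclair", "Sinclair Research", "Sinclair Research Ltd"],
     "strict": False},
]

_PUNCT = str.maketrans("", "", string.punctuation)


def normalize(text, strict):
    """Strict keeps case, punctuation and spacing; lenient ignores all three."""
    text = unicodedata.normalize("NFKC", text)  # fold full-width/compat forms
    if strict:
        return text
    return " ".join(text.translate(_PUNCT).casefold().split())


def check_answer(question, submitted):
    """True if the submission matches any accepted answer for this question."""
    got = normalize(submitted, question["strict"]).encode("utf-8")
    ok = False
    for accepted in question["answers"]:
        want = normalize(accepted, question["strict"]).encode("utf-8")
        # Compare against every answer, in constant time per comparison.
        ok |= hmac.compare_digest(got, want)
    return ok


def pick_question():
    """Rotate questions per registration so one leaked answer is worth less."""
    return secrets.choice(QUESTIONS)
```

In lenient mode a real user who types "sinclair research ltd." with stray spaces still gets in, while the strict question rejects "spectrum" in lower case, which is the trade-off the advice describes.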
spider
Dynamite Dan
Posts: 1104
Joined: Wed May 01, 2019 10:59 am
Location: Derby, UK

Re: New security question

Post by spider »

8BitAG wrote: Thu Jul 08, 2021 7:06 am Please don't make it too difficult for people who are interested in the Spectrum, but aren't necessarily Spectrum gurus, to register on the forum. I regularly visit and post in forums for machines that I definitely wouldn't be able to answer some of the types of questions being suggested here.
Yes I agree. This was something I touched on in one of my replies. It must not be difficult for a new or "non ZX" user to be able to register. I mean I know very little to nothing about say Atari machines and if I had to answer 'history or tech' questions to register on one of their forums, I'd struggle and have to Google, and probably "look elsewhere unless I really needed that site", you know what I mean anyway, as in if I was asked how much RAM machine xyz had or something I'd be completely baffled.
PeterJ wrote: Thu Jul 08, 2021 7:42 am It will just be a single question as before. The forum does allow multiple questions, but I think that is going beyond what we need. The plugin for this feature offers some very good advice.
These questions should be easy for your target audience to answer but beyond the ability of a bot capable of running a Google™ search. Only a single proper question is necessary. If you start receiving spam registrations, the question should be changed. Enable the strict setting if your question relies on mixed case, punctuation or whitespace.
I'd agree only in certain circumstances multiple questions aka "hoops" are needed, and in those cases ideally it would be a simple (not a nasty Captcha method) question combined with a "pick the correct pic" type of thing but should not be needed.

Depending on the question itself (and the answer really) if it allows multiple "correct" answers it may be worthwhile permitting these in some cases. However I did put in a PM as to why this was not always a great idea, does depend on the "question in question" (see what I did there!) though. It's far better to state in the question if you require the answer to be all upper or lower case or suchlike.

That 'doc' text actually looks quite similar to things I used to write :o (different platform though), but the advice is sound. Talking of which, always try to avoid an audio captcha too unless it's merely an option, should not be a first choice as some people hate them. Dropdowns with answers also not great as too many puts people off and too few makes it too easy for bots.
catmeows
Manic Miner
Posts: 720
Joined: Tue May 28, 2019 12:02 pm
Location: Prague

Re: New security question

Post by catmeows »

Why not just use a picture with a simple equation like '22+5=?' and ask for the result?
Proud owner of Didaktik M
spider
Dynamite Dan
Posts: 1104
Joined: Wed May 01, 2019 10:59 am
Location: Derby, UK

Re: New security question

Post by spider »

catmeows wrote: Thu Jul 08, 2021 6:23 pm Why not just use a picture with a simple equation like '22+5=?' and ask for the result?
Am pleased you said picture (this is 100 times better than text!) but advanced script bots won't have a great deal of trouble dealing with a simple maths question as they will likely be able to 'read' (OCR) the characters out.

I did send a 'workaround' for this in a PM yesterday that does (did?) work reasonably well if needed.


Mentioning characters, I'm not a fan of highly obscure font or obfuscation of lettering/words, aka early type of Captchas, as it's hard for some with poor eyesight to deal with. They did work "back in their day" but these days much better options. I don't mean there's anything wrong with using a different font for it but it needs to be legible. Size variance won't affect a bot either actually in most cases.
R-Tape
Site Admin
Posts: 6469
Joined: Thu Nov 09, 2017 11:46 am

Re: New security question

Post by R-Tape »

Thanks for the suggestions all. For now we're just going to try the easier option of changing the question (we're going with one of those made by PM so ta for that). If that doesn't do the trick we'll look into pictures, captchas etc later.

...and if that doesn't work then we'll insist on sending us a selfie holding today's newspaper in one hand, and your real Spectrum in the other.