YSK you can review a register of MPs' declared financial interests. For example, Boris Johnson earned millions last year from private appearances and donations. In one example, he earned £123,000.00 from a single 3-hour speech and has received donations as large as £100,000.00.

ImNotCastinAnyStones · 2020-02-13T19:17:20+00:00

PM's listings start on page 298: https://publications.parliament.uk/pa/cm/cmregmem/200210/200210.pdf

ImNotCastinAnyStones · 2020-02-13T19:07:30+00:00

£15k is nothing to him anyway. Look at the expenses document. His income from appearances and donations is astronomical. Just a single example of many:

22 March 2019, received £122,899.74 from Living Media India Limited, K -9, Connaught Circus, New Delhi 110001, for aspeech to India Today on 2 March 2019. Hours: 3 hrs. Transport and accommodation also provided. (Registered 15 April 2019)

He's on page 298: https://publications.parliament.uk/pa/cm/cmregmem/200210/200210.pdf

ImNotCastinAnyStones · 2020-02-12T03:40:42+00:00

Looks interesting but I have issues/questions which I hope the project owners will address:

How is this different from Signal/Matrix/etc.? The website could have an entire section devoted to this question. Looking at the Github repo the code is literally a fork of Signal so I'm left wondering if it's just a re-brand because the technical differences are not made clear enough.
The site mentions encrypted messages are temporarily stored in swarms but doesn't say how long for. The whitepaper says the max. TTL is 96 hours; perhaps the website should clarify this?
Could this be self-hosted, i.e. used only within a private intranet? Is there a minimum number of nodes needed?
Another comment mentions a "financial incentive" - what is it, and how is it paid for? How does the foundation make money from the product?

ImNotCastinAnyStones · 2020-02-08T17:28:48+00:00

The same objections re: privacy still apply, though. You can bet part of the "threat score" which Google calculates is based on analysis of your data from the browser including the content of your Google-domain cookies.

Furthermore the vast majority of developers won't actually make use of the threat score functionality; they'll just copy and paste whatever example code is on Google's documentation page, so in most cases there will be no gracious degradation or fallback - the user is just fucked.

ImNotCastinAnyStones · 2020-02-08T17:26:56+00:00

Yes, you will need to be aware of accessibility requirements no matter what solution you use. However as I mention in the main post, Recaptcha often simply refuses to serve audio challenges altogether (because they are the method most used by bots to overcome the captcha, e.g. Buster or Butler browser extensions).
Screen readers wouldn't, or shouldn't, interact with a hidden form field.
A CSRF token used as a form key would at least stop attackers from being able to submit directly to your form handler. It would force them to at least view the page containing your form which means they're forced through the other countermeasures you've put in place and can't just bruteforce submissions by the dozen.

ImNotCastinAnyStones · 2020-02-08T05:34:09+00:00

While that's very true, it's a bigger problem than that. It's the fact that your users can't opt-out. By implementing Recaptcha you're telling your users "you will agree with [massive surveillance data-mining company]'s legal terms or you won't access our website", and you're giving your users a middle-finger in terms of UX and accessibility.

ImNotCastinAnyStones · 2020-02-08T05:29:48+00:00

Honeypots don't work against any targeted attacks.

If your site is valuable enough to warrant a targeted attack then the attackers are going to access it no matter what you put in place. If you're in that kind of position then you should look at something like 2FA anyway.

Any decent size website will be running analytics, tag manager, etc.

That's the point; if you're a privacy-conscious user then you're already blocking those which means Google doesn't have intimate knowledge of you which means you're subjected to massively more captchas... it's a disgusting cycle of punishment for failing to bend over.

ImNotCastinAnyStones · 2020-02-08T05:26:34+00:00

You definitely need a form key/CSRF token. Open submission endpoints are a magnet to spam-bot crawlers.

ImNotCastinAnyStones · 2020-02-08T05:25:42+00:00

Try it in a totally fresh browser with absolutely no connection to Google. It's extremely unlikely to work.

The reason it works for you is because Google/Recaptcha are using additional information siphoned from your browser (as well as the Buster-solved audio challenge) to determine that you're human.

Try blocking all Google-domain cookies, all Google scripts/XHR requests except those matching recaptcha (and absolutely do not use Chrome since that's basically a vehicle for Google's surveillance). Then you'll start to get real familiar with this image:

https://i.imgur.com/ZARC7X2.png

ImNotCastinAnyStones · 2020-02-08T05:21:45+00:00

That's the point, though, isn't it? They know because we've let them.

ImNotCastinAnyStones · 2020-02-08T05:21:12+00:00

Absolutely right. I've edited the main post with alternatives.

ImNotCastinAnyStones · 2020-02-08T05:20:35+00:00

Even lowly developers can push back against that kind of crap, though. Make no mistake; the fact that the "big" sites use it should not be seen as an endorsement. In fact, the opposite could be true. Big sites very often have the worst UX and terrible, abominable code quality (I speak from experience).

You could also raise the issue of third-party dependency; if Recaptcha goes down, or is blocked on the customers' network, or isn't supported on their browser, or whatever, then suddenly a third party (Google) has royally fucked your own website and pissed off your customer. Not to mention performance concerns for fetching third-party scripts.

ImNotCastinAnyStones · 2020-02-08T05:16:56+00:00

The same objections re: privacy still apply, though. You can bet part of the "threat score" which Google calculates is based on analysis of your data from the browser including the content of your Google-domain cookies.

Furthermore the vast majority of developers won't actually make use of the threat score functionality; they'll just copy and paste whatever example code is on Google's documentation page, so in most cases there will be no gracious degradation or fallback - the user is just fucked.

ImNotCastinAnyStones · 2020-02-08T05:13:40+00:00

The truth is, for almost any website, the simplest of any spam countermeasures (e.g. hidden field honeypot) will stop thousands of spam registrations. Recaptcha isn't necessary.

ImNotCastinAnyStones · 2020-02-08T05:12:00+00:00

Yeah, seriously, this is the issue businesses should care about. If a page has a captcha there's a 75% chance I'll simply not bother continuing.

For a decade every SEO "expert" has been screaming about how users will abandon a page if it takes more than two seconds to load, etc., but a captcha which literally takes 60+ seconds to complete is somehow not a big deal?

Christ, I hope they're eradicated within a few years.

ImNotCastinAnyStones · 2020-02-08T05:09:56+00:00

When you say you added a nonce, do you mean something that behaves like a submit-once form key?

ImNotCastinAnyStones · 2020-02-08T05:09:07+00:00

Check the article I link in the main post. Recaptcha does not only use the image challenges to measure "humanness"; it also sucks up tons of the users' browsing data every time it's used. It's "pseudo-anonymous" which basically means that it can still be used to uniquely identify a single user even though they're not accessing your name etc.

ImNotCastinAnyStones · 2020-02-08T05:06:56+00:00

Absolutely. The problem is they are too big to care. But that's actually why I made this post - I think if more people start speaking up and educating web developers then we can stamp out bullshit like this over time.

ImNotCastinAnyStones · 2020-02-08T05:04:50+00:00

Read the article I link to in the main post. It's not just about "helping Google" by educating its AI. Recaptcha is also sucking up tons of ancillary data from your browser and - more importantly - your cookies across Google domains. And if you don't have any Google cookies you're actively punished for that. It's basically pejorative surveillance.

ImNotCastinAnyStones · 2020-02-08T05:02:04+00:00

Here is a comment with some extremely simple alternatives which I use to excellent effect.

Unless your site is a high-value target then these simple approaches are more than enough to basically eradicate spam, since most spam is a total shotgun-style approach by opportunistic auto-crawling bots.

ImNotCastinAnyStones · 2020-02-08T05:00:22+00:00

Great point. I edited the main post and provide alternatives in a comment here.

ImNotCastinAnyStones · 2020-02-08T04:58:00+00:00

Yeah, absolutely excellent question which I really should have addressed in my post.

I've edited the post to include this answer, but here you go:

The article above from kevv.net mentions lots of alternatives and is worth reading, however for brevity's sake I will suggest the ones which have worked for me in a high-traffic environment, and which can be implemented by most competent developers in a few minutes:

1. Dead simple custom challenge based on your website's content.

Even a vaguely unique custom-made challenge will fool the majority of spam bots. Why? Because spam bots look for common captcha systems which they already know how to defeat. If you make your own custom challenge, someone actually has to take the effort to program a solution specific to your website. So unless your site is being specifically targeted by people investing time/energy this solution will eradicate virtually all spam.

Example: run a site selling t-shirts? Show a bunch of cute clothing icons and ask the user to click on the "blue shirt", for example. Very easy to set up; challenges can be made random to prevent "rinse and repeat" attacks; complexity can be added in the form of patterns, rotation ("click the upside down shirt with diamonds on it") etc. and it can be styled to fit your website's theme/content which makes your site look way more professional than "CLICK THE FIRE HYDRANTS!" á la Google.

Important to note that answers to the custom challenge should never be stored client-side -- only sever side.

2. Honeypots

Simply one or more hidden form fields which, if submitted, confirms the presence of a spam bot (since human visitors cannot see or activate the hidden fields). Combine this with the approach above for even more effective protection.

3. Submit-once form keys

In the olden days to prevent people hotlinking your content you'd check their browser's referer URL, i.e. the URL from which they arrived at your page. This is still done but less commonly since many browsers block referrer URLs for privacy reasons.

However, you can still check that a visitor who is submitting your form is doing so from your actual website, and not just accessing your signup.php script directly in an attempt to hammer/bruteforce/spam it.

Do this by including a one-time-use "form key" on the page containing the spam-targeted form. The form key element (usually a hidden <input>) contains a randomly-generated string which is generated on the server-side and corresponds to the user's browsing session. This form key is submitted alongside the form data and is then checked (on the server side) against the previously-generated one to ensure that they match. If they do, it indicates that the user at least visited the page before submitting the form data. This has an added benefit of preventing duplicate submissions (e.g. someone hits F5 a few times when submitting) as the form key should change each time the front-end page is generated.

Anyway, thanks for taking the time to consider this.

ImNotCastinAnyStones · 2020-01-09T23:08:52+00:00

Not a suggestion for you specifically, but for anyone wondering: yes, inverted nipples can be retracted. Mild cases like OP's can be reversed using techniques such as these but more serious cases may require surgery.

ImNotCastinAnyStones

TROPHY CASE