1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
2. Why not use Two Factor Authentication instead of CAPTCHA?
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.
Quote from: xyzzy on July 27, 2019, 12:55:07 PM
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.
So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.
https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/
Or just get rid of it.
Was there some kind of issue that made this necessary?
Anti screen scraping.
Apparently the devs have not heard of anti-captcha scripts.
Quote from: OldGuy on July 27, 2019, 12:39:23 PM1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
Open the WMIRS mission status board, and leave it running even if you don't need it. It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background. And you will never time out.
This works even if you are not in a mission. Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.
Quote from: Dwight Dutton on July 27, 2019, 10:16:42 PM
Quote from: OldGuy on July 27, 2019, 12:39:23 PM1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
Open the WMIRS mission status board, and leave it running even if you don't need it. It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background. And you will never time out.
This works even if you are not in a mission. Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.
We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!
Quote from: OldGuy on July 27, 2019, 10:51:18 PM
Quote from: Dwight Dutton on July 27, 2019, 10:16:42 PM
Quote from: OldGuy on July 27, 2019, 12:39:23 PM1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
Open the WMIRS mission status board, and leave it running even if you don't need it. It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background. And you will never time out.
This works even if you are not in a mission. Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.
We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!
I beleve the key was to NOT navigate away. Leave that window open, and minimize if you want to. Open a NEW window to navigate away, so the mission window is still open in the background.
Quote from: OldGuy on July 27, 2019, 01:20:40 PM
Quote from: xyzzy on July 27, 2019, 12:55:07 PM
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.
So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.
https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/
I'm not allowed to have mr cell phone at work but have access to the internet. Two factor using a cell phone would kill me. A toggle would be alright. Losing the captcha altogether would awesomer.
Quote from: Vegas1972 on July 28, 2019, 08:13:14 PM
Quote from: OldGuy on July 27, 2019, 01:20:40 PM
Quote from: xyzzy on July 27, 2019, 12:55:07 PM
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.
So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.
https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/
I'm not allowed to have mr cell phone at work but have access to the internet. Two factor using a cell phone would kill me. A toggle would be alright. Losing the captcha altogether would awesomer.
There are hardware tokens available that you can flash to a common authentication system (TOTP being the most common).
Example:
https://www.protectimus.com/protectimus-slim-mini
I have noticed differences in "performance" between platforms and browsers. In Firefox (computer and phone) and Chrome (computer only), the Captcha is simply a checkbox, while in Edge (computer only), I get the "Pick the pictures" routine.
The reCAPTCHA feature was not added for "security". it was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.
"To further secure our portal, we have added a reCAPTCHA feature to esure (SIC) the person logging in is not a robot. "Quote from: Vegas1972 on July 28, 2019, 08:13:14 PM
I'm not allowed to have mr cell phone at work but have access to the internet. Two factor using a cell phone would kill me. A toggle would be alright. Losing the captcha altogether would awesomer.
TFA and similar security measures can be set to be indefinitely confirmed on trusted machines, and schemas
that are properly implemented using industry standard protocols work fine on mobile and desktop and generally
have multiple vectors for the second factor, including calling a landline telephone number.
Quote from: Eclipse on July 28, 2019, 11:10:15 PM
The reCAPTCHA feature was not added for "security". it was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.
ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf
Quote from: NovemberWhiskey on July 28, 2019, 11:24:54 PM
Quote from: Eclipse on July 28, 2019, 11:10:15 PM
The reCAPTCHA feature was not added for "security". it was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.
ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf
Now you did it. Most of us aware of this were hoping if we walked barefoot and never looked it in the eye, it would go away.
As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.
Quote from: NovemberWhiskey on July 28, 2019, 11:56:47 PM
As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.
Seriously, Puerto Rico, too.
The free services CAP depends on to operate do not include host location guarantees in their SLAs.
That paragraph sets up the potential for a 7 figure unintended consequence for a solution
for a non-existent problem.
Well I'm officially sick of the CAPTCHA as well.
I would be _VERY_ interested to see some metrics describing the actual assessed risk that eservices is being scraped (or attempted), which is the justification for this measure.
I would be _VERY_ interested in doing a token based authentication where I login, validate myself, and then register my device so that any login attempt from my registered device doesn't CAPTCHA. As in every online banking app/site out there today... (heck if i have a private key that's registered to my user account i shouldn't even need a username/password)
**Edit yeah if/when CAP does this we are going to need multiple devices per account, I login from my laptop, my ipad/EFB, and sometimes even my phone.
I would be _VERY_ interested in forcing whoever though the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.
:)
Are you clicking the checkbox FIRST, before entering the name and password? This works most of the time for me, so I don't have to click photos. Usually if I've already been online earlier in the day.
Quote from: coudano on August 16, 2019, 08:41:06 PM
I would be _VERY_ interested in forcing whoever though the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.
:)
For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.
Was much fun.
NOT!
Quote from: Slim on August 19, 2019, 03:34:49 AM
Quote from: coudano on August 16, 2019, 08:41:06 PM
I would be _VERY_ interested in forcing whoever though the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.
:)
For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.
Was much fun.
NOT!
Open a status log in one tab and the unit log in another. The status log continually updates and will keep you from being kicked for inactivity.
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:
https://www.section508.gov/content/guide-accessible-web-design-development#captcha
Very interesting.
Quote from: Holding Pattern on September 04, 2019, 12:19:52 AM
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:
So I looked up what the heck 508 is, from their "About Us" page:
Quote from: 508About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.
Doesn't apply to us.
That said, the CAPTCHA must die.
Quote from: Fubar on September 04, 2019, 04:14:34 AM
Quote from: Holding Pattern on September 04, 2019, 12:19:52 AM
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:
So I looked up what the heck 508 is, from their "About Us" page:
Quote from: 508About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.
Doesn't apply to us.
That said, the CAPTCHA must die.
According to the CAP Pamphlet on IT, it does apply.
Quote from: Holding Pattern on September 04, 2019, 05:08:47 PM
Quote from: Fubar on September 04, 2019, 04:14:34 AM
Quote from: Holding Pattern on September 04, 2019, 12:19:52 AM
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:
So I looked up what the heck 508 is, from their "About Us" page:
Quote from: 508About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.
Doesn't apply to us.
That said, the CAPTCHA must die.
According to the CAP Pamphlet on IT, it does apply.
If you are talking about the IT specialty track pamphlet, then the only reference to section 508 that I see is as an additional reading. That hardly counts as it applying to us.
https://www.okwgcap.org/accessibility
Oklahoma Wing - Civil Air Patrol is committed to providing a website that is accessible to all users regardless of ability. We recognize the importance and are continually working to increase the accessibility and usability of our website.
Our website should be in compliance with Section 504, Section 508 and Title II of the Rehabilitation Act. Section 504 requires equal access and communication of electronic information and data so that it is accessible to everyone. The district is utilizing the Web Content Accessibility Guidelines 2.0 - 2.1 A, AA to meet the requirements of Section 504.
https://xkcd.com/2228/
(https://imgs.xkcd.com/comics/machine_learning_captcha.png)
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.
Quote from: ZigZag911 on November 17, 2019, 05:45:49 PM
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.
Or its "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."
It really can't be both.
If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.
Quote from: NIN on November 17, 2019, 07:40:49 PM
Quote from: ZigZag911 on November 17, 2019, 05:45:49 PM
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.
Or its "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."
It really can't be both.
If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.
This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.
Quote from: Spaceman3750 on November 17, 2019, 08:06:33 PM
This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.
It doesn't need to ask every time. Plenty of sites establish you're a person, or using a
CAPTCHA script, and then don't' ask every time.
It was also indicated that it was implemented to try and thwart people scraping the screen
for local apps, which would not be necessary if there were either actually useful squadron and activity
management modules or an API.
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)
Quote from: Eclipse on November 18, 2019, 01:37:01 AM
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)
CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.
Quote from: NIN on November 18, 2019, 02:54:59 AM
Quote from: Eclipse on November 18, 2019, 01:37:01 AM
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)
CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.
I've seen things you people wouldn't believe...
Quote from: Eclipse on November 18, 2019, 03:16:59 AM
I've seen things you people wouldn't believe...
The bonus is, you can use the Voight-Kampff test instead of a membership board.
I believe this the appropriate time to use the latest...
Ok, Boomer.
Oh, come on. Surely you can be more dismissive than that?
Quote from: NIN on November 17, 2019, 07:40:49 PM
Quote from: ZigZag911 on November 17, 2019, 05:45:49 PM
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.
Or its "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."
It really can't be both.
If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.
MFA is more user-friendly and more secure.
Quote from: Holding Pattern on November 18, 2019, 05:30:22 PM
MFA is more user-friendly and more secure.
MFA also has its foibles.
For example, a text-based MFA is spoofable.
I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:
- Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage
- Code sent to email account. Airman may not have the password to the email account with her.
Quote from: NIN on November 18, 2019, 10:50:23 PM
Quote from: Holding Pattern on November 18, 2019, 05:30:22 PM
MFA is more user-friendly and more secure.
MFA also has its foibles.
For example, a text-based MFA is spoofable.
A hardware token costs $6. An expensive hardware token on sale on black friday costs $25. A TOTP implementation on an existing smartphone costs $0.
There are solutions for everyone on this; SMS/email is mostly deprecated.
Quote from: xyzzy on November 18, 2019, 11:20:10 PM
I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:
- Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage
- Code sent to email account. Airman may not have the password to the email account with her.
A: "Airman" is not the generic for CAP Member. "Member" is, at best.
B: You're citing very unusual edge cases, or situations where someone is incapable of managing their
passwords anyway, so scaling the system to them is foolhardy.
Quote from: Holding Pattern on November 18, 2019, 11:39:11 PM
There are solutions for everyone on this; SMS/email is mostly deprecated.
It may be discouraged, but it's not going anywhere, that is the most readily available / non-techie friendly
way to get people to use MFA.
Nothing is 100%, but it's sure better then just passwords.
But back to the OP, "security" is not the reason NHQ implemented the CAPTCHA, and in fact they
really have nothing to do with security considering how easily they are circumvented, yes, by scripts and
extensions.
MFA can be enabled using One-time token Password (OTP) apps such as Authy or Microsoft Authenticator which work without internet connectivity on the device (after initial enrollment) but support such things as push notifications as well so one doesn't have to type in a code.
My paid employer just enabled MFA on 35,000+ accounts using Microsoft Authenticator as the primary means with SMS and landlines as backup options. We are using Microsoft's Azure Active Directory for SSO to our systems, both cloud-hosted and on-prem, and Microsoft uses some secret sauce so users are not prompted every time.
Quote from: Paul Creed III on November 19, 2019, 01:26:36 PM
Microsoft uses some secret sauce so users are not prompted every time.
If its the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.
Quote from: NIN on November 19, 2019, 01:51:23 PM
Quote from: Paul Creed III on November 19, 2019, 01:26:36 PM
Microsoft uses some secret sauce so users are not prompted every time.
If its the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.
MFA was enabled for our IT staff and early adopters months ago and has worked extremely well.
Regarding the Junk Mail in Outlook, is this using the default spam filtering or Microsoft's Advanced Threat Protection that uses cloud resources and interacts with Office 365 mailboxes in each tenant?
AFAIK its "magic."
My experience with it over the last 10+ years could be summed up as "Microsoft applies a complex algorithm that takes in to account the contents of the email, attachments, sender frameworks, a random number generator, the phases of the moon, some incantations over chicken feet and a healthy dose of 'who knows?'."
I have literally seen over the years, in multiple organizations (I used to work for an MSP, we had a hundred+ sites with dozens of users per site), the Junk Mail filter being so inconsistently applied that I have to throw up my hands and tell users who call in asking why mail they've previously classified as "not junk" is suddenly being junked or users that they communicate with all the time, even in their own organizations, are winding up in junk mail: "I don't know. Nobody knows. I doubt Microsoft knows."
Consequently, I'm often wary of Microsoft "secret sauce."
And yet people continue to use Offline 365 despite there being better alternatives.
This is very confusing.
There seems to be varying get opinions as to why this system has been instituted.
If there are genuine security concerns, then obviously it's necessary, even if it's a nuisance.
However, some have suggested that there are other reasons driving this. What are you talking about.?
Clarification would be appreciated.
NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API. more then a few people were screen-scraping data from eservices.
It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.
Quote from: Eclipse on November 19, 2019, 06:31:43 PM
NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API. more then a few people were screen-scraping data from eservices.
It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.
This.
Several members tried to warn the developers not to do this because something like this would be the response.
Those developers did not listen.
CAPTCHA was the response.
Which "developers"?
Exhibit A:
https://github.com/nharmon/wmirs_scraper
Couldn't they just shut down the accounts of the offenders? It's not like they don't know who is logging in.
It's not quite that simple. The example code listed is fairly basic so it might be obvious.
When any program calls a webserver it self identifies what it is. Operating System, Web Browser, etc.
Now if you have it log in every five minutes 24/7 for a week, that could be identified.