CAPTCHA issues and ideas

Started by OldGuy, July 27, 2019, 12:39:23 pm

OldGuy

1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
2. Why not use Two Factor Authentication instead of CAPTCHA?

xyzzy

There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

OldGuy

Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/

Jester

Or just get rid of it.

Was there some kind of issue that made this necessary?

Eclipse

Anti screen scraping.

Apparently the devs have not heard of anti-captcha scripts.



Dwight Dutton

Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

OldGuy

Quote from: Dwight Dutton on July 27, 2019, 10:16:42 pm
Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!

etodd

July 28, 2019, 12:54:33 am #7 Last Edit: July 28, 2019, 01:03:22 am by etodd
Quote from: OldGuy on July 27, 2019, 10:51:18 pm
Quote from: Dwight Dutton on July 27, 2019, 10:16:42 pm
Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.


We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!


I believe the key was to NOT navigate away. Leave that window open, and minimize if you want to. Open a NEW window to navigate away, so the mission window is still open in the background.
MS - MO - AP - MP - FRO - ESO

sUAS MP - sUAS Instructor - sUAS Check Pilot

Vegas1972

Quote from: OldGuy on July 27, 2019, 01:20:40 pm
Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/


I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.
"Life is tough, but it's tougher if you're stupid.", Sgt. John M. Stryker.

Holding Pattern

July 28, 2019, 10:24:59 pm #9 Last Edit: July 28, 2019, 10:33:30 pm by Holding Pattern
Quote from: Vegas1972 on July 28, 2019, 08:13:14 pm
Quote from: OldGuy on July 27, 2019, 01:20:40 pm
Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/


I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.


There are hardware tokens available that you can flash to a common authentication system (TOTP being the most common).

Example:
https://www.protectimus.com/protectimus-slim-mini

SarDragon

I have noticed differences in "performance" between platforms and browsers. In Firefox (computer and phone) and Chrome (computer only), the Captcha is simply a checkbox, while in Edge (computer only), I get the "Pick the pictures" routine.
Dave Bowles
Maj, CAP
AT1, USN Retired
50 Year Member
Mitchell Award (unnumbered)
C/WO, CAP, Ret

Eclipse

The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.

"To further secure our portal, we have added a reCAPTCHA feature to esure (SIC) the person logging in is not a robot. "

Quote from: Vegas1972 on July 28, 2019, 08:13:14 pm
I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.


TFA and similar security measures can be set to be indefinitely confirmed on trusted machines, and schemas
that are properly implemented using industry standard protocols work fine on mobile and desktop and generally
have multiple vectors for the second factor, including calling a landline telephone number.



NovemberWhiskey

Quote from: Eclipse on July 28, 2019, 11:10:15 pm
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.

ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf

Eclipse

Quote from: NovemberWhiskey on July 28, 2019, 11:24:54 pm
Quote from: Eclipse on July 28, 2019, 11:10:15 pm
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts
from scraping the site for non-NHQ approved applications.

ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf


Now you did it.  Most of us aware of this were hoping if we walked barefoot and never looked it in the eye, it would go away.



NovemberWhiskey

As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.

Eclipse

Quote from: NovemberWhiskey on July 28, 2019, 11:56:47 pm
As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.


Seriously, Puerto Rico, too.

The free services CAP depends on to operate do not include host location guarantees in their SLAs.
That paragraph sets up the potential for a 7 figure unintended consequence for a solution
for a non-existent problem.



coudano

August 16, 2019, 08:41:06 pm #16 Last Edit: August 16, 2019, 08:54:05 pm by coudano
Well I'm officially sick of the CAPTCHA as well.

I would be _VERY_ interested to see some metrics describing the actual assessed risk that eservices is being scraped (or attempted), which is the justification for this measure.

I would be _VERY_ interested in doing a token based authentication where I login, validate myself, and then register my device so that any login attempt from my registered device doesn't CAPTCHA.  As in every online banking app/site out there today... (heck if i have a private key that's registered to my user account i shouldn't even need a username/password)
**Edit yeah if/when CAP does this we are going to need multiple devices per account, I login from my laptop, my ipad/EFB, and sometimes even my phone.

I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

etodd

Are you clicking the checkbox FIRST, before entering the name and password?  This works most of the time for me, so I don't have to click photos. Usually if I've already been online earlier in the day.

Slim

Quote from: coudano on August 16, 2019, 08:41:06 pm
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!



Slim

jeders

Quote from: Slim on August 19, 2019, 03:34:49 am
Quote from: coudano on August 16, 2019, 08:41:06 pm
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!


Open a status log in one tab and the unit log in another. The status log continually updates and will keep you from being kicked for inactivity.
If you are confident in your abilities and experience, whether someone else is impressed is irrelevant. - Eclipse

Holding Pattern

In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

https://www.section508.gov/content/guide-accessible-web-design-development#captcha

Phil Hirons, Jr.


Fubar

Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.

Holding Pattern

Quote from: Fubar on September 04, 2019, 04:14:34 am
Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.


According to the CAP Pamphlet on IT, it does apply.

jeders

Quote from: Holding Pattern on September 04, 2019, 05:08:47 pm
Quote from: Fubar on September 04, 2019, 04:14:34 am
Quote from: Holding Pattern on September 04, 2019, 12:19:52 am
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:


So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.


Doesn't apply to us.

That said, the CAPTCHA must die.


According to the CAP Pamphlet on IT, it does apply.


If you are talking about the IT specialty track pamphlet, then the only reference to section 508 that I see is as an additional reading. That hardly counts as it applying to us.

JohhnyD

https://www.okwgcap.org/accessibility

Oklahoma Wing - Civil Air Patrol is committed to providing a website that is accessible to all users regardless of ability. We recognize the importance and are continually working to increase the accessibility and usability of our website.

Our website should be in compliance with Section 504, Section 508 and Title II of the Rehabilitation Act. Section 504 requires equal access and communication of electronic information and data so that it is accessible to everyone. The district is utilizing the Web Content Accessibility Guidelines 2.0 - 2.1 A, AA to meet the requirements of Section 504.

ZigZag911

It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.

NIN

Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.

Darin Ninness, Col, CAP
Wing Dude
I like to have Difficult Adult Conversations™
Nothing posted on CAPTalk should be considered policy unless otherwise stated
The contents of this post are Copyright © 2007-2020 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Spaceman3750

Quote from: NIN on November 17, 2019, 07:40:49 pm
Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.


This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.

Eclipse

Quote from: Spaceman3750 on November 17, 2019, 08:06:33 pm
This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I'm surprised it took this long to be an issue.


It doesn't need to ask every time. Plenty of sites establish you're a person, or using a
CAPTCHA script, and then don't ask every time.

It was also indicated that it was implemented to try and thwart people scraping the screen
for local apps, which would not be necessary if there were either actually useful squadron and activity
management modules or an API.

Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)



NIN

Quote from: Eclipse on November 18, 2019, 01:37:01 am
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)


CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.

Eclipse

Quote from: NIN on November 18, 2019, 02:54:59 am
Quote from: Eclipse on November 18, 2019, 01:37:01 am
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)


CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.


I've seen things you people wouldn't believe...



NIN

Quote from: Eclipse on November 18, 2019, 03:16:59 am
I've seen things you people wouldn't believe...


The bonus is, you can use the Voight-Kampff test instead of a membership board.

Gunsotsu

I believe this the appropriate time to use the latest...

Ok, Boomer.

NIN

Oh, come on. Surely you can be more dismissive than that?

Holding Pattern

Quote from: NIN on November 17, 2019, 07:40:49 pm
Quote from: ZigZag911 on November 17, 2019, 05:45:49 pm
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.


Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.


MFA is more user-friendly and more secure.

NIN

Quote from: Holding Pattern on November 18, 2019, 05:30:22 pm
MFA is more user-friendly and more secure.


MFA also has its foibles.

For example, a text-based MFA is spoofable.

xyzzy

I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:


  • Text to cell phone. No good, because the airman may be in an area where Internet is available, but the airman's cell phone does not have coverage.

  • Code sent to email account. Airman may not have the password to the email account with her.


Holding Pattern

Quote from: NIN on November 18, 2019, 10:50:23 pm
Quote from: Holding Pattern on November 18, 2019, 05:30:22 pm
MFA is more user-friendly and more secure.


MFA also has its foibles.

For example, a text-based MFA is spoofable.


A hardware token costs $6. An expensive hardware token on sale on black friday costs $25. A TOTP implementation on an existing smartphone costs $0.

There are solutions for everyone on this; SMS/email is mostly deprecated.

Eclipse

Quote from: xyzzy on November 18, 2019, 11:20:10 pm
I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:


  • Text to cell phone. No good, because the airman may be in an area where Internet is available, but the airman's cell phone does not have coverage.

  • Code sent to email account. Airman may not have the password to the email account with her.




A: "Airman" is not the generic for CAP Member.  "Member" is, at best.

B: You're citing very unusual edge cases, or situations where someone is incapable of managing their
passwords anyway, so scaling the system to them is foolhardy.



Eclipse

Quote from: Holding Pattern on November 18, 2019, 11:39:11 pm
There are solutions for everyone on this; SMS/email is mostly deprecated.


It may be discouraged, but it's not going anywhere, that is the most readily available / non-techie friendly
way to get people to use MFA.

Nothing is 100%, but it's sure better than just passwords.

But back to the OP, "security" is not the reason NHQ implemented the CAPTCHA, and in fact they
really have nothing to do with security considering how easily they are circumvented, yes, by scripts and
extensions.



Paul Creed III

MFA can be enabled using One-time token Password (OTP) apps such as Authy or Microsoft Authenticator which work without internet connectivity on the device (after initial enrollment) but support such things as push notifications as well so one doesn't have to type in a code.

My paid employer just enabled MFA on 35,000+ accounts using Microsoft Authenticator as the primary means with SMS and landlines as backup options. We are using Microsoft's Azure Active Directory for SSO to our systems, both cloud-hosted and on-prem, and Microsoft uses some secret sauce so users are not prompted every time.
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group

NIN

Quote from: Paul Creed III on November 19, 2019, 01:26:36 pm
Microsoft uses some secret sauce so users are not prompted every time.


If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.

Paul Creed III

Quote from: NIN on November 19, 2019, 01:51:23 pm
Quote from: Paul Creed III on November 19, 2019, 01:26:36 pm
Microsoft uses some secret sauce so users are not prompted every time.


If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.


MFA was enabled for our IT staff and early adopters months ago and has worked extremely well.

Regarding the Junk Mail in Outlook, is this using the default spam filtering or Microsoft's Advanced Threat Protection that uses cloud resources and interacts with Office 365 mailboxes in each tenant?

NIN

AFAIK it's "magic."

My experience with it over the last 10+ years could be summed up as "Microsoft applies a complex algorithm that takes in to account the contents of the email, attachments, sender frameworks, a random number generator, the phases of the moon, some incantations over chicken feet and a healthy dose of 'who knows?'." 

I have literally seen over the years, in multiple organizations (I used to work for an MSP, we had a hundred+ sites with dozens of users per site), the Junk Mail filter being so inconsistently applied that I have to throw up my hands and tell users who call in asking why mail they've previously classified as "not junk" is suddenly being junked or users that they communicate with all the time, even in their own organizations, are winding up in junk mail:   "I don't know. Nobody knows. I doubt Microsoft knows."

Consequently, I'm often wary of Microsoft "secret sauce."

Eclipse

And yet people continue to use Offline 365 despite there being better alternatives.



ZigZag911

This is very confusing.

There seem to be varying opinions as to why this system has been instituted.

If there are genuine security concerns, then obviously it's necessary, even if it's a nuisance.

However, some have suggested that there are other reasons driving this. What are you talking about?

Clarification would be appreciated.

Eclipse

NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.



Holding Pattern

Quote from: Eclipse on November 19, 2019, 06:31:43 pm
NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.


This.

Several members tried to warn the developers not to do this because something like this would be the response.

Those developers did not listen.

CAPTCHA was the response.

Fubar

Couldn't they just shut down the accounts of the offenders? It's not like they don't know who is logging in.

Phil Hirons, Jr.

It's not quite that simple. The example code listed is fairly basic so it might be obvious.

When any program calls a webserver it self identifies what it is. Operating System, Web Browser, etc.

Now if you have it log in every five minutes 24/7 for a week, that could be identified.
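
Both detection signals raised in the thread, Spaceman3750's username guessing against a predictable ID pattern and Phil Hirons' scraper that "logs in every five minutes 24/7", can be pulled out of ordinary login records without a CAPTCHA. The following is an added example, not CAP or eServices code; the log format, IDs, addresses and thresholds are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not real eServices logs), one per line:
# "<UTC time> <source IP> <user ID> <OK|FAIL> <User-Agent>".
SAMPLE_LOG = """\
2019-08-16T07:12:41Z 203.0.113.7 300222 OK Mozilla/5.0 (Windows NT 10.0) Firefox/68.0
2019-08-16T08:00:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T08:05:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T08:10:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T08:15:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T08:20:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T08:25:00Z 203.0.113.42 200345 OK python-requests/2.22.0
2019-08-16T09:48:05Z 203.0.113.7 300222 OK Mozilla/5.0 (Windows NT 10.0) Firefox/68.0
2019-08-16T10:03:27Z 203.0.113.7 300222 OK Mozilla/5.0 (Windows NT 10.0) Firefox/68.0
2019-08-16T11:00:01Z 198.51.100.9 100001 FAIL curl/7.65.3
2019-08-16T11:00:02Z 198.51.100.9 100002 FAIL curl/7.65.3
2019-08-16T11:00:03Z 198.51.100.9 100003 FAIL curl/7.65.3
2019-08-16T11:00:04Z 198.51.100.9 100004 FAIL curl/7.65.3
2019-08-16T11:00:05Z 198.51.100.9 100005 FAIL curl/7.65.3
2019-08-16T16:30:12Z 203.0.113.7 300222 OK Mozilla/5.0 (Windows NT 10.0) Firefox/68.0
"""


def parse_log(text):
    """Split each record into a dict; the User-Agent keeps its embedded spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, ua = line.split(" ", 4)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return events


def metronomic_accounts(events, min_logins=4, max_cv=0.05):
    """Accounts whose successful logins recur at near-constant intervals.
    cv = stddev / mean of the gaps: a script on a timer gives about 0, a person does not."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        if len(evs) < min_logins:
            continue
        times = sorted(e["time"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[user] = {"logins": len(evs), "interval_s": mean,
                             "agents": sorted({e["ua"] for e in evs})}
    return flagged


def enumeration_sources(events, min_users=5):
    """Source IPs that failed against many distinct user IDs: the username-guessing pattern."""
    failed = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scheduled logins:", metronomic_accounts(evs))
    print("enumeration sources:", enumeration_sources(evs))
```

The flagged account record carries the User-Agent strings, which is the self-identification Phil describes; the human account with irregular gaps and the sub-threshold failure counts are left alone.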