Author Topic: CAPTCHA issues and ideas  (Read 2610 times)
OldGuy
Salty & Seasoned Contributor

Posts: 695
Unit: TBKS

« on: July 27, 2019, 12:39:23 PM »

1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
2. Why not use Two Factor Authentication instead of CAPTCHA?
xyzzy
Member

Posts: 77

« Reply #1 on: July 27, 2019, 12:55:07 PM »

There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.
OldGuy
Salty & Seasoned Contributor

Posts: 695
Unit: TBKS

« Reply #2 on: July 27, 2019, 01:20:40 PM »

Quote from: xyzzy
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/
Jester
Seasoned Member

Posts: 407

« Reply #3 on: July 27, 2019, 05:17:28 PM »

Or just get rid of it.

Was there some kind of issue that made this necessary?
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #4 on: July 27, 2019, 05:22:12 PM »

Anti screen scraping.

Apparently the devs have not heard of anti-captcha scripts.


Dwight Dutton
Seasoned Member

Posts: 265

« Reply #5 on: July 27, 2019, 10:16:42 PM »

Quote from: OldGuy
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?

Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.
OldGuy
Salty & Seasoned Contributor

Posts: 695
Unit: TBKS

« Reply #6 on: July 27, 2019, 10:51:18 PM »

Quote from: OldGuy
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?

Quote from: Dwight Dutton
Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!
etodd
Salty & Seasoned Contributor

Posts: 1,903

« Reply #7 on: July 28, 2019, 12:54:33 AM »

Quote from: OldGuy
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?

Quote from: Dwight Dutton
Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

Quote from: OldGuy
We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!

I believe the key was to NOT navigate away. Leave that window open, and minimize if you want to. Open a NEW window to navigate away, so the mission window is still open in the background.
« Last Edit: July 28, 2019, 01:03:22 AM by etodd »
MS - MO - AP - MP - FRO - ESO

sUAS MP - sUAS Instructor - sUAS Check Pilot
Vegas1972
Member

Posts: 79
Unit: PCR-NV

« Reply #8 on: July 28, 2019, 08:13:14 PM »

Quote from: xyzzy
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

Quote from: OldGuy
So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/

I’m not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.
"Life is tough, but it's tougher if you're stupid.", Sgt. John M. Stryker.
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #9 on: July 28, 2019, 10:24:59 PM »

Quote from: xyzzy
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

Quote from: OldGuy
So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/

Quote from: Vegas1972
I’m not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.

There are hardware tokens available that you can flash to a common authentication system (TOTP being the most common).

Example:
https://www.protectimus.com/protectimus-slim-mini
« Last Edit: July 28, 2019, 10:33:30 PM by Holding Pattern »
SarDragon
Global Moderator

Posts: 10,821
Unit: Smoots

« Reply #10 on: July 28, 2019, 11:08:41 PM »

I have noticed differences in "performance" between platforms and browsers. In Firefox (computer and phone) and Chrome (computer only), the Captcha is simply a checkbox, while in Edge (computer only), I get the "Pick the pictures" routine.
Dave Bowles
Maj, CAP
AT1, USN Retired
Mitchell Award (unnumbered)
C/WO, CAP, Ret
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #11 on: July 28, 2019, 11:10:15 PM »

The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts from scraping the site for non-NHQ approved applications.

"To further secure our portal, we have added a reCAPTCHA feature to esure (SIC) the person logging in is not a robot. "

Quote from: Vegas1972
I’m not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.

TFA and similar security measures can be set to be indefinitely confirmed on trusted machines, and schemas that are properly implemented using industry standard protocols work fine on mobile and desktop and generally have multiple vectors for the second factor, including calling a landline telephone number.


NovemberWhiskey
Member

Posts: 83
Unit: NER-NY-301

« Reply #12 on: July 28, 2019, 11:24:54 PM »

Quote from: Eclipse
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts from scraping the site for non-NHQ approved applications.
ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #13 on: July 28, 2019, 11:28:54 PM »

Quote from: Eclipse
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts from scraping the site for non-NHQ approved applications.
Quote from: NovemberWhiskey
ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf

Now you did it.  Most of us aware of this were hoping if we walked barefoot and never looked it in the eye, it would go away.


NovemberWhiskey
Member

Posts: 83
Unit: NER-NY-301

« Reply #14 on: July 28, 2019, 11:56:47 PM »

As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #15 on: July 29, 2019, 12:07:56 AM »

Quote from: NovemberWhiskey
As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.

Seriously, Puerto Rico, too.

The free services CAP depends on to operate do not include host location guarantees in their SLAs. That paragraph sets up the potential for a 7 figure unintended consequence for a solution for a non-existent problem.


coudano
Salty & Seasoned Contributor

Posts: 1,157

« Reply #16 on: August 16, 2019, 08:41:06 PM »

Well I'm officially sick of the CAPTCHA as well.

I would be _VERY_ interested to see some metrics describing the actual assessed risk that eservices is being scraped (or attempted), which is the justification for this measure.

I would be _VERY_ interested in doing a token based authentication where I login, validate myself, and then register my device so that any login attempt from my registered device doesn't CAPTCHA.  As in every online banking app/site out there today... (heck if i have a private key that's registered to my user account i shouldn't even need a username/password)
**Edit yeah if/when CAP does this we are going to need multiple devices per account, I login from my laptop, my ipad/EFB, and sometimes even my phone.

I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)
« Last Edit: August 16, 2019, 08:54:05 PM by coudano »
etodd
Salty & Seasoned Contributor

Posts: 1,903

« Reply #17 on: August 16, 2019, 08:44:36 PM »

Are you clicking the checkbox FIRST, before entering the name and password?  This works most of the time for me, so I don't have to click photos. Usually if I've already been online earlier in the day.
MS - MO - AP - MP - FRO - ESO

sUAS MP - sUAS Instructor - sUAS Check Pilot
Slim
Salty & Seasoned Contributor

Posts: 616

« Reply #18 on: August 19, 2019, 03:34:49 AM »

Quote from: coudano
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

 :)
For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!

Slim
jeders
Global Moderator

Posts: 2,238

« Reply #19 on: August 19, 2019, 01:33:39 PM »

Quote from: coudano
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

 :)
Quote from: Slim
For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!

Open a status log in one tab and the unit log in another. The status log continually updates and will keep you from being kicked for inactivity.
If you are confident in your abilities and experience, whether someone else is impressed is irrelevant. - Eclipse
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #20 on: September 04, 2019, 12:19:52 AM »

In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

https://www.section508.gov/content/guide-accessible-web-design-development#captcha
Phil Hirons, Jr.
Salty & Seasoned Contributor

Posts: 820
Unit: NER-001

« Reply #21 on: September 04, 2019, 01:24:05 AM »

Very interesting.
Fubar
Salty & Seasoned Contributor

Posts: 799

« Reply #22 on: September 04, 2019, 04:14:34 AM »

Quote from: Holding Pattern
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.

Doesn't apply to us.

That said, the CAPTCHA must die.
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #23 on: September 04, 2019, 05:08:47 PM »

Quote from: Holding Pattern
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

Quote from: Fubar
So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.

Doesn't apply to us.

That said, the CAPTCHA must die.

According to the CAP Pamphlet on IT, it does apply.
jeders
Global Moderator

Posts: 2,238

« Reply #24 on: September 04, 2019, 07:46:44 PM »

Quote from: Holding Pattern
In today's can of worms on the subject, I don't believe our captcha implementation is 508 compliant:

Quote from: Fubar
So I looked up what the heck 508 is, from their "About Us" page:

Quote from: 508
About This Site
Section508.gov provides guidance to Federal agency staff who play a role in IT accessibility.

Doesn't apply to us.

That said, the CAPTCHA must die.

Quote from: Holding Pattern
According to the CAP Pamphlet on IT, it does apply.

If you are talking about the IT specialty track pamphlet, then the only reference to section 508 that I see is as an additional reading. That hardly counts as it applying to us.
If you are confident in your abilities and experience, whether someone else is impressed is irrelevant. - Eclipse
JohhnyD
Member

Posts: 66

« Reply #25 on: September 07, 2019, 07:08:12 PM »

https://www.okwgcap.org/accessibility

Oklahoma Wing - Civil Air Patrol is committed to providing a website that is accessible to all users regardless of ability. We recognize the importance and are continually working to increase the accessibility and usability of our website.

Our website should be in compliance with Section 504, Section 508 and Title II of the Rehabilitation Act. Section 504 requires equal access and communication of electronic information and data so that it is accessible to everyone. The district is utilizing the Web Content Accessibility Guidelines 2.0 - 2.1 A, AA to meet the requirements of Section 504.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #26 on: November 15, 2019, 03:23:13 AM »

https://xkcd.com/2228/



ZigZag911
Salty & Seasoned Contributor

Posts: 1,994

« Reply #27 on: November 17, 2019, 05:45:49 PM »

It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #28 on: November 17, 2019, 07:40:49 PM »

Quote from: ZigZag911
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.

Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.

Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Spaceman3750
Salty & Seasoned Contributor

Posts: 2,708

« Reply #29 on: November 17, 2019, 08:06:33 PM »

Quote from: ZigZag911
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.

Quote from: NIN
Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.

This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I’m surprised it took this long to be an issue.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #30 on: November 18, 2019, 01:37:01 AM »

Quote from: Spaceman3750
This. Because of our predictable login ID pattern eServices is particularly vulnerable to username fuzzing and subsequent password attacks. CAPTCHA helps mitigate this, if for no other reason than it helps preserve performance for legitimate users. I’m surprised it took this long to be an issue.

It doesn't need to ask every time. Plenty of sites establish you're a person, or using a CAPTCHA script, and then don't ask every time.

It was also indicated that it was implemented to try and thwart people scraping the screen for local apps, which would not be necessary if there were either actually useful squadron and activity management modules or an API.

Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)
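coudano's Reply #16 (register a device once, then no CAPTCHA from that device, several devices per account) and Eclipse's point just above (establish the person once and stop asking) describe the same mechanism. The following is an added example, not code from the thread or from eServices: a server-side store that issues an HMAC-signed trusted-device token after a login that passed both password and CAPTCHA, and lets the login page skip the CAPTCHA only when a valid, unexpired, still-registered token for that same user is presented. The 90-day lifetime, token layout and names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Assumed policy for this example: a device stays trusted for 90 days.
TRUST_LIFETIME_SECONDS = 90 * 24 * 3600


class DeviceTrustStore:
    """Issues and checks 'trusted device' tokens so the CAPTCHA is only shown
    the first time a user logs in from a device. One user may hold several
    registered devices (laptop, tablet, phone), each revocable on its own."""

    def __init__(self, server_key: bytes) -> None:
        self.key = server_key
        # user -> set of registered device ids (kept server-side so revocation works)
        self.devices: Dict[str, Set[str]] = {}

    def _sign(self, user: str, device_id: str, expires: int) -> str:
        # Binding the user into the MAC means a token lifted from one account
        # cannot be presented for another account.
        msg = f"{user}|{device_id}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def register_device(self, user: str, now: Optional[int] = None) -> str:
        """Call only after the user has passed password AND CAPTCHA once.
        Returns the token to set as a long-lived cookie on that device."""
        now = int(time.time()) if now is None else now
        device_id = secrets.token_urlsafe(16)
        expires = now + TRUST_LIFETIME_SECONDS
        self.devices.setdefault(user, set()).add(device_id)
        return f"{device_id}.{expires}.{self._sign(user, device_id, expires)}"

    def is_trusted(self, user: str, token: str, now: Optional[int] = None) -> bool:
        """True only if the token is well-formed, unexpired, still registered
        for this user, and carries a valid MAC over user, device and expiry."""
        now = int(time.time()) if now is None else now
        try:
            device_id, expires_str, sig = token.split(".")
            expires = int(expires_str)
        except ValueError:
            return False
        if now > expires:
            return False
        if device_id not in self.devices.get(user, set()):
            return False
        return hmac.compare_digest(self._sign(user, device_id, expires), sig)

    def revoke_device(self, user: str, token: str) -> None:
        """Drop one device (e.g. a lost tablet) without touching the others."""
        device_id = token.split(".")[0]
        self.devices.get(user, set()).discard(device_id)


def login_needs_captcha(store: DeviceTrustStore, user: str,
                        token: Optional[str], now: Optional[int] = None) -> bool:
    """Decision the login page makes: skip the CAPTCHA only for a trusted device.
    The password check itself is unchanged; only the CAPTCHA step is gated."""
    return not (token and store.is_trusted(user, token, now))


if __name__ == "__main__":
    store = DeviceTrustStore(secrets.token_bytes(32))
    t0 = 1_574_000_000  # constructed timestamp (November 2019)
    laptop = store.register_device("member-a", now=t0)
    print("laptop needs CAPTCHA:", login_needs_captcha(store, "member-a", laptop, t0 + 60))
    print("no cookie needs CAPTCHA:", login_needs_captcha(store, "member-a", None, t0 + 60))
```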


NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #31 on: November 18, 2019, 02:54:59 AM »

Quote from: Eclipse
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)

CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #32 on: November 18, 2019, 03:16:59 AM »

Quote from: Eclipse
Neither of which is unreasonable in November 2019, considering that Tyrell Corp is prototyping Gen-7 replicants.
(Perhaps I've said too much, ignore...)

Quote from: NIN
CAPF 27 just went in, you're the new commander of the Tannhauser Gate Composite Squadron.

I've seen things you people wouldn't believe...


NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #33 on: November 18, 2019, 03:39:19 AM »

Quote from: Eclipse
I've seen things you people wouldn't believe...

The bonus is, you can use the Voight-Kampff test instead of a membership board.

Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Gunsotsu
Forum Regular

Posts: 184

« Reply #34 on: November 18, 2019, 06:41:02 AM »

I believe this is the appropriate time to use the latest...

Ok, Boomer.
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #35 on: November 18, 2019, 03:06:06 PM »

Oh, come on. Surely you can be more dismissive than that?

Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #36 on: November 18, 2019, 05:30:22 PM »

Quote from: ZigZag911
It's a pain, just another example of National taking volunteers for granted, and disrespecting the value of our time.

Quote from: NIN
Or it's "Boy howdy, HQ sure can't get with the times and secure eServices like other organizations..."

It really can't be both.

If you're privy to the issues that may have precipitated the implementation of the CAPTCHA, then you understand.

MFA is more user-friendly and more secure.
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #37 on: November 18, 2019, 10:50:23 PM »

Quote from: Holding Pattern
MFA is more user-friendly and more secure.

MFA also has its foibles.

For example, a text-based MFA is spoofable.

Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
xyzzy
Member

Posts: 77

« Reply #38 on: November 18, 2019, 11:20:10 PM »

I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:

  • Text to cell phone. No good, because the airman may be in an area where Internet is available, but the airman's cell phone does not have coverage.
  • Code sent to email account. Airman may not have the password to the email account with her.
Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #39 on: November 18, 2019, 11:39:11 PM »

Quote from: Holding Pattern
MFA is more user-friendly and more secure.

Quote from: NIN
MFA also has its foibles.

For example, a text-based MFA is spoofable.

A hardware token costs $6. An expensive hardware token on sale on Black Friday costs $25. A TOTP implementation on an existing smartphone costs $0.

There are solutions for everyone on this; SMS/email is mostly deprecated.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #40 on: November 19, 2019, 12:12:18 AM »

Quote from: xyzzy
I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:

  • Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage
  • Code sent to email account. Airman may not have the password to the email account with her.

A: "Airman" is not the generic for CAP Member.  "Member" is, at best.

B: You're citing very unusual edge cases, or situations where someone is incapable of managing their passwords anyway, so scaling the system to them is foolhardy.


Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #41 on: November 19, 2019, 12:16:01 AM »

Quote from: Holding Pattern
There are solutions for everyone on this; SMS/email is mostly deprecated.

It may be discouraged, but it's not going anywhere; that is the most readily available / non-techie friendly way to get people to use MFA.

Nothing is 100%, but it's sure better than just passwords.

But back to the OP, "security" is not the reason NHQ implemented the CAPTCHA, and in fact they really have nothing to do with security considering how easily they are circumvented, yes, by scripts and extensions.


Paul Creed III
Seasoned Member

Posts: 280
Unit: GLR-OH-275

« Reply #42 on: November 19, 2019, 01:26:36 PM »

MFA can be enabled using One-time token Password (OTP) apps such as Authy or Microsoft Authenticator which work without internet connectivity on the device (after initial enrollment) but support such things as push notifications as well so one doesn't have to type in a code.

My paid employer just enabled MFA on 35,000+ accounts using Microsoft Authenticator as the primary means with SMS and landlines as backup options. We are using Microsoft's Azure Active Directory for SSO to our systems, both cloud-hosted and on-prem, and Microsoft uses some secret sauce so users are not prompted every time.
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #43 on: November 19, 2019, 01:51:23 PM »

Quote from: Paul Creed III
Microsoft uses some secret sauce so users are not prompted every time.

If its the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Paul Creed III
Seasoned Member

Posts: 280
Unit: GLR-OH-275

« Reply #44 on: November 19, 2019, 02:00:00 PM »

Quote from: Paul Creed III
Microsoft uses some secret sauce so users are not prompted every time.

Quote from: NIN
If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.

MFA was enabled for our IT staff and early adopters months ago and has worked extremely well.

Regarding the Junk Mail in Outlook, is this using the default spam filtering or Microsoft's Advanced Threat Protection that uses cloud resources and interacts with Office 365 mailboxes in each tenant?
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #45 on: November 19, 2019, 02:20:59 PM »

AFAIK it's "magic."

My experience with it over the last 10+ years could be summed up as "Microsoft applies a complex algorithm that takes into account the contents of the email, attachments, sender frameworks, a random number generator, the phases of the moon, some incantations over chicken feet and a healthy dose of 'who knows?'."

I have literally seen over the years, in multiple organizations (I used to work for an MSP, we had a hundred+ sites with dozens of users per site), the Junk Mail filter being so inconsistently applied that I have to throw up my hands and tell users who call in asking why mail they've previously classified as "not junk" is suddenly being junked or users that they communicate with all the time, even in their own organizations, are winding up in junk mail:   "I don't know. Nobody knows. I doubt Microsoft knows."

Consequently, I'm often wary of Microsoft "secret sauce."
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #46 on: November 19, 2019, 05:24:50 PM »

And yet people continue to use Offline 365 despite there being better alternatives.


ZigZag911
Salty & Seasoned Contributor

Posts: 1,994

« Reply #47 on: November 19, 2019, 05:57:24 PM »

This is very confusing.

There seem to be varying opinions as to why this system has been instituted.

If there are genuine security concerns, then obviously it's necessary, even if it's a nuisance.

However, some have suggested that there are other reasons driving this. What are you talking about?

Clarification would be appreciated.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #48 on: November 19, 2019, 06:31:43 PM »

NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved screen scrapers.


Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #49 on: November 19, 2019, 06:48:25 PM »

Quote from: Eclipse
NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved screen scrapers.

This.

Several members tried to warn the developers not to do this because something like this would be the response.

Those developers did not listen.

CAPTCHA was the response.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #50 on: November 19, 2019, 07:28:21 PM »

Which "developers"?


Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #51 on: November 19, 2019, 07:33:57 PM »

Exhibit A:
https://github.com/nharmon/wmirs_scraper
Fubar
Salty & Seasoned Contributor

Posts: 799

« Reply #52 on: November 20, 2019, 03:21:12 AM »

Couldn't they just shut down the accounts of the offenders? It's not like they don't know who is logging in.
Phil Hirons, Jr.
Salty & Seasoned Contributor

Posts: 820
Unit: NER-001

« Reply #53 on: November 20, 2019, 03:36:06 PM »

It's not quite that simple. The example code listed is fairly basic so it might be obvious.

When any program calls a webserver it self identifies what it is. Operating System, Web Browser, etc.

Now if you have it log in every five minutes 24/7 for a week, that could be identified.
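Phil's point above, that a client announces itself in its User-Agent and that an account logging in every five minutes around the clock stands out in the logs, is the kind of thing an operator can check from the authentication log alone, which is the route Fubar asked about (identify the accounts rather than CAPTCHA everyone). The following is an added example, not code from the thread or from eServices: it parses constructed login records and flags accounts whose login cadence is machine-regular or whose agent string is not a browser. The log format, thresholds, account names and addresses are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample of an authentication log (not from any real system):
# one successful login per line as  <ISO timestamp> <account> <client IP> "<User-Agent>"
SAMPLE_LOG = """\
2019-11-19T00:00:02Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:05:02Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:10:01Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:15:02Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:20:03Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:25:02Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T00:30:02Z MEMBER-A 203.0.113.10 "python-requests/2.22.0"
2019-11-19T07:42:11Z MEMBER-B 198.51.100.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
2019-11-19T12:03:45Z MEMBER-B 198.51.100.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
2019-11-19T19:30:09Z MEMBER-B 198.51.100.22 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Tokens a normal browser's User-Agent contains. Their absence is only a weak
# signal, because the client chooses what to send in that header.
BROWSER_HINTS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg")


class Login(NamedTuple):
    ts: datetime
    user: str
    ip: str
    user_agent: str


def parse_log(text: str) -> List[Login]:
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        logins.append(Login(ts, m.group(2), m.group(3), m.group(4)))
    return logins


def assess_accounts(logins: List[Login], min_logins: int = 6,
                    max_gap_cv: float = 0.10) -> Dict[str, dict]:
    """Per account: login count, mean gap between logins, the coefficient of
    variation of those gaps (near 0 means timer-driven), and whether any login
    came from a non-browser agent. A scheduled script shows a steady cadence
    around the clock; a person at a keyboard does not."""
    by_user: Dict[str, List[Login]] = defaultdict(list)
    for entry in logins:
        by_user[entry.user].append(entry)

    report = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        gap_cv = None
        if len(gaps) >= 2 and mean_gap:
            gap_cv = statistics.pstdev(gaps) / mean_gap
        regular = (len(events) >= min_logins and gap_cv is not None
                   and gap_cv <= max_gap_cv)
        non_browser = any(not any(h in e.user_agent for h in BROWSER_HINTS)
                          for e in events)
        report[user] = {
            "logins": len(events),
            "mean_gap_s": round(mean_gap) if mean_gap is not None else None,
            "gap_cv": round(gap_cv, 4) if gap_cv is not None else None,
            "regular_cadence": regular,
            "non_browser_agent": non_browser,
            "distinct_ips": len({e.ip for e in events}),
            # Cadence is the stronger evidence; the agent string only corroborates.
            "suspect": regular or non_browser,
        }
    return report


if __name__ == "__main__":
    for user, row in assess_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, row)
```

With the sample data MEMBER-A is flagged on both signals (seven logins 300 s apart, scripted agent) while MEMBER-B, three browser logins hours apart, is not.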