CAP Talk  |  General Discussion  |  The Lobby  |  Topic: CAPTCHA issues and ideas
Author Topic: CAPTCHA issues and ideas  (Read 2607 times)
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #40 on: November 19, 2019, 12:12:18 AM »

I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:

  • Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage
  • Code sent to email account. Airman may not have the password to the email account with her.

A: "Airman" is not the generic for CAP Member.  "Member" is, at best.

B: You're citing very unusual edge cases, or situations where someone is incapable of managing their
passwords anyway, so scaling the system to them is foolhardy.


Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #41 on: November 19, 2019, 12:16:01 AM »

There are solutions for everyone on this; SMS/email is mostly deprecated.

It may be discouraged, but it's not going anywhere, that is the most readily available / non-techie friendly
way to get people to use MFA.

Nothing is 100%, but it's sure better than just passwords.

But back to the OP, "security" is not the reason NHQ implemented the CAPTCHA, and in fact they
really have nothing to do with security considering how easily they are circumvented, yes, by scripts and
extensions.


Paul Creed III
Seasoned Member

Posts: 280
Unit: GLR-OH-275

« Reply #42 on: November 19, 2019, 01:26:36 PM »

MFA can be enabled using One-time token Password (OTP) apps such as Authy or Microsoft Authenticator which work without internet connectivity on the device (after initial enrollment) but support such things as push notifications as well so one doesn't have to type in a code.

My paid employer just enabled MFA on 35,000+ accounts using Microsoft Authenticator as the primary means with SMS and landlines as backup options. We are using Microsoft's Azure Active Directory for SSO to our systems, both cloud-hosted and on-prem, and Microsoft uses some secret sauce so users are not prompted every time.
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #43 on: November 19, 2019, 01:51:23 PM »

Microsoft uses some secret sauce so users are not prompted every time.

If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Paul Creed III
Seasoned Member

Posts: 280
Unit: GLR-OH-275

« Reply #44 on: November 19, 2019, 02:00:00 PM »

Microsoft uses some secret sauce so users are not prompted every time.

If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.

MFA was enabled for our IT staff and early adopters months ago and has worked extremely well.

Regarding the Junk Mail in Outlook, is this using the default spam filtering or Microsoft's Advanced Threat Protection that uses cloud resources and interacts with Office 365 mailboxes in each tenant?
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group
NIN
Administrator

Posts: 5,445
Unit: of issue

« Reply #45 on: November 19, 2019, 02:20:59 PM »

AFAIK it's "magic."

My experience with it over the last 10+ years could be summed up as "Microsoft applies a complex algorithm that takes into account the contents of the email, attachments, sender frameworks, a random number generator, the phases of the moon, some incantations over chicken feet and a healthy dose of 'who knows?'."

I have literally seen over the years, in multiple organizations (I used to work for an MSP, we had a hundred+ sites with dozens of users per site), the Junk Mail filter being so inconsistently applied that I have to throw up my hands and tell users who call in asking why mail they've previously classified as "not junk" is suddenly being junked or users that they communicate with all the time, even in their own organizations, are winding up in junk mail:   "I don't know. Nobody knows. I doubt Microsoft knows."

Consequently, I'm often wary of Microsoft "secret sauce."
Darin Ninness, Lt Col, CAP
Sq Bubba, Wing Dude, National Guy
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2019 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #46 on: November 19, 2019, 05:24:50 PM »

And yet people continue to use Offline 365 despite there being better alternatives.


ZigZag911
Salty & Seasoned Contributor

Posts: 1,994

« Reply #47 on: November 19, 2019, 05:57:24 PM »

This is very confusing.

There seem to be varying opinions as to why this system has been instituted.

If there are genuine security concerns, then obviously it's necessary, even if it's a nuisance.

However, some have suggested that there are other reasons driving this. What are you talking about?

Clarification would be appreciated.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #48 on: November 19, 2019, 06:31:43 PM »

NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.


Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #49 on: November 19, 2019, 06:48:25 PM »

NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eservices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.

This.

Several members tried to warn the developers not to do this because something like this would be the response.

Those developers did not listen.

CAPTCHA was the response.
Eclipse
Too Much Free Time With Silver Clasp
Posts: 30,440

« Reply #50 on: November 19, 2019, 07:28:21 PM »

Which "developers"?


Holding Pattern
Salty & Seasoned Contributor

Posts: 1,576
Unit: Victory

« Reply #51 on: November 19, 2019, 07:33:57 PM »

Exhibit A:
https://github.com/nharmon/wmirs_scraper
Fubar
Salty & Seasoned Contributor

Posts: 799

« Reply #52 on: November 20, 2019, 03:21:12 AM »

Couldn't they just shut down the accounts of the offenders? It's not like they don't know who is logging in.
Phil Hirons, Jr.
Salty & Seasoned Contributor

Posts: 820
Unit: NER-001

« Reply #53 on: November 20, 2019, 03:36:06 PM »

It's not quite that simple. The example code listed is fairly basic so it might be obvious.

When any program calls a webserver it self identifies what it is. Operating System, Web Browser, etc.

Now if you have it log in every five minutes 24/7 for a week, that could be identified.
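Both of Phil's signals, the client's self-reported User-Agent and a login cadence no human keeps, can be checked straight from web-server access logs, which also answers Fubar's question of how the offenders would be found. The block below is an added example of my own, not anything NHQ runs against eServices: the log lines are constructed in Apache "combined" format with a hypothetical /login endpoint, and the thresholds (four or more logins, under five seconds of jitter) are assumptions. It parses the lines and flags each user/IP pair that logs in from a non-browser client or at a metronomic interval. One caveat worth keeping in mind: the User-Agent string is set by the client and is trivially copied from a real browser, so of the two tests only the cadence check survives a scraper that bothers to spoof it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; the third field is the authenticated user (or "-").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_PATH = "/login"                        # hypothetical login endpoint (assumption)
BROWSER_PREFIXES = ("Mozilla/", "Opera/")    # every mainstream browser UA starts this way

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36")

# Constructed sample log: a script logging in every five minutes, a person on
# Chrome twice in a day, and a one-off curl login.
SAMPLE_LOG = [
    f'203.0.113.10 - cap123456 [19/Nov/2019:00:{m:02d}:00 +0000] '
    f'"POST /login HTTP/1.1" 302 0 "-" "python-requests/2.22.0"'
    for m in (0, 5, 10, 15, 20)
] + [
    f'198.51.100.7 - cap654321 [19/Nov/2019:08:14:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "{CHROME_UA}"',
    f'198.51.100.7 - cap654321 [19/Nov/2019:17:41:55 +0000] "POST /login HTTP/1.1" 302 0 "-" "{CHROME_UA}"',
    '192.0.2.44 - cap111111 [19/Nov/2019:12:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.64.0"',
]


def parse_line(line: str):
    """Return the fields of one combined-format line as a dict, or None if it
    does not match (a malformed line must not abort the whole sweep)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_scrapers(lines, min_hits: int = 4, max_jitter_s: float = 5.0):
    """Group login POSTs by (user, ip) and report why each group looks automated.
    A group is flagged for any hit from a non-browser User-Agent, and for
    `min_hits` or more logins whose gaps vary by no more than `max_jitter_s`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["req"].startswith(f"POST {LOGIN_PATH} "):
            continue
        hits[(rec["user"], rec["ip"])].append((rec["ts"], rec["ua"]))

    findings = {}
    for key, events in hits.items():
        reasons = []
        odd_uas = sorted({ua for _, ua in events if not ua.startswith(BROWSER_PREFIXES)})
        if odd_uas:
            reasons.append("non-browser user agent: " + ", ".join(odd_uas))
        if len(events) >= min_hits:
            stamps = sorted(ts for ts, _ in events)
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            # pstdev near zero means the logins arrive on a timer, not from a person
            if statistics.pstdev(gaps) <= max_jitter_s:
                reasons.append(f"{len(stamps)} logins every ~{round(statistics.mean(gaps))}s")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (user, ip), reasons in flag_scrapers(SAMPLE_LOG).items():
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

Run against a real access log the same function takes the file's lines directly; the request filter and thresholds are the only parts that would need to match the site in question.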