July 04, 2020, 05:11:03 pm

CAPTCHA issues and ideas

Started by OldGuy, July 27, 2019, 12:39:23 pm


Eclipse

Quote from: xyzzy on November 18, 2019, 11:20:10 pm
I presume MFA stands for multi-factor authentication. There are many ways to implement this, and some of them are not suitable for the CAP national website. Some examples of unsuitable MFA:


  • Text to cell phone. No good, because airman may be in an area where Internet is available, but the airman's cell phone does not have coverage

  • Code sent to email account. Airman may not have the password to the email account with her.




A: "Airman" is not the generic for CAP Member.  "Member" is, at best.

B: You're citing very unusual edge cases, or situations where someone is incapable of managing their
passwords anyway, so scaling the system to them is foolhardy.



Eclipse

Quote from: Holding Pattern on November 18, 2019, 11:39:11 pm
There are solutions for everyone on this; SMS/email is mostly deprecated.


It may be discouraged, but it's not going anywhere, that is the most readily available / non-techie friendly
way to get people to use MFA.

Nothing is 100%, but it's sure better than just passwords.

But back to the OP, "security" is not the reason NHQ implemented the CAPTCHA, and in fact they
really have nothing to do with security considering how easily they are circumvented, yes, by scripts and
extensions.



Paul Creed III

MFA can be enabled using one-time password (OTP) apps such as Authy or Microsoft Authenticator, which work without internet connectivity on the device (after initial enrollment) but also support such things as push notifications so one doesn't have to type in a code.

My paid employer just enabled MFA on 35,000+ accounts using Microsoft Authenticator as the primary means with SMS and landlines as backup options. We are using Microsoft's Azure Active Directory for SSO to our systems, both cloud-hosted and on-prem, and Microsoft uses some secret sauce so users are not prompted every time.
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group

NIN

Quote from: Paul Creed III on November 19, 2019, 01:26:36 pm
Microsoft uses some secret sauce so users are not prompted every time.


If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.
Darin Ninness, Col, CAP
Wing Dude
I like to have Difficult Adult Conversations™
Nothing posted on CAPTalk should be considered policy unless otherwise stated
The contents of this post are Copyright © 2007-2020 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Paul Creed III

Quote from: NIN on November 19, 2019, 01:51:23 pm
Quote from: Paul Creed III on November 19, 2019, 01:26:36 pm
Microsoft uses some secret sauce so users are not prompted every time.


If it's the same secret sauce they use to classify Junk Mail in Outlook, be prepared for disappointment and despair.


MFA was enabled for our IT staff and early adopters months ago and has worked extremely well.

Regarding the Junk Mail in Outlook, is this using the default spam filtering or Microsoft's Advanced Threat Protection that uses cloud resources and interacts with Office 365 mailboxes in each tenant?
Lt Col Paul Creed III, CAP
National Headquarters Cyber Curriculum Specialist
National Headquarters Photography Working Group

NIN

AFAIK it's "magic."

My experience with it over the last 10+ years could be summed up as "Microsoft applies a complex algorithm that takes into account the contents of the email, attachments, sender frameworks, a random number generator, the phases of the moon, some incantations over chicken feet and a healthy dose of 'who knows?'."

I have literally seen over the years, in multiple organizations (I used to work for an MSP; we had a hundred+ sites with dozens of users per site), the Junk Mail filter being so inconsistently applied that I have to throw up my hands and tell users who call in asking why mail they've previously classified as "not junk" is suddenly being junked, or why users they communicate with all the time, even in their own organizations, are winding up in junk mail: "I don't know. Nobody knows. I doubt Microsoft knows."

Consequently, I'm often wary of Microsoft "secret sauce."
Darin Ninness, Col, CAP
Wing Dude
I like to have Difficult Adult Conversations™
Nothing posted on CAPTalk should be considered policy unless otherwise stated
The contents of this post are Copyright © 2007-2020 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Eclipse

And yet people continue to use Offline 365 despite there being better alternatives.



ZigZag911

This is very confusing.

There seem to be varying opinions as to why this system has been instituted.

If there are genuine security concerns, then obviously it's necessary, even if it's a nuisance.

However, some have suggested that there are other reasons driving this. What are you talking about?

Clarification would be appreciated.

Eclipse

NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eServices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.



Holding Pattern

Quote from: Eclipse on November 19, 2019, 06:31:43 pm
NHQ is pushing back hard on people using home-grown apps to manage units, activities, etc., and
with the absence of an API, more than a few people were screen-scraping data from eServices.

It was stated explicitly that one reason for the CAPTCHA was to prevent automated, unapproved
screen scrapers.


This.

Several members tried to warn the developers not to do this because something like this would be the response.

Those developers did not listen.

CAPTCHA was the response.

Fubar

Couldn't they just shut down the accounts of the offenders? It's not like they don't know who is logging in.

Phil Hirons, Jr.

It's not quite that simple. The example code listed is fairly basic so it might be obvious.

When any program calls a webserver it self-identifies what it is: operating system, web browser, etc.

Now if you have it log in every five minutes 24/7 for a week, that could be identified.
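The two signals Phil Hirons, Jr. describes above, the self-reported User-Agent and a login every five minutes around the clock, are exactly what a server-side log review would look for before deciding to disable an account rather than CAPTCHA everyone. The following is an added example and not code from the original thread or from eServices: it parses Apache combined-format log lines (with the authenticated member ID in the third field, a constructed layout), flags accounts whose User-Agent is a scripting tool rather than a browser, and flags accounts whose login timestamps recur at near-identical intervals. The login path, member IDs and log lines are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List

# Apache combined log format; the third field (REMOTE_USER) is assumed to hold the member ID.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Common HTTP client libraries and CLI tools that announce themselves honestly.
TOOL_UA_RE = re.compile(r"python-requests|curl/|wget/|go-http-client|scrapy|libwww|httpclient", re.I)
LOGIN_PATH = "/eServices/login"   # assumed endpoint for the example, not the real one


def build_sample_log() -> str:
    """Constructed sample log: one scripted account and one human account."""
    tz = timezone(timedelta(hours=-6))
    t0 = datetime(2019, 11, 19, 0, 0, 3, tzinfo=tz)
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    # member123: a scraper logging in every five minutes with a second or so of jitter.
    for i in range(12):
        t = t0 + timedelta(minutes=5 * i, seconds=(i % 3) - 1)
        lines.append(f'10.0.0.5 - member123 [{fmt(t)}] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "python-requests/2.22.0"')
    # member456: a person logging in a handful of times at irregular hours from a browser.
    for mins in (7, 131, 412, 1030, 1795, 2660):
        t = t0 + timedelta(minutes=mins)
        lines.append(f'10.0.0.9 - member456 [{fmt(t)}] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" '
                     f'"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0"')
    return "\n".join(lines)


def parse(log_text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield entry


def flag_automation(log_text: str, min_logins: int = 6, max_jitter_s: float = 30.0) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for accounts whose login pattern looks scripted.

    Two independent signals: a non-browser User-Agent, and at least `min_logins`
    successful logins whose inter-arrival times vary by no more than `max_jitter_s`.
    """
    logins: Dict[str, List[datetime]] = defaultdict(list)
    agents: Dict[str, set] = defaultdict(set)
    for e in parse(log_text):
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in ("200", "302"):
            logins[e["user"]].append(e["ts"])
            agents[e["user"]].add(e["ua"])

    flagged: Dict[str, List[str]] = defaultdict(list)
    for user, times in logins.items():
        for ua in sorted(agents[user]):
            if TOOL_UA_RE.search(ua) or not ua.startswith("Mozilla/"):
                flagged[user].append(f"non-browser user agent: {ua}")
        if len(times) >= min_logins:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            jitter = statistics.pstdev(gaps)
            if jitter <= max_jitter_s:
                flagged[user].append(
                    f"{len(times)} logins at ~{statistics.median(gaps):.0f}s intervals (jitter {jitter:.1f}s)")
    return dict(flagged)


if __name__ == "__main__":
    for user, reasons in flag_automation(build_sample_log()).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

The User-Agent check catches only honest clients, since a scraper can send a browser string; the cadence check is the more durable signal, which is why both are reported separately and why the jitter threshold is a parameter rather than a hard-coded "every five minutes".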