It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Community
General discussionThe Google captcha is an insolence(81 posts)(81 posts)
(81 posts)
Pages:
1
2
3
4
5
6
This is my favourite topic
Posted June 07, 2018
avatar
toxicTom: I think CDNs are fine for stuff that created lots of server/bandwidth load, like large images or even video. But they should really be avoided for delivering "active" stuff - code.
Sadly, I most often see them use to load CSS, fonts and JavaScript.
For hosting big files I have no issue with them.
Posted June 08, 2018
avatar
deleted_user:
avatar
kohlrak: I'm a little curious about this process. What is it? What exactly's going on?
avatar
deleted_user:
A modern JS application is actually a pretty complex bit. Not talking driver and kernel programming, of course, but no less complex than apps written in compiled languages such as C# and Java.
Discord - Spyware bundled into a javascript package
You got your framework, a ton of dependencies that it uses, a ton of dependencies that you bring in separately, all the tests, all the mock data and snapshots, etc. It gets big. And I mean REALLY big. Thousands of files (a lot of them only necessary for the dev environment, not for prod.)

In the end, though, you really only want to have a single js file for the site. So all of this stuff needs to be cleaned up, merged, possibly transpiled, minified, etc. There is a lot that goes into this. The build process for a medium sized application can take up to 30 seconds to build on a fast machine. And I can't even imagine the complexity of a colossal app like Facebook. I mean there is a reason why Facebook invented React and Google invented Angular. (Although Angular sucks.)
It sounds to me like the age-old problem of the abstraction loosing control. People import libraries like colleges require you to buy books. You might just need a sentences in a book, just like you might need some sort of ATOI function from stdlib. Javascript? I don't know. I don't use it enough.
Posted June 08, 2018
avatar
deleted_user:
A modern JS application is actually a pretty complex bit. Not talking driver and kernel programming, of course, but no less complex than apps written in compiled languages such as C# and Java.
avatar
kohlrak: Discord - Spyware bundled into a javascript package

You got your framework, a ton of dependencies that it uses, a ton of dependencies that you bring in separately, all the tests, all the mock data and snapshots, etc. It gets big. And I mean REALLY big. Thousands of files (a lot of them only necessary for the dev environment, not for prod.)

In the end, though, you really only want to have a single js file for the site. So all of this stuff needs to be cleaned up, merged, possibly transpiled, minified, etc. There is a lot that goes into this. The build process for a medium sized application can take up to 30 seconds to build on a fast machine. And I can't even imagine the complexity of a colossal app like Facebook. I mean there is a reason why Facebook invented React and Google invented Angular. (Although Angular sucks.)
avatar
kohlrak: It sounds to me like the age-old problem of the abstraction loosing control. People import libraries like colleges require you to buy books. You might just need a sentences in a book, just like you might need some sort of ATOI function from stdlib. Javascript? I don't know. I don't use it enough.
You can always write everything from scratch. Good luck, though.

At work I'm known as the one who hates dependencies, but I also know when not to reinvent language, fire, and the wheel.
Posted June 08, 2018
I agree, down with the captcha!

I would much prefer something like steam's system that asks you for a code when you are logging in from a new context, and sends you the code through email.

I do think they need something to help prevent abuse and/or account theft, but this method is too problematic.
Posted June 08, 2018
avatar
saluk: I agree, down with the captcha!

I would much prefer something like steam's system that asks you for a code when you are logging in from a new context, and sends you the code through email.

I do think they need something to help prevent abuse and/or account theft, but this method is too problematic.
Jokes aside, I don't think you fully understand what the captcha is protecting from.

It isn't very difficult to write code which will automatically create accounts, set them to not use 2-factor authentication, and then downvote/report all your posts and threads until they are auto-deleted. All a malicious user would have to do, is type in your name into a field, hit Enter and go to sleep. In the morning you'd be wiped out from these forums.

Worse yet, it's entirely possible to wipe the forum altogether using this trick. The functionality of the forum as it is today certainly allows for this. That captcha is really the only non-trivial protection that this forum has against an attack like that.

Sure, this could be fixed in a number of other ways, but the fact of the matter is — it isn't. So just removing the captcha could cause some serious damage pretty much immediately.
Posted June 08, 2018
avatar
tinyE: Serious question ----
Seriously? XD
Posted June 08, 2018
avatar
deleted_user:
avatar
saluk: I agree, down with the captcha!

I would much prefer something like steam's system that asks you for a code when you are logging in from a new context, and sends you the code through email.

I do think they need something to help prevent abuse and/or account theft, but this method is too problematic.
avatar
deleted_user:
Jokes aside, I don't think you fully understand what the captcha is protecting from.

It isn't very difficult to write code which will automatically create accounts, set them to not use 2-factor authentication, and then downvote/report all your posts and threads until they are auto-deleted. All a malicious user would have to do, is type in your name into a field, hit Enter and go to sleep. In the morning you'd be wiped out from these forums.

Worse yet, it's entirely possible to wipe the forum altogether using this trick. The functionality of the forum as it is today certainly allows for this. That captcha is really the only non-trivial protection that this forum has against an attack like that.

Sure, this could be fixed in a number of other ways, but the fact of the matter is — it isn't. So just removing the captcha could cause some serious damage pretty much immediately.
Yeah, you couldn't just remove it. We just want a better system.

Two things:

The 2-factor auth would not be something you can disable. It would work the way the captcha does now - we detect some change and want to make sure you are legit, enter this code from your email. In most other cases, you wouldn't have to see it. (Setting it to always appear might be a nice user feature of course, for those who want more protection)

Having a little extra protection for a sign-ups would be alright to me. But recaptcha is one of the worst ones.
Posted June 08, 2018
avatar
deleted_user:
avatar
kohlrak: Discord - Spyware bundled into a javascript package

It sounds to me like the age-old problem of the abstraction loosing control. People import libraries like colleges require you to buy books. You might just need a sentences in a book, just like you might need some sort of ATOI function from stdlib. Javascript? I don't know. I don't use it enough.
avatar
deleted_user:
You can always write everything from scratch. Good luck, though.

At work I'm known as the one who hates dependencies, but I also know when not to reinvent language, fire, and the wheel.
This is why i mix C and Assembly sources (or sometimes write entirely in assembly and link the C libs): I don't want to reinvent the wheel just for optimization.

Dependencies are a problem, however. I find the most popular libraries usually have dependencies to somemthing closed source that's not on the target platform i'm actually developing for. This is especially problematic when trying to do cross-platform devving. I've come to the conclusion that we can't just say "open source," but opt for "open source absolutism" when looking for libraries. I understand drivers are a concern, but if it's properly abstracted to something that's open source and cross platform, the problem goes away.

avatar
deleted_user:
avatar
saluk: I agree, down with the captcha!

I would much prefer something like steam's system that asks you for a code when you are logging in from a new context, and sends you the code through email.

I do think they need something to help prevent abuse and/or account theft, but this method is too problematic.
avatar
deleted_user:
Jokes aside, I don't think you fully understand what the captcha is protecting from.

It isn't very difficult to write code which will automatically create accounts, set them to not use 2-factor authentication, and then downvote/report all your posts and threads until they are auto-deleted. All a malicious user would have to do, is type in your name into a field, hit Enter and go to sleep. In the morning you'd be wiped out from these forums.

Worse yet, it's entirely possible to wipe the forum altogether using this trick. The functionality of the forum as it is today certainly allows for this. That captcha is really the only non-trivial protection that this forum has against an attack like that.

Sure, this could be fixed in a number of other ways, but the fact of the matter is — it isn't. So just removing the captcha could cause some serious damage pretty much immediately.
I'm more worried about the product keys, which is where we're seeing the captchas reused. I think the forums are low priority, because the gamecodes are a big deal, too, and presumably can be brute-forced. I think i have 1 or 2 non-expiring game codes, believe it or not, and i may give them out some day.
avatar
saluk: Yeah, you couldn't just remove it. We just want a better system.

Two things:

The 2-factor auth would not be something you can disable. It would work the way the captcha does now - we detect some change and want to make sure you are legit, enter this code from your email. In most other cases, you wouldn't have to see it. (Setting it to always appear might be a nice user feature of course, for those who want more protection)

Having a little extra protection for a sign-ups would be alright to me. But recaptcha is one of the worst ones.
You're adorable. 2-factor auth would be easy as pie to automate. 2-factor auth is to prevent people from guessing your password and/or using keyloggers to get in. They have to use your email, too, to get it.

Randomly generated SVGs with questions based on them would work. Heck, i'm kinda tempted to make my starmap idea just because it's a fun idea. However, my server's a dinosaur, so i don't want to hold it down too much with that kind of setup. Would be really easy, though: just write questions, make the questions have correct answers, and fill in the junk data to throw off the AI. Convert it to a PNG so it has to use an OCR at the least (catches most bots) to even begin to try answering the questions.
Post edited June 08, 2018 by kohlrak
Posted June 08, 2018
avatar
SirPrimalform: I've not had to do a captcha on GOG for a long long time, when are you being asked to do it?
I get it every time when I want to check or redeem a code and sometimes when I want to log in, even with 2-factor authentication enabled. And it always is a major pain to get that crap even running.

avatar
deleted_user:
As a developer it is difficult for me to imagine any web site functioning without huge amounts of JavaScript.
And that's where the problem comes from. :P

avatar
vv221: JavaScript should be used to enhance the user experience, but the site should still be usable without it.
Exactly!
Post edited June 08, 2018 by eiii
Posted June 08, 2018
I see, I was only comnsidering the cases I've been recently annoyed by captchas - signing in from different web browsers or after signing out. I totaly missed the other side of the argument, sorry.

Agreed that a captcha of some kind is needed to prevent spamming keys. I like your idea of the starmap.

The big problem with something like recaptcha is that we are training bots to be able to solve captchas. Google owns it and is using the data to imrpvoe their ai. Having every site use the same captcha is also bad, because if there is ever a vulnerability then everyone will be vulnerable. Better to come up with your own slightly different system than what others are using.

I like your idea of a starmap, you could have different kinds of questions, like "which star is between X and Y" or "which star is nearest to the center".
Posted June 08, 2018
avatar
saluk: I see, I was only comnsidering the cases I've been recently annoyed by captchas - signing in from different web browsers or after signing out. I totaly missed the other side of the argument, sorry.

Agreed that a captcha of some kind is needed to prevent spamming keys. I like your idea of the starmap.

The big problem with something like recaptcha is that we are training bots to be able to solve captchas. Google owns it and is using the data to imrpvoe their ai. Having every site use the same captcha is also bad, because if there is ever a vulnerability then everyone will be vulnerable. Better to come up with your own slightly different system than what others are using.

I like your idea of a starmap, you could have different kinds of questions, like "which star is between X and Y" or "which star is nearest to the center".
Yep. It's kind of like how we used to do it with letters and noise, but then we realized that to keep OCRs from getting through it was to set it so that people with eye problems couldn't break the captcha. Audio captchas could totally use situations then ask questions about what you hear. I thought of a way to do something like NATO brevity code, where the user could hear it over and over again, and it would ask questions like "where is Eagle 2-1?" "What is Chalice 2 concerned about?" "How many migs are there?"
Posted June 08, 2018
avatar
toxicTom: What really pissed me off though is that everyone and their dog is referencing third-party scripts (google, fb...) all over the place. And every one of these inclusions sends a request with referrer and allows browser-fingerprinting. That way you can be tracked by the big providers all over the web.
I hate that too. But at least you can reduce that kind of tracking with add-ons like Decentral Eyes. Google captchas are much worse. You cannot do anything against them, they force you to allow tracking.

avatar
kohlrak: I'm just saying i think google intentionally doesn't want you self-hosting, despite all the benefits.
Of course they do not want self-hosting as it would reduce their possibilities to track users.
Post edited June 08, 2018 by eiii
Posted June 08, 2018
avatar
kohlrak: Dependencies are a problem, however. I find the most popular libraries usually have dependencies to somemthing closed source that's not on the target platform i'm actually developing for.
Uh... weren't we talking about JavaScript? What closed source?

It's not that you are wrong, it's that your idea in this case doesn't apply because we are talking about stuff that's worlds apart.
avatar
eiii: And that's where the problem comes from. :P
So you don't want the modern web? You want the sites to be something from 1.0 days, that runs on forms and everything you do has to be done via a button-click form submission that causes an http call to the server where the html is rendered?

Well... I've seen kinkier fetishes, but I am ever so glad that you aren't gonna get your way.
Post edited June 08, 2018 by Alaric.us
Posted June 08, 2018
avatar
deleted_user:
avatar
kohlrak: Dependencies are a problem, however. I find the most popular libraries usually have dependencies to somemthing closed source that's not on the target platform i'm actually developing for.
avatar
deleted_user:
Uh... weren't we talking about JavaScript? What closed source?

It's not that you are wrong, it's that your idea in this case doesn't apply because we are talking about stuff that's worlds apart.
These are "universal practices." Another issue is, like i said, those external dependencies. You grab a JS file, think you're doing it right, them bam, only to find out that something goes missing month's later. This "build" thing seems to help against that (i assume it pulls in all dependencies and makes your program dependency free), but it's only a matter of time before people find ways around it, because they want exclusive control over some of their code. Right now, dependencies are only a problem with javascript if you don't build or rely on certain browser functionality (which is a problem with JS overall, and my main reason for hating webdev).
Posted June 08, 2018
avatar
deleted_user:
Uh... weren't we talking about JavaScript? What closed source?

It's not that you are wrong, it's that your idea in this case doesn't apply because we are talking about stuff that's worlds apart.
avatar
kohlrak: These are "universal practices." Another issue is, like i said, those external dependencies. You grab a JS file, think you're doing it right, them bam, only to find out that something goes missing month's later. This "build" thing seems to help against that (i assume it pulls in all dependencies and makes your program dependency free), but it's only a matter of time before people find ways around it, because they want exclusive control over some of their code. Right now, dependencies are only a problem with javascript if you don't build or rely on certain browser functionality (which is a problem with JS overall, and my main reason for hating webdev).
Given that we have different areas of expertise, and this particular topic happens to be within mine, I think I am going to stick to my opinion.

Overall I agree that you shouldn't just include random code that you found written on a public toilet's wall into your project. If it's something simple, it's best to do it yourself. However, known open source libraries with a ton of contributors, good tests, etc. are perfectly fine to include.
Pages:
1
2
3
4
5
6
This is my favourite topic
Community
General discussionThe Google captcha is an insolence(81 posts)(81 posts)
(81 posts)