OfficerTargaryen

Bitcoin farming for Captcha?


I got a Norton coin farming alert when I tried to download a file on the download section.

 

This replaced the normal captcha and if I don't disable Norton it doesn't even load. If I do disable Norton it just asks to verify and nothing happens.

 

I understand you may want to monetize LSPDFR somehow, and why not create income from the website, but must you guys do the coin farming thing?


Google's reCaptcha v1 service will be turned off from March 31, 2018. It already shows a deprecation warning to all users.

The reCaptcha v2 service is absolutely useless, and we have been spammed and our bandwidth wasted by targeted attacks on our download system and by spam bots. People also don't like the fact that they are trusting Google with their data, and that reCaptcha v2 is substantially more intrusive than other captchas (it injects JS into your browser, it observes your behavior, analyzes your past behavior on other Google and reCaptcha-using sites, and when it doesn't automatically verify, the clicking on images is hugely annoying).

 

So, we are trying a new 'proof of work' CAPTCHA that takes around 3-10 seconds to complete on modern CPUs, which makes spamming the site uneconomical for spammers. This is something I was willing to develop internally, but one already exists, so we are trialing that. We're not expecting this to raise any substantial income for the site.

If this proves to be too intrusive, we will create a similar CAPTCHA in-house.

 

Edit: I have reverted us back to an image CAPTCHA whilst I solve issues with this not completing properly on some browsers.


I don't really mind this solution, to be honest. But it's raising an alarm on Norton, effectively blocking it. So that can't be positive at all.

 

"An intrusion attempt was blocked : Web Attack: JSCoinminer Download 10

Severity : High"

 

Using Firefox or Chrome, this happens. Then if I disable Norton this is what happens:

  • I press the verify button.
  • The captcha does its thing, eventually ending with a check mark.
  • I press download, it reloads the page and forces me to verify again.
  • Same thing happens and I just can't download the file.

Tried this a few times, no download.

 

EDIT:

Now the captcha challenge was reset, but it doesn't accept any of my answers.

Edited by OfficerTargaryen


This is f'ing hilarious. You think putting a cryptocurrency miner in as your captcha is less intrusive than using the widely-accepted recaptcha? That's absurd and offensive. 

31 minutes ago, PNWParksFan said:

This is f'ing hilarious. You think putting a cryptocurrency miner in as your captcha is less intrusive than using the widely-accepted recaptcha? That's absurd and offensive. 

 

Well, reCaptcha v2 is widely accepted because you just have to press a thing saying you are human. It's not like this is just a check to see if you can click a box, it is evaluating your browsing habits, which seems quite intrusive. This, as cyan said, has also been ineffective for us. It may not seem it but the site does get fairly frequent DDoS attempts.


3 minutes ago, willpv23 said:

 

Well, reCaptcha v2 is widely accepted because you just have to press a thing saying you are human. It's not like this is just a check to see if you can click a box, it is evaluating your browsing habits, which seems quite intrusive. This, as cyan said, has also been ineffective for us. It may not seem it but the site does get fairly frequent DDoS attempts.

 

That argument is moot because this site uses Google Analytics, so guess what, you've already invited Google to track our browsing habits. You also serve ads, and they're tracking our browsing habits too (and occasionally redirecting us to malware). Most people on the internet are aware of the fact that Google tracks them, and are either OK with it or take steps to prevent it by e.g. using script blockers. It's not great, but it is the status quo. 

 

If reCaptcha isn't meeting the site's needs, then sure, look into other captcha providers. But running a crypto miner in the browser as your anti-DDOS solution is ridiculous and borders on malicious. If you get a lot of DDOS attacks, look into a service like Cloudflare, investigate other captcha options, do what you need to do. But don't suck up our CPU resources to make a quick buck without our consent under the guise of there being no better solution for preventing DDOS attacks. 


On 1/17/2018 at 7:53 PM, PNWParksFan said:

 

That argument is moot because this site uses Google Analytics, so guess what, you've already invited Google to track our browsing habits. You also serve ads, and they're tracking our browsing habits too (and occasionally redirecting us to malware). Most people on the internet are aware of the fact that Google tracks them, and are either OK with it or take steps to prevent it by e.g. using script blockers. It's not great, but it is the status quo. 

 

If reCaptcha isn't meeting the site's needs, then sure, look into other captcha providers. But running a crypto miner in the browser as your anti-DDOS solution is ridiculous and borders on malicious. If you get a lot of DDOS attacks, look into a service like Cloudflare, investigate other captcha options, do what you need to do. But don't suck up our CPU resources to make a quick buck without our consent under the guise of there being no better solution for preventing DDOS attacks. 

 

We've been at this for a while, and learned a lot of valuable stuff in the process.

 

CloudFlare is only helpful if you receive low bandwidth DDoS attacks. Back about 3 years ago, we received a particularly large one, and they sent the traffic back to our origin server under the guise of a 'system fault'. When I contacted them about this we were instructed to upgrade to an Enterprise plan, which was completely uneconomical for us.

You might also be interested to know that CloudFlare's waiting page is a Proof of Work system itself.

 

This isn't really about DDoS attacks though, this is more about the spam and bandwidth-wasting automated downloads that we receive. I have no understanding of the motivations behind some of the bandwidth-wasting attacks that we receive, but I assume someone wants to increase our costs.

 

The only thing that stops that right now is an effective CAPTCHA. However, I know that reCaptcha v2 can be solved for around 50 cents/1000 solves. I've had members brag to me that they don't do it because they are using an automatic solving service. I've seen on our internal analytics that this system doesn't work and was responsible for a great deal of slowdown over Christmas. When you're protecting downloads, that basically means 50 cents and a few zombie botnet hosts to overwhelm our download system, which is something we've had to deal with a few times.

 

Proof of Work is probably the path we will be going down to protect downloads long-term, but now that I'm aware that Norton blocks what we were intending to use, it will be replaced by an in-house system that does something else instead.
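A minimal version of the proof-of-work CAPTCHA scheme described in the two posts above (the trialed widget and the planned in-house "useless work" system). This is an added example, not the site's code or the third-party widget; the HMAC-signed challenge format, the session binding, the replay cache and the difficulty values are my own assumptions. The point a defender cares about: the client burns seconds of CPU per download, while the server's check costs one HMAC and one SHA-256, and a solved challenge cannot be reused or forged.

```python
import hashlib, hmac, os, struct, time

# Constructed demo secret: a real deployment loads this from configuration.
SERVER_KEY = os.urandom(32)
DIFFICULTY = 18        # leading zero bits; about 2**18 hashes per solve on average,
                       # raise it until a solve takes 3-10 s on a typical CPU
CHALLENGE_TTL = 300    # seconds a challenge stays valid
TAG_LEN = 16
_used_challenges = set()   # replay cache; a multi-process site would use a shared store

def _tag(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]

def issue_challenge(session_id: str, now=None) -> bytes:
    """Server side: a signed, time-stamped challenge bound to one download session."""
    ts = int(now if now is not None else time.time())
    body = struct.pack(">Q", ts) + os.urandom(8) + session_id.encode()
    return body + _tag(body)

def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: bytes, difficulty: int = DIFFICULTY) -> int:
    """Client side: the 'useless work', searching for a nonce that makes the hash small."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return nonce
        nonce += 1

def verify(challenge: bytes, nonce: int, session_id: str, now=None,
           difficulty: int = DIFFICULTY) -> bool:
    """Server side: one HMAC and one SHA-256, however long the client worked."""
    if len(challenge) < 16 + TAG_LEN:
        return False
    body, tag = challenge[:-TAG_LEN], challenge[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return False                       # forged or tampered challenge
    ts = struct.unpack(">Q", body[:8])[0]
    cur = now if now is not None else time.time()
    if not ts <= cur <= ts + CHALLENGE_TTL:
        return False                       # expired (or clock-skewed) challenge
    if body[16:] != session_id.encode():
        return False                       # solved for some other session
    if challenge in _used_challenges:
        return False                       # replay: one solve buys exactly one download
    digest = hashlib.sha256(challenge + struct.pack(">Q", nonce)).digest()
    if _leading_zero_bits(digest) < difficulty:
        return False                       # not enough work done
    _used_challenges.add(challenge)
    return True
```

Difficulty is the only tuning knob: each extra bit doubles the client's expected work while the server's verification cost stays constant, which is what makes the "50 cents per 1000 solves" economics stop working for an attacker.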

18 hours ago, Cyan said:

 

We've been at this for a while, and learned a lot of valuable stuff in the process.

 

CloudFlare is only helpful if you receive low bandwidth DDoS attacks. Back about 3 years ago, we received a particularly large one, and they sent the traffic back to our origin server under the guise of a 'system fault'. When I contacted them about this we were instructed to upgrade to an Enterprise plan, which was completely uneconomical for us.

You might also be interested to know that CloudFlare's waiting page is a Proof of Work system itself.

 

This isn't really about DDoS attacks though, this is more about the spam and bandwidth wasting automated downloads that we receive. I have no understanding behind the motivations behind some of the bandwidth wasting attacks that we receive, but I assume someone wants to increase our costs.

 

The only thing that stops that right now is an effective CAPTCHA. However, I know that reCaptcha v2 can be solved for around 50 cents/1000 solves. I've had members brag to me that they don't do it because they are using an automatic solving service. I've seen on our internal analytics that this system doesn't work and was responsible for a great deal of slowdown over Christmas. When you're protecting downloads, that basically means 50 cents and a few zombie botnet hosts to overwhelm our download system, which is something we've had to deal with a few times.

 

Proof of Work is probably the path we will be going down to protect downloads long-term, but now that I'm aware that Norton blocks what we were intending to use, it will be replaced by an in-house system that does some useless work instead.

 

@Cyan was this the cause of the spam ads I was getting for Amazon? Seems like it has stopped since you all updated the site yesterday. Which is a huge relief and my thanks to you all for your hard work.

 

I have seen DDoS attacks before. They suck big time. I never understood why some idiot or idiots would want to ruin something good by DDoS attacks and making things miserable for others through those. 

 

I had to deal with a hacker years ago, it went legal. This hacker gained a lot of financial info and it was started through a sophisticated DDoS attack and keybind where the hacker gained access to passwords and then gained financial info then used the info for personal purchases. Crazy part is karma is a b. I got this hacker legally. 


I heard about this yesterday. There was zero reason to drop reCAPTCHA and Cyan's explanation is 100% pure and utter bullshit. I'm not downloading anything from FR until they change this shit. Put a clear and concise message up that our machines are being used for financial gain, or switch back to reCAPTCHA, which doesn't violate users' rights to know what a website or application is doing to their machine.

1 hour ago, Pauly Sauficer said:

I heard about this yesterday. There was zero reason to drop reCAPTCHA and Cyan's explanation is 100% pure and utter bullshit. I'm not downloading anything from FR until they change this shit. Put a clear and concise message up that our machines are being used for financial gain, or switch back to reCAPTCHA, which doesn't violate user's rights to know what a website or application is doing to their machine. 

 

A) That's your prerogative not to download anything from this site.

 

B) "Put a clear and concise message up that our machines are being used for financial gain."

 

We will, and then we'll also put up a notification that you clicking on ads is also used for financial gain. We aren't doing anything new or crazy. All websites use customers'/visitors' PCs for financial gain in some form, even if it's not known. Ultimately, this benefits you. You want the site up? You want to be able to download your files without issues? Voilà! Either be happy with it or don't download. Someone is always going to complain about what we use to combat DDoS, spam bots, etc. There's no pleasing everyone and never will be.

 

Speaking for me, I have never once had any type of problem with this with my AV or anything. I'm really trying to figure out what you're more mad about, that we admitted what we do or that we make money off of you. (Which is how we support the site and keep it available for you.)


 

3 hours ago, Pauly Sauficer said:

I heard about this yesterday. There was zero reason to drop reCAPTCHA and Cyan's explanation is 100% pure and utter bullshit. I'm not downloading anything from FR until they change this shit. Put a clear and concise message up that our machines are being used for financial gain, or switch back to reCAPTCHA, which doesn't violate user's rights to know what a website or application is doing to their machine. 

 

Just putting this here since you seemed to have missed it:

 

On 1/17/2018 at 3:13 PM, Cyan said:

Proof of Work is probably the path we will be going down to protect downloads long-term, but now that I'm aware that Norton blocks what we were intending to use, it will be replaced by an in-house system that does something else instead.

 

 

Also there was slim to no financial gain involved, which you also seemed to have missed:

 

On 1/16/2018 at 9:39 AM, Cyan said:

We're not expecting this to raise any substantial income for the site.

 

At least read the topic before you start ranting about something you know nothing about.

 

Sorry if this comes across harsh but one thing that really bothers me is when people try to claim we are here for the money. We don't ask you to pay us anything - LCPDFR and LSPDFR are completely free. We even offer ad-free installation options if you're uncomfortable with the installer that does have ads. We don't ask for donations. We have a store where you can buy merch, but are not shoving it down your throat everywhere. We have no extra benefits for people who do give us money. You don't even have to see the ads on the site, you can still fully access it with adblocker. The captchas are simply there to prevent flooding, not make money. I really do not get how people think we are financially motivated.



We just want transparency on this. The way this went down, it seems like you guys were "caught" in the act. That makes it 100% worse. I'm all for exploring new ways to work with a captcha system because Google's is shit. That's no secret. You guys have every right to monetize your website any way you want. But secretly using your users, many of which are underage and have no idea how any of this works, to mine, no matter how little you make from it, can be seen as dirty (also, I get that it isn't there for monetary reasons. Slim is still some.). Now I did a little research for my own peace of mind, and I'm finding that this is actually becoming a fairly common practice, but users need to be made aware. You guys need to make a blog post, a front page addition or whatever to let users know what's going on. You guys have the right to defend your website from attack, you have the right to monetize, but we, the users of your website, and supporters for years, have the right and deserve to know that there is something on your website using our resources, even if it is just for seconds. I don't think you guys are doing this to be malicious, but working in the shadows with no communication with the user base makes it seem like that.

 

I'm confident you guys will find the best way possible to stop the spam, but be transparent about it please. No forum posts no one will see, blog posts. Front page. In your face. Disclaimers when downloading. Also, I get you guys touched on some points already, specifically the notifications.

 

That's just my take on this. It's something that needs to be talked about. Also, for anyone concerned about this, look into proof of work vs captchas. It's becoming more and more common. Yeah, they CAN make money from it, but it's also very good at spam protection. Just gotta find the right solution, yo.


Thank you for your continued feedback on this subject! We will certainly take everything onboard.

Right now there are no new developments other than what I posted last time, so I'm going to close this thread. It will be reopened at a time when we need more feedback or when we actually implement this.
