I am back.

submitted by magnora7[A] from (self.SaidIt)

sorted by:
top
newinsightfulfun
you are viewing a single comment's thread.

view the rest of the comments →

[–]zyxzevn 5 insightful - 3 fun5 insightful - 2 fun6 insightful - 3 fun -  (11 children)

it's a new browser, new IP, new everything, basically randomized. They've really got it down to a science. Although perhaps the randomness itself is a giveaway...

Sounds like very organized. Maybe even military.
Certainly a well worked out procedure.
Maybe they also have 1000s of facebook /google accounts.

Speed of a calculation also randomized? (javascript/wasm) Might be harder. Also some data may be cached if they did not clear it (like site icon).

[–]magnora7[S] 9 insightful - 5 fun9 insightful - 4 fun10 insightful - 5 fun -  (10 children)

Yeah I agree it's very organized. It's known JIDF has done this sort of thing for a while, could be them. I've had run-ins with them before. They stole one of my subreddits long ago fraudulently through the redditrequest system and literally put up a JIDF flag on the sidebar after they stole it. That was like 6 years ago. Then when I started calling those people out, the reddit admins immediately banned my account for something I did 3 months prior...

This is the subreddit (which was intended to be a backup/alternate sub for /r/undelete): https://www.reddit.com/r/undeleteundelete/

They also have a wiki article: https://en.wikipedia.org/wiki/Jewish_Internet_Defense_Force

So this has been a problem for a while. Usually it was just an edge case thing though, or trolls playing around, but now it's a serious problem that affects almost all sizable forums. Our current attacks could be JIDF, could be Chinese, could be US, could be Russian, could be all 4, could be something else. Who knows. I would say JIDF and China both probably do not like some of the things posted on saidit, so they would have motive. But I really have no idea. Could just be a crazy guy in his basement who works for hire off craigslist paid by some random person that just doesn't like saidit for some reason. But it seems pretty well coordinated, especially if you include the DDOS attacks (which are STILL ongoing, like every 3rd day for literally years) so I'd guess it's at least a 3-4 person organization.

Also the DDOS attacks still occur even though they're obviously not successful, which indicates to me someone just has an automated DDOS attack botnet on a rotating schedule.

Speed of a calculation also randomized?

Cool idea but each page is always completely custom so there's no baseline metric to judge against because the filesize is always different

Also some data may be cached if they did not clear it (like site icon).

Perhaps, I'm not sure how to detect this in a way that would be useful though

[–]zyxzevn 5 insightful - 3 fun5 insightful - 2 fun6 insightful - 3 fun -  (9 children)

It sounds like JI DF to me.

With calculation I mean something like a complicated physics calculation.
In both JS and WASM.
You can also render something to the screen with JS to test the speed of their graphics.
You can combine the speed-check with a word-check (captcha). You render a noisy image of a moving&rotating word, while spheres and other objects move in the image. Easy for humans. Very hard even for AI trained for exactly this.

[–][deleted] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (8 children)

fancy shit. does anyone have these moving captchas in use today?

[–]zyxzevn 4 insightful - 2 fun4 insightful - 1 fun5 insightful - 2 fun -  (0 children)

I saw it a few times. Most sites use google (google-captcha) instead.

[–]magnora7[S] 2 insightful - 2 fun2 insightful - 1 fun3 insightful - 2 fun -  (6 children)

That's a cool idea. I could probably cook something up maybe, like 2 grids and the letters, each rotating independently, all the same color on top of each other, with some animated wavy effects distorting all that.

I found this code available, view the demo, we could modify this maybe: https://www.codeseek.co/martingrand/animated-captcha-concept-WxPZVY?lang=en

That was the only one I could find, everything else was research papers

[–][deleted] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (5 children)

Nice, I bet that would work much better than what we have in place now to stop bots and scripts and non-humans.

[–]magnora7[S] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (4 children)

Yeah I agree, I'm down to swap out our captcha with this animated one if that's an easily doable thing

[–][deleted] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (3 children)

Hhahaa nothing is easy around here. You'd also have to figure out a secure way to get the captcha secret into the js widget in the first place, without a scripted browser being able to read it. I didn't dig into how the demo does it. With a plan image, all the user ever has access to is the image itself.

[–]magnora7[S] 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (2 children)

Yeah true. I have no idea how any of that works. I looked it up and apparently it is impossible to hide js code from the end user. So in theory they could always download the js file and look at the password being presented. But maybe that could be obfuscated somehow

[–][deleted] 4 insightful - 2 fun4 insightful - 1 fun5 insightful - 2 fun -  (1 child)

if this were done with SVG instead, you could deliver from the server a confusing looking SVG payload which is the password but as its rendered coordinates/vector art data. then you add two other wrong passwords to it too, and it would be very hard to decode by a bot, although possible. then you can animate it and change text colors and all sorts of fancy shit once your js kicks in.