MNF Club Forums
Security Questions - Printable Version

+- MNF Club Forums (https://www.mnfclub.com/forum)
+-- Forum: Forums (https://www.mnfclub.com/forum/forumdisplay.php?fid=1)
+--- Forum: Feedback, Miscellaneous & Help (https://www.mnfclub.com/forum/forumdisplay.php?fid=4)
+--- Thread: Security Questions (/showthread.php?tid=1748)



RE: Security Questions - Amberlicious - 07-25-2018

How difficult would it be to simply add a Google Captcha to the registration form? All those manual questions are relatively easy for bots to bypass. Add a Google reCaptcha2 and you stop 99% of fake accounts.

For those who don't know what I'm talking about, this is the 'I'm not a robot' checkbox that then takes you to things like 'Select all squares with street signs, cars, buses, store fronts' and so forth.

Just to follow up I found this:

https://docs.mybb.com/1.8/administration/spam/

From the official documentation of the forum (link above):
"CAPTCHA Images for Registration & Posting

In Admin CP > Configuration > General Configuration, a visual CAPTCHA challenge can be configured from a variety of options.
  • No CAPTCHA, in which the visual CAPTCHA challenge is disabled. This is not recommended, as disabling the CAPTCHA Images makes it much easier for automated systems to post spam.

  • MyBB Default CAPTCHA, in which a PHP GD captcha is generated. This can often be passed by automated systems and usually should not be used.

  • reCAPTCHA, which displays a “ReCAPTCHA” challenge; signup is required at Google’s ReCAPTCHA site to get the Public and Private keys that must be configured.

  • NoCAPTCHA reCAPTCHA, which displays the latest version of reCAPTCHA, in which a user simply clicks a checkbox to continue, or as a fallback must complete a simple picture-selection challenge; signup is required at Google's ReCAPTCHA site (https://www.google.com/recaptcha/intro/index.html) to get the Public and Private keys that must be configured."
Make sure to go for the NoCAPTCHA reCaptcha option!


RE: Security Questions - Emmie - 07-25-2018

I will definitely take a look at the recaptcha option; it is built into the forum as an option. The main issue would be that Google will collect information via that, which means we'd have to do a whole consent thing for legal reasons, especially for EU participants thanks to the GDPR. And I am NOT qualified to deal with the legal aspects of that. I'll still bring it up with the devs though, and see if they are working out the kinks in the game; perhaps they can do that for the forum as well.


RE: Security Questions - Amberlicious - 07-25-2018

Hi Emmie, with all due respect, Google can see anything we post here anyway and this has nothing to do with GDPR. A captcha is a basic thing without any legal implications. It is not that we are using a Google platform or tool to collect and keep people's information and payment details. This is just a free public forum.
I'm only pressing for this because I know it is a very easy and simple feature to implement that will free a lot of time for all the mods to focus on their job, which is to "moderate" the forum and not to search for and delete bot users and spam messages.
Obviously I don't know how much control of the forum you and the forum mods have, but this implementation doesn't require any development at all. I'm happy to be contacted by the "devs" to discuss the possibilities on this and other features in tech lingo if it would be beneficial.


RE: Security Questions - Alexa_Darkness - 07-25-2018

(07-25-2018, 11:12 AM)Amberlicious Wrote: Hi Emmie, with all due respect, Google can see anything we post here anyway and this has nothing to do with GDPR. A captcha is a basic thing without any legal implications. It is not that we are using a Google platform or tool to collect and keep people's information and payment details. This is just a free public forum.
I'm only pressing for this because I know it is a very easy and simple feature to implement that will free a lot of time for all the mods to focus on their job, which is to "moderate" the forum and not to search for and delete bot users and spam messages.
Obviously I don't know how much control of the forum you and the forum mods have, but this implementation doesn't require any development at all. I'm happy to be contacted by the "devs" to discuss the possibilities on this and other features in tech lingo if it would be beneficial.

In response to Amberlicious... these are the Google & Bing search results. And even Emmie is mentioned.


[Image: 31551816f335651adb080c0396b33246.png]


RE: Security Questions - Emmie - 07-25-2018

I will just quote google themselves.
"You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at http://www.google.com/about/company/user-consent-policy.html."
And
"EU user consent policy
If your agreement with Google incorporates this policy, or you otherwise use a Google product that incorporates this policy, you must ensure that certain disclosures are given to, and consents obtained from, end users in the European Economic Area. If you fail to comply with this policy, we may limit or suspend your use of the Google product and/or terminate your agreement.

Properties under your control
For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users' legally valid consent to:
  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads.

When seeking consent you must:
  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users' personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party's use of end users' personal data.

Properties under a third party's control
If personal data of end users of a third party property is shared with Google due to your use of, or integration with, a Google product, then you must use commercially reasonable efforts to ensure the operator of the third party property complies with the above duties. A third party property is a site, app or other property that is not under your, your affiliate's or your client's control and whose operator is not already using a Google product that incorporates this policy."

And the reason it looks like this is because of the GDPR, that much I know. What I don't know is exactly what would be expected of us when we implement it and to what extent. Which is why I prefer the devs to make the choice on it. I'm no expert for sure, but that's also why I don't wanna dive into things before I know what it entails.


RE: Security Questions - Amberlicious - 07-25-2018

Ok, I bow in respect of your dedication and great level of compliance. But I think my point still stands. We are not talking about the game login, but of a public forum that does not collect any form of payment whatsoever.

The search engine results are just obvious: it is a public forum open to all, including Google. The forum isn't restricted to members only and will show up in any search.

As for the GDPR, I stand corrected and agree with Emmie in letting the owners of the game decide what to do. Just for my clarification, are the devs and the owners the same people? To me devs are just that: tech developers who code the game, and owners are responsible for policy, marketing, lawyers and profit.


RE: Security Questions - Amberlicious - 07-26-2018

Sorry to double post, but I got a little curious to know whether Google reCaptcha is GDPR compliant or not.
A simple Google search (hic) for "Is Google reCaptcha GDPR compliant?" doesn't turn up much. I have also used my Google dev login to search the big G documentation and found absolutely no direct mention of GDPR. This is a big deal, as Google collects information from each and every public search in its public engine, and let's not get started with Gmail and other products.

After some further searches and a lot of reading I found this discussion: https://law.stackexchange.com/questions/27908/gdpr-recaptcha-with-users-consent

The whole link is interesting, but this answer stands out:

Quote:
Quote: "From your perspective you should not worry about asking permission to use reCaptcha as it is not you who is processing the data it is google and any GDPR compliance falls on them."

This is plain wrong. If a user visits your website you are the controller of data collected on your website. Regardless of what entity collects that data.

However in my non-legal opinion reCAPTCHA falls under Article 6 section 1d and 1f. Also Recital 49.

1d:
Quote: "processing is necessary in order to protect the vital interests of the data subject or of another natural person;"

While you could argue in some cases (most probably) reCAPTCHA is used to reduce spam to a business entity thus not a “natural person”.

1f:
Quote: "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

Here is where the real ruling applies “Legitimate interests”. You as a business have a legitimate interest in reducing spam into your business. Not only does spam take up your time but it also takes up your resources. As to the extent in which spam takes up is dependent on the usage in question. But nearly everyone can safely assume reducing spam (one of the cornerstones of the GDPR) is a legitimate interest.

Recital 49 (excerpt):
Quote: The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, [...] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

I just hope that whoever has the power to make decisions on this and other issues like payment doesn't simply take the easy way out and put it on the bill of the mods, who are actually volunteers doing a great job out of their own kindness.


RE: Security Questions - Emmie - 07-26-2018

Right, there are two developers for MNF, Vadim and Serega. They started this thing together, so there's no publisher or such. And I have forwarded the recaptcha registration page to Vadim. I'll let him have a look at it and see what he thinks. As far as implementing recaptcha into our own registration process goes, it looks quite easy. But I am hesitant to do it when my knowledge of it is so limited.

On a side note, I went on several different sites that use recaptcha, and I didn't even get to see a single word of a privacy policy or such. So might be I'm worried for nothing, but better safe than sorry in this situation.
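The MyBB setting quoted earlier takes care of the verification step for the forum itself, but the "own registering process" mentioned here would have to do that step by hand, and it is the part people get wrong: the checkbox widget only produces a token in the browser, and the server must send that token to Google's siteverify endpoint with the Private key and act on the reply. The following is an added example in Python (the forum runs on PHP; this is neither MyBB's code nor MNF Club's) of what that server-side check should look like. The endpoint URL, the request fields and the reply fields (`success`, `challenge_ts`, `hostname`, `error-codes`) are Google's documented API; the hostname `www.mnfclub.com` is taken from this page's URL, the private key is a placeholder, the two-minute freshness window is a chosen policy, and the siteverify replies used by `demo()` are constructed so that the logic runs offline.

```python
"""Server-side verification of a reCAPTCHA v2 ("No CAPTCHA reCAPTCHA") token.

Added example, not MyBB or MNF Club code.  Network access is isolated in
post_siteverify() so the decision logic can be exercised with constructed
replies; nothing below contacts Google unless post_siteverify() is used.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_siteverify(secret, token, remote_ip=None):
    """Real call to Google's siteverify endpoint (unused by the offline demo)."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    body = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_captcha(token, expected_hostname, secret, *, siteverify=post_siteverify,
                   now=None, max_age=timedelta(minutes=2)):
    """Return (accepted, reason) for the g-recaptcha-response form field.

    Fails closed: any doubt about the reply rejects the registration.
    """
    if not token:
        return False, "missing-token"
    try:
        reply = siteverify(secret, token)
    except Exception as exc:  # network error or bad JSON: do not let the user in
        return False, f"siteverify-unreachable: {exc}"
    if reply.get("success") is not True:
        codes = reply.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    # The token is bound to the site key, not to the domain; a token solved on
    # another site that (ab)uses the same key would still verify, so pin the host.
    if reply.get("hostname") != expected_hostname:
        return False, f"hostname-mismatch: {reply.get('hostname')}"
    # Google already reports timeout-or-duplicate for tokens older than two
    # minutes or verified twice; checking challenge_ts as well keeps the
    # accepted window explicit in our own code (assumed policy: max_age).
    try:
        solved = datetime.strptime(reply["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, TypeError, ValueError):
        return False, "bad-timestamp"
    solved = solved.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if not timedelta(0) <= now - solved <= max_age:
        return False, "stale-token"
    return True, "ok"


# --- Constructed siteverify replies for an offline demonstration ------------
FAKE_REPLIES = {
    "good-token": {"success": True, "challenge_ts": "2018-07-25T11:12:00Z",
                   "hostname": "www.mnfclub.com"},
    "replayed-token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "foreign-token": {"success": True, "challenge_ts": "2018-07-25T11:12:00Z",
                      "hostname": "attacker.example"},
    "old-token": {"success": True, "challenge_ts": "2018-07-25T10:00:00Z",
                  "hostname": "www.mnfclub.com"},
}
DEMO_NOW = datetime(2018, 7, 25, 11, 12, 30, tzinfo=timezone.utc)  # constructed clock


def fake_siteverify(secret, token, remote_ip=None):
    """Stand-in for post_siteverify() that answers from FAKE_REPLIES."""
    return FAKE_REPLIES.get(token, {"success": False,
                                    "error-codes": ["invalid-input-response"]})


def demo():
    """Run every constructed case (plus an unknown and an empty token)."""
    return {t: verify_captcha(t, "www.mnfclub.com", "PRIVATE-KEY-PLACEHOLDER",
                              siteverify=fake_siteverify, now=DEMO_NOW)
            for t in list(FAKE_REPLIES) + ["garbage", ""]}


if __name__ == "__main__":
    for token, (ok, why) in demo().items():
        print(f"{token!r:18} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

In a real deployment `verify_captcha()` is called with the default `siteverify` and the Private key from the server's configuration; the Public (site) key belongs in the page, the Private key never does. The hostname pin and the fail-closed handling of network errors are the two checks most often left out of hand-rolled integrations.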


RE: Security Questions - Amberlicious - 07-26-2018

Hi Emmie

Thanks very much for explaining the structure of MnF, and I now wonder who is the ActionScript guru :)
In the old days of Flash I used to develop websites in ActionScript too; it was fun!

You are absolutely right and I agree with you 100%. This isn't our call to make. If something goes wrong from the legal perspective, they are responsible for it and not us. It is their call to make. Technically, it is dead easy to install it and I'm more than happy to help you if you need any.


RE: Security Questions - Emmie - 07-26-2018

More in-depth on the developers of MNF Club, Serega is the one that does most, if not all animations and art. And Vadim is in charge of all things related to the servers. I don't wanna say for sure, but that's how I've understood it from talking with Vadim. One of these days, I'll ask him some more, and perhaps be able to share a more accurate picture of who deals with what.