Curious thought of the day: if they approached Linus to install a backdoor in the kernel - code that is open-source - does this imply they're confident they could hide a backdoor in open-source code in broad daylight?

Unfortunately it's feasible to conceal "backdoors" in open source code.  For example, in the Linux kernel, where you have 25M + lines of code, it becomes difficult to audit (by contrast the whole of OpenBSD is less than 3M lines of code).

It comes back to Linus' law and why it's mostly an idealist stance: "given enough eyeballs, all bugs are shallow" (Eric S. Raymond)

But if the eyeballs aren't actually looking (s they clearly weren't with respect to OpenSSL), the bugs don't get found.  Bugs which aren't found can become vulnerabilities which can be found by certain entities, but not disclosed (for years, if at all) and exploited.

As Torvalds said two years ago:

https://www.linux.com/news/linuxcon-201 … s-torvalds

With that in mind you can see how viable it could be to find and conceal an exploit.  Unfortunately it's the kernel which is the one component you need to trust.  Despite the work of the grsec/Brad Spengler and others, Torvalds has publicly taken a very laid back approach to security and has been dismissive of "security people".

And now, with the arrival of systemd and similar software (from gnome, freedesktop.org, et al), you have even greater complexity, more "attack surface" and more code which has just been written with the aim to bring in raw functionality to the detriment of all else.

Tor doesn't work for registering either.  Have you seen Can't register because you are a 'spammer'?  If someone gets thwarted by the spam measures and really wants to be here, they can contact us to do it manually.  We've done it several times.  Personally I despise captchas.  But let's see what the backend admins think about your suggestions.

As to trolls . . . have you read our (almost) no code of conduct?

Your enthusiasm is commendable.  But your thoughts have been a bit much for me to process.  Mostly I tune out after about two paras . . . 

I often write in depth, character trait.

They're only suggestions at the end of the day, you can ignore them, just I'd like to see more users join the Devuan forums.

Also, good point about the no code of conduct.

I presume because each bot has a different purpose:

1) Spiders (that simply datamine/harvest, either for search engines, or garbage 'rip-off' sites that need to all die in fires).
2) Pharmaceutical/Counterfiet bots (money is in the purchases of the dubious quality product).
3) Lobbyist bots (money is in achieving the desired outcome. See the FCC getting spammed with copy-paste comments from what looked to be Comcast as an example).
4) Propaganda bots (money in getting people to like or adopt a specific lifestyle choice, for example, pro-vaccine bots which I've personally encountered and exposed).
5) Military bots (attempting to achieve government policy, and thus already has the money. Usually spreads either propaganda, false information about particular targets, or is used to attack individuals to drive them off or away from a particular place).

In terms of Devuan, I imagine it's mainly 2 peppered with 5 (Red Hat being mainly funded by the US government, one of their biggest purveyors, likely does not want 'secure alternatives' cropping up. NSA got Microsoft to pwn Windows for them, and Red Hat is literally directly funded by the NSA, so chances are, given the NSA's Linus Torvalds backdoor offer failed [he went public on it], they want Red Hat to pwn most, if not all of, Linux [they already give Linus 'suggestions' on the NSA's behalf]. Only way to do that is to prevent people swapping to different configurations if they can't backdoor the kernel).

Curious thought of the day: if they approached Linus to install a backdoor in the kernel - code that is open-source - does this imply they're confident they could hide a backdoor in open-source code in broad daylight?

Does anyone still use SELinux these days?

1st of all the user does not see any bots, so it is logical to doubt the admin.
Admin is not interested what users think, she/he does what it takes to keep the forum "safe and functional".

Question/Hypothesis:  In an organic/bio gardening forum, there may be thousands of users, but there haven't many bot attacks.  Why do bots attack linux forums in specific (if they do)?

Aaaahhaaaahhh!!

As to trolls . . . have you read our (almost) no code of conduct?

Your enthusiasm is commendable.  But your thoughts have been a bit much for me to process.  Mostly I tune out after about two paras . . . 

@JoshuaFlynn . . . There is no google recaptcha on this forum.

In which case I'm genuinely confused. I don't recall off the top of my head, but after numerous retries the captcha thing got easier (I thought it changed into some image based one which I was then able to solve, but my memory apparently is turning to sludge with work stress), hard to explain.

Probably due to the fact spambots make use of VPNs like they do Tor proxies. It's not a perfect solution.

Perhaps configure something similar to cloudflare, in that a basic image captcha is issued to a 'suspicious' IP, which if solved, grants them access?

(IP on blacklist, page redirection to image captcha, temporarily grant that specific IP immunity, extend it upon login.)

My other query is how do you plan to deal with trolls? Obviously not an issue yet, but with all things that gain popularity, it'll rear it's head sooner or later.

Sorry if I sound rude, only trying to help, I like Devuan, so I'd much rather be 'that guy' and point out possible issues. More for consideration than anything.

So the system works and is non-negotiable.

This does not preclude the possibility of other also working systems that are more human friendly. One could easily ban everything and declare that also works, but that is not to say it's user friendly, and Devuan definitely stands to gain from an additional userbase.

Your question system almost thwarted me (I think it eventually defaulted to google's awful recaptcha system after numerous retries and I got in) and I would have gladly taken my hat and left had it continued for a bit longer - I take the view if a system is too difficult for entry, the person doesn't want me there. You might want to consider the fact that multiple users are reporting this issue and a view of 'it works for me' isn't quite how beta testing works.

I suspect by caught you mean bots that were filtered out during the registration period? If you're aiming to reduce server burdens, most shouldn't even be able to connect to the forum to begin with, and there are publicly available IP blacklists. I would strongly advise shuffling the anti-bot system around to find one more human friendly, because I suspect it's not just bots you're keeping out.

Better questions is a bit arbitrary because if they're too easy, bots get in, and if they're too hard you keep humans out, and keeping it all focused there is a single point of failure (there should be layers of filtrations). As mentioned, a bot handler could easily just preload the text answers for the questions and you'd have to rotate them out of service (if they hang around for long enough they could exhaust your entire supply), and more advanced piece of kit (like say, a Watson API) could likely do a lookup on the answers coupled with a bit of brute forcing guesswork (IE keeps an internal log of what answers succeed against which fail).

As irony would have it, I run a mechanize based python bot that updates my own forum on specific threads and specific topics, and despite the fact the main forum has guest posting enabled, the comedy style question coupled with a basic image captcha plus the two post minimum for URLs has dropped bot posting rates to zero (my bot gets around this because it has a manually registered account). I'd like to think the range bans on IP blocks also helps impede it but because they don't even arrive there's no figures to report (I probably get 150 bots on my forum in a 24 hour period).

Text based captchas are actually the easiest kind of captcha to adapt to. Having both a simple text question and image captcha means a more complex setup is required (you'd need an OCR at a minimum, and there's no decent free ones, and you can't have the bot 'learn' the answers because OCR failures would distort feedback).

Having spent the last couple of years outing military bot and sock accounts and flaws in captcha systems (in one case going so far as to write a bot to prove it in the case of two separate forums), this isn't out of ignorance. You can see some of FlynnBot's postings on another forum here. FlynnBot was reverse engineered from a piece of python code someone wrote trying to defraud the UK government petition (interesting piece of kit, could create temporary email addresses) that was published by Brietbart that I was trying to analyse.

Some good comments and ideas there.

Let me add a few complications....

"What's the truckers channel?" In Australia there is no such thing as a 'trucker', they're 'truckies', as are 'bikers', 'bikies', and the radio channel used is 40. Even those of us who use UHF radio probably wouldn't have the faintest clue what channel is used in North America, which, I think, is still 27MHz anyway.

Questions on pronunciation can be equally as difficult. For the word 'defeat' we say diff-eet with accent on the second syllable, as opposed to dee-feet with accent on the first. Asked to type how I'd pronounce 'Devuan' I'd likely put 'dev-wahn'. Pronouncekiwi has some interesting variations.

So even for English speakers this can be hard, harder still for those even from Latin based languages and nigh on impossible for those who come from an East Asian background. Anyone tried to decipher pronunciation in Pinyin?

Agreed on pronuciation questions.  FTR, there is an 'official' audio rendering of Devuan here

We call it Purpy.  But purple seemed close enough.   

This site was bot-proofed 247 days ago.  In those months it has stopped over 16.000 bots dead in their tracks.  The numbers are constantly escalating.  A few days ago we had over 550 blocked in a 24 hour period.  Not one has gotten through yet.  So the system works and is non-negotiable.

New and improved questions are always welcome.

golinux

Let me add a few complications....

"What's the truckers channel?" In Australia there is no such thing as a 'trucker', they're 'truckies', as are 'bikers', 'bikies', and the radio channel used is 40. Even those of us who use UHF radio probably wouldn't have the faintest clue what channel is used in North America, which, I think, is still 27MHz anyway.

Questions on pronunciation can be equally as difficult. For the word 'defeat' we say diff-eet with accent on the second syllable, as opposed to dee-feet with accent on the first. Asked to type how I'd pronounce 'Devuan' I'd likely put 'dev-wahn'. Pronouncekiwi has some interesting variations.

So even for English speakers this can be hard, harder still for those even from Latin based languages and nigh on impossible for those who come from an East Asian background. Anyone tried to decipher pronunciation in Pinyin?

Colours. My business revolves around colours and not in a pink fit would I describe the Devuan scheme as 'purple'. Violet grey, perhaps.

Staying a step ahead of the bots is one thing but keeping the questions answerable is another. Good luck.

The issues of captchas is a complex one, because, counter-intuitively, not all captcha solvers are done by bots (yes, they are outsourced to people who earn a couple of cents per solution), which is why usually bot unsolveable captchas like complex images are still seemingly solveable by spambots. More specialist bots have their own dedicated human handlers (especially when it comes to military software socks).

Defeating conventional spambots is fairly easy, you need to setup a deductive question that a bot cannot logically solve (a smarter bot handler will simply rotate through the text questions and preload answers for them, so you do also need to expire 'solved' questions). For example, on my forum, I ask the question 'In comedy, what does 2+2 equal?'. A bot will see the mathematics and answer '4', but a human will twig that the 'comedy' context changes the answer (which is either '5'/'five' or 'fish').

You'll want to include a number of natural answers rather than one 'right' answer (for example, the kernel image should include all valid kernel images in use by Devuan).

A couple of easy examples that easily thwart bots:
How is Devuan pronounced? (Dev-one, Devone, etc)
What is this forum's main colour theme? (Purple)
Devuan is to Debian as Lubuntu is to... (Ubuntu)

Leaps in logic or horribly general questions like this are nearly impossible for moderate complexity bots to answer. For example, how does the AI know how to pronounce Devuan? It doesn't (it likely doesn't have the speech processors to 'sound it out' either). Main colour theme 'seems obvious' but it has to know what a theme is, figure out the the colour codes, then covert those colour codes into the expected colour categorisation. Devuan to Debian is actually a rip on an IQ test question and requires categorical inference.

If the forum still wants to use 'proof of knowledge' questions (which discriminates against noobs), I strongly advise they be proof of knowledge questions that a person can reasonably achieve in a single non-specialised search, otherwise from a user interface standpoint this is adversely impeding the users.

From a long-term standpoint, the forum might want to acquire an IP blacklist of well known spambot associated IPs (perhaps even doing an automated whois style query to detect non-ISP based connections, with exceptions made for Tor nodes), and perhaps have a minimum two post limit before URLs in posts are enabled (which very quickly cripples bots even with guest post access because as a spambot they can never post without a URL and therefore always fail).

If someone has way too much time on their hands, they could likely do a plugin that determines the probability that a poster is likely a spambot and auto-ban (suspicious IP, suspicious email, drug/porn/offensive content themed post, excessive captcha failures, constant 'unable to post' failures involving URLs).

If you really want to stick it to systemd whilst keeping it factual, consider having a thread detailing systemd vulnerabilities and exploits (usually they have specific CVE names or well known titles), and make questions based around looking up the specific vulnerability code (be kind enough to link them in to the thread). That way you can both educate users and filter out spambots at the same time.