this post was submitted on 15 Jun 2024
69 points (91.6% liked)

Open Source

31418 readers
16 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Situation: You run a website and want users to have to do some amount of work in order to activate a function in your code. The "function" can be anything: creating an account, receiving some kind of in-game token/reward, dispensing coins from a faucet, whatever. Captchas are becoming both increasingly complex and increasingly useless against spam attacks. Various "proof of personhood" options are available (SMS verification etc.) but come with downsides as well.

An obvious alternative to captchas is some kind of "proof of work" scheme where the user has to run a certain number of hash calculations. This is cheap for individual users but expensive for spammers to spam, and could even net you a little crypto if you wanted it to. This, for example, is the approach used by Tor's anonymity network to help prevent DDoS attacks. This is fine, but it serves no other purpose and uses lots of energy. Though in Tor's implementation, it is only occasionally used as opposed to being used for every request.

My script is a "proof of useful work" captcha alternative. The user must download and process a chosen amount of workunits from a chosen BOINC project(s). This work is "useful" because it contributes to scientific research. BOINC is software for distributed/volunteer computing and it's used by scientists all over the world, including the Large Hadron Collider (CERN), to offload expensive computation to the machines of volunteers. My script downloads stats from the BOINC projects and verifies the user has completed the work. If the user is a pre-existing BOINC user, they will already have sufficient credit to instantly activate the function on the site.

The default setup for this software is as a "crypto faucet", but you can plug in any function you want: anti-spam, user registration, whatever. It calculates a cost for the "work" and makes sure it dispenses less than the cost, making sure no user has incentive to use the faucet more than a few times since it would be cheaper for the user to just do the work on their own without the faucet acting as a middleman.

Downside of this tool is that the user may take some time to accumulate the credit (unless they are an existing BOINC user with credit), and the BOINC projects only report updated credit once every 24 hours (though if you ran your own BOINC project for this purpose, you could get this time down much lower). So while this can be good for longer-term tasks (such as giving an in-game reward to users who contribute to science), it is not quick. They also have to download and run BOINC (and change their username at a BOINC project), which is a big step compared to a captcha. In an ideal world, the BOINC work could be completed in the browser instead of by downloading BOINC; I believe Folding@home had a client that could do this at one point.

Anyways, I think it's an interesting idea. Maybe you do too and can use it to your advantage somehow.
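The hash-based proof-of-work the post calls the "obvious alternative", as an added example that is not part of the original post or the poster's script: the server hands out a MACed, time-limited challenge (so it stays stateless until a solution comes back), the client brute-forces a counter, and the verifier rejects forged, expired and replayed solutions before it checks the hash. Function names, the challenge layout, and the difficulty and TTL values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumption: a per-deployment secret; load it from a secret store in practice.
SERVER_KEY = os.urandom(32)
DIFFICULTY_BITS = 20      # ~2**20 SHA-256 calls per solve; server policy, never client-chosen
CHALLENGE_TTL = 300       # seconds a challenge stays redeemable


def issue_challenge(action, now=None):
    """Server: hand out a challenge bound to an action and an expiry.

    The MAC lets the server recognise its own challenges without storing
    them; only redeemed solutions need to be remembered (see `spent`).
    """
    now = time.time() if now is None else now
    expires = int(now) + CHALLENGE_TTL
    nonce = os.urandom(16).hex()
    body = f"{action}:{expires}:{nonce}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
        else:
            bits += 8 - b.bit_length()
            break
    return bits


def solve(challenge, difficulty=DIFFICULTY_BITS):
    """Client: find a counter such that SHA-256(challenge:counter) starts with
    at least `difficulty` zero bits. Expected work grows as 2**difficulty."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < difficulty:
        counter += 1
    return counter


def verify(challenge, counter, difficulty=DIFFICULTY_BITS, now=None, spent=None):
    """Server: accept only if the challenge is ours, unexpired, not yet
    redeemed, and the hash really meets the difficulty."""
    now = time.time() if now is None else now
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    action, expires, nonce, tag = parts
    body = f"{action}:{expires}:{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                 # forged or tampered (action or expiry changed)
    try:
        if now > int(expires):
            return False             # stale: solutions cannot be precomputed and hoarded
    except ValueError:
        return False
    if spent is not None and challenge in spent:
        return False                 # replay of an already-redeemed solution
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < difficulty:
        return False
    if spent is not None:
        spent.add(challenge)         # record only after every check passed
    return True


if __name__ == "__main__":
    ch = issue_challenge("register")
    n = solve(ch, difficulty=16)     # ~65k hashes: fine for one person, costly in bulk
    print("counter", n, "accepted:", verify(ch, n, difficulty=16, spent=set()))
```

The `spent` set is the one piece of state the server must keep, and it only needs entries until their challenge expires; without it a spammer solves once and replays the same counter for every request.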
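The credit-verification and faucet-pricing logic the post sketches, as an added example written for this page rather than the poster's script (which is not shown here). It assumes the flow the post describes (the site issues a token, the user sets it as their username at a BOINC project, the site later reads the project's published user stats) and that the stats export carries `<name>`, `<total_credit>` and `<cpid>` per user; the XML sample, the cost constants and every function and class name are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Assumed economics (not from the original script): energy one credit costs the
# user to produce and what that energy costs. Tune to the project's real credit rate.
KWH_PER_CREDIT = 0.0005
PRICE_PER_KWH = 0.20
CREDITS_REQUIRED = 1000.0

# Constructed sample in the shape of a BOINC project's user stats export
# (assumption: <user> records with <name>, <total_credit> and <cpid>).
SAMPLE_STATS = """<users>
  <user><id>1</id><name>alice</name><total_credit>250000.5</total_credit><cpid>aaa111</cpid></user>
  <user><id>2</id><name>ss-7f3c9e2b</name><total_credit>1200.0</total_credit><cpid>bbb222</cpid></user>
  <user><id>3</id><name>ss-0000dead</name><total_credit>40.0</total_credit><cpid>ccc333</cpid></user>
</users>"""


def parse_stats(xml_text):
    """Map username -> list of (total_credit, cpid).

    BOINC usernames are not unique, so every match is kept and the gate
    refuses ambiguous tokens instead of silently picking one.
    """
    out = {}
    for u in ET.fromstring(xml_text).iter("user"):
        name = u.findtext("name", "")
        credit = float(u.findtext("total_credit", "0"))
        cpid = u.findtext("cpid", "")
        out.setdefault(name, []).append((credit, cpid))
    return out


def work_cost(credits):
    """Estimated money the user spent producing `credits`."""
    return credits * KWH_PER_CREDIT * PRICE_PER_KWH


def faucet_payout(credits_required, requested, margin=0.9):
    """Pay strictly less than the work cost, so repeat visits are a net loss."""
    return min(requested, work_cost(credits_required) * margin)


class WorkGate:
    """Issues tokens, then checks each freshly fetched stats export against them."""

    def __init__(self, credits_required=CREDITS_REQUIRED):
        self.required = credits_required
        self.issued = set()      # tokens handed out and not yet redeemed
        self.consumed = {}       # cpid -> credit already redeemed on this site

    def new_token(self):
        # Unguessable, so nobody can pre-register a username another visitor will be told to use.
        token = "ss-" + secrets.token_hex(4)
        self.issued.add(token)
        return token

    def activate(self, token, stats):
        """True once the account renamed to `token` has enough unredeemed credit.

        Re-run this against each new export; projects publish stats about
        once a day, so a legitimate user can fail here for hours.
        """
        if token not in self.issued:
            return False                      # never issued, or already redeemed
        matches = stats.get(token, [])
        if len(matches) != 1:
            return False                      # not renamed yet, or ambiguous name
        credit, cpid = matches[0]
        available = credit - self.consumed.get(cpid, 0.0)
        if available < self.required:
            return False                      # still accumulating, or credit spent earlier
        # Debit by CPID, not by token: a fresh token on the same account
        # must not let the same credit be redeemed twice.
        self.consumed[cpid] = self.consumed.get(cpid, 0.0) + self.required
        self.issued.discard(token)
        return True


if __name__ == "__main__":
    gate = WorkGate()
    tok = gate.new_token()
    print("set your BOINC username to:", tok)
    stats = parse_stats(SAMPLE_STATS)
    print("activated:", gate.activate(tok, stats))   # False until the export shows that name
```

Two checks carry the security weight: the token is random and issued by the site (so an existing high-credit account cannot activate someone else's session just by guessing a name), and credit is debited per CPID across tokens (so the "instant activation" the post allows for existing BOINC users is still one activation per unit of credit, not unlimited).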

top 27 comments
[–] [email protected] 20 points 5 months ago (2 children)

@makeasnek Does BOINC have any verification or protection from malicious actors finishing the work incorrectly just to get through the captcha? If not, this might actually poison the BOINC network, because bad people will have a motivation to get credits without performing the work.

[–] [email protected] 15 points 5 months ago* (last edited 5 months ago)

Yes, most projects implement validation of some sort, as even well-intentioned BOINC users will occasionally submit invalid workunits due to computation errors, random memory bits flipping, etc. Validation schemes range from simple to complex, but suffice it to say that, yes, they nearly universally have some sort of validation mechanism. People have attempted to cheat BOINC before simply in pursuit of a "high score" compared to other users, so the BOINC ecosystem is well acquainted with proper defenses for such behavior. There are even cross-project competitions people can participate in, people join teams, etc., so the competition can be quite fierce.

[–] [email protected] 4 points 5 months ago

There is already Gridcoin, which is a cryptocurrency that awards BOINC work, so I'd say this concern has already been addressed because of that.

[–] [email protected] 7 points 5 months ago (3 children)

Can you implement it in WebAssembly so it runs in the user's browser directly, contributing to a site-wide account, where you just track individual user work on your end so that work is allocated to your visitors instantly?

[–] [email protected] 5 points 5 months ago

Requiring webassembly will break the website for most privacy hardened browsers (arkenfox, Librewolf, cromite, Mullvad, etc). Webassembly is disabled for security and privacy reasons in these browsers. Not worth IMO. See a short snippet of Arkenfox's reasoning here: https://arkenfox.github.io/gui/?s=javascript.options.wasm

[–] [email protected] 4 points 5 months ago (2 children)

haproxy-protection already does this. Tor also has a built-in PoW mode for onion services now too.

[–] [email protected] 1 points 5 months ago (1 children)

Why do so many sites still use endgame?

[–] [email protected] 1 points 5 months ago (1 children)
[–] [email protected] 1 points 5 months ago

It's DDoS protection for Onion Services. You've probably used it.

[–] [email protected] 1 points 5 months ago

This is awesome, but what is gitgud and where can I find the code and docs?

[–] [email protected] 3 points 5 months ago

There's been some talks of making a BOINC WASM client, I'd love to see it happen

[–] [email protected] 5 points 5 months ago (2 children)

Not sure if you want to label it as a "captcha alternative". In most cases I'm sure the captcha is used because they want a real person looking at the page (and the ads on the page). In this case it seems more like a way to keep either bots or people from doing nothing but consuming content (or hacking) without giving back something of value. Either way I really like the idea.

Other ways, in theory, I think you could do this kind of thing are torrent ratios (e.g. hosting one or more Linux ISOs), general archiving (e.g. you get asked to return a random range of bytes from a file you're supposed to be backing up), or running a weather station that reports temperature to the National Weather Service. You might think about a more general framework for just verifying if user X has been contributing something of value.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

I won't mention it here as I don't want this post to come across as promoting cryptocurrency, but this script was originally written to protect a faucet for a cryptocurrency that does exactly this (and has been since 2012). This cryptocurrency records user contribution to various computational projects (BOINC, Folding@home, etc.) and can also be used for torrent seeding or other forms of contribution. So it could be used in this manner to verify a user has contributed X amount of computation over Y time periods.

The faucet handed out coins but the problem is that users want all the free coins right? But we only want to give a few free coins to each user. So we make them do the "work" and make sure the cost of work is > value of coins, so they have no motivation to hit the faucet multiple times. This is the original purpose of the script.

[–] [email protected] 2 points 5 months ago

I appreciate that it's called a CAPTCHA alternative

[–] [email protected] 4 points 5 months ago (2 children)
[–] [email protected] 3 points 5 months ago

Thanks for the link!

[–] [email protected] 2 points 5 months ago (1 children)

I read the issue and didn't understand much. But I hope it will be implemented somehow

[–] [email protected] 2 points 5 months ago

What didn't you understand?

[–] [email protected] 3 points 5 months ago

Great idea!!!

[–] [email protected] 2 points 5 months ago (1 children)

Seems like sciencestats.net is down

[–] [email protected] 2 points 5 months ago

Yes, I no longer host the site this code was designed for, but the code still works and can be repurposed by anybody who wants to use it.

[–] [email protected] 1 points 5 months ago

Bro's a genius

[–] [email protected] 1 points 5 months ago (1 children)

Can you please write a guide for how to run this on some sort of highly scalable load balancer that serves as a fronting for a back end web server, so it can be an easy replacement for orgs who use cloudflare?

[–] [email protected] 2 points 5 months ago (1 children)

This is well beyond my sysadmin capabilities unfortunately. This is more a proof-of-concept and would need some tweaking to be run at that kind of scale.

[–] [email protected] 1 points 5 months ago

We already have mCaptcha and a few others.. The reason none of these POCs ever actually get adopted is because the barrier of entry is too high.

[–] [email protected] 1 points 5 months ago (1 children)
[–] [email protected] 2 points 5 months ago

Depends on the BOINC project