Re: [CODE4LIB] perl recaptcha?
I believe that would be an error 438 (38 = F U on a DTMF keypad). Would you like to co-author an Internet Draft to get it in the RFC? ;)

On Thu, Jul 3, 2008 at 4:22 PM, Thomas Dowling <[EMAIL PROTECTED]> wrote:
> I renamed our input for e-mail address from '' to something pretty
> generic, and the bots that hit us immediately stopped supplying valid
> addresses for that input, so that's easy to catch.
>
> Then as an experiment, I put '' back in, inside a comment. Sure enough,
> the bots see it and stick an address there, which is even easier to
> catch. So it isn't just a WordPress thing.
>
> Now if I could just return an HTTP status that meant "Go [EMAIL PROTECTED]
> yourself".
>
> Thomas Dowling
> [EMAIL PROTECTED]
>
> Genny Engel wrote:
>> More anecdote: I got rid of pretty much 100% of spam on our blog by
>> commenting out the URL input box. Then add a few lines of code to the
>> comment processor:
>>
>>     if (!empty($_POST['url'])) {
>>         header('HTTP/1.0 406 Not Acceptable');
>>         exit;
>>     }
>>
>> If the post contains a URL it's a bot, since a human wouldn't be able
>> to submit a URL field. What I don't know is whether all the bots
>> hitting our comment form happen to be WordPress-specific bots
>> preprogrammed to send a URL value, or if it's really true in a more
>> general sense that commenting out input fields is a good way to foil
>> bots.
>>
>> Genny Engel
>> Internet Librarian
>> Sonoma County Library
>> [EMAIL PROTECTED]
>> 707 545-0831 x581
>> www.sonomalibrary.org
>>
>> >>> [EMAIL PROTECTED] 07/01/08 02:00PM >>>
>> It's anecdotal, but since I added a little "What's two plus two" input
>> box to my forms, we hardly get any more form spam. You could easily
>> switch the question each time, although I haven't had the need to.
>>
>> We weren't getting hit once a minute, mind you, so you might be
>> attracting a better class of bots . . . .
>>
>> On Tue, Jul 1, 2008 at 10:36 AM, MJ Ray <[EMAIL PROTECTED]> wrote:
>>> Thomas Dowling <[EMAIL PROTECTED]> wrote:
>>>> Does anyone know anything concrete about "cognitive" captchas? I've
>>>> run into anecdotal support for things like: Enter the word "orange"
>>>> [...]
>>>> Are these known to work? Or are they just clever guesses about what
>>>> bots might not be able to figure out?
>>>
>>> There are mostly anecdotes because this stuff is hard to test
>>> properly. I found they worked a little, but are just clever guesses.
>>>
>>> "3.1 Logic puzzles
>>>
>>> The goal of visual verification is to separate human from machine. One
>>> reasonable way to do this is to test for logic. Simple mathematical
>>> word puzzles, trivia, and the like may raise the bar for robots, at
>>> least to the point where using them is more attractive elsewhere.
>>>
>>> Problems: Users with cognitive disabilities may still have trouble.
>>> Answers may need to be handled flexibly, if they require free-form
>>> text. A system would have to maintain a vast number of questions, or
>>> shift them around programmatically, in order to keep spiders from
>>> capturing them all. This approach is also subject to defeat by human
>>> operators."
>>>
>>> Source: http://www.w3.org/TR/turingtest/#logic
>>>
>>> As that last phrase hints, bots are not the only problem. See
>>> http://www.schneier.com/blog/archives/2007/11/spammers_using.html for
>>> example.
>>>
>>> Hope that helps,
>>> --
>>> MJ Ray (slef)
>>> Webmaster for hire, statistician and online shop builder for a small
>>> worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
>>> (Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
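
The two checks described in the thread above (a decoy field that exists only inside an HTML comment, and a simple question whose answer is accepted flexibly), combined in one server-side function. This is an added example, not code from any of the posters; the field names `url`, `email` and `sum` and the accepted answers are assumptions.

```php
<?php
// Added example: decoy-field and question checks for a comment form.
// Field names and accepted answers below are assumptions for illustration.
const DECOY_FIELDS = ['url', 'email'];  // exist only inside an HTML comment
const ANSWER_FIELD = 'sum';             // the "two plus two" box
const ACCEPTED_ANSWERS = ['4', 'four'];

/** Trimmed, lower-cased text; null if absent or blank. */
function submitted_text($value): ?string
{
    if ($value === null) {
        return null;
    }
    if (!is_string($value)) {
        return '[non-string]';  // e.g. url[]=x arrives as an array
    }
    $text = strtolower(trim($value));
    return $text === '' ? null : $text;
}

/** Return 'accept', 'reject-decoy' or 'reject-answer' for one POST body. */
function classify_submission(array $post): string
{
    foreach (DECOY_FIELDS as $name) {
        // A browser does not send a field that exists only in a comment,
        // so a value here means the client filled in the raw markup.
        if (submitted_text($post[$name] ?? null) !== null) {
            return 'reject-decoy';
        }
    }
    $answer = submitted_text($post[ANSWER_FIELD] ?? null);
    if ($answer === null || !in_array($answer, ACCEPTED_ANSWERS, true)) {
        return 'reject-answer';
    }
    return 'accept';
}

// Constructed sample submissions, not real traffic.
$samples = [
    'human'         => ['comment' => 'Nice post', 'sum' => ' Four '],
    'bot fills url' => ['comment' => 'buy now', 'url' => 'http://spam.example/', 'sum' => '4'],
    'array value'   => ['comment' => 'x', 'email' => ['a@b.example'], 'sum' => '4'],
    'wrong answer'  => ['comment' => 'hi', 'sum' => '22'],
];
foreach ($samples as $label => $post) {
    printf("%-14s %s\n", $label, classify_submission($post));
}
```

In a request handler the input would be `$_POST`, and a `reject-decoy` result can be answered with the 406 status used in the thread.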
Re: [CODE4LIB] Temporary library cards via Unicorn?
If I understand you correctly, you want to allow "instant registration" so that a user can register and immediately use online databases, without having to step foot in a library? Further, this is something you anticipate for the future, and not something you want _just_ for migration?

Assuming I'm understanding you correctly, I have a couple ideas. All in all, it depends really on how you authenticate access to your databases (SIP/NCIP or just dummy 'Does this meet the rules for a valid number'?-type authentication). I'm going to assume that it's the second (or, perhaps if you use number 1 you can also check number 2 if number 1 comes back with a 'soft' failure [user not registered... denial would be caused by delinquency/expiration/etc]).

My first thought would be to create a "dummy" registration system. A person fills out a form online. The contents of this form are e-mailed to a library. The system generates a number that meets the validation criteria for the databases, but would not be valid for the PAC or the like. For example, if your libraries use a patron barcode scheme 2C (where B is a branch ID number, is the patrons' "serial number" at that particular branch and C is a mathematically-calculated checkdigit), your "electronically-generated" barcode numbers could use a branch ID of something you'd be unlikely to utilize in the system (such as , so a sample barcode may be 200014).

A second option may be to frequently create a number of "dummy" patron records with real barcode numbers. These barcode numbers will then be placed in a database on your web site. A patron will register using a web form, and when he/she clicks "submit" the application will be e-mailed to the library staff. He will then get his real card number and PIN and can use this for requesting items in the PAC/etc. He would then be instructed to come to the library to get his actual card. The staff would take the e-mail application and update the "dummy" registration to reflect his actual data.

A third option would be to not utilize numbers at all. If you can add an authentication to your database provider to support access from a referer page, you could create a temporary-use form on your web site. A user would have to fill this out, and upon completion he can access your databases (because the referer would be your web site). A downside is not all database vendors support this type of "authentication", and many firewalls are beginning to block HTTP_REFERER.

As a final note, if Patron Self Registration from the OPAC is a feature you may find useful (for databases or otherwise), file an enhancement request with SIRSI. Quite a number of systems DO support a self-registration mechanism, and chances are it's probably on their "to-do list" anyway... But, if people start asking for it, the priority will rise!

Good luck in your migration, and I hope this helps!

--Don McMorris

On 4/23/07, Michael McCulley <[EMAIL PROTECTED]> wrote:

We have the older Sirsi DRA Classic system here at SDPL, and while we are migrating soon to Unicorn from SirsiDynix, we already can see something we're interested in doing that seems "beyond" Unicorn's capabilities.

Has anyone seen or heard of coding/scripts or hacks/workarounds to provide eCards (temporary library cards) via Unicorn? We'd like to issue temporary cards via the Unicorn interface or our public Web site for "immediate" access to the databases, say good for 30-60 days, and, later, they can be upgraded at any of our libraries to a full-access library card.

As an aside, we'll have the hosted version of Unicorn, so we won't have the system/files on any local servers we can access.

We've noticed with interest that some Horizon systems, III, CARL, etc. can do this, but thus far, I can't see anyone with Unicorn that has done this. Any type of library (academic or public) is a good source, if you've heard of something.

Please drop me a note via e-mail, or post here.

Thanks in advance,
Michael

P. Michael McCulley, Librarian II / Information & Technology
San Diego Public Library, 820 E Street, CA 92101-4806
Phone: 619-238-6678 / FAX: 619-238-6639
E-mail: [EMAIL PROTECTED]
Re: [CODE4LIB] Using OpenID in libraries
Ryan's message (I guess seeing "academia") made me think of Athens, which made me further think "Hey, Subscription Databases are just ITCHING for OpenID!". I mean, come on... The methods we have for database authentication aren't working well...

1) authenticating to a proxy and browsing the database through it: Extra bandwidth is needed, meaning additional cost
2) HTTP_REFERER: Lots of firewalls are blocking this... not to mention the need to click about 3+ layers of links and potentially entering a library card number before using the resource
3) Registering a service-specific user ID in the library or remote via method 1 or 2: Who wants another username/password?

Here's a scenario: I want to access Novelist. So, I go to my library web site. I disable my firewall so that HTTP_REFERER will be passed on. I dig out my library card and enter the number on Ebsco's page. I'm finally where I want to be...

Now, if Novelist implemented OpenID, I could simply go straight there (whether or not I've ever been there), I can just go to the Novelist web site and enter the OpenID that I've set up with my library. 1 step, 1 set of credentials. All is good. And, this could potentially be expanded so that if my patron is delinquent, the database can deny him access!

Now, come on... who doesn't think OpenID would be GREAT for subscription databases?

On 3/22/07, Ryan Eby <[EMAIL PROTECTED]> wrote:

I haven't seen much in library world outside of some talk/discussion. I did come across one academia that did implement it:

http://blog.case.edu/jms18/2007/03/09/openid_server_integrated_with_cas

Not sure if it's taken off much otherwise in the academic or public sector. I think quite a few are lucky to get any authentication working well.

Ryan

On 3/22/07, William Denton <[EMAIL PROTECTED]> wrote:
> I hadn't been too clear on OpenID but a week or two ago I listened to a
> recording of a talk about that explained it well. I can't find it again,
> unfortunately, but you can take my word for it that it was pretty good.
>
> Is OpenID being used in libraries? It struck me that it could work well
> for library systems that share resources: two systems that are part of the
> same consortium or provincial/state system; two neighbouring public
> systems that let people from one borrow at the other; academic libraries
> that want to make it easy for visiting profs and grad students to get
> temporary access to online resources; etc.
>
> Say I live in Lower Mowat but one day I'm in Upper Mowat, in the next
> municipality (or county, or whatever) over, visiting my tailor. The two
> library systems are separate but share their resources. I pop into the
> library to update my Twittering friends on my inseam measurement. I don't
> actually have an account at the Upper Mowat Library, but I log in to one
> of their computers using my Lower Mowat-supplied OpenID identifier, and
> the Upper Mowat system recognizes where I'm from and gives me access to
> everything.
>
> Bill
> --
> William Denton, Toronto : miskatonic.org : frbr.org : openfrbr.org
Re: [CODE4LIB] Using OpenID in libraries
So far, I haven't heard much about OpenID in libraries. It will change, I'm sure. Once you get past the bureaucracy(sp?), OpenID+Z39.83(NCIP) will make libraries pretty much borderless. Especially now that Evergreen is going to force commercial ILS vendors to make their systems worth their cost ;)

--Don

On 3/22/07, William Denton <[EMAIL PROTECTED]> wrote:

I hadn't been too clear on OpenID but a week or two ago I listened to a recording of a talk about that explained it well. I can't find it again, unfortunately, but you can take my word for it that it was pretty good.

Is OpenID being used in libraries? It struck me that it could work well for library systems that share resources: two systems that are part of the same consortium or provincial/state system; two neighbouring public systems that let people from one borrow at the other; academic libraries that want to make it easy for visiting profs and grad students to get temporary access to online resources; etc.

Say I live in Lower Mowat but one day I'm in Upper Mowat, in the next municipality (or county, or whatever) over, visiting my tailor. The two library systems are separate but share their resources. I pop into the library to update my Twittering friends on my inseam measurement. I don't actually have an account at the Upper Mowat Library, but I log in to one of their computers using my Lower Mowat-supplied OpenID identifier, and the Upper Mowat system recognizes where I'm from and gives me access to everything.

Bill
--
William Denton, Toronto : miskatonic.org : frbr.org : openfrbr.org