Re: [CODE4LIB] perl recaptcha?

2008-07-04 Thread don . mcmorris
I believe that would be an error 438 (38 = F U on a DTMF keypad).  Would you
like to co-author an Internet Draft to get it in the RFC? ;)

On Thu, Jul 3, 2008 at 4:22 PM, Thomas Dowling <[EMAIL PROTECTED]>
wrote:

> I renamed our input for e-mail address from '' to
> something pretty generic, and the bots that hit us immediately stopped
> supplying valid addresses for that input, so that's easy to catch.
>
> Then as an experiment, I put '' back in, inside a
> comment.  Sure enough, the bots see it and stick an address there, which is
> even easier to catch.  So it isn't just a WordPress thing.
>
> Now if I could just return an HTTP status that meant "Go [EMAIL PROTECTED] 
> yourself".
>
>
> Thomas Dowling
> [EMAIL PROTECTED]
>
>
>
>
> Genny Engel wrote:
>
>> More anecdote: I got rid of pretty much 100% of spam on our blog by
>> commenting out the URL input box.  Then add a few lines of code to the
>> comment processor:
>>  if (!empty($_POST['url'])) {
>>      // The URL input is commented out of the form, so only a bot can submit it
>>      header('HTTP/1.0 406 Not Acceptable');
>>      exit;
>>  }
>>  If the post contains a URL it's a bot, since a human wouldn't be able
>> to submit a URL field.  What I don't know is whether all the bots
>> hitting our comment form happen to be WordPress-specific bots
>> preprogrammed to send a URL value, or if it's really true in a more
>> general sense that commenting out input fields is a good way to foil
>> bots.
>> Genny Engel
>> Internet Librarian
>> Sonoma County Library
>> [EMAIL PROTECTED]
>> 707 545-0831 x581
>> www.sonomalibrary.org
>>
>>
>>  [EMAIL PROTECTED] 07/01/08 02:00PM >>>
>>
>> It's anecdotal, but since I added a little "What's two plus two" input
>> box to my forms, we hardly get any more form spam.  You could easily
>> switch the question each time, although I haven't had the need to.
>>
>> We weren't getting hit once a minute, mind you, so you might be
>> attracting a better class of bots . . . .
>>
>> On Tue, Jul 1, 2008 at 10:36 AM, MJ Ray <[EMAIL PROTECTED]> wrote:
>>
>>> Thomas Dowling <[EMAIL PROTECTED]> wrote:
>>>
>>>> Does anyone know anything concrete about "cognitive" captchas?  I've run
>>>> into anecdotal support for things like:
>>>>   Enter the word "orange"
>>> [...]
>>>> Are these known to work?  Or are they just clever guesses about what
>>>> bots might not be able to figure out?
>>>
>>> There are mostly anecdotes because this stuff is hard to test
>>> properly.  I found they worked a little, but are just clever guesses.
>>>
>>> "3.1 Logic puzzles
>>>
>>> The goal of visual verification is to separate human from machine. One
>>> reasonable way to do this is to test for logic. Simple mathematical
>>> word puzzles, trivia, and the like may raise the bar for robots, at
>>> least to the point where using them is more attractive elsewhere.
>>>
>>> Problems: Users with cognitive disabilities may still have trouble.
>>> Answers may need to be handled flexibly, if they require free-form
>>> text. A system would have to maintain a vast number of questions, or
>>> shift them around programmatically, in order to keep spiders from
>>> capturing them all. This approach is also subject to defeat by human
>>> operators."
>>>
>>> Source: http://www.w3.org/TR/turingtest/#logic
>>>
>>> As that last phrase hints, bots are not the only problem.  See
>>> http://www.schneier.com/blog/archives/2007/11/spammers_using.html for
>>> example.
>>>
>>>
>>> Hope that helps,
>>> --
>>> MJ Ray (slef)
>>> Webmaster for hire, statistician and online shop builder for a small
>>> worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
>>> (Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
>>>
>>
>>
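
The decoy-field check and the rotating-question idea discussed in this thread, combined into one server-side filter. This is an added example, not code from any of the posters; the field names (`url`, `email`, `answer`, `token`), the secret and the 10-minute lifetime are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-secret"  # assumption: per-site secret
DECOYS = ("url", "email")   # assumed names of inputs left only in an HTML comment
MAX_AGE = 600               # seconds a question stays valid (assumed)
QUESTIONS = [("What is two plus two?", "4"),
             ('Enter the word "orange"', "orange"),
             ("What is three plus five?", "8")]


def _sign(index, issued):
    """Bind a question index to its issue time without server-side state."""
    msg = f"{index}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Pick the question for this page load; return (prompt, token)."""
    issued = int(time.time() if now is None else now)
    index = issued % len(QUESTIONS)          # rotates as time passes
    return QUESTIONS[index][0], f"{index}:{issued}:{_sign(index, issued)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of posted form fields."""
    now = int(time.time() if now is None else now)
    # 1. A human cannot fill an input that is commented out of the page.
    for name in DECOYS:
        if form.get(name, "").strip():
            return False, f"decoy field '{name}' was filled"
    # 2. The token must be ours, unmodified, and recent.
    try:
        index, issued, mac = form.get("token", "").split(":")
        index, issued = int(index), int(issued)
    except ValueError:
        return False, "missing or malformed token"
    if not hmac.compare_digest(mac.encode(), _sign(index, issued).encode()):
        return False, "token signature mismatch"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "token expired"
    # 3. Compare the answer flexibly (case and whitespace ignored).
    if form.get("answer", "").strip().lower() != QUESTIONS[index][1]:
        return False, "wrong answer"
    return True, "ok"
```

A token can be reused until it expires, so keep the lifetime short; as the quoted W3C text says, none of this stops a human operator.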


Re: [CODE4LIB] Temporary library cards via Unicorn?

2007-04-23 Thread Don McMorris

If I understand you correctly, you want to allow "instant
registration" so that a user can register and immediately use online
databases, without having to step foot in a library?  Further, this is
something you anticipate for the future, and not something you want
_just_ for migration?

Assuming I'm understanding you correctly, I have a couple ideas.  All
in all, it depends really on how you authenticate access to your
databases (SIP/NCIP or just dummy 'Does this meet the rules for a
valid number'?-type authentication).  I'm going to assume that it's
the second (or, perhaps if you use number 1 you can also check number
2 if number 1 comes back with a 'soft' failure [user not registered...
denial would be caused by delinquency/expiration/etc]).

My first thought would be to create a "dummy" registration system.  A
person fills out a form online.  The contents of this form are
e-mailed to a library.  The system generates a number that meets the
validation criteria for the databases, but would not be valid for the
PAC or the like.  For example, if your libraries use a patron barcode
scheme 2C (where B is a branch ID number,  is the
patrons' "serial number" at that particular branch and C is a
mathematically-calculated checkdigit), your "electronically-generated"
barcode numbers could use a branch ID of something you'd be unlikely
to utilize in the system (such as , so a sample barcode may be
200014).

A second option may be to frequently create a number of "dummy" patron
records with real barcode numbers.  These barcode numbers will then be
placed in a database on your web site.  A patron will register using a
web form, and when he/she clicks "submit" the application will be
e-mailed to the library staff.  He will then get his real card number
and PIN and can use this for requesting items in the PAC/etc.  He
would then be instructed to come to the library to get his actual
card.  The staff would take the e-mail application and update the
"dummy" registration to reflect his actual data.

A third option would be to not utilize numbers at all.  If you can add
an authentication to your database provider to support access from a
referer page, you could create a temporary-use form on your web site.
A user would have to fill this out, and upon completion he can access
your databases (because the referer would be your web site).  A
downside is not all database vendors support this type of
"authentication", and many firewalls are beginning to block
HTTP_REFERER.

As a final note, if Patron Self Registration from the OPAC is a
feature you may find useful (for databases or otherwise), file an
enhancement request with SIRSI.  Quite a number of systems DO support
a self-registration mechanism, and chances are it's probably on their
"to-do list" anyway... But, if people start asking for it, the
priority will rise!

Good luck in your migration, and I hope this helps!
--Don McMorris

On 4/23/07, Michael McCulley <[EMAIL PROTECTED]> wrote:

We have the older Sirsi DRA Classic system here at SDPL, and while we are migrating soon 
to Unicorn from SirsiDynix, we already can see something we're interested in doing that 
seems "beyond" Unicorn's capabilities.

Has anyone seen or heard of coding/scripts or hacks/workarounds to provide eCards 
(temporary library cards) via Unicorn? We'd like to issue temporary cards via the Unicorn 
interface or our public Web site for "immediate" access to the databases, say 
good for 30-60 days, and, later, they can be upgraded at any of our libraries to a 
full-access library card. As an aside, we'll have the hosted version of Unicorn, so we 
won't have the system/files on any local servers we can access.

We've noticed with interest that some Horizon systems, III, CARL, etc. can do 
this, but thus far, I can't see anyone with Unicorn that has done this. Any 
type of library (academic or public) is a good source, if you've heard of 
something. Please drop me a note via e-mail, or post here.

Thanks in advance,
Michael


P. Michael McCulley, Librarian II / Information & Technology
San Diego Public Library, 820 E Street, CA 92101-4806
Phone: 619-238-6678 / FAX: 619-238-6639
E-mail: [EMAIL PROTECTED]



Re: [CODE4LIB] Using OpenID in libraries

2007-03-22 Thread Don McMorris

Ryan's message (I guess seeing "academia") made me think of Athens,
which made me further think "Hey, Subscription Databases are just
ITCHING for OpenID!".  I mean, come on... The methods we have for
database authentication aren't working well...

1) authenticating to a proxy and browsing the database through it:
Extra bandwidth is needed, meaning additional cost
2) HTTP_REFERER: Lots of firewalls are blocking this... not to mention
the need to click about 3+ layers of links and potentially entering a
library card number before using the resource
3) Registering a service-specific user ID in the library or remote via
method 1 or 2: Who wants another username/password?

Here's a scenario: I want to access Novelist.  So, I go to my library
web site.  I disable my firewall so that HTTP_REFERER will be passed
on.  I dig out my library card and enter the number on Ebsco's page.
I'm finally where I want to be...

Now, if Novelist implemented OpenID, I could simply go straight there
(whether or not I've ever been there), I can just go to the Novelist
web site and enter the OpenID that I've set up with my library.  1
step, 1 set of credentials.  All is good.

And, this could potentially be expanded so that if my patron is
delinquent, the database can deny him access!

Now, come on... who doesn't think OpenID would be GREAT for
subscription databases?

On 3/22/07, Ryan Eby <[EMAIL PROTECTED]> wrote:

I haven't seen much in library world outside of some talk/discussion.
I did come across one academia that did implement it:

http://blog.case.edu/jms18/2007/03/09/openid_server_integrated_with_cas

Not sure if it's taken off much otherwise in the academic or public
sector. I think quite a few are lucky to get any authentication
working well.

Ryan

On 3/22/07, William Denton <[EMAIL PROTECTED]> wrote:
> I hadn't been too clear on OpenID but a week or two ago I listened to a
> recording of a talk about that explained it well.  I can't find it again,
> unfortunately, but you can take my word for it that it was pretty good.
>
> Is OpenID being used in libraries?  It struck me that it could work well
> for library systems that share resources: two systems that are part of the
> same consortium or provincial/state system; two neighbouring public
> systems that let people from one borrow at the other; academic libraries
> that want to make it easy for visiting profs and grad students to get
> temporary access to online resources; etc.
>
> Say I live in Lower Mowat but one day I'm in Upper Mowat, in the next
> municipality (or county, or whatever) over, visiting my tailor.  The two
> library systems are separate but share their resources.  I pop into the
> library to update my Twittering friends on my inseam measurement.  I don't
> actually have an account at the Upper Mowat Library, but I log in to one
> of their computers using my Lower Mowat-supplied OpenID identifier, and
> the Upper Mowat system recognizes where I'm from and gives me access to
> everything.
>
> Bill
> --
> William Denton, Toronto : miskatonic.org : frbr.org : openfrbr.org
>



Re: [CODE4LIB] Using OpenID in libraries

2007-03-22 Thread Don McMorris

So far, I haven't heard much about OpenID in libraries.  It will
change, I'm sure.  Once you get past the bureaucracy(sp?),
OpenID+Z39.83(NCIP) will make libraries pretty much borderless.

Especially now that Evergreen is going to force commercial ILS
vendors to make their systems worth their cost ;)

--Don

On 3/22/07, William Denton <[EMAIL PROTECTED]> wrote:

I hadn't been too clear on OpenID but a week or two ago I listened to a
recording of a talk about that explained it well.  I can't find it again,
unfortunately, but you can take my word for it that it was pretty good.

Is OpenID being used in libraries?  It struck me that it could work well
for library systems that share resources: two systems that are part of the
same consortium or provincial/state system; two neighbouring public
systems that let people from one borrow at the other; academic libraries
that want to make it easy for visiting profs and grad students to get
temporary access to online resources; etc.

Say I live in Lower Mowat but one day I'm in Upper Mowat, in the next
municipality (or county, or whatever) over, visiting my tailor.  The two
library systems are separate but share their resources.  I pop into the
library to update my Twittering friends on my inseam measurement.  I don't
actually have an account at the Upper Mowat Library, but I log in to one
of their computers using my Lower Mowat-supplied OpenID identifier, and
the Upper Mowat system recognizes where I'm from and gives me access to
everything.

Bill
--
William Denton, Toronto : miskatonic.org : frbr.org : openfrbr.org