Anonymous
01/28/2025 (Tue) 10:34
No.27933
SITUATION UPDATE
During the last week we addressed a critical bug on Magrathea which made it possible for the attacker to avoid solving re- and hcaptchas. This resulted in a couple of days of relative lull in the flood. The attacker has a trigger mechanism that sends a new wave of flood on deletion or new posting. This trigger got turned off after we applied the fix, up until about 12 hours ago. Now that it's back on, it could mean that he is either fine with paying the captcha solvers, or he has another exploit.
If there are board staff around, you could try dedicating a thread for the flood, and do deletions to trigger him to flood more, pay for more captchas. Every 1000 captchas he has to solve cost him $1-3. We are many, we could rack up a tidy sum for him each month. That is if he has to pay for the solvers.
I'm attaching a userscript for various browser plugins that helps select all the posts after a specific post. The script adds a button to each post on endchan.org. I suggest using guerilla scripting, you only have to throw the script into a specific folder and you are good to go after a browser restart. But use the tools that work for you, Grease- or Tampermonkey are just fine.
I know some of the BOs/BVs are already using something similar.
We also tried to find a solution for the hidden board - hidden images problem. Not yet resolved.
We also got reports with issues on Tor, for Magrathea if I recall it correctly.
We started to deploy recaptcha on Wrongthink. We are fairly certain the basic lynxchan captcha can be solved by OCR or other techniques which don't cost the attacker. The captcha work on Wrongthink isn't finished, there are issues with account and board creation, I think both still need the original.
On WT we patched up a number of bugs, some of which we caused by tinkering. We have little time for testing before applying solutions, so breaking something is always a possibility.
And we are still working on the Proof-of-Work (PoW) because we need a set of mitigation tools, and that should cost the attacker in processing power.
Magrathea doesn't pop banned alerts. If your posts don't appear, try to make a post on endchan.org. If you are banned, it will show the alert. If your IP was banned as a single IP, then you can appeal against the ban. If you are range banned, the alert will say so, no appeal is possible.
Globally I don't ban ranges, so I can lift it if I banned you accidentally.
As for the long run, we still wish to deploy a self-hosted captcha. We aren't fans of 3rd party solutions either.
Edited last time by Shiban on 01/28/2025 (Tue) 10:34.