Best practices for IP protection on photography site - reactjs

Before all the un-helpful comments come out of the woodwork (i.e. "if you want to protect it, don't upload it") - I get it. The only way to protect it is to not put it out there. Not an option, not helpful. Home security isn't about never allowing someone to break into your home. If they want in, they can cut a hole in the wall if your windows and door are too secure. The idea is to make it harder so the average burglar will move on. That's what I'm looking for here. Make it a pain so the average would-be thief will move on. With that out there here is my situation:
I'm putting the finishing touches on a portfolio site for a photographer. The site is a headless React WP site. I've seen so many "suggestions" for how to protect their copyrighted materials that my head is spinning. "Disable right click." "DON'T disable right click." "Upload only smaller, compressed images." Trust me, I know that a Google search will give tons of answers. Problem is, too many of them are conflicting or generic. I figured I would go to a group of people who are generally more technically savvy, and have probably had to face similar situations.
Here is what I have done so far:
employed plugins that automatically compress and limit size on uploaded images. This allows the client to upload what they want, and keeps them safe.
employed plugin that automatically puts copyright info and a QR code onto the image that directs the scanner back to the main page of the site. As the point of the site is to show off the beautiful images, we decided to put them only in the corner, even though covering more of the image would be more effective.
decided NOT to bother with blocking right click as it's a nuisance at best and is easy to circumvent by users with limited technical knowledge (is this the right call?)
Any other ideas I should entertain?

Related

Large File Advice

I have to deliver 2-ish GB media files to customers (zipped up) after purchase. Any advice on how to deliver such big files to the general population (translated: novice internet users who will not be savvy enough to use FTP or something).
We can build a download manager for Windows users, but I doubt we'll be able to get one for Mac/Linux. Is there a standard solution I don't know about?
Thanks!
For most users on a high speed internet connection, novice or not, a direct HTTP download link is likely sufficient. Just be sure that your HTTP responses for both HEAD and GET return the Content-Length header so that users get an accurate progress bar for their download.
In my opinion, the only other reasonable option for novices is probably a download manager. You could of course build your own (possibly using a product like Real Basic to quickly code for all 3 platforms)
There are a number of companies out there that have off the shelf "download assistants" as well. May want to take a look at what companies like Adobe are using for their software downloads.
EDIT: Turns out Adobe uses a custom AIR application for their "download assistant" which is a cross platform option as well.
I'd say have them as a .torrent file. That way people can continue where they left off, and don't have to start over. You can divide the file into a bunch of rar's or .r01-.r20 and it'll help with distribution. THe bottom line is you don't want people to keep having to start over, this can be frustrating. With a .torrent is viable, especially if you don't want to use FTP.
Windows doesn't have a built in .torrent handler, but I'm sure Linux does. OS X I'm not sure about either.

I have a system I would like to implement, advise or theory would be pretty cool

So I want to extract the content from a system that is prebuilt...
it uses PHP + MySQL to CRUD the data, I am thinking of displaying the data in moveable + draggable windows that the logged in users can set, and be recalled upon logon. I am thinking cookies and AJAX with some HTML5 + CSS3 goodness, or even some Cappucino with mongoDB. PLease LMK what you all think.
V/R
CAM
It doesn't matter. Seriously, pick something that (1) interests you, (2) you've always wanted to learn, or (3) has the most jobs available in your area.
Once you are finished, add it to your portfolio and show it off. If you like the languages you used, then use them again. If not, then do something different next time.
Everyone is going to care about how awesome your app is not what language or technology you used in the process.

How to switch users in a smooth way in a Point-Of-Sale system?

I am designing a Point-Of-Sale system for a small shop. The shop just have one Point-Of-Sale but often they are one to three users (sellers) in the shop. Each user have their own user account in the system so they login and logout very often. How should I design the login/logout system in a good way?
For the moment the users don't use passwords, because it takes so long time to type the password each time they login.
The Platform is Windows Vista but I would like to support Windows 7 too. We use Active Directory on the Network. The system is developed in Java/Swing for the moment, but I'm thinking about to change to C#.NET/WPF.
I am thinking about an SmartCard solution, but I don't know if that fits my situation. It would be more secure (which I like) but I don't know if it will be easy to implement and smooth to use, i.e. can I have the POS-system running in the background or started very quickly when the users switch? Are SmartCard solutions very expensive? (My customers are small shops) Is it preferred to use .NET or Java in a SmartCard solution?
What other solutions do I have other than passwords/no passwords/smartcards?
How should I design the login/logout system in a good way?
Is there any good solution using SmartCards for this purpose?
I would like suggested solutions both for C#.NET/WPF and Java/Swing platforms.
I would like suggested solutions both for Active Directory solutions and solutions that only use one user profile in Windows.
How is this problem solved in similar products? I have only seen password-solutions, but they are clumsy.
An interesting solution is to use "Fast User Switching", i.e. the capability to have multiple user sessions open on the same PC. The POS software could be launched through the Startup folder of each seller account and would stay active in each seller session.
I thought that being in a domain (i.e. using Active Directory) disables Fast User Switching, but according to The old new thing, this was true on XP only. I just checked with my Win7 machine at work: it is in a domain but still has the "switch user" menu item.
The main advantage is that if your software is already multi-user aware, you don't need to change it.
I should have made the Fast User Switching check before writing what is below, because this seems to be the simplest solution. Here are other ideas, anyway.
Another solution is what you mention of having a single Windows user but several "virtual users" that your application manages. A smart card is a good way to implement a pseudo-login. In C++, the API allows detecting the removal or insertion of a card, so the application could detect this and read the card after insertion to know who's currently in front of the computer. .NET can easily call this API through P/Invoke; I don't know much of Java, except that JNI could be a solution to call the native API if there is no managed library that publishes this capability.
What should be done is researching the different types of card and how to talk to them, as your app should use a card that does not require a PIN to be accessed (or you are back to the slow login system, except if tying a 4-digit number is not considered too slow).
I've seen restaurants where waiters insert a key into the cash register in order to be identified. I googled "cash registers" but could only find a complete solution package, rather than the components like a key reader.
An almost idiotic question is: how much security do you need ? Does it make sense to have big buttons on the first screen of the app, where people click in order to tell the system who they are ? When they are done, they click on a "Finish" button and the app goes back to the "identify" screen. I've put this at the end because it is so simplistic that it has a low probability of being useful.
I'm not familiar with a broad range of smart card provider solutions, but I know Gemalto has a .Net friendly setup. Most others are geared to Java, but support is widening.
With regards to switching user sessions and your application, it depends on how "heavy" your application is. If your app requires quite a bit of start-up time / resources then you might consider creating the basic application as a service on the machine which can run in the background continuously and then you can load a light-weight UI to interact with the service with each user session (maybe launch via Startup menu).
There is a C# project on CodeProject which provides a framework for interacting with smart card services in windows - might be interesting reading.
I had a chance to work with the Open Source Computer Vision library (OpenCV)
in one of my past projects and its "Face-Recognition" is what you're after. It is written using native code, but can be easily used with Java, .NET, Android, iOS. All you need is a webcam and a button "Switch User" with the onClickListener that will take a picture and compare it with the images of your employees. Advantage? Once the picture's taken, it gets processed in less than 10ms. And as Timores mentioned earlier, once the face is recognised, you simply switch the session. Simple yet effective solution. Good luck!
maybe you want to think about using barcode scanner... probably you already have this device on POS ... my software for bars and restaurants use barcode scanner to recognize users. You have 2 options for using: first, user must log in with own barcode card, then he can use the application ... the second is better, everyone can use application, but to print the receipt user must use barcode card. After then he is responsible for that amount on this receipt.

Whats a good way to protect a link database from automatic scrapers?

I have a large link database, that I would want to protect against others who would want to copy them. Is there anything I can do other than force people to enter a CAPTCHA before each link?
you can output the links using ROT13, and then use javascript to put them back to normal.
this way, the scrapers must support javascript in order to steal your links, which should cut down on the number of eligible scrapers
bonus points: replace ROT13 with something harder, and obfuscate your 'decode' javascript.
The javascript suggestion could work, but you would render your page inaccessible to those using assistive technologies like screen readers as well as anyone without javascript.
Another possible option would be to generate a cryptographic nonce. This technique is currently used to protect against CSRF attacks, but could also be used to ensure that the scraper would have to request a page from your site before accessing a link. This approach may not be appropriate if you support hotlinking, but if you just want to make sure that someone went to your site first, it could work.
Another somewhat ghetto option would be use referrers. These can be easily faked, but it might prevent some of the dumber scrapers. This also requires that you know where your users came from before they hit your site.
Can you let us know if you are hotlinking or if the user comes to your site before going to the protected link? We might be able to provide better advice that way.

Heuristics to discover spammers/bots (In forums, blogs etc)

The ways I can think of are:
Measure the time between actions.
Compare the posts' content (if they're too similar to each other) or, better yet, only the posted links.
Checking the distribution over a period of time the user is active (if the user is active, say posting once every hour, for a week, then either we have a superman or a bot here).
Some special activity expected: like in stackoverflow, I would expect users to press their user name link (top middle) to see their new answers, comments, questions etc.
(added by chakrit) Number of links in a post.
Not heuristic. Use some async JS for user login. (Just makes life a bit harder on the bot programmer).
(added by Alekc) Not heuristic. User-agent values.
And, How could I forget Google's approach (mentioned down by Will Hartung). Give users the ability to mark someone as Spam, enough Spam votes means this is a Spam user. (calculating what is enough users, is the work here).
Any more ideas?
I might be over estimating the intelligence of bot creators, but number 6 is completely useless against any semi decent bot creator. Using the C# browser control to create your bot would pretty much render 6 useless. From what I've seen with that type of software that's a pretty common approach.
Validating on the useragent is pretty much useless too all of the blog spam I use to get was from bots appearing to be valid web browsers.
I use to get a lot of blog spam. I would literally be deleting hundreds of comments a day. I made use of reCaptcha and now I might get 1 a month.
If you really try to make something like this. I would attempt by doing the following:
User starts off with no ability to post a url.
After X number of posts have been analyzed in relation to the other posts in the thread then give them access to post urls.
The users activity on the site, the post quality, and what ever other factors you deem necessary will be a reputation for that users IP.
Then based the reputation of the IP and the other IPs on the same subnet you can make other decisions on whatever you want.
That was just the first thing that came to mind. Hope it helps.
The number of links in a post.
I believe I've read somewhere that Akismet use the number of links as one of its major heuristics.
And most of spam comments at my blog contains 10+ links in them.
Speaking of which... you just might want to check out the Akismet API itself .. they are extremely effective.
How about a search for spam related keywords in the post body?
Not a heuristic but an effective approach: You can also keep up-to-date with the stats published by StopForumSpam using their APIs.
Time between page visits is common I believe.
I need to add a comment section to my personal site and am thinking of asking people to give me their email address; I'll email them a "publish comment" link.
You might want to check if they've come from a Spam blacklist IP address (See http://www.spamhaus.org/)
There is another answer that suggests using Akismet for detecting spam, which I completely endorse.
However, they are not the only player on the block.
There is TypePad AntiSpam which uses the same heuristics as Akismet, as well as the same API (just a different URL and api key, the structure of the calls is the same). It can be safe to say they pretty much take the same approach as Akismet.
You might also want to check out Project Honeypot. From what I can tell, it can do a lookup based on the IP address of the user, and if it is a known malicious IP, it will tell you (harvester or something like that).
Finally, you can check LinkSleeve which approaches comment spam with what it claims to be a different way. Basically, it checks the links that are being linked to in comments, and based on where the links are going to, makes a determination.
Don't forget the ultimate heuristic: The "Report Spam" button that users can click. If nothing else, this gives you as administrator a chance to update your rule base for stuff that may be slipping through. Of course, you can simply delete the offending post and user right away as well.
I have some doubts about 4° point, anyway i would also add User-Agent. It's pretty easy to fake, but in my experience, about 90% of bots are using Perl as UA
I am sure there is a webservice of some kind that you can get a list of top SEO keywords, check the content for those keywords. if the content is to rich in keywords suspect it as being spam.

Resources