reCaptcha - "send alerts to owners" - who?

I'm trying to get reCaptcha working on my website.
I found out I have to register my domain for this first. Since I already have a Google account this is quite easy, but the very last checkbox made me think:
How does Google determine who the owners are?
And what kind of alerts will those be? E-Mails?
I'm a bit worried that some random person will get an E-Mail one day not knowing what to do with it since I'm not the only one working on that domain. And if they just mean my google account I'm registering this with...that doesn't make sense because they should've written "you" instead of owners then. - although your site is making this even more confusing. :D
I'm aware this is not directly a programming question.
I'm open for suggestions for a better Stack-exchange platform to ask this question at, there are too many - I couldn't find any other that seem to fit.

In the reCAPTCHA admin settings, there is a textbox where you can enter a list of email addresses for owners. This will grant them access to manage the reCAPTCHA settings and send them alerts, if enabled.


Instagram user's contact e-mail?

Ruby on rails dev here.
This question has been asked before. Here, here and here.
The problem is that they did not make the right question or the solution given was somewhat shallow.
I'll be as specific as I can.
The Goal
I want to get the user's contact e-mail and not the account e-mail. Two different things. :)
Some users leave their email on the contact button. It's public.
My goal is to make software that can extract e-mails, but for now, only extracting one e-mail from one single account will be more than enough to have my MVP going.
Here is an example below of how Instagram lets users share their e-mail.
The Problem
It only shows in app :( If it were to be shown on the browser as well, it would be a walk in the park. The contact button that has the e-mail and phone number does not show in the browser.
The Good Part
There are some solutions to it.
This guy has figured it out using the API, but I don't quite understand how he did it. The downside is that all the solutions want to sell you a product.
The focus of this company lies on extracting Instagram e-mails and it seems legit.
Last but not least, this dude is using Appium to extract those juicy e-mails. The third won't really work for me because it seems too messy. Having to use an Android emulator will be my last resort.
Thanks for helping and happy new year.
Set up mitmproxy on your machine.
Set up the certificates on your phone and use your machine as the gateway.
Analyze the traffic.
Reverse engineer the API (to log in and get info about user profiles) and then use it in your Ruby/Python/whatever code.

using google classroom api to change course ownerId

How? Easiest method?
Tried using Postman on desktop, Google's OAuth2 playground and Google help pages to try to make sense of what to do. Ended up using GAM as this is the easiest and gives the most helpful responses.
I have tried changing this from multiple places and I always get the error:
ERROR: 400: @UserInIllegalDomain Invitation cannot be created for user in this domain - failedPrecondition
the command:
gam update course 8077159861 owner hiddenusername@longleypark.ac.uk
(username is DEFINITELY correct, I've just hidden it as it's not vital information)
Any help would be much appreciated. From what I can tell, some guides said to add longleypark.ac.uk to the whitelisted domains under Classroom, but because this is the primary domain for this G Suite it says you can't add your current domain, so this isn't an option.
I believe the google API is broken. If anyone can prove otherwise would be a great help.
Google API support haven't managed to give me any proper response, keep saying they will test and let me know but I haven't been informed of any results yet.
Google forums support has informed me once a user account is deleted and 20 days have passed the account becomes unrecoverable which means any classrooms they are the owner of become "orphans" which means "limited functionality" and the inability to change the owner ever again, the only solution is to recreate the classroom from scratch, unfortunately along with the original account all the documents submitted to that classroom are also lost.
There are NO ways around this even though the ownerId field for a classroom really should be editable from some sort of database management tool or admin console/API.
I have run into this problem today. Thought using the API I'd be able to swap the ownerId, but no.
Bizarre that Google don't let you do this as a Google Workspace admin. We now have 3 GCSE sets which are unusable with 3 months of the 2 year course left. Very frustrating.

Get user's email ID on Google Home

I'd want to get user's emailID from an Action on Google. I understand that Google Sign-In is the best way to do that. Even though I don't really need the user to sign in to the action, I think there is no other way to get user's email (please correct me if I'm wrong). But according to the documentation,
Google Sign-In for the Assistant is currently in developer preview. You can build Actions that use this feature, but they can't be published at this time.
However, Walgreens action does the same thing. I wanted to know how. I tried to search a lot, and ended up with these answers. I have done this already and it works. But I wanted to know, if there is any way to release an app using Google Sign-In.
If not, do I need to go through OAuth2.0 flow, and if so, I assume I'd need to have my own authentication system in place?
Please correct me if I'm wrong and help me find the best way to get user's emailID. I think there should be something easier than getting an authentication system in place and getting it to support OAuth2.
if there is any way to release an app using Google Sign-In.
You want the email id of the user. Google sign-in is nothing more than you getting the user's email address (inside a token that is signed by Google so you can verify it).
If you just get an email address as a "string" then you'd need to verify it before you can use it. So think of Google sign-in as an optimized UI flow to get a user's email address. Once you get the verified email address from Google, you can let them have access to the data on your site that is under that account.
Let me know if that is not clear.
From a timeline perspective, this should be out of developer preview within a month. Let me know if you want to try using it before that.
From my own research I think you are right. Until the Google Sign In account linking graduates from developer preview you would have to implement an OAuth workflow, which is a bit of a pain (although the implicit one doesn't look too bad). So perhaps the real question is ... when will Google Sign In account linking be fully available? Anyone from Google? Even a ballpark estimate would be useful.

How can i get list of domain users from Google Apps account without administrative access?

This is a similar question to How can i get list of Domain user's from Google Apps account?
However, I'd like to use a normal account (not an administrative account) to retrieve the user list. It seems like this should be possible as the Gmail autocomplete returns domain contacts not listed in the user's contact store. I've looked at the autocomplete Ajax call, but it requires something in the beginning of the string (and no, I don't really want to loop through a-z one by one - that is just way too hacky). For example:
https://mail.google.com/mail/c/u/0/data/contactstore?ac=true&ct=true&gp=true&hl=en&id=domain&max=15&out=js&tok=beginningOfUsersName&type=4
Both versions of the Google contacts API seem to omit domain users unless you have them imported into your own contacts list. I've also looked at querying users in the "Coworkers" system group, all to no avail. I also find it interesting that "add a coworker's calendar" on Google calendar does not provide autocomplete - they use a popup instead.
I'm working on a C# project, but this is a general Google API question, so any pointers in any language would help.
Update
It looks like this is feasible now with admin/directory google api endpoints
see: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users?authuser=0#retrieve_users_non_admin
Original answer
I was able to work around this issue, so I'll document the workaround, even if it doesn't involve Google. I wrote a program (in C#) to query the internal Active Directory (LDAP) store and pick up all the users from there instead. At that point I could get their email addresses and query Google with it. Not the best method, but it worked for my needs.
The C# was roughly patterned from this powershell script, although I pulled out the computers query and added in the capture of the user's email address: http://www.visualbasicscript.com/List-all-users-or-computers-in-the-default-domain-m35650.aspx
The LDAP property I included to get the proper email address for Google was 'proxyAddresses', although this will not be correct for all environments.

Creative account confirmation without the use of emails

I employ email validation to grant people full use of the site. The trouble is, sometimes these emails get spam-boxed, or never arrive, so I get many people complaining that they cannot confirm their account.
Was wondering if there are other (creative) ways to offer a secondary validation option to users who didn't get the validation. It's a free site, so I don't want to ask for credit cards or mobile #s.
The purpose of this is to make abuse of the site less rampant, since we ban a lot of people, and they come back with dozens of accounts to prove something. Spam/robot registrations are not an issue (right now).
What we started doing recently was letting members send us an email to a special email address. We give them a hash code, and all they have to do is put that code somewhere in the subject or the body of the email, and send it to us. We have a cron job running in the background that gets those emails, parses the subject/body looking for the hash, and if found activates the account.
It doesn't work 100%, because some ISPs also block their users from sending us emails, but no solution would work 100%.
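The inbound-mail confirmation described in the question above, as an added example (not the poster's code). It assumes a code of the form `<account id>-<HMAC tag>`; `SECRET`, `make_code` and `account_to_activate` are hypothetical names, and the sample message is constructed.

```python
import hashlib
import hmac
import re
from email import message_from_string, policy

# Assumption: a server-side key that is never shown to users (constructed value).
SECRET = b"constructed-demo-key"
# Assumed code format: "<account id>-<20 hex chars of HMAC-SHA256>".
CODE_RE = re.compile(r"(?<![0-9a-f])(\d{1,12})-([0-9a-f]{20})(?![0-9a-f])")


def make_code(account_id: int) -> str:
    """Code displayed to the user; only the server can produce a valid tag."""
    tag = hmac.new(SECRET, str(account_id).encode(), hashlib.sha256).hexdigest()
    return f"{account_id}-{tag[:20]}"


def searchable_text(raw_mail: str) -> str:
    """Subject plus decoded body (handles quoted-printable/base64 and charsets)."""
    msg = message_from_string(raw_mail, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return f"{msg.get('Subject', '')}\n{text}"


def account_to_activate(raw_mail: str):
    """Return the account id whose valid code appears in the mail, else None.

    The From header is ignored on purpose: it is sender-controlled, so the
    account is identified only by the code itself.
    """
    for account_id, tag in CODE_RE.findall(searchable_text(raw_mail)):
        expected = make_code(int(account_id)).split("-", 1)[1]
        if hmac.compare_digest(tag, expected):  # constant-time comparison
            return int(account_id)
    return None


if __name__ == "__main__":
    # Constructed sample: quoted-printable body, code split by a soft line break.
    code = make_code(42)
    sample = (
        "From: user@example.test\nSubject: please confirm\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: quoted-printable\n\n"
        f"My code is {code[:10]}=\n{code[10:]} thanks\n"
    )
    print(account_to_activate(sample))
```

Because the tag is an HMAC over the account id, the cron job needs no lookup table of issued codes, and a code copied onto a different account id fails the comparison.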
Based on your comment in Rob S.' answer, it sounds more like you want to identify situations where the same browser is creating multiple accounts rather than confirm that what's at the other end is human.
Dropping a cookie in the user's browser can be very helpful in finding the repeat offenders, especially those not savvy enough to clear their cookies or visit while in private mode. Some forum software like vBulletin does this and can notify the administrators when it happens.
Another alternative might be browser fingerprinting, which is where you use a bunch of the information provided in the HTTP exchange. An example of this is the EFF's Panopticlick.
Just got a "fun" new way to annoy your banned people a bit.
Once you ban them (I guess you close the account and ban the IP), then log their browser agent string with their IP and screen resolution.
If there is a match when showing the website to them, just remove the registration link/page. Don't even show the link to the page, as it might piss them off. Don't explain why it's gone. Just keep it gone, e.g. for 3 weeks or 2 months.
That way they don't have a cookie on the browser to remove, and they can't find the registration so they can't know WHY they can't make a new account.
Secondly, if on a school or something (don't know how old they are), the other existing users will still be able to log in to their accounts as it's ONLY registration that has been removed. Not login.
How about that? Is that clever enough?
Basically what you're looking to do is separate the humans from the robots. There are two primary ways to do this:
1) Require users signing up to check boxes and type a word spelled out in an image captcha. These are usually very difficult tasks for a computer to complete.
2) Allow users to sign-up using their account from a different site such as OpenID or Google assuming that anyone who has one of these accounts is a real person.
I recommend combining both methodologies.
Good luck!
There are unlimited ways of doing this.
You mention mobiles and free, but if you have access to an SMS gateway, you can receive SMS messages for free (but might need to pay some sort of monthly subscription though). But show a dynamically generated code to the current user. Store this code in "his session" and do an Ajax check every 15-30 sec to see if the SMS code was received by the gateway. If so, accept the account and let them register. This would require the gateway + your users to have a personal mobile. Enough about mobiles...
Make a question or more that is randomly generated. Use pictures/tokens instead of text so that the user has to press the correct images in the correct order to perform some sort of answer.
Could be like a jackpot machine with 3 cells where the images are randomly placed and generated inside dynamically named files, so that robots can't analyse the names to guess the right answer.
You mention e-mails to be easy to spoof. Yes indeed, but what if the emails would come, let's say, each week containing some sort of "important info" that the user would need to read/use on the website to continue. Once the account hasn't been used for a certain time (let's say 3 months), kill it... and you could also say that to have a "free account" you must accept that we send you 1 mail per month that you need to activate within 1 week. If you don't, we are free to close/delete your account details.
... and many more
I don't know what you want to "protect", but if it's for gaming, then don't let the gamers have "extra levels/weapons" until they have provided a certain amount of these codes OR paid for access OR validated by phone or something.
That's my first 3 ideas; I think the possibilities are unlimited. The main issue here is, make it too hard to validate yourself and the users go away unless your site is REALLY worth it.
You might think of the much used "Free forever (but limited)" approach of selling stuff these days on the net. The users can make as many accounts as they want, but the license is still only "single/small/basic". Once you get more experienced, you get more features or you might just upgrade by paying... at this time you know WHO is real and WHO isn't.
My point is, don't overprotect. Just design with the mindset that spammers will always find a way in, no matter how well you protect it. Those giving up first are your real users/customers.
I would rather spend time on making this product/website/game so great that EVERYONE wants to pay for an account after a while.
Lastly, from real life... there are COMPANIES in China with kids employed to play World of Warcraft with one purpose: harvest virtual gold and sell it on eBay to other western players who pay with real dollars. It's not allowed according to the game license and their accounts/game licenses are constantly getting banned. But it gives them so much income that they have calculated with this and they just buy new licenses and continue.
So if EVEN Blizzard (WoW creators) doesn't have enough power/money to keep fakes out of the game, how do you expect to do much better? :o)
Useful answer?
