
Re: Defeating CAPTCHA

Subject: Re: Defeating CAPTCHA
Date: Fri, 26 Aug 2005 15:32:49 +1000
CAPTCHAs have two major problems:

a) high value systems using CAPTCHAs are already defeated using trivial techniques:

* supply a CAPTCHA to adult websites' "day pass". Works every time. Defeated by a human

b) Legal accessibility in most countries, and *particularly* Australia

Legally, you must not disadvantage disabled users. This has been proven in court time and time again, such as the Sydney Olympics case.

http://www.contenu.nu/socog.html

So you *have* to have a secondary path, which is likely to be far more secure as it will typically involve thinking Turing machines (ie humans). However, what happens if you make it less secure? From a security path, if your disabled path is simpler than the primary path, the attacker wins. E.g. "I am not a terrorist card"

http://www.schneier.com/crypto-gram-0403.html#10

CAPTCHAs are the wrong solution to a poorly articulated problem; we have to come up with something else. Personally, the reason we have CAPTCHAs (and honey nets, another pet hate of mine) is that we are far too lenient on the attackers.

The hierarchy of needs should be aimed at legitimate users, not attackers. Therefore, we need to target, remove and penalize attackers.

thanks,
Andrew
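
The design point above, that a secondary (accessible) path must not be weaker than the primary CAPTCHA path, as an added Python example that is not part of the original post. It models a challenge gate in which the visual path and the accessible fallback share one per-source attempt budget and issue the same single-use, short-lived token, so an attacker who exhausts one path gains nothing by switching to the other. The class and function names, the limits, and the sample source address are constructed assumptions, not a real library or deployment.

```python
"""
Added example (not from the original post): a challenge gate where the
accessible fallback path is held to the same controls as the primary
CAPTCHA path, so the fallback does not become the weakest link.
All names, limits, and sample traffic below are constructed assumptions.
"""
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS_PER_WINDOW = 5      # assumed per-source budget shared by all paths
WINDOW_SECONDS = 60
TOKEN_TTL_SECONDS = 120


@dataclass
class ChallengeGate:
    # source -> list of attempt timestamps (all paths combined)
    attempts: dict = field(default_factory=lambda: defaultdict(list))
    # token -> (source it was issued to, expiry timestamp)
    tokens: dict = field(default_factory=dict)

    def _within_budget(self, source, now):
        # Prune stale attempts and count the rest; the budget is per source,
        # regardless of which challenge path the caller chose.
        recent = [t for t in self.attempts[source] if now - t < WINDOW_SECONDS]
        self.attempts[source] = recent
        return len(recent) < MAX_ATTEMPTS_PER_WINDOW

    def verify(self, source, path, answer_ok, now=None):
        """Record one attempt on `path` ('visual' or 'accessible') and, if the
        caller's answer was correct, hand back a single-use, short-lived token.
        Both paths go through the same budget and issue the same token."""
        now = time.time() if now is None else now
        if path not in ("visual", "accessible"):
            raise ValueError("unknown challenge path")
        if not self._within_budget(source, now):
            return None          # rate limit reached: no token on any path
        self.attempts[source].append(now)
        if not answer_ok:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (source, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, source, now=None):
        """Consume a token exactly once; it must be unexpired and bound to the
        source that solved the challenge."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        bound_source, expiry = entry
        return bound_source == source and now <= expiry


def simulate_weak_fallback_vs_shared_budget():
    """Constructed scenario: one source spends its budget on the visual path,
    then turns to the accessible path. With a shared budget, switching paths
    does not buy extra attempts; after the window passes, service resumes."""
    gate = ChallengeGate()
    src = "203.0.113.7"          # constructed, documentation-range address
    t = 1_000.0
    visual_tokens = [gate.verify(src, "visual", True, now=t + i)
                     for i in range(MAX_ATTEMPTS_PER_WINDOW)]
    # Budget is now spent; the fallback path must refuse too.
    fallback = gate.verify(src, "accessible", True, now=t + 10)
    # Once the window has rolled over, a fresh attempt succeeds again.
    later = gate.verify(src, "accessible", True, now=t + WINDOW_SECONDS + 1)
    return {
        "visual_issued": sum(tok is not None for tok in visual_tokens),
        "fallback_blocked": fallback is None,
        "later_allowed": later is not None,
        "single_use": gate.redeem(later, src, now=t + WINDOW_SECONDS + 2)
                      and not gate.redeem(later, src, now=t + WINDOW_SECONDS + 3),
    }


if __name__ == "__main__":
    print(simulate_weak_fallback_vs_shared_budget())
```

The point of the shared `attempts` table is that the accessible path is not a separate, softer gate: whatever budget, logging and token handling the visual path gets, the fallback gets identically, which is what keeps the "disabled path is simpler than the primary path" failure from appearing.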
