
RE: Defeating CAPTCHA

Subject: RE: Defeating CAPTCHA
Date: Fri, 26 Aug 2005 12:45:00 -0400
Just an observation about the growing complexity of solutions being
presented...

If I have to look at 10 images of strawberries in various stages of
decay, answer inane riddles, or pass an I.Q. test before registering for
some site, then I'm going to decide that whatever your service is, I
don't need it that badly. And if I, as a technologically-savvy
individual, refuse to jump through hoops to prove I'm not a spammer, how
likely is it that the average web surfer is going to?

If a system is built to run on a computer, then a computer can automate
input into that system. If you want to curb a particular use-case of
your system (say, signing up for an account), make it economically
unattractive or put a human on the receiving side. I can think of three
ways (off-hand) to make a use-case "economically unattractive":

1. Charge money. Spammers aren't going to shell out cash en masse.
2. Require a uniquely identifiable token which requires confirmation of
the token holder. PayPal's signup is a good example - they credit your
bank account with some paltry sum and you tell them later what it is.
3. Provide a service with only information that can't be exploited for
profit.

Attempting to automate a human recognition system is a race that will
leave the humans behind. Eventually only automated spammers will be able
to get into your system.

My two cents.

Derick Anderson
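
Added example, not part of the original post: a sketch of the token-confirmation idea in item 2, where a small amount is credited out of band and the account holder reports it back. The class and function names are hypothetical, and the 1-99 cent range, three-attempt limit and seven-day expiry are assumed policy values. Because the secret space is tiny, the attempt cap and one-challenge-per-token rule carry the security.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3               # assumed policy: guesses allowed per challenge
CHALLENGE_TTL = 7 * 86400      # assumed policy: challenge lifetime in seconds
MIN_CENTS, MAX_CENTS = 1, 99   # assumed range of the credited amount

@dataclass
class Challenge:
    amount_cents: int
    issued_at: float
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False

class MicroDepositVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # bank-account token -> Challenge

    def issue(self, token: str) -> int:
        """Create the challenge; the returned amount is credited out of band."""
        if token in self._pending:
            # One challenge per token: re-issuing would reset the attempt cap
            # and let one account back many signups.
            raise ValueError("challenge already issued for this token")
        amount = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
        self._pending[token] = Challenge(amount, self._clock())
        return amount

    def confirm(self, token: str, claimed_cents: int) -> str:
        ch = self._pending.get(token)
        if ch is None:
            return "unknown"
        if ch.verified:
            return "verified"
        if self._clock() - ch.issued_at > CHALLENGE_TTL:
            return "expired"
        if ch.attempts_left <= 0:
            return "locked"
        ch.attempts_left -= 1  # spend the attempt before comparing
        if hmac.compare_digest(str(claimed_cents), str(ch.amount_cents)):
            ch.verified = True
            return "verified"
        return "locked" if ch.attempts_left == 0 else "wrong"

def blind_guess_success(attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that a party who never saw the deposit guesses the amount."""
    return attempts / (MAX_CENTS - MIN_CENTS + 1)
```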
