[159815] in North American Network Operators' Group
Re: Suggestions for the future on your web site: (was cookies, and
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Wed Jan 23 03:46:01 2013
Date: Wed, 23 Jan 2013 03:45:42 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <CAAAwwbU4EpqPngckmeVtfjVYHG_PEN1-uOOwtRoLPbpjPonGPg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
> that sort of abuse likely needs to be protected against
> via a captcha challenge as well,
Once again: captchas have zero security value. They either defend
(a) resources worth attacking or (b) resources not worth attacking. If it's
(a) then they can and will be defeated as soon as someone chooses to
trouble themselves to do so. If it's (b) then they're not worth the
effort to deploy. See, for example:
http://www.freedom-to-tinker.com/blog/ed-felten/2008/09/02/cheap-captcha-solving-changes-security-game
http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
http://cintruder.sourceforge.net/
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
http://it.slashdot.org/article.pl?sid=08/10/14/1442213
Now I'll grant that captchas aren't as miserably stupid as constructs
like "user at example dot com" [1] but they really are worthless the
moment they're confronted by even a modestly clueful/resourceful adversary.
---rsk
[1] Such constructs are based on the proposition that spammers capable
of writing and deploying sophisticated malware, operating enormous botnets,
maintaining massive address databases, etc., are somehow mysteriously
incapable of writing
perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]+/@/g'
and similar trivial bits of deobfuscation code.
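As an added illustration of the footnote's point (this is not code from the original post or its author): a slightly more general deobfuscator in Python rather than perl, covering the bracketed and bare-word spellings of "at" and "dot" that appear in hand-munged addresses, plus the one check a careful scraper would add, an allowlist of top-level domains so that ordinary prose such as "look at this dot file" is not harvested as an address. The sample text and the (deliberately partial) TLD list are constructed for the example and are assumptions, not data from the post.

```python
import re

# Constructed sample text (not from the original post): the kinds of
# munged addresses the footnote refers to, plus a few common variants
# and one line of ordinary prose that must NOT be mistaken for an address.
SAMPLE = """\
Contact: user at example dot com
Admin:   hostmaster (at) example (dot) org
Abuse:   abuse [at] mail [dot] example [dot] net
Plain:   already@plain.example
Noise:   look at this dot file, it is not an address
"""

# Constructed, deliberately partial allowlist of top-level domains used as
# a sanity check on harvested candidates ("example" is the RFC 2606 reserved TLD).
TLDS = {"com", "org", "net", "edu", "example"}

# Spellings of "@" and "." seen in munged addresses. This goes beyond the
# post's " at " / " dot " case: bare words, (at)/[at]/{at}/<at>, and the
# literal characters, with optional whitespace around each.
_AT = r'(?:\s*[\(\[\{<]?\s*at\s*[\)\]\}>]?\s*|\s*@\s*)'
_DOT = r'(?:\s*[\(\[\{<]?\s*dot\s*[\)\]\}>]?\s*|\s*\.\s*)'
_LABEL = r'[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'
_LOCAL = r'[a-z0-9._%+-]+'

# A candidate is: local part, an "at" token, then two or more DNS labels
# joined by "dot" tokens. Case-insensitive so AT/DOT/At all work.
ADDR_RE = re.compile(
    rf'\b({_LOCAL})\s*{_AT}\s*({_LABEL}(?:{_DOT}{_LABEL})+)\b',
    re.IGNORECASE,
)


def deobfuscate(text, tlds=TLDS):
    """Return the normalised addresses found in text, in order of appearance.

    Candidates whose final label is not in the TLD allowlist are dropped;
    that is what keeps prose like "look at this dot file" out of the result.
    """
    found = []
    for m in ADDR_RE.finditer(text):
        local, domain = m.group(1), m.group(2)
        # Split the domain on whatever "dot" spelling was used.
        labels = [l for l in re.split(_DOT, domain, flags=re.IGNORECASE) if l]
        if labels[-1].lower() not in tlds:
            continue
        addr = f"{local}@{'.'.join(labels)}".lower()
        if addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    for addr in deobfuscate(SAMPLE):
        print(addr)
```

The regex is the whole "attack"; the TLD check exists only to make the harvester precise enough to be useful, and it is the kind of refinement a real address harvester would have, which is the footnote's point about what munging is up against.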