[159854] in North American Network Operators' Group

Re: Suggestions for the future on your web site: (was cookies, and

daemon@ATHENA.MIT.EDU (George Herbert)
Thu Jan 24 13:53:09 2013

In-Reply-To: <20130124134822.GA31908@gsp.org>
Date: Thu, 24 Jan 2013 10:52:53 -0800
From: George Herbert <george.herbert@gmail.com>
To: Rich Kulawiec <rsk@gsp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jan 24, 2013 at 5:48 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Wed, Jan 23, 2013 at 01:20:07PM +0100,  . wrote:
>> CAPTCHAS are a "defense in depth" that reduce the number of spam
>> incidents to a number manageable by humans.
>
> No, they do not.  If you had actually bothered to read the links that
> I provided, or simply to pay attention over the last several years,
> you would know that captchas are not any kind of defense at all.
>
> They're like holding up tissue paper in front of a tank: worthless.
>
> (Yes, yes, I'm well aware that many people will claim that *their* captchas
> work.  They're wrong, of course: their captchas are just as worthless
> as everyone else's.  They simply haven't been competently attacked yet.
> And relying on either the ineptness or the laziness of attackers is
> a very poor security strategy.)
>
> ---rsk

It's true that relying on the laziness of attackers is statistically
useful, but as soon as one becomes an interesting enough target that
the professionals aim, then professional grade tools (which waltz
through captchas more effectively than normal users can, by far) make
them useless.

I disagree that they're entirely ineffective.  The famous Wiley
cartoon (found also in the frontispiece of the original Firewalls
book...) "You have to be this tall to storm the castle" does apply.
But knowing the relative height and availability of storm-the-captcha
tools is important.  They are out there, pros use them all the time,
they are entirely effective.


-- 
-george william herbert
george.herbert@gmail.com

