Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

Rich Kulawiec rsk at gsp.org
Wed Jan 23 08:45:42 UTC 2013


On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
> that sort of abuse likely needs to be protected against
> via a captcha challenge as well,

Once again: captchas have zero security value.  They either defend
(a) resources worth attacking or (b) resources not worth attacking.  If it's
(a) then they can and will be defeated as soon as someone chooses to
trouble themselves to do so.  If it's (b) then they're not worth the
effort to deploy.  See, for example:

	http://www.freedom-to-tinker.com/blog/ed-felten/2008/09/02/cheap-captcha-solving-changes-security-game
	http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
	http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
	http://cintruder.sourceforge.net/
	http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
	http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
	http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Now I'll grant that captchas aren't as miserably stupid as constructs
like "user at example dot com" [1] but they really are worthless the
moment they're confronted by even a modestly clueful/resourceful adversary.

---rsk

[1] Such constructs are based on the proposition that spammers capable
of writing and deploying sophisticated malware, operating enormous botnets,
maintaining massive address databases, etc., are somehow mysteriously
incapable of writing

	perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]+/@/g'

and similar trivial bits of deobfuscation code.
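As an added example (not code from the original post, and not rsk's one-liner), here is the same idea carried a little further than the footnote: a small Python harvester that scans a blob of scraped text for the common "at"/"dot" disguises (bare words, (at)/[dot], _at_/_dot_, mixed case, or the literal characters with spaces around them), guards against false hits on words that merely contain "at" or "dot" such as "kate" and "data", and returns the addresses in plain form. The sample text, the names of the functions and the pattern details are all constructed for this illustration; none of the addresses are real.

```python
"""Harvest and de-obfuscate "user at example dot com" style addresses.

Added example, not part of the original post.  Generalises the footnote's
perl one-liner to the usual decorations around a spelled-out separator.
All sample input below is constructed; the addresses are not real.
"""
import re
from typing import List, Optional

# Optional decoration around a spelled-out separator: whitespace, opening
# brackets, underscores ... and the mirror image after it.
_OPEN = r"\s*[\(\[\{]*\s*_*"
_CLOSE = r"_*\s*[\)\]\}]*\s*"

# A spelled-out "at" / "dot" must not be glued to a letter or digit on either
# side (so "kate" and "data" survive).  The literal "@" / "." need no guard.
_AT = _OPEN + r"(?:(?<![A-Za-z0-9])at(?![A-Za-z0-9])|@)" + _CLOSE
_DOT = _OPEN + r"(?:(?<![A-Za-z0-9])dot(?![A-Za-z0-9])|\.)" + _CLOSE

_LWORD = r"[A-Za-z0-9+-]+"      # one chunk of a local part
_DWORD = r"[A-Za-z0-9-]+"       # one DNS label
# Local part: chunks joined by "_" or a (possibly disguised) dot.
_LOCAL = _LWORD + r"(?:(?:_|" + _DOT + r")" + _LWORD + r")*"
# Domain: labels joined by (possibly disguised) dots, at least two labels.
_DOMAIN = _DWORD + r"(?:" + _DOT + _DWORD + r")+"

_ADDRESS = re.compile(r"(" + _LOCAL + r")" + _AT + r"(" + _DOMAIN + r")",
                      re.IGNORECASE)
_DOT_RE = re.compile(_DOT, re.IGNORECASE)


def _normalise(part: str) -> str:
    """Collapse every spelled-out or decorated dot in *part* into a literal '.'."""
    return _DOT_RE.sub(".", part)


def harvest(text: str) -> List[str]:
    """Return the de-obfuscated addresses found in *text*.

    Lower-cased and de-duplicated, in order of first appearance, which is
    what a scraper feeding an address database wants.
    """
    found: List[str] = []
    for m in _ADDRESS.finditer(text):
        addr = f"{_normalise(m.group(1))}@{_normalise(m.group(2))}".lower()
        if addr not in found:
            found.append(addr)
    return found


def deobfuscate(s: str) -> Optional[str]:
    """First address in *s* in plain form, or None if nothing address-like is there."""
    hits = harvest(s)
    return hits[0] if hits else None


# Constructed sample of a scraped page.  None of these addresses are real.
SAMPLE = """Constructed sample of a scraped page; none of these are real addresses.
  Contact: rsk at gsp dot org
  Abuse:   abuse (at) example [dot] net
  NOC:     noc_at_example_dot_org
  Sales:   Sales.Team AT Example DOT Com
  Plain:   plain@example.com
  Noise:   meet at 3pm, then open data dot csv (neither is an address)
"""

if __name__ == "__main__":
    for addr in harvest(SAMPLE):
        print(addr)
```

Run it and the five disguised or plain addresses come out as ordinary "local@domain" strings while the "meet at 3pm" and "data dot csv" noise is ignored, which is the whole point of the footnote: the obfuscation costs the legitimate reader more than it costs the harvester.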

More information about the NANOG mailing list