Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

Rich Kulawiec rsk at gsp.org
Wed Jan 23 08:45:42 UTC 2013


On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
> that   sort of abuse is likely need to be protected against
> via a captcha challenge as well,   

Once again: captchas have zero security value.  They either defend
(a) resources worth attacking or (b) resources not worth attacking.  If it's
(a) then they can and will be defeated as soon as someone chooses to
trouble themselves to do so.  If it's (b) then they're not worth the
effort to deploy.  See, for example:

	http://www.freedom-to-tinker.com/blog/ed-felten/2008/09/02/cheap-captcha-solving-changes-security-game
	http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
	http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
	http://cintruder.sourceforge.net/
	http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
	http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
	http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Now I'll grant that captchas aren't as miserably stupid as constructs
like "user at example dot com" [1] but they really are worthless the
moment they're confronted by even a modestly clueful/resourceful adversary.

---rsk

[1] Such constructs are based on the proposition that spammers capable
of writing and deploying sophisticated malware, operating enormous botnets,
maintaining massive address databases, etc., are somehow mysteriously
incapable of writing

	perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]*/@/g; print $_, "\n";'

and similar trivial bits of deobfuscation code.



More information about the NANOG mailing list