Hi All, I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn, Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).
I understand how recognition is easy for humans and hard for computer programs. Where is the leap made that CAPTCHA is a [sufficient?] security device to protect things like web accounts, email accounts, and blog comments?

It seems to me that a threat model in which bots (i.e., programs) are the only adversary is flawed. Would a security system that does not model a human attacker really qualify as a security system? Or is the system only adequate for low value targets, such as email accounts and blog comments? I'm kind of inclined to the latter.

The reason I ask is Wiseguy Tickets Inc and their gaming of Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy Tickets was indicted, and the indictment included an assertion, "[Wiseguy Tickets Inc] defeated online ticket vendors' security mechanisms" [2]. I'm not convinced CAPTCHA is a security system, and I definitely don't consider it a system to protect multi-million dollar assets.

Jeff

[1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
[2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography