Re: [cryptography] CAPTCHA as a Security System?
On 01/03/2012 04:08 AM, John Levine wrote:
> unusual, so if I were a scalper, I'd have a network of web proxies, to make
> it hard to tell that they're all me, a farm of human CAPTCHA breakers in
> Asia who cost maybe 5c per CAPTCHA, a large set of employees, friends, and
> relatives who will let me use their names and credit cards (for a small
> commission) and scripts that blast through Ticketmaster's web pages as fast
> as they can, so they can buy the tickets the moment they go on sale, before
> real humans can.

That's overstating the costs of captcha solving by several orders of
magnitude:

  $1.39 per 1000 captchas from http://www.deathbycaptcha.com/
  $0.7-$1 per 1000 captchas from http://antigate.com/
  $2 (in 2009) for 1000 captchas from http://www.decaptcher.com/ (defunct)
  $7 for 1000 captchas from http://www.decaptcher2.com/

This is just from their websites and forums, so I cannot vouch for the
quality of their service.

Thanks,
Marcus

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] CAPTCHA as a Security System?
On 01/03/12 06:54, Peter Gutmann wrote:
> lodewijk andré de la porte <lodewijka...@gmail.com> writes:
>> Our cozy Dutch supermarkets are trying self-checkout systems themselves.
>> They sometimes check carts with what's scanned. My dad's theory was that
>> people are so afraid to have forgotten that they'd most likely scan their
>> products multiple times more often than they forgot, and that relatively
>> few people steal anyway.
>
> The way it's done here, the checkout system knows the approximate weight
> of each item that you scan, and if you don't add an item of that weight
> to the

Which is a real pain when you buy plants just after they have been watered!

-- 
Darren J Moffat
[cryptography] CAPTCHA as a Security System?
Hi All,

I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn, Blum,
Hopper, and Langford (www.captcha.net/captcha_crypt.pdf). I understand how
recognition is easy for humans and hard for computer programs.

Where is the leap made that CAPTCHA is a [sufficient?] security device to
protect things like web accounts, email accounts, and blog comments? It
seems to me that a threat model in which bots (i.e., programs) are the only
adversary is flawed.

Would a security system that does not model a human attacker really qualify
as a security system? Or is the system only adequate for low value targets,
such as email accounts and blog comments? I'm kind of inclined to the
latter.

The reason I ask is Wiseguy Tickets Inc and their gaming of Ticketmaster's
CAPTCHA system to buy tickets [1]. Eventually, Wiseguy Tickets was indicted,
and the indictment included an assertion, "[Wiseguy Tickets Inc] defeated
online ticket vendors' security mechanisms" [2].

I'm not convinced CAPTCHA is a security system, and I definitely don't
consider it a system to protect multi-million dollar assets.

Jeff

[1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
[2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
Re: [cryptography] CAPTCHA as a Security System?
On 01/02/2012 06:58 PM, Jeffrey Walton wrote:
> I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn, Blum,
> Hopper, and Langford (www.captcha.net/captcha_crypt.pdf). I understand how
> recognition is easy for humans and hard for computer programs.

But is that really true? My personal experience with CAPTCHAs is that they
are increasingly hard to decipher for humans. Has the scale already tipped
over in favor of computer programs?

Computer programs today are limited by the attention of experts (programmers,
researchers). What does "hard for computer programs" actually mean then? Is
there a theoretical boundary that limits the abilities of computer programs
to recognize captchas, or is Ahn just exploiting a temporary lack of economic
incentive to realize the full capabilities of computer systems for these
kinds of problems?

IMO, the problems that computers are really (as opposed to currently) bad at
often turn out to be the problems that defy objective solutions. Many
reCAPTCHA (OCR) problems are ambiguous. If there is no objective solution to
a problem, how can performance be evaluated?

> Where is the leap made that CAPTCHA is a [sufficient?] security device to
> protect things like web accounts, email accounts, and blog comments? It
> seems to me that a threat model in which bots (i.e., programs) are the
> only adversary is flawed.

Luis von Ahn's favorite subject is human computation. A separation between
(the capabilities of) humans and computers is axiomatic to his research,
otherwise his whole subject would evaporate. There are two fundamental
assumptions made: First, there are problems that are hard for computers to
solve but easy for computers to generate. Second, the bad guys can muster
huge computational resources but few human resources.

The first assumption is, at least for the time being, a rejection of the
Church-Turing conjecture. The second assumption is an extrapolation of past
experiences into the future, and as such very optimistic/naive.

I don't know about any justification offered for either dogma. Ahn's PhD
thesis [1] is surprisingly void of a theoretical underpinning of his work;
in fact, it does not even contain the phrase "Church-Turing". It is also
completely void of any security analysis. You'd think that a PhD thesis
about human computation applied to security problems would at least contain
something on either, but if there is, I can't find it.

[1] http://www.scribd.com/doc/2533967/Human-Computation-PhD-Thesis-Luis-von-Ahn

Thanks,
Marcus
Re: [cryptography] CAPTCHA as a Security System?
On Mon, Jan 02, 2012 at 08:03:07PM +0100, Marcus Brinkmann wrote:
> Computer programs today are limited by the attention of experts
> (programmers, researchers). What does "hard for computer programs"
> actually mean then? Is there a theoretical boundary that limits the
> abilities of computer programs to recognize captchas, or is Ahn just
> exploiting a temporary lack of economic incentive to realize the full
> capabilities of computer systems for these kinds of problems?

That was a pretty explicit aspect to the whole proposal. It adds incentives
to solve supposedly difficult AI problems. (Or incentives to build very
efficient mechanical turk systems, which is of course what mostly happened
because that's cheaper and more reliable than funding AI research.)

Quoting from the paper:

  "Much like research in cryptography has had a positive impact on
  algorithms for factoring and discrete log, we hope that the use of hard
  AI problems for security purposes allows us to advance the field of
  Artificial Intelligence. We introduce two families of AI problems that
  can be used to construct captchas and we show that solutions to such
  problems can be used for steganographic communication. captchas based on
  these AI problem families, then, imply a win-win situation: either the
  problems remain unsolved and there is a way to differentiate humans from
  computers, or the problems are solved and there is a way to communicate
  covertly on some channels."

and

  "A primary goal of the captcha project is to serve as a challenge to the
  Artificial Intelligence community."

-Jack
Re: [cryptography] CAPTCHA as a Security System?
> The reason I ask is Wiseguy Tickets Inc and their gaming of Ticketmaster's
> CAPTCHA system to buy tickets [1]. Eventually, Wiseguy Tickets was
> indicted, and the indictment included an assertion, "[Wiseguy Tickets
> Inc] defeated online ticket vendors' security mechanisms" [2].
>
> I'm not convinced CAPTCHA is a security system, and I definitely don't
> consider it a system to protect multi-million dollar assets.

Law is not software. Ticketmaster's CAPTCHA is a security system in the sense
that it is obviously meant to keep out robo-purchasers. It doesn't matter
that CAPTCHAs are not impossible to defeat, it matters that any reasonable
person can understand what's going on.

To draw a rough analogy, if I'm arrested for breaking into your house, it is
not a defense that I couldn't have done it if you had a stronger lock on the
door.

R's,
John
Re: [cryptography] CAPTCHA as a Security System?
On 2012-01-02, Marcus Brinkmann wrote:
> My personal experience with CAPTCHAs is that they are increasingly hard to
> decipher for humans. Has the scale already tipped over in favor of
> computer programs?

On this one I'm not ready to take any sides, but I'd like to remind you, too,
that a given form of CAPTCHA, as in its success or failure, is not a measure
of how the overarching principle behind such validation can do at best.
Instead it's a measure of how well somebody out there was able to capture
the essence of the methodology. There, it's pretty much equivalent to how
well any single designer can capture the essence of biometrics (which by
extension include all of your cognitive, unusual computational capabilities
as well). Those things aren't being captured too well, as you can see from
the contrary, hacker side: http://cvdazzle.com/ .

> Computer programs today are limited by the attention of experts
> (programmers, researchers). What does "hard for computer programs"
> actually mean then?

Pretty much anything where Fourier-like methods don't apply, I think.

-- 
Sampo Syreeni, aka decoy - de...@iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
Re: [cryptography] CAPTCHA as a Security System?
> Would a security system that does not model a human attacker really
> qualify as a security system?

If it's man-controlled it certainly does, like a ballistic missile blocking
device is also security/safety. In real life security is also an analog kind
of thing. Something becomes more secure. Passwords (at any complexity) always
have a chance to be randomly guessed, yet they're security.

Bottom line: security is usually considered to be something of added safety.
The foolish thing here was to think it'd really help. Yet others will always
be so foolish as to misunderstand what CAPTCHAs mean and meant.
Re: [cryptography] CAPTCHA as a Security System?
I'd like to add to this conversation, as a side note, that a new type of
security has (fairly) recently emerged: legal security. It's illegal to break
in, so we don't need security.

Quite common in convenience stores, people's homes and now, the Internet.

Some will find that this sort of security sucks. That it doesn't protect them
very well. They won't care though, because even though the window was open,
no one should've entered.
Re: [cryptography] CAPTCHA as a Security System?
From: lodewijk andré de la porte <lodewijka...@gmail.com>

> I'd like to add to this conversation, as a side note, that a new type of
> security has (fairly) recently emerged: legal security. It's illegal to
> break in, so we don't need security.
>
> Quite common in convenience stores, people's homes and now, the Internet.
>
> Some will find that this sort of security sucks. That it doesn't protect
> them very well. They won't care though, because even though the window
> was open, no one should've entered.

My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
self-checkouts. Anyone so inclined could walk in, load up a cart, walk up to
a self-checkout, check maybe half the items in the cart, pay for them and
leave, with no one the wiser until the physical inventory didn't match up
with the computer inventory.

Wal*Mart is not stupid. They know full well that a certain percent of
shoppers will indeed walk out with a certain amount of goods, every day.
They have a very good idea of the dollar value of this shrinkage, and they
have decided that the shrinkage costs less than the eight or so dollars an
hour that it would cost to put clerks in place.
Re: [cryptography] CAPTCHA as a Security System?
> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
> self-checkouts. Anyone so inclined could walk in, load up a cart, walk up
> to a self-checkout, check maybe half the items in the cart, pay for them
> and leave, with no one the wiser until the physical inventory didn't
> match up with the computer inventory.
>
> Wal*Mart is not stupid. They know full well that a certain percent of
> shoppers will indeed walk out with a certain amount of goods, every day.
> They have a very good idea of the dollar value of this shrinkage, and
> they have decided that the shrinkage costs less than the eight or so
> dollars an hour that it would cost to put clerks in place.

Our cozy Dutch supermarkets are trying self-checkout systems themselves.
They sometimes check carts with what's scanned. My dad's theory was that
people are so afraid to have forgotten that they'd most likely scan their
products multiple times more often than they forgot, and that relatively few
people steal anyway.

The self-checkouts are also faster, and thus more convenient. Not to mention
more consistent, even on holidays they'll work. The vector on security is
getting thinner though. Although this is certainly connected to not needing
security, mostly due to legality. You seem to agree. Good.

Crypto list. Right. Sorry.
Re: [cryptography] CAPTCHA as a Security System?
On 3/01/12 09:06 AM, lodewijk andré de la porte wrote:
> I'd like to add to this conversation, as a side note, that a new type of
> security has (fairly) recently emerged: legal security. It's illegal to
> break in, so we don't need security.

Right. But it needs to be a break-in, not a trespass. So there needs to be a
security method to be broken -- no matter how weak.

From what I recall of this, there needs to be a reasonable notice and a
security system for the breaking of. This is why WAP, etc, works ... because
it is a security system, and even though it can be broken with a boltcutter,
it's illegal to break in. So the end result is that you can commit the crime,
and you'll leave your trails, and you'll be in jurisdiction.

> Quite common in convenience stores, people's homes and now, the Internet.
>
> Some will find that this sort of security sucks. That it doesn't protect
> them very well. They won't care though, because even though the window
> was open, no one should've entered.

It somewhat depends on who the attacker is. If they are law-abiding citizens
and they happen to be in the same jurisdiction, a legal mechanism works
reasonably well. Indeed, if one of them is true, it can help.

This also happens to align well with online banks which only permit transfers
inside the country. As the mule who receives the money has done so without
permission, she has participated in fraud and the money can be yanked right
back out again. (Never mind that she already sent the money to another
jurisdiction...)

The thing is, just because a security mechanism doesn't seem to translate to
technological space doesn't mean it doesn't have legs.

iang
Re: [cryptography] CAPTCHA as a Security System?
On Mon, Jan 2, 2012 at 4:25 PM, Randall Webmail <rv...@insightbb.com> wrote:
> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
> self-checkouts.
[...]
> Wal*Mart is not stupid. They know full well that a certain percent of
> shoppers will indeed walk out with a certain amount of goods, every day.

Yes, but this is not the same situation as with Ticketmaster. The equivalent
for Ticketmaster would be scalpers who go through the captcha many times, by
hand, *slowly*, and who adhere to per-person purchase limits or who make
minimal efforts to get a bit past such limits -- something Ticketmaster may
be willing to tolerate.

To do much better than slow down the scalpers Ticketmaster would have to
either do a lot of work (with payments system providers' help) to ensure that
payments are not anonymous and that there is one person per ticket purchase
for any one event, or else they'd have to auction off the tickets so as to
find the market price for them. I'm not sure as to the feasibility of the
former, particularly when Ticketmaster can probably get the law to help, but
I'd prefer the latter. (Perhaps because I'm not going to bother camping out
for bracelets and I can probably afford free market rates for the events I
want to attend!)

Nico
--
Re: [cryptography] CAPTCHA as a Security System?
Ticket sellers and scalpers have been fighting since long before there was
an Internet.

> To do much better than slow down the scalpers Ticketmaster would have to
> either do a lot of work (with payments system providers' help) to ensure
> that payments are not anonymous and that there is one person per ticket
> purchase for any one event

They already do that -- the only way to pay on their web site is with a
credit card, and you can't use the same card for a lot of purchases in a
row. I'm pretty sure you can't use another card with the same mailing
address, either.

> or else they'd have to auction off the tickets so as to find the market
> price for them.

For a variety of business reasons they usually don't want to do that, and
they don't want brokers to do it for them. Sports teams want it to be at
least somewhat possible for fans to get tickets. That's why they let people
wait in long lines, since that's correlated with fanly devotion rather than
wealth, and sends the message to the rest of the fans that if they were
equally devoted, they too could get tickets.

Ticketmaster wants to make it as easy as possible for individuals to buy
tickets, while making it as hard as possible for scalpers pretending to be
individuals, or individuals working for scalpers, to buy them. CAPTCHAs keep
out the less determined scalpers, but there is no reliable mechanical way to
tell a nice human from a nasty one.

Scalping can be very profitable, with markups of $100 per ticket not
unusual, so if I were a scalper, I'd have a network of web proxies, to make
it hard to tell that they're all me, a farm of human CAPTCHA breakers in
Asia who cost maybe 5c per CAPTCHA, a large set of employees, friends, and
relatives who will let me use their names and credit cards (for a small
commission) and scripts that blast through Ticketmaster's web pages as fast
as they can, so they can buy the tickets the moment they go on sale, before
real humans can.

At some point, since there aren't that many large scalping operations,
rather than playing an endless game of jumping through hoops and crypto cat
and mouse which will certainly have the side-effect of losing some legit
purchases, it is perfectly sensible to go after them legally. One of the
advantages of having a working legal system is so that we can live
reasonable lives with $20 locks on our doors, rather than all having to
spend thousands to armor all the doors and windows, like they do in some
other parts of the world.

R's,
John
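The per-card and same-mailing-address purchase caps John describes only work if two orders shipping to "12 Main Street, Apt 4" and "12 main st #4" are counted against the same address. The following is an added example, not from the thread and not Ticketmaster's code, of a limiter that canonicalises the address before counting; the caps, the abbreviation table, the processor card token and the sample orders are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed caps: orders one card token or one mailing address may place for
# a single event. Real vendors' thresholds are not public; these are illustrative.
MAX_ORDERS_PER_CARD = 2
MAX_ORDERS_PER_ADDRESS = 4

# Small, constructed abbreviation table for address canonicalisation.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "apartment": "apt", "road": "rd"}


@dataclass(frozen=True)
class Order:
    event_id: str
    card_token: str       # hypothetical processor-issued token, never the card number
    mailing_address: str


def normalize_address(addr: str) -> str:
    """Canonicalise a mailing address so trivial variants collide.

    Lower-cases, treats "#" as "apt", strips punctuation, collapses whitespace
    and expands common abbreviations, so "12 Main Street, Apt 4" and
    "12 main st #4" map to the same key. Constructed rule set, not a vendor's.
    """
    s = addr.lower().replace("#", " apt ")
    s = re.sub(r"[.,]", " ", s)
    words = [ABBREVIATIONS.get(w, w) for w in s.split()]
    return " ".join(words)


class PurchaseLimiter:
    """Counts orders per event and rejects those exceeding the card or address cap."""

    def __init__(self) -> None:
        self.by_card = defaultdict(int)     # (event_id, card_token) -> orders
        self.by_address = defaultdict(int)  # (event_id, address_key) -> orders

    def check(self, order: Order) -> tuple:
        """Return (accepted, reason); accepted orders are recorded against both keys."""
        card_key = (order.event_id, order.card_token)
        addr_key = (order.event_id, normalize_address(order.mailing_address))
        if self.by_card[card_key] >= MAX_ORDERS_PER_CARD:
            return False, "card limit"
        if self.by_address[addr_key] >= MAX_ORDERS_PER_ADDRESS:
            return False, "address limit"
        self.by_card[card_key] += 1
        self.by_address[addr_key] += 1
        return True, "ok"


def run_sample() -> list:
    """Constructed session: one buyer rotating cards that all ship to one address."""
    limiter = PurchaseLimiter()
    address_variants = [
        "12 Main Street, Apt 4",
        "12 main st apt 4",
        "12 MAIN ST., APARTMENT 4",
        "12 Main St #4",
        "12 Main Street Apt 4",
        "12 Main St Apt 4",
    ]
    results = []
    for i, addr in enumerate(address_variants):
        # a fresh card token per order, so only the address cap can trip
        results.append(limiter.check(Order("EVT-1", f"tok-{i}", addr)))
    return results


if __name__ == "__main__":
    for accepted, reason in run_sample():
        print(accepted, reason)
```

Without the canonicalisation step every one of the six variants would be a distinct address and all six orders would pass; with it, the fifth and sixth are refused.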
Re: [cryptography] CAPTCHA as a Security System?
On Mon, Jan 2, 2012 at 9:08 PM, John Levine <jo...@iecc.com> wrote:
> [...] One of the advantages of having a working legal system is so that
> we can live reasonable lives with $20 locks on our doors, rather than all
> having to spend thousands to armor all the doors and windows, like they
> do in some other parts of the world.

Indeed! I'm not sure that this translates so well to online security though,
where one must defend against attackers that the law can't reach. You make a
good case that it does translate well to the Ticketmaster case though.

Nico
--
Re: [cryptography] CAPTCHA as a Security System?
On Mon, 3 Jan 2012, John Levine wrote:
> Scalping can be very profitable, with markups of $100 per ticket not
> unusual, so if I were a scalper, I'd have a network of web proxies, to
> make it hard to tell that they're all me, a farm of human CAPTCHA
> breakers in Asia who cost maybe 5c per CAPTCHA, [...]

According to http://www.nytimes.com/2010/04/26/technology/26captcha.html?hpw
the going rate for paying humans to break CAPTCHAs is around $1 per 1000
CAPTCHAs, i.e., around 0.1 cent per CAPTCHA.

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam
Re: [cryptography] CAPTCHA as a Security System?
Randall Webmail <rv...@insightbb.com> writes:
> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
> self-checkouts. Anyone so inclined could walk in, load up a cart, walk up
> to a self-checkout, check maybe half the items in the cart, pay for them
> and leave, with no one the wiser until the physical inventory didn't
> match up with the computer inventory.

Don't they have minders that watch the self-checkouts? The way they're set up
here your chances of sneaking an item out are probably about as good as they
would be with a human-controlled checkout, and for anything more than one or
two small items there's not much chance. (The self-checkouts are arranged in
such a way that one or two people can supervise all of them; if they simply
replaced the human in each row with a barcode scanner then it wouldn't be so
easy.)

Peter.
Re: [cryptography] CAPTCHA as a Security System?
lodewijk andré de la porte <lodewijka...@gmail.com> writes:
> Our cozy Dutch supermarkets are trying self-checkout systems themselves.
> They sometimes check carts with what's scanned. My dad's theory was that
> people are so afraid to have forgotten that they'd most likely scan their
> products multiple times more often than they forgot, and that relatively
> few people steal anyway.

The way it's done here, the checkout system knows the approximate weight of
each item that you scan, and if you don't add an item of that weight to the
shopping next to the scanner, they complain. This acts as an auditing system
for the scanning; if you accidentally double-scan or accidentally miss a
scan they'll catch it.

Peter.
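The weight-based scan audit Peter describes, and Darren's complaint about freshly watered plants, as an added example that is not from the thread or from any real checkout vendor: constructed checkout sessions are replayed against a constructed catalogue with per-item weight tolerances, and the audit flags a double scan, an unscanned item, and a weight outside tolerance, while a loose tolerance lets the wet plant through.

```python
from dataclasses import dataclass

# Constructed catalogue: (expected weight in grams, allowed deviation). The
# tolerance is per item because some goods vary far more than packaged ones;
# a freshly watered pot plant is the case raised in this thread.
CATALOGUE = {
    "milk-1l": (1030, 30),
    "bread": (800, 50),
    "potplant": (600, 250),
}


@dataclass
class Event:
    kind: str      # "scan" (value = item code) or "scale" (value = bagging-area grams)
    value: object


def audit(events, catalogue=CATALOGUE):
    """Replay a self-checkout session and return the audit alerts it raises.

    Model: after each scan the bagging scale should rise by that item's weight,
    within tolerance, before the next scan. A scan with no matching weight
    change suggests a double scan (or an item never bagged); weight rising with
    nothing scanned suggests an unscanned item; a change outside tolerance is
    either a substituted item or a badly calibrated expectation.
    """
    alerts = []
    pending = None   # item scanned but not yet seen on the scale
    last_total = 0
    for ev in events:
        if ev.kind == "scan":
            if pending is not None:
                alerts.append(f"double scan or not bagged: {pending}")
            pending = ev.value
        elif ev.kind == "scale":
            delta = ev.value - last_total
            last_total = ev.value
            if pending is None:
                if delta != 0:
                    alerts.append(f"weight changed by {delta} g with no scan")
                continue
            if delta == 0:
                continue  # scale has not moved yet; shopper may still be bagging
            expected, tol = catalogue[pending]
            if abs(delta - expected) > tol:
                alerts.append(f"{pending}: expected {expected} +/- {tol} g, got {delta} g")
            pending = None
    if pending is not None:
        alerts.append(f"double scan or not bagged: {pending}")
    return alerts


# Constructed sessions exercising each path the audit can take.
SESSIONS = {
    "honest": [Event("scan", "milk-1l"), Event("scale", 1025),
               Event("scan", "bread"), Event("scale", 1810)],
    "double_scan": [Event("scan", "bread"), Event("scan", "bread"),
                    Event("scale", 800)],
    "missed_scan": [Event("scan", "milk-1l"), Event("scale", 1030),
                    Event("scale", 1830)],
    "watered_plant": [Event("scan", "potplant"), Event("scale", 820)],
    "wrong_item": [Event("scan", "bread"), Event("scale", 1500)],
}


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, audit(session) or "clean")
```

Tightening the plant's tolerance to that of the packaged goods turns the watered plant into a false alarm, which is exactly the trade-off Darren ran into.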
Re: [cryptography] CAPTCHA as a Security System?
From: Peter Gutmann <pgut...@cs.auckland.ac.nz>
To: cryptography@randombit.net, rv...@insightbb.com
Sent: Tue, 03 Jan 2012 01:51:26 -0500 (EST)
Subject: Re: [cryptography] CAPTCHA as a Security System?

> Randall Webmail <rv...@insightbb.com> writes:
>> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
>> self-checkouts.
>
> Don't they have minders that watch the self-checkouts? The way they're
> set up here your chances of sneaking an item out are probably about as
> good as they would be with a human-controlled checkout, and for anything
> more than one or two small items there's not much chance.

There is one girl (and it is always a girl) who is at the control center.
She comes to the checkout station to override the system when the shopper
scans beer. No one watches to see if you scan every item in your cart.

Most people don't steal, and it's cheaper for Wal*Mart to allow the thieves
to ply their trade than it is to put $8.00/hour girls in place to (mostly)
stop those who do.
Re: [cryptography] CAPTCHA as a Security System?
On Tue, Jan 03, 2012 at 01:57:10AM -0500, Randall Webmail wrote:
> There is one girl (and it is always a girl) who is at the control center.
> She comes to the checkout station to override the system when the shopper
> scans beer. No one watches to see if you scan every item in your cart.
>
> Most people don't steal, and it's cheaper for Wal*Mart to allow the
> thieves to ply their trade than it is to put $8.00/hour girls in place to
> (mostly) stop those who do.

You have more faith in human nature (or perhaps a considerably less
sophisticated understanding of the costs of inventory shrinkage) than
Walmart does. Look up.
Re: [cryptography] CAPTCHA as a Security System?
From: Thor Lancelot Simon <t...@panix.com>
To: Randall Webmail <rv...@insightbb.com>
Cc: Crypto List <cryptography@randombit.net>
Sent: Tue, 03 Jan 2012 01:58:46 -0500 (EST)
Subject: Re: [cryptography] CAPTCHA as a Security System?

> On Tue, Jan 03, 2012 at 01:57:10AM -0500, Randall Webmail wrote:
>> There is one girl (and it is always a girl) who is at the control
>> center. She comes to the checkout station to override the system when
>> the shopper scans beer. No one watches to see if you scan every item in
>> your cart.
>>
>> Most people don't steal, and it's cheaper for Wal*Mart to allow the
>> thieves to ply their trade than it is to put $8.00/hour girls in place
>> to (mostly) stop those who do.
>
> You have more faith in human nature (or perhaps a considerably less
> sophisticated understanding of the costs of inventory shrinkage) than
> Walmart does. Look up.

Yes, of course there are the black hemisphere cameras on the ceiling. They're
videotaping everything that goes on. The checkouts are thirty feet from the
exit doors. What are the odds that anyone is going to be watching the live
video AND that they will notice the shopper who does not scan the $30 ham AND
that they will alert security AND that security will intercept the shopper
before he leaves the store?

I don't know about Wal*Mart, but the policy in Rite Aid stores here
(Louisville, KY) is that people who are caught shoplifting are told not to
come back to Rite Aid. There is no prosecution - because it costs money to
send witnesses to court, and the only thing the court is going to do is fine
them and charge them court costs totaling around $200 - and tell them to stay
out of Rite Aid.