On 2016-05-29 12:29, Rich Kulawiec wrote:
> On Fri, May 27, 2016 at 11:07:44AM -0700, Jay Hennigan wrote:
>> CAPTCHA could potentially fix it, but that is sure to raise
>> objections as being too inconvenient for list operators playing the
>> numbers game.
>
> Captchas are also not a valid anti-abuse mechanism: they have been quite
> thoroughly beaten and are only used today by those who have failed to
> pay attention to adversarial progress over the last 10-15 years.
>
> Resources are either targets for abuse or they're not; adversaries are
> either competent and well-resourced or they're not.  In the case where
> resources *are* targets and adversaries *are* competent/well-resourced,
> they will defeat captcha mechanisms at will using either automated,
> manual, or hybrid techniques.  In the other three cases, captchas aren't
> necessary, either because the resource isn't being targeted, or adversaries
> aren't capable, or both.

This is downright silly; it's akin to saying that one shouldn't bother locking their front door because a trained locksmith can pick the lock.

Yes, a captcha can be beaten, as can literally every other security mechanism if one imagines a sufficiently competent and well-resourced adversary. Most adversaries are not both competent and well-resourced; why not raise the bar against the low-level dull roar of attacks that happen all the time?

Security is a system of layers, never a single perfect mechanism, and we're talking about mailing list subscriptions here, not missile launch codes; unless one's company depends on mailing lists, the overall resources available to combat a generally-minor problem will be equally minimal and a captcha will defeat the entirety of the types of adversaries which one can expect to encounter.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
