From: Thor Lancelot Simon
To: Randall Webmail
Cc: Crypto List
Sent: Tue, 03 Jan 2012 01:58:46 -0500 (EST)
Subject: Re: [cryptography] CAPTCHA as a Security System?
On Tue, Jan 03, 2012 at 01:57:10AM -0500, Randall Webmail wrote:
>
>> There is one girl (and it is always a girl) who is at the co
On Tue, Jan 03, 2012 at 01:57:10AM -0500, Randall Webmail wrote:
>
> There is one girl (and it is always a girl) who is at the control center.
> She comes to the checkout station to override the system when the shopper
> scans beer. No one watches to see if you scan every item in your cart.
From: Peter Gutmann
To: cryptography@randombit.net, rv...@insightbb.com
Sent: Tue, 03 Jan 2012 01:51:26 -0500 (EST)
Subject: Re: [cryptography] CAPTCHA as a Security System?
Randall Webmail writes:
>>My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
>>self-checkouts.
>Do
=?UTF-8?Q?lodewijk_andr=C3=A9_de_la_porte?= writes:
>Our cozy dutch supermarkets are trying self-checkout systems themselves. They
>sometimes check carts with what's scanned. My dad's theory was that people
>are so afraid to have forgotten that they'd most likely scan their products
>multiple tim
Randall Webmail writes:
>My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
>self-checkouts.
>
>Anyone so inclined could walk in, load up a cart, walk up to a self-checkout,
>check maybe half the items in the cart, pay for them and leave, with no one
>the wiser until the phy
On Mon, 3 Jan 2012, John Levine wrote:
> Scalping can be very profitable, with markups of $100 per ticket not
> unsusual, so if I were a scalper, I'd have a network of web proxies,
> to make it hard to tell that they're all me, a farm of human CAPTCHA
> breakers in Asia who cost maybe 5c per CAPTCH
On Mon, Jan 2, 2012 at 9:08 PM, John Levine wrote:
> [...]. One of the advantages of having a working legal system is so
> that we can live reasonable lives with $20 locks in our doors, rather
> than all having to spend thousands to armor all the doors and windows,
> like they do in some other
On Mon, Jan 02, 2012 at 09:40:36PM -0500, Jonathan Katz wrote:
> Say passwords are chosen uniformly from a space of size N. If you never
> change your password, then an adversary is guaranteed to guess your
> password in N attempts, and in expectation guesses your password in N/2
> attempts.
>
Ticket sellers and scalpers have been been fighting since long before
there was an Internet.
>To do much better than slow down the scalpers Ticketmaster would have
>to either do a lot of work (with payments system providers' help) to
>ensure that payments are not anonymous and that the there is on
On Mon, 2 Jan 2012, lodewijk andr?? de la porte wrote:
The reason for regular change is very good. It's that the low-intensity
brute forcing of a password requires a certain stretch of time. Put the
change interval low enough and you're safer from them.
We've had someone talk on-list about a si
On Mon, Jan 2, 2012 at 7:12 PM, Craig B Agricola wrote:
> On Sun, Jan 01, 2012 at 03:16:39AM -, John Levine wrote:
>> Where's this log? Wherever it is, it's on a system that also has their
>> actual password.
>>
>> If I wanted to reverse engineer passwords, this doesn't strike me as a
>> part
On Sun, Jan 01, 2012 at 03:16:39AM -, John Levine wrote:
> > Well, on more than a few occasions, I've observed cases
> >where users have accidentally entered their password into the
> >"username" field (either alone, or with the username preprended).
> >Of course, the login attempt fails and, m
On 2012/1/2 lodewijk andré de la porte :
> The reason for regular change is very good. It's that the low-intensity
> brute forcing of a password requires a certain stretch of time. Put the
> change interval low enough and you're safer from them.
This may make sense in specific cases, but in the ge
On Mon, Jan 2, 2012 at 4:25 PM, Randall Webmail wrote:
> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
> self-checkouts.
>
>[...]
> Wal*Mart is not stupid. They know full well that a certain percent of
> shoppers will indeed walk out with a certain amount of goods, ev
On 3/01/12 09:06 AM, lodewijk andré de la porte wrote:
I'd like to add to this conversation, as a side note, that a new type
of security has (fairly) recently emerged: legal security. "It's
illegal to break in, so we don't need security".
Right. But it needs to be a break in, not a trespass.
>
>
> My neighborhood Wal*Mart has pretty much eliminated cashiers in favor of
> self-checkouts.
>
> Anyone so inclined could walk in, load up a cart, walk up to a
> self-checkout, check maybe half the items in the cart, pay for them and
> leave, with no one the wiser until the physical inventory d
From: lodewijk andré de la porte
>I'd like to add to this conversation, as a side note, that a new type of
>security has (fairly) recently emerged: legal security. "It's >illegal to
>break in, so we don't need security". Quite common in convenience stores,
>people's homes and now, the Internet
The reason for regular change is very good. It's that the low-intensity
brute forcing of a password requires a certain stretch of time. Put the
change interval low enough and you're safer from them.
We've had someone talk on-list about a significant amount of failed remote
ssh login attempts. Shou
I'd like to add to this conversation, as a side note, that a new type of
security has (fairly) recently emerged: legal security. "It's illegal to
break in, so we don't need security". Quite common in convenience stores,
people's homes and now, the Internet. Some will find that this sort of
security
>
> Would a security system that does not model a human attacker really
> qualify as a security system?
>
If it's man-controlled it certainly does, like a ballistic missile blocking
device is also security/safety.
In real life security is also an "analog" kind of thing. Something becomes
"more se
On Mon, Jan 2, 2012 at 2:40 PM, Jeffrey Walton wrote:
> On Mon, Jan 2, 2012 at 2:44 PM, John Levine wrote:
>> Law is not software. Ticketmaster's CAPTCHA is a security system in
>> the sense that it is obviously meant to keep out robo-purchasers. It
>> doesn't matter that CAPTCHAs are not impos
On 2012-01-02, Marcus Brinkmann wrote:
My personal experience with CAPTCHAs is that they are increasingly
hard to decipher for humans. Has the scale already tipped over in
favor of computer programs?
On this one I'm not ready to take any sides, but I'd like to remind you,
too, that a given
On Mon, Jan 2, 2012 at 2:03 PM, Marcus Brinkmann
wrote:
> On 01/02/2012 06:58 PM, Jeffrey Walton wrote:
>> I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn,
>> Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).
>>
>> I understand how recognition is easy for humans a
On Mon, Jan 2, 2012 at 2:44 PM, John Levine wrote:
>>The reason I ask is Wiseguy Tickets Inc and their gaming of
>>Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy
>>Tickets was indicted, and the indictment included a an assertion,
>>"[Wiseguy Tickets Inc] defeated online tick
>The reason I ask is Wiseguy Tickets Inc and their gaming of
>Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy
>Tickets was indicted, and the indictment included a an assertion,
>"[Wiseguy Tickets Inc] defeated online ticket vendors' security
>mechanisms" [2]. I'm not convinced
On Mon, Jan 02, 2012 at 08:03:07PM +0100, Marcus Brinkmann wrote:
> Computer programs today are limited by attention of experts (programmers,
> researchers). What does "hard for computer programs" actually mean then? Is
> there a theoretical boundary that limits the abilities of computer program
On 01/02/2012 06:58 PM, Jeffrey Walton wrote:
> I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn,
> Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).
>
> I understand how recognition is easy for humans and hard for computer
> programs.
But is that really true?
My
Hi All,
I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn,
Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).
I understand how recognition is easy for humans and hard for computer
programs. Where is the leap made that CAPTCHA is a [sufficient?]
security device to pr
> Bernie Cosell writes:
>> On 31 Dec 2011 at 15:30, Steven Bellovin wrote:
>>> Yes, ideally people would have a separate, strong password, changed
>>> regularly for every site.
>>
>> This is the very question I was asking: *WHY* "changed regularly? What
>> threat/vulnerability is addressed by r
On 2 January 2012 03:01, ianG wrote:
>>> When I was a rough raw teenager doing this, I needed around 2 weeks to
>>> pick up 5 letters from someone typing like he was electrified. The other 3
>>> were crunched in 4 hours on a vax780.
>>
>> how many samples? (distinct shoulder surf events)
>
>
> Ab
30 matches
Mail list logo