nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 23 Jan 2013 03:45:42 -0500
On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
that sort of abuse is likely need to be protected against via a captcha challenge as well,
Once again: captchas have zero security value. They either defend (a) resources worth attacking or (b) resources not worth attacking. If it's (a) then they can and will be defeated as soon as someone chooses to trouble themselves to do so. If it's (b) then they're not worth the effort to deploy. See, for example:

	http://www.freedom-to-tinker.com/blog/ed-felten/2008/09/02/cheap-captcha-solving-changes-security-game
	http://www.physorg.com/news/2011-11-stanford-outsmart-captcha-codes.html
	http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
	http://cintruder.sourceforge.net/
	http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
	http://www.troyhunt.com/2012/01/breaking-captcha-with-automated-humans.html
	http://it.slashdot.org/article.pl?sid=08/10/14/1442213

Now I'll grant that captchas aren't as miserably stupid as constructs like "user at example dot com" [1] but they really are worthless the moment they're confronted by even a modestly clueful/resourceful adversary.

---rsk

[1] Such constructs are based on the proposition that spammers capable of writing and deploying sophisticated malware, operating enormous botnets, maintaining massive address databases, etc., are somehow mysteriously incapable of writing

	perl -pe 's/[ ]+dot[ ]+/./g; s/[ ]+at[ ]*/@/g; print $_, "\n";'

and similar trivial bits of deobfuscation code.