[cryptography] CAPTCHA as a Security System?
noloader at gmail.com
Mon Jan 2 12:58:15 EST 2012
I was reading "CAPTCHA: Using Hard AI Problems For Security" by Ahn,
Blum, Hopper, and Langford (www.captcha.net/captcha_crypt.pdf).
I understand how recognition is easy for humans and hard for computer
programs. Where is the leap made that CAPTCHA is a [sufficient?]
security device to protect things like web accounts, email accounts,
and blog comments? It seems to me that a threat model in which bots
(i.e., programs) are the only adversary is flawed.
Would a security system that does not model a human attacker really
qualify as a security system? Or is the system only adequate for low
value targets, such as email accounts and blog comments? I'm kind of
inclined to the latter.
The reason I ask is Wiseguy Tickets Inc and their gaming of
Ticketmaster's CAPTCHA system to buy tickets. Eventually, Wiseguy
Tickets was indicted, and the indictment included an assertion,
"[Wiseguy Tickets Inc] defeated online ticket vendors' security
mechanisms". I'm not convinced CAPTCHA is a security system, and I
definitely don't consider it a system to protect multi-million dollar