[cryptography] CAPTCHA as a Security System?

John Levine johnl at iecc.com
Mon Jan 2 14:44:05 EST 2012


>The reason I ask is Wiseguy Tickets Inc and their gaming of
>Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy
>Tickets was indicted, and the indictment included a an assertion,
>"[Wiseguy Tickets Inc] defeated online ticket vendors' security
>mechanisms" [2]. I'm not convinced CAPTCHA is a security system, and I
>definitely don't consider it a system to protect multi-million dollar
>assets.

Law is not software.  Ticketmaster's CAPTCHA is a security system in
the sense that it is obviously meant to keep out robo-purchasers.  It
doesn't matter that CAPTCHAs are not impossible to defeat, it matters
that any reasonable person can understand what's going on.

To draw a rough analogy, if I'm arrested for breaking into your house,
it is not a defense that I couldn't have done it if you had a stronger
lock on the door.

R's,
John




More information about the cryptography mailing list