[cryptography] CAPTCHA as a Security System?

Jeffrey Walton noloader at gmail.com
Mon Jan 2 15:40:53 EST 2012


On Mon, Jan 2, 2012 at 2:44 PM, John Levine <johnl at iecc.com> wrote:
>>The reason I ask is Wiseguy Tickets Inc and their gaming of
>>Ticketmaster's CAPTCHA system to buy tickets [1]. Eventually, Wiseguy
>>Tickets was indicted, and the indictment included an assertion,
>>"[Wiseguy Tickets Inc] defeated online ticket vendors' security
>>mechanisms" [2]. I'm not convinced CAPTCHA is a security system, and I
>>definitely don't consider it a system to protect multi-million dollar
>>assets.
>
> Law is not software.  Ticketmaster's CAPTCHA is a security system in
> the sense that it is obviously meant to keep out robo-purchasers.  It
> doesn't matter that CAPTCHAs are not impossible to defeat, it matters
> that any reasonable person can understand what's going on.
Perhaps this speaks volumes to incompetence. The Ticketmaster board
appears to have chronic and progressive credibility problems [1]. Why
would the senior leadership at Ticketmaster claim it's a security
system if it cannot protect anything? I imagine shareholders expect
better performance from the company's well compensated leaders (take a
look at the company's 10-K filings from
http://phx.corporate-ir.net/phoenix.zhtml?c=194146&p=irol-SECTicketmaster).

> To draw a rough analogy, if I'm arrested for breaking into your house,
> it is not a defense that I couldn't have done it if you had a stronger
> lock on the door.
Would it be my house, or closer to a public business like Home Depot
or Walmart? (with the 'gaming' being me and my family walking into a
public store and making separate purchases to avoid '1 item per
household' limits, even though my family had no interest in the
product).

The problem I see with Ticketmaster's position is they hung a public
service off a public internet, and then claimed foul after someone
[cleverly] used it. Perhaps Ticketmaster's terms of service forbid the
practice, in which case I would expect a civil action.

An unanswered question (for me): what's the Ticketmaster/US Attorney
General connection? Why did Wiseguys' actions elicit a PATRIOT Act
like response? Who went to law school with whom and where? It seems to
me US Attorney resources would be better used elsewhere (such as an
investigation of the economic terrorist across the river on Wall
Street).

Jeff

[1] http://www.dailyfinance.com/2011/01/27/ticketmaster-settlement-class-action-lawsuit-over-deceptive-fe/


