[cryptography] CAPTCHA as a Security System?

Nico Williams nico at cryptonector.com
Mon Jan 2 17:00:46 EST 2012

On Mon, Jan 2, 2012 at 2:40 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Mon, Jan 2, 2012 at 2:44 PM, John Levine <johnl at iecc.com> wrote:
>> Law is not software.  Ticketmaster's CAPTCHA is a security system in
>> the sense that it is obviously meant to keep out robo-purchasers.  It
>> doesn't matter that CAPTCHAs are not impossible to defeat, it matters
>> that any reasonable person can understand what's going on.
> [...]
>> To draw a rough analogy, if I'm arrested for breaking into your house,
>> it is not a defense that I couldn't have done it if you had a stronger
>> lock on the door.
> Would it be my house, or closer to a public business like Home Depot
> or Walmart? (with the 'gaming' being me and my family walking into a
> public store and making separate purchases to avoid '1 item per
> household' limits, even though my family had no interest in the
> product).

There's a non-trivial cost to the individual/business in implementing
good security measures.  There is a non-trivial cost to the people to
strengthen poor security measures through law enforcement.  The latter
is always necessary, but if individuals can lower the cost to the
people, shouldn't they be required to do so to some point and to some

Consider recent news articles about fire departments not battling
house fires whose owners/occupants did not pay fire department fees.
Couldn't the police and prosecutors do the same or a variation of the
concept?  I'm not referring here to immediate assistance, but to after
the fact activity, such as investigations and prosecutions.  I'm not
saying that this would be a good idea -I'm not sure yet either way-
but that the negative externalities of poor security measures are not
zero, and that we ought to try to quantify them and use those numbers
when setting public policy.

> The problem I see with Tciketmaster's position is they hung a public
> service off a public internet, and then claimed foul after someone
> [cleverly] used it. Perhaps Ticketmaster's terms of service forbid the
> practice, in which case I would expect a civil action.

Right.  Why should the people subsidize Ticketmaster by providing a
deterrent that makes up (?) for Ticketmaster's weak security systems?
Of course, I'm not sure that Ticketmaster had reason at the time to
think that their security system was weak, and that question is of
some importance.

> An unanswered question (for me): what's the Ticketmaster/US Attorney
> General connection? Why did Wiseguys' actions elicit a PATRIOT Act
> like response? Who went to law school with whom and where? It seems to
> me US Attorney resources would be better used elsewhere (such as an
> investigation of the economic terrorist across the river on Wall
> Street).

I wouldn't suspect any nefarious connections between Ticketmaster and
the DoJ, not yet.

Let's suppose that the cost of prosecution was high, but let's also
suppose that the deterrent effect of a successful prosecution is also
high, then the savings from future cases avoided may be high enough to
justify the action.  (Add in the benefit to the DoJ of using
otherwise-possibly-idle resources, and the benefit in terms of "power"
that accrues from even attempting to use the muscle of the State.)

On the other hand there is probably a very large, if hidden cost in
the form of weak security systems surviving much longer, which creates
weaknesses that might be exploited by those who can't be deterred by
criminal sanction (think social order breakdowns, foreign powers,


More information about the cryptography mailing list