[nycphp-talk] easily defeating captchas using automated image analysis

inforequest 1j0lkq002 at sneakemail.com
Wed Nov 3 08:20:49 EST 2004


Chris Shiflett shiflett-at-php.net |nyphp dev/internal group use| wrote:

>--- inforequest <1j0lkq002 at sneakemail.com> wrote:
>
>>There's a way to defeat the to-be-monikered-adult hack. Remind
>>the world that it is illegal to participate in a security hack,
>>and that participation via adultsite captcha completion is at
>>the very minimum "grounds for investigation".
>
>I don't see how this idea will work, because people have no idea that
>they're participating in any such thing. I can think of plenty of ways to
>word this:
>
>"In order to keep our competitors from harvesting our images, we ask that
>you please type in the word you see in the box below. Once you do this,
>we'll show you some pictures you don't want to miss!"
>
>In fact, I would hope that it would be impossible to prosecute someone who
>was tricked into providing this answer, because they literally have no way
>to know that the answer they're provided is going to be misused in any
>way.
>
>Chris
>

Yes, that's the "balance between privacy/anonymity" and enforcement of 
what is essentially voluntary compliance. The idea is of course that 
people first have to be made aware that participation is a crime. It has 
to be common knowledge first. It is not up to the adult site to tell 
you, it is up to society to say it is wrong, and that you *should* know 
better.

Approach a stranger on the street and offer to sell her a watch. Many, 
many people will turn away because they don't want to get caught up in 
anything illegal.

That's why a technology solution is so attractive. It seems to suggest 
the possibility of a Utopian solution.

"I would hope that it would be impossible to prosecute someone who was tricked into providing this answer, because they literally have no way to know that the answer they're provided is going to be misused in any way."

This happens every day and that's what due process is for. It is not at all impossible but thankfully we still have a system that ensures an opportunity to defend ourselves, make a case etc. Or do we? That's why the recent justice dept detentions sans representation were so important... the new behavior has widespread implications.

Why don't nosy neighbors try your door on occasion to see if it is 
unlocked? What if your door was in a dark place, out of view. How many 
would test it then, just to "take an innocent peek"?

Where I live in beautiful ****** many people don't carry keys and leave 
doors unlocked. When I lived in ******* I shopped for a steel door 
because wooden doors were commonly defeated in that area. Was it because 
all the "bad people" lived in ***** or because they had basically 
anonymous access to test my security system?

I am of the camp "port scanning is not a crime" yet clearly our 
society's rule-based approach to security (threat of enforcement) does 
not apply - port scanning with an intent to determine a way to break 
security is probably worthy of being called a crime. You can't prove 
intent. Can we afford to try to prove it?

I think any IT person with an interest in the higher aspects of security 
should volunteer to work in local government for a while. You can do 
a lot of good as an advisor and educator.

-=john andrews