WebApp Sec mailing list archives

Re: Defeating CAPTCHA


From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 26 Aug 2005 15:32:49 +1000

CAPTCHAs have two major problems:

a) high-value systems using CAPTCHAs are already defeated using trivial techniques:

* supply a CAPTCHA to adult websites' "day pass". Works every time. Defeated by a human

b) Legal accessibility in most countries, and *particularly* Australia

Legally, you must not disadvantage disabled users. This has been proven in court time and time again, such as the Sydney Olympics case.

http://www.contenu.nu/socog.html

So you *have* to have a secondary path, which is likely to be far more secure as it will typically involve thinking Turing machines (i.e. humans). However, what happens if you make it less secure? From a security path, if your disabled path is simpler than the primary path, the attacker wins. E.g. the "I am not a terrorist card":

http://www.schneier.com/crypto-gram-0403.html#10

CAPTCHAs are the wrong solution to a poorly articulated problem; we have to come up with something else. Personally, the reason we have CAPTCHAs (and honey nets, another pet hate of mine) is that we are far too lenient on the attackers.

The hierarchy of needs should be aimed at legitimate users, not attackers. Therefore, we need to target, remove and penalize attackers.

thanks,
Andrew
