
[Asrg] Re: 2. C/R - Exploits

2004-02-06 03:26:03

The point was about paying for puzzle solving with porn views.
I'm still unaware of the existence of an exploit or a good discussion of
the economics.

I'm not saying it's impossible, just currently in the realm of theory.


The original news article is here, you can probably contact the 
journalist and ask:

http://www.post-gazette.com/pg/03278/228349.stm


I've had helpful responses now from both Byron Spice (the author of the
article) and Luis von Ahn at CMU, and I'm happy to be able to introduce
some facts into the argument.

Luis was able to tell me this:
"The first mention that such an attack was possible comes from myself.
I thought of it at around early 2001 and told a few people about it. Some
time in 2002 I heard that one porn company was doing it for some time
against the Yahoo! CAPTCHA but that they had stopped. Ever since, all I
have heard is rumors that this happens, but I have not been able to see it
in real life."

Machine attacks are documented, for instance,
Greg Mori of UC Berkeley Computer Vision Group has some pages outlining a
method used to break Gimpy, the CAPTCHA used at Yahoo!
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html

There's a news article here:
http://www.siam.org/siamnews/11-02/gimpy.htm

I think the bottom line is that "easy" CAPTCHAs are likely to be vulnerable
to machine-based attacks. It's clearly possible that "hard" puzzles may be
susceptible to what Luis has called "Stealing Cycles from Humans" (or in
the case of the pay-with-porn approach, "buying cycles"), however, the
economics of this kind of attack have not been fully explored. We don't
have any firm evidence for an actual exploit "in the wild".

This is an issue for C/R schemes which assume that success solving an easy
puzzle assures us that there is a human "on the end". Getting a solution
for a hard puzzle might make us feel fairly secure, but the fact remains
that this input to our system is from an untrusted source, and can't be
relied on to establish trust beyond a certain level of confidence.


Regards,
Jon Kyme
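The two attack classes described above (a machine solver breaking an "easy" puzzle, and a "hard" puzzle relayed to humans who are paid in page views) can be modelled as a small protocol exchange. The following is an added example and not code from this thread or from the CMU or Berkeley work it cites; the gate, the puzzle encoding, the solver, the sender addresses and the per-solve price are all assumptions made for illustration. Its point is the one in the last paragraph: the gate's transcript for the relaying spammer is identical to the one for an honest sender, so a solved puzzle only tells the gate that some human solved it, not which one.

```python
"""Toy model of a challenge/response (C/R) gate and of the two attacks
discussed in the thread: machine solving of "easy" puzzles and relaying
"hard" puzzles to humans on another site ("stealing cycles from humans").

Added example, not code from the thread. The puzzle encoding, the solver,
the sender addresses and the price per solve are assumptions only.
"""
import itertools
import random
import secrets

ALPHABET = "abcdefghijkmnpqrstuvwxyz"


class ChallengeResponseGate:
    """Lets a message through once the sender returns the puzzle answer."""

    def __init__(self, hard, seed=0):
        self.hard = hard
        self.rng = random.Random(seed)
        self.pending = {}      # challenge_id -> (sender, expected answer)
        self.transcript = []   # (event, sender, challenge_id): all the gate sees

    def challenge(self, sender):
        cid = secrets.token_hex(4)
        word = "".join(self.rng.choice(ALPHABET) for _ in range(6))
        # Assumption: an "easy" puzzle is plain text; a "hard" one is tagged
        # as an image that only a human can read (distortion not modelled).
        puzzle = {"kind": "image" if self.hard else "text", "payload": word}
        self.pending[cid] = (sender, word)
        self.transcript.append(("challenge", sender, cid))
        return cid, puzzle

    def respond(self, sender, cid, answer):
        entry = self.pending.pop(cid, None)
        ok = entry is not None and entry[0] == sender and entry[1] == answer
        self.transcript.append(("accept" if ok else "reject", sender, cid))
        return ok


def machine_solver(puzzle):
    """Stand-in for a vision attack: reads plain text, fails on images."""
    return puzzle["payload"] if puzzle["kind"] == "text" else None


def human_solver(puzzle):
    """A person reads either kind of puzzle."""
    return puzzle["payload"]


class HonestSender:
    def __init__(self, address):
        self.address = address

    def send(self, gate):
        cid, puzzle = gate.challenge(self.address)
        return gate.respond(self.address, cid, human_solver(puzzle))


class RelaySpammer:
    """Tries the machine solver first; if that fails, hands the puzzle to
    the next visitor of its own site, paying `price_per_solve` in views."""

    def __init__(self, address, visitors, price_per_solve):
        self.address = address
        self.visitors = visitors          # unbounded supply of site visitors
        self.price_per_solve = price_per_solve
        self.cost = 0.0
        self.relayed = 0

    def send(self, gate):
        cid, puzzle = gate.challenge(self.address)
        answer = machine_solver(puzzle)
        if answer is None:
            next(self.visitors)            # a human on the other site...
            answer = human_solver(puzzle)  # ...solves it for the spammer
            self.cost += self.price_per_solve
            self.relayed += 1
        return gate.respond(self.address, cid, answer)


def events_for(gate, sender):
    """Sequence of event types the gate recorded for one sender."""
    return [ev for ev, who, _ in gate.transcript if who == sender]


def run(hard, messages=5, price_per_solve=1.0):
    """Send `messages` mails from an honest sender and from a spammer."""
    gate = ChallengeResponseGate(hard=hard)
    alice = HonestSender("alice@example.org")       # constructed address
    spammer = RelaySpammer("bulk@example.net",      # constructed address
                           itertools.count(), price_per_solve)
    alice_ok = all(alice.send(gate) for _ in range(messages))
    spam_ok = all(spammer.send(gate) for _ in range(messages))
    return {
        "alice_accepted": alice_ok,
        "spam_accepted": spam_ok,
        "relayed": spammer.relayed,
        "spammer_cost": spammer.cost,
        # Same challenge/accept sequence for both senders: the gate cannot
        # tell a relayed human solve from a direct one.
        "indistinguishable": events_for(gate, alice.address)
                             == events_for(gate, spammer.address),
    }


if __name__ == "__main__":
    for hard in (False, True):
        print("hard" if hard else "easy", run(hard))
```

With the easy puzzle the spammer never relays and pays nothing; with the hard one every message costs one paid solve, which is where the unexplored economics of the attack enter, but in both cases the gate accepts the spammer's mail on exactly the same transcript as the honest sender's.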

--

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg