ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-06-11 11:40:29
from [Peter J. Holzer] [Permanent Link] 
On 2005-06-11 05:02:12 -0400, der Mouse wrote:

Finally, C/R systems answer the question "was this mail sent by
somebody who cares enough about the mail to answer my challenge?"
which is a stronger version of question 1.


That's not what C/R systems answer.

C/R systems answer "has the entity who apparently sent this mail gotten
my challenge and answered it?".


"... and did I receive the answer?" Yes. Obviously. I should have
phrased that differently: C/R systems are designed to answer the
question ...
They fall a bit short of their design goal.


This differs from your phrasing in three important ways: (1) the
distinction between the entity which sent the mail and the entity which
apparently sent the mail;


I thought about mentioning this explicitely, but didn't: Somebody who
forges the sender address is obviously not interested in getting DSNs or
challenges.


(2) the assumption, or lack thereof, that challenge-answering, when it
occurs, is based on a level of caring about the mail getting through
(as opposed to, say, a desire to throw a monkey-wrench into the C/R
system - I've heard from people who deliberately answer challenges
resulting from mail they didn't send, to do that); and


While I don't doubt that there are people who do that I doubt that there
are enough of them to matter.


(3) the realization that a failure to answer may be
because the challenge was not delivered, because its recipient is
unable to answer it (eg, a blind man I know getting a vision-based
challenge), or the answer didn't make it back.


There are two subproblems here:

1) The challenge or the response may be lost in transit. True and mostly
   beyond the influence of the sender. This is where the implementations
   fall short of the design goal.

2) The ability to answer the challenge. This is mostly a question of
   effort. A blind man can ask a seeing person for help, if he thinks
   the message was worth the effort. If I receive a challenge in Tagalog
   I can hire a translator to translate it (and presumably also my
   answer). But that would have to be an exceptionally important
   message (and I probably wouldn't have sent it by mail in the first
   place). So the degree of caring necessary to answer the challenge
   will vary wildly between different senders, not only because of
   different abilities, but also because of different levels of
   aversion against C/R systems. But the phrase "cares enough to answer"
   covers that. (Of course that may mean that the design goal wasn't a
   particularly useful one in the first place)

        hp

-- 
   _  | Peter J. Holzer    | Ich sehe nun ein, dass Computer wenig
|_|_) | Sysadmin WSR       | geeignet sind, um sich was zu merken.
| |   | hjp(_at_)hjp(_dot_)at         |
__/   | http://www.hjp.at/ |    -- Holger Lembke in dan-am

Attachment: pgpqfQrG28Ypt.pgp
Description: PGP signature

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks., Peter J. Holzer
Next by Date:  [Asrg] New type of spam?, Reinhold Jordan
Previous by Thread:  [Asrg] Re: A CAPTCHA that automatically detects and neutralizes attacks., Frank Ellermann
Next by Thread:  Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks., John Levine
Indexes:  [Date] [Thread] [Top] [All Lists]