Saw this on the BBC web site and thought about this discussion:
http://www.bbc.co.uk/news/technology-21260007
Ticketmaster dumps 'hated' Captcha verification system
The world's largest online ticket retailer is to stop requiring users to
enter hard-to-read words in order to prove they are human.
Rich Kulawiec wrote:
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
However, as part of a defense in depth strategy, it can still make
sense.
Brother, you're preaching to the choir. I've argued for defense in depth
for longer than I can remember. Still am.
But defenses have
On 1/26/13, Michael Thomas m...@mtcc.com wrote:
Rich Kulawiec wrote:
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
However, as part of a defense in depth strategy, it can still make
sense.
But defenses have to be *meaningful* defenses. Captchas are a pretend
defense. They're
On 24 January 2013 23:38, Joe Greco jgr...@ns.sol.net wrote:
..
So, then, replace it with what, exactly? What if we all wake up
one morning to find that our computers have gained an IQ of 6000?
Will the computers be making jokes about as dumb as a human and
debating ways to identify if
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
However, as part of a defense in depth strategy, it can still make
sense.
Brother, you're preaching to the choir. I've argued for defense in depth
for longer than I can remember. Still am.
But defenses have to be *meaningful*
But defenses have to be *meaningful* defenses. Captchas are a pretend
defense. They're wishful thinking. They're faith-based security.
They're a hook-and-eye latch.
Now, if you want to go installing a bank vault door to keep your dog
in the backyard, by all means, be my guest. Me, I'm
On Wed, Jan 23, 2013 at 01:20:07PM +0100, . wrote:
CAPTCHAS are a defense in depth that reduce the number of spam
incidents to a number manageable by humans.
No, they do not. If you had actually bothered to read the links that
I provided, or simply to pay attention over the last several
On Wed, Jan 23, 2013 at 01:20:07PM +0100, . wrote:
CAPTCHAS are a defense in depth that reduce the number of spam
incidents to a number manageable by humans.
No, they do not. If you had actually bothered to read the links that
I provided, or simply to pay attention over the last several
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
A CAPTCHA doesn't need to be successful against every possible threat,
it merely needs to be effective against some types of threats. For
example, web pages that protect resources with a CAPTCHA are great at
making it much more
On Thu, Jan 24, 2013 at 11:00:50AM -0500, Andrew Sullivan wrote:
On Thu, Jan 24, 2013 at 09:50:15AM -0600, Joe Greco wrote:
A CAPTCHA doesn't need to be successful against every possible threat,
it merely needs to be effective against some types of threats. For
example, web pages that
Well, yes and no. Lately, AFAICT, most CAPTCHAs have been so
successfully attacked by wgetters that they're quite easy for machines
I wasn't aware that there was now a -breakCAPTCHA flag to wget.
The point I was making is that it's a defense against casual copying
of certain types of
--- On Thu, 1/24/13, Andrew Sullivan asulli...@dyn.com wrote:
Lately, AFAICT, most CAPTCHAs have
been so
successfully attacked by wgetters that they're quite easy
for machines
to break, but difficult for humans to use. For
example, I can testify
that I now fail about 25% of the
On Thu, Jan 24, 2013 at 5:48 AM, Rich Kulawiec r...@gsp.org wrote:
On Wed, Jan 23, 2013 at 01:20:07PM +0100, . wrote:
CAPTCHAS are a defense in depth that reduce the number of spam
incidents to a number manageable by humans.
No, they do not. If you had actually bothered to read the links
On 13-01-24 13:52, George Herbert wrote:
It's true that relying on the laziness of attackers is statistically
useful, but as soon as one becomes an interesting enough target that
the professionals aim, then professional grade tools (which waltz
through captchas more effectively than normal
On Thu, Jan 24, 2013 at 04:43:47PM -0500, Jean-Francois Mezei wrote:
It is better to have a tent with holes in the screen door than no screen
door. If the damaged screen door still prevents 90% of mosquitoes from
getting in, it does let you chase down and kill those that do get in.
I get this
To resort to plain language instead of overworked metaphor, the
problem with CAPTCHAs is that they're increasingly easier for
computers to solve than they are for humans. This is perverse,
because the whole reason they were introduced was that they were
_hard_ for computers but _easy_ for
On Thu, Jan 24, 2013 at 8:48 AM, Rich Kulawiec r...@gsp.org wrote:
(Yes, yes, I'm well aware that many people will claim that *their* captchas
work. They're wrong, of course: their captchas are just as worthless
as everyone else's. They simply haven't been competently attacked yet.
And
On 1/23/13, Rich Kulawiec r...@gsp.org wrote:
On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
Once again: captchas have zero security value. They either defend
(a) resources worth attacking or (b) resources not worth attacking. If
it's (a) then they can and will be defeated as
On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
that sort of abuse is likely to need to be protected against
via a captcha challenge as well,
Once again: captchas have zero security value. They either defend
(a) resources worth attacking or (b) resources not worth attacking. If
On 23 January 2013 09:45, Rich Kulawiec r...@gsp.org wrote:
On Mon, Jan 21, 2013 at 02:23:53AM -0600, Jimmy Hess wrote:
that sort of abuse is likely to need to be protected against
via a captcha challenge as well,
Once again: captchas have zero security value. They either defend
(a)
On Mon, 21 Jan 2013 23:23:16 -0500, Jean-Francois Mezei said:
This article may be of interest:
http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
Basically, a Montreal student, developing mobile software to interface
with the school's system found
On 1/21/13, Matt Palmer mpal...@hezmatt.org wrote:
Nonce on the server is a scalability hazard (as previously discussed). You
It's not really a scalability hazard. Not if its purpose is to
protect a data driven operation, or the sending of an e-mail; in
reality, that sort of abuse is
On 21 January 2013 07:19, Matt Palmer mpal...@hezmatt.org wrote:
...
If the form is submitted without the correct POST value, if their IP
address changed, or after too many seconds since the timestamp,
then redisplay the form to the user, with a request for them to
visually inspect and
On 21 January 2013 09:26, . oscar.vi...@gmail.com wrote:
On 21 January 2013 07:19, Matt Palmer mpal...@hezmatt.org wrote:
...
If the form is submitted without the correct POST value, if their IP
address changed, or after too many seconds since the timestamp,
then redisplay the form to the
--- jfmezei_na...@vaxination.ca wrote:
From: Jean-Francois Mezei jfmezei_na...@vaxination.ca
Either way, you still need to have either a cookie or a hidden form [...]
But ONLY when needing to do a transaction. As I originally mentioned
why
This article may be of interest:
http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
Basically, a Montreal student, developing mobile software to interface
with the school's system found a bug. Reported it. And when he tested to see
if the bug had been
On Sat, Jan 19, 2013 at 03:54:37PM -0800, George Herbert wrote:
On Jan 18, 2013, at 7:52 PM, Matt Palmer mpal...@hezmatt.org wrote:
On Fri, Jan 18, 2013 at 09:41:41AM +0100, . wrote:
On 17 January 2013 23:38, Matt Palmer mpal...@hezmatt.org wrote:
..
By the way, if anyone *does* know of
On Jan 20, 2013, at 11:51 AM, Matt Palmer mpal...@hezmatt.org wrote:
On Sat, Jan 19, 2013 at 03:54:37PM -0800, George Herbert wrote:
On Jan 18, 2013, at 7:52 PM, Matt Palmer mpal...@hezmatt.org wrote:
Storing any state server-side is a really bad idea for scalability and
reliability.
?
On Sat, Jan 19, 2013 at 06:33:33PM -0600, Jimmy Hess wrote:
On 1/18/13, Matt Palmer mpal...@hezmatt.org wrote:
Primarily abuse prevention. If I can get a few thousand people to do
something resource-heavy (or otherwise abusive, such as send an e-mail
somewhere) within a short period of
On 13-01-21 01:19, Matt Palmer wrote:
Things that require me to worry (more) about scalability are out, as are
things that annoy a larger percentage of my userbase than cookies (at least
with cookies, I can say you're not accepting cookies, please turn them on,
whereas with randomly
On Thu, Jan 17, 2013 at 02:55:59PM -0800, Scott Weeks wrote:
--- mpal...@hezmatt.org wrote: ---
From: Matt Palmer mpal...@hezmatt.org
[Cookies on stat.ripe.net]
On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
The cookie stays around for a YEAR (if I let it), and has the
On Fri, Jan 18, 2013 at 09:41:41AM +0100, . wrote:
On 17 January 2013 23:38, Matt Palmer mpal...@hezmatt.org wrote:
..
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know
On Jan 18, 2013, at 7:52 PM, Matt Palmer mpal...@hezmatt.org wrote:
On Fri, Jan 18, 2013 at 09:41:41AM +0100, . wrote:
On 17 January 2013 23:38, Matt Palmer mpal...@hezmatt.org wrote:
..
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for
On 1/18/13, Matt Palmer mpal...@hezmatt.org wrote:
Primarily abuse prevention. If I can get a few thousand people to do
something resource-heavy (or otherwise abusive, such as send an e-mail
somewhere) within a short period of time, I can conscript a whole army of
unwitting accomplices into
On 17 January 2013 23:38, Matt Palmer mpal...@hezmatt.org wrote:
..
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how. Ten minutes with Google hasn't provided any useful
On 1/16/13 8:36 PM, Shrdlu wrote:
On 1/16/2013 9:40 AM, john wrote:
I took a look at this site and unfortunately the use of cookies is very
ingrained into the code. Removing the requirement breaks all
functionality of www.ris.ripe.net and changing the functionality would
require a rewrite
[Cookies on stat.ripe.net]
On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
The cookie stays around for a YEAR (if I let it), and has the
following stuff:
Name: stat-csrftoken
Content: 7f12a95b8e274ab940287407a14fc348
[...]
To your credit, you only ask once, but you ought to ask
--- mpal...@hezmatt.org wrote: ---
From: Matt Palmer mpal...@hezmatt.org
[Cookies on stat.ripe.net]
On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
The cookie stays around for a YEAR (if I let it), and has the
following stuff:
CSRF protection is one of the few valid uses of a
On 1/16/2013 9:40 AM, john wrote:
I took a look at this site and unfortunately the use of cookies is very
ingrained into the code. Removing the requirement breaks all
functionality of www.ris.ripe.net and changing the functionality would
require a rewrite of the site.
Sooner or later, you'll