Re: sign up security:

They can also do this with those data strings in images.  The idea is to
slow them down because we cannot totally stop them yet.  There are
already tons of databases with questions around and there are many ways
of automating verification that would be accessible.  My favorite way
is a confirmation message that is auto generated.  This is an email
system after all.  I could understand if it was a secure site for, say,
making purchases.  There is where the real security is needed.  As soon
as you allow email into the mix, you have all sorts of problems anyway
because email can be broken in any number of ways.  I know they have not
done this with the intention of foiling us but they have been slow to
fix the problem when it is fixable.

----- Original Message -----
From: "Steve Carter" <steve@juggler.net>
To: "wai-ig list" <w3c-wai-ig@w3.org>
Sent: Tuesday, January 29, 2002 6:00 AM
Subject: Re: sign up security:


----- Original Message -----
From: "David Poehlman" <poehlman1@home.com>
To: "Steve Carter" <steve@juggler.net>; "wai-ig list"
<w3c-wai-ig@w3.org>
Sent: Monday, January 28, 2002 6:39 PM
Subject: Re: sign up security:


> the email function can be automated.

Although the process of creating and sending an email can be automated,
it is a hard problem to have a computer create a set of questions and
check the answers to confirm the answerer is a human.

AFAIK the way to do this would involve a huge database of questions and
answers, and then the problem is a simple one for the attacker to beat:
just load a machine with say 20 of the questions and their responses,
then repeatedly attack the service until you are asked one of those
questions.  Hey presto you are through.

A useful weapon against intruders is 'suspicion' and this is something
that humans are good at again.  So you need a human interviewer.

> Another area that is expensive to implement in a machine is world
> knowledge and inference.  The problem here is that it is a hard
> problem for a computer to be the interviewer as well as for a computer
> to be the interviewee.

> This is what makes the 'phone call' a compelling solution.  The test
> is administered by a human, but because the human is costly to run, it
> is only used in the minority of cases who cannot respond to the .png
> (say) or .wav formats.  The test is valid but again we have an issue
> with the medium because the phone requires hearing and speaking.  I
> suppose in that case an email exchange probably would be the most
> accessible means of administering the interview.

> The interview method of course requires a human operator for the
> website's end.  At this point I have no suggestions for an automated
> method.

Received on Tuesday, 29 January 2002 07:34:27 UTC