W3C home > Mailing lists > Public > w3c-wai-ig@w3.org > January to March 2002

Re: sign up security:

From: Kelly Ford <kelly@kellford.com>
Date: Tue, 29 Jan 2002 06:04:23 -0800
Message-ID: <006f01c1a8cd$dd8382b0$dca5f5d1@redmond.corp.microsoft.com>
To: "wai-ig list" <w3c-wai-ig@w3.org>
I once talked with someone at Yahoo about this issue.  Their concern about
the .wav solution was that someone could write a program to interpret the
audio and thereby defeat the purpose of the security.  The problem they were
trying to solve was people creating accounts automatically and then mass
spamming bulletin boards with advertising.  Taking the steps to eliminate
these accounts after they have been created is a lot more costly in terms of
the worker time involved.

To me the telephone call back solution, while not perfect, is a reasonable
compromise.  Where available the TDD relay system can be used for those
individuals who may be deaf and blind.  Perfect this solution is not.  But
what is a practical alternative if a site feels the need for this level of
security?  I'd love to hear ideas.


----- Original Message -----
From: "David Poehlman" <poehlman1@home.com>
To: "Steve Carter" <steve@juggler.net>; "wai-ig list" <w3c-wai-ig@w3.org>
Sent: Tuesday, January 29, 2002 4:34 AM
Subject: Re: sign up security:


> they can also do this with those data strings in images.  The idea is to
> slow them down because we cannot totally stop them yet.  There are
> already tons of databases with questions around and there are many ways
> of automating verification that would be accessible .  My favorite way
> is a confirmation message that is auto generated.  this is an email
> system after all.  I could understand if it was a secure site for say
> making purchases.  there is where the real security is needed.  as soon
> as you allow email into the mix, you have all sorts of problems anyway
> because email can be broken in any number of ways.  I know they have not
> done this with the intention of foiling us but they have been slow to
> fix the problem when it is fixable.
>
> ----- Original Message -----
> From: "Steve Carter" <steve@juggler.net>
> To: "wai-ig list" <w3c-wai-ig@w3.org>
> Sent: Tuesday, January 29, 2002 6:00 AM
> Subject: Re: sign up security:
>
>
> ----- Original Message -----
> From: "David Poehlman" <poehlman1@home.com>
> To: "Steve Carter" <steve@juggler.net>; "wai-ig list"
> <w3c-wai-ig@w3.org>
> Sent: Monday, January 28, 2002 6:39 PM
> Subject: Re: sign up security:
>
>
> > the email function can be automated.
>
> Although the process of creating and sending an email can be automated,
> it
> is a hard problem to have a computer create a set of questions and check
> the
> answers to confirm the answerer is a human.
>
> AFAIK the way to do this would involve a huge database of questions and
> answers, and then the problem is a simple one for the attacker to beat:
> just
> load a machine with say 20 of the questions and their responses, then
> repeatedly attack the service until you are asked one of those
> questions.
> Hey presto you are through.
>
> A useful weapon against intruders is 'suspicion' and this is something
> that
> humans are good at again.  So you need a human interviewer.
>
> > Another area that is expensive to implement in a machine is world
> > knowledge and inference.  The problem here is that it is a hard
> problem
> > for a computer to be the interviewer as well as for a computer to be
> the
> > interviewee.
>
> > This is what makes the 'phone call' a compelling solution.  The test
> is
> > administered by a human, but because the human is costly to run, it is
> > only used in the minority of cases who cannot respond to the .png
> (say) or
> > .wav  formats.  The test is valid but again we have an issue with the
> > medium because the phone requires hearing and speaking.  I suppose in
> > that case an email exchange probably would be the most accessible
> > means of administering the interview.
>
> > The interview method of course requires a human operator for the
> > website's end.  At this point I have no suggestions for an automated
> > method.
>
>
Received on Tuesday, 29 January 2002 09:06:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 19 July 2011 18:14:00 GMT