Re: sign up security:

----- Original Message -----
From: "David Poehlman" <poehlman1@home.com>
To: "Steve Carter" <steve@juggler.net>; "wai-ig list" <w3c-wai-ig@w3.org>
Sent: Monday, January 28, 2002 6:39 PM
Subject: Re: sign up security:


> the email function can be automated.

Although the process of creating and sending an email can be automated, it
is a hard problem to have a computer create a set of questions and check the
answers to confirm the answerer is a human.

AFAIK the way to do this would involve a huge database of questions and
answers, and then the problem is a simple one for the attacker to beat: just
load a machine with, say, 20 of the questions and their responses, then
repeatedly attack the service until you are asked one of those questions.
Hey presto, you are through.

A useful weapon against intruders is 'suspicion' and this is something that
humans are good at again.  So you need a human interviewer.

> Another area that is expensive to implement in a machine is world
> knowledge and inference.  The problem here is that it is a hard problem
> for a computer to be the interviewer as well as for a computer to be the
> interviewee.

> This is what makes the 'phone call' a compelling solution.  The test is
> administered by a human, but because the human is costly to run, it is
> only used in the minority of cases who cannot respond to the .png (say) or
> .wav formats.  The test is valid but again we have an issue with the
> medium because the phone requires hearing and speaking.  I suppose in
> that case an email exchange probably would be the most accessible
> means of administering the interview.

> The interview method of course requires a human operator for the
> website's end.  At this point I have no suggestions for an automated
> method.

Received on Tuesday, 29 January 2002 06:03:05 UTC