- From: David Poehlman <poehlman1@home.com>
- Date: Tue, 29 Jan 2002 07:34:24 -0500
- To: "Steve Carter" <steve@juggler.net>, "wai-ig list" <w3c-wai-ig@w3.org>
They can also do this with those data strings in images. The idea is to slow them down because we cannot totally stop them yet. There are already tons of databases with questions around and there are many ways of automating verification that would be accessible. My favorite way is a confirmation message that is auto generated. This is an email system after all. I could understand if it was a secure site for say making purchases. There is where the real security is needed. As soon as you allow email into the mix, you have all sorts of problems anyway because email can be broken in any number of ways. I know they have not done this with the intention of foiling us but they have been slow to fix the problem when it is fixable.

----- Original Message -----
From: "Steve Carter" <steve@juggler.net>
To: "wai-ig list" <w3c-wai-ig@w3.org>
Sent: Tuesday, January 29, 2002 6:00 AM
Subject: Re: sign up security:

----- Original Message -----
From: "David Poehlman" <poehlman1@home.com>
To: "Steve Carter" <steve@juggler.net>; "wai-ig list" <w3c-wai-ig@w3.org>
Sent: Monday, January 28, 2002 6:39 PM
Subject: Re: sign up security:

> the email function can be automated.

Although the process of creating and sending an email can be automated, it is a hard problem to have a computer create a set of questions and check the answers to confirm the answerer is a human. AFAIK the way to do this would involve a huge database of questions and answers, and then the problem is a simple one for the attacker to beat: just load a machine with say 20 of the questions and their responses, then repeatedly attack the service until you are asked one of those questions. Hey presto you are through. A useful weapon against intruders is 'suspicion' and this is something that humans are good at again. So you need a human interviewer.

> Another area that is expensive to implement in a machine is world
> knowledge and inference. The problem here is that it is a hard problem
> for a computer to be the interviewer as well as for a computer to be the
> interviewee.
> This is what makes the 'phone call' a compelling solution. The test is
> administered by a human, but because the human is costly to run, it is
> only used in the minority of cases who cannot respond to the .png (say) or
> .wav formats. The test is valid but again we have an issue with the
> medium because the phone requires hearing and speaking. I suppose in
> that case an email exchange probably would be the most accessible
> means of administering the interview.
> The interview method of course requires a human operator for the
> website's end. At this point I have no suggestions for an automated
> method.
Received on Tuesday, 29 January 2002 07:34:27 UTC