Archive for the ‘captcha’ Category

“Let none ignorant of geometry enter my door”

Wednesday, April 13th, 2011

The famous inscription at the entrance of Plato’s Academy “Μηδείς άγεωμέτρητος είσίτω μου τήν στέγην” (translated as “Let none ignorant of geometry enter my door”) could be considered the oldest admission requirement for a maths student; its modern digital counterpart could be this maths CAPTCHA:

http://nakedsecurity.sophos.com/2011/03/09/a-complicated-calculus-based-anti-spam-captcha/

On Facebook’s social authentication

Tuesday, February 15th, 2011

Recently Facebook added security controls to protect its users against unauthorised access:

http://blog.facebook.com/blog.php?post=486790652130

It was about time to employ SSL in order to protect the passwords, but the use of “social authentication” creates a false sense of security:

1. CAPTCHAs are supposed to distinguish between a machine and a human, not between a hacker and a human. Perhaps we should emphasize that hackers are human! Watch out Facebook, you will get Greenpeace on your tail, hackers are not animals :-p

2. The complexity of breaking the social CAPTCHA is linear, or at least it is definitely not exponential. Following point 1 above, a human hacker retains enough cognitive skill to gather enough information to “break” the challenge. Besides, the person’s characteristics, ethnic background, traits etc. form a side channel that helps eliminate some answers (for example, from the pictures below the person is less likely to be Nick Wilkerson, Tim Kuper or David Starling), so the probability distribution over the candidate names is not uniform.
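To put numbers on point 2, here is an added example (not part of the original post and not based on Facebook’s actual implementation) that estimates the effective strength of a knowledge-based challenge. It assumes a constructed challenge with six candidate names, a side channel that rules three of them out, and three challenges in a row; it compares the uniform-prior case with the side-channel case, and the “submit all answers at once” case (work grows with the product of the option counts) with the “answer each challenge on its own” case (work grows with the sum). The candidate names and counts are illustrative assumptions.

```python
import math
from itertools import product

# Constructed example: a "which friend is in this photo?" style challenge with
# six candidate names. Names and counts are assumed here for illustration and
# are not taken from Facebook's real challenge.
CANDIDATES = ["Alice", "Bob", "Carol", "Dave", "Erin", "Frank"]


def uniform_prior(candidates):
    """Prior of a guesser with no side information: every name equally likely."""
    n = len(candidates)
    return {c: 1.0 / n for c in candidates}


def side_channel_prior(candidates, ruled_out):
    """Prior after a side channel (visible traits, background, etc.) rules names out.

    The remaining probability mass is spread uniformly over the names still in play.
    """
    kept = [c for c in candidates if c not in ruled_out]
    return {c: (1.0 / len(kept) if c in kept else 0.0) for c in candidates}


def guessing_entropy(prior):
    """Expected number of guesses to hit the answer when guessing most likely first."""
    probs = sorted(prior.values(), reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(probs))


def shannon_entropy_bits(prior):
    """Uncertainty of a single challenge in bits (log2 of the option count when uniform)."""
    return -sum(p * math.log2(p) for p in prior.values() if p > 0)


def expected_guesses_joint(priors):
    """All k answers must be submitted together, with no per-challenge feedback.

    The joint distribution has prod(n_i) outcomes, so the work is exponential in k.
    """
    joint = []
    for combo in product(*[list(p.values()) for p in priors]):
        prob = 1.0
        for p in combo:
            prob *= p
        joint.append(prob)
    joint.sort(reverse=True)
    return sum((rank + 1) * p for rank, p in enumerate(joint))


def expected_guesses_sequential(priors):
    """Each challenge is resolved on its own, so the work is a sum: linear in k."""
    return sum(guessing_entropy(p) for p in priors)


if __name__ == "__main__":
    k = 3
    uniform = [uniform_prior(CANDIDATES)] * k
    informed = [side_channel_prior(CANDIDATES, {"Dave", "Erin", "Frank"})] * k
    for label, priors in (("uniform prior", uniform), ("side-channel prior", informed)):
        print(f"{label}: {shannon_entropy_bits(priors[0]):.2f} bits per challenge, "
              f"{guessing_entropy(priors[0]):.1f} expected guesses per challenge, "
              f"joint {expected_guesses_joint(priors):.1f} vs "
              f"sequential {expected_guesses_sequential(priors):.1f} for k={k}")
```

The comparison shows the two effects the post describes: resolving challenges one at a time turns a product into a sum (108.5 expected guesses down to 10.5 for three uniform six-way challenges), and a side channel that removes half the candidates shrinks the per-challenge guessing entropy further (from 3.5 to 2.0), so the effective margin of such a challenge is far below what the raw option count suggests.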


Copyright © 2017 Information Security and Incident Response Research Unit. All Rights Reserved.