Monday, 5 August 2013


Was reading the article at Slashdot
regarding "Captchas" and the campaign to kill them off. I support this in the
sense that it's darn annoying to be faced with captchas which defy the
ability for a human to read them. It has the right effect of hurting people
and not denying the bad guys.

Someone proposed some form of randomisation of the fields - but any
form of "this is clever" is met with "but this is simple(r)" to crack
by the bad guys.

If you randomize the field names, you have added zero complexity for a script
writer who just needs to parse the javascript to find the field names.
If you randomize the javascript, you have added a tiny amount of
complexity to parse the javascript and figure out the algorithm which
does the randomization of the javascript. This is "genetic" or "mutation"
programming - both of which have existed for many decades. Such mutations used to
be (still are?) used in fingerprinting executable code to detect who/how/where
the code was stolen from. (This is mostly non-existent these days -
encrypting code, as most apps are freely downloadable and either rely
on an app store approach to downloading or contact with a remote server
to approve the use/purchase).
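
The point about randomised field names can be checked against your own form. The following is an added example, not code from the original post: the sample markup, `FieldMapper` and `recover_roles` are all hypothetical, and it shows that the labels a human visitor needs are enough to tie every random name back to its purpose.

```python
from html.parser import HTMLParser

# Constructed sample: a comment form whose field names are random tokens
# regenerated per page load (hypothetical markup, not from any real site).
SAMPLE_FORM = """
<form method="post" action="/comment">
  <label for="a1">Your name</label> <input id="a1" type="text" name="f_9c2e71">
  <label for="a2">Email</label> <input id="a2" type="email" name="f_03bd5a">
  <label for="a3">Comment</label> <textarea id="a3" name="f_e47a10"></textarea>
  <input type="hidden" name="f_51c0de" value="tok">
</form>
"""

class FieldMapper(HTMLParser):
    """Collects what every client is sent: labels and the controls they name."""
    def __init__(self):
        super().__init__()
        self.labels = {}        # control id -> visible label text
        self.controls = []      # (id, kind, name) in document order
        self._label_for = None  # id targeted by the <label> being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._label_for = a.get("for")
            self.labels[self._label_for] = ""
        elif tag in ("input", "textarea", "select") and "name" in a:
            self.controls.append((a.get("id"), a.get("type", tag), a["name"]))

    def handle_data(self, data):
        if self._label_for is not None:
            self.labels[self._label_for] += data

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_for = None

def recover_roles(html):
    """Map each human-visible role to the randomised name sent with it."""
    parser = FieldMapper()
    parser.feed(html)
    roles = {}
    for cid, kind, name in parser.controls:
        # Unlabelled controls (e.g. hidden tokens) fall back to their type.
        role = parser.labels.get(cid, "").strip().lower() or f"<{kind}>"
        roles[role] = name
    return roles

if __name__ == "__main__":
    for role, name in recover_roles(SAMPLE_FORM).items():
        print(f"{role:10} -> {name}")
```

If the mapping comes back complete, the randomisation is hiding nothing that the page itself does not hand to every visitor.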

It's a hard problem to solve - if it was easy, it would be done. For
every "easy" solution the bad guys can get in. Conversely, if you make
it hugely difficult for the bad guys you have hurt the good guys too.

For example, "fingerprinting" was at one time considered the ideal
solution for securing devices. If you have watched many films, the
"sticky tape copy of a fingerprint" is used to fool the device. That
may not work in real life, but ... what is a fingerprint? To such a device
a fingerprint is an "image" which causes some internal number to be generated.
Generate the same "number" and you are in. So, now the problem distils into
not having a duplicate fingerprint, but having a fingerprint which is
isomorphic to the one you want. (I overly simplify and I may be wrong, but
that's the line of thinking). Even if I am wrong, and each fingerprint
is uniquely matched, what happens when you lose a finger in an accident?
You have lost access to the records stored in that system. (Hey! Not to
worry, since likely the records were stolen by an SQL injection attack
or XSS error anyhow!)

Here's a problem (and I don't have the answer): How do you hide an elephant in
your house? (This is the kind of problem which bad guys need to solve
all the time). (I can think of a few bad answers, but put a million
bucks under the elephant, and someone will find a way to move the
elephant and uncover your money).

Solving security problems whilst sitting on a sofa is soooo easy :-)
In real life...not so.
