Quick Security Alerts for the Week Ending 10/10/2010

TCLP 2010-08-08 News

This is news cast 221, an episode of The Command Line Podcast.

In the intro, my thanks to Mike for his donation, for which he has earned a merit badge. A final reminder: there will not be a feature cast this coming week, as I’ll be out in San Francisco for most of the week. Also, a quick review of George Mann’s “The Osiris Ritual”. I reviewed his first novel, “The Affinity Bridge”, earlier in the Summer.

This week’s security alerts are RFID tags that can be provably read at over 60 meters and an algorithmic attack on reCAPTCHA.

In this week’s news: an algorithm to improve the energy efficiency of mesh networks; concerns over a citizen vigilante group monitoring ISPs, though the group’s claims may be overstated; Google ends Wave development but is dedicated to learning from its failure, in this case probably a matter of complexity, since the project faltered despite adding more resources and opening up to more users; and unpacking what exactly went on between Google and Verizon, especially as they deny claims of an anti-neutrality pact (even on Twitter). Odds are good they are still meeting and talking to some end, which may be why the NYT is sticking to its story. Cringely has the most intriguing guess at their possible goal.

Following up this week, the EFF offers assistance to targets of the US Copyright Group and the FCC ends closed-door discussions on its net neutrality plan.

View the detailed show notes online. You can also grab the FLAC-encoded audio from the Internet Archive.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

Security Alerts for the Week Ending 7/4/2010

Google Acquires ReCAPTCHA

I have talked and written about CAPTCHAs repeatedly, initially in admiration of the elegance of the idea originally developed at CMU by Luis von Ahn. As time has marched on, though, many CAPTCHA implementations have fallen to the ever increasing power and sophistication of attackers. The cleverest of them have farmed out the breaking of CAPTCHAs to actual people, bypassing what ordinarily makes them so effective: puzzles that are computationally difficult for machines but relatively easy for humans to solve. A test that only distinguishes human from machine offers no defense once the attacker simply pays humans to take it.

Personally, I still think the core idea has permutations and a certain neatness and simplicity yet to be exhausted. Von Ahn would seem to agree, building on the defensive aspects of the CAPTCHA to come up with reCAPTCHA, a project that uses optical character recognition failures both as a puzzle to prove a user is human, not a bot, and to serve a public good. Each challenge pairs a word whose transcription is already known, which is what actually verifies the respondent, with a word the OCR software could not read; once enough people independently agree on the unknown word, their answer is accepted as its transcription. In this way, as reCAPTCHA’s challenges are solved and vetted, the results feed back into the OCR projects from which they originated, improving the digitization of texts more cheaply and effectively than other, more individually labor-intensive techniques.
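The two-word design described above, as an added example that is not reCAPTCHA’s own code: a toy service that pairs a control word with an unknown word, verifies only on the control, accumulates votes for the unknown word, and promotes it to a known transcription once enough respondents agree. The image ids, words and the three-vote threshold are constructed for illustration, and the single-use challenge token is an assumption about how such a service should behave, included to show why a failed control answer must also discard the unknown-word answer and why a harvested solution cannot simply be replayed.

```python
"""Toy model of reCAPTCHA's two-word challenge (added example, not reCAPTCHA's code).

A challenge shows two distorted words.  Only the *control* word, whose
transcription the service already knows, decides whether the respondent is
treated as human.  The answer for the *unknown* word (an OCR failure) is
recorded as a vote; once enough respondents who passed the control agree,
that answer becomes the accepted transcription fed back to digitization.
"""
from __future__ import annotations

import random
import secrets
from collections import Counter, defaultdict
from dataclasses import dataclass, field


def normalize(word: str) -> str:
    """Case- and whitespace-insensitive comparison, as a CAPTCHA must tolerate."""
    return word.strip().lower()


@dataclass
class ReCaptchaService:
    known_words: dict[str, str]        # image id -> transcription (constructed data)
    unknown_words: set[str]            # image ids the OCR failed on (constructed data)
    agreement_needed: int = 3          # assumed threshold before a vote is accepted
    challenges: dict[str, tuple[str, str]] = field(default_factory=dict)
    votes: dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))
    accepted: dict[str, str] = field(default_factory=dict)

    def new_challenge(self) -> tuple[str, list[str]]:
        """Issue a single-use token and two image ids in random order.

        The respondent cannot tell which image is the control, so guessing on
        the unknown word alone does not help.  If nothing is left to digitize,
        the second image is simply another known word.
        """
        token = secrets.token_hex(8)
        control = random.choice(list(self.known_words))
        if self.unknown_words:
            other = random.choice(sorted(self.unknown_words))
        else:
            other = random.choice([k for k in self.known_words if k != control])
        self.challenges[token] = (control, other)
        images = [control, other]
        random.shuffle(images)
        return token, images

    def verify(self, token: str, answers: dict[str, str]) -> bool:
        """Return True only if the control word matched; tokens are single-use."""
        pair = self.challenges.pop(token, None)
        if pair is None:
            return False  # unknown or replayed token
        control, other = pair
        if normalize(answers.get(control, "")) != normalize(self.known_words[control]):
            # Failed the control: treat as a bot and throw away the answer for
            # the unknown word so that failures never pollute the digitization.
            return False
        if other in self.unknown_words:
            self._record_vote(other, normalize(answers.get(other, "")))
        return True

    def _record_vote(self, unknown: str, transcription: str) -> None:
        """Count one human-vetted vote; promote the word once votes agree."""
        if not transcription:
            return
        self.votes[unknown][transcription] += 1
        word, count = self.votes[unknown].most_common(1)[0]
        if count >= self.agreement_needed:
            # The former OCR failure is now a known word and can itself serve
            # as a control word in later challenges.
            self.accepted[unknown] = word
            self.unknown_words.discard(unknown)
            self.known_words[unknown] = word


def simulate() -> dict:
    """Constructed scenario: one bot attempt, then three honest respondents."""
    service = ReCaptchaService(
        known_words={"img-known-1": "morning", "img-known-2": "upon"},
        unknown_words={"img-unknown-7"},
    )
    # What a human actually sees in each image (constructed ground truth; the
    # service itself does not know the unknown word's value).
    human_reading = {"img-known-1": "morning", "img-known-2": "upon",
                     "img-unknown-7": "osiris"}
    results = {"bot_passes": 0, "human_passes": 0, "replay_passes": 0}

    token, images = service.new_challenge()           # bot guesses blindly
    results["bot_passes"] += int(service.verify(token, {i: "xyzzy" for i in images}))

    for _ in range(3):                                # honest humans
        token, images = service.new_challenge()
        answers = {i: human_reading[i] for i in images}
        results["human_passes"] += int(service.verify(token, answers))
        results["replay_passes"] += int(service.verify(token, answers))  # replay

    results["accepted"] = dict(service.accepted)
    results["bot_vote_recorded"] = "xyzzy" in service.votes["img-unknown-7"]
    return results


if __name__ == "__main__":
    print(simulate())
```

The point the toy makes visible is that the unknown word contributes nothing to the human-or-bot decision; the control word carries all of the security, and the public-good side only receives answers from respondents who already passed it.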

Google has also invested considerably in CAPTCHA implementations, working feverishly to stay ahead of attackers. Given their beleaguered Books project, which at its core is a large-scale effort to digitize texts, it is hardly surprising to see news this past week that Google has acquired von Ahn’s commercial spin-off from the original academic reCAPTCHA project. According to the NYT, von Ahn has collaborated with Google before, on a similar crowd-sourced effort to supplement machine categorization of information, specifically the tagging of photos.

According to Ars Technica, reCAPTCHA hadn’t previously contributed to Google’s Books project, but the acquisition makes sense both for that project and to help continue evolving the defenses Google uses for its many services. Von Ahn will become a Google employee, no doubt working on both collective user efforts and creative security initiatives; hopefully some or all of his staff from reCAPTCHA will be joining him.

Lauren Weinstein does urge some caution around this otherwise optimistic union. He details his evaluation of reCAPTCHA for use with a forum he was setting up recently. His post has a good explanation of the data reCAPTCHA may be logging as participating sites and users make use of it: because the challenge widget is served from reCAPTCHA’s own servers, every site that embeds it hands those servers at minimum each visitor’s IP address and the address of the page being visited, across every participating site. The potential privacy risks here are pretty clear, and he unfortunately had some difficulty in discovering the project’s policies around how they treat this data.

So I was very surprised to discover that I could not find any reCAPTCHA privacy policy explaining to ordinary Web users displaying those pages, or interacting with the reCAPTCHA system, how that collected data would be handled from a privacy and data protection standpoint.

He thinks the acquisition is an opportunity, a critical one, for Google to remedy this situation. I think there is good evidence to believe that they will. This is an issue worth keeping an eye on, so that the new efforts of the reCAPTCHA folks at Google aren’t hobbled by arguments over the unintended consequences of moving their work to the search giant, where the risks of data retention and correlation are even greater.