- Security problems inherent in the smart grid, Scientific American
- Analyzing CAPTCHAs, Schneier on Security
- MySQL update addresses DoS vulnerability, The H
- Security updates for PostgreSQL, The H
- Reader, Acrobat patches plug 23 security holes, Krebs on Security
- Facebook, Twitter used in stock fraud schemes, ReadWriteWeb
- FCC may confront ISPs over botnets, malware, Krebs on Security
- Schneier on Stuxnet, Schneier on Security
- EU agency report on Stuxnet, The Register
- Foxit patches PDF software flaws, Zero Day
- Spammers use soft hyphen to hide malicious URLs, Slashdot
- Oracle update delivers 81 database security fixes, Zero Day
Tag: CAPTCHA
TCLP 2010-08-08 News
This is newscast 221, an episode of The Command Line Podcast.
In the intro, my thanks to Mike for his donation, for which he has earned a merit badge. A final reminder that there will not be a feature cast this coming week; I’ll be out in San Francisco for most of the week. Also, a quick review of George Mann’s “The Osiris Ritual”. I reviewed his first novel, “The Affinity Bridge”, earlier in the summer.
This week’s security alerts are RFIDs can be provably read at over 60 meters and an algorithmic attack on reCAPTCHA.
In this week’s news: an algorithm to improve the energy efficiency of mesh networks; concerns over a citizen vigilante group monitoring ISPs, though the group’s claims may be overstated; Google ends Wave development, though it is dedicated to learning from its failure, in this case probably from its complexity, despite adding more resources and opening up to more users; and unpacking what exactly went on between Google and Verizon, especially as they deny claims of an anti-neutrality pact (even on Twitter). Odds are good they are still meeting and talking to some end, which may be why the NYT is sticking to its story. Cringely has the most intriguing guess at their possible goal.
Following up this week, EFF offers assistance to targets of the US Copyright Group and the FCC ends closed door discussions on its net neutrality plan.
View the detailed show notes online. You can also grab the flac encoded audio from the Internet Archive.
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
Security Alerts for the Week Ending 7/4/2010
- Securing WordPress based on hard won, 1st hand experience
- New Twitter phishing attack
- New Microsoft Messenger has same security flaws as the old
- 22 million SSL certs in use are invalid
- Kraken botnet returns from the dustbin
- Adobe pushes out emergency fixes for Reader
- Qualitative differences in crypto and data usage
- White hat demonstrates Foursquare privacy hole capturing hundreds of thousands of logins
- Hack AT&T voice mail with Android
- Regular domains have more malware than porn sites
- Detection of suspicious logins extended to Google Apps
- Facebook apps must now seek user permission to access their data
- Replacing static CAPTCHAs with animation
- Top apps fail to utilize security features in Windows
- 50 arrested in spyware dragnet
- New Opera version includes malware protection
Google Acquires ReCAPTCHA
I have talked and written about CAPTCHAs repeatedly, initially in admiration of the elegance of the idea originally developed at CMU by Luis von Ahn. As time has marched on, though, many CAPTCHA implementations have fallen to the ever increasing power and sophistication of attackers. The cleverest of them have farmed out the breaking of CAPTCHAs to actual people, bypassing what ordinarily makes them so effective, that is, using puzzles that are computationally difficult but relatively easy for humans to solve.
Personally, I still think the core idea has permutations and a certain neatness and simplicity yet to be exhausted. Ahn would seem to agree, building on the defensive aspects of the CAPTCHA to come up with reCAPTCHA, a project that uses optical character recognition failures both as a puzzle to prove a user is human, not a bot, and to serve a public good. As reCAPTCHA’s challenges are solved and vetted, the results feed back into the OCR projects from which they originated, improving digitization of texts more cheaply and effectively than using other, more individually labor intensive techniques.
Google also has invested considerably in CAPTCHA implementations, working feverishly to stay ahead of attackers. With its beleaguered Books project, which at its core is a large scale effort to digitize texts, it is hardly surprising to see news this past week that Google has acquired Ahn’s commercial spin-off built around the original academic reCAPTCHA project. According to the NYT, Ahn has collaborated with Google before, on a similar crowd sourced effort to supplement machine categorization of information, specifically the tagging of photos.
According to Ars Technica, reCAPTCHA hadn’t previously contributed to Google’s Books project, but the acquisition makes sense both for that project and to help continue evolving the defenses Google uses for its many services. Ahn will become a Google employee, no doubt working on both collective user efforts and creative security initiatives; hopefully some or all of his staff from reCAPTCHA will be joining him.
Lauren Weinstein does urge some caution around this otherwise optimistic union. He details his evaluation of reCAPTCHA for use with a forum he was setting up recently. His post has a good explanation of the data possibly being logged by reCAPTCHA as participating sites and users make use of it. The potential privacy risks here are pretty clear, and he unfortunately had some difficulty in discovering the project’s policies around how it treats this data.
So I was very surprised to discover that I could not find any reCAPTCHA privacy policy explaining to ordinary Web users displaying those pages, or interacting with the reCAPTCHA system, how that collected data would be handled from a privacy and data protection standpoint.
He thinks the acquisition is an opportunity, a critical one, for Google to remedy this situation. I think there is good evidence to believe that they will. This is an issue worth keeping an eye on, so that the new efforts of the reCAPTCHA folks at Google aren’t hobbled by arguments over the unintended consequences of moving their work to the search giant, where the risks of data retention and correlation are even greater.