Is unusable the same as 'secure'? Why security is borked.

In this post, I will be using an edge-case to demonstrate a point. If you are uncomfortable with that, please stop reading.

Irony alert! This blog has a re-CAPTCHA system in the comments, also easily defeatable (thanks to the person who keeps proving it... now stop). I think this further illustrates the point, don't you?

I just failed the human test... what?!

You know "security" has lost its way when you try to perform an action and the validation piece to make sure you're human, the bit that is meant to keep the 'bots and scripts' out, isn't possible to complete.

Case in point, this screen capture:

[Image: Worst_reCaptcha_ever.JPG]

Wait ... is that ... hieroglyphics?! What language is that 2nd part? That looks like 3 stick figures to me, what about you?

I know, I'll click the little speaker, which should say the second part, and I'll just easily write it down ... right? Wrong. It's a robo-voice that is absolutely unintelligible... no clue what it said.

While I realize that this is just one example of really bad security, it made me stop and think. This is the direction we're headed in... the next time you say something like "users are just too stupid to understand our uber-good security" ...remember this because I asked on Twitter (a reasonable representation of smart people) and not one person had any clue what this was. I did get some hilarious responses though (shared at the end for comedic relief).

But seriously...

Before you start writing your reply about how this isn't the way all security is done, I already conceded that in the first sentence of this post ... I realize this is a crazy edge case. But think about how often you've encountered security measures that don't allow legitimate tasks to be performed because we've made it so gosh darn hard.

I'm sure if I clicked the refresh button enough (I clicked it 3 times, they were all ridiculously difficult to guess) I would find something in that 2nd part I could make out - but that's the point, isn't it? Why should I have to keep clicking refresh until I find something that's easy - isn't that what a bot or script would do? Does this conclusively prove this re-CAPTCHA has failed?

On a more general note, this is a trend many of us in the industry have talked about as a dangerous path to our own demise. In an effort to thwart the 'bad guys' we've escalated the path to more and more ridiculous work-arounds ...like this re-CAPTCHA for example. We're in effect accelerating our own demise. Every time a consumer or customer (dare I use the word, "user") sees something like this they get frustrated and curse "those security people" for making the system unusable. Some of the consumers of these increasingly ludicrous contraptions are simply walking away. I had a shopping cart here, and I got so frustrated I simply quit and went to a different site where I didn't have to guess at what appeared to be glyphs.

Security must be friendly

If you're still arguing that we need to 'force' security onto the user, you're probably someone who sees nothing wrong with getting a few of these and having to cycle until you find a readable one (or guessable one). You probably don't care that a good percentage of your consumers will simply give up and go elsewhere ...or if this is an enterprise application they'll simply find another way.

This is wrong, simply put.

Security needs to be simpler on the well-meaning human than we are making it. Oddly enough, Facebook's secondary validation system is really good at this... you've probably seen it once or twice because you are human and aren't trying to create a thousand accounts at once, or log into someone else's account. The notion that you need to 'challenge' everyone is silly in the vast majority of applications and will result in a rebellion of the consumer. In order to find that balance you need to inconvenience as few people as little as possible, and this means admitting that some baddies will slip through ...but that's within the 'tolerance'. By the way, your tolerance can't be 0.

Before I get that re-CAPTCHA which I have zero chance of getting right, I should have tripped some sort of 'sensor' that tells the system I'm likely not human. Maybe I fly through pages too fast. Maybe I drop into the application registration page without going through the landing page first. Maybe I simply add to cart, check out without registering from the same IP address more than once in 10 seconds ...you get the idea. Also, maybe we dump this insane re-CAPTCHA for something that a human has a chance of getting correct?
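One way to build the 'sensors' described above, as an added example that is not code from the original post: a small risk scorer that gates the CAPTCHA behind the signals named here (page speed, a skipped landing page, repeat unregistered checkouts from one IP) and lets everyone else through unchallenged. The thresholds, the `/register` and `/checkout` paths, and the session shape are assumptions.

```python
MIN_SECONDS_PER_PAGE = 1.5      # assumed: a faster page gap looks scripted
CHECKOUT_WINDOW_SECONDS = 10.0  # the 10-second window from the post
MAX_CHECKOUTS_PER_IP = 1        # assumed: more than one in the window trips


def risk_signals(session, now, checkouts_by_ip):
    """Return the signals a session trips; an empty list means 'looks human'.

    session: {'ip': str, 'registered': bool,
              'pages': [(timestamp_seconds, path), ...] in visit order}
    checkouts_by_ip: dict the caller keeps across sessions, mapping an IP
                     to timestamps of its recent unregistered checkouts.
    """
    signals = []
    pages = session["pages"]

    # Sensor 1: dropped straight into registration without the landing page.
    if pages and pages[0][1] == "/register":
        signals.append("skipped_landing_page")

    # Sensor 2: page-to-page gaps faster than a human reads.
    gaps = [later[0] - earlier[0] for earlier, later in zip(pages, pages[1:])]
    if gaps and min(gaps) < MIN_SECONDS_PER_PAGE:
        signals.append("page_speed")

    # Sensor 3: unregistered checkout from one IP more than once in the window.
    if not session["registered"] and pages and pages[-1][1] == "/checkout":
        recent = [t for t in checkouts_by_ip.get(session["ip"], [])
                  if now - t <= CHECKOUT_WINDOW_SECONDS]
        recent.append(now)
        checkouts_by_ip[session["ip"]] = recent
        if len(recent) > MAX_CHECKOUTS_PER_IP:
            signals.append("repeat_checkout_same_ip")

    return signals


def should_challenge(session, now, checkouts_by_ip):
    """Show the CAPTCHA only when at least one sensor fired."""
    return bool(risk_signals(session, now, checkouts_by_ip))


# Constructed sessions: a shopper browsing at human pace, and a script that
# drops straight into registration and races to checkout.
HUMAN = {"ip": "203.0.113.5", "registered": False,
         "pages": [(0.0, "/"), (8.0, "/product/42"), (20.0, "/cart"), (35.0, "/checkout")]}
SCRIPT = {"ip": "203.0.113.9", "registered": False,
          "pages": [(0.0, "/register"), (0.3, "/cart"), (0.6, "/checkout")]}
```

The human shopper trips no sensor and never sees the challenge; the script trips two on its first pass and a third when it returns from the same IP within the window.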

I have to wonder ... how many security walls like this are there out there that consumers/humans can't get through, but hackers and scripts/bots blow through no problem... way to go guys.

Yes, this is an edge case. I acknowledge that, most security isn't like this ... yet. Whether we keep pushing for more insanity like this is up to you the practitioner, designer and architect. Please stop the insanity ... please work very hard in 2013 to make sure your security is usable, and friendly.

Comments welcome! I especially want to hear from you if you have examples of insane security that's unusable and/or failing at 'security' goals.

Also ... this year I'm starting a new blog 'label' ... "relevant security" for those posts which just go to the heart of this matter. I hope to have several guest-posts on this topic!

-Some hilarious responses from Twitter friends-

[Image: hilarious_responses_re-CAPTCHA.gif]

Trolls will not be fed.

Comments
Vyrus001(anon) | 01-04-2013 03:11 PM

Frankly the entire argument of "if it can be beaten, just make it harder!" is counterproductive from both a technical AND governance / policy perspective. Every captcha system out there has been beaten at every level and there are tons of technical talks out there describing how (eg: http://www.dc949.org/projects/stiltwalker/). To use Stiltwalker as an example, Google issued a patch the hour before the talk was given, making it much harder to attack; it also made the audio portion of the service borderline impossible to use, thus making the failure rate so high that the automated attack numbers are almost guaranteed to match the human failure rate. The simple truth is, the higher your human failure rate, the less effective your captcha is, because every human failure counts as a point of data where your application failed to tell the difference between a computer and a human.

screamingbyte(anon) | 01-04-2013 07:43 PM

When I first saw this kind of "security" being implemented, I thought it would be a good solution. Now, not so much. I believe that determining the difference between human and computer lies more in an interactive system. For example, a simple graphical applet that requires the user to interact with it in some random way (I suppose much like solving a mini-game) would probably be an excellent replacement. The problem is that technology continues to increase exponentially in half the amount of time. So, the implementations we used just 5 years ago are often useless. I imagine that just about any application which is used to check for a human user will only be relevant for a certain amount of time as technology and software continues to become more complex. Just as it is accepted in Enterprise Architecture, agility is also just as critical in security.

The fact that CAPTCHA is easily defeated signals that it is time to find something else. I harp on this all the time, but I can't seem to write it enough... the availability criteria of the CIA Triad cannot be brushed aside and still expect an implement to perform the job adequately. If it's too hard for a human to solve, the tech has evolved and it's time to switch to a different method of verification. I think this is a great place to begin implementing multi-factor verification, much as multi-factor authentication is a must have in our networks today.

Pattern_Juggled(anon) | 01-11-2013 03:37 AM

I've rolled out a rather long-ish reply to this post, and thus took the liberty of burning bits on our machine rather than doing so here. The response can be found here (full link raw: http://www.denspace.org/viewtopic.php?f=8&t=14&p=155#p155).

Cheers,

- Pt_jD | http://cryptocloud.ca
