Kittens and security

I’ve mentioned before how information security folks seem to always prefer cats to dogs. Now Microsoft has announced an authentication system that relies on human ability to differentiate the two better than computers:

But the truth about cats and dogs is that humans are much better than computer programs at telling them apart. Scientists at Microsoft Research developed a program that capitalizes on this ability. Twelve photographs of cats and dogs pop up on the screen, and users have to identify the cats (“You’re a human!”) or they won’t be allowed to proceed. On the Cal Poly site, this takes about 10 seconds.

This does not seem immune from farming attacks. In other words, attackers can forward the images to human “mules” and pay them a nominal fee to guess the correct answer and send back the results. So instead of using computer automation to reduce the cost of the attack, they find cheap human laborers, often unwitting ones — the next time you have to answer an authentication test, ask yourself if you really know where the results are going.

The free program was rolled out two months ago, and several institutions are experimenting with it. A bonus for animal lovers: The photos come from a database of more than 2 million animals held by the adoption service Petfinder.com, and each one comes with a link that can lead you to adopt the pet.

It really does not seem new to me at all, especially given that there are already (relay) attacks in the wild that can defeat it. Perhaps the novelty is in this mix of advertising/public message and authentication.

I couldn’t help but notice that Microsoft attempts to side-step this vulnerability by simply re-defining security terms to their liking.

A HIP is considered insecure if there is a way for an automated script to collect a large number of tickets without the commensurate human effort. Note that this definition also disqualifies attacks against a HIP that require computational effort as expensive as paying a human to solve the HIP manually.

Wow. You are no longer insecure if you just change the definition of the word. Perhaps Vista is secure now too because the definition of insecurity disqualifies “expensive” (as determined by Microsoft) attacks against it?

If they meant to say that human relay attacks are unable to defeat the system because of cost, then that is what they should have said and then they should have been able to test/prove the point (or at least defend it).

For example, let’s say I set up a fake adoption agency and advertise to unwitting folks who want to see the cute pets and maybe look for one to adopt from my web-site. You look for cats for free, I get authentication data. The good-intentioned “moral imperative” of the concept suddenly becomes its Achilles heel — it reduces the cost of attack, right?

Ooops.

More suspect information is hidden in the code. If you go to the Microsoft demo site and read the page source, you will find this warning:

// Note to anyone reading this code — this page, of course, is doing
// client-side validation, which is not secure. To implement a secure
// service, a server-side validation component is required. For an example,
// see http://www.asirra.com/examples/ExampleService.html.

Sounds like “Warning, this is not secure, but we’re hiding the warning because we want to give the impression of something secure to generate interest.”
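
A sketch of the server-side validation that comment refers to, next to the client-trusting check it warns about. This is an added example, not code from the demo page or from Asirra; every function and field name is hypothetical, and the in-memory maps stand in for server-side storage.

```javascript
// Added example: hypothetical names, not Asirra's API.
const crypto = require("crypto");

const challenges = new Map(); // challenge id -> Set of cat image indices (never sent to client)
const tickets = new Map();    // ticket -> expiry timestamp in ms (never sent to client)
const TICKET_TTL_MS = 60000;

// Issue a challenge. Only the id leaves the server; the answer stays here.
function issueChallenge(catIndices) {
  const id = crypto.randomBytes(16).toString("hex");
  challenges.set(id, new Set(catIndices));
  return { id };
}

// Score a submission on the server. A challenge is single-use: it is
// deleted on the first attempt, pass or fail, so answers cannot be guessed
// repeatedly against the same set of images.
function solveChallenge(id, selectedIndices) {
  const cats = challenges.get(id);
  if (!cats) return null;
  challenges.delete(id);
  const picked = new Set(selectedIndices);
  const ok = picked.size === cats.size && [...picked].every((i) => cats.has(i));
  if (!ok) return null;
  const ticket = crypto.randomBytes(16).toString("hex");
  tickets.set(ticket, Date.now() + TICKET_TTL_MS);
  return ticket;
}

// WEAK: the result was computed in the browser, so the server is trusting
// a value the client is free to set itself.
function signupTrustingClient(form) {
  return form.captchaPassed === true;
}

// HARDENED: accept only a ticket this server issued, not yet expired,
// and redeem it exactly once so it cannot be replayed.
function signupWithTicket(form, now = Date.now()) {
  const expiry = tickets.get(form.ticket);
  if (expiry === undefined) return false;
  tickets.delete(form.ticket);
  return now <= expiry;
}
```

Server-side validation only closes the forged-result gap: a ticket earned by a relayed human solve is still a valid ticket, which is the farming problem described earlier.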

Wonder if Microsoft is planning to track use through their web service and/or take a cut of the adoption fees. I smell a rat.
