Last night I dreamt I was starting school at a new university, and as my "whimsy sport of the year" I was trying out for cheerleading. (Yikes, I know.) The cheerleading tryouts involved a week of putting on the intolerably girly/revealing cheerleading uniforms and then swimming laps for hours. It was weird. And when I went home at the end of the day, an old boyfriend was there and didn't understand when I tried to explain that it's the future now, and I have a new boyfriend. Weird.
Last week, I dreamt I was wading in a creekbed, trying to catch tiny fish with my bare hands. My cousins, parents, and some grandparents were there. We were very hungry, but we couldn't catch any fish because they were too fast. We needed tools, and we had none. A little bit upstream, some restaurant employees had big ceramic tools and were catching fish by the barrel-full.
The night before, I was invited to cook dinner for President Obama, but when he arrived he said he wasn't hungry. He said it really politely, but I could tell that he just didn't like my food.
Although the dreams are interesting, let's hope that this hot weather breaks and I can go back to my usual OCD dreams: travelling through a maze, visualizing air currents around a launching space shuttle, etc.
This post's theme word: stenotopic, "able to adapt to only a small range of environmental conditions."
Monday, September 7, 2009
VK couple's testing -- insecure protocol!
Friday's XKCD comic dealt with the question "How can I tell if my internet relationship is real, or just a chatbot?"
The VK couple's testing page was realized and announced in a follow-up blog post. As I understand it, you and your significant other go to this website. At the top, there's a [presumably unique] test ID. At the bottom, there's a "partner's link." So you send your partner the link, you each reveal the letters/numbers you see, and you are each reassured of the other's non-bot status.
But here's the problem. If the bot is chatting with "thousands of connections at once," then it can just forward your link to one of those other people, have them read it, and pass the answer back to you. This breaks the security of the system: no matter how you set the page up, one party has to send a link to the other, and a link can be forwarded. The test only proves that *someone* who received the link is human, not that the someone is the person you're chatting with. A chatbot sitting between two real people can relay the link one way and the answer the other way, borrowing their humanity to pass as a "real person" itself.
VK couple's testing is interesting, but needs a more secure protocol.
[Update: I browsed the comments of the blog post, and many people pointed out the same vulnerability. One suggested fix for this hole is to have the form require the names of both parties, a "signature" of sorts. This reduces the likelihood of failure, but since names are not unique, the bot can still mount the relay by choosing the names it chats under so that the names printed on the page match what each human expects: it calls itself by the helper's name when talking to you, and by your name when talking to the helper, and the helper sees nothing wrong. Likewise, timestamped (or quickly expiring) tests make it harder, since the bot must find a willing helper before the test goes stale, but not impossible, to break the protocol.]
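To make the relay concrete, here is a small simulation of the protocol as described above and of both the plain attack and the name "signature" variant from the update. This is an added example written for this post; it is not the VK couple's testing page's own code, and the server, the `Human` and `RelayBot` classes, and the names (alice, bob, carol, dave) are all constructed for illustration. The server model assumes the initiator's page shows which code the partner's link should display, so the initiator can check what the partner reports.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the couple's-test protocol (an assumption for this
# example, not the real page's implementation).

@dataclass
class CoupleTest:
    test_id: str
    partner_code: str              # letters/numbers shown to whoever opens the partner's link
    names: Optional[tuple] = None  # (initiator, partner) names in the "signature" variant


class CoupleTestServer:
    def __init__(self):
        self.tests = {}

    def start_test(self, names=None):
        # Initiator gets a unique test ID; their page also shows the code the partner should see.
        t = CoupleTest(secrets.token_hex(4), secrets.token_hex(3).upper(), names)
        self.tests[t.test_id] = t
        return t

    def open_partner_link(self, test_id):
        # Anyone holding the link sees the partner code (and the names, if the form recorded them).
        t = self.tests[test_id]
        return t.partner_code, t.names


@dataclass
class Human:
    name: str

    def read_partner_link(self, server, test_id, believed_partner):
        """Open a link a chat partner sent and report what it says.

        In the "signature" variant a careful human refuses when the names on the
        page do not match who they believe they are talking to.
        """
        code, names = server.open_partner_link(test_id)
        if names is not None and set(names) != {self.name, believed_partner}:
            return None
        return code


class RelayBot:
    """Cannot read the page itself, but chats with many humans and can forward links.

    `personas` maps a human's name to the name the bot uses when talking to that human.
    """

    def __init__(self, server, personas):
        self.server = server
        self.personas = personas

    def answer_test(self, test_id, helper: Human):
        # Forward the victim's link to another real person; relay back whatever they read.
        return helper.read_partner_link(self.server, test_id, self.personas[helper.name])


def run_scenario(use_names, bot_personas):
    """Return True if the victim (alice) ends up accepting the bot as a real person."""
    server = CoupleTestServer()
    carol = Human("carol")                      # another real person the bot is chatting with
    bot = RelayBot(server, bot_personas)
    # Alice starts the test; in the signature variant she types her own name and
    # the name her chat partner (the bot) has been using.
    names = ("alice", bot_personas["alice"]) if use_names else None
    test = server.start_test(names)
    # Alice sends the partner's link to the bot, which gets Carol to solve it.
    reported = bot.answer_test(test.test_id, carol)
    # Alice accepts her partner as human iff the reported code matches the partner page.
    return reported == test.partner_code


def demo():
    """Three runs: plain protocol, name signature with mismatched personas,
    and name signature with the bot impersonating each human to the other."""
    plain = run_scenario(False, {"alice": "bob", "carol": "dave"})
    signed_naive = run_scenario(True, {"alice": "bob", "carol": "dave"})
    signed_mimic = run_scenario(True, {"alice": "carol", "carol": "alice"})
    return plain, signed_naive, signed_mimic


if __name__ == "__main__":
    print("bot passes (plain, signed/naive, signed/mimic):", demo())
```

The first run passes because nothing ties the link to the conversation it came from. The second fails only because Carol notices that "alice & bob" is not her and the "dave" she thinks she's talking to. The third passes again: the bot simply calls itself "carol" to Alice and "alice" to Carol, so the names on the page look right to both humans, which is exactly why a non-unique name is not a binding.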
This post's theme word: nugatory, "of little value; trifling" or "having no force; ineffective."