Kittens and security

I’ve mentioned before how information security folks seem to always prefer cats to dogs. Now Microsoft has announced an authentication system that relies on human ability to differentiate the two better than computers:

But the truth about cats and dogs is that humans are much better than computer programs at telling them apart. Scientists at Microsoft Research developed a program that capitalizes on this ability. Twelve photographs of cats and dogs pop up on the screen, and users have to identify the cats (“You’re a human!”) or they won’t be allowed to proceed. On the Cal Poly site, this takes about 10 seconds.

This does not seem immune to farming attacks. In other words, attackers can forward the images to human “mules” and pay them a nominal fee to pick the correct answer and send back the results. So instead of using computer automation to reduce the cost of the attack, they find cheap human laborers, often unwitting ones — the next time you have to answer an authentication test, ask yourself if you really know where the results are going.

The free program was rolled out two months ago, and several institutions are experimenting with it. A bonus for animal lovers: The photos come from a database of more than 2 million animals held by the adoption service Petfinder.com, and each one comes with a link that can lead you to adopt the pet.

It really does not seem new to me at all, especially given that there are already (relay) attacks in the wild that can defeat it. Perhaps the novelty is in this mix of advertising/public message and authentication.

I couldn’t help but notice that Microsoft attempts to side-step this vulnerability by simply re-defining security terms to their liking.

A HIP is considered insecure if there is a way for an automated script to collect a large number of tickets without the commensurate human effort. Note that this definition also disqualifies attacks against a HIP that require computational effort as expensive as paying a human to solve the HIP manually.

Wow. You are no longer insecure if you just change the definition of the word. Perhaps Vista is secure now too because the definition of insecurity disqualifies “expensive” (as determined by Microsoft) attacks against it?

If they meant to say that human relay attacks are unable to defeat the system because of cost, then that is what they should have said and then they should have been able to test/prove the point (or at least defend it).

For example, let’s say I set up a fake adoption agency and advertise to unwitting folks who want to see the cute pets and maybe look for one to adopt from my website. You look at cats for free, I get authentication data. The good-intentioned “moral imperative” of the concept suddenly becomes its Achilles heel — it reduces the cost of attack, right?

Ooops.

More suspect information is hidden in the code. If you go to the Microsoft demo site and read the page source, you will find this warning:

// Note to anyone reading this code — this page, of course, is doing
// client-side validation, which is not secure. To implement a secure
// service, a server-side validation component is required. For an example,
// see http://www.asirra.com/examples/ExampleService.html.

Sounds like “Warning, this is not secure, but we’re hiding the warning because we want to give the impression of something secure to generate interest.”

Wonder if Microsoft is planning to track use through their web service and/or take a cut of the adoption fees. I smell a rat.

2007 Melges 24 Worlds

I wandered around the yacht club this Sunday, chatting with some of the local sailors in the Melges 24 World Championship. Sadly, I am unable to participate due to work obligations but some friends are doing very well. I would have been out sailing the A-Cat in yesterday’s absolutely ideal conditions but the organizers of the event had threatened me that they would “grind up” my boat if I did not move it out of the harbor (although I will still be charged the regular slip fees). Shame that people must act so hostile and primitive to feel that they are in control.

eric

Coconuts mandatory for Philippine diesel

Another example, this time from Reuters, of a country forging ahead with clean-fuel legislation that includes biodiesel:

The Philippines’ biofuels law came into effect on Sunday with little fanfare or information and only a partial rollout of the much-vaunted 1 percent coconut blend diesel.

Motorists were surprised to hear use of the cleaner fuel was now mandatory.

The government seems to have confidence in the ability of private industry to handle the education of consumers, once the laws have corrected market forces back to a more neutral position, less dominated by petroleum-based interests.

Chemrez, the largest bio-diesel producer in the country, has some interesting data on their site:

The firm’s premium coco-bio-diesel brand, BioActiv, has been tested in various government and public laboratories worldwide and has been found compliant with accepted national and international standards for bio-diesel.

ChemrezTech’s successful completion and passing of the IMS certification requirements consolidated three aspects of manufacturing excellence – adherence to global quality standards, complying with environmental laws, regulations, and promotion of a safe and healthy working environment.

ChemrezTech is the first bio-diesel plant to get all three certifications and within the shortest time for all IMS-certified firms.

It should not take long for results, including new market opportunities, to come to fruition. I suppose many people had no idea how they could improve things on their own but now they see a better path ahead, as the Reuters article points out:

Motorists said they would be willing to shell out extra if it meant less pollution.

“If it will serve the environment, why not?” said Jimmy Gochang, 70. “The air here is really terrible.”

Shell out extra? Funny. Not only will prices decrease, given the ubiquity of natural oils (the Philippines can also produce diesel fuel from sugar, jatropha, palm oil, soybeans and the fishing industry), but local and global competition for transportation fuels is already fundamentally altered. For example, Chemrez benefits from the largest supply of coconut oil in the world as it now exports its diesel fuel to Germany.

The story of a 13-year-old conman

The news.com.au site has reported that a 13-year-old is being charged with fraudulently earning £250,000.

In brief, he continually defrauded people by abusing trust in business deals — he cheated.

It does not seem that exciting or unusual, except for the fact that he was able to get away with it for so long. The article does not mention that he tried to hide his identity. The opposite, actually:

The boy was first arrested in October 2004, but bailed and went on to reoffend – a pattern that repeated itself four times in two years.

Thus it is most remarkable that the controls to prevent fraud were so weak. I guess they treated him with kid gloves.

They do not even say that he changed names, just that he continually moved on to new victims and that he looked older than 13 (blame the victim?).

A police source said: “It was like he was addicted to conning people. And whenever he was confronted with what he did, he showed absolutely no remorse.”

Guilt, remorse…they’re good ethical foundations, but they generally do not put up the best defense against a criminal mind, especially when the perpetrator lacks them entirely. I get the sense that his real exploit was simply that the police did not want to charge him as an adult.

But despite his intelligence, his lack of education was exposed in emails littered with spelling and grammatical errors.

But a police source said he could be very convincing: “He is 6ft tall and looks a lot older.”

Is it really that intelligent to lack remorse, and to build a business by abusing the trust of consumers? He just seems like someone who was awarded repeated opportunities to break the rules that he did not respect in the first place. Why does Enron come to mind…?

So I guess the question is whether the incident(s) will be treated as an exception or if anti-fraud measures will be altered now to account for juveniles. Even more radical might be to start treating 13-year-olds as adults in terms of Internet commerce, as that age seems to be recognized as formal adulthood in some cultures.

Adulthood can be defined in terms of biology, law, personal character, or social status. These different aspects of adulthood are often inconsistent and contradictory. A person may be biologically an adult, and have adult behavioral characteristics but still be treated as a child if they are under the legal age of majority. Conversely one may legally be an adult but possess none of the maturity and responsibility that define adult character.

…such as spelling and grammatical accuracy.