Monday, May 20, 2002


Today Slashdot linked an article describing the security threats that Yahoo! faces. Nothing new or profound, but there's one bit I find hilarious.

Because some users create bots to sign up for massive numbers of accounts, Yahoo! has considered using bot-detection techniques, which basically ask users to perform tasks which a bot would likely be unable to perform. (The example given is typing a passphrase which is displayed in an OCR-unfriendly image.) While techniques like this can prevent automated attacks, there's nothing keeping a human from sitting down and creating accounts by hand all day. The Yahoo! scientist quoted in the article basically throws up his hands and says that you can't prevent users from creating multiple accounts.

The funny part is his proposed solution. Instead of preventing this kind of attack, take advantage of it: force the user to solve a menial math problem which, when combined with all the other menial math problems, performs some useful distributed computing task.

Of course, this doesn't make much sense. In order for the computation to be useful, the user-supplied solutions must be verified. This verification would likely be at least as expensive as computing the solutions yourself. So you're not really getting users to "perform distributed computation tasks" for you: you're getting them to mimic computations you've already done. Possibly useful as a bot-detection technique, but hardly useful computationally.

Funny, though.

1 comment:

  1. My friend Tom Duff
    points out that there are many computations which are
    cheaper to verify than to compute. Of course this is true,
    but those problems (which tend to be searches or mathematical
    solutions) tend not to be the kind of thing a layman could do
    in short order. ("Factor the fifty composite numbers that
    follow 865439376047265.")
    If anyone can think of a computation that would actually be useful for this purpose, please speak up.
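
The verify-versus-compute asymmetry raised in the comment, as an added example that is not part of the original post or comment: a server checks an untrusted factorization with one multiplication and a few primality tests, while the client has to search for the factors. The function names and the challenge number are constructed for illustration.

```python
import math

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these bases make it deterministic for n < 2**64."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a witnesses that n is composite
    return True

def verify(n, factors):
    """Server side: check an untrusted submission without redoing the search."""
    if not factors or any(type(f) is not int or f < 2 for f in factors):
        return False
    # The product check alone is not enough: [n] or a partial split would pass.
    return math.prod(factors) == n and all(is_prime(f) for f in factors)

def factor(n):
    """Client side: trial division. Returns (prime factors, divisions tried)."""
    factors, tried, p = [], 0, 2
    while p * p <= n:
        tried += 1
        if n % p == 0:
            factors.append(p)
            n //= p
        else:
            p += 1
    if n > 1:
        factors.append(n)
    return factors, tried

# Constructed challenge: the product of two known primes near 10**6.
CHALLENGE = 999983 * 1000003
```

Here the client spends roughly a million trial divisions on `CHALLENGE`, while `verify` needs two primality tests and one multiplication, and it rejects the lazy answer `[CHALLENGE]` because that "factor" is not prime.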