I shared some opinions about the ‘Human Cloud’ (not the same thing as Sun’s blog about it). My ‘human cloud’ is about ‘elasticity’, ‘on demand’ capacity and automated problem solving using real humans. This can be a good thing or a bad thing, especially when designing or implementing secure (or any other) solutions.
Something I did not post, which just came to my mind: CAPTCHA and other human-interaction elements should not be depended upon for secure solutions. They are “what any human (or trained pet) can do”, unlike second or nth authentication factors such as “what I have” and “what I know”. If the check is something common, e.g. a CAPTCHA, then it is the weaker factor.
For my post on the OWASP Malaysia list in reply to someone’s post on brute-force password cracking, and the subsequent replies, see “https://lists.owasp.org/pipermail/owasp-malaysia/” and look for “Brute Force Password Guessing!!!”.
Here’s the original post:
Hi Guys,
Talking about CAPTCHA...

I am involved in ‘cloud’ solutions and read interesting articles on the ‘Human Cloud’ (some terms I made up to let you imagine better). I will try to dig them out if anyone is interested; I can’t recall exactly where I read it. Could be a SecurityTube posting of a speaker at HiTB KL last year.

Ok, the technique is this: determined crackers can use ‘outsourced/offshore’ help to work around CAPTCHA, say from India/China or wherever labour cost is lower. You can create an API to screenshot/save the CAPTCHA image and send it to a team elsewhere; they solve it for you in seconds and, via the API, it is automatically passed back to your cracking application. I likened that to ‘cloud’, a ‘human CPU’ on demand.

So my opinion is this: as long as the additional ‘factor’ is human processing required, e.g. typing back a CAPTCHA, voice dictation, clicking on some patterns etc., these can be outsourced using APIs to a ‘human cloud’. To be stronger, the additional ‘factor’ should be something that the user must have physically, which the ‘human cloud’ can’t possibly have. CAPTCHAs just make it a little hassle for those ‘script kiddies’, but what if ‘human cloud’ APIs are as cheap as an Apple Store app download, e.g. $0.01 per solved CAPTCHA?

From another perspective, when we are using CAPTCHA, we are actually being the ‘human cloud’ solving some organization’s book-scanning OCR process (http://recaptcha.net/learnmore.html). Good or bad, I am not sure; why not harness the ‘human cloud’ for improving your own processes? But that is another topic.

What do you think? Until today I am still fascinated by the ‘human cloud’.
