Search This Blog

Wednesday, October 20, 2010

How to Captcha that Hot Ticket...

I found this story in Wired.  My rants on the value and security of print versus electronic forms of secure documents got a big boost yesterday when I found it.

It looks like a judge in New Jersey is trying to make defeating CAPTCHA a Federal Crime.  That's right - you've seen it a million times when signing up for forums, web sites, web accounts, virtually any web activity with a terms of service or something to sell.  They want to make sure you're "you" and not some bot.  But this takes things to a whole new level...

So what's the story (from Wired)...

"The case targets a ring of defendants who used various means to bypass CAPTCHA — the squiggly letters and numbers websites display to prove a visitor is human — in order to automatically purchase thousands of tickets from online vendors and resell them to premium customers....  The defendants have been charged with wire fraud and with violating the anti-hacking Computer Fraud and Abuse Act, in an elaborate scheme that allegedly used a network of bots and other deceptive means to bypass CAPTCHA and grab more than 1 million tickets for concerts and sporting events. They made more than $25 million in profits from the resale of the tickets between 2002 and 2009."

Basically these guys wrote programs that got around the idea that you had to be a human to solve a CAPTCHA display on ticket web sites.  How they did that is interesting in and of itself, but there are more important freedom issues at stake.

I certainly don't advocate fraud of any type.  Printed tickets of all forms: lottery, concert, speeding, and so on all are produced and managed on printed forms that are hard to duplicate for good reason.  Fraud has been around a long time and complex printed objects have always been a good way to keep it in check.  Not that it always succeeds, but in general "Joe Average" doesn't cross the line to create fake concert tickets and so forth.

(Though this was and is an issue as home laser and inkjet printers become more sophisticated.  Much of this is address today through embossing, foil and other stamps, embedded strips, steganography, and so forth.)

The defendants in this case bought the actual tickets in questions - well, actually they got customers to give them credit card information and when the time came their customers bought the tickets - no credit card fraud is alleged.

The issue is how they bought them.  

They wrote programs to log into places like TicketMaster, create fake ID's on the site (this is where the CAPTCHA defeat comes in) and supplied valid credit cards (with the owner's permission) to buy the tickets.

The rub is that the "Terms of Service" (from TicketMaster) on these sites says "you" must not do a lot of things - among them not "hack" the site and you must be, well, er, you:

"By using or attempting to use the Site, you certify that (i) you are a resident of the United States and are at least 13 years of age or, if under the age of 13, you have the consent of your parent or guardian (over the age of 18) to use the Site, or (ii) you are not a resident of the United States and are at least 18 years of age or, if under the age of 18, you have the consent of your parent or guardian (over the age of 18) to use the Site. If you do not meet these requirements or, if for any reason, you do not agree with all of the terms and conditions contained in these Terms, please discontinue using the Site immediately."

So what if I'm a programmed software robot and I click the "I agree" tab for this?  

The issue is that these sites used CAPTCHA to determine you were legitimate users of the site and the defendants found a way around it.

(How they did this show how remarkably stupid and simple-minded the CAPTCHA people were (at least I hope "were" and not "are").  Each of the squiggly letter blocks you see like this:

Turns out that the "which dintcari" is an image with a consistent URL.  That's right - if you see "PghWE5 iYeOP" it turned out that the squiggly image was always the same image file - across all of CAPTCHA's customer base.  

So the defendants wrote programs to go around the internet and collect CAPTCHA challenges and their respective image URLs.  They solved the CAPTCHAs and matched those with the image URLs.  Their robot simply looked at the CAPTCHA URL, checked its database to see if it was a known one, and, if it was, put in the right letters.

Now, no one thinks that "getting around" a CAPTCHA, except perhaps this judge, should be a Federal Crime and there is significant legal precedence for thinking that way.  Basically this line of thought says that "terms of use" constitute a civil contract and if you violate that problem you have a civil legal problem, not a criminal one.

And this is the problem.

If this case should be decided against the defendants than potentially anytime you "violate terms of service" you could be considered to have committed a Federal Crime (18 Section U.S.C 1030).

Read it for yourself - it won't be hard for a prosecutor to convict anyone of at least one of these items.

Now do I think these defendants are guilty of fraud?  Yes.  

Do I think they committed Federal Computer crimes?  Yes - according to the statutes. 

Do I think the statutes apply in this case? No.

And here's why.

Addressing forged documents in real-world situations has gone on for centuries.  The most effective solution would have been for the ticket sites to reject the tickets they thought were acquired in an invalid manner at the venues.

Word would have travelled fast that buying a ticket from WiseGuy was a mistake and they would have gone out of business.

Instead we have a judge making anything that violates "terms of service", and I am sure everyone here reads all of those terms in every detail, a Federal Crime.

Again - print solves the problem.  Add some data onto the tickets sold electronically that indicate they are involved in an improper scheme and reject them at the point of entry.  If "dad and mom" have to take little Jr. home from the gate of that Miley Cirus concert because their tickets get rejected for "terms of service" a lesson will be learned.

The ramifications of this case will be heard far and wide - not only will you get in trouble for whatever you were doing that violated terms of service in the first place - copying a song, sneaking onto a porn site, spying on your spouse, whatever - but now you could be the target of a criminal investigation as well - and at the Federal level.

No comments:

Post a Comment