"Proof-of-Work CAPTCHA with password cracking functionality"
The "work" is "to use the distributed power of webusers’ computers" to "obtain suspects’ passwords in order to access encrypted evidence" and "support law enforcement activities".
Funny how that isn't mentioned anywhere in the linked site.
> Normally, it is undesirable for users’ passwords to be cracked. However, in the case of law enforcement, we often need to obtain suspects’ passwords in order to access encrypted evidence. The obvious solution is to build powerful (and expensive) dictionary cryptanalysis computers. A less obvious approach is to use the distributed power of web users’ computers, as has been done in the Seti@Home (https://setiathome.berkeley.edu/ — suspended project) or Folding@Home projects (https://foldingathome.org/). The proposed approach can therefore support law enforcement activities while providing the desired functionality to the web community
"You're not allowed to visit this website unless you submit your computer to being part of the fed's password cracking botnet" that's a whole fresh hell. A better use case is right there in their own description! I'd love my captchas to be little Folding@Home problems.
btw no, cap does not contribute to any "fed botnet". you can build the WASM binaries yourself and compare the hashes. added a clarification about that to the docs.
Generally that is countered by asking for a mix of known and unknown solutions; your accuracy on the unknown is assessed through your accuracy on the known.
Is it possible to do some other sort of cryptographic trick than simply seeding the mix with known and knowns. Some sort of sum of many answers combined? Maybe it isn’t possible in this use case though (brute forcing passwords).
For example is crypto POW really just doing a mix of known and unknowns or is there more cryptographic magic to it than that?
Definitely concerning, although I'm having trouble finding anything in the codebase to support this.
This paper even seems to contradict aspects of the project's no tracking stance. If someone told me this paper was for a different (but similar) project, I'd believe it after looking at the two side by side.
Would definitely want this to be addressed before I'd consider using it.
There are two binaries commited to the repo (cap_wasm_bg.wasm) but from what I can tell, it doesn't seem to be making any network calls or what have you. They still should get rid of them and add a Rust build step for their browser/node packages.
It's not a good practice to commit binary blobs in a repository. And I don't think it would be difficult to add a prepublish step to your npm packages so that you can remove them. The end user shouldn't need to run the build script and compare hashes whenever the source code changes.
Very surprised to get pushback on what I thought was an industry standard lmao
Interesting discovery. This research sounds creepy and ill-advised, but my intuition suggests to me this is an innocent attempt to do something useful rather than waste energy on a PoW algorithm. My intuition also tells me that if this project became popular enough, attackers would break the algorithm fairly easily and the project would just revert to a more conventional PoW algorithm that doesn't try to be smart.
Cap does not send any of the calculated hashes ANYWHERE, the white paper just details a bit how proof-of-work works and I thought that it would be interesting to share.
In case you weren't aware, a blue hat is typically associated with law enforcement in the US. On its own it'd be no problem, but the logo, the paper, and the comment above correctly pointing out concerns/lack of acknowledgement on your site (until now) really comes off as suspicious.
FWIW, I do believe you just made a few unintentional awkward choices instead of being malicious... But a product associated with something like this is a hard sell.
I think there's a good chance they just linked to the paper for technical background, unrelated to the paper's mention of law enforcement usage. The website mentions self-hosted, no third-party requests, etc. Unless they're flat-out lying.
https://www.researchgate.net/publication/374638786_Proof-of-...
"Proof-of-Work CAPTCHA with password cracking functionality"
The "work" is "to use the distributed power of webusers’ computers" to "obtain suspects’ passwords in order to access encrypted evidence" and "support law enforcement activities".
Funny how that isn't mentioned anywhere in the linked site.