{"id":44,"date":"2008-07-17T01:56:43","date_gmt":"2008-07-17T06:56:43","guid":{"rendered":"http:\/\/www.bitquill.net\/blog\/?p=44"},"modified":"2008-11-22T12:22:28","modified_gmt":"2008-11-22T17:22:28","slug":"the-fall-of-captchas-really","status":"publish","type":"post","link":"https:\/\/bitquill.net\/blog\/the-fall-of-captchas-really\/","title":{"rendered":"The Fall of CAPTCHAs &#8211; really?"},"content":{"rendered":"<p>I recently saw a Slashdot post dramatically titled &#8220;<a title=\"Fallout from the Fall of CAPTCHAs (Slashdot)\" href=\"http:\/\/it.slashdot.org\/article.pl?sid=08\/07\/15\/2025220\">Fallout From the Fall of CAPTCHAs<\/a>&#8221;, citing an equally dramatic article about &#8220;<a title=\"How CAPTCHA got trashed (Computerworld)\" href=\"http:\/\/www.computerworld.com.au\/index.php\/id;489635775;fp;;fpid;\">How CAPTCHA got trashed<\/a>&#8221;. Am I missing something? Ignoring their name for a moment, <strong>CAPTCHAs are <em>computer<\/em> programs, following specific rules, and therefore they are subject to the same cat-and-mouse games that all security mechanisms go through. Where exactly is the surprise?<\/strong> So Google&#8217;s or Yahoo&#8217;s current versions were cracked. They&#8217;ll soon come up with new tricks, and still newer ones after those are cracked, and so on.<\/p>\n<p>In fact, I was always confused about one aspect of CAPTCHAs. 
<strong>I thought that a <a title=\"Turing test (Wikipedia)\" href=\"http:\/\/en.wikipedia.org\/wiki\/Turing_test\">Turing test<\/a> is, by definition, <em>administered<\/em> by a human, so a &#8220;completely-automated Turing-test&#8221; is an oxymoron, something like a &#8220;liberal conservative&#8221;.<\/strong> An unbreakable authentication system based on Turing tests should rely <em>fully<\/em> on <a title=\"Human-based Computation (Wikipedia)\" href=\"http:\/\/en.wikipedia.org\/wiki\/Human-based_computation\">human computation<\/a>: humans should also be at the end that generates the tests. Let humans come up with questions, using references to images, web site content, and whatever else they can think of. Then match these to other humans who can gain access to a web service by solving the riddles. Perhaps the tests should also be somehow rated, lest the simple act of logging in turns into an absurd treasure hunt. I&#8217;m not exactly sure if and how this could be turned into an <a title=\"The ESP Game\" href=\"http:\/\/www.gwap.com\/gwap\/gamesPreview\/espgame\/\">addictive game<\/a>, but I&#8217;ll leave that to the experts. The idea is too obvious to miss anyway.<\/p>\n<p>CAPTCHAs, even in their current form, have led to numerous contributions. A non-exclusive list, in no particular order:<\/p>\n<ol>\n<li>They have a catchy name. That counts a lot. Seriously. 
I&#8217;m not joking; if you don&#8217;t believe me, repeat out loud after me: &#8220;I have no idea what &#8216;onomatopoeia&#8217; is&#8212;I&#8217;d better MSN-Live it&#8221; or &#8220;&#8230; I&#8217;d better Yahoo it.&#8221; Doesn&#8217;t quite work, does it?<\/li>\n<li>They popularized an idea which, even if <a title=\"USPTO 6195698: Method for selectively restricting access to computer systems (Google Patent Search)\" href=\"http:\/\/www.google.com\/patents?id=VncGAAAAEBAJ\">not entirely new<\/a>, was made accessible to webmasters the world over, and is now used daily by thousands if not millions of people. What greater measure of success can you think of for a technology?<\/li>\n<li>Sowed the seeds for Luis von Ahn&#8217;s <a title=\"Human Computation (Google Video)\" href=\"http:\/\/video.google.com\/videoplay?docid=-8246463980976635143\">viral talk<\/a> on human computation, which has featured in countless universities, companies and conferences. Although not professionally designed, the slides&#8217; simplicity matches their content in a Jobs-esque way. As for delivery and timing, Steve might even learn something from this talk (although, in fairness, Steve Jobs probably doesn&#8217;t get the chance to introduce the same product hundreds of times).<\/li>\n<\/ol>\n<p>So is anyone really surprised that the race for smarter tests and authentication mechanisms has not ended, and probably never will? 
(Incidentally, the lecture video above is from 2006, over three years <em>after<\/em> the first CAPTCHAs were <a title=\"EzGimpy\" href=\"http:\/\/www.cs.sfu.ca\/~mori\/research\/gimpy\/\">successfully broken<\/a> by another computer program&#8212;see also <a title=\"Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA\" href=\"http:\/\/www.cs.sfu.ca\/~mori\/research\/papers\/mori_cvpr03.pdf\">CVPR 2003 paper<\/a>.) <strong>There are no silver bullets, no technology is perfect, but some are really useful.<\/strong> Perhaps CAPTCHAs are, to some extent, a victim of their own hype which, however, is instrumental and perhaps even necessary for the wide adoption of any useful technology. I&#8217;m pretty sure we&#8217;ll see <a title=\"Google Patents CAPTCHA Killer?\" href=\"http:\/\/www.blahblahtech.com\/2008\/01\/google-patent-captcha-killer.html\">more elaborate tests<\/a> soon, not less.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently saw a Slashdot post dramatically titled &#8220;Fallout From the Fall of CAPTCHAs&#8221;, citing an equally dramatic article about &#8220;How CAPTCHA got trashed&#8221;. Am I missing something? 
Ignoring their name for a moment, CAPTCHAs are computer programs, following specific rules, and therefore they are subject to the same cat-and-mouse games that all security mechanisms [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,45],"tags":[50,49,58,4],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-pointless","category-scitech","tag-commentary","tag-computer-science","tag-opinion","tag-web"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7x9xm-I","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":0,"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/pos
ts\/44\/revisions"}],"wp:attachment":[{"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitquill.net\/blog\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}