Eleven years ago this month, a melancholy milestone was reached when IBM's Deep Blue computer beat world chess champion Garry Kasparov. The eternal struggle of humans against machines as personified in Kasparov's loss and the philosophical hand-wringing that followed comes to mind in relation to this posting by Nicholas Carr. He says some experts are concluding that attempts to crack "CAPTCHA" security are being done entirely by machines.
CAPTCHAs -- it stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart -- are the swirly series of characters users often are asked to type in to gain access to certain areas or do business on Web sites.
Carr's post is a response to a Washington Post story that details the issue. In the past, Carr writes, it was thought that people in developing countries were manually typing in character combinations to try to defeat CAPTCHA functions. Recent findings by Websense suggest, however, that the CAPTCHA is being attacked without human intervention, though it is unclear how this is happening.
CAPTCHA is attracting a lot of attention. PCWorld.com discusses the cracking of the version of CAPTCHA aimed at the sight-challenged. The piece drills down to the Gmail version; it is unclear if the exploit described extends to other audio-enhanced versions of CAPTCHA. In any case, the Gmail CAPTCHA consists of a female voice saying a series of letters surrounded by what the writer says is "creepy" noise he likens to "I am the Walrus" and "The Exorcist." It is repeated, and the user asked to type in the letters they hear. The firm Wintercore did a waveform analysis and noticed that the noise and letters were clearly distinguishable, which makes the system easy to break.
This Wired posting poses the question of whether CAPTCHA is becoming antiquated. The answer, apparently, is a qualified "no." That is not to say that it isn't in danger. The writer links to a page he found last year that quotes prices for automated decoding of different types of CAPTCHA programs. Google, Yahoo and Hotmail were assessed to be "very difficult" to defeat -- and just that happened this year.
It is not hopeless, however. The blogger points to ReCaptcha, HotCaptcha and KittenAuth as promising approaches. He doesn't describe them in detail, but does provide links. This Microsoft page looks at another approach, Animal Species Image Recognition for Restricting Access (ASIRRA). A related approach is GWAP (Games With a Purpose). The system leverages games played by site visitors to train computers to react more "intelligently." GWAP launched this week, and a member of the ReCaptcha team is on board.
Another sign that CAPTCHA is severely challenged comes in research from Newcastle University. If the string being used as the CAPTCHA is segmented -- broken up into its individual letters, for instance -- is it relatively easy to circumvent, according to Techworld. For that reason, vendors employ CAPTCHAs that are resistant to segmentation. The bad news for CAPTCHA is that the researchers developed a way to successfully segment the images more than 90 percent of the time.