The long view of security strategies for your network.
Many readers have no doubt encountered funny-looking images of distorted letters that look as if they are filtered through a haze of mind-altering substances. Sometimes these images are associated with sign-ups for Web pages; occasionally one encounters e-mail systems that demand that one decode the weird letters and numbers to be able to send e-mail to a person being guarded against spam.
These puzzles are known as CAPTCHAs, standing for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
They were developed by The CAPTCHA Project at Carnegie Mellon University:
http://www.captcha.net/
It started around 2000 as an approach to defeating bots (automated processes - from “robots”) that can be used to abuse online services. The examples cited on the CAPTCHA Web site include distortions of online polls, abuse of free e-mail services, search-engine violations of privacy requests on Web sites, spam, and brute-force challenges to passwords on live systems.
There are several types of CAPTCHAs in use today:
* Gimpy, which presents distorted letters and numbers that are difficult for machines to interpret but easy for people to recognize.
* Bongo, resembling a simple IQ test involving pattern recognition (better hope you agree with the designers’ opinions).
* Pix, which distorts ordinary photographs and presents a list of words from which one must select the element in common (I failed a sample in which the images were all supposed to look like cheese but included what appeared to be a plate with a pile of rotting leaves in one and a platter of sushi in a fourth).
* Sounds, which distort a sound clip and ask the user to interpret the clip.
The visually based systems are evidently difficult or impossible for visually impaired users to master, as is the last one for hearing-impaired users. Any attempt to use CAPTCHAs should offer alternatives for _bona fide_ human beings with perceptual disabilities to authenticate themselves.
According to the CAPTCHA Web site, several artificial intelligence research groups are using CAPTCHAs as challenges. Criminals, too, have been applying human ingenuity to defeat the system. In particular, some spammer bots have been transferring CAPTCHAs to pornography sites where unsuspecting pornophiles decode them on behalf of the bots. Other bots take advantage of the relatively small number of answers available for many CAPTCHA applications; if there is no limit on the number of retries, the bots simply try all the values until they succeed.
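The retry problem above is a server-side one: a Pix-style challenge with eight candidate words has only eight possible answers, so the challenge itself cannot be the whole control. The following is an added example (not code from the CAPTCHA Project or from Network World) of a hypothetical challenge store that makes each challenge single-use, time-limited and discarded after a fixed number of wrong answers. The class and function names, the three-attempt and two-minute limits, and the sample word list are assumptions chosen for illustration; `max_attempts=None` models the weak, uncapped configuration so it can be compared with the capped one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical defaults (constructed for this example): three wrong answers
# retire a challenge, and an unanswered challenge expires after two minutes.
MAX_ATTEMPTS = 3
TTL_SECONDS = 120


@dataclass
class Challenge:
    answer: str        # the expected response for this challenge
    issued_at: float   # clock reading when the challenge was handed out
    attempts: int = 0  # wrong answers seen so far


class ChallengeStore:
    """Server-side record of outstanding CAPTCHA challenges.

    A challenge is identified by an unguessable token. It is removed from the
    store when it is solved (single use), when it expires, or when the wrong-
    answer budget is exhausted, so a bot cannot keep retrying one challenge
    until it stumbles on the answer. max_attempts=None disables the cap and
    models the unlimited-retry configuration the column warns about.
    """

    def __init__(self, max_attempts: Optional[int] = MAX_ATTEMPTS,
                 ttl: float = TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._challenges: Dict[str, Challenge] = {}
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested offline

    def issue(self, answer: str) -> str:
        """Register a challenge and return the opaque token sent to the client."""
        token = secrets.token_urlsafe(16)
        self._challenges[token] = Challenge(answer=answer, issued_at=self.clock())
        return token

    def verify(self, token: str, response: str) -> bool:
        """Check a response; unknown, expired, used-up and solved tokens all fail."""
        challenge = self._challenges.get(token)
        if challenge is None:
            return False
        if self.clock() - challenge.issued_at > self.ttl:
            del self._challenges[token]
            return False
        challenge.attempts += 1
        # Case-insensitive, whitespace-trimmed comparison (assumed policy for
        # letter CAPTCHAs); constant-time compare avoids leaking the answer
        # through timing differences.
        ok = hmac.compare_digest(challenge.answer.strip().lower().encode(),
                                 response.strip().lower().encode())
        budget_spent = (self.max_attempts is not None
                        and challenge.attempts >= self.max_attempts)
        if ok or budget_spent:
            del self._challenges[token]  # single use, or retired after too many misses
        return ok


def blind_guess_success_rate(n_choices: int, max_attempts: Optional[int]) -> float:
    """Fraction of challenges a guesser with no vision at all will pass.

    With n equally likely answers and k distinct guesses allowed per
    challenge, the pass rate is k/n; with no cap it is 1.0, which is the
    'try all the values' case from the column.
    """
    if max_attempts is None or max_attempts >= n_choices:
        return 1.0
    return max_attempts / n_choices


def guessing_defeats_store(store: ChallengeStore, token: str,
                           choices: List[str]) -> bool:
    """Defensive self-test: does cycling through the candidate answers pass?

    Used to confirm that the retry cap actually retires a challenge before
    the candidate list is exhausted.
    """
    return any(store.verify(token, word) for word in choices)


if __name__ == "__main__":
    # Constructed Pix-style candidate list; the real answer is the sixth word.
    words = ["sushi", "leaves", "plate", "bread", "apple", "cheese", "wine", "grapes"]
    uncapped = ChallengeStore(max_attempts=None)
    capped = ChallengeStore(max_attempts=MAX_ATTEMPTS)
    print("uncapped store passes exhaustive guessing:",
          guessing_defeats_store(uncapped, uncapped.issue("cheese"), words))
    print("capped store passes exhaustive guessing:",
          guessing_defeats_store(capped, capped.issue("cheese"), words))
    print("expected blind pass rate with cap:",
          blind_guess_success_rate(len(words), MAX_ATTEMPTS))
```

The store is only the per-challenge half of the control; a bot that is refused on one challenge can request another, so the same site would also throttle challenge issuance per client, and a small answer space should be paired with a low cap (three tries against eight words still lets a blind guesser through 37.5% of the time).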
Future CAPTCHAs may include increasingly difficult logic problems or questions requiring the kind of knowledge typical of real people (e.g., “Why do politicians who initiate foreign wars generally have few of their own children in the military forces?”). The problem will then become one of rejecting an increasing number of real people.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.