The Death of CAPTCHA

For a while now we knew that CAPTCHA‘s were becoming irrelevant. There were a great solution when they were first introduced, but I think that everyone knew that they are not going to be around for a long time. The tend in technology is always constant improvement – so OCR engines will continuously improve each passing year. CAPTCHA strength on the other hand has an upper bound because it needs to be human readable. You can continue making the pictures more complex and tricky to solve but at some point they become as incomprehensible to a human being, as they are to some random bot. For example, how do you guys like the rapidshare dog/cat CAPTCHA?

The Infamous Cat CAPTCHA

I personally hate that one. Yes, you can sort of figure it out but you actually have to put some effort into it, and sometimes it’s just pure guesswork. Does it help against the automated scripts? I don’t know – I guess this is a question we should direct at Rapidshare. But it sure is annoying to regular users.

The OCR technology is not there yet – it’s getting better, but I presume that we could still get few years out of our CAPTCHA’s if their effectiveness boiled down to complexity of design vs. character recognition arms race. But we all know there is a growing cottage industry out there which uses real people to solve CAPTCHA’s by either tricking them into doing it or paying them per solved puzzle. I always imagined this to be rather shady business conducted in private spammer forums and via private channels. But it is not. They are actually doing this out in the open, as a legitimate paid service:

Image To Text

Here is a screenshot of imagetotext.com – a company which specializes in solving CAPTCHAS. They of course don’t say it like that, but I think the blurbs on their site make it pretty clear that they are not really interested in doing any sort of data entry tasks or into transcribing free hand text into digital format. They are interested in receiving a small image, and shooting back the text at $.02 a pop bought in “packages” of 500 images or more. With a narrow focus like that, what else could they be doing?

Note that I’m not linking to them, because sure as hell they don’t need any Google juice from me. :P The ubiquity of CAPTCHA basically created a new niche industry. All you need now is some clever script that will harvest CAPTCHAS, send them to Image to Text, receive responses and create accounts on popular online services. Thank god these sort of scripts are shady, and probably hard to get, right? You either have to make them yourself, or know where to find them, or who to ask for them. It’s not like anyone can just go to a website and buy, for example, an automated Myspace account creator? Right?

allBots Inc.

This one is from allbots.info – a website that seems to be selling precisely that: account generation scripts that create random profiles, and simply need a human being solving CAPTCHA’s really fast for them. So you buy one of these apps, then purchase a big ass package with ImageToText you can start building your brand new spam empire. All it takes is some cash – you can even be borderline retarded. It won’t slow you down.

Combine the two services, and you have yourself a deadly combo with no programing, and no thinking required. A bit scary if you think about it. I’m not sure how profitable are these two companies, but the fact that they exist indicates that there is demand for these type of services out there.

CAPTCHA’s may be effective in stopping your average home grown spammer, but they are actually creating a whole micro-industry revolving around circumventing them. In other words, they are actually performing natural selection – weeding out the week players with few resources, and leaving only the biggest, baddest and most determined in the game. They are the catalyst, helping to evolve bigger and better bad guys.

Public Turing tests may be doomed and I suspect they might get completely phased out from use on the web in next 5-10 years. And it’s not just CAPTCHA’s – all public Turing tests. After all, it doesn’t matter if you are interpreting an image, solving an equation, or answering a question – it doesn’t really matter if there is a low wage human worker solving it on the other end, and then handing control over to a script.

Google has an interesting idea going on with their text message based application. If you haven’t seen it, try signing up for one of their services such as Gmail or Google App Engine. Instead of using a CAPTCHA they send a text message with an activation code to your cell phone. At least for the time being this system remains much harder to game – which means we might see it being used more and more often by popular online services. Of course it does have serious downsides as not everyone with an internet connection may have a cell phone (think less developed countries) and not all cell carriers may be supported. We will need something else – but what?

It will be interesting to observe where will the anti-bot technology will go in the next few years.

[tags]captcha, imagetotext, allbots, rapidshare, public turing test[/tags]

This entry was posted in technology and tagged , . Bookmark the permalink.



11 Responses to The Death of CAPTCHA

  1. I hate to be a jerk, (No, wait. I love that. Never mind.) but it’s not “touring test.” http://en.wikipedia.org/wiki/Turing_test

    Reply  |  Quote
  2. Matt` UNITED KINGDOM Mozilla Firefox Windows says:

    Here’s hoping the arms race eventually develops a true AI :mrgreen:

    That, or the anti-spam questions serve a dual purpose, keeping both bots and idiots off of my internets… ask a complex question, only smart people know the answer, everybody wins.

    Reply  |  Quote
  3. Luke Maciak UNITED STATES Mozilla Firefox Ubuntu Linux Terminalist says:

    [quote comment=”9500″]I hate to be a jerk, (No, wait. I love that. Never mind.) but it’s not “touring test.” http://en.wikipedia.org/wiki/Turing_test/quote

    :ops: Oops! Damn spellcheck! I fixed it now. Thanks!

    [quote comment=”9501″]That, or the anti-spam questions serve a dual purpose, keeping both bots and idiots off of my internets… ask a complex question, only smart people know the answer, everybody wins.[/quote]

    This would mean that MySpace would go out of business as 90% of their user base would find themselves locked out. :P Which, is not such a band thing actually.

    Reply  |  Quote
  4. Nick UNITED STATES Mozilla Firefox Gentoo Linux says:

    That, or the anti-spam questions serve a dual purpose, keeping both bots and idiots off of my internets… ask a complex question, only smart people know the answer, everybody wins.

    People are on it as we, uh, post. Stupid Filter

    Reply  |  Quote
  5. astine UNITED STATES Mozilla Firefox Linux says:

    So you buy one of these apps, then purchase a big ass package with ImageToText you can start building your brand new spam empire. All it takes is some cash – you can even be borderline retarded. It won’t slow you down.

    BWAHAHAHAHAHAHAHAHAHAAAAAA!

    Soon my plan will be complete! Spam in every inbox, every comment log, inline of every blog! Soon everyone will be so pissed off at all the spam that they will simply log off of the Internet. Then, THEN, I will be the only person left online, leaving me free to do as I always wanted! Soon, my blog will have the most DIGGS!!!

    HAHAHAHAHAHAHAHAHAAAAAAAAA!!!1!!!!11!!1!!!1!!!!1111!

    Reply  |  Quote
  6. Luke Maciak UNITED STATES Mozilla Firefox Windows Terminalist says:

    @Nick – LOL good one! I saw it before, but it’s still funny!

    @astine – oh no! What have I done! I created a monster!

    Reply  |  Quote
  7. I am kinda missing the teli-marketers :(

    Really though, I think bloggers will always be one step a head of spammers (the bloggers that need the protection at least) captchas are really now only becomming an issue in Browser Based Games and Social Networking Sites due to their vounrablility to bots…
    Simple methods of avoiding spam on any joe blow blog will work because to be honest… not enough people care that travismccrea.com even exists for them to bother with it.

    And they know if they develop spam ware for a certain website in particular they are going to get IP blocked and their time was useless… spammers more key in on fully non protected blogs.

    Really, if it becomes an issue… just use a honeypot with the blank field (thats what I was using for the longest time) which will change the titles from Name Mail URL and Body to 342938479283749823794872394 d0350we989287439879243784 3490872948792384792387498 and 219834923857984732987239dfd3893 and then one extra one to throw the bot off because if it fills it out it will be sent back (it would be hidden in a “display: none;” what I also did for screen readers is put FFF text saying “this is a blank feild for spammers, please do not fill anything in it”

    Reply  |  Quote
  8. Luke Maciak UNITED STATES Mozilla Firefox Ubuntu Linux Terminalist says:

    @Travis – but the point is that instead of just a stupid bot, now you have a bot and a human being working in unison. The human passes the test by not filling out the right field, and the bot injects the payload.

    You can block the IP, and it will probably work on a smaller scale, but then they might proxy their requests through a large botnet and having each one come from a different IP.

    But yeah, small blogs have the advantage of not being large targets. But if you are indexed by Google or other search engines, then the bots can find you via random searches.

    Reply  |  Quote
  9. I just think that bloggers will always stay one step ahead of spammers, and its obvious that we will because spammers are always looking out for the old systems, and are TRYING to catch up with our current ones… Captchas have been around for HOW long? They are just now being able to get a rough solve on a few SIMPLE ones?

    Its not really about all bloggers getting together to find the perfect solution… its about all bloggers figuring out their OWN way making it virtually impossible for a bot to bot them all.

    Humans will always be able to help the bot but honestly in the time it takes for them to work with a bot… they can use an auto completer and just fill out the captchas themselfs.

    Reply  |  Quote
  10. astine UNITED STATES Mozilla Firefox Windows says:

    “but the point is that instead of just a stupid bot, now you have a bot and a human being working in unison.”

    It’s a concern, but a mechanical Turk will always have a cost overhead that a pure bot won’t be subject to. It needs enough to feed itself. So, there is definitely a limit on which targets can be attacked.

    Reply  |  Quote
  11. astine UNITED STATES Mozilla Firefox Windows says:

    addendum: A CAPTCHA is like one of those ‘club’ things you can put on your steering wheel.. Sure, even an idiot can circumvent it, but given the choice of a car with one and a car without, a thief will go for the car without. If you add a CAPTCHA to your blog, then a spammer has to decide whether it is worth the effort to crack it. It is with Gmail, but ye yolkle forum with a CAPTCHA is likely to fair better, especially when their are SOOO many others without one.

    Reply  |  Quote

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>