[Dave Birch] You know those wobbly writing boxes that you have to read when responding to blog posts, signing up for Hotmail, that kind of thing? I’ve always found them really annoying, and so have hackers, spammers and various other ne’er-do-wells. As a consequence, there’s a substantial demand for software that can read the wobbly writing so that computers can pretend to be people…

 

All of these developments clearly indicate the demand and supply for CAPTCHA breaking services, as well as the potential for abusing the clean domain reputation of the most popular email providers whose continuous emphasis on usability, namely coming up with more user friendly CAPTCHAs, often results in the ease with which the process can be automated.

[From Microsoft’s CAPTCHA successfully broken | Zero Day | ZDNet.com]

But look at the second comment on the story, which makes a point that occurred to me as I was reading the story. I was thinking "hey, can I get some of that software to make life easier for me when I’m posting blog comments?". More than once I’ve had a quick thought while reading someone’s blog post, clicked on "comment", typed in a quick note and then given up when I’ve typed in the wobbly writing incorrectly a couple of times. As the commenter points out, if the cracking software can read the codes better than many people can, then there will be a demand for that software from people who want to use it for legitimate access!

And, by the way, if you authenticate yourself with OpenID, as I just did on Faster Future, why should you need to read the wobbly writing at all? Surely one of the most important attributes that OpenID could share is "is_a_real_person" or something similar.

You can’t help wondering if the "test" line of thinking isn’t going down a "Turing test" blind alley. As systems get smarter, it will become increasingly difficult to tell that they are systems by setting them challenges that are presumed to be too difficult for computers to meet, such as reading wobbly writing or playing chess.

The only way that a system will be able to tell whether it is being accessed by a person or by another system will be by seeing some form of secure credential to attest to the fact: I might set this blog, for example, to only accept 2FA OpenID logins, and only accept 2FA credentials issued by major banks, whose "know your customer" obligations presumably include determining whether the customer is a person or a bot.
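A sketch of the acceptance policy described above, added here as an illustration and not taken from the post or from any blog platform's code. It assumes the provider reports the second factor through the OpenID PAPE extension, that the OpenID library has already verified the assertion's signature, and that `openid.bank.example` stands in for a bank-run provider (a constructed host).

```python
from urllib.parse import urlsplit

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
# Hypothetical allow-list of bank-run OpenID providers (constructed host).
TRUSTED_OP_HOSTS = {"openid.bank.example"}

# Constructed sample of the openid.* fields in a positive assertion.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.bank.example/auth",
    "openid.claimed_id": "https://openid.bank.example/u/alice",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.signed": "op_endpoint,claimed_id,ns.pape,pape.auth_policies",
}


def accept_login(fields, signature_verified):
    """Return (accepted, reason) for an OpenID 2.0 positive assertion.

    `signature_verified` is the result of the OpenID library's own signature
    check, which is assumed to have run before this policy is applied.
    """
    if not signature_verified or fields.get("openid.mode") != "id_res":
        return False, "assertion not verified"
    # openid.signed lists the covered fields without the "openid." prefix.
    signed = {"openid." + n for n in fields.get("openid.signed", "").split(",")}
    if "openid.op_endpoint" not in signed:
        return False, "issuer not signed"
    url = urlsplit(fields.get("openid.op_endpoint", ""))
    if url.scheme != "https" or url.hostname not in TRUSTED_OP_HOSTS:
        return False, "issuer not trusted"
    # Extensions use a per-message alias; find the one bound to PAPE.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no authentication policy claim"
    key = f"openid.{alias}.auth_policies"
    # Fields outside the signature could have been added in transit.
    if key not in signed or f"openid.ns.{alias}" not in signed:
        return False, "policy claim not signed"
    if MULTI_FACTOR not in fields.get(key, "").split():
        return False, "second factor not asserted"
    return True, "ok"
```

The check that the policy fields appear in `openid.signed` is what keeps an unsigned "multi-factor" claim from being honoured.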

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

  1. I can never read the damn things… I think I have some kind of cognitive disorder (or hyper-order…). Maybe it should be added to those job interview psychological evaluations:
    – Do you work best in a structured or unstructured environment?
    – Are you comfortable with ambiguity?
    – Can you read those damn wobbly box thingies?
