Friday, September 14, 2007


As you may know, over the last several years, spammers have sought to post spam in blog comments, on web groups, web bulletin board forums, etc. Hackers and their worms do the same but post malware instead.

I'm sure you've seen CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart") on various websites. Typically it's that image of distorted letters that supposedly only humans can decode.

CAPTCHAs were a means of reducing the risk of spamming. I'm sure originally the idea was to have a silver bullet solution but whenever you pit humans against humans you end up with an arms race. So now we have spammers with software able to decode the more rudimentary CAPTCHAs. More sophisticated tests arise with letters too hard for some people to recognize and decipher.

Here's another alternative--kittens! The key is to make the test solely about doing something that computers are bad at doing but humans are good at doing. Computers are good at memorizing and doing things quickly so you have to prevent them from trying every combination and memorizing all the answers. Natural language, image recognition, letter recognition, facial recognition, all these things people do much better than computers even when spammers have thousands of compromised systems at their disposal. One has to be careful about implementation details (don't always use the same image name for the cute little calico or someone can just memorize which filenames correspond to kittens).

I wonder if we couldn't leverage quirks of the human brain instead. Like optical illusions. I'm not sure how you'd do this in a way that would lend itself to quick Q&A and prevent computers from just memorizing answers by rote. Make commenters play something like Brain Age. Or what if you find a way to ask questions that humans are very likely to get wrong but computers won't (like the second question of this series)? Even better if humans answer in unpredictably wrong ways or if a given question can be made to be unpredictable.

It all goes back to Alan Turing who imagined a test for artificial intelligence. Put a person, the judge, in a room and have them communicate in natural language with a computer and a person. If the judge can't tell the two apart with certainty the computer passes. Of course that test would take too long just to post a blog comment (and you'd have to repeat it every time you take a similarly protected action). That's why the shortcut methods above were developed. The biggest shortcut is that the judge is now a computer, a major flaw in the test (or does the judge simply have to act more human than the computer being tested?).

One major glitch in this whole scheme is the underlying assumption that spamming is done solely by computers. I read once that spammers have been known to actually hire people to thwart CAPTCHAs. So for that threat, we're out of luck. But the automated threat of bots and the like is still viable and widely used.

In security our goal isn't to solve problems once and for all (impossible since it is a human vs. human kind of problem), it's to raise the bar for the difficulty of the attack just enough to reduce the risk just enough that we can live with the remaining risk.

Sometimes it's also a question of being a little more secure than your peers. Do you ever park your nice car next to much nicer cars in a parking lot figuring if any get stolen it won't be yours?

Security is kind of like escaping a bear. You don't have to run faster than the bear, you just have to run faster than your friend.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.