Humans, Prove Yourselves

Google's CAPTCHA—a system to prevent spam bots from registering fake accounts—was recently compromised

Clear as Day

A selection of CAPTCHA tests from Google. You can read them all, right?

Google's CAPTCHA appears to have been cracked. On closer inspection, however, it seems Russian spammers have solicited humans to do the solving and to pass those accounts on to the computers. Websense Threat is reporting that one out of every five attacks of this kind on Google has been successful. Why is this an alarming development? Let's take a look at the CAPTCHA in order to understand.

Nearly everyone using a computer today has encountered a CAPTCHA. They're the strange-looking boxes of warped text on noisy backgrounds that you have to decipher in order to register for an online service or account. You type in the letters and the computer on the other end is convinced you're a person. They were developed to foil malicious spam software—called "bots"—from automatically signing up for email accounts and using those addresses to deliver the discounted prescription drug offers and stock tips we all know so well.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The Turing test is a well-known milestone in artificial intelligence developed by Alan Turing in the 1950s. In it, a human talks (via teletype) with another human and a computer which tries to appear human. If the computer fools the human into think it's a human, the computer has passed the test.

The CAPTCHA is akin to Turing in reverse, in which a computer is making the judgment. CAPTCHAs have worked exceptionally well from keeping computers from fooling other computers and thereby limiting spam. What happens, though, when humans are in collusion with the computers?

That's what appears to be the case with the Google spoofing. Spammers have turned to a live version of distributing computing, in which people are the ones sharing their processing downtime. Rarely is news about spammers' techniques good; they are usually a step ahead of everyone else. So far, Google is one of the few to keep pace. As someone who has abandoned many email accounts to an overwhelming deluge of junk mail, I certainly hope they can continue to keep up.