Can you pass a Turing test?

The movie “Blade Runner” features a concept that’s well known in computer theory: a “Turing test”. Named after Alan Turing, this test is meant to determine whether you are speaking to a computer or to a human being. One such implementation that is widely used in the security world is CAPTCHA – Completely Automated Public Turing Test to Tell Computers and Humans Apart.

On the Internet, all the interfaces are computerized; when you buy a book from Amazon.com, it is really your browser (a computer program) that talks to a web server (a computer program). There is no way for Amazon.com to tell if you are a human being or just a computerized program for buying books online. That’s not a problem – as long as your credit card information checks out, Amazon would sell to you even if you were a dog. But think about services like free mail accounts (hotmail.com, Gmail and the like) – those are free accounts, but they are meant for humans, not machines.

Why do we discriminate against machines? Because spammers frequently use free accounts to send bulk mail automatically. Hotmail is willing to tolerate a human who opens a free mail account and sends out stupid things (at least they will see the ads), but if a machine opens an account to send spam, Hotmail has all the disadvantages (resource overhead, getting blacklisted, bad reputation) with none of the advantages (exposure to ads). So before giving you a free account, Hotmail would like to know that you’re human. This is done by a Turing test, but since we don’t have Rick Deckard’s apparatus we need to use a simplified version that looks like this:

[Image: Slashdot CAPTCHA]

These letters are (supposedly) easy to read by a human, since our brain can ‘wipe out’ the unnecessary lines and slightly rotate the image. Our brain knows that a ‘y’ rotated 20 degrees is still a ‘y’. For a machine, that’s a different thing altogether and most OCR attempts will fail. At least that’s the basic principle. For a while it seemed like a good idea, and was implemented by ‘talk back’ systems (to prevent “comment spam”) and by various free services that wanted to prevent abuse.

Then the AI systems for recognizing images got a little better. That’s ok, because CAPTCHA is a tunable system – you can make it more and more difficult, and the characters became more and more strange:

[Image: CFXCaptcha CAPTCHA]

Then something strange happened. It began to be difficult for humans to solve the Turing test:

[Image: Passport CAPTCHA]

Can you solve that? Possibly. But with effort, and without guarantee of getting it right. Currently, CAPTCHA decoders are getting so good they can sometimes solve CAPTCHAs humans have difficulties with. Couple that with the fact that it’s enough for most spammers to “sometimes” succeed in solving the CAPTCHA challenge, and you end up with a big headache for the blog owners trying to block comment spam.

So we have a system that tried to determine if you’re a human being; but not all humans “pass” the test, whereas sometimes machines are clever enough to pass it automatically. Not good. Makes me wonder if those machines dream of electric sheep :-)

The last nail in the CAPTCHA coffin was a clever technique used by spammers to break CAPTCHA: to actually use humans.
Apparently, spammers sent emails inviting people to claim a ‘free porn’ account. When you go to the web site to claim your free account, you are presented with a CAPTCHA challenge. What you are really doing is breaking a challenge the spammers got from yahoo.com (for example), and when you solve the challenge, the spammers pass the answer to yahoo.com to open the free account. All of this can be done automatically, and at the end you may even get to see some juicy pictures (your ‘payment’ for helping the spammer). This is a classic “man in the middle” attack that even the most sophisticated CAPTCHA system is vulnerable to.

Speaking of sophisticated CAPTCHA systems, an attempt to provide a better replacement is the use of slightly-altered animal pictures instead of words:

[Image: Cwazymail CAPTCHA]

That’s just silly, so I won’t even comment on it.

Interesting links about breaking CAPTCHAs:
PWNtcha – captcha decoder – includes nice examples of both ‘hard’ and ‘easy’ CAPTCHA.
Berkeley research on the subject
A proof of concept for breaking CAPTCHA to post comment spam
How I failed the Turing test – not exactly CAPTCHA related, but funny nevertheless.
