Seen any good ‘captchas’ lately?

Despite the early successes of captchas, many academic researchers are itching to crack the technologies they use.

Jul 1st, 2009
Th Jbairstowblue

Despite the early successes of captchas, many academic researchers are itching to crack the technologies they use.

By Jeff Bairstow

Every so often, a useful new word crops up in the science and technology lexicon that bears much closer examination. So it is with the acronym “captcha.” Just in case you haven’t figured them out, captchas are most commonly those annoying collections of drunken letters and slithering numbers that you have to type correctly before the digital gods will admit you to their inner sanctums.

It turns out that these little devils aren’t exactly new, either. Back in the year 2000, a group of researchers at Carnegie Mellon University developed these gadgets to prevent “bots” from wreaking havoc on web systems such as search engines. The name, “CAPTCHA” is a rather awkwardly contrived coinage, being an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” But, you knew that, didn’t you?

Alan Turing was a brilliant British mathematician who aided military intelligence in cracking and developing top-secret codes during World War II. But Turing is largely remembered for his work in artificial intelligence, notably the concept of a test (the Turing Test) that could distinguish between a user and a machine. You can find much more about the Turing Test in Wikipedia.

So a captcha uses a reverse Turing Test that can tell whether a person or an automated bot is trying to access a multi-user system. (The architects of captchas seem to prefer the all-caps version in text—I do not. Indeed, the developers tried to get a trademark on the all-caps version, but failed.)

Captchas are widely used by e-mail systems, such as Yahoo and Google, by reservation systems, such as TicketMaster, and by social networking systems, such as Facebook and Twitter. Despite the early successes of captchas, many academic researchers are itching to crack the technologies they use. And, naturally, the major commercial spammers are also hard at work finding ways to defeat the latest captchas. There is even an automated recognition program that has successfully broken Yahoo’s captcha (called “EZ-Gimpy”).

The squiggly letters and squashed numbers type of captcha may soon be replaced by an image-recognition alternative. Such systems might ask the user for the correct orientation of a photo of, say, a parrot pictured upside-down against a very colorful background. Such a task is simple for a human but difficult for a machine. One major advantage of image recognition is that a relatively small number of images are required. Nonetheless, code-breakers can collect the images as they are proffered by the system. They can then build a database of images that can be broken relatively easily by human observers.

But wait! There’s more to come. The latest researcher ruse is a website called that is subtitled “Play Games that Computers Cannot Play.” The concept is to use addictive and adaptive games that will help computers to think more like humans. You’ll need a partner to play one of these games so there’s no chance of one of them replacing solitaire as the most popular lap-top time-waster of all time.

The brains behind much of this captcha development are the members of a team headed by Luis van Ahn, a post-doc at the CMU Center for ALgorithm ADaptation, Dissemination and INtegration (Aladdin). Clearly Luis is a man with a penchant for both crafty acronyms and rugged algorithms. But even the most tightly written algorithms will eventually give way under a mass attack.

Take the case of online polls; in 1999, the consumer magazine Outdoors asked readers to vote for the best graduate computer school. MIT students figured out a way to stuff the ballot boxes and ended up with 21,156 votes. In the meantime, CMU also did some ballot-box stuffing and ended up with 21,032 votes. The remaining schools on the list scored less than 1,000 votes!

Clearly most online polls continue to be vulnerable to bot attacks. Indeed I, for one, remain skeptical about any electronic form of voting. In my view, the code makers are likely to stay only one short step ahead of the code breakers.

Click here to enlarge image

Jeffrey Bairstow
Contributing Editor

More in Research