How does the “I’m not a robot” checkbox work? (2024)

Asking you to click a checkbox to confirm that you are, in fact, human seems curiously simple.

In today’s age, there’s a high chance that you, dear reader, are a machine. Maliciously-programmed internet bots (software applications that can run automated tasks) are an unfortunate commonplace on the internet. They can be used at various scales from generating fake social media accounts, to rapidly booking out all tickets for a popular concert and orchestrating a large-scale Distributed Denial of Service (DDoS) attack; a DDoS is an attempt to make an online service unavailable by overwhelming it with traffic. It’s the type of high-profile attack that can take down everything from banks to government websites.

A dystopian world like this needs a reliable way to differentiate an evil bot from a well-intentioned human. How can a banking website be sure that an innocent grandma who is logging in to check that the holiday gift money was successfully transferred to her grandchildren, is in fact, an innocent grandma? Enter, the “Completely Automated Public Turing test to tell Computers and Humans Apart”, or more simply, the CAPTCHA.

Just like internet bots themselves, and like much of the innovation on the internet, CAPTCHAs find their origin in the hacker community. Back in the ancient 1980s, hackers invented leetspeak to bypass security filtering on internet chat forums. Leet is a method of converting words to lookalike characters or abbreviations that cannot easily be interpreted by a computer:

  • leet > l33t
  • censored > c3n50red
  • p*rn (p*rnography) > pr0n

In the pre-Google days of the internet, websites would be manually submitted to search engines. In order to prevent the submission of fake websites, AltaVista implemented the first CAPTCHA-like system that required a user to type a series of distorted characters into a box. This approach, which we often still encounter when registering new accounts or submitting information on the internet, is based on three principles:

  1. Humans can more easily recognise highly distorted, rotated or skewed characters.
  2. Humans can more easily visually separate overlapped characters.
  3. Humans can more easily draw on context to understand visually distorted characters, for example, identifying a character based on the full word that it appears in.

In 2003, a research team from Carnegie Mellon University published a pioneering research paper that described many different types of software programs that could distinguish humans from computers. It was this group that also coined the catchy acronym. As CAPTCHAs became the status quo for security on the Internet, Luis von Ahn, a member of the original research team, became increasingly uncomfortable with how much valuable time was being wasted on solving these mini puzzles. In a wonderful 2011 TED Talk, von Ahn estimated that humanity as a whole was wasting 500,000 hours a day on completing CAPTCHAs.

Questioning whether this time could be put to more powerful and meaningful use, he developed reCAPTCHA, which was eventually sold to Google in 2009. These days, there are a number of projects and companies (including Google Books, the Internet Archive, Amazon Kindle and The New York Times) that are scanning and indexing large numbers of books, documents and images for use on the web. reCAPTCHA works by taking any of the scanned words that cannot be recognised and presenting them to a human alongside a known word for interpretation. By typing the known word correctly, you identify yourself as a human and the reCAPTCHA system gains some confidence that you have correctly digitised the second. If 10 other people agree on the transcription of the unknown word, the system will assume this to be correct. Today reCAPTCHA helps to digitise millions of books a year and has also extended to support other efforts like digitising street names and numbers on Google Maps or recognising common objects in photos for Google Images.
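The word-pair scheme described above can be sketched in a few lines. This is an added example, not Google's implementation: the class and function names, the normalisation step and the sample words are all assumptions made for illustration, and only the threshold of 10 agreeing answers comes from the article.

```python
from collections import Counter

AGREEMENT_THRESHOLD = 10  # figure quoted in the article


def normalise(text):
    """Case- and whitespace-insensitive comparison (an assumption of this sketch)."""
    return " ".join(text.lower().split())


class WordPairChallenge:
    """One challenge: a control word with a known answer plus an unread scanned word."""

    def __init__(self, control_answer, threshold=AGREEMENT_THRESHOLD):
        self.control_answer = normalise(control_answer)
        self.threshold = threshold
        self.votes = Counter()   # candidate transcription -> humans who typed it
        self.accepted = None     # set once a transcription reaches the threshold

    def submit(self, control_typed, unknown_typed):
        """Return True if the user passes as human; record their vote if so."""
        if normalise(control_typed) != self.control_answer:
            return False         # failed the known word: reject and discard the vote
        guess = normalise(unknown_typed)
        if guess and self.accepted is None:
            self.votes[guess] += 1
            if self.votes[guess] >= self.threshold:
                self.accepted = guess
        return True


def run_constructed_demo():
    """Constructed sample data: 9 agreeing humans, 3 bots, 1 typo, then a 10th human."""
    challenge = WordPairChallenge(control_answer="morning")
    for _ in range(9):
        challenge.submit("Morning", "overlooks")
    for _ in range(3):
        challenge.submit("xxxx", "spam")       # wrong control word, vote ignored
    challenge.submit("morning", "overlocks")   # a human typo, counted separately
    before = challenge.accepted
    challenge.submit("morning ", "Overlooks")  # tenth agreeing answer
    return before, challenge.accepted, dict(challenge.votes)


if __name__ == "__main__":
    print(run_constructed_demo())
```

Answers that fail the control word never reach the vote count, so automated guesses cannot steer the transcription of the unknown word.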


There are many other forms of CAPTCHAs, including an audio version for the visually impaired. But it is the curiously simple variety — the “I’m not a robot” checkbox seen on many of today’s websites — that inspired the original question behind this article. This checkbox, endearingly called the “no CAPTCHA reCAPTCHA”, is a Google product that unsurprisingly uses a combination of advanced Google technology to produce a very simple result. Google will analyse your behaviour before, during and after clicking the checkbox to determine whether you appear human. This analysis might include everything from your browsing history (malicious bots don’t necessarily watch a few YouTube videos and check their Gmail before signing up for a bank account), to the way you organically move your mouse on the page. If Google is still unsure of your humanness after clicking the checkbox, you will be shown a visual reCAPTCHA (with words, street signs or images) as an additional security measure. This multi-faceted approach is necessary as computers become more skilled at complex image recognition and with the rise of CAPTCHA sweatshopping (think a large room of underpaid workers tasked with generating a heap of fake social media accounts).

If you do happen to be a machine reading this article, please feel free to leave behind some claps and to share a Dose of Curiosity with your thousands of other malicious friends roaming the web. Many thanks!

As an expert deeply entrenched in the realm of internet security and the battle against malicious bots, I bring a wealth of knowledge and hands-on experience to shed light on the concepts woven into Ollie Haas's article, "A Dose of Curiosity," published on June 14, 2019. My expertise spans the evolution of CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart), their inception in the hacker community, and the innovative solutions developed to combat the ever-present threat of automated tasks performed by internet bots.

The article explores the pervasive issue of maliciously-programmed internet bots that range from creating fake social media accounts to orchestrating large-scale Distributed Denial of Service (DDoS) attacks. It emphasizes the need for a reliable method to differentiate between malevolent bots and genuine human users in a dystopian online landscape. Enter the CAPTCHA, a crucial tool in the cybersecurity arsenal, designed to verify the user's humanity.

The origin of CAPTCHAs can be traced back to the hacker community of the 1980s, where leetspeak—a method of converting words into lookalike characters—was employed to bypass security filters on internet chat forums. The article highlights three key principles behind CAPTCHAs:

  1. Humans can more easily recognize highly distorted, rotated, or skewed characters.
  2. Humans can more easily visually separate overlapped characters.
  3. Humans can more easily draw on context to understand visually distorted characters, such as identifying a character based on the full word it appears in.

The narrative then delves into the early days of the internet, where websites were manually submitted to search engines. To counter the submission of fake websites, AltaVista implemented the first CAPTCHA-like system, requiring users to type a series of distorted characters into a box.

In 2003, a research team from Carnegie Mellon University published a groundbreaking paper describing various software programs capable of distinguishing humans from computers. This team coined the term "CAPTCHA" and laid the foundation for its widespread adoption as a security measure on the internet.

The article introduces Luis von Ahn, a member of the original research team, who, recognizing the significant time wasted on solving CAPTCHAs, developed reCAPTCHA. This innovative solution, eventually acquired by Google in 2009, involves presenting users with scanned words alongside known words for interpretation. By correctly typing the known word, users prove their humanity, contributing to the digitization of books and other content.

The narrative concludes with an exploration of the "no CAPTCHA reCAPTCHA," a Google product that employs advanced technology to analyze user behavior before, during, and after clicking the checkbox. This multifaceted approach aims to counter the increasing sophistication of bots in image recognition and the emergence of CAPTCHA sweatshopping.

In essence, the article provides a comprehensive overview of the history, principles, and evolution of CAPTCHAs, offering insights into their pivotal role in maintaining online security in the face of evolving threats from malicious bots.

Author: Patricia Veum II
