Monday, June 11, 2007

The spammers are developing the next AI systems

From the New York Times
Captchas are the puzzles on many Web sites that present a string of distorted letters and numbers. These are supposed to be easy for people to read and retype, but hard for computer software to figure out.

Most major Internet companies use captchas to keep the automated programs of spammers from infiltrating their sites.

There is only one problem. As online mischief makers design better ways to circumvent or defeat captchas, Web companies are responding by making the puzzles more challenging to solve — even for people. …

“You can make a captcha absolutely undefeatable by computers, but at some point, you are turning this from a human reading test into an intelligence test and an acuity test,” said Michael Barrett, the chief information security officer at PayPal, a division of eBay. “We are clearly at the point where captchas have hit diminishing returns. …

The emergence of the technology started a wave of research into ways to make computers smart enough to crack the puzzles.

Yet some of that activity can be ethically murky. Aleksey Kolupaev, 25, works for an Internet company in Kiev, Ukraine, and in his spare time, with his friend Juriy Ogijenko, he develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.

Mr. Kolupaev said he had worked both for legitimate companies that want to test their own security and for spammers who seek to infiltrate Web sites.

“Nothing is unbreakable, and each system has its own weakness,” he said. “If you create a program that only recognizes one picture from a hundred, it’s not a problem. You just hit the site 100 times, and you break through.”

On his Web site,, Mr. Kolupaev boasts of cracking the captchas of companies like MySpace and PayPal; the site also ranks the effectiveness of each captcha. He says he believes that his work makes the Internet more secure because companies tend to improve the captchas that he critiques.

No comments: