Wednesday, January 30, 2008

CAPTCHA Captured?

If you have ever purchased tickets online or even posted blog comments, then odds are that you have used CAPTCHA (tm Carnegie Mellon University) but did not know that the technology had a name or that a large NSA-funded project is behind it. CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" and is a challenge-response test used in computing to determine whether or not the user is human.

The most common type of CAPTCHA displays an image containing the distorted letters of a word or some sequence of letters and numbers. The user then needs to type the letters shown in the distorted image.

An alleged Russian security researcher announced the other week that his team has developed a system that correctly identifies the images from Yahoo's CAPTCHA system 35% of the time. Yahoo apparently confirmed that this was the case:

"We are aware of attempts being made toward automated solutions for CAPTCHA images and continue to work on improvements as well as other defenses." [InformationWeek]

This does raise the question of whether approaches that require human processing, such as 3D CAPTCHA, would be a better solution.

Lastly, some have wondered whether the 'researcher' could be in violation of the DMCA because they are circumventing security. As long as they continue to frame their discovery as 'research', they appear to be safe. The DMCA states:

"An exception for encryption research permits circumvention of access control measures, and the development of the technological means to do so, in order to identify flaws and vulnerabilities of encryption technologies."