The Web can be a dangerous place. Attackers come at your sites constantly from all sides, wielding powerful weapons in attempts to degrade, defile, compromise, shut down, or simply take advantage of your Web presence. Site owners fight back with security patches, input validation checks, encryption, running with least privilege, reducing the possible attack surface, and a myriad of other secure coding techniques. But new attacks and new angles continue to proliferate, so the defenses must evolve as well.
One of the greatest tools in an attacker's arsenal is computing power. The speed at which a computer can send hundreds and thousands of requests to hundreds and thousands of sites is staggering. Often, this is used for attacks that in moderation might not be considered an attack at all. For example, Hotmail® provides free e-mail accounts to the general public. However, Hotmail® is not happy to provide thousands of accounts to an attacker looking to use the accounts to send boatloads of spam to unsuspecting users. The problem for Hotmail® and other sites in the same predicament is that it can be very hard to differentiate a browser controlled by a grandmother looking to open an account to correspond with her grandson, from an attacker with a custom application looking to automatically open multiple accounts to send that grandson e-mail of a different sort. A famous problem known as the Turing Test led to one solution.
In 1950, Alan Turing fundamentally changed the world of artificial intelligence by proposing what is now known as the Turing Test. Turing believed that man-made computers would one day have abilities and intelligence rivaling those of humans. After all, the human brain is a form of computer, albeit one based in biology rather than in silicon. Turing believed that asking whether computers can think is meaningless, and that the true test of intelligence is whether a human could differentiate an artificial intelligence developed by humans from an actual human.
To further his argument, Turing proposed the Turing Test. The Turing Test involves a scenario where a computer is placed in one room and a human contestant in another, both of which are separated from a third party. The third party is a human interrogator, who does not know which room contains the computer. This interrogator poses questions to both rooms through a text-based interface and receives answers from both the computer and the human contestant. When satisfied, the interrogator guesses which room contains the computer and which room contains the human contestant. If the interrogator is unable to come to the correct answer more than half the time, the computer passes the test and is considered as intelligent as the human contestant.
The Turing Test is based on the problem of a human differentiating between a computer and a human. In a sense, the Turing Test addresses the reverse of the problem described above: differentiating human-initiated requests from requests scripted by a program. This scenario has formally been named the Reverse Turing Test (RTT), although the term has also been used in some circumstances to describe a similar scenario but where both contestants attempt to be recognized as a computer.
One solution to the Reverse Turing Test is the CAPTCHA. CAPTCHAs, short for “Completely Automated Public Turing Tests to Tell Computers and Humans Apart,” are also known as Human Interactive Proofs (HIPs). A HIP is a puzzle that is easily solvable by a human but difficult for a computer. In essence, HIPs take advantage of the intelligence gap that exists between humans and computers. HIPs differ from the standard Turing Test in that they are “completely automated,” meaning that the questions or puzzles posed to the user come from a computer and are generated automatically. CAPTCHA-based systems are now in use all over the Web, from large Internet portals to smaller, individually run personal sites.
There are various types of HIP puzzles, typically presented to users as images. One popular type of HIP renders words in a distorted form, asking the user to enter the presented word. Another type of HIP displays one or more pictures of a familiar entity (such as a monkey), also distorted, asking the user to name the contents of the pictures.
When implemented properly, a HIP puzzle can prevent an automated script or a hacker from accessing services and resources that are meant for only humans to use, such as Web site account registration, e-mail, and chat rooms. However, as these resources become more valuable, the ability to solve HIPs automatically becomes more valuable too.
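The “completely automated” part of a HIP is the server logic that issues a puzzle and later checks the human's answer. The following is an added example (not code from the original article) of that issue-and-verify cycle using only the Python standard library; it assumes a separate, hypothetical rendering step turns the returned answer string into the distorted image, and it demonstrates the checks an implementation “done properly” needs: the answer never leaves the server, the token expires, and each token permits exactly one attempt, so a solved answer cannot be replayed by a script.

```python
import hashlib
import hmac
import secrets
import time

# Constructed alphabet: look-alike glyphs (0/O, 1/I) are dropped so a human
# reading a distorted image is not penalised for an ambiguous character.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _tag(server_key: bytes, nonce: str, expires: int, answer: str) -> str:
    """MAC binding nonce, expiry and the expected answer under the server key."""
    msg = f"{nonce}:{expires}:{answer}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def new_challenge(server_key: bytes, length: int = 6, ttl: int = 120, now=None):
    """Issue a HIP challenge: returns (answer, token).

    The answer is handed to the (hypothetical) image-distortion step; only the
    opaque token goes to the client, so the answer itself is never transmitted.
    """
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(8)
    expires = now + ttl
    token = f"{nonce}:{expires}:{_tag(server_key, nonce, expires, answer)}"
    return answer, token


def verify(server_key: bytes, token: str, typed: str, used_nonces: set, now=None) -> bool:
    """Check a submitted answer against its token; one attempt per token."""
    now = int(time.time()) if now is None else now
    try:
        nonce, expires_str, tag = token.split(":")
        expires = int(expires_str)
    except ValueError:
        return False                      # malformed token
    if now > expires or nonce in used_nonces:
        return False                      # expired, or already attempted
    # Consume the token before comparing: a wrong guess also burns it, which
    # stops a script from cycling through guesses against one challenge.
    used_nonces.add(nonce)
    expected = _tag(server_key, nonce, expires, typed.strip().upper())
    return hmac.compare_digest(expected, tag)   # constant-time comparison
```

The `used_nonces` set stands in for whatever shared store a real deployment would use; the important property is that a nonce is recorded before the answer is compared.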
A HIP that displays distorted characters can typically be solved by a computer in a two-step process. In the first step, the HIP image is segmented into its component characters. In the second step, the segmented characters may be analyzed using an optical character recognition (OCR) program to recognize the characters. The challenge for spammers is to collect a significant number of HIP samples and have the samples labeled by humans. Once the labeling is complete, it is possible for a software engineer to write a program that can learn how to segment the HIPs by using the labeled set as a training set.