Wednesday, August 24, 2005
Captcha Decoder
I just saw a Slashdot post on the PWNtcha Captcha Decoder and had to mention it. The author is not doing this to help spammers; he seems interested in proving how weak captchas are and showing what kinds of captchas are hard to beat. He has not yet decided whether to release the code, mentioning the full-disclosure debate as a reason he may eventually release it. Many people who push that idea say it is so the problem gets out, which then forces it to be solved. Others (such as many Slashdotters) just want to see how it works or have proof it really does work.
The problem is that Captchas are never going to be foolproof, and releasing code like this just makes spammers' jobs easier. I have no doubt spammers will eventually figure out how to do this themselves. But until that day comes (and it becomes widespread), Captchas are one of the more effective spam blockers. I don't really like them for many reasons, but I have to admit they are very helpful in preventing most modern bots.
Similar work has been done at UC Berkeley and in another program called aiCaptcha. Neither of them is releasing their code, thankfully.
I do think his work on breaking Captchas is good. By learning how to break Captchas before the spammers do and documenting it, hopefully they can be made harder to break. Just as long as they don't help the spammers by actually giving them the code.