Matt Burgess’ October 2017 article in Wired, entitled “Captcha is dying. This is how it’s being reinvented for the AI age”, is worth reading. It is a high-level survey of the history and misadventures of the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that examines the broken aspect of each evolution of the bot detection test. The CAPTCHA seemed like a good idea at the time back in 2003 (though some patent filings date the concept to the late 1990s), but it quickly became one of the most despised ‘features’ of web sites like Ticketmaster and cellphone insurer Asurion. Ticketmaster gave CAPTCHA the heave-ho in 2013, and not a decade too soon, replacing it with other speed bumps. Burgess forgets to point out PWNtcha, the adversarial OCR system that has broken over thirty captcha schemes. Of course, why bother with OCR when you can get 1,000 captchas solved on demand by real humans for $1.00 US, using a system not unlike Mechanical Turk?
When researchers (Sivakorn et al.) turned Google’s own services against Google’s new and improved reCAPTCHA (because the old ones were broken) and showed it off at Black Hat Asia in 2016, everyone knew the end was near for the concept of Captcha. Now, the latest iteration of the evolutionary war against bots is to make things easy for bots and hard for people, so if you get it wrong, you must be a human. What’s wrong with that picture? Seems like an easy one to spoof. Just flip an unfair coin.
The upshot? Don’t bother with security solutions that rely on CAPTCHA. The mere use of CAPTCHA in a bot solution is an admission that the solution is not a solution. Magnus’ patented behaviorally-based active countermeasure actually works. All the time.
And The Red Queen? She was the villain in Lewis Carroll’s Alice in Wonderland, but in evolutionary biology circles she represents the driving force among competing species. She’s been generalized to arms races, and now seems apropos to describe the ‘evolution’ of bots versus web apps.