On CAPTCHAs
RSnake has a post on Google’s new image orientation test to detect humans (or computers, depending on your point of view), and quite correctly he points out that it is simply a probability game to break it. When it comes down to it, I don’t think we can definitively tell a computer and human apart with a specific cognition test, as it is just a matter of time before computational power and algorithmic cleverness solve that cognitive test. However, I also believe we are thinking about CAPTCHAs the wrong way: we shouldn’t try to identify an automated script but rather we should make it too expensive for the script to be practical. Encryption can be broken with sufficient time; it is technically possible to just brute force AES 256, but this doesn’t deter its use. We know its problem space and work factor are sufficiently large to make brute forcing computationally impractical even if technically possible. The same principles should apply to the design of a CAPTCHA test, though it has many more constraining factors (it must be complex and hard for a computer, but easy for a human, and take into account human disabilities, etc.).
So when new CAPTCHA techniques come out we shouldn’t immediately lambast them simply because they don’t provide the definitive test to distinguish a computer adversary, but should instead ask whether they sufficiently increase the work factor. If they do, the spammers and other folks are going to opt to exploit a competing service with a lower work factor, because it will increase their throughput and arguably make them more money. In the specific instance of Google’s new proposal it would seem to reduce the work factor if one were simply guessing, since the chances of guessing the image orientation are much higher than those of guessing a random 8-digit alphanumeric string; however, with the advances in OCR techniques most alphanumeric CAPTCHAs are being analyzed rather than guessed (the success rate seems to change daily, so I don’t know how that compares to guessing the image). The real question is whether it is easier, faster, and more reliable to analyze the images and determine which way is upright, and I think that is entirely dependent on the images chosen as well as whether a correctly oriented comparison image can be obtained (which would make the analysis pretty easy) or if it had to be algorithmically determined without comparison (which may be hard). In the examples given, I think the gum ball machine and guitar are poor choices for images, since there is an easy linear line that can be used to determine orientation, probably with slightly better than 25% accuracy, since the line will either point up, down, left, or right, and the “weight” or proportions would allow for an educated guess on whether vertical or horizontal orientation is more likely. The more complex the picture, with fewer clues towards orientation, the better.
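To put numbers on the work-factor comparison above, here is an added example (not part of the original post) for sizing a CAPTCHA's guess resistance. It assumes four possible orientations, per the 25% figure, and a 36-character case-insensitive alphabet for the 8-character string; the analysis success rates and per-attempt costs are constructed placeholders, not measurements.

```python
# Added example: work-factor arithmetic for CAPTCHA design (defender's sizing aid).
ORIENTATIONS = 4       # assumption: up/down/left/right, i.e. 25% per blind guess
TEXT_SPACE = 36 ** 8   # assumption: 8 characters drawn from a-z and 0-9

def expected_attempts(p_success: float) -> float:
    """Mean number of tries until the first success (geometric distribution)."""
    return 1.0 / p_success

def success_within(p_success: float, attempts: int) -> float:
    """Chance of at least one solve when a client is capped at `attempts` tries."""
    return 1.0 - (1.0 - p_success) ** attempts

def rounds_to_match(choices: int, target_space: int) -> int:
    """Independent images per challenge needed before the blind-guess space
    reaches `target_space`. Integer math avoids log() rounding errors."""
    rounds, space = 0, 1
    while space < target_space:
        space *= choices
        rounds += 1
    return rounds

def cheapest_strategy(strategies: dict) -> tuple:
    """strategies maps name -> (success probability, cost per attempt).
    The expected cost per solved challenge of the cheapest strategy is the
    CAPTCHA's real work factor, whatever the other strategies cost."""
    costs = {name: cost / p for name, (p, cost) in strategies.items()}
    best = min(costs, key=costs.get)
    return best, costs[best]

# Constructed inputs: costs are arbitrary units, analysis accuracies are made up.
IMAGE_STRATEGIES = {"blind guess": (1 / ORIENTATIONS, 1.0),
                    "image analysis": (0.30, 50.0)}
TEXT_STRATEGIES = {"blind guess": (1 / TEXT_SPACE, 1.0),
                   "OCR analysis": (0.20, 50.0)}

if __name__ == "__main__":
    print("images needed to match text guess space:",
          rounds_to_match(ORIENTATIONS, TEXT_SPACE))
    print("one image, 3 tries allowed:", success_within(1 / ORIENTATIONS, 3))
    print("image CAPTCHA work factor:", cheapest_strategy(IMAGE_STRATEGIES))
    print("text CAPTCHA work factor:", cheapest_strategy(TEXT_STRATEGIES))
```

With these placeholder numbers, guessing sets the work factor of a single orientation image, while analysis sets it for the text CAPTCHA, which is why the analysis accuracy is the figure that matters once the guess space is large enough.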
Personally, though, I like the MSR pet finder CAPTCHA. It may be easier to break, but I think it serves a noble secondary purpose.
~ Joshbw