Archive for December, 2007

I’ll tell you what I think about HotCaptcha

Thursday, December 13th, 2007

I want to talk about a particular type of captcha that has earned my contempt on grounds of its utter perversion.

Of all the things I could be moved to rant about from this vantage point (truly, a pool of manifold things), it is not entirely clear to me why I want to talk about this one. Besides, there are enough ridiculous applications of Internet technologies to fill a respectable galaxy in and of themselves, let alone the other things that belong to the genus “ridiculous.”

But wait, that’s what they told me a blog was for! So folks can rant about everything from the texture of their navel hair to their pet hare, and stuff like that. Nothing will stand in the way of my quest to get what I paid for.

Yes, I too hear the bells of irony tolling, in light of the chosen theme of “ridiculous applications of Internet technologies.” It’s an “interesting twist!” Ba-da-dooom! Cue for laughter.

Perhaps it’s because I feel that it blasphemes upon what is otherwise an interesting concept from a theoretical point of view, as far as computer science, cognitive science and artificial intelligence are concerned. Let’s chalk it up to striking a disciplinary nerve.

First, a brief explanation[1] of what a “captcha” is for those in the audience who haven’t yet picked up this mission-critical, synergistic, high-ROI Web 2.0 cross-platform collaborative content blogosphere term.

You’ve probably run into situations filling out forms online, entering bank information, posting to blogs, signing up for new services, and so on, in which you are required to manually input a series of characters as they appear in an image. This is basically intended to either prevent spam or add an extra layer of security by authenticating that the user is in fact human, thwarting automated processes that can fill out forms mechanically and submit them via a “robotic” HTTP request.

Malicious spammers and fraudsters often use these types of scripts to automatically create thousands of accounts for a particular purpose (to use as spam reflectors?), initiate batched credit card transactions with stolen numbers from a hijacked host in a short time, etc, etc. Fill in the blanks here; I’m so benevolent that I’m obviously hurting for creativity in the area of e-malice. [spreads angel wings]

Among the reasons this technique works are:

  • The rendering of characters in an image as opposed to plain text makes it considerably harder to read the character stream; at the very least, it would require grabbing the image and running it through OCR (Optical Character Recognition)[2] software; all of which would have to somehow be worth the effort to defeat a particular captcha.
  • The image is typically complex. The alphabetical characters are usually distorted or warped somehow, or appear with the superimposition or overlay of polychromatic lines or complex visual patterns rather similar to anti-counterfeiting designs that are not easily reproducible in copying. Government treasuries use these types of patterns in their printing processes to confer distinction upon an official, treasury-backed currency note. In this case, this has the effect of confusing OCR software by making it problematic to discern an alphanumeric character from extraneous data.
  • Even if such schemes are theoretically defeasible in a programmatic way, the effort to defeat a particular captcha is absolutely not worth it in most cases. It would require very complicated image processing, and good captchas rotate the distortions employed. A spam or fraud effort would have to scale or pay very, very well to go through that kind of rigamarole.
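The post covers the image side of the scheme. The other half, which it takes for granted, is the server-side bookkeeping: the site has to remember what it showed, tie that to one form submission, and stop accepting the answer once it has been used or has gone stale. The following is an added example (not code from the post, from HotCaptcha or from any captcha module) of that bookkeeping in Python. It assumes the image renderer lives elsewhere and only receives the answer string; the alphabet, the two-minute lifetime and the three-attempt limit are constructed values chosen for illustration.

```python
"""Server-side challenge store for an image captcha (added example).

What the image hides from OCR is only useful if the server also:
  * keeps the expected answer out of the client's hands,
  * expires each challenge after a short time,
  * accepts a given challenge at most once, and
  * limits how many wrong guesses one challenge tolerates.
"""
import hashlib
import hmac
import secrets
import time

# Alphabet without the look-alike pairs 0/O and 1/I that humans misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_TTL = 120   # seconds a challenge stays valid (constructed value)
MAX_ATTEMPTS = 3      # wrong guesses allowed per challenge (constructed value)


class CaptchaStore:
    """Tracks outstanding challenges; rendering the image is assumed to
    happen elsewhere and is not part of this example."""

    def __init__(self, secret: bytes, ttl: int = CHALLENGE_TTL, clock=time.time):
        self._secret = secret
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        # token -> [answer_mac, issued_at, wrong_attempts]
        self._pending: dict[str, list] = {}

    def _mac(self, token: str, answer: str) -> bytes:
        # Keyed MAC rather than a plain hash: the answer space is tiny, so an
        # unkeyed digest of a leaked store could simply be brute-forced.
        msg = token.encode() + b"\0" + answer.strip().upper().encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, length: int = 6) -> tuple[str, str]:
        """Create a challenge. Returns (token, answer); the token goes into
        the form as a hidden field, the answer goes only to the renderer."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._pending[token] = [self._mac(token, answer), self._clock(), 0]
        return token, answer

    def verify(self, token: str, submitted: str) -> bool:
        """Check a submission. A challenge is consumed on success, on expiry,
        or once it has absorbed MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(token)
        if entry is None:
            return False                 # unknown, expired or already used
        expected_mac, issued_at, _ = entry
        if self._clock() - issued_at > self._ttl:
            del self._pending[token]
            return False
        if hmac.compare_digest(expected_mac, self._mac(token, submitted)):
            del self._pending[token]     # single use: no replay of a good answer
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[token]     # too many guesses: force a new image
        return False

    def purge_expired(self) -> int:
        """Drop stale entries so the store does not grow without bound."""
        now = self._clock()
        stale = [t for t, (_, issued, _) in self._pending.items()
                 if now - issued > self._ttl]
        for t in stale:
            del self._pending[t]
        return len(stale)


if __name__ == "__main__":
    store = CaptchaStore(secrets.token_bytes(32))
    token, answer = store.issue()
    print("challenge text to render:", answer)
    print("correct answer accepted:", store.verify(token, answer.lower()))
    print("same answer replayed:  ", store.verify(token, answer))
```

The comparison is case-insensitive and whitespace-tolerant because the distortions the post describes make case hard for a person to read; the strength of the check comes from the expiry and single-use rules, not from case sensitivity.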

That’s what a captcha is. In fact, many blogs have them to prevent comment spam. Numerous captcha modules are available for WordPress, as comment spam is a very common phenomenon due to the ubiquitous proliferation of WordPress installations.

Spammers have picked up on the fact that all WordPress form interfaces use the same basic form field ID keys and devised elaborate (ro)bot scripts that trawl the Internet in search of unsuspecting WordPress blogs and automatically post comments to them en masse.

If this blog becomes extensively linked on Google, where (ro)bot scripts can learn of the site URL, I very well may have to set one up for commenting as well, unfortunately. But we’ll tackle problems as they come - reactively, not proactively, otherwise I forfeit my admission to slacker heaven.

Anyway, of course folks quickly intuited that alphanumeric characters in captchas are a relatively weak way to approach this problem, or at the very least an uninteresting one. Instead, one could design something that places even more complex demands upon a machine, but which would be utterly trivial to human subjectivity, thus highlighting the distinction between the two more acutely.

For instance, one could generate a series of pictures of various animals, and entreat the user to select the kittens of the group. It’s been done.

It would be a very difficult feat of image processing to accurately detect whether a picture contains a kitten. Possible, for sure; in fact, many enterprise content filters used in school systems attempt to do this for porn[3]. But accurately? Worth the effort? Absolutely not.

In theory, the concept is an interesting one. If nothing else, it’s a succinct statement about a fundamental problem explored in artificial intelligence and cognitive science: how could one make a machine mimic the adaptive subjectivity of the human mind, even with respect to relatively elementary sensory phenomena? Is it even logically possible?

Rather fascinating to think about, although I don’t claim the scholarly credentials to offer anything particularly intelligent or conceptually robust.

And now, we come to HotCaptcha.com, a captcha implementation that relies on the user picking three attractive people of a given gender from a group. The language of its error messages suggests that if you fail to pick the correct “hot” people, you aren’t certifiably human: “Die, bot, die!”

From a technical point of view, it’s actually a rather commendable implementation. It is easy to insert into a web application. It pays excellent homage to what the Web 2.0 lexicon terms mashups by, well, using them. The images are actually syndicated from the swill known as HotOrNot.com and the evaluation is performed based on the three highest-“rated” pictures. It even claims to use a HotOrNot API to do this - good use of web services and libraries.

Yet something about this is very off-putting. I’m not entirely sure what it is.

I suppose I could furnish some rather basic anticipated objections, sound prudish as they might to some of you. The user can only pick pictures of people that they are socially expected to find “hot.” But aside from the obvious reasons why that’s ridiculous, I don’t exactly feel that some jugular vein of sexual politics has just been sliced open.

(I did learn, from trying “switch to men” — out of idle curiosity as to whether the bias toward “mass-culture endorsed attractiveness” was the same — that I was apparently a bot, because I appear not only to lack anything but the foggiest clue as to what it is that women find attractive about men, but — far more importantly for this exercise — to have no expectation whatsoever of what the “prescribed” social expectation of attractiveness is among the masses of plebeians submitting HotOrNot.com ratings. I imagine that’s a good thing from a heteronormative standpoint?)

But none of this cuts through to the essence of it.

I think if I had to pin it down to something, it’s probably some form of disgust that humans have once again managed to infuse - yea, pollute - yet another interesting and otherwise inertly formal innovation with sexual evocations, technology aiding and abetting.

At least the site acknowledges some form of that in its subtitle, “Using mashups to reach new heights (or new lows?) in security.”

Lows. Definitely new lows.

But then again, perhaps this objection is metaphysically problematic, rather as if I said that I suffer on behalf of the integrity of the concept of “comparisons” from the invention of beauty pageants.

That’s OK. If I wanted metaphysical coherence — or even to use the term “metaphysical” in a way that is truly correct — I wouldn’t have dropped out of the philosophy program.

You might say I ride the metaphysical short bus. These Presidium.org people are paying me by the word, so, garbage in -> garbage out as far as that goes.

[1] Those who know me will understandably chuckle at the suggestion of brevity in connection with any explanation I deliver. But little did you know, these Presidium.org people are paying me by the word.

[2] The sort of stuff used to automatically turn scanned documents from mere images to editable text by “reading” the printed characters from the raw image.

[3] And fail. The only ones reported to work, in my experience, fall back on some sort of flat blacklist in the end.

OpenSER 1.3: Should be interesting.

Wednesday, December 12th, 2007

Bogdan-Andrei Iancu says: “As scheduled, tomorrow will be the official release of OpenSER version 1.3.”

I’m pretty stoked. Every point release of OpenSER has brought with it new changes that make it ever more useful to me in my implementational work, additional useful modules, and other things that together conspire to make it a great SIP proxy.

Here is a pretty good rundown of the essential differences.

Incidentally, I am not the only one, after all, to have picked up on the fact that avp_db_query() - an obscure function implemented by the avpops module - may be the single most useful thing to have made its appearance in OpenSER in recent memory. Someone else has too.

Before avp_db_query(), for all the things one could do with OpenSER, direct interaction with an RDBMS via SQL and using the returned tuples in call processing logic was not one of them; the best one could do was use one of the existing database schemas, such as the table used for storing key/value pairs for avpops, or perhaps the lcr (Least Cost Routing) module. Incidentally, EVA (Evariste Voice Arbiter), the billing mediation platform, is built atop OpenSER and relies heavily on this database interface.

UPDATE 2007-12-13: Here are the complete 1.3 release notes.

Inaugural

Wednesday, December 12th, 2007

So, I’m going to give a whirl at starting a personal blog. It’s something I haven’t done since my trip to Europe in 2003, the impressions of which I meticulously documented from the computer lab at Universität Innsbruck on a homespun blog and content management system crafted largely for this purpose, which fell into neglect soon after my return.

Hand-crafted blog software. That was back in the halcyon high school days, when I had time for such things. I did, and still do, suffer from a bad case of Not Invented Here Syndrome.

Fear not, no such inventiveness here. The pragmatism of age and occupation has given way to WordPress not appearing to be the evil it once was, even if evil is the term you are moved to apply to the justice my slightly-customised template does to Web 2.0 aesthetics. That’s cool; if you want good web design, talk to this guy.

The main impetus for this is actually to disassociate some of my personal writings from the Evariste Systems Blog as I find increasingly that the topics I wish to write about do not comport neatly with the purpose of that blog, nor necessarily align with what I desire to be official positions of the company from a marketing and corporate identity management standpoint.

So, if you like, stick the RSS feed in your reader of choice.