Wednesday, December 3, 2008

Metadata - An Invisible CAPTCHA

TECHNOLOGY : Metadata - An Invisible CAPTCHA

Soon you may not need to squint at distorted letters to prove your humanity.

Andy Greenberg,

Nov 25 2008


Sanjay Sehgal thinks the average CAPTCHA, that collection of deformed characters that Web sites ask users to type out when registering for an account, is both too easy and too demanding. The image tests designed to weed out spam-spewing bots often annoy real people--and rarely keep out determined spammers.

The company Sehgal founded a year ago, Pramana, takes a different approach. Instead of submitting users to a test, the Atlanta-based company's technology plugs into Web sites and invisibly analyzes users' online behavior to determine who's a human and who's a bot. "We don't demand that users prove they're human," Sehgal says. "We simply watch them and decide for ourselves."

Pramana, which means "proof of reality" in Hindi, is currently in "stealth" mode, and won't reveal much about its customers or just how it works. The company isn't just media-shy--it also wants to prevent bot creators from figuring out how to evade its analysis.

David Dagon, a professor of cybersecurity at Georgia Tech who's familiar with Pramana, hints that the technology may involve tracking mouse movements for signs of human timing. Another key element to Pramana's approach is secretly cycling through changes in the criteria to keep spammers from cracking the code.

Those tactics might not stop spammers altogether, Dagon says, but they could make Web services much harder to access with automated software. "If we can shorten the cycle so that new kinds of measurement can be pushed out rapidly to many sites, the period of time when the CAPTCHA is broken by miscreants shrinks," he says. "We need to reduce the shadows in which malicious software thrives."

Pramana, like any CAPTCHA, will likely remain vulnerable to teams of humans paid small amounts to crack the tests. But Sehgal points out that his approach could make that business less profitable.

In traditional CAPTCHA situations, a spammer only needs a human to participate in one step of the account registration process: answering a CAPTCHA's questions. But with Pramana's system in place, spammers would have to pay humans to complete every element of the registration--if a bot took over at any point, the spammer would be revealed.

Detecting all automated behavior could force spammers to replace cheap software with relatively expensive humans. And that, after all, is just what CAPTCHAs are meant to achieve.

No comments:

This Day in History

Thanks for your Visit