
CAPTCHA is Dead, Long Live PAPTCHA?

Slashdot today carries a link to a story claiming that the CAPTCHA algorithm for Hotmail (or Windows Live Hotmail or whatever it’s called now) has been defeated by a spambot and the exploits have started.  So that’s Gmail, Yahoo Mail, and now Hotmail.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a great idea, but if it doesn’t work, then it doesn’t work.

CAPTCHAs were developed to tell humans apart from software.  They’re essentially a Turing Test across a very limited domain, and because of the limited domain, they’re much easier to attack.  In the case of a standard warped-text CAPTCHA, the attacker knows that the challenge will be an image with a certain number of letters and/or numbers, and that it will be warped in one or more ways.  The software can be written with this in mind.  Additionally, even if there is only a minuscule success rate, it’s often worthwhile for a spammer, particularly if attempts can be automated and run several times a second.

So what’s the solution?

Slashdot made a tongue-in-cheek reference to Kitten Auth, suggested in 2006.  It may have been a playful suggestion, but I think they’re on the right track.  Kitten Auth basically presents the user with a number of pictures of cute fluffy animals, and tells the user to select all the kittens.  The premise is the same as the text-based CAPTCHAs - easy for humans, hard for computers - but it doesn’t use text, making OCR useless.

Something like Kitten Auth could work as long as there’s no predictability.  If the same images are repeatedly used, a brute force attack would work.  If you needed to select three kittens out of nine pictures, all you need is one random success and bam, you have copies of three images that are kittens.  Given enough time, the software could learn enough images to be viable as a solution.

Alternatively, if OCR can be trained to learn letters and numbers that are very warped and modified, then why not pictures of kittens?  It’s harder, sure, but if we mere mortals can tell a kitten apart from a possum, then why not a computer? These spammers and malware authors are pretty determined you know.

So what else?

Maybe the problem with CAPTCHAs is the “CA” part.  Completely Automated.  What about PAPTCHA? Partially Automated. Sure, it ruins the contrived acronym, but it might be more effective.

Arguably, Kitten Auth is already a PAPTCHA.  The pictures of kittens can’t really be completely automated unless there are 3D models of kittens rendered from different angles with different lighting each time… hmm… that’s an idea… but I digress.

If Microsoft and Google and Yahoo were to put some effort into changing their “PTCHA” regularly, by real people, maybe there’s a solution.

Here’s how it could work:

  • Twenty people, armed with cameras, walk the streets for a few hours taking photos of random objects or scenery.
  • They get back to the office and upload the photos to today’s collection.
  • They link each photo to some standard questions (e.g. “what is the main object in this photo?”) and provide acceptable responses.
  • They provide additional specific questions for each photo (e.g. “How many white horses are there in the field?”) and provide acceptable responses.
  • One or more other staff members look at the photo and each question for quality control.  They can add more acceptable answers, remove them, or reject photos or questions outright.
  • Photos are retired after a time to prevent them being learned.

As a very rough estimate, I’d expect that a person would be able to add at least fifty photos with ten questions each every day.  With 20 people, that equals 10,000 new PTCHAs every day - 50,000 per working week. Surely that’d be enough.  Is 20 people too many?  Even with five people you’d have 12,500 new challenges every week.  If you expire the questions after a month, you’d still have an incredibly large number to choose from.

Current CAPTCHAs effectively have an infinite number of possibilities, however they’re still in a narrow domain.  By expanding the domain to include any question about any photo, there’s no pattern to learn - no possible algorithm to solve the problem.

Is it foolproof?  Definitely not.  However, I’d suggest that implemented properly (and that means a lot of QA), it would be a lot harder to break than current CAPTCHA methods.

There could be a business in this you know… I’d be interested to know what you think!

Damo

Edit: I’ve been having a discussion with a friend of mine who has outlined exactly why 50,000 new challenges per week is not enough.  In short, if x people are creating these challenges, then some fraction of x can be employed to decipher them (answering is quicker than asking).  The answers get added to a massive database along with copies of the images, and there’ll be enough solutions saved to give some malicious code a decent success rate.  If the image and question match one in the database, then the answer will be there.

Repetition of challenges is therefore a significant problem.  A challenge that presents an “image and question” that is repeated every 200,000 requests (4 weeks of 50,000 per week) is far too repetitive.  If the malicious code runs one request every fifteen minutes on 1,000 nodes, you’d have seen every challenge in just over 2 days.
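The repetition arithmetic above, worked through as an added example that is not part of the original post. It assumes the server picks challenges uniformly at random from a fixed pool (the post does not say how challenges are served) and uses the post's figures of 200,000 challenges and 1,000 nodes at one request every fifteen minutes; the function names are illustrative.

```python
import math


def requests_per_day(nodes, minutes_between_requests):
    """Challenges requested per day by `nodes` clients at a fixed interval."""
    return nodes * (24 * 60 / minutes_between_requests)


def fraction_seen(pool_size, draws):
    """Expected share of the pool served at least once after `draws`
    uniform random selections (sampling with replacement)."""
    return -math.expm1(draws * math.log1p(-1.0 / pool_size))


def days_to_coverage(pool_size, per_day, coverage):
    """Days of requests until the expected share seen reaches `coverage`."""
    if not 0.0 < coverage < 1.0:
        raise ValueError("coverage must be strictly between 0 and 1")
    draws = math.log1p(-coverage) / math.log1p(-1.0 / pool_size)
    return draws / per_day


def pool_needed(per_day, lifetime_days, max_coverage):
    """Smallest pool whose expected share seen stays at or below
    `max_coverage` for the whole `lifetime_days` before retirement."""
    if not 0.0 < max_coverage < 1.0:
        raise ValueError("max_coverage must be strictly between 0 and 1")
    draws = per_day * lifetime_days
    # Solve 1 - (1 - 1/N)**draws = max_coverage for N.
    return math.ceil(1.0 / -math.expm1(math.log1p(-max_coverage) / draws))


if __name__ == "__main__":
    POOL = 200_000                       # 4 weeks of 50,000 per week (from the post)
    RATE = requests_per_day(1_000, 15)   # 1,000 nodes, one request per 15 minutes

    print(f"requests per day: {RATE:,.0f}")
    print(f"no-repeat lower bound: {POOL / RATE:.2f} days")
    print(f"share seen after that many requests: {fraction_seen(POOL, POOL):.1%}")
    for target in (0.5, 0.95):
        days = days_to_coverage(POOL, RATE, target)
        print(f"{target:.0%} of pool seen after {days:.2f} days")
    # Sizing question for the defender: how big must the pool be for a
    # 28-day retirement window if at most 5% may have been seen?
    print(f"pool for 28 days at <=5% seen: {pool_needed(RATE, 28, 0.05):,}")
```

With random serving, the "just over 2 days" figure is the point at which roughly 63% of the pool has been seen, and half the pool is covered in about a day and a half, well inside the one-month retirement window.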

So to overcome this, here are some ideas:

  • Use existing CAPTCHA technology such as warping the question text and putting it directly on the photo in a semi-random place.  You’d get no exact repeats.  The obvious problem is that this may still allow a malicious program to recognise sections of the photo that haven’t been altered.  With every photo and answer saved, there’s still a one in ten chance (given 10 questions per photo) of getting the question right.  Very unacceptable.
  • Warp not only the text, but the image as well.  Obviously it’d still need to be recognisable, so overlaying a random, semitransparent pattern or something might be all you could do.  It might be enough to slow down matching of the image though.
  • Include a bevy of questions that bear no relation to the image.  These could be added to any of the images.  For example, you could have a picture of a field of horses which renders with the question, “How many legs are most people born with?”

So now I have a system where a modified image is rendered with an overlaid warped-text question which may or may not have anything to do with the image.

Of course all I’m really doing is adding complexity, but as long as it’s complex enough to withstand attacks for the length of time it’s used (one month in my example), it should work.

My other suggestion, the CG kittens, got more interest.  In this case, there would be essentially no repeated images.  You’d probably only need a handful of animal models with a few variables set at random to make it feasible.  Perhaps fur colour, lighting, camera position, and some posture or face variables.

Teach your staff about BCC

Every now and then I’ll get an email from someone that’s been addressed to a number of people. I can tell how many and who they are because all of our email addresses are listed in the “To:” header. My email address has been sent to a list of people I don’t know.

There are a couple of reasons I don’t want my email address broadcast to the world.

Spam et al.

I often don’t know many of the other people on the list, and more to the point, I don’t know anything about their computers. It’s possible, probably likely, that in an email addressed to 20 people, at least one of them has a fairly insecure computer and probably has at least one virus or a trojan. When the insecure computer receives the email, my email address is going to be visible to this malware.

In short, I can have the best and most robust security on my computer, and I can ensure my email address is never published on the web, but all of this is useless if a single person sends my email address to a compromised machine.

Email addresses can be personal

I may be in the minority here, but I maintain a large number of email addresses. Having my own domains means that I can set up separate email addresses for job applications, friends and family, work, web enquiries, and so on. Right now, off the top of my head, I can think of about twenty email addresses that I use regularly. Most are simply forwarders, but they allow me to categorise incoming emails efficiently.

The other thing this lets me do is control communication. If I am wary about giving a company or a person my email address, I’ll create a new one. If I start getting emails I don’t want, or if for some reason I don’t want them to contact me any more, I can delete the email address.

Now you can see the dilemma. If I’ve given a particular email address to one company and they broadcast it to other people in a group email, I lose control.

Easily Fixed

If you’re reading this blog, I’d be surprised if you didn’t know about BCC, but I’ll summarise just in case.

When sending an email, you can put recipients’ email addresses into the “To:” field, the “CC:” field, or the “BCC:” field. “To:” and “CC:” behave the same, but “CC:” indicates that the person is being given a “carbon copy” - a legacy name from the paper days.

“BCC:” stands for “blind carbon copy”. These people will still receive the email, but the email addresses in this section will not be included in the header. They will be kept private.

The problem of sending everyone’s email addresses out with the email is obviously easily fixed. Just put all the email addresses in the “BCC:” section. For emails amongst groups of friends and family, it’s often not a big deal, but in business it’s frankly unprofessional.

Design flaw

People still don’t know about BCC. I sometimes feel compelled to educate the sender of a group email about BCC and the usual response is surprise. They usually aren’t even aware of this function.

I think the problem is deeper than just a lack of education. There are fundamental design flaws here. Now, email is old - Wikipedia claims that it’s been around since about 1965. So I’m not going to suggest any fundamental technical changes. Such changes would be infeasible in a system that a) works, and b) is older than the Internet.

A significant part of the problem is that it’s called “BCC”. What the hell does that mean to the average person? Even expanding it to “blind carbon copy” doesn’t really help - it doesn’t describe its behaviour.

“Carbon copy” is relatively easy to understand. It’s at least reasonably clear that the people in this section will be getting a “copy” of the email - it’s not directly addressed to them, but they’ll see it anyway. But what does “blind” mean? That it will be invisible? It’ll be transmitted in Braille? People won’t know what BCC does until they’re told.

The other problem I can see is that “BCC:” isn’t presented as a default field in many email clients. The main email clients I use are Outlook and Gmail. In both cases, “BCC:” must be explicitly turned on.

Solutions

  1. Change the name.
    “BCC” doesn’t mean anything - even when it’s expanded to “blind carbon copy” it doesn’t mean anything.
    Obviously, this change can’t be fundamental, but it can be cosmetic. If an email client changed “BCC:” to “Discreetly To:” or something similar, it might help with people’s understanding.
  2. Change the behaviour.
    In an office environment, group emails to external domains should, by default, include everyone in the “BCC:” field rather than the “To:” field. If that’s too extreme, it should prompt the user, suggesting that perhaps they don’t want to share the list of email addresses with all the recipients. At the very least, hiding email addresses from the other recipients should be a very visible option.
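One way the "change the behaviour" default could look in an outbound mail hook, as an added example that is not from the original post. The internal domain `example.com`, the threshold of one visible external address, the `.test` addresses and the function names are all assumptions made for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own domain
MAX_VISIBLE_EXTERNAL = 1          # assumption: more than this triggers hiding


def _addresses(msg, *headers):
    """Bare addresses from the named headers, in order of appearance."""
    values = []
    for name in headers:
        values.extend(msg.get_all(name, []))
    return [addr for _, addr in getaddresses(values) if addr]


def _is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def prepare_outbound(msg):
    """Return (envelope_recipients, wire_message, rewritten).

    The envelope list is who the mail is delivered to; the wire message is
    what every recipient can read. Bcc never goes on the wire. If To/Cc
    expose more than MAX_VISIBLE_EXTERNAL external addresses, every visible
    recipient is moved to the envelope only, i.e. treated as Bcc.
    """
    visible = _addresses(msg, "To", "Cc")
    hidden = _addresses(msg, "Bcc")
    envelope = list(dict.fromkeys(visible + hidden))  # de-duplicate, keep order

    wire = copy.deepcopy(msg)
    del wire["Bcc"]

    exposed = [a for a in visible if _is_external(a)]
    rewritten = len(exposed) > MAX_VISIBLE_EXTERNAL
    if rewritten:
        del wire["To"]
        del wire["Cc"]
        wire["To"] = "undisclosed-recipients:;"  # empty RFC 5322 group
    return envelope, wire, rewritten


def build_sample(to, cc=""):
    """Constructed sample message for the demonstration below."""
    msg = EmailMessage()
    msg["From"] = "staff@example.com"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Office closed on Friday"
    msg.set_content("We will be closed this Friday.")
    return msg


if __name__ == "__main__":
    sample = build_sample("alice@customer-a.test, bob@customer-b.test",
                          cc="manager@example.com")
    envelope, wire, rewritten = prepare_outbound(sample)
    print("rewritten:", rewritten)
    print("deliver to:", envelope)
    print(wire.as_string())
```

The envelope list is what would be passed as `to_addrs` to `smtplib.SMTP.send_message`, so delivery is unchanged while the headers no longer list anyone.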

In the meantime? Teach your staff about BCC. Make sure they use it when it’s appropriate.

Damo

Metaphor Use

I was doing some blog-hopping the other day and came across an old post called “The Scott Adams Meltdown: Anatomy of a Disaster” on the Ask Tog site.

Basically, Scott Adams (creator of the Dilbert comics) had an incident in early 2006 where he accidentally (permanently) deleted a post as well as 500 comments that were attached to it.

Tog identifies a “misleading metaphor” as one of the issues and highlights the importance of using appropriate metaphors when designing software and educating users on how to use it.

Several articles in his site talk about other misleading and confusing metaphors and how they contributed to bugs or problems, and it got me thinking about the use of metaphors a bit more.

Now, I’m a big fan of metaphors - I use them constantly, particularly when I’m talking about anything IT to a “layperson”. Communication between “nerds and normal people” is something that is typically not handled well. Frequently the nerd doing the explaining gets frustrated at the user’s lack of understanding and the user gets frustrated at the jargon and poor explanations. Metaphors can help, but only if they’re used properly. Similarly, when writing software, user-interface metaphors are frequently used. Think of the recycle bin in Windows or the Home button in your browser. These are (usually) effective metaphors.

My sister is fairly heavily involved in AFL. She was talking the other day about how coaches teach young kids the correct techniques for handballing and marking. They tell the kids to imagine the ball as a spaceship and the little valve in the middle of the laces as the spaceman. When you’re kicking, the spaceship should be pointing up, and the spaceman should be pointing to where you want to kick it.

The problem with this is that the intended behaviour doesn’t match the metaphor terribly well. A spaceship should point where it needs to go, right? In fact, the spaceman should probably point in that direction as well. Essentially, you’re telling kids to imagine the ball as a spaceship, but a spaceship that doesn’t really mimic the behaviour of a spaceship. It’s misleading.

It gets worse though. When they teach the kids to handball, they tell them to hold the spaceship in one hand with the spaceman at the top and the spaceship pointing in the direction it needs to go. Ok, not bad so far. Then, they tell the kids to imagine there’s an icecream in their other hand. To handball correctly, they should smash the icecream into the back of the spaceship. What?

I don’t think I need to point out the problems with that one.

This, to me, is a series of very poorly thought-out metaphors. A metaphor should be something that someone can relate to to help them understand the concept in question. The properties and behaviour of the metaphor should closely resemble the model you’re trying to present. This is why metaphors like “bookmarks” in browsers and “address books” in email programs work reasonably well, and others like “Clippy” (Word’s abandoned instructional paperclip) confused many users.

Damo

IE8 and Standards

Joel on Software has an absolutely magnificent article explaining the difficult situation Microsoft is in with Internet Explorer 8.

Essentially, he explains how and why the web browser is in a no-win situation. Microsoft can enforce “standards” and allow existing web pages to break if they don’t meet the standards (something no browser has done before) or they can continue to be backwards compatible and support all those workarounds people have been putting in for years to make-it-work-for-browser-X.

If they choose the first option, which is their current plan, they’ll have a hard time convincing the developers of all those existing websites (if they’re around any more) to update their sites to conform to the HTML4 and CSS1 standards amongst others. If not, all those webpages will work, but what’s the point of standards if they’re not enforced?

It’s a longish article, but it’s very well written and it provides great insight if you’re a web developer.

Damo

Transparent wireless

Let’s be honest, wireless connectivity is awesome. It’s fairly easy to set up, and it basically means you can roam all over the place while on the Internet.

I have a secure wireless LAN set up at home, another one at work and even another one accessible to me at uni. In case that isn’t enough, my mobile phone has a wireless broadband plan and I have a Vodafone USB modem from work for mobile broadband as well. Occasionally, if I’m sitting at my desk at work, I’ll plug my laptop in just to get that little bit more speed.

It’s convenient that I have so many wireless connections available to me, but it’s not as convenient as it could be. And that’s what technology is all about, right?

My laptop can connect to one of three WiFi networks, and they usually connect pretty transparently if they’re available. I turn the computer on, it finds a known wireless network and connects. The uni connection is the only exception and that’s just due to the security they’ve got in place. If need be, my laptop can also connect to one of two mobile broadband connections - one through my mobile phone via Bluetooth, and one via the USB modem. In these cases, I have to tell it to connect and provide the credentials every time.

Wouldn’t it be good if I could just set up all of these connections once and let my laptop decide what connection it wanted to use? I’d happily provide credentials to use for each connection and I’ll even order them in terms of preference.

I’m no network engineer, but I’m sure it can’t be too difficult to write some software to handle all of this for me? Identify which connections are available, use the one with the highest preference, and fail-over relatively silently to an alternative if it becomes unavailable. If it becomes available again, then reconnect and start using it.

Has anyone encountered a system that can do this nicely?

Damo

Efficiency is all perception

A couple of things today prompted me to write about this. The first and main one was an article on Coding Horror about actual vs perceived performance.

The premise of the article and the study it references is that a user’s perception of the speed of an operation is often more important than the actual speed of the operation.

This all harks back to a core software designer rule - effective feedback.

In short, if a user can see that something is happening, they’re less concerned with the time it takes. This realisation no doubt led to the plethora of spinning images around the web that let you know an asynchronous request is happening. Does the rotating wheel indicate how long it will take or whether it’s actually doing anything at all? No, of course not, but it is effective feedback and it inspires confidence from the user.

One of the first bits of code I wrote when I arrived at my current job was a function in an ASP.Net application that retrieved a credit report for a client. Its efficiency relied 100% on the efficiency of a server somewhere in New Zealand (there’s now an Australian server). I didn’t (and still don’t) know before request time whether it will be available or how long the request will take if it is. I know very little about the service apart from the message it expects and the response it will hopefully give me.

At first, there were a few complaints about how long the function took. Unlike everything else in the system, it didn’t respond straight away. On average, it only really took a few seconds, but it was long enough that some users wondered what was happening. Predictably, when I added a small chunk of javascript that showed a “Retrieving credit file” message and a pretty rotating circle, the complaints stopped. Because something was happening while they were waiting, albeit a simple animated gif, people were less concerned with the time it took.

I did say there were two things that prompted this post, didn’t I? The second was a discussion I was having with a mate about efficient methods of storing, retrieving, and sorting data. It made me think that even if you refactored your code to cut down your search from say, O(n²) to O(n log n), would your users be any happier than if you added some javascript to distract them? It’s often worth investigating I think.

Damo

Garbage in, garbage out

Every software developer worth his salt knows this saying. Basically it means that if the information coming into your system is garbage, you can’t expect to get anything but garbage out.

In terms of my recent work (two projects in particular), this has never been more evident. In both cases, I’m being given data as the input for a new system. In both cases, the new system is far more restrictive than the old system in terms of what it allows in certain fields. And in both cases, the data I’m being given is difficult to work with.

This problem rears its ugly head often, whether it be upgrading from an old application to a new one, or trying to get meaningful statistics out of information that wasn’t collected properly in the first place. In my recent work, I’ve been faced with both of these scenarios.

So why is this such a prevalent problem? It’s very easy to place blame on the developers of the original code and argue that they didn’t think about the consequences of free-text fields or that they didn’t validate the data properly. To an extent, you’d probably be right. I’m sure that the developers of the old system probably didn’t think it was worth validating a date because it was only going to be used for information; not for any statistics or filtering. Lazy? Probably, but every developer has done this. Maybe not with dates necessarily, but let me give you a scenario:

You have a client who wants an appointments system. He wants to track the phone calls received at the office, and he cares about when it was, who it was, why they called, and the follow through to an appointment. Fairly straightforward, no? So you ask this client about the “why they called” bit and they tell you that it could be any reason. You push, saying that that information won’t be useful unless it’s standardised and are told that it doesn’t matter - people should be able to write anything they want. The problem should be immediately apparent by now.

But let’s go further - let’s say that you insist so much that he lets you put an additional field in the form of an enumerable list of reasons someone could call. You’re happier because at least you have something concrete for this field that you can return to later, and the users of the system can still type whatever they like in the comments field. You even train the staff to make sure they select one of these reasons each time. Great! Everyone wins… until the client wants to do some analysis on the reasons people have been calling. When you look at the data, you notice that nobody has been using this field. When asked, a staff member might say that it’s quicker just to put the reason in the comments section, or that there was more than one reason, or even that they didn’t know what the options really meant.

I’d argue that at this point, the data that’s in this extra field is less useful than the free-text data. Sure, it’s quantifiable and is great for statistics, but those statistics are wrong. Dead wrong. It’s even worse if management has been relying on them.

My point is that it’s all very well to make sure each piece of information you’re collecting is discrete or enumerable, but unless the users are using it properly, it won’t work and can have damaging effects. Garbage in - garbage out.

So where does this leave the future developers who have to import this data into their system later? Well, the answer’s fairly obvious and there’s no paddle. They (and I include myself in this) will be on their soapbox complaining about how the last guy didn’t do it properly, but really, it may not have been his fault.

That’s great, you say, but it doesn’t help me. No, it doesn’t, but it’s something to be aware of. Before (yes, before) you go headfirst into building a brand new system that will leave the other system for dead, look very carefully at the data that’s contained in that old system. Think about how it will fit into the new one - chances are it won’t without a lot of shoving, and you need to be prepared to shove. If it’s a new system, make sure that the stakeholders understand its limitations. Stress that even though you’re building it with enumerable options and discrete values (because that’s still a good idea), these will be worthless if they’re not used correctly. Make sure they understand this - if they don’t, you’ll be the first person they’ll yell at if their statistics are wrong.

-Damo
