Categories
Uncategorized

CAPTCHAs: More Effective Than You've Been Led to Believe

Every now and again, I read articles like this one that claim that CAPTCHAs — those “please enter the text from this image” tests meant to verify that a human is filling out a web form — are no longer effective, as spammers have come up with algorithms and countermeasures to defeat them.

Jeff Atwood of the programming blog Coding Horror argues the opposite; he says that they work, and you only have to look to the 'net for proof:

Although there have been a number of CAPTCHA-defeating proof of concepts published, there is no practical evidence that these exploits are actually working in the real world. And if CAPTCHA is so thoroughly defeated, why is it still in use on virtually every major website on the internet? Google, Yahoo, Hotmail, you name it, if the site is even remotely popular, their new account forms are protected by CAPTCHAs.

In the article, he runs a number of experiments in which he takes graphics of text with varying degrees of distortion and runs them through SimpleOCR's demo page. He found that only a slight bit of distortion — not enough to fool even a five-year-old — was enough to confound SimpleOCR. He also found that the text distortion might not even be necessary: just a little “noise” added to the picture caused SimpleOCR to fail to recognize any of the characters in the text.

He also points to his own experience on his blog, which uses what he calls “Naive CAPTCHA”, in which the CAPTCHA text is the same every time, and he's still stopped 99% of his comment spam.

He provides a CAPTCHA recipe that he says is “more protection than most websites need. All it needs to do is combine these elements:

  • high contrast for human readability
  • medium, per-character perturbation
  • random fonts per character
  • low background noise”

Here's an example of a CAPTCHA created following this recipe:

Sample of an effective CAPTCHA from 'Coding Horror'.
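To make the four ingredients of that recipe concrete, here is a small generator written for this post; it is an added example, not code from Coding Horror or from this blog. It assumes a constructed 5x7 bitmap font for the digits 0-9, two toy "fonts" per character (the regular glyph and a one-pixel-dilated bold variant), and plain PBM (P1) output so the result can be viewed without any imaging library. High contrast comes from a strictly black-and-white grid, the medium perturbation is a per-character vertical and horizontal jitter, the font is chosen per character, and the background noise is a sparse random sprinkle of ink pixels. A constant-time answer check is included because the image is only half of a CAPTCHA.

```python
import hmac
import random

# Constructed 5x7 bitmap glyphs for the digits 0-9 ('#' = ink). A toy font
# for illustration only; a real generator would rasterise TrueType fonts.
GLYPHS = {
    "0": (".###.", "#...#", "#..##", "#.#.#", "##..#", "#...#", ".###."),
    "1": ("..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."),
    "2": (".###.", "#...#", "....#", "...#.", "..#..", ".#...", "#####"),
    "3": ("####.", "....#", "....#", ".###.", "....#", "....#", "####."),
    "4": ("...#.", "..##.", ".#.#.", "#..#.", "#####", "...#.", "...#."),
    "5": ("#####", "#....", "####.", "....#", "....#", "#...#", ".###."),
    "6": ("..##.", ".#...", "#....", "####.", "#...#", "#...#", ".###."),
    "7": ("#####", "....#", "...#.", "..#..", ".#...", ".#...", ".#..."),
    "8": (".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."),
    "9": (".###.", "#...#", "#...#", ".####", "....#", "...#.", ".##.."),
}
GLYPH_H, GLYPH_W = 7, 5
CELL_W = 7      # glyph width plus the gap to the next character
MARGIN = 2      # blank border on the left and right
JITTER = 3      # maximum vertical displacement per character ("medium perturbation")
HEIGHT = GLYPH_H + JITTER + 1
ALPHABET = "".join(sorted(GLYPHS))


def new_code(rng, length=5):
    """Pick the challenge text. A deployment would draw from the secrets module."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def glyph_points(ch, bold):
    """Ink pixels of one glyph as (row, col) offsets. 'bold' selects the second
    of the two toy fonts: the regular glyph dilated one pixel to the right."""
    pts = {(r, c) for r, row in enumerate(GLYPHS[ch])
           for c, px in enumerate(row) if px == "#"}
    if bold:
        pts |= {(r, c + 1) for r, c in pts}
    return pts


def render(code, rng, noise=0.02):
    """Rasterise 'code' into a black-and-white grid (True = ink): binary
    contrast, per-character jitter, per-character font, sparse noise."""
    width = 2 * MARGIN + len(code) * CELL_W
    grid = [[False] * width for _ in range(HEIGHT)]
    for i, ch in enumerate(code):
        x0 = MARGIN + i * CELL_W + rng.randint(0, 1)   # small horizontal wobble
        y0 = rng.randint(0, JITTER)                    # medium vertical perturbation
        bold = rng.random() < 0.5                      # random font per character
        for r, c in glyph_points(ch, bold):
            grid[y0 + r][x0 + c] = True
    # Low background noise: turn a small fraction of blank pixels into ink.
    for row in grid:
        for c in range(width):
            if not row[c] and rng.random() < noise:
                row[c] = True
    return grid


def ink_fraction(grid):
    """Share of pixels that are ink; useful for keeping noise genuinely low."""
    total = sum(len(row) for row in grid)
    return sum(px for row in grid for px in row) / total


def to_pbm(grid):
    """Serialise the grid as a plain PBM (P1) image."""
    lines = ["P1", f"{len(grid[0])} {len(grid)}"]
    lines += ["".join("1" if px else "0" for px in row) for row in grid]
    return "\n".join(lines) + "\n"


def check_answer(expected, submitted):
    """Server-side check: trim whitespace, then compare in constant time so the
    comparison itself leaks nothing about how many characters matched."""
    return hmac.compare_digest(expected, submitted.strip())


if __name__ == "__main__":
    rng = random.Random()
    code = new_code(rng)
    print(to_pbm(render(code, rng)), end="")
    print("answer:", code)
```

Running the block writes a PBM to standard output and prints the expected answer; the expected answer belongs in server-side session state, never in the page that carries the image. The noise parameter is deliberately tiny (2% of blank pixels), which matches the "low background noise" ingredient: enough to defeat a naive OCR pass without hurting a human reader.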

Jeff also debunks the scenarios in which spammers use “Turing Farms” — either “sweatshops” of low-paid people to respond to CAPTCHA challenges or the much-publicized trick of showing people porn in exchange for answering a CAPTCHA challenge. They're just too expensive to be worth the effort, which is why CAPTCHAs work: they hit spammers where it hurts — in the pocketbook.

Link


Program Lets Anyone Print Boarding Passes…To Gitmo!

A grad student in Indiana has created a boarding pass generator for NWA flights.

A 24-year-old computer security student working on his doctorate at Indiana University Bloomington has created a Web site that allows anyone with an Internet connection and a printer to create and print fake boarding passes for Northwest Airlines flights.

By entering your name and plugging in information about the flight — flight number, gate, seat number, departing city, destination, departure, and arrival times and class — the site generates a boarding pass the program's creator says will get you past security checkpoints, even without ID.

Christopher Soghoian, creator of "The Northwest Airlines Boarding Pass Generator," knew he would be opening up a can of worms by writing the program and creating the site, but says it's the only way to show people how deeply flawed airport and airline security are.

I completely disagree: everyone knows that the superficial airport security theater—badly designed as it is, and as dependent as it is on dubious information and proof of identity—is, at best, purely for show. Many serious security thinkers have made the point, over and over again, that the way we've designed security at our airports doesn't make us more secure at all. This "research" serves no one, and it doesn't advance our understanding of the problem one bit.

On the other hand, the publicity generated by this goof will probably cause a general security freak-out among bureaucrats and politicos. The nearly inevitable result will be yet more meaningless security ritual the next time you fly.

Thanks, buddy.

Link [via Interesting People]



Apple Shows .Mac Mail Some Love, Web 2.0-Style

GigaOm has the lowdown on Apple's .Mac mail reno, with a 2.0 twist:

A few weeks ago we mentioned that Apple’s dot mac email service was getting a bit of a Web 2.0 makeover, one that was long overdue. Well, the new email is live now, and it is a perfect embodiment of how Apple would incorporate the Web 2.0 technologies such as Ajax.

Nice to see Apple give .Mac some much-needed love, and mail is a good place for Apple to work their "fast follower" (except without the "fast" this time) magic of refining a user experience we're all familiar with. After all, they weren't the first with an MP3 jukebox, with a portable MP3 player, or with photo management software, but they still managed to do it better, making it easier for users, than anyone else had up 'til then.

Even so, .Mac has a long way to go before it's the network hub of your Mac life—your identity in the cloud. Until then, the $99 for .Mac looks like something of a ripoff compared to what you can do with Google, Yahoo!, or MSN/Microsoft Live for free.

Link



Google Ad Sales Reorgs Around the Customer

According to Read/Write Web, Google's moving to reorganize the way they serve large advertising customers:

"Three of my most credible resources, including DM News’s Giselle Abramovich, are indicating plans for a significant re-organization at Google. On the re-org, says Ms. Abramovich,

“What this means is that there would be one global account director per account, that pulls in resources to sell as needed – PPC (pay-per-click), Print, Radio, Video, Display, etc.”

This means Google will utilize different types of ads (CPC, CPM, CPA, etc) over all media channels – search, mobile, video, audio, etc.

The benefit for Google's customers is that it enables them to target certain leads across different types of media. They can do that from one 'console' and they will work with 1 Google salesperson/account manager on their account. Of course, will the large advertising agencies be happy with this scenario of Google providing a one-stop shop?

In some ways, it doesn't make a difference to the big agencies. They're still going to be the strategic adviser to the advertiser. Of course, they lose some of the advertising channel fragmentation that made their planning and trafficking services necessary, but having Google consolidate a bunch of channels may lower costs for everyone.

This is the way big brand advertisers want to do business—one point of contact to control their targeting and spend.

The big losers will be the smaller players in the search ecosystem with significant large-scale clients: the larger, dedicated search engine marketing (SEM) firms. Their promise was to optimize search campaigns horizontally across search engines, so an advertiser (or their agent) would go to them to spend across multiple search engines. Google can ace them out with this reorganization, based in part on their increasing dominance of search engine marketing, and assuming they can find the right inventory and technology to support a major advertiser's brand and rich media campaigns (i.e., stuff that isn't search). You can bet YouTube figures into that thinking. For smaller-scale advertisers, where search is the biggest, if not only, line item in their marketing budget, this doesn't mean much—they'll still need search marketing consolidators.

It's an interesting hint of a maturing Google.

Link



Six-Word Stories About Programming Languages

Inspired by a posting in Marginal Revolution which in turn was inspired by an article in Wired, John B. of the blog Indefinite Articles has written Six-Word Stories about different programming languages. A sample:

  • C#: I am so better than Java!
  • Java: How did I become today's COBOL?
  • Visual Basic: I was “it” once! What happened?
  • Perl: They’ll come crawling back. You’ll see!

Link


TiddlyWiki

TiddlyWiki: Because I have, apparently, been living under a rock for the past two years, I'd never heard of TiddlyWiki until recently. It's a stunning display of client-side Ajax power: a JavaScript-based wiki contained entirely in a single HTML file. No server-side logic required. Personal wiki wherever your laptop goes (regardless of network connection)? No problem. Wiki on a USB stick? Sure thing. Neat-o.



A Tale of Two Swagmen

Just to illustrate how different our professional lives are, let me show you the swag from the meeting I attended in Boston last week:

That's it.

To be fair, I'm what you'd call an industry analyst; it would create a conflict of interest for a technology company to shower me with freebies. But, come on…
