Date: Tue, 19 May 2026 07:46:55 -0700
From: Lauren Weinstein <lauren@vortex.com>
To: privacy-dist@vortex.com
Message-ID: <20260519144655.GA23364@vortex.com>
This is the script from my national network radio report yesterday
about malware and other issues related to CAPTCHAs. As always, there
may have been minor wording variations from this script as I presented
this report live on air.
- - -
Well we've all seen CAPTCHAs, the online web site access mechanisms
that try to determine if we're human or actually some sort of
automated robot system -- these are designed to try to control access to
and potential abuses of websites by spam robots for example. The term
was coined around 2003 and stands for "Completely Automated Public
Turing test to tell Computers and Humans Apart." The actual concept is
around six years older than that. The older types require the user to
identify distorted or otherwise obscured letters, numbers, words, or
whatever. And while in theory these are supposed to be easy for a
human to do and hard for an automated system trying to access
websites, many people have found them difficult in practice (sometimes
including me), and have to try again and again to get a challenge that
they can actually answer correctly. This is even worse for visually
impaired users, who often have to resort to audio-based alternative
challenges, with distorted audio that can be even harder to identify.
Eventually the biggest CAPTCHA network was acquired by Google and
rebranded as "reCAPTCHA", giving them access to the related CAPTCHA
activity data from an enormous number of sites and users. CAPTCHAs of
various types have continued to advance of course, with fewer of the
traditional "challenge" type and more that employ ongoing user
activity data that simplifies to the common "I'm not a robot" box to
click on, or even systems where you don't need to click on anything or
reply with anything -- the systems automatically decide if they think
you're human either immediately or after you wait for a number of
seconds for the system to analyze your ongoing behavior. Sometimes
when you fail CAPTCHAs you're presented with a matrix of little images
and you're supposed to click the ones that include traffic lights or
cars, or some other category of items, which can be quite annoying and
sometimes quite difficult to do properly.

Something that most people probably don't realize is that some
challenge/response CAPTCHA systems are used to advance AI/machine
learning systems, with the human replies to the CAPTCHAs being used as
training data. But now we've come pretty much full circle, because as
AI systems have advanced they're increasingly rendering many kinds of
CAPTCHAs less and less effective, since AI systems can respond to
CAPTCHA challenges and emulate human activity with ever greater
accuracy. So the ability to tell the difference between actual humans
and non-humans trying to use these sites rapidly declines.

Even worse, fake CAPTCHAs have now become a popular vector for
distributing malware onto user systems. A typical way this works is
that you see the "I'm not a robot" type of prompt, and when you click
it you get a response saying you need to take additional steps to be
verified, by entering specific individual keyboard control characters
and perhaps also other characters in a particular sequence. This is a
giant red flag! No legitimate CAPTCHA will ever require a strange
keyboard sequence of this sort. Without getting into details here, if
you ever see a response like "enter these specific characters" after
clicking on a CAPTCHA, you should close the page immediately and then
clean out your system clipboard. Do NOT paste your clipboard unless
you've cleaned it out first by copying something innocuous into it,
otherwise you may trigger a malware download that was the payload of
that fake CAPTCHA!

The CAPTCHA saga is a great example -- and a particularly depressing
one -- of the law of unintended consequences. Systems originally
developed to try to protect websites get used to train AI systems that
then advance to the point where the AI systems seriously jeopardize
that protection, and even help to turn websites -- often
unknowingly -- into distribution hubs for damaging malware. Yet another
technology battle that is likely to keep getting worse, and as usual,
Internet users are trapped in the middle of the fight.
- - -
--Lauren--
Lauren Weinstein
lauren@vortex.com (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Signal: By request on need to know basis
Founder: Network Neutrality Squad: https://www.nnsquad.org
PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
_______________________________________________
privacy mailing list
https://lists.vortex.com/mailman/listinfo/privacy
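The fake-CAPTCHA flow described in the post ends with the page silently writing its payload to the visitor's clipboard when they click the "I'm not a robot" widget, then asking them to paste it. As an added example, written for this page and not part of Lauren Weinstein's post or of any product, here is a small defender-side guard in JavaScript that records every clipboard write and drops any write that follows a click on a verification-style element. The widget heuristic, the function names and the event shape are this example's own assumptions. In a real deployment the script has to run in the page's own JavaScript context (a userscript, or an extension injecting into the main world), because an isolated content script would wrap a different `navigator.clipboard` object than the one the page calls.

```javascript
// Added example (not from the original post): a defender-side guard for the
// fake-CAPTCHA pattern where a page writes a payload to the clipboard when the
// visitor clicks a "verify you are human" widget. Assumed environment: a
// userscript or extension running in the page's own context. The heuristic,
// the guard API and the event shape are this example's own inventions.

// Heuristic: does the clicked element, or one of its ancestors, read like a
// CAPTCHA / human-verification widget?
function looksLikeVerificationWidget(node) {
  const pattern = /not a robot|verify (that )?you are human|captcha|verification/i;
  for (let el = node; el; el = el.parentElement) {
    const text = String(el.textContent || '').slice(0, 500);
    if (pattern.test(text)) return true;
  }
  return false;
}

// Wrap clipboardLike.writeText so that every write is recorded and, when the
// caller reports a suspicious context, the write never reaches the real
// clipboard. Returns the event log and a restore() hook.
function createClipboardGuard(clipboardLike, options = {}) {
  const isSuspiciousContext = options.isSuspiciousContext || (() => false);
  const onWrite = options.onWrite || (() => {});
  const original = clipboardLike.writeText.bind(clipboardLike);
  const events = [];

  clipboardLike.writeText = function (text) {
    const suspicious = isSuspiciousContext();
    const event = { text: String(text), blocked: suspicious, at: Date.now() };
    events.push(event);
    onWrite(event);
    if (suspicious) {
      // Resolve without writing: the page believes it succeeded, but the
      // clipboard still holds whatever the user last put there.
      return Promise.resolve();
    }
    return original(text);
  };

  return {
    events,
    restore() { clipboardLike.writeText = original; },
  };
}

// Browser installation: remember the last clicked element (capture phase, so
// the page cannot cancel the listener) and treat clipboard writes that follow
// a click on a verification-style widget as suspicious.
function installClipboardGuard(doc, nav, warn) {
  if (!doc || !nav || !nav.clipboard || typeof nav.clipboard.writeText !== 'function') {
    return null; // nothing to guard, e.g. outside a browser
  }
  let lastClickTarget = null;
  doc.addEventListener('click', (e) => { lastClickTarget = e.target; }, true);
  return createClipboardGuard(nav.clipboard, {
    isSuspiciousContext: () =>
      lastClickTarget !== null && looksLikeVerificationWidget(lastClickTarget),
    onWrite: (ev) => {
      if (ev.blocked) {
        warn('Blocked a clipboard write triggered by a verification-style widget; ' +
             'do not paste anything this page asked you to paste.');
      }
    },
  });
}

// Only install when a real document and clipboard exist (skipped under Node).
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  installClipboardGuard(document, navigator, (msg) => console.warn(msg));
}
```

The guard only sees writes that go through `navigator.clipboard.writeText`; a page can also copy text with the older `document.execCommand('copy')` path, which a complete guard would hook in the same way. Blocking rather than merely warning is deliberate: the user's own last clipboard contents survive, so the "paste to verify" step has nothing to deliver.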