Before you watch this video, to make sure
you’re not a robot,
please look at these pictures and identify
the street signs, the cars,
the fire hydrants, the shop fronts,
the numbers on the front doors,
and the ever-growing sense of frustration.
In the late 90s the most popular search engine
was AltaVista, and they had a spam problem.
People were writing automated scripts to send
in spam and malicious links to their
finely crafted database of the web,
and they needed to add a test that
only humans could pass.
Their solution was to add a question to the
submission form that,
back then, only a human could answer.
In their case it was to identify a warped
string of letters and numbers.
Image processing wasn’t at the point where
a computer could easily identify the squiggly letters,
but it was trivial for a human.
Or at least,
trivial for a human with good eyesight.
Accessible versions didn’t
come along for a while.
But that was one of the first public versions of what
became known as a CAPTCHA;
a Completely Automated Public Turing Test to Tell Computers and Humans Apart.
A version called reCAPTCHA came along a few
years later:
it was used to help scan old books and newspapers.
When a CAPTCHA was needed,
the team would send one scanned word that
they knew was right, deliberately distorted,
and another word that their scanning systems
weren’t sure about.
The user would have to type in both:
the known word was to check it was a human
answering, they had to get that right,
but the unknown word – after maybe a dozen
people had agreed on what it was –
that would be logged as part of the book scan.
Google ended up buying reCAPTCHA.
But by then, the arms race was well underway.
The bot makers looked at reCAPTCHA as a challenge,
and they rose to it admirably.
First, they could train computers
to read those messed up words.
This was before the recent breakthroughs in
machine learning and artificial intelligence,
but even a fairly rudimentary system could
solve reCAPTCHA well enough to let bot-makers
create fake accounts and send spam
some of the time.
If the test was still too difficult, though,
they could just pay humans.
The bot makers set up systems where
automated bots would fill in all the details,
ready to send spam, and then
when the CAPTCHA appeared,
the bots would show it to human operators,
hired from countries where
the average income is low.
Those humans got paid to sit there and solve
CAPTCHA after CAPTCHA after CAPTCHA.
After all, it’s only testing that there’s
a human in the loop somewhere.
You could even outsource your CAPTCHA solving
needs to any one of dozens of companies
who all competed on price and accuracy.
Actually, you still can.
Or you could get unsuspecting members of the
public to solve CAPTCHAs for you.
You could set up a web site with, er,
some images that some people
might want to see(!)
and  before they could visit,
they’d have to prove they were human by
solving a CAPTCHA.
Which was copied straight from whatever site
your bots were trying to get into.
So then Google released
reCAPTCHA version 2.
Which is where you’re presented with a single
check box,
that you have to click on to prove you are
not a robot.
And clearly, any bots presented with that box
would be honest and not click it.
It’s not really about clicking the box.
When you complete one of these new CAPTCHAs,
extra data is sent.
And Google is very cagey about what
that data is,
because everything they reveal is a clue for
the people trying to break it.
But that box is loaded into your browser from
google.com,
which means it can look at any login cookies
that Google already have on your browser.
Certainly if you clear your cookies,
you are way more likely to get
that secondary check
that asks you to identify
buses or fire hydrants.
And maybe it checks how your mouse moves in
the moments before clicking the box?
And the exact position and length of time your
finger tapped the phone screen?
Plus a bunch of other things that Google all feeds
into their giant machine-learning system.
The only people that know for sure
are the designers, and they aren’t telling.
The CAPTCHA solving services, of course,
are already offering a cost per thousand to
solve these.
It may be harder,
but it’s not unbreakable.
Using machine learning,
bots can be trained to pass those secondary
checks themselves, and to hide as humans,
well, identifying the correct sections
of the presented images
is something that you can throw
cloud machine learning at.
And given that Google Cloud sells
machine learning systems,
it’s very likely that some of their servers
are creating CAPTCHAs,
and others are trying to break them.
And, even then,
you can just have humans on standby instead.
So at the end of 2018,
Google released reCAPTCHA version 3.
And you might have already passed, or failed,
one of those without knowing it.
There’s no box to tick, no puzzles to solve:
when you browse round a site,
version 3 works in the background
and watches what you do.
By the time you’re posting a comment or
signing up,
it’s already assigned you a score
based on how likely you are to be human.
And again, Google is being very careful
about saying how they’re working that out.
But the answer is very likely “it's a machine learning system they're throwing everything into
"and they  don’t know it works either”.
Hopefully they’re taking account of
incognito mode, and accessibility tools.
Because if you get a low score,
maybe your comment will get sent to a 
moderator to check… or maybe it’ll just
disappear into nothing and you'll never know.
The bot makers, of course,
are already working on the challenge.
I signed up for a new bank account online
a few months ago,
and I had to send in a photo of my ID and a
video of me holding that ID and waving.
That’s checking not just that I’m a human,
but that I’m the one specific human
I claim to be.
Bots are becoming more and more indistinguishable
from humans.
Successful CAPTCHA methods are having to be
more and more intrusive.
The arms race continues,
as it has done for
twenty years or  more.
I’m going to do something very strange for
a sponsorship segment now:
I’m going to tell you about limits.
I’ve said “you should use a password manager”.
And it’s true.
I use one, I recommend you do too.
Which is why this video is sponsored by Dashlane,
the password manager,
if you go to dashlane.com/tomscott,
you can get a free 30-day trial
of Dashlane  Premium,
and I recommend you try it out for yourself.
But there are some things that
a password manager cannot help with.
If you are worried that a major government
is trying to steal your secrets,
or industrial spies with millions of dollars
of funding are targeting you specifically:
well, you probably already have
professional advice.
After all, if someone actually gets to your computer’s
hardware and installs stuff
that pulls things right out of the physical memory…
well, at some point,
even a password manager has to decrypt
the password, put it in memory,
and pass it on to wherever you’re
actually trying to log in to.
If an attacker has physical access
to the hardware, it’s over.
And of course, the weak link in almost every
security system is human.
All the security in the world cannot protect
you from someone threatening you with violence
unless you type in your password.
And in the UK,
if the police have a court order requiring
you to give them your password,
it is a criminal offence to refuse.
People have been jailed for it.
Dashlane cannot help you with that.
But using Dashlane means that
every password is different,
so when some online service that you signed up to
years ago and forgot about gets breached,
it’s no big deal.
Actually, Dashlane will also warn you about data breaches
with instant alerts for websites where you
have accounts.
Using Dashlane also means that every password
is long, complicated and secure --
but you don’t have to try and
type them in on your phone,
because Dashlane will autofill them for you
everywhere you go.
It can even auto-change passwords for you
on a lot of sites, with the click of a button.
In short,
using something like Dashlane means that passwords
stop being this worrying pain in the ass and
start being something that it’s really easy
to deal with.
I thought long and hard before accepting sponsorship
for this series, but honestly:
if you are techie enough to watch these videos,
you should use a password manager.
So: dashlane.com/tomscott for a free 30-day
trial of Dashlane Premium, and if you like it,
you can use the code “tomscott”
for 10% off at purchase.
