Yes, the title is intentionally sensational and meant to evoke thought and a reaction.
There have been several articles online ([here](http://securitylabs.websense.com/content/Blogs/2919.aspx), [here](http://www.theregister.co.uk/2008/02/08/microsoft_captcha_buster/), [here](http://www.theregister.co.uk/2008/02/25/gmail_captcha_crack/), and [here](http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html) to name a few) discussing the recent evolution of spam bots that have not only successfully cracked the CAPTCHA in the signup processes for Google’s Gmail and Microsoft’s Live Hotmail, but have improved the automation and efficiency to the point where a new account is created every six seconds.
If you don’t already know what a CAPTCHA is, it’s a simple test designed to tell the difference between a computer and a human: the test is implemented in a way that is very easy for a person to complete but usually very difficult for a machine. Almost all CAPTCHAs are implemented as a scrambled image of text. More than likely you’ve used or seen one somewhere on the internet, as they are very popular. (For a complete description and history check out the [Wikipedia](http://en.wikipedia.org/wiki/Captcha) article.)
Spam has always been a game of economics. Simply put, an individual or organization has to commit or invest almost zero resources to successfully deliver millions of emails. First it was colocation for some groups ([AT&T Supports Spammers](http://www.news.com/2100-1023-248067.html)), then broadband (DSL and cable), then dedicated servers, to where we are today: a collection of all of the above plus hundreds of thousands of virus-infected bots connected to the Internet. In every case the expense-to-income ratio is so completely skewed toward the income side that the spammer stays motivated to continue.
Let me give an example. For this example we are going to make the following assumptions:
- Monthly recurring cost for a dedicated server: $99
- List size: one (1) million email addresses
- Conversion rate: 0.01% (one hundred people)
- Average revenue per conversion: $40
In this example the spammer would stand to make $3,901 in that one month. In fact, to bring in double the costs incurred, the spammer would only need a success rate of 0.0005% (five people). Simple economics = tons of spam.
So what does this have to do with Amazon AWS? Maybe nothing, but quite possibly everything. Amazon recently introduced a service called [Mechanical Turk](http://www.amazon.com/Mechanical-Turk-AWS-home-page/b/ref=sc_fe_l_4?ie=UTF8&node=15879911&no=3440661&me=A36L942TSJ2AJA), and let me quote from their page:
“Amazon Mechanical Turk is a marketplace for work that requires human intelligence. The Mechanical Turk web service enables companies to programmatically access this marketplace and a diverse, on-demand workforce. Developers can leverage this service to build human intelligence directly into their applications. While computing technology continues to improve, there are still many things that human beings can do much more effectively than computers, such as identifying objects in a photo or video, performing data de-duplication, transcribing audio recordings or researching data details. [snip] Businesses or developers needing tasks done (called Human Intelligence Tasks or “HITs”) can use the robust Mechanical Turk APIs to access thousands of high quality, low cost, global, on-demand workers — and then programmatically integrate the results of that work directly into their business processes and systems.”
Notice anything interesting? “such as identifying objects in a photo”. Simply put, Amazon has introduced a new economic cost model to the business of sending spam. How much would a Gmail or Hotmail account be worth to a spammer? Both email services have very low block rates (which directly correlate to high delivery rates) given their size. Would $1 per email account be worth it to a spammer for an account that could maybe deliver 100,000 emails before being turned off?
So the question I pose is: has the computer really cracked the CAPTCHA, or is this just economics?
April 21, 2008