Computerworld on how CAPTCHAs, those little boxes that ask you to type the words you see, are not only failing but being gamed by spammers:

“I think my view on this now is that time is definitely running out for current CAPTCHA systems; already they are not as effective as they once were,” says Wood. “It’s already becoming more difficult for real customers to use them successfully, and they continue to come under increasing pressure from spammers.”

The embrace of CAPTCHA as a verification technique is a personal puzzle. As a rule, if one computer spat it out, another computer will eventually figure out how to understand it. Large sites, which were often the first to begin using the technique to prevent spammers from abusing their services, are going to face a dedicated army of crackers intent on breaking their little voodoo wards.

I’d love to have a conversation with a developer from a large site on just what measures they’ve tried, what measures have failed, and why they failed. From the outside, it often seems like the problem is being solved with an increasingly failing pattern that can’t be improved.

It’s a bit like comment spam. When nearly everyone runs the exact same blog software, which spits out the exact same HTML structures, and stores the POST processor files in the exact same place, of course spammers are going to develop bots capable of peddling their payloads across millions of sites. The homogeneous is the vulnerable.

If your comment form has a field called “comment”, you’ve shot yourself in the foot.

Last time I tackled this problem, we used numerous random, hidden fields along with randomized field names to make it impossible for a bot to easily post to the same URL over and over again with the same payload. It didn’t solve the problem 100%, but it eliminated all bots not specifically tailored to cracking the site. Although, given enough incentive, any scheme we develop will eventually be cracked.
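The scheme sketched above, as an added example rather than the author's original code: a server issues per-request field names for the comment form, adds a few honeypot fields that a human never sees, and ties everything to a signed, timestamped token so the names can be re-derived on submission without keeping server-side state. The secret, the field-name prefix `f_`, the `_t` token field and the one-hour lifetime are all assumptions made for the demo.

```python
import hashlib
import hmac
import html
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed demo secret (assumption); a real deployment loads it from config and rotates it.
SERVER_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 3600        # seconds a blank form stays valid (assumed lifetime)
HONEYPOT_COUNT = 3      # number of decoy fields per form


def _sign(message: str) -> str:
    """HMAC-SHA256 over a string, hex-encoded."""
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def _field_names(nonce: str) -> Tuple[str, List[str]]:
    """Derive the real comment field name and the honeypot names from a nonce.
    Deriving them instead of storing them keeps the server stateless."""
    real = "f_" + _sign(f"{nonce}:real")[:12]
    traps = ["f_" + _sign(f"{nonce}:trap:{i}")[:12] for i in range(HONEYPOT_COUNT)]
    return real, traps


def issue_form(now: Optional[int] = None) -> Dict:
    """Create a fresh form spec: per-request field names plus a signed, timestamped token."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{now}." + _sign(f"{nonce}.{now}")
    real, traps = _field_names(nonce)
    return {"token": token, "comment_field": real, "honeypots": traps}


def render_form(spec: Dict) -> str:
    """Render the form as HTML. Honeypots are hidden with CSS (class "hp"), not
    type=hidden, so a bot that fills every text input trips them; the field order
    is shuffled so position gives nothing away either."""
    inputs = [f'<textarea name="{html.escape(spec["comment_field"])}"></textarea>']
    inputs += [f'<input class="hp" type="text" name="{html.escape(t)}" autocomplete="off">'
               for t in spec["honeypots"]]
    secrets.SystemRandom().shuffle(inputs)
    hidden = f'<input type="hidden" name="_t" value="{html.escape(spec["token"])}">'
    return '<form method="post">' + hidden + "".join(inputs) + "</form>"


def validate_post(post: Dict[str, str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Check a submitted POST body. Returns (accepted, comment_text_or_reject_reason)."""
    now = int(time.time() if now is None else now)
    parts = post.get("_t", "").split(".")
    if len(parts) != 3:
        return False, "missing or malformed token"
    nonce, issued, sig = parts
    # Constant-time comparison so the signature cannot be guessed byte by byte
    if not hmac.compare_digest(sig, _sign(f"{nonce}.{issued}")):
        return False, "token signature mismatch"
    if not issued.isdigit() or now - int(issued) > TOKEN_TTL:
        return False, "token expired"
    real, traps = _field_names(nonce)
    if "comment" in post:
        # The generic field name never appears on our form; a POST that carries it
        # is a canned payload aimed at the well-known field
        return False, "static field name used"
    if any(post.get(t) for t in traps):
        return False, "honeypot field filled"
    comment = post.get(real, "").strip()
    if not comment:
        return False, "empty comment"
    return True, comment


if __name__ == "__main__":
    spec = issue_form()
    print(render_form(spec))
    print(validate_post({"_t": spec["token"], spec["comment_field"]: "Nice post."}))
```

Because the field names are derived from the nonce inside the signed token, the server never stores anything between rendering and submission, and a token cannot be minted or extended without the secret. This still only filters bots that have not been tailored to the site, which is exactly the limit the paragraph above describes.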

The great wheel just keeps on spinning.