A proposed security measure always has to be judged against cost, and compared against alternatives that include doing nothing. Are we under attack from captcha-guessing bots, or is it a mere annoyance? Is it easier for us to simply delete the occasional spam rather than armor up the place?

I wasn’t that impressed by PeopleSpoor’s technology, and I suspect that it’ll be busted in considerably less than a decade. You also have to judge security measures over the long haul, and even if their system is exactly as difficult as a captcha, it’s ten years after the invention of the captcha and if nothing else, there’s that much more raw computer power available to break it.

Ten years ago you couldn’t rent computer power by the yard for pennies like you can today.

Which of course means that captcha is also that much weaker today.

Maybe another way to address the problem with the tools at hand is to reexamine security policy. Allowing anyone to post after passing only a captcha is asking for trouble if captcha is weak. But if we require people to be registered to post, and use captcha to verify organic sentience during registration, we considerably slow down aspiring spammers. We can close down a spammer’s account, whichis better than running around deleting individual spam posts by anonymous visitors. How the tools are used matters too.

A single Captcha word does the spam-deflecting job, and that they’re using distributed processing (us) to get some work done with the extra word doesn’t bother me. I remember a while some years ago when my computer was doing stuff for SETI when I wasn’t using it. I don’t think I’d do that now.

I doubt the “fake” captcha returns are plugged directly into OCR results with no further input, but if the author has fun saying dirty words to a computer, he can go for it.