Monday, June 23, 2008

The issues with CAPTCHA security

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security technology for websites that works by making users verify they are human by typing in a random string of letters or numbers that the site has displayed in an image.


You could consider it a reverse Turing test: the machine sets a task that humans are expected to pass and machines to fail.

It is now widely used as it is easy to implement and has a reasonably good success rate in telling humans and machines apart.
However it does have weaknesses and issues, and organisations need to think a little before they simply decide on the CAPTCHA path.

Here are some factors to consider.

CAPTCHA isn't accessible - straight CAPTCHA may breach accessibility law

CAPTCHA relies on presenting a graphic image of text to a viewer, who then reads the text and enters it into a text box. As computers are now smart enough to read clear images, the images used in modern CAPTCHA systems are usually 'messy', with random strokes and distorted letters. reCAPTCHA, one widely used implementation, goes further and shows words that optical character recognition software has already failed to read when digitising scanned books.

For example: [image of distorted CAPTCHA text]

These images can also be hard for some humans to read: the old, the young, the visually impaired, and even people who would not consider themselves to have sight problems.

This means that visual CAPTCHA systems may not comply with Australian accessibility law. This is a very important consideration for Australian government agencies.

There are approaches to get around this, such as offering a selection of images, one of which (hopefully) is readable by the audience, or offering an audio alternative, whereby someone listens to a series of letters or numbers, usually interspersed with other sounds, and types these in. Note that offering several renderings of the same answer also hands an automated solver several samples to correlate, so this trades some strength for accessibility.

Note that the latter approach also has similar accessibility issues for those with hearing impairments.
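The mechanism described above (the site picks a random string, renders it for the visitor, and checks what is typed back) only works if the answer and the check stay on the server, and the audio alternative only helps if it is a second rendering of the same challenge rather than a separate, easier one. As an added example that is not code from the original post, here is a minimal challenge store in Python; the class name, method names and the hand-off of the answer text to a server-side image or audio renderer are assumptions for illustration, and drawing the image or synthesising the audio is left to whatever library the site uses.

```python
"""Minimal server-side CAPTCHA challenge store.

Added example, not code from the original post. Names such as CaptchaStore
and the renderer hand-off are assumptions for illustration.

What the design has to get right, beyond picking a random string:

 - the answer is kept only on the server; the client gets an opaque
   challenge id plus the rendered image or audio, never the text;
 - one stored answer backs both the image and the audio rendering, so the
   accessible alternative is the same challenge, not a second, weaker one;
 - the challenge is bound to the caller's session, expires, is single-use
   and allows only a few wrong guesses, which limits brute-forcing a short
   alphabet and replaying a solved id;
 - the final comparison is constant-time.

Drawing the image or synthesising the audio is left to whatever library
the site uses; issue() returns the text for that server-side renderer.
"""
import hmac
import secrets
import time

# Ambiguous glyphs (0/O, 1/I/L) are dropped: once distorted they are the
# ones humans misread most, which hurts accessibility without hurting bots.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    def __init__(self, ttl_seconds=300, max_attempts=3, length=6, clock=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._length = length
        self._clock = clock            # injectable so expiry can be tested
        self._challenges = {}          # challenge id -> state (server-side only)

    def issue(self, session_id):
        """Create a challenge. Returns (challenge_id, answer_text).

        challenge_id goes to the client; answer_text goes only to the
        server-side image/audio renderer and must never reach the client.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = {
            "answer": answer,
            "session": session_id,
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        return cid, answer

    def verify(self, cid, session_id, response):
        """True only for a fresh, unexpired, same-session, correct answer.
        The challenge is consumed on success or on lock-out."""
        state = self._challenges.get(cid)
        if state is None:
            return False                                 # unknown or already used
        if self._clock() > state["expires"]:
            del self._challenges[cid]                    # expired: discard
            return False
        if not hmac.compare_digest(state["session"].encode(), session_id.encode()):
            return False                                 # solved id relayed from elsewhere
        submitted = response.strip().upper()             # humans get case/whitespace slack
        ok = hmac.compare_digest(state["answer"].encode(), submitted.encode())
        if ok:
            del self._challenges[cid]                    # single use: no replay
            return True
        state["attempts"] += 1
        if state["attempts"] >= self._max_attempts:
            del self._challenges[cid]                    # lock out: a new image must be issued
        return False


def demo():
    """Exercise the failure modes with a constructed, controllable clock."""
    now = [1_000.0]
    store = CaptchaStore(ttl_seconds=60, max_attempts=2, clock=lambda: now[0])
    results = {}

    cid, answer = store.issue("session-A")
    results["other_session"] = store.verify(cid, "session-B", answer)
    results["correct_lowercase"] = store.verify(cid, "session-A", " " + answer.lower())
    results["replay"] = store.verify(cid, "session-A", answer)          # already consumed

    cid, answer = store.issue("session-A")
    now[0] += 61                                                        # past the 60 s TTL
    results["expired"] = store.verify(cid, "session-A", answer)

    cid, answer = store.issue("session-A")
    results["guess_1"] = store.verify(cid, "session-A", "000000")       # '0' is not in ALPHABET
    results["guess_2"] = store.verify(cid, "session-A", "111111")       # second miss locks out
    results["after_lockout"] = store.verify(cid, "session-A", answer)   # must re-issue
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The checks a practitioner would want, which the post does not spell out, each have a path here: a solved id relayed from a different session is rejected, a consumed or expired challenge cannot be reused, and a couple of wrong guesses force a fresh image, which is what keeps guessing a six-character answer from a 31-symbol alphabet impractical. Embedding the answer in a hidden form field or an unsigned cookie, a common shortcut, removes all of that protection at once.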

Personally I have on occasion had difficulty using both the visual and the audio CAPTCHA approaches, and my vision and hearing are both above average for my age group (Gen X).


CAPTCHA is breakable

There are several ways to break a CAPTCHA system.

The first is simply to have a large group of low-paid workers systematically interpret and type in the correct responses.

Organisations in countries where labour is cheap offer this as a service, either for attacking sites directly or for preparing the way for automated systems that then use the compromised sites and accounts for spamming and other illicit purposes.

As technology improves it also becomes easier for machines to break CAPTCHA. We have already seen the move from clear text to messy, distorted images, tested against optical character recognition software to ensure it cannot read them, in order to reduce the ability of computers to read the image.

It is only a matter of time before machines can also read these messy images: handwriting recognition and optical character recognition technology both continue to improve and are converging on this area. In practice, then, a CAPTCHA raises the cost of abuse rather than ruling it out, and it should sit alongside controls such as rate limiting and monitoring of sign-up and posting volumes rather than replace them.


Not endorsed by the W3C

CAPTCHA is not endorsed for use by the W3C.

The W3C has stated in a Working Group Note entitled Inaccessibility of CAPTCHA that CAPTCHA is inaccessible, and the technology is not yet endorsed within W3C guidelines.

This means that it is not endorsed within the standard guidelines underpinning website development in the public sector.

This doesn't exclude agencies from using it. It has not been specifically rejected by the W3C; it sits in a grey area and each agency would have to make its own decision.


So what next?

reCAPTCHA, the most widely deployed implementation, already uses the distorted text described above, drawn from scanned words that OCR software could not read.

reCAPTCHA also offers an audio version as an alternative, in the hope that if people cannot read the image they can understand the sounds.

Some organisations, such as banks, use physical PIN devices, and others have talked about fingerprint or retina scanners attached to PCs. Note that these authenticate a known customer, which is a different problem from deciding whether an anonymous visitor is human.

However there is no clear successor to reCAPTCHA for widespread use on websites.


What should organisations do?

As there's no readily accessible and cost-effective alternative, organisations should strongly consider reCAPTCHA as a security measure in their sites, offering both the visual and the audio versions.

However they should also offer an approach accessible to those who cannot see or hear the CAPTCHA, such as phone-based identification or secret questions, and protect that fallback with the same rate limits as the CAPTCHA itself so it does not become the easier path for automated abuse.


Sunday, June 22, 2008

Why are government organisations slow at embracing social media?

This post was triggered by a post over at Strange Attractor asking "Why isn't social software spreading like wildfire through business?"

This is a question I have considered as well, in the last year from a government perspective.

It particularly puzzled me late last year when I made unsuccessful efforts to get a wiki in place for a very clear need within the organisation.

At the time it was clear that people in my agency wanted to collaborate more effectively, that they were committed to their jobs and highly able.

They were already making good use of the collaboration tools they had - meetings, documents, email and intranet.

At the time I believed the limiting factor was time. Everyone was overworked and stressed - people simply did not have the capacity to take on more meetings, read more documents or send more emails.

I also thought the solution was clear. To facilitate more collaboration what people needed was the tools to leverage their time for collaboration more effectively. I aimed to help them achieve this leverage using online social media tools.

ROI could be justified by travel savings, employee satisfaction and better quality outcomes.

However when attempting to introduce the wiki, I hit a brick wall and we went back to older approaches which, in my calculations, have cost the agency significantly more money and time and delivered an inferior outcome.

At the time I was quite disappointed and looked for an explanation of the cause within the agency's structure.

However after months of thought on this topic, I've arrived at the following conclusion as to why smart and able people resist the introduction of tools that would help them in their jobs.


It's command and control culture
The majority of organisations, both public and private, are structured as effective dictatorships. There is a CEO at the top, they allocate power out to trusted lieutenants, who transfer smaller amounts of power to underlings.

Each lieutenant has a particular area of power - be it Marketing, Sales, ICT, Operations, Finance or HR. They work together on the fringes where power must be shared to achieve the organisation's goals.

Now clearly this is an effective structure. It worked for hundreds, if not thousands, of years in medieval societies. Kings and Queens at top, ministers and advisers beneath them and fiefdoms owing allegiance to different groups.

However, by its nature this approach is divisive rather than integrative.

Each lieutenant competes over resources, recognition and money for their groups. There is only a small incentive to co-operate, and alliances do not always last very long.

Within each group underlings compete in a similar fashion, for power, prestige and position.

Again this isn't the most fertile soil for collaboration - except where there is direction from above or very clear and unequivocal win-win situations.


Now from my writing you may draw the conclusion that I am against this structural approach.

Actually I'm not. There's nothing intrinsically wrong with a command and control approach. What is important is to consider the goals of the organisation and whether the means achieve those goals with the available resources.

As the goals and environment change over time, the approach needs to be reassessed to ensure it continues to deliver on the outcomes cost-effectively.


The impact of technology
Today organisations attempt to achieve a great deal more with fewer resources. Technology has already facilitated this.

Phones replaced telegraphs that replaced runners, computers replaced typing pools that replaced scribes.

These changes didn't happen overnight, but once a certain proportion of organisations made the change others had no choice but to also change or die.

This has happened with the internet as well. Entirely new companies have formed and become very successful in the last ten years. The 'dinosaurs' didn't die out overnight but are being forced to adopt some of the traits of newer organisations to survive.

This evolutionary process occurs faster in the private sphere due to competition over profits. Government, being funded by the public purse is not subject to the same degree of competition and has less incentive to risk change.


The network effect
Online social networks are one of the next steps in this evolution.

In some ways these networks are even more of a challenge for organisations than the introduction of personal computers, which could be integrated into existing organisational approaches.

Command and control structures by their nature seek to control and restrict information flows in order to better direct and focus their resources (staff). They silo areas by specific functions - putting all the programmers here, communications people there and finance people somewhere else.

This approach makes command and control management easier, as teams are homogeneous.

It also leads to the formation of different cultures and approaches in different areas of the organisation. These can reduce organisational efficiency by forming isolated silos, each with their own language and customs - a Tower of Babel situation.

Traditionally command and control organisations have dealt with this issue by employing translators to allow information to pass between areas in carefully managed ways. These include people in roles such as internal account managers, business analysts and project managers.

However with social networks the goal is complete transparency. Almost all the barriers between silos come down to allow free communication and collaboration. The focus becomes the outcome, rather than the process.


Change is hard
Even in cases where organisations want to support the free flow of ideas and collaboration, achieving this is hard as the command and control culture simply isn't aligned to support it.

Pockets of collaboration can and do spring up, but widespread adoption requires widespread change.

This change requires visible and strong leadership from those who gain the most from command and control structures and have the most to lose in a network organisation - the executives at the top of the pile.

If these people do not enthusiastically adopt, facilitate and support the change it will not occur.

This is very hard for senior management as they have the largest stake in the existing structure.

They need to willingly let go of their silo power in order to harness an even greater power - that of the organisation acting in unison.


The challenge is to give up control in order to retain it
So that's my view of why organisations are slow to adopt social media.

It's not skills, experience, power or even need. It's a side effect of the dominant command and control culture.

I'd appreciate your comments and views.


Bottom bar - change in motion
By the way for a practical example of how difficult this change can be and how long it takes, look at China and the political change it has been undergoing for the last twenty years.

The nation is struggling with how to give up centralised political power without losing control - a struggle reflected in miniature in many organisations around the world.


Intranet day - global event

It has felt a little like 'Intranet Day' in the last few days as I've posted a number of times about intranet developments.

It really was Intranet Day on 18-19 June - a global online event where intranet managers were able to discuss their intranet strategies and a number of large organisations such as the BBC, IBM and Microsoft demonstrated their intranet functionality.

The podcasts and slides from various presentations on the day will be available shortly at the IBF website.

I confess that I missed the event - hadn't even heard that it was taking place until it was over - so am eagerly awaiting these presentations. I'll post again once they are up.

If you also missed the event it is worth looking out for some of the Intranet Tours in Australia.

Or simply organise your own as I've done in the past.


Saturday, June 21, 2008

The power of participatory culture - in government

Stephen Collins of Acidlabs has delivered an extremely powerful presentation on the power of participatory culture and the evolution of social media as an extension of the natural tendency for humans to form communities.

These communities empower organisations, fostering a positive culture, improving staff retention, supporting collaboration and breaking down silos - making individual employees, teams and the entire organisation more powerful, effective and successful.

The approach holds as well, if not more so, for government organisations as for the private sector.

I cannot recommend this presentation highly enough!

Slouching towards intertwingularity: The power of participatory cultures


Visual bird's eye view of the internet's role in Barack Obama's US Presidential campaign

OK I admit it - Barack Obama's campaign, first for the Democratic nomination, and now for the US Presidency, fascinates me - hence my eObama post.

It's the first true online campaign for senior office in the world that has used the internet and social media effectively.

This visual representation of how the campaign ran, and the comparison of its success against others is fantastic for explaining how his systems work.

Developed by Xplane


