New web security system tests computers' emotions

Sorting the men from the replicants.

A new Captcha system seeks to separate humans from computers by testing empathy – and spreading awareness of human rights abuses at the same time.

A Captcha – which stands for Completely Automated Public Turing test to tell Computers and Humans Apart – is the test used when logging into many sites to distinguish between real people and malicious programs, which may attempt to log into many thousands of accounts at the same time. You've all used one – signing up for a New Statesman commenting account, if nowhere else – and they are ripe for being put to good use.

reCAPTCHA was the first socially beneficial captcha, and is still the most popular. It uses the combined might of all the human brain power wasted on Captchas to transcribe scanned books:

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly.

Since it took off, reCAPTCHA has been used on innumerable sites, and is now displayed over 100 million times a day. But that success comes at a price. Now that the low-hanging fruit has been plucked, fewer and fewer easily transcribable words remain in its corpus, meaning that the system regularly throws up completely unintelligible words, words in other scripts, or things which just aren't language at all.

The Civil Rights Captcha wants to be the replacement. Rather than using the captcha to perform useful work, as reCAPTCHA does, it uses it to raise awareness about important issues:

Instead of visually decoding an image of distorted letters, the user has to take a stand regarding facts about human rights. Depending on whether the described situation is positively or negatively charged, the CAPTCHA generates three random words from a database. These words describe positive and negative emotions. The user selects the word that best matches how they feel about the situation, and writes the word in the CAPTCHA. Only one answer is correct, the answer showing compassion and empathy.

As well as being important socially – example questions include "The parliament in St. Petersburg recently passed a law that forbids 'homosexual propaganda'. How does that make you feel?" – the Civil Rights Captcha is also stronger against attack. It includes the same visual element as a reCAPTCHA, requiring potential attackers to decipher obfuscated words, but it also requires any automated attack to parse a complex question, pick the right emotion, and only then work out which of the proffered words match that emotion.
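To make the quoted mechanism concrete, here is an added Python sketch of how a server could issue such a challenge and check the answer. It is not the Civil Rights Captcha project's own code: the scenarios, the emotion vocabulary, and the function names generate_challenge and verify are all constructed for this illustration.

```python
"""Hypothetical server-side model of an empathy-based CAPTCHA.

Added illustration only; not the Civil Rights Captcha project's code.
The scenarios, emotion words and function names are constructed here.
"""
import hmac
import random
import uuid

# CSPRNG-backed generator so word choice and option order are unpredictable.
_rng = random.SystemRandom()

# Constructed sample scenarios, each tagged with the positive/negative
# "charge" the quoted description refers to.
SCENARIOS = [
    ("A court struck down a law that banned peaceful protest.", "positive"),
    ("A journalist was jailed for reporting on corruption.", "negative"),
]

# Constructed emotion vocabulary. The empathetic answer shares the
# scenario's charge; the two distractors come from the opposite charge.
EMOTIONS = {
    "positive": ["hopeful", "relieved", "glad", "proud"],
    "negative": ["angry", "sad", "upset", "worried"],
}

# Pending challenges keyed by id. Only the id, the scenario text and the
# three options go to the client; the expected word never leaves the server.
_pending = {}


def generate_challenge():
    """Build one challenge and remember its answer server-side."""
    text, charge = _rng.choice(SCENARIOS)
    other = "negative" if charge == "positive" else "positive"
    expected = _rng.choice(EMOTIONS[charge])
    options = [expected] + _rng.sample(EMOTIONS[other], 2)
    _rng.shuffle(options)
    cid = uuid.uuid4().hex
    _pending[cid] = expected
    return {"id": cid, "scenario": text, "options": options}


def verify(cid, answer):
    """Consume the challenge and check the submitted word.

    Every challenge is single-use: a correct answer cannot be replayed,
    and a wrong one forces the client to fetch a fresh challenge.
    """
    expected = _pending.pop(cid, None)
    if expected is None:
        return False
    submitted = answer.strip().lower().encode("utf-8")
    # Constant-time comparison, so response timing does not reveal
    # how much of the expected word a guess got right.
    return hmac.compare_digest(submitted, expected.encode("utf-8"))


if __name__ == "__main__":
    challenge = generate_challenge()
    print(challenge["scenario"])
    print("How does that make you feel?", challenge["options"])
```

The defensive point is that the client only ever sees the scenario and three words; the expected word is looked up by challenge id, compared in constant time, and discarded on first use. A real deployment would also expire stale pending entries and rate-limit attempts, because with three options a blind guess is right one time in three, so the scheme's strength against automation lies in the question parsing rather than in the size of the answer space.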

The whole thing is rather reminiscent of Blade Runner:

We'll catch those pesky replicants yet. (Rutger Hauer, in the film Blade Runner.)

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Marcus Hutchins: What we know so far about the arrest of the hero hacker

The 23-year-old who stopped the WannaCry malware which attacked the NHS has been arrested in the US.

In May, Marcus Hutchins, who goes by the online name MalwareTech, became a national hero after "accidentally" discovering a way to stop the WannaCry virus that had paralysed parts of the NHS.

Now, the 23-year-old darling of cyber security is facing charges of cyber crime following a bizarre turn of events that have left many baffled. So what do we know about his indictment?

Arrest

Hutchins, from Ilfracombe in Devon, was reportedly arrested by the FBI in Las Vegas on Wednesday before travelling back from cyber security conferences Black Hat and Def Con.

He is now due to appear in court in Las Vegas later today after being accused of involvement with a piece of malware used to access people's bank accounts.

"Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan," said the US Department of Justice.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

His court appearance comes after he was arraigned in Las Vegas yesterday. He made no statement beyond a series of one-word answers to basic questions from the judge, the Guardian reports. A public defender said Hutchins had no criminal history and had previously cooperated with federal authorities.

The malware

Kronos, a so-called Trojan, is a kind of malware that disguises itself as legitimate software while harvesting unsuspecting victims' online banking login details and other financial data.

It emerged in July 2014 on a Russian underground forum, where it was advertised for $7,000 (£5,330), a relatively high figure at the time, according to the BBC.

Shortly after it made the news, a video demonstrating the malware was posted to YouTube allegedly by Hutchins' co-defendant, who has not been named. Hutchins later tweeted: "Anyone got a kronos sample."

His mum, Janet Hutchins, told the Press Association it is "hugely unlikely" he was involved because he spent "enormous amounts of time" fighting attacks.

Research?

Meanwhile, Ryan Kalember, a security researcher from Proofpoint, told the Guardian that the actions of researchers investigating malware may sometimes look criminal.

"This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure," said Kalember. "Lots of researchers like to log in to crimeware tools and interfaces and play around."

The indictment alleges that Hutchins created and sold Kronos on internet forums including the AlphaBay dark web market, which was shut down last month.

"Sometimes you have to at least pretend to be selling something interesting to get people to trust you," added Kalember. "It's not an uncommon thing for researchers to do and I don't know if the FBI could tell the difference."

It's a sentiment echoed by US cyber-attorney Tor Ekeland, who told Radio 4's Today Programme: "I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution."

Hutchins could face 40 years in jail if found guilty, Ekeland said, but he added that no victims had been named.

This article also appears on NS Tech, a new division of the New Statesman focusing on the intersection of technology and politics.

Oscar Williams is editor of the New Statesman's sister site NS Tech.