Wednesday, May 30, 2007

IM bots masquerading as humans

Seamus McCauley observes that on the internet, not many people know that you're a bot:
J: Would you like to hear a joke?
A: Sure, tell me about it.
J: Why don’t blind people skydive?
A: Perhaps it is impossible.

I hear worse jokes told by real people almost every day. And the above, of course, was the product of two chatbots talking to one another (Discover, via BoingBoing).

The Turing test is all very well, but in artificial lab conditions where you've been told to watch out for one robot and one human you've got a 50/50 chance of getting it right just by guessing. People just aren't generally paying that much attention, and at a time when many "people" communicate (almost) exclusively via 160 or even 80 characters of text I'm not at all convinced we'd spot the robots if they made up three-quarters of the online population.
It's not hard to imagine lots of devious phishing applications of these kinds of chat robots—they could be primed to ferret a certain kind of information out of you, such as your shopping preferences.

And the moral of this story? Don't waste your life indulging in the inane drivel of chat rooms, Twitter and so on? ; )


Sunday, March 18, 2007

Machine in the middle

Jerry Fishenden writes about the thorny problem of "man in the middle attacks":

It's not only the good side of the Web that reinvents itself of course: it's the dark side too. Every time someone improves security, new attack methods appear.

One of the most current annoyances is what I guess is called "real time man in the middle". Think about an online bank. To log in online to bank Websites these days, you need a whole host of different authenticating information. Usually things like account number, customer number and some memorable facts and dates. Often you get asked for some random digits from a memorable number - you know, give me the 1st, 4th and 5th numbers of your memorable number. The idea is that it makes phishing attacks harder - since a phishing site would not get all of your logon data in one go.

Well, that was the thinking. Except now there are phishing sites with real-time scripts talking to the genuine sites behind them. So you get asked to type into the phishing site exactly what the real site is asking. The phishing site sits between you and the real site, as a real time man in the middle, capturing your keystrokes and playing them back to the real site in real time. When the real site asks for the 1st, 4th and 5th numbers, so does the phishing site: they don't need to get your whole memorable number, just the bits the real site is asking for.

And there's the problem of inferring human identity across digital networks: compared to the incredibly rich set of cues we use to identify one another in our face-to-face human interaction, identifying cues provided by digital user interfaces remain primitive. Because we can be so easily hoodwinked into thinking that website Y is in fact website X, there's always the possibility that someone will intercept the information we generate in our interactions with the website to impersonate our identity.
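To make the relay problem concrete, here is an added example (not code from Fishenden's post or from this blog) that simulates the "give me the 1st, 4th and 5th digits" login and a phishing site relaying it in real time, and then contrasts it with a challenge response that is bound to the origin the browser is really talking to (the same idea WebAuthn uses). The bank, the origins, the memorable number and the device key are all constructed for the simulation.

```python
"""Simulate a real-time relay against a partial-password login and compare it
with a challenge response bound to the origin the browser actually sees.
Every name, key and secret below is constructed for this example."""
import hashlib
import hmac
import secrets

GENUINE_ORIGIN = "https://bank.example"          # constructed genuine site
PHISHING_ORIGIN = "https://bank-login.example"   # constructed relay site
MEMORABLE = "48291736"                           # constructed memorable number
DEVICE_KEY = b"constructed-device-key"           # constructed key registered with the bank


class Bank:
    """Genuine site. Issues a 'give me digits 1, 4 and 5' style challenge."""

    def __init__(self, memorable, device_key):
        self.memorable = memorable
        self.device_key = device_key
        self.origin = GENUINE_ORIGIN

    def challenge(self):
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(1, len(self.memorable) + 1), 3))
        return {"nonce": secrets.token_hex(8), "positions": positions}

    def verify_partial(self, chal, digits):
        # Scheme 1: the bank receives only the requested digits, nothing ties
        # the answer to where the user typed it.
        expected = "".join(self.memorable[p - 1] for p in chal["positions"])
        return hmac.compare_digest(expected, digits)

    def verify_bound(self, chal, tag):
        # Scheme 2: the bank recomputes the tag over the nonce AND its own origin.
        expected = bound_response(self.device_key, chal["nonce"], self.origin)
        return hmac.compare_digest(expected, tag)


def bound_response(key, nonce, origin_seen_by_browser):
    """What the user's browser computes: a MAC over the challenge nonce and the
    origin of the page that presented it (origin binding, as in WebAuthn)."""
    msg = f"{nonce}|{origin_seen_by_browser}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def user_types_digits(chal, memorable):
    """The user answers the partial-password prompt by typing the requested digits."""
    return "".join(memorable[p - 1] for p in chal["positions"])


def relay_partial_password(bank):
    """Phishing site fetches the genuine challenge, shows it to the user, and
    forwards the typed digits. The answer is just digits, so it works unchanged."""
    chal = bank.challenge()                       # relay asks the real site
    digits = user_types_digits(chal, MEMORABLE)   # user types into the phishing page
    return bank.verify_partial(chal, digits)      # relay forwards; bank accepts


def relay_origin_bound(bank):
    """Same relay against the origin-bound scheme: the browser MACs the origin it
    is really on (the phishing site), so the bank's check fails."""
    chal = bank.challenge()
    tag = bound_response(DEVICE_KEY, chal["nonce"], PHISHING_ORIGIN)
    return bank.verify_bound(chal, tag)


def honest_origin_bound(bank):
    """Control: the real browser on the real site produces a tag the bank accepts."""
    chal = bank.challenge()
    tag = bound_response(DEVICE_KEY, chal["nonce"], GENUINE_ORIGIN)
    return bank.verify_bound(chal, tag)


if __name__ == "__main__":
    bank = Bank(MEMORABLE, DEVICE_KEY)
    print("relay vs partial password accepted:", relay_partial_password(bank))  # True
    print("relay vs origin-bound login accepted:", relay_origin_bound(bank))    # False
    print("honest origin-bound login accepted:", honest_origin_bound(bank))     # True
```

The point the simulation makes is that asking for a subset of a secret changes nothing against a relay, because whatever the user types is exactly what the real site wants. The check only becomes useful when the response itself carries something the relay cannot forge or strip, here the origin the browser actually loaded, which is why origin-bound authenticators and server-side anomaly checks (a session whose answers arrive from a different address than the one the user is really on) are the practical defences.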
