there are a couple ways of thinking about this, but i certainly don't think captchas are on the way out. (well, one way out is something like OpenID)
since captchas are based on feature detection in domains where humans are still far superior to computers, the ultimate captcha would be something based on faces.
the problem is the permutability of the variables in the captcha means a lot more overhead for more variables graphically produced. i mean, to produce a string of text is far easier than to produce 10 faces. and in picture captchas are you left with pass/fail for every picture, so it leads to much less permutability, compared to text. in this regard, i think text-based captchas still have a place and will stay for quite a while.
and the newer "what is 2 + 3" is so bafflingly breakable that i can't believe it is actually being used.
a method i think worth exploring is by tracking mouse clicks, like show a banner-sized picture and ask users to click through items in a certain sequence, like "mouse, truck, building, blah blah." then you calculate the deviation from the hit-zone. however this cannot be done without a mouse. to make it keyboard-friendly you'd probably need to present a bunch of icons and ask users to select those icons in some order. in fact, i imagine this to be a good password replacement scheme (but again, as a password scheme you'd need 26x2 + 10 icons to match the permutability of a d+w password. hence the mouseclick)
but in any case, captchas are fairly distracting when they appear, so the captcha idea i wrote above is something i would do only when i have enough time to play with.
"2 + 3" and codinghorror.com's "ORANGE" CAPTCHA are 99% effective.
There are many (mostly unpopular) sites without effective protective measures against SPAM. For attacking these sites, botnets are effective.
Almost all popular sites have some effective protective measures. For these sites, coding and deploying a constantly evolving botnet to keep up with this arms race is just not effective. It is more cost effective to hire third-world (or even first-world) labor to attack them.
There was an article on news.ycombinator.com a few days ago about how posting a comment on TechCrunch is more effective advertising than AdBrite. Go look at the comments on TechCrunch and pay attention to how many of the frequent commenters link back to their sites. (The kewter.com guy sticks in my mind the most, as that domain name is hard to forget).
With that in mind, imagine paying a few US college students $6.00 an hour to read+comment on weblogs, forums, and social networking sites for hours at a time. Tell them that they are to carry on educated, intelligent, and intriguing discussion. For each post, they need to include a link back to (their profile on) your website. You could even hack together a few tools to make it really easy for them to participate in dozens or hundreds of discussions per day--for example, build an email-confirmation sidebar widget for Firefox and some collaboration software that allows human-net to collude.
first off, where do you get the 99% effective statistic? I'm genuinely curious, because I cannot think of a reason why the simple addition test is effective at all; i am still as baffled as ever.
as for hired spammers, i don't see a protection against that, nor do i challenge your argument about it, but the subject is CAPTCHAs. CAPTCHAs are turing tests; they tell computers from humans, not humans from humans. the difference is that botnets take very little money to run, once the software is mature. hiring takes money, and that in itself is a barrier. i don't know the true costs of running botnets vs hiring commenters; perhaps as you said, hiring is more cost-efficient, but it seems almost trivially easy to defeat the "2 + 3" mechanism, so trivial, that i would assume it to cost significantly less to defeat than hiring somebody even at 6 dollars per hour.
if the hired commenters post "intelligent" content, well then, it is, by definition, intelligent content. if "intelligent" only means "coherent" and "somewhat related to the topic of discussion," fine, it can be spam, but it still fits two criteria: 1. a human posted it, 2. it required mental effort to create. a legitimate user who is a maniac wouldn't fare any better. as such, i would believe that a hired commenter who posts "intelligent content" is as at least as intelligent as a nonhired user who posts "unintelligent content."
The 99% effective statistic came from the author of codinghorror.com. His CAPTCHA for every comment is a single static image of the word "ORANGE" in a slightly stylized but plainly readable font. I've seen other bloggers claim that simple addition puzzles are almost 100% effective as well (at least, they were when they were introduced).
I think that spammers simply don't want to create a special case handling of every site they come across.
I think in less than 5 years, a botnet will be able to participate in discussions in a way that is nearly indistinguishable from humans. If a robot posts better-than-average commentary, do you care if it is a real human or not?
Interesting. Perhaps spammers are just lazy -- if they aren't following the latest captcha techniques. I still find those examples incredible, but as long as they work, happy.
And to answer your question, no. When you play chess with a strong computer, or a living grandmaster, both are formidable opponents playing the same game. Talking to an educated person and a strong AI capable computer would be participating in the same discussion. (I don't know if this is objectionable but it makes perfect sense to me; if you see otherwise, do explain.)
However, if and when that happens, the world is going down a wildly different path, and that problem you point out will be a minor one, compared to some dramatic job cuts it will likely bring about and the businesses that it wipes out.
since captchas are based on feature detection in domains where humans are still far superior to computers, the ultimate captcha would be something based on faces.
the problem is the permutability of the variables in the captcha means a lot more overhead for more variables graphically produced. i mean, to produce a string of text is far easier than to produce 10 faces. and in picture captchas are you left with pass/fail for every picture, so it leads to much less permutability, compared to text. in this regard, i think text-based captchas still have a place and will stay for quite a while.
and the newer "what is 2 + 3" is so bafflingly breakable that i can't believe it is actually being used.
a method i think worth exploring is by tracking mouse clicks, like show a banner-sized picture and ask users to click through items in a certain sequence, like "mouse, truck, building, blah blah." then you calculate the deviation from the hit-zone. however this cannot be done without a mouse. to make it keyboard-friendly you'd probably need to present a bunch of icons and ask users to select those icons in some order. in fact, i imagine this to be a good password replacement scheme (but again, as a password scheme you'd need 26x2 + 10 icons to match the permutability of a d+w password. hence the mouseclick)
but in any case, captchas are fairly distracting when they appear, so the captcha idea i wrote above is something i would do only when i have enough time to play with.