Now Google's CAPTCHA Is Broken

steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."

My test:

[SleptThroughClass (1127287)]

"To continue, guess which finger I'm holding up."

Re:My test:

[areusche (1297613)]

Captcha is a joke. They're become so difficult to read that I can't even decipher what it means!

I don't know what these companies are going to do to keep spammers from running email bot networks.

I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

I've given up. Please just send me large amounts of email asking me to enlarge my pen15 while remortgaging my sub prime house!

Re:My test:

[eln (21727)]

I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

That won't work for anyone who cares about their own privacy. Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?

Re:

[thrillseeker (518224)]

well, it's an issue of trust - Google for example could be expected to not leak your card or apply charges to it, vice some other companies - and if 13-yr old Johnny wants an email address he can damn well ask his parents for one

Re:My test:

[compro01 (777531)]

I want to say verify identity with a credit/debit card

While we're thinking of bad ideas, why don't we give them our bank account numbers too?

Re:My test:

[Tx (96709)]

"Captcha is a joke. They're become so difficult to read that I can't even decipher what it means!"

I hear that. I was trying to complete one the other day, and honestly, I was only making educated guesses as to what the characters were, it took me three or four attempts. If they get any tougher, the only people who'll be able to do them will be the spammers using this kind of software!

Re:My test:

[Clandestine_Blaze (1019274)]

Soon, the only thing that will be able to read a CAPTCHA will be automated spam bots. The new CAPTCHA test will be: "If you can read this CAPTCHA, you are a spammer."

Those that get the CAPTCHA wrong will get in. Brilliant! Anyone want to subscribe to my newsletter?

Simple solution

[MosesJones (55544)]

I've got all the email addresses I want so lets just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.

Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.

Re:Simple solution

[iamdrscience (541136)]

lets just consider the internet closed to new entrants.

Your ideas are intriguing to me and I wish to subscribe to your newsletter.

Really though, I think we would have been better off if we did this about 10 years ago (maybe even 15). Better late than never though, I guess.

Well...

[bhunachchicken (834243)]

... you've got to admit that it's one hell of an achievement.

Re:Well...

[wtfispcloadletter (1303253)]

What is? Breaking Captcha? Not even close. Whether it's done with software or by paying humans in China, India, Africa, etc it's not impressive to say the least.

Google's captcha has been broken for a very long time. Only nobody has admitted it until now. I have several Google alerts setup for certain keywords. I use to get some pretty interesting alerts to articles, blogs, other sites, etc. Now 98%+ of the alerts I get are Blogger.com spam sites. It's been this way for about 5 months, possibly longer, but that's about when I started seeing an influx of pure junk.

At first I was reporting them to Google. Then after about the 100th or so alert and having checked several of the blogs to see if they were taken down (they weren't, just the one particular page that I reported was) I just gave up. Realizing that Google's captcha is seriously flawed and was broken.

Google and others need to change how easy it is for people to sign up for an account with them. Yes, it's going to be a hard row to hoe, but it needs to be done, especially for blogspot/blogger.com as those pages are just littering the internet with junk.

Great Source

[Frosty Piss (770223)]

Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".

Re:

[mapsjanhere (1130359)]

Especially since there seem to be still doubt if most cracks are actually done by computer, or by humans. They all seem to be happening "off-line" at some unknown destination. Which might be a server cluster in some Russian university, or a sweat-shop in Bangladesh.

Enlarge your penis with Gillette Venus

[tepples (727027)]

Why should we believe this any more than we believe a cream can add two inches to your penis?

Possible bad example. Shaving cream along with a razor actually can add visible inches to a man's penis by taking pubic hair out of the way.

Re:Enlarge your penis with Gillette Venus

[gnud (934243)]

Shaving cream along with a razor can easily remove visible and very real inches from a man's penis :(

A modest proposal

[GroeFaZ (850443)]

1. Make the proof for P=NP the new CAPTCHA
2. Wait for crackers to solve it.
3. Profit!!

Re:A modest proposal

[by Anonymous Coward]

Assume N == 1,
p = 1p

You are rich now...
I hope you buy porsche for that money!

pick the cat

[gEvil (beta) (945888)]

I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!

Re:

[Deathdonut (604275)]

The basic problem with the 'pick the cat' CAPTCHA is that many computer users wouldn't know a pussy if they ever saw one.

Couldn't that be part of the test?

[mengel (13619)]

Couldn't you do a captcha where the first presentation has no cats? The user has to hit the refresh once or twice before seeing a cat, and then pick it; if they pick any of the non-cats, you call them a 'bot...

The real problem is GMail

[Animats (122034)]

Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. [jiffycreator.com] Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where probably time to start blocking GMail addresses too.

Want to see a GMail scammer in action right now? Read this. [getafreelancer.com]

What I'm most excited about though is...

[bhunachchicken (834243)]

"including 'pick the cat' style CAPTCHA."

This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)

DARPA math tests

[nategoose (1004564)]

Maybe instead of CAPCHA's sites should start using those math problems from DARPA's really hard math problems [slashdot.org] since these people seem to be so good at solving complex computational problems.

captchas, what about handwriting recognition?

[theantix (466036)]

OK can someone pleas hire these guys to work on handwriting recognition software? If they can ready these bizarrely twisted captchas why can't Palm read my name?

IT salaries are just too low.

[140Mandak262Jamuna (970587)]

If there are people who could write such sophisticated image processing software, and it pays them better to be bot runners bot enablers, the pay must be good on the dark side of the force.

Next CAPTCHAs

[chord.wav (599850)]

As usual, our firends at DARPA are always one step ahead. Use these to replace of the old CAPTCHAs.

1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.

2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.

3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...

Can we get them to release the source?

[s7uar7 (746699)]

I always have a hell of a job reading Google's CAPTCHAs; a tool to do it automatically would be very useful.

Re:Why

[Bashae (1250564)]

How about an international treaty to implement the death penalty for spammers all over the world.

I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.

Re:Why

[isorox (205688)]

How about an international treaty to implement the death penalty for spammers all over the world.

I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.

How about a death penalty for anyone that buys anything from spam?

I'll do you one better!

[gbutler69 (910166)]

How about the Death Penalty for anyone who suggests the Death Penalty for anything besided truly heinous crimes? Oh, no, I just ate my tail.

Re:Why

[HTH NE1 (675604)]

Killing people is wrong. Comparing people to pests is something that the Nazis liked to do, with the same intention: to pave the way for killing people.

What if Godwin's Law carried the Death Penalty?

Re:Why

[moderatorrater (1095745)]

They probably should be, honestly. However, why not be thankful that the opposition is being open about their abilities to crack security? Obviously, a CAPTCHA system isn't going to work for the future; we should be developing a new methodology for verification.

Re:Why

[spiffmastercow (1001386)]

aren't these guys in jail?

I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

Re:Why

[WK2 (1072560)]

Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not).

Re:Why

[swb (14022)]

Another benefit is that the drug tests aren't "Have you?" they are "How much do you want?"

Re:Why

[DriedClexler (814907)]

It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

Not when you consider how much professors make vs. how much spammers who can beat captchas can make. Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.

Incidentally, I was just reading Douglas Hofstadter's Metamagical Themas, where he goes in great depth talking about the difficulty of defining the letter "A", and how people are capable of recognizing A's in truly bizarre fonts. (And how it carries over to native readers of Chinese and defining Chinese characters.) He pursuasively argues that ability to recognize any 'A', including all the bizarre fonts with 'A' is AI-complete (though of course he didn't use that term). So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.

Re:Why

[synaptik (125)]

It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

Why $pammer$ in$tead of $chool? I$ that really your que$tion? $omehow, I think you might have mi$$ed the mo$t obviou$ motivation.

Re:Why

[geminidomino (614729)]

What does Microsoft have to do with it?

Re:

[SnowZero (92219)]

A 1% success rate is good enough to effectively "break" a captchca, but not good enough to really advance the state of machine vision by itself. In the end though, some good OCR work could come of these efforts, but not in comparison to the money and time everyone else loses from spam; We could have just funded the research. Sending spam, and unfortunately writing advanced spam tools, pays better than a university position.

Re:Why

[rockmuelle (575982)]

"I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position."

So, I have a Ph.D. and know how to write this kind of software (well, I know how to go about writing this kind of software and have done it for other domains). Here's why I'm not working at a research institute or pursing a tenured university position:

First off, research institutes don't really exist anymore. There are a few corporate labs left, but they all focus on medium term product development (5 years out). The national labs still exist, but they're managed like businesses now and it's more difficult to do pure research at them. University "institutes" are just glorified research labs. If you're not the PI, you're either a post-doc, grad student, or tech, none of which is a viable long-term career option.

To get tenure, you have to spend 4-8 years working non-stop writing grants to fund students to do research so you can build up a publication record that impresses the tenure committee. Note that grants and pubs are both necessary: grants show you can bring money into the university, publications get the approval of the committee members outside your domain who only know how to assess research abilities by impact factors.

During this time, all your research is done by graduate students, who are often at the beginning of the careers and have limited technical abilities. They may be brilliant, but they are not the most efficient workers. So, not only do you have to publish, but your labor pool consists of people with 1-3 years experience.

Before tenure, you'll also only pull in about $60-90k/yr (and I know two very smart people who worked for free their first year as "visiting professors" just to get their foot in the door). At the end of this, if you don't get tenure, you're unemployable until you build up some marketable skills.

Contrast this with industry positions. While you don't get to work on whatever you want, there are some very interesting problems out there if you take your time to find a good position. At work, you're hired to do a job, not chase down funding, so you can spend more time working on the fun stuff. The hours are reasonable, so you have time in the evenings for other projects/hobbies (you don't have free time in academia). If you're selective in your employer, you'll also work with people with a broad range of experience and skills. You'll also make more money. And, if you're good and publish from time to time, you can get a tenured position later in life without having to go through the tenure process.

Of course, if you're evil, you can also find work breaking CAPTCHAs and building bot nets.

Note that though this sounds bitter, I'm not... I had a blast going back to school and highly recommend it to people mid-career (hint: go to the mid-west where it's cheap to live and your quality-of-life will remain about the same). But, modern academic environments just don't present an enticing career path.

-Chris

Re:Why

[erroneus (253617)]

Because they are circumventing a computer security measure. That is a felony in the U.S.

Re:

[thrillseeker (518224)]

unless it's the ("wrong") VP candidate's private email ...

Re:Why

[gEvil (beta) (945888)]

Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.

Yeah, jail all those muck-runners! (what is a 'muck'?)

Re:Why

[DreadfulGrape (398188)]

You (but mainly parent poster) might be interested to know that the word is actually "amok" which is defined as a "psychic disturbance characterized by depression followed by a manic urge to murder."

Indeed, this is what it means to "run amok." Also refer to the classic Looney Tunes clip, "Duck Amok."

hmmm... this is either Informative or Off-Topic. Guess I'll leave that to the moderators to decide.

Re:Why

[Jeremy Erwin (2054)]

(what is a 'muck'?)
Among other things, muck is horse manure. To muck a stall is to remove all the droppings and change the bedding.

Re:

[by Anonymous Coward]

No, they write image recognition software. The people who use their programs defraud Google.

Re:Why

[lilomar (1072448)]

by breaking turing tests.

Don't you mean passing turing tests?

Re:Why

[FilterMapReduce (1296509)]

Well, CAPTCHAs aren't true Turing tests; the goal of the classic Turing test is to force the computer to exhibit human intelligence in a back-and-forth interaction with an actual human. A CAPTCHA presents only a single intelligence-based challenge (recognizing the image). But if the CAPTCHA is considered to be a kind of limited/lazy Turing test, passing it "honestly" would consist of being able to recognize images in general, like a human, not by merely knowing how to solve the limited scope of image-puzzles that the particular CAPTCHA uses. So in that sense, these CAPTCHA-breakers do "cheat" or "break" the test by exploiting that limited scope.

Re:

[daem0n1x (748565)]

Great. Let's forbid Nmap. Forget that it's a very useful network administration tool. Hackers use it a lot.

Let's forbid cars. Bank robbers use them to escape.

Re:Why

[HTH NE1 (675604)]

From TFA:

This time those evil Russian bastards..

That would be why.

What does being born out of wedlock have to do with it?