Gmail CAPTCHA Cracked

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

i work with OCR/ICR technology

and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)

Re:i work with OCR/ICR technology

Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

Re:i work with OCR/ICR technology

It's actually being cracked by a million monkeys clattering away at a million typewriters. Pretty hard to defeat that.

I liked the invitations only system better

I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.

One step closer...

I'm surprised they opened it up to the public.

This is good. Every time a bot successfully passes itself off as human, I get one step closer to getting my Turing machine.

I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.

Re:One step closer...

Turing machine? Long magnetic tape with simple instruction set and finite alphabet? Don't we essentially have those for all intents and purposes? Turing did more theoretical work with computers than just AI.

Bots COULD invite themselves, that's not the point

You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.

If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.

It would help for rooting out bot accounts.

Bots RTFM!

Curiously, the bots pretend to read the help information while breaking the CAPTCHA

Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)

Re:Bots RTFM!

Except truly intelligent bots would realize that reading the help makes them easily distinguishable from humans. Bots that wanted to look human should also have the REFERER field show them as coming from a pr0n or blog site.

CAPTCHA is for weak minds

Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.

Re:CAPTCHA is for weak minds

That raises an interesting idea... why not use the capchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

This accomplishes three goals:
- fairly effective capchas
- accomplishes something
- causes OCR quality to improve (via the hard work of the botnet coders)

Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

Re:CAPTCHA is for weak minds

http://recaptcha.net/ [recaptcha.net]

Humans?

This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?

(I would imagine that this job would have high turnover :) )

Re:Humans?

one technique that has been used in the past, is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. people register and they get their captchas done for free.

Well...

It would be too obvious if they were reading the ToS.

Stop using CAPTCHA!

Seriuosly! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuosly growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

Re:Stop using CAPTCHA!

Just use kittens [arstechnica.com] instead...

The idea is to present a 3x3 grid of images and have the user select the 3 kittens from the 9 fuzzy animals. That's something computers are still quite bad at... Though you probably need to change the probability of getting it by random luck to be worse than 1/84, in practice.

To be fair..

the CAPTCHA hasn't been "cracked". These people are just using humans to enter the CAPTCHA text; which is the whole point of the CAPTCHA anyways!

Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".

The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.

CAPTCHAs should die

They are an awful abomination on all website usability and is becoming increasingly common they just don't do what they are supposed to do any more.

So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.

My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack then letters and numbers. Most importantly it's cute! So adorable

Mechanical Turk

If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".

When the bot gets the answer in time, it submits the form and there we go, account.

spam filtering

So if someone has broken the captcha, spam bots can send spam from the fake google accounts. Google can rate-limit outgoing email. Also they can watch accounts that send identical or similar emails. They already do profiling of accounts for adsense. By profiling accounts to filter spam, they can warn and then close down spammy accounts or simply close down the ones that look very spammy. Additionally, they can filter IPs and use cookies to identify infected spamnet computers.

If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.

I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.

Re:Blurred text == secure??

Its funny actually, in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While havening the unblurred image certainly helps, its not necessary.

Re:Get off the security high horse.

Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

Yet it is the case that sufficiently large numbers of Windows users are unable to keep their machines secure for a botnet to accomplish this task. The fact that Windows can be made secure does not even remotely mean that this will be done in practice.

Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc. The fact is that it isn't.

Re:Get off the security high horse.

I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc

A botnet developer who hopes to mass a significantly sized network would have no interest in the sub 5% of desktop(read poorly managed, no matter the OS) computers that your niche market segment occupies.

Re:Time to ban Microsoft products

> A linux desktop O/S is just as insecure technically.
Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.

>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.

>They're both not secure.
That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.

>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

Or you might document and analyze your threat model first, before protecting against those threats.