Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

Fallout From the Fall of CAPTCHAs

Posted by kdawson on Tue Jul 15, 2008 05:05 PM
from the script-kiddie-fodder dept.
Security Spam
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
captcha security spam recaptcha
it security
story

Related Stories

[+] Yahoo CAPTCHA Hacked 252 comments
Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."
[+] Gmail CAPTCHA Cracked 317 comments
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
[+] Technology: Windows Live Hotmail CAPTCHA Cracked, Exploited 362 comments
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Firehose:The rise and fall of CAPTCHAs: now a hackers dream by Anonymous Coward
[+] Technology: reCAPTCHA Hard At Work, Rescuing Fading Texts 112 comments
sciencehabit writes "Computer scientists have developed a program, called reCAPTCHA, which is being used in lieu of CAPTCHA by several sites, to help digitize old books and newspapers. The reCAPTCHA takes entries from old and faded texts that optical scanners and digital-text readers have trouble with. So every time you solve that string of crooked letters, you may actually be helping historians digitally reconstruct a page from the 1908 New York Times." The Science Now story links to the longer and more informative article at Ars Technica. (We last mentioned this program last year — and now it's good to get some sense of how well it's working.)
[+] Now Even Photo CAPTCHAs Have Been Cracked 20 comments
MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Fallout From the Fall of CAPTCHAs 25 Comments More | Login /

 Full
 Abbreviated
 Hidden
More | Login
Loading... please wait.

  • Cracaked CAPTHAs!!! oh no! (Score:5, Interesting)

    by xpuppykickerx (1290760) on Tuesday July 15, @05:08PM (#24203279)
    I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

    • Re:Cracaked CAPTHAs!!! oh no! (Score:5, Insightful)

      by Anders (395) on Tuesday July 15, @05:16PM (#24203421)

      I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

      They don't view it better than you, they just do not get impatient from failing 4 out of 5 times.

        • The best way I've seen that captcha's got broken are by "free porn sites". The web site is what is cracking another captcha. When it gets a captcha to solve, it passes it to one if it's "porn viewers" - "please type the word that this captcha says in order to prove you are old enough to view the porn". Then the porn is displayed and the bot running on the website has a potential solution made by a human to do it's botting with.

          This method will suffice to crack ANY CAPTCHA!

          --jeffk++

  • Anyone usinging specialised tests? (Score:5, Interesting)

    by niceone (992278) * on Tuesday July 15, @05:09PM (#24203291) Journal
    Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register (it gets easier if you reload the page a few times, down to simple arithmetic). I have a site that is only of interest to people who use verilog (a hardware design language) I've toyed with requiring a some digital logic problem to be solved, but the volume of spam signups it's big enough for me to be bothered yet...

    Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.
      • The problem is that to set up that CAPTCHA you have to have a person sift through a huge picture archive of cats and dogs and mark each one. However, that limits the size of your CAPTCHA dictionary to however many entries a person can parse in a reasonable amount of time. This means the bad guys can sit down a person (or two, or ten) and go through all of your images to seed a database with the correct answers for their bots.

      • Re:Anyone usinging specialised tests? (Score:5, Insightful)

        by Lehk228 (705449) on Tuesday July 15, @05:23PM (#24203537) Journal
        not really, unless the catalog is huge and you expect your legitimate users to be biologists. if there are even as many as 100 animals the script can just guess, and 1% of attempts get through. when thousands of bots are signing up simultaniously 1% is a whole lot of bots

        • Re:Anyone usinging specialised tests? (Score:5, Interesting)

          by stomv (80392) on Tuesday July 15, @05:40PM (#24203829) Homepage

          what is the opposite of up?
          what day is after friday?
          what does seven plus three equal?
          what letter of the alphabet comes before d?
          how many wheels does a bicycle have?
          what is the third word of this sentence?

          These are generally difficult for computers to solve, can be programed to have permutations, and since the quiz answer can be tied to the account, if a particular question or style is getting spammed frequently, it can be removed from the list of questions.

          It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.

  • Mix it up a bit? (Score:5, Interesting)

    by Hektor_Troy (262592) on Tuesday July 15, @05:10PM (#24203303)

    Combine it with a mix of simple math and image recognition? I.e.

    "What colour hair does the (2+four)/3 girl from the left have?"

    Hell, skip the math part if that's too easy.

    • Re:Mix it up a bit? (Score:5, Insightful)

      by jandrese (485) <kensama@vt.edu> on Tuesday July 15, @05:19PM (#24203473) Homepage Journal
      Computers are pretty good at math last time I checked. Asking for something that would require a full on AI to answer is good (the hair color part), but the problem is that it requires a human to seed the questions, which means they will be limited in number. If they're limited in number then the spammers will just go through and keep reloading the screen until they've seen all (or mostly all) of the answers and program their bot with the correct answers.

      CAPTCHAs need to be able to be generated algorithmically by a computer, but not answered by one, which is a surprisingly difficult problem. Anything that requires human intervention on the creation of each variation is doomed to fail because spammers have more free time than you do.

        • Re:Mix it up a bit? (Score:5, Funny)

          by jandrese (485) <kensama@vt.edu> on Tuesday July 15, @05:32PM (#24203699) Homepage Journal
          I can't wait until someone's daughter tries to make an account on Barbie's Horse Talk website and is presented with the following CAPTCHA:

          Prove that a 3-manifold space has the additional property that each loop in the space can be continuously tightened to a point then it is just a three-dimensional sphere.

  • CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.

    Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.

  • Still useful (Score:5, Insightful)

    by truthsearch (249536) on Tuesday July 15, @05:18PM (#24203453) Homepage Journal

    CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.

    For example, I use reCAPTCHA [recaptcha.net] on DocForge [docforge.com] to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.

  • The best part is.. (Score:5, Interesting)

    by QuantumG (50515) * <qg@biodome.org> on Tuesday July 15, @05:20PM (#24203487) Homepage Journal

    Spammers are cracking some of the hardest problems of AI research.

    How can they do that, and yet all the great academic minds can't? Two things:

    * funding
    * a willingness to use "anything that works"

    What's really scary is that, in the end, spamming may turn out to be an agent of good.

  • A dumb question: (Score:5, Interesting)

    by AndGodSed (968378) on Tuesday July 15, @05:21PM (#24203507) Homepage

    Howcome /. is so spam free?

    Do the hackers just not care about us,
    or:
    is this like one of those "safe zones" where geeks and hackers can hang out as long as nobody asks or tells? (looks at guy to his left..."say is that a CAPTCHA in your pocket or are you just excited to be here...")

  • fall of open email (Score:5, Insightful)

    by drDugan (219551) on Tuesday July 15, @05:23PM (#24203551) Homepage

    it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

    in a globally connected world with several billion possible users - open email simply won't work much longer.

    when we need are permission based systems - ones in which people need permission before they can contact another person. it would eliminate spam entirely, by integrating whitelists into mail clients. because no one has built a system like this that leverages and extends existing email servers - private organizations leveraging social connections have moved in to fill the gap. sadly, because facebook messages and myspace messages are not built on an open standard - you have to go through those companies to contact people.

    • Re:fall of open email (Score:5, Funny)

      by TheLostSamurai (1051736) on Tuesday July 15, @05:55PM (#24204045)

      it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

      Whatever happened to giving someone your phone number and actually talking to them. I asked a girl for her number the other night and she gave me her myspace address. Thanks, but no thanks. At least make the effort and give me a fake phone number if you don't ever really want to talk to me again.

  • Just use (Score:5, Insightful)

    by linhares (1241614) <linharesNO@SPAMclubofrome.org.br> on Tuesday July 15, @05:30PM (#24203673) Homepage
    BONGARD PROBLEMS [scribd.com]. No machine can crack them in at least 10 years time. And when one does, baby, we'll have genuine AI.

  • The Irony (Score:5, Funny)

    by techsoldaten (309296) on Tuesday July 15, @05:42PM (#24203869) Homepage Journal

    The irony about this is that a CAPTCHA is a Turing test, a form of authentication designed to prove that a human is making the request. Given that some CAPTCHAs are rapidly becoming too hard for people to read, the outcomes of the tests are reversed - humans cannot win the test, only computers.

    I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.

    M

    • Re:The Irony (Score:5, Interesting)

      by Telecommando (513768) on Tuesday July 15, @06:07PM (#24204237)

      Interesting.

      A few months ago I tried to post on a blog (sorry, I forget which one), entered the CAPTCHA and got a message that I was a suspected bot and my IP address was banned from posting for 48 hours.

      I went back and carefully read the terms of use (just above the posting window) and buried in the middle of the terms was the phrase, "Do not enter the captcha, instead enter the first three letters of the fifteenth word in the second paragraph followed by the third word after the eighth word in the first paragraph in all capital letters."

      A neat idea, but I suppose it won't be long before that one is cracked as well.

  • On sites like gMail.. (Score:5, Insightful)

    by bill_kress (99356) on Tuesday July 15, @05:43PM (#24203901)

    On gMail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.

    The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.

    If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.

    You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.

    Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.

    Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within google (I know there are quite a few of those)

  • Misleading phrasing (Score:5, Insightful)

    by merreborn (853723) on Tuesday July 15, @05:54PM (#24204039) Journal

    CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work

    This is misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.

    And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA)

    If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.

  • Offshoring CAPTCHA solving (Score:5, Informative)

    by Animats (122034) on Tuesday July 15, @06:18PM (#24204385) Homepage

    The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. [ezadsuite.com] This has become a sizable operation. System status earlier today:

    Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
    Queued Captchas: 91
    Total outsourced volume: 4564301

    This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.

    Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.

    The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.

    As I've pointed out previously, Google plays a central role in this. [slashdot.org] Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.

    Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.

    Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.