Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

Now Google's CAPTCHA Is Broken

Posted by CmdrTaco on Thursday October 02, @11:33AM
from the throw-it-on-the-pile dept.
Security Google
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
google security captcha turingtest spam
it security
story

Related Stories

[+] Spammers Targeting Microsoft's Revised CAPTCHA 303 comments
toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"
Firehose:Now Googles CAPTCHA is Broken! by steveit_is (650459)
[+] Now Even Photo CAPTCHAs Have Been Cracked
MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Now Google's CAPTCHA Is Broken 25 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.

  • My test: (Score:5, Funny)

    by SleptThroughClass (1127287) on Thursday October 02, @11:37AM (#25233599) Journal
    "To continue, guess which finger I'm holding up."

      • Re:My test: (Score:5, Insightful)

        by eln (21727) on Thursday October 02, @11:51AM (#25233849)

        I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

        That won't work for anyone who cares about their own privacy. Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?

      • Re:My test: (Score:5, Insightful)

        by Tx (96709) on Thursday October 02, @12:15PM (#25234211) Journal

        "Captcha is a joke. They're become so difficult to read that I can't even decipher what it means!"

        I hear that. I was trying to complete one the other day, and honestly, I was only making educated guesses as to what the characters were, it took me three or four attempts. If they get any tougher, the only people who'll be able to do them will be the spammers using this kind of software!

  • Simple solution (Score:5, Funny)

    by MosesJones (55544) on Thursday October 02, @11:39AM (#25233633) Homepage

    I've got all the email addresses I want so lets just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.

    Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.

  • Well... (Score:5, Insightful)

    by bhunachchicken (834243) on Thursday October 02, @11:39AM (#25233653) Homepage
    ... you've got to admit that it's one hell of an achievement.

    • Re:Well... (Score:5, Insightful)

      by wtfispcloadletter (1303253) on Thursday October 02, @12:03PM (#25234007)

      What is? Breaking Captcha? Not even close. Whether it's done with software or by paying humans in China, India, Africa, etc it's not impressive to say the least.

      Google's captcha has been broken for a very long time. Only nobody has admitted it until now. I have several Google alerts setup for certain keywords. I use to get some pretty interesting alerts to articles, blogs, other sites, etc. Now 98%+ of the alerts I get are Blogger.com spam sites. It's been this way for about 5 months, possibly longer, but that's about when I started seeing an influx of pure junk.

      At first I was reporting them to Google. Then after about the 100th or so alert and having checked several of the blogs to see if they were taken down (they weren't, just the one particular page that I reported was) I just gave up. Realizing that Google's captcha is seriously flawed and was broken.

      Google and others need to change how easy it is for people to sign up for an account with them. Yes, it's going to be a hard row to hoe, but it needs to be done, especially for blogspot/blogger.com as those pages are just littering the internet with junk.

  • Great Source (Score:5, Insightful)

    by Frosty Piss (770223) on Thursday October 02, @11:41AM (#25233681)
    Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".

  • A modest proposal (Score:5, Funny)

    by GroeFaZ (850443) on Thursday October 02, @11:41AM (#25233685)
    1. Make the proof for P=NP the new CAPTCHA
    2. Wait for crackers to solve it.
    3. Profit!!

  • pick the cat (Score:5, Funny)

    by gEvil (beta) (945888) on Thursday October 02, @11:42AM (#25233697)
    I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!

  • The real problem is GMail (Score:5, Interesting)

    by Animats (122034) on Thursday October 02, @11:44AM (#25233727) Homepage

    Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. [jiffycreator.com] Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where probably time to start blocking GMail addresses too.

    Want to see a GMail scammer in action right now? Read this. [getafreelancer.com]

  • DARPA math tests (Score:5, Funny)

    by nategoose (1004564) on Thursday October 02, @11:48AM (#25233805)
    Maybe instead of CAPCHA's sites should start using those math problems from DARPA's really hard math problems [slashdot.org] since these people seem to be so good at solving complex computational problems.

  • OK can someone pleas hire these guys to work on handwriting recognition software? If they can ready these bizarrely twisted captchas why can't Palm read my name?

    • Re:Why (Score:5, Insightful)

      by moderatorrater (1095745) on Thursday October 02, @11:49AM (#25233811)
      They probably should be, honestly. However, why not be thankful that the opposition is being open about their abilities to crack security? Obviously, a CAPTCHA system isn't going to work for the future; we should be developing a new methodology for verification.

    • Re:Why (Score:5, Insightful)

      by spiffmastercow (1001386) on Thursday October 02, @11:51AM (#25233859)

      aren't these guys in jail?

      I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

      • Re:Why (Score:5, Funny)

        by WK2 (1072560) on Thursday October 02, @12:04PM (#25234023) Homepage

        Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not).

      • Re:Why (Score:5, Interesting)

        by DriedClexler (814907) on Thursday October 02, @12:05PM (#25234047)

        It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

        Not when you consider how much professors make vs. how much spammers who can beat captchas can make. Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.

        Incidentally, I was just reading Douglas Hofstadter's Metamagical Themas, where he goes in great depth talking about the difficulty of defining the letter "A", and how people are capable of recognizing A's in truly bizarre fonts. (And how it carries over to native readers of Chinese and defining Chinese characters.) He pursuasively argues that ability to recognize any 'A', including all the bizarre fonts with 'A' is AI-complete (though of course he didn't use that term). So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.

      • Re:Why (Score:5, Funny)

        by synaptik (125) on Thursday October 02, @12:06PM (#25234071) Homepage

        It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

        Why $pammer$ in$tead of $chool? I$ that really your que$tion? $omehow, I think you might have mi$$ed the mo$t obviou$ motivation.

      • Re:Why (Score:5, Interesting)

        by rockmuelle (575982) on Thursday October 02, @01:02PM (#25234959)

        "I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position."

        So, I have a Ph.D. and know how to write this kind of software (well, I know how to go about writing this kind of software and have done it for other domains). Here's why I'm not working at a research institute or pursing a tenured university position:

        First off, research institutes don't really exist anymore. There are a few corporate labs left, but they all focus on medium term product development (5 years out). The national labs still exist, but they're managed like businesses now and it's more difficult to do pure research at them. University "institutes" are just glorified research labs. If you're not the PI, you're either a post-doc, grad student, or tech, none of which is a viable long-term career option.

        To get tenure, you have to spend 4-8 years working non-stop writing grants to fund students to do research so you can build up a publication record that impresses the tenure committee. Note that grants and pubs are both necessary: grants show you can bring money into the university, publications get the approval of the committee members outside your domain who only know how to assess research abilities by impact factors.

        During this time, all your research is done by graduate students, who are often at the beginning of the careers and have limited technical abilities. They may be brilliant, but they are not the most efficient workers. So, not only do you have to publish, but your labor pool consists of people with 1-3 years experience.

        Before tenure, you'll also only pull in about $60-90k/yr (and I know two very smart people who worked for free their first year as "visiting professors" just to get their foot in the door). At the end of this, if you don't get tenure, you're unemployable until you build up some marketable skills.

        Contrast this with industry positions. While you don't get to work on whatever you want, there are some very interesting problems out there if you take your time to find a good position. At work, you're hired to do a job, not chase down funding, so you can spend more time working on the fun stuff. The hours are reasonable, so you have time in the evenings for other projects/hobbies (you don't have free time in academia). If you're selective in your employer, you'll also work with people with a broad range of experience and skills. You'll also make more money. And, if you're good and publish from time to time, you can get a tenured position later in life without having to go through the tenure process.

        Of course, if you're evil, you can also find work breaking CAPTCHAs and building bot nets.

        Note that though this sounds bitter, I'm not... I had a blast going back to school and highly recommend it to people mid-career (hint: go to the mid-west where it's cheap to live and your quality-of-life will remain about the same). But, modern academic environments just don't present an enticing career path.

        -Chris

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 SourceForge, Inc.