Now Google's CAPTCHA Is Broken
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
My test: (Score:5, Funny)
Re: (Score:2)
Do that again, I double dare you!
Re:My test: (Score:4, Insightful)
Captcha is a joke. They've become so difficult to read that I can't even decipher what it means!
I don't know what these companies are going to do to keep spammers from running email bot networks.
I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.
I've given up. Please just send me large amounts of email asking me to enlarge my pen15 while remortgaging my sub prime house!
Re:My test: (Score:5, Insightful)
I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.
That won't work for anyone who cares about their own privacy. Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Subscription (Score:2)
Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Because you are buying something: a subscription to the site for some nominal price. Something Awful Forums, MetaFilter, and Kuro5hin manage to keep spammers out by charging for write access in this way.
Re: (Score:3, Insightful)
Re: (Score:2)
Besides, it's not like you can challenge any extra charges on your credit card. :-p
Sure, that would be a nuisance, but if Google purchases at all led to leaked card numbers and this at all took place on some scale, it would very fast bite Google and ruin their reputation in a way I don't think they'd be willing to take.
Re: (Score:3, Insightful)
It has proven necessary to give up privacy in order to develop security.
This is almost never the case, and can only be the case if the system is already designed to be insecure.
Take flying, for example. You can't fly anonymously - and nowadays (especially) you have to identify yourself multiple times
That is about fear/control, not security. It has not improved security. It would not have prevented the incident which it is a response to. Saying "oops, we were wrong, you actually shouldn't cooperate with hijackers" would have improved security. Giving the crew members stun guns (probably don't want real guns in such a crowded place) would have improved security. Keeping a list of who is allowed to tra
Re:My test: (Score:4, Funny)
I want to say verify identity with a credit/debit card
While we're thinking of bad ideas, why don't we give them our bank account numbers too?
Re:My test: (Score:5, Insightful)
"Captcha is a joke. They're become so difficult to read that I can't even decipher what it means!"
I hear that. I was trying to complete one the other day, and honestly, I was only making educated guesses as to what the characters were, it took me three or four attempts. If they get any tougher, the only people who'll be able to do them will be the spammers using this kind of software!
Re:My test: (Score:4, Insightful)
Soon, the only thing that will be able to read a CAPTCHA will be automated spam bots. The new CAPTCHA test will be: "If you can read this CAPTCHA, you are a spammer."
Those that get the CAPTCHA wrong will get in. Brilliant! Anyone want to subscribe to my newsletter?
Simple solution (Score:5, Funny)
I've got all the email addresses I want so let's just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.
Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.
Re:Simple solution (Score:4, Insightful)
Your ideas are intriguing to me and I wish to subscribe to your newsletter.
Really though, I think we would have been better off if we did this about 10 years ago (maybe even 15). Better late than never though, I guess.
Re: (Score:2)
Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.
--
An Eye for an Eye will make the whole world blind - Gandhi
Think of the children (Score:2)
so let's just consider the internet closed to new entrants.
Including children in your family who have just turned 13, 18, or whatever?
Well... (Score:5, Insightful)
Re:Well... (Score:5, Insightful)
What is? Breaking Captcha? Not even close. Whether it's done with software or by paying humans in China, India, Africa, etc it's not impressive to say the least.
Google's captcha has been broken for a very long time. Only nobody has admitted it until now. I have several Google alerts set up for certain keywords. I used to get some pretty interesting alerts to articles, blogs, other sites, etc. Now 98%+ of the alerts I get are Blogger.com spam sites. It's been this way for about 5 months, possibly longer, but that's about when I started seeing an influx of pure junk.
At first I was reporting them to Google. Then after about the 100th or so alert and having checked several of the blogs to see if they were taken down (they weren't, just the one particular page that I reported was) I just gave up, realizing that Google's captcha is seriously flawed and was broken.
Google and others need to change how easy it is for people to sign up for an account with them. Yes, it's going to be a hard row to hoe, but it needs to be done, especially for blogspot/blogger.com as those pages are just littering the internet with junk.
Re: (Score:2, Insightful)
Great Source (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
Remember these are spammers selling a product. Why should we believe this any more than we believe a cream can add two inches to your penis?
Enlarge your penis with Gillette Venus (Score:5, Funny)
Why should we believe this any more than we believe a cream can add two inches to your penis?
Possible bad example. Shaving cream along with a razor actually can add visible inches to a man's penis by taking pubic hair out of the way.
Re:Enlarge your penis with Gillette Venus (Score:5, Funny)
Re: (Score:3, Interesting)
The brilliance of the cat idea is that any series of images can be used as long as they can be divided into either Cat or NotCat by a reasonable human. Think car with giant cat ears, person w/ (shudder) fursuit, letterhead of the California Attorney's Tennis league... you'd need to code the entir
A modest proposal (Score:5, Funny)
2. Wait for crackers to solve it.
3. Profit!!
Re:A modest proposal (Score:4, Funny)
Assume N == 1,
p = 1p
You are rich now...
I hope you buy porsche for that money!
Re: (Score:2)
I really hope you're joking.
pick the cat (Score:5, Funny)
Re: (Score:2)
Yeah, I know. Captchas are becoming increasingly human-proof in the struggle to make them machine-proof.
Couldn't that be part of the test? (Score:3, Interesting)
Re: (Score:3, Funny)
The real problem is GMail (Score:5, Interesting)
Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. [jiffycreator.com] Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where it's probably time to start blocking GMail addresses too.
Want to see a GMail scammer in action right now? Read this. [getafreelancer.com]
Re: (Score:2)
The scary thing is the number of bids he has racked up for a lousy $50 job. I wonder if people are dumb enough to believe his "this first job pays crap, but the next one will be really good!" bullshit?
Score one more for "Lazy Cryptographers"... (Score:2)
Score one more for the subtitle on the original CAPTCHA paper: "How Lazy Cryptographers do AI"...
My Captcha (Score:2)
Is Paris Hilton Hot? Yes or No
Are you male or female? Male or Female
Are you gay or a lesbian or Bi? Gay or Lesbian or Bi
That's it. Now you would have to seed it with about a billion logical chains like that but it could work.
Re: (Score:2)
That isn't a CAPTCHA. It fails on the "Completely Automated" part.
Re: (Score:2)
Re: (Score:2)
Except this will deny access to everyone who chooses the wrong answer.
Actually, now that I think about it, this might be even better than denying accounts to spammers.
Re: (Score:2)
Define "enough variations"? What do you think is reasonable? A spammer network can build quite a database of images vs how many images a company is willing to hold. I'd dare say a bot network with all their hard drives have the edge here compared to a company's financing set aside for their anti-spam solution. Not only because of a bot networks potential scalability, but because due to the illegality of it all, a spammer doesn't finance the cost of setting it up -- his victims do.
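A defender's way to quantify that comment, as an added Python model that is not from the thread: a fixed pool of N challenge images against an observer who records every image shown together with its answer. It gives the expected share of the pool recorded after k served challenges, the pool size needed to keep that share under a limit for a given viewing budget, the effect of a per-source rate limit, and a small simulation as a sanity check. All pool sizes, budgets and rate limits are constructed numbers.

```python
import math
import random


def fraction_seen(pool_size: int, served: int) -> float:
    """Expected share of a pool of `pool_size` challenges that an observer has
    recorded after `served` uniform draws with replacement: 1 - (1 - 1/N)^k."""
    return 1.0 - (1.0 - 1.0 / pool_size) ** served


def served_to_reach(pool_size: int, target_fraction: float) -> int:
    """Smallest number of served challenges at which the expected recorded
    share of the pool reaches `target_fraction`."""
    return math.ceil(math.log(1.0 - target_fraction)
                     / math.log(1.0 - 1.0 / pool_size))


def pool_size_for_budget(observer_budget: int, max_fraction: float) -> int:
    """Smallest pool size that keeps the expected recorded share at or below
    `max_fraction` when an observer can view `observer_budget` challenges.
    Solves 1 - (1 - 1/N)^k <= f for N."""
    return math.ceil(1.0 / (1.0 - (1.0 - max_fraction) ** (1.0 / observer_budget)))


def hours_to_reach(pool_size: int, target_fraction: float,
                   sources: int, per_source_per_hour: int) -> float:
    """Wall-clock hours for `sources` addresses, each limited to
    `per_source_per_hour` challenges, to reach the target share. Shows how a
    per-source rate limit trades against the number of sources an observer has."""
    return served_to_reach(pool_size, target_fraction) / (sources * per_source_per_hour)


def simulate_lookup_hit_rate(pool_size: int, learn_rounds: int,
                             test_rounds: int, seed: int = 1) -> float:
    """Monte Carlo check of fraction_seen: serve challenges from a fixed pool,
    record each one shown, then measure how often a fresh draw is one already
    recorded. Challenges are constructed labels; only their identity matters."""
    rng = random.Random(seed)
    pool = [f"img{i}" for i in range(pool_size)]
    recorded = set()
    for _ in range(learn_rounds):
        recorded.add(rng.choice(pool))
    hits = sum(rng.choice(pool) in recorded for _ in range(test_rounds))
    return hits / test_rounds


if __name__ == "__main__":
    # Constructed scenario: a 1,000-image pool, an observer with ten sources
    # each allowed five challenges per hour.
    print("share recorded after 1,000 views:", round(fraction_seen(1000, 1000), 3))
    print("views until 90% recorded:", served_to_reach(1000, 0.9))
    print("hours at 10 sources x 5/hour:", hours_to_reach(1000, 0.9, 10, 5))
    print("pool needed to stay under 10% for 100k views:",
          pool_size_for_budget(100_000, 0.1))
    print("simulated hit rate (pool 500, 500 views):",
          round(simulate_lookup_hit_rate(500, 500, 2000), 3))
```

Re-rendering each serving with random distortion defeats exact-match lookup of the stored bytes, but the pool-size arithmetic above still bounds how long a finite image set stays useful once answers are being collected.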
What I'm most excited about though is... (Score:3, Funny)
"including 'pick the cat' style CAPTCHA."
This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)
DARPA math tests (Score:5, Funny)
captchas, what about handwriting recognition? (Score:5, Interesting)
OK can someone please hire these guys to work on handwriting recognition software? If they can read these bizarrely twisted captchas why can't Palm read my name?
Re: (Score:3, Interesting)
Those OCR algorithms are manually tweaked for a specific CAPTCHA algorithm, in the case of Gmail a tightly spaced letter sequence with spatial distortion. Neural networks have been better than humans in recognizing individual letters for a while (see http://research.microsoft.com/~kumarc/ [microsoft.com] ); the hardest part is separating the letter glyphs so that t
t3h ir0ny (Score:2)
TFA links to the website (botmaster.net...you probably don't want to go there) that sells XRumer. And what do I see for contact information? botmaster.net@gmail.com.
Sure hope they don't get spammed [f-secure.com]. Whatever you do, don't publish [mailto] that email address! botmaster.net@gmail.com -- don't do it!
Captchas are dead (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
> not wanting to give over financial information for just an email account.
For the incredible benefits that e-mail provides in this connected World, you're not even willing to pay a dollar | pound | yen for an account?
Really?
IT salaries are just too low. (Score:4, Interesting)
Next CAPTCHAs (Score:4, Funny)
As usual, our friends at DARPA are always one step ahead. Use these to replace the old CAPTCHAs.
1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.
2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.
3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...
Re: (Score:2)
XRumer is within my reach (Score:2)
They are being hosted in Texas... my home state. Now as to whether the operators are in state is another matter, but I will fire off a warning letter to the web host informing them that they could be potentially held liable for the criminal acts of this operation in the event charges are pressed.
Can we get them to release the source? (Score:4, Funny)
The politicians and lawyers should solve this (Score:2)
This thread will likely contain a bunch of clever technical solutions to spam. Probably all of them flawed because if there was a good technical solution we would have found it by now.
We know who the spammers are: almost all spam involves some sort of financial transaction which we can track. The only thing that stops us from getting at them is that they are seldom in the jurisdiction where they committed their offence. This however, can be solved. We did it for war crimes and for child porn. The UN just ne
3D captchas? (Score:2)
Drastic increase in forum spam in the last 2 days (Score:2)
The latest version of this program has hit a number of forums hard. In the last two days many vBulletin forum administrators have posted to complain and look for assistance--notice the sudden increase in activity on that thread as of the 11th post:
http://www.vbulletin.org/forum/showpost.php?p=1634634&postcount=11 [vbulletin.org]
In the last 15 minutes alone 3 spammers have attempted to register on a small forum that I help run, one that would only be of interest to a few hundred people. (We get a valid new user about
Next CAPTCHA to be broken (Score:2)
Will be Apple's!
this could actually be useful technology! (Score:2)
Artificial intelligence at last (Score:3, Insightful)
it's easy (Score:3, Insightful)
example:
image with a cat on the left and a dog on the right.
question: what's on the left?
answer: cat
example2:
girl crying, next to a broken glass
question: why the girl is crying?
answer: because of a broken glass
it's very human readable, and very difficult for software interpretation
and I just patented that...
Re: (Score:2, Funny)
This time those evil Russian bastards..
That would be why.
Re:Why (Score:5, Funny)
From TFA:
This time those evil Russian bastards..
That would be why.
What does being born out of wedlock have to do with it?
Re: (Score:2, Insightful)
Tis clearly a civil issue.
Re: (Score:2)
If Captcha technologies could be considered a security measure, which it most certainly is, a security measure designed to allow only human users access to services, then it could be a criminal matter in that it is a tool designed and used for the purpose of circumventing security measures. And if the argument that "they don't use it, they just created and sold it" were used, there's always the aiding and abetting parts of criminal law as well as the "beyond a reasonable doubt" that they had to test it duri
Re: (Score:2)
Unless, you know, they aren't from the US where such silly things as "circumventing security measures" are considered illegal.
Re:Why (Score:4, Insightful)
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
Re:Why (Score:4, Insightful)
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
How about a death penalty for anyone that buys anything from spam?
I'll do you one better! (Score:5, Funny)
Re: (Score:2)
Fortunately, replacement ones [pawstar.com] are available.
Re: (Score:2)
OP meant in an Ouroboros way, not in some kind of dirty furry way.
Re:Why (Score:5, Funny)
Killing people is wrong. Comparing people to pests is something that the Nazis liked to do, with the same intention: to pave the way for killing people.
What if Godwin's Law carried the Death Penalty?
Re:Why (Score:5, Insightful)
Re:Why (Score:5, Insightful)
aren't these guys in jail?
I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Re:Why (Score:5, Funny)
Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not).
Re:Why (Score:5, Interesting)
Another benefit is that the drug tests aren't "Have you?" they are "How much do you want?"
Re:Why (Score:5, Interesting)
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Not when you consider how much professors make vs. how much spammers who can beat captchas can make. Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.
Incidentally, I was just reading Douglas Hofstadter's Metamagical Themas, where he goes in great depth talking about the difficulty of defining the letter "A", and how people are capable of recognizing A's in truly bizarre fonts. (And how it carries over to native readers of Chinese and defining Chinese characters.) He persuasively argues that the ability to recognize any 'A', including all the bizarre fonts with 'A', is AI-complete (though of course he didn't use that term). So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.
Re:Why (Score:5, Funny)
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Why $pammer$ in$tead of $chool? I$ that really your que$tion? $omehow, I think you might have mi$$ed the mo$t obviou$ motivation.
Re:Why (Score:5, Funny)
What does Microsoft have to do with it?
Re: (Score:3, Interesting)
A 1% success rate is good enough to effectively "break" a captcha, but not good enough to really advance the state of machine vision by itself. In the end though, some good OCR work could come of these efforts, but not in comparison to the money and time everyone else loses from spam; we could have just funded the research. Sending spam, and unfortunately writing advanced spam tools, pays better than a university position.
Make more money spamming than a Prof (Score:2)
Besides that, anyone know how they can bypass the "Pick the cutest cat?" type of captcha?
Is it just brute forcing? Paying 3rd world country people 10 cents per 100 captchas broken? I would imagine that it's much more sophisticated than that, but I dunno.
Re:Why (Score:5, Interesting)
"I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position."
So, I have a Ph.D. and know how to write this kind of software (well, I know how to go about writing this kind of software and have done it for other domains). Here's why I'm not working at a research institute or pursuing a tenured university position:
First off, research institutes don't really exist anymore. There are a few corporate labs left, but they all focus on medium term product development (5 years out). The national labs still exist, but they're managed like businesses now and it's more difficult to do pure research at them. University "institutes" are just glorified research labs. If you're not the PI, you're either a post-doc, grad student, or tech, none of which is a viable long-term career option.
To get tenure, you have to spend 4-8 years working non-stop writing grants to fund students to do research so you can build up a publication record that impresses the tenure committee. Note that grants and pubs are both necessary: grants show you can bring money into the university, publications get the approval of the committee members outside your domain who only know how to assess research abilities by impact factors.
During this time, all your research is done by graduate students, who are often at the beginning of their careers and have limited technical abilities. They may be brilliant, but they are not the most efficient workers. So, not only do you have to publish, but your labor pool consists of people with 1-3 years experience.
Before tenure, you'll also only pull in about $60-90k/yr (and I know two very smart people who worked for free their first year as "visiting professors" just to get their foot in the door). At the end of this, if you don't get tenure, you're unemployable until you build up some marketable skills.
Contrast this with industry positions. While you don't get to work on whatever you want, there are some very interesting problems out there if you take your time to find a good position. At work, you're hired to do a job, not chase down funding, so you can spend more time working on the fun stuff. The hours are reasonable, so you have time in the evenings for other projects/hobbies (you don't have free time in academia). If you're selective in your employer, you'll also work with people with a broad range of experience and skills. You'll also make more money. And, if you're good and publish from time to time, you can get a tenured position later in life without having to go through the tenure process.
Of course, if you're evil, you can also find work breaking CAPTCHAs and building bot nets.
Note that though this sounds bitter, I'm not... I had a blast going back to school and highly recommend it to people mid-career (hint: go to the mid-west where it's cheap to live and your quality-of-life will remain about the same). But, modern academic environments just don't present an enticing career path.
-Chris
Re:Why (Score:4, Interesting)
Because they are circumventing a computer security measure. That is a felony in the U.S.
Re: (Score:3, Interesting)
Re:Why (Score:5, Funny)
Yeah, jail all those muck-runners! (what is a 'muck'?)
Re: (Score:2)
Re: (Score:3, Funny)
A tutu for conjoined twins?
Re:Why (Score:4, Informative)
You (but mainly parent poster) might be interested to know that the word is actually "amok" which is defined as a "psychic disturbance characterized by depression followed by a manic urge to murder."
Indeed, this is what it means to "run amok." Also refer to the classic Looney Tunes clip, "Duck Amuck."
hmmm... this is either Informative or Off-Topic. Guess I'll leave that to the moderators to decide.
Re:Why (Score:4, Informative)
(what is a 'muck'?)
Among other things, muck is horse manure. To muck a stall is to remove all the droppings and change the bedding.
Re: (Score:2)
It's also a variant of MUD, a la TinyMUCK.
Re: (Score:3, Insightful)
No, they write image recognition software. The people who use their programs defraud Google.
Re:Why (Score:4, Insightful)
Don't you mean passing turing tests?
Re:Why (Score:5, Insightful)
Re: (Score:3, Interesting)
Great. Let's forbid Nmap. Forget that it's a very useful network administration tool. Hackers use it a lot.
Let's forbid cars. Bank robbers use them to escape.
Re: (Score:3, Funny)
Well, I did see a pattern start to emerge after the first two examples, but wasn't entirely clear. But then I read the third example, and ... well, now I don't see any pattern.
Can you elaborate?
Re: (Score:3, Funny)
Re: (Score:2)
Because they are defrauding Google, spamming US citizens and generally running a muck. That's what jails are for.
I prefer MUDs too, but I think you're being a bit harsh.
Seriously, I believe you meant "running amok". The reason that these spammers aren't in jail is because they live in another country. Even if what they're doing is illegal there, the people that matter probably don't care.
Re: (Score:2)
Re: (Score:2)
You use it in the sense of "I was mucking around" - you can't "run a muck" - it would have to be a noun there.
Re: (Score:2)
I'd imagine it's cheaper to pay someone in China, India, etc to do these things
Cheaper than what?
By the time a piece of software has been developed that can reliably crack the captcha, it is effectively free. Although human-powered cracking isn't expensive, it costs per captcha broken.
Re: (Score:3, Insightful)
It isn't the implementation that is the problem, it is the concept. As long as there are people willing to work for pennies a day, or willing to solve puzzles for porn, CAPTCHA is broken.
Re: (Score:3, Insightful)
This is what is already happening, at the exact rate that we can come up with new tests.
This rate is of course much slower than the rate at which spammers can crack them.
The problem with the word "rotating" is that it implies re-use. Once cracked, the test is worthless forever, not just for a couple of page loads.