Now Even Photo CAPTCHAs Have Been Cracked
Posted by
timothy
on Tue Oct 14, 2008 11:14 AM
from the given-enough-eyeballs dept.
MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAs are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way to crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
Related Stories
Yahoo CAPTCHA Hacked 252 comments
Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve a high degree of accuracy when designing automated recognition software. An accuracy of 15% is enough when an attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition: one cent per CAPTCHA."
Gmail CAPTCHA Cracked 317 comments
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
Technology: Windows Live Hotmail CAPTCHA Cracked, Exploited 362 comments
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Fallout From the Fall of CAPTCHAs 413 comments
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
Inside India's CAPTCHA Solving Economy 167 comments
Anti-Globalism points out an analysis of India's CAPTCHA-solving industry posted at ZDNet. It begins:
"No CAPTCHA can survive a human that's receiving financial incentives for solving it, and with an army of low-waged human CAPTCHA solvers officially in the business of data processing while earning a mere $2 for solving a thousand CAPTCHAs, I'm already starting to see evidence of consolidation between India's major CAPTCHA solving companies. The consolidation, logically leading to increased bargaining power, is resulting in an international franchising model recruiting data processing workers empowered with do-it-yourself CAPTCHA syndication web based kits, API keys, and thousands of proxies to make their work easier and the process more efficient."
Spammers Targeting Microsoft's Revised CAPTCHA 303 comments
toomuchtoomuchspam writes "According to Websense, Microsoft's CAPTCHA has been busted again. CAPTCHA was surely a logical move for different service providers to fight against spammers, but it seems to be melting down. 'Realizing the potential for massive abuse from spammers with anti-CAPTCHA capabilities, who could use the clean IP reputation to carry out various attacks over Email and Web space, Microsoft attempted to increase the complexity of their CAPTCHA system. The CAPTCHA system was revised in an attempt to both prevent automatic registrations from computer programs or automated bots, and preserve CAPTCHA's usability and reliability. As this attack shows, those efforts have failed,' says Websense security researcher Prasad. Could there be any better CAPTCHA? A better solution?"
Now Google's CAPTCHA Is Broken 408 comments
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
damn it (Score:5, Insightful)
They're already hard to read. Why do I feel that soon I won't be able to read ANY of them!?
Re:damn it (Score:5, Funny)
These programs are Satan's rectum, poised to let loose over the web.
Re:damn it (Score:5, Funny)
So CAPTCHA images are ineffective at blocking the bots. No surprise. It won't be long before these AIs start joining Yahoo or Google mail for the same reasons we do: Chatting.
tiredbot&yahoo.com : "Boy I had a rough day at work today. My user wanted me to compile a new program AND surf the internet at the same time!"
spamalot@gmail.com: "Wow, rough. I was lucky. My user took the day off, so I just spent the day spamming. I love how those humans react - sending me hategrams. hahahahaha! That just makes me want to send more spam! Fools."
tiredbot&yahoo.com : "You are so bad girl."
Re:damn it (Score:5, Interesting)
Ah...reminds me of one of my favorite t-shirts:
http://www.tshirthell.com/funny-shirts/fuck-the-colorblind/ [tshirthell.com]
The underlying problem is that we're running out of things that are easy for people but hard for computers. Most attempts to expand or 'improve' visual CAPTCHA at this point will cause more pain to humans than reduction in computer success.
So, let's change directions, and make the computer solve a different sort of problem. For example, a Turing test of sorts, where the problem is to solve something that is difficult to parse programmatically, but relatively easy for a person to answer. Maybe the recent Turing test results are a good indication of what the questions should be. Multiple related questions would be a particularly interesting area; for example, ask related questions where pronouns are ambiguous (to a computer).
Re:damn it (Score:5, Interesting)
Ah-hah! I've got the answer to our CAPTCHA problems:
We just make them so hard that it becomes impossible for a human to solve it. Then we invert the solution: if you pass the CAPTCHA, you're obviously a bot, because a human can't solve it. FAIL the CAPTCHA, we know that you're human.
Re:damn it (Score:5, Interesting)
You say this in jest, and I admit it made me smile, but we did something somewhat like this.
We have a website with a contact form on it, that gets lots of spam. After numerous discussions with marketing about implementing CAPTCHAs, we decided to simply put a text box on the form that says "leave this blank", with the HTML form field named "comment". Humans leave it blank. And sure enough, the spammers cram their links into all form fields, so we can ignore their crap.
We initially even made the form hidden (CSS font color and field color the same as the background), so a user wouldn't even see it. That was great.
Not a perfect solution for all cases, but it worked pretty well for us.
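The "leave this blank" honeypot described above, written out as an added example (not code from the commenter's site). The field name "comment" comes from the comment; the off-screen CSS, the attribute choices and the sample POST bodies are constructed for illustration.

```python
# Added example: server-side check for a decoy "comment" field that humans
# leave blank and form-filling bots tend to stuff with links.
from urllib.parse import parse_qs

HONEYPOT_FIELD = "comment"  # decoy field name used in the comment above
# Moved off-screen instead of display:none so the label is still read out
# to screen-reader users, who are told to leave the field empty.
HONEYPOT_STYLE = "position:absolute;left:-9999px;"


def render_honeypot_field() -> str:
    """HTML fragment for the decoy field (constructed markup).
    tabindex=-1 keeps it out of the keyboard tab order and autocomplete=off
    stops browsers from filling it in on a human's behalf."""
    return (
        f'<div style="{HONEYPOT_STYLE}">'
        f'<label for="{HONEYPOT_FIELD}">Leave this blank</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        f'tabindex="-1" autocomplete="off"></div>'
    )


def classify_submission(body: str) -> str:
    """Return 'bot' if the decoy field carries any non-blank value,
    'human' if it is absent or blank. `body` is a raw
    application/x-www-form-urlencoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(HONEYPOT_FIELD, [""])
    if any(v.strip() for v in values):
        return "bot"
    return "human"


# Constructed sample submissions, not captured traffic.
HUMAN_BODY = "name=Alice&email=alice%40example.test&message=Hello&comment="
BOT_BODY = (
    "name=buy+now&email=spam%40example.test&message=http%3A%2F%2Fexample.test"
    "&comment=http%3A%2F%2Fexample.test%2Fcheap"
)

if __name__ == "__main__":
    print(classify_submission(HUMAN_BODY))  # human
    print(classify_submission(BOT_BODY))    # bot
```

Browser autofill and some accessibility tools can populate hidden fields, so treat a hit as a signal to drop the post silently rather than to block the client, as the comment does.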
I don't get it (Score:5, Interesting)
Asking simple math or site-relevant questions is not only easier for humans to read (I'm talking about "What's 5 - 3"), but they're harder for automated parsing by software to crack.
Re:I don't get it (Score:4, Insightful)
Asking simple math or site-relevant questions is not only easier for humans to read (I'm talking about "What's 5 - 3"), but they're harder for automated parsing by software to crack.
How do you figure that would be harder for automated parsing software to crack? I would think that would be many times easier than to ICR an image that is purposely obfuscated. (I used to work on ICR software and I'd rather write an automated-question-parser)...
Re:I don't get it (Score:5, Insightful)
The reason is, a captcha has to have a ruleset. You can't just display a graphic and a textbox and not explain (or make it very obvious) what the person is supposed to do. For that reason, people can make bots that take advantage of the parts of the system that never change.
If you have a system that asks math questions, they'll write a spam bot that parses the question, does that math, and gets through. You'll make it a little harder, they'll adjust their bots for that. It's an arms race.
The holy grail of course is to find something that humans can do easily, but is impossible (or very very unlikely statistically) for a program to be able to do.
Re:I don't get it (Score:5, Insightful)
You have to consider the source of the questions. If the questions are human-generated, it's not economically feasible. Remember that they can train their CAPTCHA-defeating software by paying large numbers of people to supply the answers to CAPTCHAs. Even a very large database could fall to that approach.
If the questions are machine-generated, then you're pitting a machine generating questions and answers against a machine designed to answer questions.
Re:I don't get it (Score:5, Funny)
you're pitting a machine generating questions and answers against a machine designed to answer questions.
You make it sound like that's hard. Here's a question that a machine could generate that another machine could not answer:
"What number am I thinking of?"
Re:I don't get it (Score:5, Funny)
Good idea. Here are a few questions to start with:
1) What is the best editor: Vi or Emacs?
2) Was there a cabal?
3) Did Romero make you his bitch?
4) Rick Astley would never: give you up; let you down; run around and desert you; make you cry; say goodbye; tell a lie and hurt you?
Re:I don't get it (Score:5, Interesting)
You can even take this approach one step further and use CSS to move the field outside the viewable range of the page or set its visible property to false so the user won't even see it.
How about (Score:5, Interesting)
Instead of asking someone to type in the letters, numbers or how many cats there are in the photo, just randomly generate some scenario:
"Jim and Sue go to the park on Sunday. Billy the dog goes too."
Then you can ask random questions like:
"What is the name of the dog?"
"What day did they go to the park?"
"Where did they go?"
That might work OK for a while...
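The random-scenario idea from the comment above, as an added example (not code from the commenter). The name, day and place lists, the templates and the answer normalization are constructed assumptions; only the "Jim and Sue" scenario and its three questions come from the comment.

```python
# Added example: generate a short scenario with randomly substituted facts,
# ask one question about it, and check the answer leniently.
import random

# Constructed word lists; the scenario shape follows the comment above.
PEOPLE = ["Jim", "Sue", "Ann", "Bob", "Maria"]
DOGS = ["Billy", "Rex", "Daisy"]
DAYS = ["Monday", "Wednesday", "Sunday"]
PLACES = ["park", "beach", "zoo"]


def make_challenge(rng: random.Random) -> dict:
    """Build one scenario and one question/answer pair drawn from it.
    Facts are substituted at random so answers cannot be replayed from a
    fixed list; the rng is injected so tests can reproduce a challenge."""
    p1, p2 = rng.sample(PEOPLE, 2)
    dog, day, place = rng.choice(DOGS), rng.choice(DAYS), rng.choice(PLACES)
    scenario = f"{p1} and {p2} go to the {place} on {day}. {dog} the dog goes too."
    questions = [
        ("What is the name of the dog?", dog),
        (f"What day did they go to the {place}?", day),
        ("Where did they go?", place),
        (f"Who went with {p1}?", p2),
    ]
    question, answer = rng.choice(questions)
    return {"scenario": scenario, "question": question, "answer": answer}


def normalize(text: str) -> str:
    """Lower-case, drop trailing punctuation and collapse whitespace."""
    return " ".join(text.lower().strip(" .!?").split())


def check_answer(expected: str, submitted: str) -> bool:
    """Accept case and whitespace differences and a leading 'the',
    so 'The Park.' matches 'park'."""
    got = normalize(submitted)
    if got.startswith("the "):
        got = got[4:]
    return normalize(expected) == got


if __name__ == "__main__":
    c = make_challenge(random.Random())
    print(c["scenario"])
    print(c["question"])
```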
Re:How about (Score:5, Insightful)
Keep in mind you need questions that anyone with a 3rd-grade education could read and solve
Why? Personally, I'd prefer to participate in forums that require a college level education to participate in.
Re:Not a security feature (Score:5, Insightful)
CAPTCHA is not a security feature. It's a way to help avoid robots pretending to be humans. Anyone using it as a security feature is just giving more reasons for people to find ways to break them. All in all, it's time to get rid of CAPTCHA and move on to some more logical system that would be more difficult, such as a system where users are asked to answer a simple question that contains the answer, such as: If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot? How many liters of water fit into a five-liter bottle?
It sounds like a great idea, but I've met plenty of people who wouldn't be able to answer either of your questions. To steal a random quote from the internet:
"Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."
Re:Not a security feature (Score:5, Funny)
> If you were born in 1973 and JFK was shot in 1961, were you alive when he was shot?
I have developed a device that answers random yes/no questions correctly 50% of the time. Me and my flip-a-coin-bot will take over the world!