Yahoo CAPTCHA Hacked

Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."

captcha security

[primadd]

I did my own captcha, but I'm not sure how much its worth - figured any non-standard one is better than none (or a std one).

Please take a look [primadd.net] - are the effects actually helping the recognition process?

--
social bookmarking widget for your site [primadd.net]

Re:Google Hacks

[Anonymous Coward]

Are you bashing MS just to bash them. Honestly, their so called 'stupid system' is the best thing I've seen out there. Please enlighten me wise one, and link me to a better alternative.

p.s. How do you know that Gmail accounts haven't been hacked into? Do you have data validating this?

It's not a challenge to bash MS, that comes way to easy, but to add some useful content to /. , might be a challenge for yourself, wise one.

Why not use humans?

[Besna]

Aren't there humans doing CAPTCHA? What is the cost there? I think slashdotters focus more on technology, but putting up a cheap and workable system to get humans anywhere to do this is also important.

Re:Dynamic forms?

[Loplin]

>What about the form that is around the captcha, generally a new account application, etc? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fail?

Even if this were dynamic, there is only so many possible methods of displaying a form while still letting it be decipherable by a human. Given this limited set of possibilities, the programmer of a spam bot needs only to take into account any possible page mutations. More likely though, the spammer doesn't even look at a certain spot on the page; they probably do a little javascript to search the DOM for all text boxes and all images and ignores any images it already has copies of, the remainder image is likely the captcha. Then they would just search for context clues around the text boxes to see which box is most likely to be the one that accepts the captcha answer.

>Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make the questions a bit more complex as AI gets better.

This is also suffers from the problem of limited number of possibilities. If someone can spend time putting questions in, someone can spend time filling in answers, and they only have to fill in answers once, after that, the bot can remember them for the next time it sees the same question.

If some sort of AI was used that could ask common sense questions, like cyc, the problem would be that the spammers have access to the very same AI.

The leading thought is that AI is not going to create better CAPTCHAs, but that bots that break CAPTCHAs are going to create better AI.

>I wonder if there could be some sort of AI research project that works in conjunction with a captcha system.
Not exactly AI, but the reCACPTCHA project does uses CAPTCHAs to decipher text that OCR programs can't when scanning books.

Other interesting work on CAPTCHAs

[ChoppedBroccoli]

Segmentation and intersecting arcs can be difficult for automated attacks: http://portal.acm.org/citation.cfm?id=1054972.1055070 [acm.org]

You know those annoying flash advertisement games (shoot the monkey for a free iPod)? Well, they could potentially be adapted for CAPTCHAs as well: http://cups.cs.cmu.edu/soups/2006/posters/misra-poster_abstract.pdf [cmu.edu]

Re:I thought those things were already broken

[kesuki]

that's why it costs 1 cent per 1 captcha, the overall cost of webhosting the porn for exchange boils down to 1 cent per solved captcha. obviously, if you're hosting on root-kited windows boxes in the us (the highest rate of infection is in the us) the cost is still about 1 cent per one captcha because the cost of paying hackers to keep a bot net sizable enough comes to about the same cost.

especially with sp3 coming out now, the cost of bot nets is higher, since sp3 offers a 'easy' bot net removal path, since staying off-line long enough to get all sp2's flaws patched is crucial in preventing reinfection. believe me, having a root-kit installed is easy even for a veteran computer guy to miss.

i have dvd's i burned almost 3 years ago that reinfect any windows machine with a root-kit, and are un-readable in linux, apparently the root-kit was using some hooks in nero burning rom to 'randomly' pick a burn project and put the root-kit installer on there so when windows tried to auto run it would install the root-kit, then show the 'window' that normally shows up on auto-run would show up. the rootkit took an 'extra' session, that was transparent, eg: it would only show using burning software to read the track data, for the burned cd or dvd. no additional files showed up in windows, but the extra session made it unreadable to linux.

also, the root-kit only runs in a 'blank' screen saver, which it protects and makes sure loads when the system is idle, so it never sends data when the user might be there to notice. and i think it sends the data as like, internet explorer, to bypass firewall rules. since none of the firewalls i tried could block it. i actually only found the original root kit when a second root-kit moved the first root-kit's files to the recycle bin. other than that none of the root kit scanners that were recommended to me could even detect this thing. only the 'symptoms' and the fact i could 'remove them' by staying off-line and not using my old discs were proof that i had a root kit.

symptoms included, auto-run becoming disabled, screen saver always resetting to 15 minutes (only when both root-kits were on there), and the 'desktop' showing up 2-3 times a day when in full-screen games (also only with both root kits), and finding root-kit files in recycle bin(only found on networked systems with the root kit, and didn't return on reinstall of both root-kit, likely was a 1 time 'bug' that was fixed later on)

so yeah, I didn't notice it for 3 years. Not that i usually have to deal with virus, but in the past I had only ever had to deal with 3 virus and in my 15 years online. and the third one was really a root-kit. I've also been using open-source software for 11 years, so that probably helped, of course, one of the virus was one that affected my open source software, the other 2 were windows based.

it's still easy to miss windows root-kit's nowadays, especially when hackers have root-kits that aren't published, and they use scripts to make the exe's have unique signatures (using compiler tricks) for known root-kits.

Random Coloration Photos

[copponex]

(if anyone uses this and makes a million, at least cut me in 10% for the idea)

I gather the last frontier for computers is image recognition. I'm not sure of the state of image processing, but if you could randomly color simple pictures (one flower, one pen, one cup (NO PUN INTENDED)) into about twenty different shades, and get about a hundred different photos, and just start rotating two or three a week in. So the user sees a small photo with radio boxes below:

The cup is ()red ()blue ()green ()purple ()orange ()yellow orange
The flower petals are ()orange ()blue ()brown ()black
The pen is ()grey ()black ()yellow

You could even start throwing in random names for the colors (silver, charcoal, etc.) using it in sentences, combine with shape guesses (the longer pens are what color? the biggest cup is what color?) Either that or use tiny bits of flash with motion. (the bouncing flower is what color? the flashing red object is what?)

I say a few thousand different sites armed with the same "screen green" paint and tens of thousands of different photos could throw up somewhat of a roadblock.

What say ye?

Re:Gentlemen, start your spambots

[nazanne]

That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone half way around the world entering CAPTCHAs for a penny a piece and allowed any spelling that is even close. I haven't had any spammers sign up for a couple years now. That obviously won't work for a major target like YAHOO though.

Re:Hey

[Janek Kozicki]

The 3D captcha [spamfizzle.com] seems to be a good solution here (that's a link from wikipedia article [wikipedia.org])

You pick several 3d models, like people, chairs or flowers. Name all their parts, like "chair leg", "human head" etc. The CAPTCHA is generated by placing a several 3D models randomly rotated on a scene and rendering them with easily readable letters "A", "B" placed on the named parts. The captcha questions are: "what is the letter on human head", "what is the letter on chair leg", etc..

People can answer pretty easily. The 3D models are always randomly placed and rotated on a scene, so bots have a problem.

Re:Gentlemen, start your spambots

[Anonymous Coward]

I'm using Voight-Kampff for a forum [zz-go.com] and is working very nice...

This is bad news for you all

[Anonymous Coward]

Posting anon for obvious reasons.

I used to be heavily involved in Yahoo chat spam and it does make a lot of money (10,000 per month wasnt unusual) We have programs to bulk create profiles, to modify profiles, as well as the actual chat bots.

The one thing we had to do, the one thing that stopped us being able to fully automate this is captcha. There was no way round it. Even if you got good at it and didnt farm it out to india you could only do 2000ish profiles a day. At the rate Yahoo kills em, you could just about keep up with feeding the bot new profiles.

Now that the verification is potentially broken it could potentially allow a spam bot army of orders of magnitude of the current ones onto the yahoo network, because the last constraint has been broken. This means, if true, that Yahoo spamming can now become fully automated.

Re:Not really news

[ookabooka]

Heh, yeah. . . .I used to hook up my computer using Rybka to yahoo chess. I played against other bots, other players(always a glorious win), and tolerated the unending spam from other bots that would just want you to go to some porn website. Eventually, they instituted a CAPTCHA. . .Oh noes, my bot was broken. Turns out I could just manually enter the CAPTCHA and grab the session ID info before the applet loaded and forward that manually to the bot. Once I'm "logged in" with the bot, it's no big deal. Point is: If a spammer has to type in one CAPTCHA and can then spam for days in God knows how many chat rooms. . is it really that effective? Should we interrupt logged in users with more CAPTCHA's? Quite the interesting problem indeed, perhaps some sort of feedback where people would mark someone as a bot, if enough people did it, it would present the bot with a CAPTCHA. *shrug*