Yahoo CAPTCHA Hacked

Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."

I thought those things were already broken

[Anonymous Coward]

by having a teenage boy do it in exchange for letting him see porn.

Re:I thought those things were already broken

[2.7182]

I think the parent is serious. The idea is that your robot goes and grabs the images that needs to be decoded. Then on another website, it is presented and you can see free porn if you type in the word. I've heard of this but never read about it. Sounds like a good idea. Anyone know what this is called or some references ?

Re:

[Rageon]

No idea where I first read this, but I too remembering reading something very similar to the "solve the captcha for porn" idea.

Re:

[1u3hr]

No idea where I first read this, but I too remembering reading something very similar to the "solve the captcha for porn" idea.

It was suggested a few years ago. I've never seen any evidence of it being put into practice. I think it would be simpler to pay some computer sweatshop in Delhi to do this for a few cents each. I can find as more free porn than have any desire to see without any problem, so it's hard to see why users would bother. The site would very soon be common knowledge and interested parti

Re:I thought those things were already broken

[rthomas6]

http://news.bbc.co.uk/2/hi/technology/7067962.stm [bbc.co.uk]
Here is a link to a BBC article about something like that. It's a Windows program that rewards typing in captchas by showing a woman that takes off progressively more and more clothes.

Re:

[Plutonite]

That's got to be just about the funniest thing ever :)

Re:

[2.7182]

OK here is Cory Doctorow discussing it. [boingboing.net]

Re:

[Agripa]

I have heard it called a mechanical turk [wikipedia.org].

Re:I thought those things were already broken

[kesuki]

that's why it costs 1 cent per 1 captcha, the overall cost of webhosting the porn for exchange boils down to 1 cent per solved captcha. obviously, if you're hosting on root-kited windows boxes in the us (the highest rate of infection is in the us) the cost is still about 1 cent per one captcha because the cost of paying hackers to keep a bot net sizable enough comes to about the same cost.

especially with sp3 coming out now, the cost of bot nets is higher, since sp3 offers a 'easy' bot net removal path, since staying off-line long enough to get all sp2's flaws patched is crucial in preventing reinfection. believe me, having a root-kit installed is easy even for a veteran computer guy to miss.

i have dvd's i burned almost 3 years ago that reinfect any windows machine with a root-kit, and are un-readable in linux, apparently the root-kit was using some hooks in nero burning rom to 'randomly' pick a burn project and put the root-kit installer on there so when windows tried to auto run it would install the root-kit, then show the 'window' that normally shows up on auto-run would show up. the rootkit took an 'extra' session, that was transparent, eg: it would only show using burning software to read the track data, for the burned cd or dvd. no additional files showed up in windows, but the extra session made it unreadable to linux.

also, the root-kit only runs in a 'blank' screen saver, which it protects and makes sure loads when the system is idle, so it never sends data when the user might be there to notice. and i think it sends the data as like, internet explorer, to bypass firewall rules. since none of the firewalls i tried could block it. i actually only found the original root kit when a second root-kit moved the first root-kit's files to the recycle bin. other than that none of the root kit scanners that were recommended to me could even detect this thing. only the 'symptoms' and the fact i could 'remove them' by staying off-line and not using my old discs were proof that i had a root kit.

symptoms included, auto-run becoming disabled, screen saver always resetting to 15 minutes (only when both root-kits were on there), and the 'desktop' showing up 2-3 times a day when in full-screen games (also only with both root kits), and finding root-kit files in recycle bin(only found on networked systems with the root kit, and didn't return on reinstall of both root-kit, likely was a 1 time 'bug' that was fixed later on)

so yeah, I didn't notice it for 3 years. Not that i usually have to deal with virus, but in the past I had only ever had to deal with 3 virus and in my 15 years online. and the third one was really a root-kit. I've also been using open-source software for 11 years, so that probably helped, of course, one of the virus was one that affected my open source software, the other 2 were windows based.

it's still easy to miss windows root-kit's nowadays, especially when hackers have root-kits that aren't published, and they use scripts to make the exe's have unique signatures (using compiler tricks) for known root-kits.

Re:I thought those things were already broken

[novakyu]

that's why it costs 1 cent per 1 captcha, the overall cost of webhosting the porn for exchange boils down to 1 cent per solved captcha.

Er, where did you get that number? At Nearly Free Speech [nearlyfreespeech.net], it only costs $1 / GB (of transfer), and that's how much it would cost nearly anywhere else (or even less!), if you use significant amount of bandwidth.

I don't know exactly how large porn images are, never having looked at them, but if you guess a round number of 0.1 MB per picture, it's only about $0.0001, or 0.01 cent per captcha. I suppose it's better than nothing, but it's not yet very cost-prohibitive.

Re:

[Anonymous Coward]

<quote>I don't know exactly how large porn images are, never having looked at them.</quote>

Posting on /. and you've never seen porn? Bullshit.

Re:I thought those things were already broken

[nb caffeine]

Maybe he only watches movies

Re:

[novakyu]

Many hosts will charge more for porn. Or not allow it at all.

Hundred times more? I think at some point, it's probably cheaper for those in porn industry to get their own T1 line and a data center.

Do you have any evidence for this? At least at NearlyFreeSpeech.net, they don't have anything saying that they won't allow porn [nearlyfreespeech.net], and given the intimate connection between porn industry and the fight for first amendment rights (Larry Flint, anyone?), I doubt that they would disallow it, even unofficially. I am just saying this, because if what you say is true, and other webh

Hey

[Misanthrope]

They're used to seeing Cyrillic, the captcha has got to be easier to read!

Re:Hey

[Janek Kozicki]

The 3D captcha [spamfizzle.com] seems to be a good solution here (that's a link from wikipedia article [wikipedia.org])

You pick several 3d models, like people, chairs or flowers. Name all their parts, like "chair leg", "human head" etc. The CAPTCHA is generated by placing a several 3D models randomly rotated on a scene and rendering them with easily readable letters "A", "B" placed on the named parts. The captcha questions are: "what is the letter on human head", "what is the letter on chair leg", etc..

People can answer pretty easily. The 3D models are always randomly placed and rotated on a scene, so bots have a problem.

Re:

[PietjeJantje]

It's an interesting idea, but the only part that elevates it from just being another step in a war of arms, is the last part where it deals with compromises. It says attacks need to be recognized and then the captcha is modified. But this is what they already do or should be doing. Recognition is hard though with requests coming from any possible computer from a huge botfarm. But sites like Yahoo should simply rotate their captcha generation algorithms as soon as they know they have been compromised or even

Not really news

[Anonymous Coward]

A few months ago Yahoo introduced a CAPTCHA to prevent bots entering their chatrooms. Within a few days every room on yahoo was filled with bots once more, and still are to this day.

Given the current situation of the chat rooms on yahoo, it comes as no suprise at all that the other parts of the Yahoo system are inadequately protected from bots either.

Re:

[Hojima]

Probably the best thing I can come up with in order to prevent bots is have a recognition question of some sort. Just have a picture of something simple and ask what it is (a dog for instance), or have a very simple question like, "Is Paris Hilton a whore?"

Re:

[Main Gauche]

"Just have a picture of something simple and ask what it is (a dog for instance), or have a very simple question like, "Is Paris Hilton a whore?""

No matter how you tweak the captcha idea, the spammers can simply transplant the entire "task" to the person who wants porn.

Before I realized this, I was thinking of convoluted things like: having a huge list of questions about a huge collection of photos, embedding the question itself in a captcha, then asking the person to answer the question. But what's t

Re:

[Macka]

You're correct, but you're also missing the point a bit. Until now, spammers have had to rely on human assistance to translate captchas. It doesn't stop them, but it does slow them down somewhat. If spammers develop a software method to reliably translate captchas (and it will only get better over time) then the speed at which they are able to generate successful intrusions will increase, which is worse for everyone else.

So the battle must be fought on as many fronts as possible. And captcha solutions

Re:

[ookabooka]

Heh, yeah. . . .I used to hook up my computer using Rybka to yahoo chess. I played against other bots, other players(always a glorious win), and tolerated the unending spam from other bots that would just want you to go to some porn website. Eventually, they instituted a CAPTCHA. . .Oh noes, my bot was broken. Turns out I could just manually enter the CAPTCHA and grab the session ID info before the applet loaded and forward that manually to the bot. Once I'm "logged in" with the bot, it's no big deal. Point

Gentlemen, start your spambots

[timeOday]

What other tough AI problems can we foist onto spammers? People who buy V1agra through email ads could be the single largest source of computer science research "grants."

Re:Gentlemen, start your spambots

[xaxa]

Natural language processing etc:

To register, answer these questions and click the button on the right
What colour are buses in London?
What is three times three?
[Red] [Green] [Blue]

Re:Gentlemen, start your spambots

[SoupGuru]

That reminds me of the age check for Leisure Suit Larry back in the day... Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?

Bellybutton

[Doc Ruby]

Bellybutton. Do I get a peek?

Re:

[KillerBob]

There was a hotkey, I think "CTRL-D", which skipped the questions....

Um, don't ask how I know that. >.>

Re:

[tkw954]

As an ex-underage Leisure Suit Larry player, I've wondered whether the game was really adult oriented, or was just a subtle attempt to teach kids recent history.

Re:

[Jussi K. Kojootti]

Seeing Leisure Suit Larry just brought back memories of how LucasArts handled copy protection since both X-Wing and LSL were out around the same time (mid to late 90s)

Late 90s? Don't kid yourself you old geezer. Larry came out in the eighties and even X-Wing is from -93.

Re:Gentlemen, start your spambots

[paeanblack]

To register, answer these questions and click the button on the right
What colour are buses in London?
What is three times three?
[Red] [Green] [Blue]

Yes, those are undoubtedly hard questions for a computer. How, exactly, do you plan to generate billions of these questions? For a CAPTCHA to work, it must still be hard even if the generation algorithm is public knowledge.

Re:Gentlemen, start your spambots

[driftingwalrus]

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

Re:

[LordLucless]

Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in its database.

Re:Gentlemen, start your spambots

[omeomi]

Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in its database.

That's true. I've found, however, that introducing custom spam blocking methods, such as this, no matter how easy to break, often does a better job at stopping spam bots than more robust publicly available methods. For a target as big as Yahoo, this probably won't work, but I've found on PHPbb for instance, instead of using any of the publicly available captchas, which are easily defeated by bots, creating a simple question of this sort does wonders for bot-blocking. Even if it's just one question. If your site isn't big enough to be specifically targeted by bot farmers, sometimes a simple solution is better than a more complex one that everybody else is using.

Re:

[nazanne]

That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone half way around the world entering CAPTCHAs for a penny a piece and allowed any spelling that is even close. I haven't had any spammers sign up for a couple years now. That obviously won't work for a major target like YAHOO though.

Re:

[Mike89]

That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone half way around the world entering CAPTCHAs for a penny a piece and allowed any spelling that is even close. I haven't had any spammers sign up for a couple years now. That obviously won't work for a major target like YAHOO though.

That'

Re:

[goatpunch]

I have a little site, only really intended to share stuff with family and friends, served with custom scripts. I couldn't believe it when it was targetted by spammers. I could even see the test posts they made, checking to see if html was allowed etc., before unleashing the the bot to post dozens of links a day.

Re:

[flyingfsck]

My solution is even easier - a 10 second delay on every login attempt. It doesn't bother human beings, but bots give up and move on before the timer expires.

Random Coloration Photos

[copponex]

(if anyone uses this and makes a million, at least cut me in 10% for the idea)

I gather the last frontier for computers is image recognition. I'm not sure of the state of image processing, but if you could randomly color simple pictures (one flower, one pen, one cup (NO PUN INTENDED)) into about twenty different shades, and get about a hundred different photos, and just start rotating two or three a week in. So the user sees a small photo with radio boxes below:

The cup is ()red ()blue ()green ()purple ()oran

Re:Random Coloration Photos

[jsoderba]

I say that a lot of people are color blind.

Re:

[mgblst]

Well, it is about time we got rid of those mutants anyway. Nobody is interested in what they have to say.

Re:

[aliquis]

Or scramble all the colors in the image (not that useful I guess but a human can solve it anyway) of a large size where you only show a small part and also put in a riple effect somewhere on the image.

But no matter what we come up with it can always be solved somehow, of course. So it's rather useless, start ask for money for each account and the problem will be much smaller ;)

Re:

[grumbel]

but if you could randomly color simple pictures...

How about using complicated pictures instead of simple ones. Take a full 3D scene with multiple randomly positioned objects, then render it from a random viewpoint and present it to the user and ask questions like:

* "Click on the cat that is nearest to the dog"
* "What color does the cat behind the house have"
* "Click on the cat, the dog and then the horse"
* "Click on the gun worn by the guy with the hat"
* "Click on the blue car with its lights on"
* "Click on

What about i18n?

[gr8dude]

As these CAPTCHAs get more complicated, it becomes more difficult for non-speakers of the language to interpret them.

Re:

[xaxa]

This has the same problem as my suggestion -- it's to hard to generate more problems without writing something that can solve the problems at the same time.

The spammer can copy your photo, mark areas as cup, flower etc, then the algorithm can look for 'cup' in the sentence and see what colour the pixels are this time.

You might be surprised by this [unige.ch]. Click Accept and Connect, click Random, then from the returned images choose a couple as Rel[evant] and click Query. Depending how complicated the image you cho

Re:

[webmaster404]

And would make the coders look like they flunked English a few times, really, it would be unprofessional to do that.

Re:

[General Wesc]

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

Yeah, that would solve the problem until someone developed an automated program to check spelling and grammar, which I'm sure is near-imposible. (By the way, does anyone know why there's a red line under that last word? Is my screen screwed up?)

Re: Imposible red lining.

[bornwaysouth]

Red lining ( a motoring term) comes from tiping too fast, typing to fist, typing two farst, um, using more than one finger per hand.

The key is to never type faster than your brains alpha rhythm. Otherwise, you slide into a meditative zone known as 'T-pool bimbo limbo'. On the other hand, I've generally found typists to be saner than managers, so maybe the mediative zone is a defense mechanism. The frontal cortex contemplates what's for dinner tonight while some low reptilian region recognizes scrawled lette

Re:

[TubeSteak]

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

LoL! I find ur 1d3as fascntng, & wood lik 2 sbscrbe 2 YR noozl3ter.
kthxby

V1A9ra

[KKlaus]

Use spammers tactics against them. They've spent a huge amount of time trying to defeat intelligent filters by finding language that computers can't understand, but humans can. Might as well put that research to good use.

Re:

[nguy]

Computers don't understand grammar very well anyway, and spelling errors are trivial to correct or account for.

Re:Gentlemen, start your spambots

[aliquis]

Just put some hard to read perl code in there and ask the user to say what it does. If the answer is correct it's a bot, if the answer is wrong it's probably a human ;)

Re:

[jma05]

> What about introducing spelling and grammatical errors?

Ever typed a query into Google with a spelling mistake :-)? Most IR algorithms don't place much weight on grammar (if at all) to begin with. Many just consider sentences to be a bag of words. Some interpret basic rules. An error there won't change results much.

Re:

[wall0159]

"difficult for a computer to interpret, but doable for a human."

V1agra is used for what condition?
If you "make your girlfriend really happy" what are you doing?
What are p1lls and ph@rma?
Where do I go for a j0b, paying $3000/month and all I need to do is use the intenet at home?

Seems to me like someone's got it worked out already...

Re:

[Rocketship Underpant]

Why not just hire a human being to change it every day? Is there any particular reason these quasi-Voight-Kampff tests need to be generated from algorithms? Anything generated by an algorithm can be deciphered by an algorithm, after all.

Re:

[aliquis]

What about doing the captchas the other was around, like:

George Washington, and then the user has to draw him ;)

Or not.

oblig monty python

[Joe the Lesser]

Blue!

No!

Re@#831%$*...*thud*

Re:

[aliquis]

2) Yeah because it's insanely hard for a script to replace any words meaning a number with the actual number, find the part which says add and then add them all? It's not like you will have to code an answer for each possible string ..

Re:

[totally bogus dude]

If it's really not that hard, then why don't you tell us to how to create such a system then? What you described certainly doesn't match what paeanblack suggested.

In addition to being pretty much trivial to write a script for, you're also forgetting that many people are a lot less intelligent than computers and will actually fail at even simple maths. For an elitist site like /. it's probably okay to say "we don't want people who can't do simple sums to be able to sign up, anyway". If you're a big player

Re:

[russ1337]

Natural language processing etc: To register, answer these questions and click the button on the right What colour are buses in London? What is three times three? [Red] [Green] [Blue]

There is a good podcast on Security Now [grc.com] (see episode 101)
Here is the transcript - this bit not all that clear as it is an actual transcript from Steve's stenographer.

....But, for example, you could imagine some sort of puzzle-solving solution. There has been JavaScript created which asks simple, English-language problems

Use Google

[xswl0931]

Once you get the question in text form, it would be easy for a BOT to use Google to find the answer.

Re:

[Artefacto]

That's still not as good as this solution [xkcd.com]. I can't understand why it's not widely adopted.

Re:

[account_deleted]

Comment removed based on user account deletion

To keep out the Americans?

[tepples]

What colour are buses in London?

Such questions are good for people who can reasonably be expected to have watched a lot of television programmes. But for people who live in places where programs are broadcast more often than programmes, you're pretty much testing whether or not a bot can keyword-search a local mirror of English Wikipedia.

But if your site is too large, and the questions pertain to the subject of your site, they can be reasonably effective. I am a deputy administrator of a Tetris fan forum [tetrisconcept.com], and we have had virtually n

captcha security

[primadd]

I did my own captcha, but I'm not sure how much its worth - figured any non-standard one is better than none (or a std one).

Please take a look [primadd.net] - are the effects actually helping the recognition process?

--
social bookmarking widget for your site [primadd.net]

Re:

[Kaitnieks]

The letters are too far away from each other - makes it easy to separate them for proccessing. In fact, the only challenging aspect for OCRs in your captcha is the letter rotation/skewing. However, I don't think anyone will bother to write a captcha OCR for your site, unless it's Yahoo sized.

Re:captcha security

[Carnildo]

The character outlines are nicely distinct, which means that even basic OCR software should be able to break the CAPTCHA. Since it's so easy to break, you want to hide it from any bots that come by: remove all references to "captcha" from the page source, and you might want to move the HTML for the image away from the HTML for the entry box.

Re:

[cheater512]

Yeah making a captcha without edges while keeping it readable is incredibly difficult.

I made one once which was absolutely beautiful.
There was no way that it would be cracked because there were no edges to detect.
Readability wasnt great but everyone I tested it on did eventually get it.

Re:captcha security

[yani]

Although it seems counter-intuitive, character recognition (even with your filtering) is a relatively easy problem for a computer to solve. The hard problem is segmentation. It is relatively easy for a human to segment characters when they are somehow joined together, by artifacts or occlusion, it can be very hard to do with current methods.

Hence all good modern captchas have moved away from character recognition captchas (such as yours) to segmentation based captchas. You only need to read the wikipedia article on CAPTCHAs to see some examples: http://en.wikipedia.org/wiki/Captcha [wikipedia.org].

Re:

[Verte]

Of course, most CAPTCHA that do this make the junk lines a different thickness to the text, which makes them easy to pick out algorithmically. Further, most segmentation-based CAPTCHA can be solved by looking at derivatives of edges of colour and thus continuing the line. Fuzzy-homological methods are probably the way to go with the current round of captcha. The question then will be, how do you fool that kind of algorithm? Perhaps by being creative with colour and texture?

That's really impressive.

[heyguy]

I've found Yahoo's CAPTCHA to be really annoying. I probably get it wrong about 20% of the time because the picture is so distorted (and I've been surprised that I got it right a lot of the time). I even considered writing them an email complaining about it, but then I realized they probably don't give a crap.

Lets all say it togeter.

[twotailakitsune]

We hate CAPTCHA. Most thing they do to make it difficult for computers to decode, make it a lot more difficult for humans to decode. Most of them are not usable by text browsers (dah), and the blind. Some have audio that is hard for people to hear, and sill easy for computer to decode. Last, CAPTCHA's are so over used that people just do them without thinking. For all you know that Porn/ware site is using you to do CAPTCHA for them. Not that it is needed. This is just one more nail in the CAPTCHA coffin.

Only Yahoo?

[Sigma 7]

33% of Yahoo capitchas isn't really impressive - you still get a large quantity of negative hits, and unless you have an array of IP addresses (most people don't), there will still be a large quantity of addresses registered from a given IP. Also, a large quantity of negatives would cast doubt on any positive matches from the same IP.

Also, Yahoo captchas aren't that "hard" - they are black text from known font pools on a white background that get slightly warped and have black lines drawn on some characters. This is hardly strong since it doesn't hit all letters within the word (which is done by reCAPTCHA) or use a large font-pool variety.

Even the Slashdot Captcha is harder - it hits the whole image and uses different fonts within the word.

Re:

[teh moges]

33% of 100,000 attempts per day is 33,000 posts per day. The idea of Captchas is to reduce this to nearly 0 successful hits per day.

Re:

[Sigma 7]

33% of 100,000 attempts per day is 33,000 posts per day.

That also has 67,000 failed captchas per day - something you generally notice. If your captcha system detects rapid-fire captcha attempts (requests, failed, etc), you can auto-block the IP address that is making that many requests.

You'd probably want to do that anyway, since 1.15 requests per second for captchas is on par with flooding.

Re:

[KillerBob]

Botnet. Every connected system has a unique IP address. (or enough of the connected systems do, at least). Enough IP variation to skirt around the detection.

Re:

[FinestLittleSpace]

In your very very very very very very very very long post, you failed to add the main issue with banning botnet-member computers; they're generally on dynamic IPs.

Lease time on a botnet...

[POttedPOrk]

Botnets have a whole bunch of IP addresses. Simply deploy your Yahoo CAPTCHA cracker code on a botnet that some other fine internet entrepreneur has assembled, and it doesn't matter how many negatives you generate because they will be from a variety of hosts. Certainly with 33% success rate, you're doing pretty well, especially considering your typical spray-and-pray spam blitz.

Re:

[arth1]

33% of Yahoo capitchas isn't really impressive

I think it's pretty damn impressive; it's better than what I do. I usually need 4-5 tries before I get a captcha all correct. 33%, or 1 in 3 would be an improvement.

Malware

[Zantetsuken]

Ya, if its not malware, I'll buy a bridge from somebody, and then go bungee jumping without a chord...

Re:Malware

[wellingtonsteve]

without a chord is fine... ...it's when you're missing a cord that you need to worry

Re:

[bcdm]

Hey now, be fair...what's the point of bungee jumping if you can't have "Thunderstruck" or similar playing on the way down?

Jumping without a chord would be no fun at all.

Increase In Chat Spam

[blueZhift]

This might account for the recent increase in spam chat messages I've been seeing there. My guess is that the spam filtering is not as effective on chat as email. Indeed, chat may not pass through any kind of filtering at all afaik. That will probably change soon, but in the meantime I suppose the people who cracked the captcha will make a tidy profit.

35%???

[wbren]

I'm impressed. That's better than I can do. Some CAPTCHAs take me five or six tries to get right.

Re:35%???

[GiMP]

I agree, that is better than I normally do as well. Maybe someone could make this a firefox plugin so that mere mortals can actually access webpages that use CAPTCHAs.

It is sad because with corrective lenses, my vision is 20/20, and I'm highly technical. I should not have any problems with CAPTCHAs; However, my grandmother is another story. She has poor vision, can't figure out how to do a carriage return on her computer, has difficulty understanding the concept of scrollbars, and I'm sure would not be able to deal with even the easiest CAPTCHAs in use today. This is not usability. Granted, given the choice between SPAM or CAPTCHAs, I'll chose the lesser of the two evils...

Re:

[Carewolf]

Are you sure your grandmother is not a bot?

Re:35%??? Captcha success is lower

[WillAffleckUW]

I have to agree with you here.

When I try to post at the Seattle Times [nwsource.com] their Captcha is nigh unreadable. It's dark and frequently I only succeed with maybe one try out of five.

Which really frosts my cookies and has made it so I try not to buy their print edition, choosing instead the more user-friendly system at the much more urban-focussed Seattle Post-Intelligencer [nwsource.com] instead.

It's a royal pain.

Akismet

[TheSpoom]

This is why you need a queryable, updateable public spam database like Akismet [akismet.com] where, with a little effort in telling it the odd time it gets it wrong, you can eliminate 99% of spam. This might not help for a registration script, but you could use it on the content ultimately used by the registered user to determine whether the signup was likely a bot or a human.

Warning on playing with the demo

[xynopsis]

Did anyone notice that the image recognition code is imported from a binary DLL? I was under the impression that the Russian hackers would provide the source for the recognition code as well. But then, the people who released this are only interested in generating as much spam. Why should you trust them? You would be foolish enough to _not_ execute your test program that imports this dll in a vmware instance instead of your actual machine. Anybody done a comprehensive strace to determine sockets/descriptors opened by using this dll?

Dynamic forms?

[British]

What about the form that is around the captcha, generally a new account application, etc? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fail?

Have the captcha be at the beginning, sometimes middle, sometimes at the end of the form. Mix it up a bit. Have no two application forms look the same.

Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make t

Re:

[Loplin]

>What about the form that is around the captcha, generally a new account application, etc? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fail?

Even if this were dynamic, there is only so many possible methods of displaying a form while still letting it be decipherable by a human. Given this limited set of possibilities, the programmer of a spam bot needs only to take into account any possible page mutations. More likely though, the spammer doesn't e

Cost

[debrain]

Soon, the cost of identity on the internet will be money. The technology circumventing human-being verification is growing faster, and with greater economic motivation, than the technology preventing non-humans from registration. Soon there will be no way to distinguish between a human and computer on an independent web-sites.

Cometh the centralized, homogenized, certified verifying-as-human web-sites (vis-à-vis facebook?).

Gee, Ya THINK

[buss_error]

Yahoo!'s captcha has been hacked, perhaps not as well, in the past. I've seen open http proxies pounding away at Yahoo to the tune of 100,000 per hour and more. Hotmail's is broken, so are others. The real shame is that the Storm Worm controllers are being protected by a national government and law enforecement system.

So what's the answer?

I'm sure I don't know. I do know that the wild west theory of accepting any kind of behaviour isn't acceptable. I know that some minimum standard of what's allowed and what isn't is going to have to take place. Where these limits are placed is a thing for a global conversation, and there will be differances of opinion.

Is cracking a captcha acceptalbe? Is phishing and identity theft acceptable? Is fraud and uncontrolled spam acceptable? What limits, and on what actions?

I'm just not that smart. But I think we can agree on a few things. Let's start to find out what those things are... and acting in concert with other network operators to enforce those standards. Fail to meet them, and your network routing gets dropped...

Other interesting work on CAPTCHAs

[ChoppedBroccoli]

Segmentation and intersecting arcs can be difficult for automated attacks: http://portal.acm.org/citation.cfm?id=1054972.1055070 [acm.org]

You know those annoying flash advertisement games (shoot the monkey for a free iPod)? Well, they could potentially be adapted for CAPTCHAs as well: http://cups.cs.cmu.edu/soups/2006/posters/misra-poster_abstract.pdf [cmu.edu]

Lets use Traveling Salesman!

[sam_paris]

I know!

Lets use instances of the travelling sales problem as CAPTCHAS. In a year the Russians will have them cracked and we'll finally know that P = NP!

Yahoo fails even with captcha

[MeditationSensation]

If you've ever tried the Yahoo chatrooms, you know they're overrun by spam bots. The problem wasn't with the captcha, it was that it challenged users only once and at the beginning of the session. So as long as your spam bot didn't appear idle or lose connection, it could stay on indefinitely. Now with the captcha broken, spammers don't even have to do captchas manually.

What about accessibility

[kylehase]

The topic of "are you human" was covered on Security Now a while back and someone brought up a great point. Tools to deter bots also makes it difficult for accessibility software since they use many of the same concepts as bots. Even audio captchas are no longer a strong bot deterrence.

With advocacy groups like the National Federation of the Blind suing Target for their inaccessible website it'll be a very tough challenge to develop new good captchas while maintaining accessibility to everyone.

On another

Just use reCAPTCHA

[NickCatal]

I don't understand why more people don't use reCAPTCHA [recaptcha.net]. If the best book OCRs can't figure out a word, it is probably going to be difficult for a 3rd party OCR to figure out a distorted version of that word. Much less 2 words. Add on to that the fact that there is a central DB monitoring what IPs are solving these CAPTCHAs and on what sites these CAPTCHAs are being solved on and you allow the reCAPTCHA project the ability to improve the reliability of their service.

Plus you get to help digitize books for pu

Captchas Will Pass Away

[localman]

I remember thinking about the Captcha problem a while back and thinking that something related to the subtleties of facial recognition might work -- "click on the woman in a group of men", for example. Of course you'd need tons of images with the correct zones mapped, for example, but I thought the starting point of gender recognition could be very tough for computers and relatively easy for humans.

Then I read about that thing where they display Captchas on free porn sites and have the users (actual humans

CAPTCHA + moderation

[pfafrich]

On my site pfaf.org [pfaf.org] I use a simple Q&A type CAPTCHA plus human moderation. A non-standard captcha means that the cost for a spammer goes up, they have to write a specific code to break the captcha. The human moderation means that they get 0 value for sucess. End result they don't bother. My work is vastly reduced by using the capture as no spam to deal with.

Re:

[Anonymous Coward]

Are you bashing MS just to bash them. Honestly, their so called 'stupid system' is the best thing I've seen out there. Please enlighten me wise one, and link me to a better alternative.

p.s. How do you know that Gmail accounts haven't been hacked into? Do you have data validating this?

It's not a challenge to bash MS, that comes way to easy, but to add some useful content to /. , might be a challenge for yourself, wise one.

Re:

[Ilgaz]

My guess is that the lack of security will do more harm than good.

The Net is an unforgiving beast.

What suggests that those 1000 people have anything to do with security?

Yahoo and all major sites should start firing the ever infected, ever abused IP's from their network. Put the blame on ISP. Start with open proxies. People should see difference between using a stupid, non managed ISP vs. a real ISP which takes care about security issues on their network. "Based on our records, you are using a listed open proxy which generally means your machine is virus/worm infected. Please click this link for a free