Forgot your password?
typodupeerror
Security Spam

Fallout From the Fall of CAPTCHAs 413

Posted by kdawson
from the script-kiddie-fodder dept.
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
This discussion has been archived. No new comments can be posted.

Fallout From the Fall of CAPTCHAs

Comments Filter:
  • by xpuppykickerx (1290760) on Tuesday July 15, 2008 @05:08PM (#24203279)
    I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.
    • by Anders (395) on Tuesday July 15, 2008 @05:16PM (#24203421)

      I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

      They don't view it better than you, they just do not get impatient from failing 4 out of 5 times.

      • by khasim (1285)

        Put 1,000 computers on the problem and allow them to share information from their successes ... and you've cracked a CAPTCHA implementation.

        And there are hundreds of thousands of zombies out there.

        • by statusbar (314703) <jeffk@statusbar.com> on Tuesday July 15, 2008 @06:09PM (#24204263) Homepage Journal

          The best way I've seen that captcha's got broken are by "free porn sites". The web site is what is cracking another captcha. When it gets a captcha to solve, it passes it to one if it's "porn viewers" - "please type the word that this captcha says in order to prove you are old enough to view the porn". Then the porn is displayed and the bot running on the website has a potential solution made by a human to do it's botting with.

          This method will suffice to crack ANY CAPTCHA!

          --jeffk++

          • by encoderer (1060616) on Tuesday July 15, 2008 @06:58PM (#24205079)

            Absolutely correct.

            I run a mid-sized web development shop. A few years ago we were doing mostly retail sites. Vanilla and boring but we worked it down to a science and had some really great "modules" that made these sites super profitable for us. Of course, everything has its seedy side and with retail it was SEO.

            Everybody wanted it. About 80% of our customers were of the "Do whatever, just ideminfy me" stripe. (And these are established companies paying high 5-figures for these sites). We drew our own demarcation about what we would and wouldn't do. (Excessive Internal-link structure is OK, zombie sites are not).

            Now most our work is social networking.

            We, too, followed the "rise" of CAPTCHA and we've been happy with our results. We always used a custom CAP for each site, and we tried to keep them relatively readable, being of the belief that making it too hard will only keep out Humans: If somebody wants to crack it, they will.

            We still use them regularly. I noticed that about a year ago we actually had people begin to request them specifically. (Isn't that what Buffett said about the home mortgage mess? When the regular joe's started flipping houses, he knew it was over?)

            Anyhoo, I think the real fault in CAP's is that they worked too well. They became too big of a target. Now, we try to mix and match a number of different techniques to identify humans.

            Solutions range from dirt-simple: An input box named, say, "City" that has a label that reads "13 plus 8 equals:" or "What is the 3rd word on this page?"

            To the more complex "what is the color of the front-door in this picture?"

            We have a simple library we use for these things that pulls the questions (and, if applicable, the pics) from a Database of about 25,000 different turing tests.

            The thing is, none of them are too complex. Any mediocre programmer could write an application to crack it. But your bot will probably never see that same exact question again, so it becomes irrelevant.

            And, to tie it in to the parent, we chose this technique precicely because of what we learned from CAPs. Before there were software hacks, there was the "porn hack" and the "sweatshop labor hack."

            In this case, when a bot the site, it's fairly difficult for it to even detect which item is the turing test. We auto-generate the location and even the name of the form field so it's always a bit different.

      • by fm6 (162816) on Tuesday July 15, 2008 @05:48PM (#24203959) Homepage Journal

        Or from failing 999 times out of 1,000. Computers have an infinite amount of patience. Security schemes that don't acknowledge that are doomed to failure.

        • Re: (Score:3, Interesting)

          by Kismet (13199)

          If patience were something we could quantify reliably, I suspect that we would find computers to have none at all.

          The reason? Computers also have no boredom.

          • Re: (Score:3, Insightful)

            by fm6 (162816)

            Boredom is something you get when you run out of patience. Computers never get bored because they never run out of patience!

    • by nbert (785663) on Tuesday July 15, 2008 @05:30PM (#24203665) Homepage Journal
      Makes one feel like an idiot if some site starts to require impossible Captchas. Rapidshare for example had one where you were supposed to only write the letters featuring a cat (other letters had a dog). I had to enable some zoom feature of my DE to get a closer look but still the dogs and cats looked like some screen-dirt to me. Never managed to solve this one properly.

      Looks like I'm not the only one not smart enough - they replaced this CAPTCHA with some "Happy Hour" mode, which didn't require any form.
  • by niceone (992278) * on Tuesday July 15, 2008 @05:09PM (#24203291) Journal
    Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register (it gets easier if you reload the page a few times, down to simple arithmetic). I have a site that is only of interest to people who use verilog (a hardware design language) I've toyed with requiring a some digital logic problem to be solved, but the volume of spam signups it's big enough for me to be bothered yet...

    Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.
    • by Shikaku (1129753)

      What about that captcha system where you identify a type of animal, like whether this picture is a dog or a cat?

      Why not captchas like that, or similar? I'm pretty sure that identification of an object or animal would be much harder than letters.

      • Re: (Score:3, Informative)

        by blueg3 (192743)

        While that's a class of problem that's tricky (though not impossible) to address, giving you the choice of a few different animals it might be is insufficient. Even if there are 10 choices, random guessing will be right 10% of the time, and that's enough for spammers. Subjective answers (showing a picture of a dog and having someone type "dog") are tricky because not everyone will type "dog", and you don't want to reject humans.

        The current design fits the requirements well because the answer is distinctly o

      • by jandrese (485) <kensama@vt.edu> on Tuesday July 15, 2008 @05:22PM (#24203525) Homepage Journal
        The problem is that to set up that CAPTCHA you have to have a person sift through a huge picture archive of cats and dogs and mark each one. However, that limits the size of your CAPTCHA dictionary to however many entries a person can parse in a reasonable amount of time. This means the bad guys can sit down a person (or two, or ten) and go through all of your images to seed a database with the correct answers for their bots.
        • Re: (Score:3, Insightful)

          by prockcore (543967)

          The problem is that to set up that CAPTCHA you have to have a person sift through a huge picture archive of cats and dogs and mark each one.

          Or you can be smart and realize that sites like petfinder already have to sift through.

          http://research.microsoft.com/asirra/ [microsoft.com]

          over 3 million photos in the dataset.

        • by encoderer (1060616) on Tuesday July 15, 2008 @07:24PM (#24205425)

          A good solution here is to include this as part of the turing test itself.

          As I mentioned upthread, I'm a partner in a web dev shop. We do a lot of social networking (of course) and about a year ago we developed a utility to create just this type of turing test. For example, we'll have a picture, and ask the question "What is the color of the 3rd fish from the left?"

          What we do, is we pair these tests on a page. We'll include a known test, like the one above. And we'll also show an unclassified image and we might ask "how many people are in this picture?"

          There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as its confirmed 2 times, it gets classified as having n people. Soon after it would be displayed again asking "how many females are in this pic?" or "what color shirt is the person on the right wearing?"

          When we created the app, the DB had about 5000 turing tests in it. We then attached a DB of about 100,000 images that were pre-classified but not to an extent that would allow us to write a test off it.

          Now, after a year in use across a couple dozen moderately trafficked websites, we have nearly 25,000 turing tests. All 20,000 new tests have been created thru the technique I described above.

          The real reason we did it wasn't to save on some development costs. We could've hired temp workers and paid them $8 an hour to classify pictures.

          We did it because I believe strongly that the key to simple turing tests like this is a large corpus of data. If a bot only encounters the same test once or twice EVER, then the problem becomes difficult to solve. This is like the ANTI-CAPTCHA.

          CAPTCHA was all about taking a specific technique to its maximum extent: Challenge a computer system by taking a narrow field (OCR) and pushing it beyond the current state-of-the-art.

          These tests are all about a general technique thats broad where CAPTCHA is just deep.

          The only way to build a bot to solve each test in our DB would be to give it genuine intelligence. It would have to be capable of determining context, reference, connotation, image ID, etc.

          As a programmer, if you say "Here's a captcha, write a program to solve it" I wouldn't know HOW, but I'd at least have an idea of where to begin.

          Now, if you show me a picture with the turing test of "What object is in the hands of the 3rd woman from the left" ... well... i wouldn't know where to begin.

          • Re: (Score:3, Interesting)

            by Mr2001 (90979)

            What we do, is we pair these tests on a page. We'll include a known test, like the one above. And we'll also show an unclassified image and we might ask "how many people are in this picture?"

            This is basically what reCAPTCHA [recaptcha.net] does, although they only use words. They take images of words that off-the-shelf OCR software failed to read, apply more distortions, and serve them up two at a time. One of the words is known; the other is unknown but becomes known after enough people have submitted the same answer.

            And as a bonus, the answers aren't just used to grant access to a web site - they're used to digitize the old books that the images came from in the first place.

          • by markandrew (719634) on Wednesday July 16, 2008 @04:33AM (#24209623)

            "There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as its confirmed 2 times, it gets classified as having n people."

            How do you know that those 2 confirmed times weren't bots, and that you've just allowed those bots to effectively choose the answer to your question?

      • by Lehk228 (705449) on Tuesday July 15, 2008 @05:23PM (#24203537) Journal
        not really, unless the catalog is huge and you expect your legitimate users to be biologists. if there are even as many as 100 animals the script can just guess, and 1% of attempts get through. when thousands of bots are signing up simultaniously 1% is a whole lot of bots
      • by jim.hansson (1181963) on Tuesday July 15, 2008 @05:24PM (#24203559) Homepage
        then you write a little program that will show nude pictures, if users identify pictures for you. do not underestimate the length some people will go to for seing mostly skin.
        • Re: (Score:3, Funny)

          Obviously the solution is to make porn free so that this is no longer an incentive. Obviously also this means that the government should subsidize it.
    • by linuxpyro (680927) on Tuesday July 15, 2008 @06:00PM (#24204135)

      I've toyed with the idea of making users write a 500 word essay on a random topic. I would then send this to my high school English teacher, and if it got maybe a B or above I would consider it legit.

  • Mix it up a bit? (Score:5, Interesting)

    by Hektor_Troy (262592) on Tuesday July 15, 2008 @05:10PM (#24203303)

    Combine it with a mix of simple math and image recognition? I.e.

    "What colour hair does the (2+four)/3 girl from the left have?"

    Hell, skip the math part if that's too easy.

    • by jandrese (485) <kensama@vt.edu> on Tuesday July 15, 2008 @05:19PM (#24203473) Homepage Journal
      Computers are pretty good at math last time I checked. Asking for something that would require a full on AI to answer is good (the hair color part), but the problem is that it requires a human to seed the questions, which means they will be limited in number. If they're limited in number then the spammers will just go through and keep reloading the screen until they've seen all (or mostly all) of the answers and program their bot with the correct answers.

      CAPTCHAs need to be able to be generated algorithmically by a computer, but not answered by one, which is a surprisingly difficult problem. Anything that requires human intervention on the creation of each variation is doomed to fail because spammers have more free time than you do.
    • by autocracy (192714)
      That would too quickly fall to a computer. The reason CAPTCHAs (did) work is because the number of possible answers was respectably high. If you put 10 people in a line, a computer would probably get the right answer the 5th time around. If you put 100 people in a line, you'd get a very pissed off user.
    • by evilviper (135110) on Tuesday July 15, 2008 @05:38PM (#24203801) Journal

      "What colour hair does the (2+four)/3 girl from the left have?"

      "On the internet, only CAPTCHAs know you're a dog." Because, of course, there aren't any color-blind people on the internet...

      First, hair color is a terrible test... You've got about a 24% chance of getting it right without looking...

      Putting together a set of images with full extensive descriptions such as that would be prohibitive, while numbers and letters can be pretty easily automatically generated.

    • by QuantumRiff (120817) on Tuesday July 15, 2008 @05:45PM (#24203913)
      You just eliminated one third of the US population from accessing your site..  Sad, isn't it.
      Now if you had said,
      What color of hair does the 3rd girl on the right have,
      A: green
      B: brown
      c: Blond
      D: I drive a ferrari, I don't care about hair color!
      you would only eliminate about one eighth
    • Re: (Score:3, Funny)

      by Von Helmet (727753)

      Image recognition fails on two counts - perception and natural language. One man's ginger is another's man's strawberry blonde, and if you've ever looked women's hair dye you'll know that they have about 50 billion words for "brown".

  • Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I'm wrong

      Fixed.

    • They don't do anything amazing with the images. They just attempt to reverse what is known about how the source site modifies the images.

      With enough machines aimed at the problem, it becomes simple to brute-force it and then share the information amongst the other machines.

      Remember, the CAPTCHA's are limited in that they still have to be understandable to humans.

  • by nweaver (113078) on Tuesday July 15, 2008 @05:14PM (#24203385) Homepage

    CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.

    Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.

  • ...if this is connected to what I could swear is an increase in spam lately. Has anyone else noticed an unusually high amount of sensational false headlines and Russian nonsense appearing in their inboxes?
  • But rather an over-reliance on turnkey solutions to the problem. The overwhelming majority of places that use them all use the same format (hard to read words) which in turn creates an incentive for someone to break it as it will be easily applied to other CAPTCHAs. The solution is for there to be a wide variety of them that come up at any given time of the "what number is on the picture of the girl in the blue shirt" one day, but "pick the picture of the elephant" a week later. I predict that a company lik
  • Depressing (Score:3, Insightful)

    by MarkPNeyer (729607) on Tuesday July 15, 2008 @05:17PM (#24203439)
    Does anyone else find it as depressing as I do that such obviously intelligent, motivated individuals can't find a more productive use of their talents?
    • Re:Depressing (Score:4, Interesting)

      by cowscows (103644) on Tuesday July 15, 2008 @05:36PM (#24203753) Journal

      It's depressing to me that things like viagra spam are still profitable enough to make spamming them financially useful. Sure, the way the economics of it work out you only need a really low response rate to break even, but hasn't everyone already gotten enough of those emails? I'd imagine that whatever market there is for sketch viagra distributors would be saturated by now.

      At least with phishing spam I get to see new scams on a regular basis (some quite cleverly disgused too). But some of the more vanilla spam just seems pointless.

      • Re: (Score:3, Insightful)

        That's what I don't understand. If I wanted to take Viagra for some reason, I could just get a sample from my doctor.

        Why would I buy something from a random stranger online?

        Wait a minute. Maybe it's not the actual spam itself that's profitable. There's an illusion that it is, so it's the selling of spam that's profitable.

        In other words, you don't get paid for spamming Viagra, you get paid for selling the computer time to the people who think they'll get rich spamming Viagra.

        Maybe.

  • Still useful (Score:5, Insightful)

    by truthsearch (249536) on Tuesday July 15, 2008 @05:18PM (#24203453) Homepage Journal

    CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.

    For example, I use reCAPTCHA [recaptcha.net] on DocForge [docforge.com] to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.

    • by g0bshiTe (596213)
      I call bulls**t on this one, my clansite gets 1000 new zombie accounts created per day.
      I've tried CAPTCHA, I've tried the 3 kittens (click the 3 pictures of kittens) I've tried 1 dog, 1 kitten, 1 wheel.
      They all fail.

      The only way to keep them from posting is to require an admin to approve the account before they can post.
      • Re: (Score:3, Insightful)

        by truthsearch (249536)

        Well, you can check my site's recent changes [docforge.com] to see nothing gets through that contains external links, which are the only anonymous submissions protected with CAPTCHA.

        Maybe your site's running some very common software. I have a Drupal site [seenonslash.com] for example, that sometimes hit by bots that are obviously specifically written to attack Drupal sites. Or maybe your CAPTCHA implementations have already been broken, or aren't (pseudo-)random enough.

  • The best part is.. (Score:5, Interesting)

    by QuantumG (50515) * <qg@biodome.org> on Tuesday July 15, 2008 @05:20PM (#24203487) Homepage Journal

    Spammers are cracking some of the hardest problems of AI research.

    How can they do that, and yet all the great academic minds can't? Two things:

    * funding
    * a willingness to use "anything that works"

    What's really scary is that, in the end, spamming may turn out to be an agent of good.

    • by XanC (644172)

      Much of this is finding a way to brute-force the methods used on particular sites, overwhelming randomness, etc. It's not really a computer reading any difficult text.

  • A dumb question: (Score:5, Interesting)

    by AndGodSed (968378) on Tuesday July 15, 2008 @05:21PM (#24203507) Homepage Journal

    Howcome /. is so spam free?

    Do the hackers just not care about us,
    or:
    is this like one of those "safe zones" where geeks and hackers can hang out as long as nobody asks or tells? (looks at guy to his left..."say is that a CAPTCHA in your pocket or are you just excited to be here...")

  • by gurps_npc (621217) on Tuesday July 15, 2008 @05:23PM (#24203541) Homepage
    This CAPTCHA has text from six emails. Five are randomly selected from those sent by people that have opened an email account in the past month. One is from an email account that is a honeypot. "Please select all emails that that are spam." Note, the obvious secondary benefit is that it is used as a spam detector. Then of course there is the simple rule: "Our free email accounts can not be used to send more than 20 emails per day. If you need more, please sign up for our deluxe account, that charges you $1 per year. of service"
  • fall of open email (Score:5, Insightful)

    by drDugan (219551) on Tuesday July 15, 2008 @05:23PM (#24203551) Homepage

    it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

    in a globally connected world with several billion possible users - open email simply won't work much longer.

    when we need are permission based systems - ones in which people need permission before they can contact another person. it would eliminate spam entirely, by integrating whitelists into mail clients. because no one has built a system like this that leverages and extends existing email servers - private organizations leveraging social connections have moved in to fill the gap. sadly, because facebook messages and myspace messages are not built on an open standard - you have to go through those companies to contact people.

    • Re: (Score:3, Insightful)

      by robogun (466062)

      I think they've gone there because a social network provides much more than just email communication - the networks monitor your friends for you. Also they include the profile posturing that AOL profiles were so good at in the 90s. But it will suck for them when Myspace and any other proprietary setup fails, or is purchased by evil(tm) organizations, or when then evolve past usability (suck as Hotmail, AOL, ebay etc) and believe me they never stop tinkering because they have to make a profit. Remember the A

    • by TheLostSamurai (1051736) on Tuesday July 15, 2008 @05:55PM (#24204045)

      it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

      Whatever happened to giving someone your phone number and actually talking to them. I asked a girl for her number the other night and she gave me her myspace address. Thanks, but no thanks. At least make the effort and give me a fake phone number if you don't ever really want to talk to me again.

    • OpenID signatures (Score:4, Interesting)

      by bussdriver (620565) on Tuesday July 15, 2008 @06:15PM (#24204349)

      Integrate OpenID based signatures with email by inserting a line into the email header.

      Not a new idea, its the same old 3rd party trust situation-- so clearly the trusted OpenID servers would be targeted; however, if you added a simplistic peer ranking system on those user IDs (extending openID a little) then the bad IDs would get ranked down by real people.

      This would also provide a means for verification for multiple emails used by the same individual's OpenID which could shield their actual identity (but not any better privacy than you have already.)

      Additional headers for point of origin server could also be useful as some servers are less trust worthy than others (note: spam ranking is fuzzy and a slight nudge either way near the threshold value can make a noticeable difference. ) Server identity issues are already being worked on; but emails are not tied securely to the original server.

      I'd like to see a standard email header line for spam ranking (0-100?); I'm sick of these "{spam?}" lines inserted in subject lines that I see time to time.

      An OpenID based solution would get OpenID heavily tested since spammers may solve the big AI problems as well as letting us know where to get Viagra.

    • Re: (Score:3, Insightful)

      by Phroggy (441)

      it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

      You're not wrong, but there's also another reason:

      The vast majority of non-technical people use web-based e-mail services such as Yahoo, Hotmail, GMail, etc. Personally I hate webmail (and I suspect most other Slashdotters do too), but 1) it's ISP-independent, so you don't lose your e-mail address if you change ISPs (which will probably happen if you move, even if there's a monopoly and you only have one choice for broadband); 2) it's computer-independent, so it's easy to check your mail at a friend's hous

      • Re: (Score:3, Insightful)

        by QuoteMstr (55051)

        Excellent analysis. I wish more people were able to step into a non-geek's shoes and look at the world.

        When it comes down it, most people don't care about free software ideals, open protocols, or avoiding monoculture. They just want to get through their boring jobs, come home, be entertained, and try to get laid.

        Anything that makes these things easier or better is going to become popular with the masses. Anything that doesn't is going to remain confined to a core of people who've been able to see the world

    • Leverage (Score:3, Insightful)

      by Raenex (947668)

      The word is "use".

      http://www.urbandictionary.com/define.php?term=leverage [urbandictionary.com]

    • Re: (Score:3, Insightful)

      by fermion (181285)
      I am always surprised at how computer illeterate the general population is. There are a large number of people over 35 that cannot use email. There are a huge number of people under 25 that believe the internet is IE, and the only place they can get to is facebook and yahoo. I have seen kids sit down a computer, type in facebook, get an error, type in yahoo, get an error, and just quit. I have had any number of kids tell me they need to check thier email and go to facebook.

      It is not a failure of open

  • Just use (Score:5, Insightful)

    by linhares (1241614) on Tuesday July 15, 2008 @05:30PM (#24203673)
    BONGARD PROBLEMS [scribd.com]. No machine can crack them in at least 10 years time. And when one does, baby, we'll have genuine AI.
    • Re:Just use (Score:5, Insightful)

      by BitHive (578094) on Tuesday July 15, 2008 @05:47PM (#24203953) Homepage
      Can you generate them algorithmically?
    • Re: (Score:3, Insightful)

      by blueg3 (192743)

      It seems you'd have to provide a list of possible ways in which the two sets of images are different. Any solution where random-guessing has a non-negligible solution rate isn't a solution for spam. Anything vaguely multiple-choice fails. The CAPTCHA scheme, on the other hand, has an enormous solution space.

    • Re: (Score:3, Insightful)

      by fm6 (162816)

      Ten years? Where do you get that figure?

      And I don't see how this level of pattern recognition makes an AI "genuine". Software that can consistently tell you from context when "flies" is a noun or a verb would be more to the point.

  • turing test (Score:4, Funny)

    by Anonymous Coward on Tuesday July 15, 2008 @05:37PM (#24203775)

    The first thing to actually pass the Turing test will probably be a spam-bot. Isn't that disgusting?

  • The Irony (Score:5, Funny)

    by techsoldaten (309296) on Tuesday July 15, 2008 @05:42PM (#24203869) Journal

    The irony about this is that a CAPTCHA is a Turing test, a form of authentication designed to prove that a human is making the request. Given that some CAPTCHAs are rapidly becoming too hard for people to read, the outcomes of the tests are reversed - humans cannot win the test, only computers.

    I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.

    M

    • Re:The Irony (Score:5, Interesting)

      by Telecommando (513768) on Tuesday July 15, 2008 @06:07PM (#24204237)

      Interesting.

      A few months ago I tried to post on a blog (sorry, I forget which one), entered the CAPTCHA and got a message that I was a suspected bot and my IP address was banned from posting for 48 hours.

      I went back and carefully read the terms of use (just above the posting window) and buried in the middle of the terms was the phrase, "Do not enter the captcha, instead enter the first three letters of the fifteenth word in the second paragraph followed by the third word after the eighth word in the first paragraph in all capital letters."

      A neat idea, but I suppose it won't be long before that one is cracked as well.

  • by bill_kress (99356) on Tuesday July 15, 2008 @05:43PM (#24203901)

    On gMail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.

    The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.

    If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.

    You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.

    Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.

    Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within google (I know there are quite a few of those)

  • by Britz (170620) on Tuesday July 15, 2008 @05:50PM (#24203975) Homepage

    Maybe the poster should've RTFA. But this is Slashdot after all. Nobody reads the articles.
    http://it.slashdot.org/comments.pl?sid=467856&cid=22568696 [slashdot.org]

  • by merreborn (853723) on Tuesday July 15, 2008 @05:54PM (#24204039) Journal

    CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work

    This is misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.

    And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA)

    If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.

  • CAPTCHA != Turing (Score:3, Insightful)

    by oljanx (1318801) on Tuesday July 15, 2008 @05:55PM (#24204049)
    In a Turing test, obviously, a human does the verification. Unless you have an army of extremely low-wage laborers doing the verification, or a machine capable of passing a real Turing test, the CAPTCHA will *never* work. The only solution for now, I think, would be to force multiple layers of authentication on users. ie, you can have your craigslist account, but you're gonna need to pay 2.95 S&H and wait 5-7 days to get your key chain dongle before you can log in. Obviously, the average user is not going to be up for that. So you're stuck with spam. It sucks, but there's no way around it.
  • by Animats (122034) on Tuesday July 15, 2008 @06:18PM (#24204385) Homepage

    The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. [ezadsuite.com] This has become a sizable operation. System status earlier today:

    Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
    Queued Captchas: 91
    Total outsourced volume: 4564301

    This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.

    Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.

    The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.

    As I've pointed out previously, Google plays a central role in this. [slashdot.org] Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.

    Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.

    Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.

  • Digital Spy (Score:3, Interesting)

    by Rik Sweeney (471717) on Tuesday July 15, 2008 @06:29PM (#24204553) Homepage

    Digital Spy have an interesting, but unfortunately very annoying, way of dealing with Captcha. If you sign up from a Hotmail, Gmail or Yahoo account, then you have to pay Digital Spy £5 to register that account. Business email addresses or ones from ISPs don't require a fee.

    A simple albeit incredibly annoying solution.

  • by Panaqqa (927615) * on Tuesday July 15, 2008 @06:29PM (#24204567) Homepage
    I had thought of using something similar to what I have posted at the link below. The user must solve three of these in a row. Of course the number of fonts/numbers/backgrounds would be much large. Also I planned to introduce letters, letter pairs and shapes. But the key concept is that the instructions to solve are also embedded in the image. Much tougher I would think.

    And what does /. think?

    Next gen CAPTCHA link here [panaqqa.com].

    Note - this is just a random sample image, not an actual implementation.
  • Blind people (Score:3, Insightful)

    by Dogun (7502) on Tuesday July 15, 2008 @07:52PM (#24205775) Homepage

    A lot of blind people surf the web too, you know. How do you think they like to be confronted with a CAPTCHA?

    The end of CAPTCHAs is a win for web usability.

    • Re: (Score:3, Insightful)

      by Jeremy Erwin (2054)

      The end of CAPTCHAs is a win for web usability.

      Hmm-- a tradeoff between pissing off vast majority of users who are annoyed by spam, and pissing off the tiny minority of users with impaired vision.

"It's like deja vu all over again." -- Yogi Berra

Working...