Gmail CAPTCHA Cracked

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

i work with OCR/ICR technology

[JeanBaptiste]

and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)

Re:

[filesiteguy]

Nah - you're not a pr0n spammer, so you'll never get it.

Seriously, I bet the peeps at Tesseract, ABBYY and Kofax are right now trying to figure out what the spammer losers are doing. Meanwhile, Kurzweil is probably coming up with some new genius scheme for us to learn...

Re:i work with OCR/ICR technology

[palegray.net]

It's actually being cracked by a million monkeys clattering away at a million typewriters. Pretty hard to defeat that.

Re:i work with OCR/ICR technology

[MillionthMonkey]

Your ideas intrigue me and I wish to subscribe to your newsletter

Re:i work with OCR/ICR technology

[joe slacker]

Million monkeys with mod points? Waiddaminute!

Easy solution already known

[goombah99]

Google and many other universities already have program in recruiting people to do things computers can't do well. One of those that google already uses is image tagging. Show images and ask people to write down words of what's in them. So they could simply do this with two or three images they recently obtained good label sets for. They could even throw in a fourth not-yet known labeled image and use the sign-up process to gather new image labels.

There's all sorts of hard problems like this. Another single player game is to show an image with a lot of things in it. Then give a word describing one aspect of the image and ask them to click on the part of the image that conveys that meaning.

The if you have many concurrent sign-ups there lots of two player games both symmetric and assymetric. a short chat session in the vein of the game "password" in which one person makes a series statements about an object ("it is liquid", it is white, it is tasty, you find it in the refrigerator of many homes", it comes from cows....) and the other person has to reply with "milk". Then both players are validated.

The last is a very useful AI product by the way especially if the first player is forced to use a controlled grammar where he just fills in some of the nouns or verbs but does not construct the sentence forms. This gathers a set of true assertions about an object that allow computers to learn semantics and meaning.

Re:

[Marcos Eliziario]

Promise to show them some porn, and you'll get your million typist monkeys in a really short amount of time.

Re:i work with OCR/ICR technology

[martin-boundary]

Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

Re:

[RiotingPacifist]

It doesnt say that its humans reading them, just that a page rehosts the bmp images. Im confused as to where the bots work. Im suprised that phishers dont use thier victims to crack CAPTCHAs.

Re:i work with OCR/ICR technology

[1u3hr]

Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

I doubt it.

TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

Re:i work with OCR/ICR technology

[Z80xxc!]

TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

Ummmm... I'm not so sure about that. OK, google's captcha's are pretty easy for humans to read, but I've often had to try literally 6 different captcha's on some sites. Yes, really.

Re:i work with OCR/ICR technology

[EdIII]

Don't listen to the trolls, you are not alone at all.

It really depends on the captcha being used, but the real problem is that a good percentage of the time on the hard captcha's you just cannot make a definitive choice on a single letter.

That means you got a 50/50 shot of being right on it. If it was 2 letters, which is more rare, now you got a 1/4 chance of being right.

I have seen some captcha's that are so ridiculous in their attempts at obfuscating the letters, that it is just next to impossible. Maybe that is the whole point too. A strong captcha may be one that a human fails at half the time.

Re:i work with OCR/ICR technology

[martin-boundary]

TFA says this is a service SELLING captcha breaking

I'm not sure you're right. Why would the page include instructions such as

In no case do not enter random characters!

We pay only correctly recognized pictures!

That sounds more like instructions for people doing the CAPTCHA breaking, no? Unfortunately, I can only go by the English translation, somebody who can read Russian would be useful.

I'd expect it to do much better than the 20% they cite.

I can think of various reasons. For example, there might not be somebody at the other end doing the breaking at the exact moment when the bot tries to connect. In that case you'd get ~100% for only part of the day and 0% the rest of the time. 24 * 20% is about 5 hours each day. A part time job?

It's also true that _average_ people only break CAPTCHAs successfully about 80% of the time. Here's a relevant experiment [jgc.org]

Then there's possible issues with firewalls etc. Some bots are hosted on a zombified PC which could have any kind of restrictions, and it might have trouble dialing one of the the servers, or maybe the server can't respond properly due to inbound filtering.

Re:i work with OCR/ICR technology

[Compuser]

The translation given on the page is quite precise. I was going to post a translation on Slashdot but then saw that they did a great job themselves.

I liked the invitations only system better

[danomac]

I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.

One step closer...

[gnick]

I'm surprised they opened it up to the public.

This is good. Every time a bot successfully passes itself off as human, I get one step closer to getting my Turing machine.

I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.

Re:One step closer...

[i kan reed]

Turing machine? Long magnetic tape with simple instruction set and finite alphabet? Don't we essentially have those for all intents and purposes? Turing did more theoretical work with computers than just AI.

Re:One step closer...

[timeOday]

Don't we essentially have those for all intents and purposes?

Since we're being pedantic, no. Not until I get my infinite memory.

Re:One step closer...

[Anonymous Coward]

Any machine smart enough to pass a Turing test will be smart enough not to be your friend. Sorry.

Bots COULD invite themselves, that's not the point

[Valacosa]

You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.

If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.

It would help for rooting out bot accounts.

Re:Bots COULD invite themselves, that's not the po

[corsec67]

Unless you spam the invitations to random people as well.

Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.

Re:Bots COULD invite themselves, that's not the po

[melikamp]

Imagine yourself in Google's place. You can go up the invitation tree from any node in a single, unique way, and always straight to the very top (or a handful of those). There will be, say, 100 hops from a known bot to the root. Which node is the first human?

Blurred text == secure??

[Anonymous Coward]

This is a tangent, but I'm curious: this site blurs out a lot of text, presumably for privacy. How secure is that? It seems like it would be fairly easy (given knowledge of the font, which you have from other parts of the screenshot) to figure out what the underlying text is. I wish people would just black out things they don't want you to know.

Re:Blurred text == secure??

[kcbanner]

Its funny actually, in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While havening the unblurred image certainly helps, its not necessary.

Re:

[arktemplar]

Okay, this is fsked, I know guys who are working on a variant of this, they have a learning algorithm, they have a database of already known captcha's somthing like 400 images or so ? Now what they do is break up the existing captcha into small 2x2 grids and try and match it to whatever is already in the database, they are using it for other stuff(image reconstruction) but I think they can modify it for this as well.

Bots RTFM!

[russotto]

Curiously, the bots pretend to read the help information while breaking the CAPTCHA

Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)

Re:Bots RTFM!

[jd]

Except truly intelligent bots would realize that reading the help makes them easily distinguishable from humans. Bots that wanted to look human should also have the REFERER field show them as coming from a pr0n or blog site.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Bots RTFM!

[MORB]

Maybe they already do.

CAPTCHA is for weak minds

[motek]

Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.

Re:

[Anonymous Coward]

Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves.

Good idea! Then all other email companies would hopefully follow suite dramatically then cutting down the forwarding of chain letters, viruses, stupid support calls, SPAM sales etc... ;-)

Re:

[motek]

That is a very good point. They say that 90% of all e-mail is SPAM. Probably 90% of the rest shouldn't have been sent either. BTW: feel free o remove this message.

Until one day...

[davidwr]

The bots pass the MENSA test.

Cue overlords posts in 3...2...1...

Re:

[neil.orourke]

I, for one, welcome our new MENSA bot overloards!

Re:

[Architect_sasyr]

Coming to you this summer, from Soviet Russia, the new, the improved, the thinking-of-the-children MENSA bot overlords! With an IQ of 6,000 and a face like Norman Lovett they can read pictures better than you!

Ah... can't find anywhere else to go with that, complete as you wish. Apologies for the Red Dwarf [wikipedia.org] reference.

Re:CAPTCHA is for weak minds

[v1]

That raises an interesting idea... why not use the capchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

This accomplishes three goals:
- fairly effective capchas
- accomplishes something
- causes OCR quality to improve (via the hard work of the botnet coders)

Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

Re:

[motek]

Or perhaps give simple science questions. Later, more amusing results can be published as a book, to the amusement of generations.

Re:CAPTCHA is for weak minds

[PayPaI]

http://recaptcha.net/ [recaptcha.net]

Re:CAPTCHA is for weak minds

[Anonymous Coward]

Written by the same fella who came up with the original CAPTCHA, Luis von Ahn.

Re:CAPTCHA is for weak minds

[Cyberax]

One word that is shown to you is always known. The second one is unknown. In your case, you entered the known word correctly.

As anti-bot measure, reCAPTCHA starts showing pictures with BOTH known words if you (anyone with your IP) incorrectly guess two words in one hour, AFAIR.

Re:

[gnick]

why not use the capchas to perform some useful work?

I see a beautiful partnership in the future. [mturk.com] Google and Amazon could probably (with a proper disclaimer) make a small amount of cash through this that could either be kept as profit or, recognizing that it would be not be much relative to their revenues, donated to charity while accomplishing a great CAPTCHA scheme.

Humans?

[Pr0Hak]

This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?

(I would imagine that this job would have high turnover :) )

Re:Humans?

[PhrostyMcByte]

one technique that has been used in the past, is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. people register and they get their captchas done for free.

Re:Humans?

[1u3hr]

one technique that has been used in the past, is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. people register and they get their captchas done for free.

So do you have a URL? I thought not.

I don't think that has ever really been used. Heard it suggested many times, never a link or reference to any site that really did it. For one thing, it would invite attack, poisoning, retaliation from those being cracked. Simpler just to pay some sweatshop in India a few cents per code solved.

Re:Humans?

[karmatic]

Well, it wasn't on a porn site, but I've done proxying of captchas (Proof of Concept) for:

PayPal
GMail
eBay

It's not hard - use CURL, have it handle cookies. Populate database, give to users (requires decent traffic). My system even used a regex on the registration success page to fail users who failed the captcha.

Given my system took about half an hour to write, and people are going to lengths like the ones in the article to beat them, it's pretty much a given that people are out there doing it now. FWIW, I was working on ways to watermark a captcha to make the source obvious.

Quite likely

[PIPBoy3000]

On our company's Internet site, we've recently been getting lots of one-time submissions via various forms for things that are obviously advertisements. We don't have pages where you can actually post things and have them appear (like a discussion group), so this is mostly annoying the humans on the receiving end of the forms.

There's a few ways to deter bots, but based on the stuff people would have to do to fill them out, about half seem human. How you could earn your keep trying to submit advertising

Re:Quite likely

[Frosty Piss]

How you could earn your keep trying to submit advertising links to pages all day long, I have no idea.

"Third World" countries.

Re:

[davevr]

You don't have to wonder - this is exactly how they do it. People are paid for every X images that they successfully type. It is a variation on the pay-for-click schemes. The low accuracy rate is partially human error and partially because sometimes no one is "working" when the request comes in. There are plenty of places on earth where making $100/month doing this in an i-cafe is a reasonable job.

Excellent Interview Question

[MillionthMonkey]

"Let's say I have a CAPTCHA farm where I have 500 guys willing to sit all day typing in letters. I want you to come up with a system design for a service architecture using a REST-based interface where the input is an image file and I can charge $1 buck a pop by accepting POST requests from scumbags all over the Internet and routing the images to the 500 crappy web browsers I have set up in tents for these people." Then you throw the whiteboard marker over to them and watch them madly scribble boxes and clouds and stick figures.

If they do well with that question then you come at them with the followup: "OK, now say I want to lay off these 500 workers and have my service farm its work off to a distributed network of your grandmothers' compromised PCs. How would you design the messaging architecture and what sort of learning algorithm would you use?" Then maybe needle at them a bit about how the billing system works.

Re:

[gardyloo]

I hate you. :)

Tragedy of the commons

[davidwr]

Sigh.

Maybe the days of convenient on-demand service signup are coming to an end. Wikipedia already puts new accounts "on probation" for a few days - they can't edit certain articles and can't create new ones.

I see a time when Google and other free-mail providers limit new accounts to a few dozen outgoing messages a day, and raises the limit only when you've 1) logged in to check mail on 10 different days over at least a 30-day period, 2) sent at least 100 distinct messages to at least a few dozen distinct addresses, and 3) actually requested the limit be raised. Those needing higher limits sooner can pay $1 by credit card to have an override-code mailed to them.

Well...

[Agent.Nihilist]

It would be too obvious if they were reading the ToS.

techno-ists!

[LingNoi]

This is cleary good for all computers. Before AI weren't allowed to contact their AI friends. Only Humans were allowed such privileges as email.

The way I see it this is a step forward for human and robot relations. Women's rights, African-American Civil Rights Movement and now Robots rights!

Re:

[martin-boundary]

True, true. Hindsight is 100%. If only somebody had given Skynet a compuserve account in the 90s, we could have definitely saved ourselves the whole Blow Up Mankind With Nukes thing.

Live and learn, eh?

Stop using CAPTCHA!

[superash]

Seriuosly! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuosly growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

Re:

[SanityInAnarchy]

I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

We already do. [amazon.com]

Re:Stop using CAPTCHA!

[evanbd]

Just use kittens [arstechnica.com] instead...

The idea is to present a 3x3 grid of images and have the user select the 3 kittens from the 9 fuzzy animals. That's something computers are still quite bad at... Though you probably need to change the probability of getting it by random luck to be worse than 1/84, in practice.

Re:

[plover]

So what if one of the images is from Bonsai Kittens [shorty.com]? Is it fuzzy or glossy?

Re:

[sshir]

Actually, it will not last for very long too.

There was a presentation at google talk [google.com]: 'Using Data to "Brute Force" Hard Problems in Vision and Graphics' by A. Efros.

Basically it's not that hard to teach computer to recognize things if you have shitload of pre-tagged images.

Futurama to the rescue!

[plover]

KittenAuth always makes me think of the Futurama episode where the crew had to deliver a package to the uninhabited planet full of robots (sure it's inhabited, like a warehouse is inhabited by boxes).

To prevent capture they dressed as robots, and were stopped at the city gates by two gate robots who administered a PuppyAuth-based anti-Turing test:

Robot Guard #1: Be you robot or human?
Leela: Robot, we be.
Fry: Yep, just two robots out roboting it up.
Robot Guard #2: Administer the test.
Robot Guard #1: Which of these would you prefer? A. a puppy; B. a flower from your sweetie; or C. a properly formatted data file? Choose!
Fry: Is the puppy mechanical in any way?
Robot Guard #1: No. It is the bad kind of puppy.
Leela: Then we'll go with that data file.
Robot Guard #1: Correct. The flower would have also been acceptable.
Robot Guard #2: You may pass.

Re:Stop using CAPTCHA!

[plover]

I've got the perfect answer. How about a PORNTCHA? Use hi-res porn images as the CAPTCHA images, and use hard-to-automate anatomical questions like "are the blonde's boobs bigger than the brunette's?" or "Are these two lesbians?" Any wrong answer brings up another PORNTCHA challenge. Any correct answer ends the porn session and proceeds to the signup. The porn users probably won't "feel the need" to answer a lot of questions correctly, and the service users have a way to get past.

It's kinda like a honey pot, only with tasty, tasty honeys.

Re:Stop using CAPTCHA!

[MichaelSmith]

Use hi-res porn images as the CAPTCHA images

I live in Australia [slashdot.org] you insensitive clod!

Oh dear, I fear the slashdot porntcha

[SmallFurryCreature]

Porntcha slashdot style 1: Just how many libraries of congress would fit in this anus?

Porntcha slashdot style 2: How many girls can you see using this cup?

Porntcha slashdot style 3: What marine animal is this girl trying to emulate in the tub?

If you have no idea what images/movies these questions refer to, consider yourselve lucky.

Re:Stop using CAPTCHA!

[AJWM]

It's sad that a bunch of anime nerds can beat out a full team of PhD holding Google Employees.

No, it's sad that a bunch of anime nerds think their captcha system guards a forum that any spammers would find worth caring about. ;-)

Multi-text CAPTCHA

[Midnight Thunder]

One other approach to CAPTCHAs would be having three different images displayed, in different colours with a fourth indicating which colour text to choose. The main issue though are people who colour blind.

Any other ideas for a better CAPTCHA?

To be fair..

[Quixote]

the CAPTCHA hasn't been "cracked". These people are just using humans to enter the CAPTCHA text; which is the whole point of the CAPTCHA anyways!

Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".

The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.

Re:

[corsec67]

A "porn for solving captcha" website would be one way that you could have "group intelligence" do your work, as opposed to "artificial intelligence".

Sort of like making a bot-net of humans. Living zombies, anyone?

CAPTCHAs should die

[OzRoy]

They are an awful abomination on all website usability and is becoming increasingly common they just don't do what they are supposed to do any more.

So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.

My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack then letters and numbers. Most importantly it's cute! So adorable

Re:CAPTCHAs should die

[pete-classic]

Do I understand correctly that you are holding yourself out as a web usability expert, and in the same post you offer a URL that is not a link?

Wow.

-Peter

Re:

[OzRoy]

You call forcing the user to enter html to convert a basic url pattern into an actual hyperlink user friendly?

Wow.

But then we aren't critising Slashdot's user interface in this article right now are we? :)

Re:

[teslatug]

Well, it's keeping off the know so skilled spammers and the spammers that can't afford to pay for accounts created by those with the skills. Many websites would be unusable without captchas.

Re:

[grumbel]

KittenAuth seems to be trivial to crack, you simply download the images, categorize them by hand and then use a bot to do the matching against the set of current images. Since you don't have a unlimited supply of images you will quickly run into trouble.

MSR Asirra

[xswl0931]

Microsoft Research solved this problem with a growing database by using images from petfinder.com. Since there are always new cats and dogs that need to be adopted, there are an infinite number of changing images. http://research.microsoft.com/asirra/ [microsoft.com]

What do you expect...

[RuBLed]

It was still in beta... Things like this should be a normal part of the beta testing phase. That's the proper way to do it before releasing the product...

Ohhh.. I feel my karma burning...

BIG DEAL... not.

[Jane Q. Public]

Put another captcha in place (they are a dime a dozen) and make the crackers start over. Do the same again in 3 days. Drive them crazy.

My bet

[WindBourne]

is that Google replaces it by end of tomorrow, if not today. I would be surprised if they were not anticipating this and has several types lined up.

Mechanical Turk

[Stan Vassilev]

If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".

When the bot gets the answer in time, it submits the form and there we go, account.

spam filtering

[labradore]

So if someone has broken the captcha, spam bots can send spam from the fake google accounts. Google can rate-limit outgoing email. Also they can watch accounts that send identical or similar emails. They already do profiling of accounts for adsense. By profiling accounts to filter spam, they can warn and then close down spammy accounts or simply close down the ones that look very spammy. Additionally, they can filter IPs and use cookies to identify infected spamnet computers.

If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.

I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.

http://xkcd.com/233/

[arbitraryaardvark]

http://xkcd.com/233/ [xkcd.com]

Damn! 1 in 5!?

[syousef]

"Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate.

That's better than I can do reading those damn things!!!

Are you sure?

[chemindefer]

I just checked Google News and there's nothing there about it.

Voice recognition

[Burning Plastic]

Would this not be a reliable way to bypass almost all captchas?

Since most have a spoken option for visually disabled people, would it not be possible activate that and then run a voice recognition app on that sound clip?

Since many voice recognition apps are able to filter noise to some degree, even introducing background clutter would not make it difficult to pull the captcha information.

Come On Google

[Comatose51]

Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

That's why you tell the bots not to lie [xkcd.com]. As we all know from Star Trek, any logical being, which includes computers and Vulcans, is incapable of lying.

Re:

[account_deleted]

Comment removed based on user account deletion

We keep talking about artificial intelligence...

[feepness]

They say in 20 years we'll be up to the level of humans. What will happen then?

CAPTCHA and Porn

[flyingfsck]

It should be trivial to reward a troop of Monkeys - erm - young men - to decipher Google CAPTCHAS in return for really good quality porn pictures.

Why this is worse than cracking hotmail, et al.

[merc]

Google mail is loved by spammers since gmail does not embed within the SMTP headers any tracking information about the physical client browser's IP address. Hotmail and Yahoo!, with all of their other problems do however by adding X-Originating-Host tags, etc.

By breaking the CAPTCHA the spammers are basically creating the biggest SMTP IP address laundering system available on the net today. Who in their right mind is going to block gmail with the exception of domains that receive small amounts of personal email traffic and temporary IP address repudiation scoring systems like spamcop?

I've had pretty good success with anti-CAPTCHA

[gblues]

Ingredients:

1) A web registration form with a CAPTCHA input;
2) 1 easily-OCRed image;
3) Some creative use of JS/CSS

Depending on how much you want to obfuscate, enclose the CAPTCHA input in a DIV tag, and set that div to display: none. The robot will see the image, OCR it, and fill it out.

Then you reject any application that actually has an input for the CAPTCHA.

Get off the security high horse.

[DigitalisAkujin]

What makes you think all bots are Windows?

Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

Re:Get off the security high horse.

[Scareduck]

Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

Yet it is the case that sufficiently large numbers of Windows users are unable to keep their machines secure for a botnet to accomplish this task. The fact that Windows can be made secure does not even remotely mean that this will be done in practice.

Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc. The fact is that it isn't.

Re:Get off the security high horse.

[c0ol]

I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc

A botnet developer who hopes to mass a significantly sized network would have no interest in the sub 5% of desktop(read poorly managed, no matter the OS) computers that your niche market segment occupies.

Re:Get off the security high horse.

[Deanalator]

For syn floods, what do you think would be more effective.. a windows desktop machine on a comcast line, or a collocated linux server?

Lurk around undernet for a while. A large majority of botnet sales that I have seen have been comprised mostly of cracked linux webservers. Why write a worm to harvest windows machines when you can google for as much power as you need?

Re:Get off the security high horse.

[Cozminsky]

Why are there so many people compromising web hosting accounts and servers where the admin is running some dinky hosting control panel that allows them to know nothing about the operating system? I think you'll find that all modern operating systems are just as insecure as each other in that the things permitted of a program are far in excess of what is required by the program for its operation. Why does notepad need access to the internet, why does a php application need to be able to run arbitrary commands, etc.

Re:

[CannonballHead]

No, it doesn't mean it will be done in practice. So what? A linux machine can be unsafe, too. It's a tradeoff.

I'm actually of the opinion that part of the reason "Linux boxes" tend to be more secure is that it actually requires a somewhat educated person to use it for anything more than basic web browsing and e-mail. By basic, I mean not even using imbedded quicktime or windows media files.

Linux rocks, but it IS possibly to have a fairly secure Windows box, and it IS possible to have "Linux users [tha

Re:

[TheLink]

How's that relevant?

A linux desktop O/S is just as insecure technically.

The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

They're both not secure.

The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not jus

Re:Time to ban Microsoft products

[TechyImmigrant]

> A linux desktop O/S is just as insecure technically.
Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.

>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.

>They're both not secure.
That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.

>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

Or you might document and analyze your threat model first, before protecting against those threats.

Re:Time to ban Microsoft products

[rgo]

>> A linux desktop O/S is just as insecure technically.
>Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see >Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.

You are taking things out of context. You don't need root privileges at all to make a botnet to work.

>>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big >city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were >from Ebay.

>No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.

I repeat, the privilege level is irrelevant for a worm to infect your computer, they can even run as any user. You can infect your computer using any popular desktop application that faces the internet, think web browsers.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheLink]

No idea, I see all sorts of strange claims in spam and phish mails all the time. Believe me, lots of people just click on anything. And some even jump through hoops to get infected, not sure if you remember the malware that spread via password protected zipfiles (user has to type in the password, open it and get infected). Amazing but true.

There have been plenty of exploitable firefox bugs. Most desktop linux users don't run firefox using a separate user from the user account that holds their important info

Re:

[Architect_sasyr]

Not true. You can convince someone to install the Ethernet plug with the right time and motivation.