Fallout From the Fall of CAPTCHAs 413
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
Cracaked CAPTHAs!!! oh no! (Score:5, Interesting)
Re:Cracaked CAPTHAs!!! oh no! (Score:5, Insightful)
I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.
They don't view it better than you, they just do not get impatient from failing 4 out of 5 times.
And they share better. (Score:3, Interesting)
Put 1,000 computers on the problem and allow them to share information from their successes ... and you've cracked a CAPTCHA implementation.
And there are hundreds of thousands of zombies out there.
Re:And they share better. (Score:5, Interesting)
The best way I've seen that captcha's got broken are by "free porn sites". The web site is what is cracking another captcha. When it gets a captcha to solve, it passes it to one if it's "porn viewers" - "please type the word that this captcha says in order to prove you are old enough to view the porn". Then the porn is displayed and the bot running on the website has a potential solution made by a human to do it's botting with.
This method will suffice to crack ANY CAPTCHA!
--jeffk++
Re:And they share better. (Score:5, Interesting)
Absolutely correct.
I run a mid-sized web development shop. A few years ago we were doing mostly retail sites. Vanilla and boring but we worked it down to a science and had some really great "modules" that made these sites super profitable for us. Of course, everything has its seedy side and with retail it was SEO.
Everybody wanted it. About 80% of our customers were of the "Do whatever, just ideminfy me" stripe. (And these are established companies paying high 5-figures for these sites). We drew our own demarcation about what we would and wouldn't do. (Excessive Internal-link structure is OK, zombie sites are not).
Now most our work is social networking.
We, too, followed the "rise" of CAPTCHA and we've been happy with our results. We always used a custom CAP for each site, and we tried to keep them relatively readable, being of the belief that making it too hard will only keep out Humans: If somebody wants to crack it, they will.
We still use them regularly. I noticed that about a year ago we actually had people begin to request them specifically. (Isn't that what Buffett said about the home mortgage mess? When the regular joe's started flipping houses, he knew it was over?)
Anyhoo, I think the real fault in CAP's is that they worked too well. They became too big of a target. Now, we try to mix and match a number of different techniques to identify humans.
Solutions range from dirt-simple: An input box named, say, "City" that has a label that reads "13 plus 8 equals:" or "What is the 3rd word on this page?"
To the more complex "what is the color of the front-door in this picture?"
We have a simple library we use for these things that pulls the questions (and, if applicable, the pics) from a Database of about 25,000 different turing tests.
The thing is, none of them are too complex. Any mediocre programmer could write an application to crack it. But your bot will probably never see that same exact question again, so it becomes irrelevant.
And, to tie it in to the parent, we chose this technique precicely because of what we learned from CAPs. Before there were software hacks, there was the "porn hack" and the "sweatshop labor hack."
In this case, when a bot the site, it's fairly difficult for it to even detect which item is the turing test. We auto-generate the location and even the name of the form field so it's always a bit different.
SEOs - Lying to Robots so Robots Lie to Humans (Score:5, Interesting)
Search Engines help humans find web pages that the humans might find interesting, and they do this by having robots spider the web looking for patterns. Search Engine Optimizers try to get humans to read their customers' web pages in three ways:
Re: (Score:3, Insightful)
Try reading page where every second word is a link and tell me how pleasant it is. And why, for God's sake, would you want to? You just need ONE link to the front page at the top.
It makes the site stink of SEO and I'm likely to give up on it immediately.
Re: (Score:3, Interesting)
Re:Cracaked CAPTHAs!!! oh no! (Score:4, Interesting)
Or from failing 999 times out of 1,000. Computers have an infinite amount of patience. Security schemes that don't acknowledge that are doomed to failure.
Re: (Score:3, Interesting)
If patience were something we could quantify reliably, I suspect that we would find computers to have none at all.
The reason? Computers also have no boredom.
Re: (Score:3, Insightful)
Boredom is something you get when you run out of patience. Computers never get bored because they never run out of patience!
Re:Cracaked CAPTHAs!!! oh no! (Score:4, Insightful)
Looks like I'm not the only one not smart enough - they replaced this CAPTCHA with some "Happy Hour" mode, which didn't require any form.
You aren't supposed too solve that one (Score:3, Insightful)
Instead of solving the catchpa they want you to pay up for the payed service that doesn't have the catchpa.
Rapidshare WANTS to delay you and make it hard because the free users just cost them money.
Re: (Score:3, Informative)
Re: (Score:3, Funny)
Anyone usinging specialised tests? (Score:5, Interesting)
Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.
Re: (Score:2)
What about that captcha system where you identify a type of animal, like whether this picture is a dog or a cat?
Why not captchas like that, or similar? I'm pretty sure that identification of an object or animal would be much harder than letters.
Re: (Score:3, Informative)
While that's a class of problem that's tricky (though not impossible) to address, giving you the choice of a few different animals it might be is insufficient. Even if there are 10 choices, random guessing will be right 10% of the time, and that's enough for spammers. Subjective answers (showing a picture of a dog and having someone type "dog") are tricky because not everyone will type "dog", and you don't want to reject humans.
The current design fits the requirements well because the answer is distinctly o
Re: (Score:3, Insightful)
That's better, but it still has only 720 unique solutions, which is still within brute-force range. Your image library would need to be vast, or paying someone a small amount to label all the images once is an effective attack.
By comparison, a text CAPTCHA has something like 56 billion unique solutions for a 6-digit string.
Re: (Score:3, Interesting)
Add random (but light) noise to the images while they're being served and randomize their filenames. There will be no way for an automated system to identify if it's been served the same image twice because the filename and checksum of the image would have been different.
Re: (Score:3, Insightful)
A botnet with 10,000 zombies randomly guessing which of them might be kittens (without ever look at the pictures themselves) will breeze through that like it's not even there.
Re:Anyone usinging specialised tests? (Score:5, Insightful)
Re: (Score:3, Insightful)
Or you can be smart and realize that sites like petfinder already have to sift through.
http://research.microsoft.com/asirra/ [microsoft.com]
over 3 million photos in the dataset.
Re:Anyone usinging specialised tests? (Score:4, Insightful)
A good solution here... (Score:5, Interesting)
A good solution here is to include this as part of the turing test itself.
As I mentioned upthread, I'm a partner in a web dev shop. We do a lot of social networking (of course) and about a year ago we developed a utility to create just this type of turing test. For example, we'll have a picture, and ask the question "What is the color of the 3rd fish from the left?"
What we do, is we pair these tests on a page. We'll include a known test, like the one above. And we'll also show an unclassified image and we might ask "how many people are in this picture?"
There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as its confirmed 2 times, it gets classified as having n people. Soon after it would be displayed again asking "how many females are in this pic?" or "what color shirt is the person on the right wearing?"
When we created the app, the DB had about 5000 turing tests in it. We then attached a DB of about 100,000 images that were pre-classified but not to an extent that would allow us to write a test off it.
Now, after a year in use across a couple dozen moderately trafficked websites, we have nearly 25,000 turing tests. All 20,000 new tests have been created thru the technique I described above.
The real reason we did it wasn't to save on some development costs. We could've hired temp workers and paid them $8 an hour to classify pictures.
We did it because I believe strongly that the key to simple turing tests like this is a large corpus of data. If a bot only encounters the same test once or twice EVER, then the problem becomes difficult to solve. This is like the ANTI-CAPTCHA.
CAPTCHA was all about taking a specific technique to its maximum extent: Challenge a computer system by taking a narrow field (OCR) and pushing it beyond the current state-of-the-art.
These tests are all about a general technique thats broad where CAPTCHA is just deep.
The only way to build a bot to solve each test in our DB would be to give it genuine intelligence. It would have to be capable of determining context, reference, connotation, image ID, etc.
As a programmer, if you say "Here's a captcha, write a program to solve it" I wouldn't know HOW, but I'd at least have an idea of where to begin.
Now, if you show me a picture with the turing test of "What object is in the hands of the 3rd woman from the left" ... well... i wouldn't know where to begin.
Re: (Score:3, Interesting)
What we do, is we pair these tests on a page. We'll include a known test, like the one above. And we'll also show an unclassified image and we might ask "how many people are in this picture?"
This is basically what reCAPTCHA [recaptcha.net] does, although they only use words. They take images of words that off-the-shelf OCR software failed to read, apply more distortions, and serve them up two at a time. One of the words is known; the other is unknown but becomes known after enough people have submitted the same answer.
And as a bonus, the answers aren't just used to grant access to a web site - they're used to digitize the old books that the images came from in the first place.
Re:A good solution here... (Score:4, Insightful)
"There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as its confirmed 2 times, it gets classified as having n people."
How do you know that those 2 confirmed times weren't bots, and that you've just allowed those bots to effectively choose the answer to your question?
Re:Anyone usinging specialised tests? (Score:5, Insightful)
Re:Anyone usinging specialised tests? (Score:4, Funny)
Re: (Score:3, Funny)
Make Them Write (Score:4, Funny)
I've toyed with the idea of making users write a 500 word essay on a random topic. I would then send this to my high school English teacher, and if it got maybe a B or above I would consider it legit.
Re: (Score:2)
Re:Anyone usinging specialised tests? (Score:5, Interesting)
what is the opposite of up?
what day is after friday?
what does seven plus three equal?
what letter of the alphabet comes before d?
how many wheels does a bicycle have?
what is the third word of this sentence?
These are generally difficult for computers to solve, can be programed to have permutations, and since the quiz answer can be tied to the account, if a particular question or style is getting spammed frequently, it can be removed from the list of questions.
It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.
Re: (Score:3, Insightful)
It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.
Not really, its all about scale. That system wouldn't last more than just a few seconds if a full "attack" were performed by a large botnet. The number of permutations is relatively finite, therefore with a large number of computers trying to "solve" the problem, once the correct answers were "cracked" then they could be shared and eventually the bots either know all of the answers, or you removed *all* of the questions from the list. I'm not saying this is an ineffective system for small/medium sites, b
Re: (Score:3, Funny)
down
saturday
ten
e
two
the
Now your captcha systems has been completely broken by my bots.
Buy some Viagra! she screamed, as the thorny wisps of french looked upon dog. Finally, she embarked, with implacable wit.
Re:Anyone usinging specialised tests? (Score:5, Funny)
what is the third word of this sentence?
No, its the first.
Re:Anyone usinging specialised tests? (Score:4, Funny)
No.
You see there is an ongoing war against the postmasters by the webmasters. I am a postmaster, and I get roughly 300ish spam mails per site.
And the webmasters sit and chuckle. Bastards, they could make it stop!
But they don't... animals...
Mix it up a bit? (Score:5, Interesting)
Combine it with a mix of simple math and image recognition? I.e.
"What colour hair does the (2+four)/3 girl from the left have?"
Hell, skip the math part if that's too easy.
Re:Mix it up a bit? (Score:5, Insightful)
CAPTCHAs need to be able to be generated algorithmically by a computer, but not answered by one, which is a surprisingly difficult problem. Anything that requires human intervention on the creation of each variation is doomed to fail because spammers have more free time than you do.
Re: (Score:3, Informative)
Or there just needs to be a very large database of possibilities. Microsoft's Asirra [microsoft.com] is one of these with a finite number of items, but due to the nature and number of the items, a computer will have a difficult time breaking it.
Re:Mix it up a bit? (Score:5, Funny)
Prove that a 3-manifold space has the additional property that each loop in the space can be continuously tightened to a point then it is just a three-dimensional sphere.
Re:Mix it up a bit? (Score:4, Funny)
I can't wait until someone's daughter tries to make an account on Barbie's Horse Talk website and is presented with the following CAPTCHA:
Prove that a 3-manifold space has the additional property that each loop in the space can be continuously tightened to a point then it is just a three-dimensional sphere.
So thats why Grigori Perelman [wikipedia.org] decided to solve that CAPTCHA.
Re:Mix it up a bit? (Score:4, Funny)
And I can't wait until someone's daughter answers back:
Re: (Score:2)
Re:Mix it up a bit? (Score:4, Insightful)
"On the internet, only CAPTCHAs know you're a dog." Because, of course, there aren't any color-blind people on the internet...
First, hair color is a terrible test... You've got about a 24% chance of getting it right without looking...
Putting together a set of images with full extensive descriptions such as that would be prohibitive, while numbers and letters can be pretty easily automatically generated.
Re:Mix it up a bit? (Score:4, Funny)
Now if you had said,
What color of hair does the 3rd girl on the right have,
A: green
B: brown
c: Blond
D: I drive a ferrari, I don't care about hair color!
you would only eliminate about one eighth
Re: (Score:3, Funny)
Image recognition fails on two counts - perception and natural language. One man's ginger is another's man's strawberry blonde, and if you've ever looked women's hair dye you'll know that they have about 50 billion words for "brown".
Automate CAPTCHA attacks? (Score:2, Insightful)
Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?
Re: (Score:2, Funny)
I'm wrong
Fixed.
If ... but it is not. (Score:2)
They don't do anything amazing with the images. They just attempt to reverse what is known about how the source site modifies the images.
With enough machines aimed at the problem, it becomes simple to brute-force it and then share the information amongst the other machines.
Remember, the CAPTCHA's are limited in that they still have to be understandable to humans.
Captchas are only good for protecting cheap stuff. (Score:5, Insightful)
CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.
Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.
Gold Farming as CAPTCHA equivalent (Score:4, Informative)
Humans may not be as fast as robots, but they can be surprisingly cheap. There's enough of the world where $1/hour* is an attractive wage that speak some English, and if the people there can solve a CAPTCHA in 9 seconds, that's at the $0.0025 price level that Nick was referring to. (Hi, Nick!)
If you're a scammer and there's a website that you want to crack, but it's not big enough to pay somebody to develop an algorithm for (either because the CAPTCHA's too hard or changes too often etc.), you can find some corrupt Nigerian generals' orphaned children who'll do it, or some Chinese guys who are tired of beating up monsters to get gold pieces or magic swords.
I don't know the going price of zombies or mail relay accounts, and it's probably dropping at faster than Moore's Law, but some sites are probably worth attacking.
* "Make good money $5 a day... Made any more I might move away..."
I wonder.. (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
The problem isnt the CAPTCHA itself... (Score:2, Interesting)
Depressing (Score:3, Insightful)
Re:Depressing (Score:4, Interesting)
It's depressing to me that things like viagra spam are still profitable enough to make spamming them financially useful. Sure, the way the economics of it work out you only need a really low response rate to break even, but hasn't everyone already gotten enough of those emails? I'd imagine that whatever market there is for sketch viagra distributors would be saturated by now.
At least with phishing spam I get to see new scams on a regular basis (some quite cleverly disgused too). But some of the more vanilla spam just seems pointless.
Re: (Score:3, Insightful)
That's what I don't understand. If I wanted to take Viagra for some reason, I could just get a sample from my doctor.
Why would I buy something from a random stranger online?
Wait a minute. Maybe it's not the actual spam itself that's profitable. There's an illusion that it is, so it's the selling of spam that's profitable.
In other words, you don't get paid for spamming Viagra, you get paid for selling the computer time to the people who think they'll get rich spamming Viagra.
Maybe.
Re: (Score:3, Insightful)
Because if they actually send the spam, then the people selling the Viagra might get some hits. And even if they don't make a profit, the fact that they get hits may entice them to try again, providing a potentially larger source of revenue for the people sending the spam.
Still useful (Score:5, Insightful)
CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.
For example, I use reCAPTCHA [recaptcha.net] on DocForge [docforge.com] to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.
Re: (Score:2)
I've tried CAPTCHA, I've tried the 3 kittens (click the 3 pictures of kittens) I've tried 1 dog, 1 kitten, 1 wheel.
They all fail.
The only way to keep them from posting is to require an admin to approve the account before they can post.
Re: (Score:3, Insightful)
Well, you can check my site's recent changes [docforge.com] to see nothing gets through that contains external links, which are the only anonymous submissions protected with CAPTCHA.
Maybe your site's running some very common software. I have a Drupal site [seenonslash.com] for example, that sometimes hit by bots that are obviously specifically written to attack Drupal sites. Or maybe your CAPTCHA implementations have already been broken, or aren't (pseudo-)random enough.
The best part is.. (Score:5, Interesting)
Spammers are cracking some of the hardest problems of AI research.
How can they do that, and yet all the great academic minds can't? Two things:
* funding
* a willingness to use "anything that works"
What's really scary is that, in the end, spamming may turn out to be an agent of good.
But they're not, really (Score:3, Informative)
Much of this is finding a way to brute-force the methods used on particular sites, overwhelming randomness, etc. It's not really a computer reading any difficult text.
Only on Slashdot could this be modded insightful (Score:3, Insightful)
Way to go use a post about the cracking of captchas, which is done by the way using standard techniques developed by academic researchers and using the 'let an unwary human solve it to get to porn' approach, both of which were foreseen by researchers as reasons why captchas would not work in the long term, to deliver a baseless critique of academia.
Academia is probably the least dogmatic and bureaucratic environment there is. My personal experience with this comes from a physics lab, but I've heard similar
A dumb question: (Score:5, Interesting)
Howcome /. is so spam free?
Do the hackers just not care about us,
or:
is this like one of those "safe zones" where geeks and hackers can hang out as long as nobody asks or tells? (looks at guy to his left..."say is that a CAPTCHA in your pocket or are you just excited to be here...")
Re:A dumb question: (Score:5, Informative)
Re:A dumb question: (Score:4, Interesting)
Re:A dumb question: (Score:5, Funny)
Howcome /. is so spam free?
You must be new here.
and blind.
Suggested New CAPTCHA method. (Score:3, Interesting)
fall of open email (Score:5, Insightful)
it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?
in a globally connected world with several billion possible users - open email simply won't work much longer.
when we need are permission based systems - ones in which people need permission before they can contact another person. it would eliminate spam entirely, by integrating whitelists into mail clients. because no one has built a system like this that leverages and extends existing email servers - private organizations leveraging social connections have moved in to fill the gap. sadly, because facebook messages and myspace messages are not built on an open standard - you have to go through those companies to contact people.
Re: (Score:3, Insightful)
I think they've gone there because a social network provides much more than just email communication - the networks monitor your friends for you. Also they include the profile posturing that AOL profiles were so good at in the 90s. But it will suck for them when Myspace and any other proprietary setup fails, or is purchased by evil(tm) organizations, or when then evolve past usability (suck as Hotmail, AOL, ebay etc) and believe me they never stop tinkering because they have to make a profit. Remember the A
Re:fall of open email (Score:5, Funny)
it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?
Whatever happened to giving someone your phone number and actually talking to them. I asked a girl for her number the other night and she gave me her myspace address. Thanks, but no thanks. At least make the effort and give me a fake phone number if you don't ever really want to talk to me again.
OpenID signatures (Score:4, Interesting)
Integrate OpenID based signatures with email by inserting a line into the email header.
Not a new idea, its the same old 3rd party trust situation-- so clearly the trusted OpenID servers would be targeted; however, if you added a simplistic peer ranking system on those user IDs (extending openID a little) then the bad IDs would get ranked down by real people.
This would also provide a means for verification for multiple emails used by the same individual's OpenID which could shield their actual identity (but not any better privacy than you have already.)
Additional headers for point of origin server could also be useful as some servers are less trust worthy than others (note: spam ranking is fuzzy and a slight nudge either way near the threshold value can make a noticeable difference. ) Server identity issues are already being worked on; but emails are not tied securely to the original server.
I'd like to see a standard email header line for spam ranking (0-100?); I'm sick of these "{spam?}" lines inserted in subject lines that I see time to time.
An OpenID based solution would get OpenID heavily tested since spammers may solve the big AI problems as well as letting us know where to get Viagra.
Re: (Score:3, Insightful)
it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?
You're not wrong, but there's also another reason:
The vast majority of non-technical people use web-based e-mail services such as Yahoo, Hotmail, GMail, etc. Personally I hate webmail (and I suspect most other Slashdotters do too), but 1) it's ISP-independent, so you don't lose your e-mail address if you change ISPs (which will probably happen if you move, even if there's a monopoly and you only have one choice for broadband); 2) it's computer-independent, so it's easy to check your mail at a friend's hous
Re: (Score:3, Insightful)
Excellent analysis. I wish more people were able to step into a non-geek's shoes and look at the world.
When it comes down it, most people don't care about free software ideals, open protocols, or avoiding monoculture. They just want to get through their boring jobs, come home, be entertained, and try to get laid.
Anything that makes these things easier or better is going to become popular with the masses. Anything that doesn't is going to remain confined to a core of people who've been able to see the world
Leverage (Score:3, Insightful)
The word is "use".
http://www.urbandictionary.com/define.php?term=leverage [urbandictionary.com]
Re: (Score:3, Insightful)
The whole point of "using" something is to gain value from it. This word "leverage" is a blight descended from marketing droids trying to make their simple ideas sound fancy. It's not enough to use the tool they are trying to sell you -- no, you will leverage it.
Check the word usage in the summary: "bad guys are leveraging broken CAPTCHAs to ply their evil trade"
Read again in plain English: "bad guys are using broken CAPTCHAs to ply their evil trade"
Your sentence: "because no one has built a system like t
Re: (Score:3, Insightful)
It is not a failure of open
Just use (Score:5, Insightful)
Re:Just use (Score:5, Insightful)
Re: (Score:3, Insightful)
It seems you'd have to provide a list of possible ways in which the two sets of images are different. Any solution where random-guessing has a non-negligible solution rate isn't a solution for spam. Anything vaguely multiple-choice fails. The CAPTCHA scheme, on the other hand, has an enormous solution space.
Re: (Score:3, Insightful)
Ten years? Where do you get that figure?
And I don't see how this level of pattern recognition makes an AI "genuine". Software that can consistently tell you from context when "flies" is a noun or a verb would be more to the point.
turing test (Score:4, Funny)
The first thing to actually pass the Turing test will probably be a spam-bot. Isn't that disgusting?
The Irony (Score:5, Funny)
The irony about this is that a CAPTCHA is a Turing test, a form of authentication designed to prove that a human is making the request. Given that some CAPTCHAs are rapidly becoming too hard for people to read, the outcomes of the tests are reversed - humans cannot win the test, only computers.
I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.
M
Re:The Irony (Score:5, Interesting)
Interesting.
A few months ago I tried to post on a blog (sorry, I forget which one), entered the CAPTCHA and got a message that I was a suspected bot and my IP address was banned from posting for 48 hours.
I went back and carefully read the terms of use (just above the posting window) and buried in the middle of the terms was the phrase, "Do not enter the captcha, instead enter the first three letters of the fifteenth word in the second paragraph followed by the third word after the eighth word in the first paragraph in all capital letters."
A neat idea, but I suppose it won't be long before that one is cracked as well.
On sites like gMail.. (Score:5, Insightful)
On gMail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.
The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.
If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.
You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.
Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.
Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within google (I know there are quite a few of those)
Google Captcha was NOT broken (Score:3, Insightful)
Maybe the poster should've RTFA. But this is Slashdot after all. Nobody reads the articles.
http://it.slashdot.org/comments.pl?sid=467856&cid=22568696 [slashdot.org]
Misleading phrasing (Score:5, Insightful)
This is misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.
And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA)
If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.
CAPTCHA != Turing (Score:3, Insightful)
Offshoring CAPTCHA solving (Score:5, Informative)
The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. [ezadsuite.com] This has become a sizable operation. System status earlier today:
Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
Queued Captchas: 91
Total outsourced volume: 4564301
This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.
Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craiglist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.
The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.
As I've pointed out previously, Google plays a central role in this. [slashdot.org] Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.
Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.
Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.
Digital Spy (Score:3, Interesting)
Digital Spy have an interesting, but unfortunately very annoying, way of dealing with Captcha. If you sign up from a Hotmail, Gmail or Yahoo account, then you have to pay Digital Spy £5 to register that account. Business email addresses or ones from ISPs don't require a fee.
A simple albeit incredibly annoying solution.
I've been playing around with next gen CAPTCHAs... (Score:3, Interesting)
And what does
Next gen CAPTCHA link here [panaqqa.com].
Note - this is just a random sample image, not an actual implementation.
Blind people (Score:3, Insightful)
A lot of blind people surf the web too, you know. How do you think they like to be confronted with a CAPTCHA?
The end of CAPTCHAs is a win for web usability.
Re: (Score:3, Insightful)
The end of CAPTCHAs is a win for web usability.
Hmm-- a tradeoff between pissing off vast majority of users who are annoyed by spam, and pissing off the tiny minority of users with impaired vision.
Re: (Score:2)
Re: (Score:3, Interesting)
I dunno. I recently installed reCaptcha on a site that received dozens of spam messages through its online forms, and they all instantly stopped. None of them have returned. It's a low-traffic site, but still... made me think reCaptcha was doing a decent job.
Re: (Score:3, Informative)
Most of these attacks come from zombies, and I don't think anyone wants to block potential customers.
Though if they did, maybe people would start paying attention to computer security.
Re: (Score:3, Insightful)
"What's the problem? The solution to the problem is simple... just solve it!"
Brilliant! Why didn't any of us think of that?
And your solution is...?
Please bear in mind "The system does not do X and Y" is not generally the form a real solution takes. Although it gives me one hell of an idea for the next jok