Now Google's CAPTCHA Is Broken

steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
  • My test: (Score:5, Funny)

    by SleptThroughClass ( 1127287 ) on Thursday October 02, 2008 @11:37AM (#25233599) Journal
    "To continue, guess which finger I'm holding up."
    • by ozphx ( 1061292 )

      Do that again, I double dare you!

    • Re:My test: (Score:4, Insightful)

      by areusche ( 1297613 ) on Thursday October 02, 2008 @11:46AM (#25233761)

      Captcha is a joke. They've become so difficult to read that I can't even decipher what it means!

      I don't know what these companies are going to do to keep spammers from running email bot networks.

      I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

      I've given up. Please just send me large amounts of email asking me to enlarge my pen15 while remortgaging my sub prime house!

      • Re:My test: (Score:5, Insightful)

        by eln ( 21727 ) on Thursday October 02, 2008 @11:51AM (#25233849) Homepage

        I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

        That won't work for anyone who cares about their own privacy. Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?

        • Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?

          Because you are buying something: a subscription to the site for some nominal price. Something Awful Forums, MetaFilter, and Kuro5hin manage to keep spammers out by charging for write access in this way.

        • Re: (Score:3, Insightful)

          well, it's an issue of trust - Google for example could be expected to not leak your card or apply charges to it, vice some other companies - and if 13-yr old Johnny wants an email address he can damn well ask his parents for one
          • Besides, it's not like you can challenge any extra charges on your credit card. :-p

            Sure, that would be a nuisance, but if Google purchases at all led to leaked card numbers and this at all took place on some scale, it would very fast bite Google and ruin their reputation in a way I don't think they'd be willing to take.

      • Re:My test: (Score:4, Funny)

        by compro01 ( 777531 ) on Thursday October 02, 2008 @12:02PM (#25233997)

        I want to say verify identity with a credit/debit card

        While we're thinking of bad ideas, why don't we give them our bank account numbers too?

      • Re:My test: (Score:5, Insightful)

        by Tx ( 96709 ) on Thursday October 02, 2008 @12:15PM (#25234211) Journal

        "Captcha is a joke. They've become so difficult to read that I can't even decipher what it means!"

        I hear that. I was trying to complete one the other day, and honestly, I was only making educated guesses as to what the characters were, it took me three or four attempts. If they get any tougher, the only people who'll be able to do them will be the spammers using this kind of software!

  • by MosesJones ( 55544 ) on Thursday October 02, 2008 @11:39AM (#25233633) Homepage

    I've got all the email addresses I want so let's just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.

    Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.

  • Well... (Score:5, Insightful)

    by bhunachchicken ( 834243 ) on Thursday October 02, 2008 @11:39AM (#25233653) Homepage
    ... you've got to admit that it's one hell of an achievement.
    • Re:Well... (Score:5, Insightful)

      by wtfispcloadletter ( 1303253 ) on Thursday October 02, 2008 @12:03PM (#25234007)

      What is? Breaking Captcha? Not even close. Whether it's done with software or by paying humans in China, India, Africa, etc it's not impressive to say the least.

      Google's captcha has been broken for a very long time. Only nobody has admitted it until now. I have several Google alerts set up for certain keywords. I used to get some pretty interesting alerts to articles, blogs, other sites, etc. Now 98%+ of the alerts I get are spam sites. It's been this way for about 5 months, possibly longer, but that's about when I started seeing an influx of pure junk.

      At first I was reporting them to Google. Then after about the 100th or so alert and having checked several of the blogs to see if they were taken down (they weren't, just the one particular page that I reported was) I just gave up. Realizing that Google's captcha is seriously flawed and was broken.

      Google and others need to change how easy it is for people to sign up for an account with them. Yes, it's going to be a hard row to hoe, but it needs to be done, especially for blogspot/ as those pages are just littering the internet with junk.

  • Great Source (Score:5, Insightful)

    by Frosty Piss ( 770223 ) on Thursday October 02, 2008 @11:41AM (#25233681)
    Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".
    • Re: (Score:3, Interesting)

      Especially since there seems to still be doubt if most cracks are actually done by computer, or by humans. They all seem to be happening "off-line" at some unknown destination. Which might be a server cluster in some Russian university, or a sweat-shop in Bangladesh.
    • by 1u3hr ( 530656 )
      Notice the image illustrating all the captchas it can supposedly break is marked "Copyright 2006". If it could do that 2 years ago, why is it news now?

      Remember these are spammers selling a product. Why should we believe this any more than we believe a cream can add two inches to your penis?

    • Re: (Score:3, Interesting)

      by tsm_sf ( 545316 )
      Yeah I'm especially doubtful about the claim to have broken 'pick-the-cat'. Either they're using a tiny and generic sample pool, they're the most brilliant software authors of all time, or they're full of shit.

      The brilliance of the cat idea is that any series of images can be used as long as they can be divided into either Cat or NotCat by a reasonable human. Think car with giant cat ears, person w/ (shudder) fursuit, letterhead of the California Attorney's Tennis league... you'd need to code the entir
  • by GroeFaZ ( 850443 ) on Thursday October 02, 2008 @11:41AM (#25233685)
    1. Make the proof for P=NP the new CAPTCHA
    2. Wait for crackers to solve it.
    3. Profit!!
  • by gEvil (beta) ( 945888 ) on Thursday October 02, 2008 @11:42AM (#25233697)
    I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!
    • Yeah, I know. Captchas are becoming increasingly human-proof in the struggle to make them machine-proof.

      • Couldn't you do a captcha where the first presentation has no cats? The user has to hit the refresh once or twice before seeing a cat, and then pick it; if they pick any of the non-cats, you call them a 'bot...
    • Re: (Score:3, Funny)

      by Deathdonut ( 604275 )
      The basic problem with the 'pick the cat' CAPTCHA is that many computer users wouldn't know a pussy if they ever saw one.
  • by Animats ( 122034 ) on Thursday October 02, 2008 @11:44AM (#25233727) Homepage

    Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where it's probably time to start blocking GMail addresses too.

    Want to see a GMail scammer in action right now? Read this.

    • by jandrese ( 485 )
      My favorite part of that was the last requirement:

      7) Once all these accounts are created, I need you to visit a URL and fill out 2000 forms and enter the information for the Gmail Accounts you created.

      The scary thing is the number of bids he has racked up for a lousy $50 job. I wonder if people are dumb enough to believe his "this first job pays crap, but the next one will be really good!" bullshit?

  • Score one more for the subtitle on the original CAPTCHA paper: "How Lazy Cryptographers do AI"...

  • Is Fire Hot? Yes or No
    Is Paris Hilton Hot? Yes or No
    Are you male or female? Male or Female
    Are you gay or a lesbian or Bi? Gay or Lesbian or Bi

    That's it. Now you would have to seed it with about a billion logical chains like that but it could work.
    • That isn't a CAPTCHA. It fails on the "Completely Automated" part.

      • Replace the Text for Paris Hilton with her photo. Then ask. The point is it combines images with logic and with enough variations it would work.
        • by CSMatt ( 1175471 )

          Except this will deny access to everyone who chooses the wrong answer.

          Actually, now that I think about it, this might be even better than denying accounts to spammers.

        • Define "enough variations"? What do you think is reasonable? A spammer network can build quite a database of images vs how many images a company is willing to hold. I'd dare say a bot network with all their hard drives have the edge here compared to a company's financing set aside for their anti-spam solution. Not only because of a bot network's potential scalability, but because due to the illegality of it all, a spammer doesn't finance the cost of setting it up -- his victims do.

  • by bhunachchicken ( 834243 ) on Thursday October 02, 2008 @11:48AM (#25233801) Homepage

    "including 'pick the cat' style CAPTCHA."

    This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)

  • by nategoose ( 1004564 ) on Thursday October 02, 2008 @11:48AM (#25233805)
    Maybe instead of CAPTCHAs, sites should start using those math problems from DARPA's really hard math problems since these people seem to be so good at solving complex computational problems.
  • by theantix ( 466036 ) on Thursday October 02, 2008 @11:50AM (#25233825) Journal

    OK can someone please hire these guys to work on handwriting recognition software? If they can read these bizarrely twisted captchas why can't Palm read my name?

    • Re: (Score:3, Interesting)

      by hankwang ( 413283 ) *

      OK can someone please hire these guys to work on handwriting recognition software? If they can read these bizarrely twisted captchas why can't Palm read my name?

      Those OCR algorithms are manually tweaked for a specific CAPTCHA algorithm, in the case of Gmail a tightly spaced letter sequence with spatial distortion. Neural networks have been better than humans in recognizing individual letters for a while; the hardest part is separating the letter glyphs so that t

  • TFA links to the website (probably don't want to go there) that sells XRumer. And what do I see for contact information?

    Sure hope they don't get spammed. Whatever you do, don't publish that email address! -- don't do it!

  • The truth of the matter is that there is almost nothing you can do to stop a spammer if they want into your system bad enough. A captcha merely means that they might have to take some time to tweak their image rec. software, or hit your site enough to generate all the possible captchas. The only possible way that I could see companies like Google keeping spammers out, would be to require a valid credit card, that matches the user's name and then have them verify their account by entering the small deposit
    • For quite some time, Yahoo! Mail required a credit card to sign up for an account. They dropped it eventually when it hindered sign-ups.
    • > not wanting to give over financial information for just an email account.

      For the incredible benefits that e-mail provides in this connected World, you're not even willing to pay a dollar | pound | yen for an account?


  • by 140Mandak262Jamuna ( 970587 ) on Thursday October 02, 2008 @11:53AM (#25233891) Journal
    If there are people who could write such sophisticated image processing software, and it pays them better to be bot runners bot enablers, the pay must be good on the dark side of the force.
  • by chord.wav ( 599850 ) on Thursday October 02, 2008 @12:01PM (#25233979) Journal

    As usual, our friends at DARPA are always one step ahead. Use these to replace the old CAPTCHAs.

    1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.

    2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.

    3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...

  • They are being hosted in Texas... my home state. Now as to whether the operators are in state is another matter, but I will fire off a warning letter to the web host informing them that they could be potentially held liable for the criminal acts of this operation in the event charges are pressed.

  • by s7uar7 ( 746699 ) on Thursday October 02, 2008 @12:09PM (#25234115) Homepage
    I always have a hell of a job reading Google's CAPTCHAs; a tool to do it automatically would be very useful.
  • This thread will likely contain a bunch of clever technical solutions to spam. Probably all of them flawed because if there was a good technical solution we would have found it by now.

    We know who the spammers are: almost all spam involves some sort of financial transaction which we can track. The only thing that stops us from getting at them is that they are seldom in the jurisdiction where they committed their offence. This however, can be solved. We did it for war crimes and for child porn. The UN just ne

  • Why the heck don't the big companies use 3D captchas? Each letter could have a thickness and be rotated at a random angle.
  • The latest version of this program has hit a number of forums hard. In the last two days many vBulletin forum administrators have posted to complain and look for assistance--notice the sudden increase in activity on that thread as of the 11th post.
    In the last 15 minutes alone 3 spammers have attempted to register on a small forum that I help run, one that would only be of interest to a few hundred people. (We get a valid new user about

  • Will be Apple's!

  • If these people would put their time into doing good, they could probably do some real good in the form of character recognition for scanners and hand held input writing recognition. Think of taking this and using it to understand what someone has written in their PDA and converting it to text without someone having to learn a new writing language. Or scanning written letters and other writings and converting them to normal print.
  • by J.R. Random ( 801334 ) on Thursday October 02, 2008 @03:32PM (#25237165)
    If the spammers can now crack "pick the cat" captchas then they are already able to do some pretty good real life scene recognition. To improve the technology just make some appropriate captchas and wait for those Russians to crack it. (For military apps, "click on the aerial view of the tank, not the dump truck".) Next, improve machine speech recognition by making some audio based captchas. The possibilities are endless, and much cheaper than handing out grants to university poobahs.
  • it's easy (Score:3, Insightful)

    by dangil ( 167785 ) on Thursday October 02, 2008 @03:41PM (#25237309)
    instead of character recognition, ask questions based on a given image


    image with a cat on the left and a dog on the right.

    question: what's on the left?
    answer: cat


    girl crying, next to a broken glass

    question: why is the girl crying?
    answer: because of a broken glass

    it's very human readable, and very difficult for software interpretation

    and I just patented that...

