Porn Rewards Users To Get Past Anti-Spam Captchas
Stalke writes "Spammers are now using a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decrypting the 'captchas' which is then replayed back into the spammer's program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."
I'm hacking ..... now go away, what I'm doing in here is private.
you're all figments of my deranged imagination
Porn, the foundation of the internet. It will never go away or die. It has more uses than we can even imagine.
Evolution or ID?
I'm not for spamming... But if I were a spammer... I would pat myself on my back... Pretty nifty... Bastards!
Stay away from porn? You're new here, right?
"Sic Semper Tyrannosaurus Rex."
Proof once again that porn (and its usually associated activities... ahem) will NOT make you go blind!
"Stay away from porn and you don't have to worry about this way of spammers getting your email address."
Yeah, like that is really going to happen. The internet would crash if that happened. So many internet accounts would be canceled that ISPs would go out of business. It would be the doom of the internet.
Evolution or ID?
What is everyone in the Slashdot crowd gonna do? On one hand you don't want to get spammed, but on the other hand you NEED your pr0n. However, I think this will take care of itself because eventually people will be too busy deleting spam to look at pr0n online, reducing the amount of spam.... Ok, I'm half kidding, but I really do think this is an ingenious way of spammers getting around certain barriers. Say what you will, but spammers have shown/proven that they can overcome many obstacles to continue their spamming.
Two reasons this sounds like rubbish: The captchas are generated on a per session basis for the person trying to sign up for the email address. Surely if they then try and get a third party to do the decoding the session will be expired. Also, the article points out that Optical Character recognition is more than adequate to break this so I cannot see a situation that spammers would do this elaborate probably unworkable method over OCR. No facts and a friend of a friend source makes this sound like total BS.
The internet makes me stupid.
This can be easily countered if the free e-mail sites configure their servers, so that the 'captchas' can only be loaded into pages that they've served themselves.
I'm not sure how that works, but I've seen it in action on some sites.
Maybe someone else knows how it's done?
Now if we could only get spammers to use their ingenuity for good rather than evil, we could solve all of the world's problems.
I Am My Own Worst Enemy
and the server side scripts will check that the IP that the image was served to is the same one that signs up for the free e-mail.
Beings aspergers AND pulling chicks... I enjoy the challenge!
For your captcha, use a picture of a really ugly old woman with "click here to see more" written across it, and no one visiting a porn site will help with the decryption.
Sheesh, evil *and* a jerk. -- Jade
Is it just me or are people becoming less critical about what a valid news source is?
'Someone told me...' on a 'blog'?
That doesn't carry quite the weight of the BBC and Reuters to me, but I suppose there's a good chance no-one was threatened by a 'democratic' government during the production of the article, so maybe it's less biased than some.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
If 'captchas' are being cracked, then it means it's time for a new technique. What do you think will be used next? The old, crude method of 'look at X line in Y paragraph and enter the word?' Or something geared towards countering this crack such as a randomly generated list of instructions requiring the user to scramble the 'captcha'?
They like to call the method called "many carrots and more sticks".
If you read the article more carefully, you'll realize that this technique has nothing to do with cracking existing email accounts. It's a technique for signing up for new accounts for spammers to use. However, I agree with another poster -- the article sounds like BS to me.
A million new Slashdot accounts were added today.
Sheesh, evil *and* a jerk. -- Jade
pr0n isn't really my thing, so I can't say I've ever seen this done... but it's a nifty way to gather hordes of horny, sweaty human volunteers to willingly generate thousands of spamming accounts for you...
It's just like the Anna Kournikova virus from a few years back... except this one actually gives you free pr0n. Remember the one that asked you to open an attachment to see a free picture of Anna? (yeah, I was overseas, and some lonely airman in the desert opened this virus on our military computer network... took us days to unclog our servers)
Ingenious... they'll be set for years.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
...hide a dynamically created PGP key in the captchas, using steganography?
If the image ...has been inlined from Yahoo or Hotmail... as the article says, couldn't Yahoo/etc have their image generation scripts setup dynamically to check the referrer (or should I say referer? ;-)).
I seem to recall this approach being used by online comic strips trying to prevent inline linking from elsewhere...
--LP
This was suggested in an old issue of Technology Review
Sounds like distributed computing systems. Hmmmm.....maybe we can use this in...yeah that's it!!
Someone told me once that most technologies that have become successful are those technologies that assist in the dissemination of porn and/or voyeurism. Thinking about it, that's very true. Radio gave way quickly to television, which gave way to cable, and BAM! You get porn. Radio also gave way to the telephone, which gave way to party lines, and BAM! Advances in optics have brought us photography (BAM!), telescopes (BAM!), and eyeglasses (the... the porn is so CLEAR now!), to name a few. Look at the primary achievement of the 90s. The commercialization of the Internet. That's essentially a porn revolution!
So porn is being used to break encryption. Personally, I feel there can be no other way. Porn will lead us to the greatest achievements of our day, and conversely, all roads lead to porn.
It's our past, our present, and our future. Embrace it, or be left behind.
"Every jumbled pile of person has a thinking part that wonders what the part that isn't thinking isn't thinking of"-TMBG
Porn hustlers are the most brilliant minds alive today. They're the first to embrace new technology, have the most secure websites on the web (well, the major ones, at least), great marketers (TITS!), and can coerce the populace to do their bidding to make even more money. I wish I was even half as brilliant as they are...
Creator of the popular web game Proximity
This is a challenge for the HABEAS idea (HABEAS uses a copyrighted poem to sue spammers who send spam). The pornspammers are quite obviously circumventing a security-measure. Based on the sending-IP address, aol/hotmail etc should be able to do some sueing.
I'm not a complete idiot... Some parts are missing.
Having millions of people actively looking for your product = millions of human scripters = more powerful than some puny code. Sweet.
The computer science department at Berkeley has already broken the Yahoo-like Captcha. They use an algorithm to break it. They recommend "Gimpy" as a replacement, which their software has yet to crack. The blog is full of crap, the captcha is generated every session, so you can't make a link to the image like they would like because the session would end.
Based on his user id he seems to be older than you here.
They've harnessed the power of horniness, but for evil. If only that unlimited power could be harnessed for good -- it would be like having controlable fusion and all of the heavy water we'd ever need.
Amazingly clever, those evil spamming bastards.
Why are you letting these clowns ruin our country?
Can someone show me a real example of this being used? Please. Pretty please....
I can tell you that 99% of the illegal or 'gray area' activities like SPAM that go on in the online porn community are likely performed by less than 1% of the companies.
A vast majority of operators I speak with are firmly against SPAM because it simply doesn't result in profit. For one, customers who join up as a result of SPAM result in a much higher chargeback rate on credit card purchases, and in general being on the receiving end of traffic from SPAM is more than a nightmare dealing with 1000s of pissed off system admins.
Also, porn site operators want to maintain legitimate mailing lists to keep their customers informed, but that is now a pipe dream, as even customer support is difficult over e-mail because much of it gets caught up in SPAM filters.
Personally I won't do contract work for any porn company that uses SPAM because those are the ones that usually try to beat me out of a check. Also, they are the least likely to be around in 6 months, because most of them go under very quickly. In addition, I get sick of moving apps from host to host to host as they routinely get booted for sending, or being associated with SPAM.
Having a bookmark to Google does not make you an expert on everything.
You're right. But. A) you're repeating what the editor already said, and B) you are overstating your case a bit for the following reasons:
In fairness, the poster on the blog was Cory Doctorow, who is a long time, well-known net-citizen and isn't exactly some random guy, although you may not know him. For a sample of his work, see this piece in Salon which mentions that he won the John W. Campbell Award for best new science fiction writer at the 2000 Hugo Awards. He's not a journalist, he's a blogger, but it's an interesting tidbit nonetheless...
And even if he was a random blogger, his credentials are much less important than the core concept he's disclosing: that someone seeking to generate email accounts (or open bank accounts or whatever) could have porn-seeking humans workaround the turing-ish test security measures. The story is less that someone is doing it, than that someone could be doing it. At least to me.
Plus this is a hacker-type story... I wouldn't expect Reuters, etc. to carry it first.
I actually was glad to see the Slashdot editor point out the "someone told me" caveat... it's a sign to me that the editors here are getting better. They're warning us about the weaknesses in the story, not just slapping stuff up here without a care.
--LP
Can I have a look at those porn URLs? I really need them for my research.
Well I don't have an example of the page, but I do happen to have one of the captcha tests they were using... :)
Click here to decode pr0n captcha
-JT
I doubt it's the back...
Just use a Java applet instead of an image. It will be a whole lot harder to write a script that takes captchas from the sign-up page to pr0n users.
If the captcha contained a background of additional instructions such as "To get your free account, please type in www.free-email.com/username/captchawords", then it would prevent the porn site/ spammer from seeing the results.
Two wrongs don't make a right, but three lefts do.
Surely if they then try and get a third party to do the decoding the session will be expired.
The idea is that if that pseudo-porn site attracts enough visitors, the captchas will be solved pretty fast.
For example, even if the site gets one [interested] visitor per minute (that's not much for a busy site, and session will definitely not time out that fast) it means something like 24*3600=86400 email addresses a day.
*Preface: I'm not a hax0r or even a programmer. Just a crusty old sysadmin* It's plausible. If spammers run the pr0n site they then whip up a script to initiate the "signup" of free email when somebody agrees to see their site. Something keeps the webpage loading while in the background a session to yahoo/hotmail is spawned getting up to the Captcha part. It retrieves the image, presents it to the human. Access is granted to pornsite, solution to Captcha handed off to background process. Even given my limited cgi/perl knowledge I believe I could make it work. It'd be kludgy, but as long as I had a steady stream of pervs looking at the site it'd work.
Rather than guess a single image, how about a feature on the page at random? For example Yahoo Mail can ask "What is the menu to the immediate right of Addresses. (which according to my Yahoo Mail screen would be "Calendar"), Or even "What company is the banner ad up top advertising" which serves 2 purposes 1) Captcha Test and 2) Ensuring the advertising is looked at :-)
Unless a Spammer plans on building a porno site exactly like Yahoo (and incur the wrath of a zillion lawyers consequently), this would be a difficult one to counter attack (unless someone here could prove otherwise). Thoughts?
...in bed
So Slick Willie's bone to the entertainment industry for their blind support may turn out to have some use after all....
I guess that with all the "Mad Cow Disease" threats bovines have had to turn to other professions other than being hamburgers. Clever these Holsteins!
Harpo Tunnel Syndrome--my wrist feels funny.
I first heard about this meme from an article by John Dvorak. He suggested that one way around these captchas would be for porn sites to serve them to surfers, asking them to solve them before allowing them access to a page or site. I have not personally seen this suggestion implemented, but I have used it as an example many times while explaining why this form of computer security doesn't work.
I've never understood people that pay or subscribe for porn. There is simply no need. The air outside isn't really that dirty. The creepy crawlies will not bite you. You cannot get infected by talking to other people. Girls don't generally mind any of the Linux t-shirts (apart from the "I WANT TO ROOT YOU" shirts, but then, that is a scary thought). I appreciate the hands-on people of the world *arf*, but if you're the stereotypical geek whose girlfriend's surname is MPG, try looking around, it really isn't hard to find. I'd list some sites to check first, but I'm not ready for the 'Informative' score! Obviously, I've never looked for porn before, I'm just assuming...
All they have to do is copyright the captcha image, and sue the pants off anybody who uses it without permission.
Any lawyers want to comment on this?
My rights don't need management.
Really, it shouldn't be too hard to create a self-sustaining energy producing system. Distribute free Jack-O-Trons (much like the CueCat a few years ago).
Have volunteers attach the Jack-O-Tron to their wrist, plug the other end into a wall outlet, show them porn, and pass that kinetic energy right into the power grid!
I have misplaced my pants.
for whacking off
Self improvement is masturbation. Now self destruction...
So much for context affecting perception...
Generally, bash is superior to python in those environments where python is not installed.
Considering that it is not at all necessary to have "free" email accounts to spam (I worked for IEG, I know these things), I'm not sure this story isn't bogus. No serious porn outfit needs to worry about these issues. What isn't contracted out to people who are perfectly able to set up a mail server on a DSL line, don't need to because the truth is when you rent 3 OC-3 conx, your telecom supplier really doesn't care because they like the $$$ that kind of service brings in.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
What about putting some of the millenium prize problems to be solved to sign up a pr0n page. Who knows... maybe with enough porn-reward someone will solve it!
Spammers who don't traffic in stolen credit cards will be shut out.
As a countermeasure, credit card companies should monitor the $1 e-mail charges and do a courtesy call to customers. They do this already when unusual charges appear on a bill. So, most of these $1 e-mail account spammers will be shut down the first day when the credit card companies notify Yahoo, Hotmail, etc. about bogus e-mail accounts. From the credit card company's perspective, these courtesy calls will be well worth their time because they will be detecting stolen cards before massive charges are racked up.
That's genius. Much as I hate spammers, I have to admire this very clever solution.
...and you give us the results we want to hear. It's the new Microsoft way of getting unbiased research done apparently.
This is my sig. There are many like it but this one is mine.
This is a known troll - he makes intelligent, critical remarks which doesn't fit into the slashdot mainstream and show common sense ...but can I run Linux on it?
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
"Hey, I'm only seeing ugly people having sex!, guess I have to step up the quality of my work"
The grass is only greener, if you don't take care of your own lawn.
We *just* added captcha functionality at spamgourmet but we're using a random number at the end of each quizword, and we use a random filename for each image. The code just went up on sourceforge if you want to take a look.
who's moderating the meta-moderators?
I read about a company doing this last year in Wired (I think!). Anyway, it was a porn outfit that was also into spamming. They got people to type in the captchas that were inlined from yahoo as part of a script. Sort of a key punch job. These people sat at a computer, ran a program, and these captchas would come up, and they would type in the word. The script would deliver the word to yahoo (before it timed out), and the script would take care of the rest of the details of creating new accounts, and promptly spam from them. Anyway, in exchange for doing this, they got paid in free access to the porn sites.
This story has enough of those details that it appears to be a retelling of the same story that has mutated over time, sort of the way urban legends do.
The other problem with captcha-relaying is that if your captchas have a distinct look about them, it's easy to tell if some porn site is using yours. So...
Think I could convince Yahoo or Paypal to give me a job looking at porn in an attempt to find captchas that look just like theirs?
(j/k)
I don't have to imagine it. I live the dream!
Ok, at the end you have the free porn sites with a lot of hotmail or whatever email accounts. So what do they do with them or who do they sell them to? The value of them cannot be that high since you would only get one shot after which the site would close them down for sending a lot of spam.
I applaud the sheer evil genius of whoever thought up this gem. Their creativity on behalf of their dark masters is remarkable.
Now please, come back to the light side.
Perhaps rather than using a captcha in a jpg you could serve it up via an image Java applet. I don't believe you'd be able to redirect the applet or its image to a remote server. If the captcha server served up the applet to client on address X, if the reply came from address Y you'd know redirection was occurring - perhaps you'd need ssl for the applet.
Damn, I missed the porn angle.
Fuck the system? Nah, you might catch something.
By the user who sees the image. That's why the proper solution to bandwidth theft (via image srcing) is not to require a referer from your own site. This is an inconvenience for UAs that don't send the referer. Rather, reject the request if a referer is present and not from your own site.
The beauty of this is that it works because a majority of users do send honest referers. If I try to steal bandwidth from your site and you're using this restriction, most of my viewers won't see the image. That provides me with enough incentive to host the image myself, or ask your permission, or whatnot. Yes, the image will still display correctly for a few people who don't send the referer at all, but who wants a majority of their viewers to see a broken image? The scheme I propose is just as simple as requiring that all image requests have your referer, and just as effective, but is much more accommodating of privacy-conscious users.
Gates' Law: Every 18 months, the speed of software halves.
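A sketch of the two server-side checks proposed in this thread: the Referer rule from the comment above (accept a missing Referer, reject a foreign one) and the earlier suggestion that the image and the sign-up must come from the same IP. It is an added example, not code from any commenter or from the sites named; the host names, challenge lifetime and in-memory store are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for this sketch; none of them come from the thread.
SITE_HOSTS = {"free-mail.example", "www.free-mail.example"}
CHALLENGE_TTL = 120  # seconds a challenge stays valid

# challenge_id -> (answer, client_ip, expires_at); a real site would use
# its session store instead of a module-level dict.
_challenges = {}


def referer_allowed(referer):
    """Image-serving rule: a missing Referer is accepted (clients that do
    not send one), a present Referer must name one of our own hosts."""
    if not referer:
        return True
    host = urlsplit(referer).hostname  # None for malformed values
    return host is not None and host.lower() in SITE_HOSTS


def issue_challenge(client_ip, answer, now):
    """Create a challenge bound to the address the sign-up page went to."""
    challenge_id = secrets.token_urlsafe(16)  # random per-image name
    _challenges[challenge_id] = (answer, client_ip, now + CHALLENGE_TTL)
    return challenge_id


def serve_image(challenge_id, client_ip, referer, now):
    """Return the HTTP status the image endpoint would answer with."""
    entry = _challenges.get(challenge_id)
    if entry is None or now > entry[2]:
        return 404  # unknown or expired challenge
    if client_ip != entry[1] or not referer_allowed(referer):
        return 403  # inlined elsewhere, or fetched by another address
    return 200


def verify_answer(challenge_id, client_ip, typed, now):
    """Check a submitted answer. The challenge is consumed on the first
    attempt, right or wrong, so it cannot be retried or replayed."""
    entry = _challenges.pop(challenge_id, None)
    if entry is None:
        return False
    answer, issued_ip, expires_at = entry
    if now > expires_at or client_ip != issued_ip:
        return False
    return hmac.compare_digest(typed.encode(), answer.encode())


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    cid = issue_challenge("203.0.113.5", "xk7q2", now=1000)
    # Image inlined on another site and loaded by that site's visitor:
    print(serve_image(cid, "198.51.100.9", "https://other.example/join", 1005))
    # Same client that loaded the sign-up page, Referer stripped:
    print(serve_image(cid, "203.0.113.5", None, 1005))
    print(verify_answer(cid, "203.0.113.5", "xk7q2", 1010))
```

As a later comment in this thread points out, these checks only stop direct inlining of the image: a client that fetches the image and submits the answer from the same address still passes both.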
Yes, I've seen hundreds of these 'captchas' in the last weeks when I was surfing, ..., uhm, ah, well, never mind.
HAHAHA!
This is ancient news, it has been mentioned by me on the ASRG list in November and on my blog. The original new article was published by the Post Gazette, and found by Matt McCay in his blog. Liudvikas Bukys mentioned it in his blog also. You might also want to take a look at the W3C draft on why these visual tests do not work for disabled people. And to end this off, the basic premise of C/R is that the return address is valid. Even if spammers break these visual tests, in order to do that, they must have a valid return address - ergo, making them traceable.
The free Email-Website should just add some text inside their captcha like this:
"registration for: free-mail.com"
"only for registration at: free-mail.com"
"don't help spammers, answer this only
if you are at free-mail.com"
At least the people registering on the porn site would realize they are helping a spammer and would not do the decoding.
CJones
For instance... "blog". The very mention of that word makes me cringe. It sounds as though someone tried to create the internet equivalent of the Smurfs use of the word "smurf". "I'm going to blog in my blog."
Now we have "captchas", which sounds like someone from New Jersey got a little tipsy and decided to name these images.
What the blazes is a "captcha"? Just call it distorted text, just call it a diary! Now if you don't mind, I'm going to go protect my blog with captchas.
Seen any BadMarketing lately?
I wonder if they have filed for a patent?
The free email-website should just add some text inside their image including their URL like this:
"registration for: free-mail.com"
"only for registration at: free-mail.com"
"don't help spammers, answer this only
if you are at free-mail.com"
At least the people registering on the porn site would realize they are helping a spammer and would *hopefully* not do the decoding.
CJones
Actually, the "best" approach was almost there in your third paragraph. Instead of doing so many contortions to make a still saveable image or images more difficult, the best approach would be something that many folks would pitch a hissy fit about.
Use Java or Flash to display the "image" - you could code the applet not to work if not served directly from the mail site, or to tell the user how they are helping spread spam or whatever.
But there is probably little support for things that require a plugin.
I had already read somewhere (don't recall where) about the exact same attack. In fact, I believe it was somewhere in the captcha's website.
Make it complicated. People stupid enough to sign up for free porn simply aren't smart enough to solve a basic logic puzzle.
People don't exist to serve systems, systems exist to serve people.
You can get even MORE free porn by giving away your e-mail?!
Maybe my pr0n surfing differs from yours, but why should I 'sign up' for something that's just as easy to get for free anyway? It's not like it's difficult to find free pr0n.
If the tube was pumping Neo's penis instead of plugged into his head.
That's the solution. Make a porn sharing P2P application so idiots no longer have to sign up for free porn on the web. Let's ruin the porn industry like we ruined the music industry.
People don't exist to serve systems, systems exist to serve people.
I thought that's why there's something called ethics, which tells you when an ingenious thing may be good or bad.
IMHO, you can't applaud unethical uses of ingenuity.
Make them solve for mate in a chess game.
People don't exist to serve systems, systems exist to serve people.
CAPTCHA:
Completely
Automated
Public
Turing Test to Tell
Computers and
Humans
Apart
for more info www.captcha.net
A well designed challenge/response system won't challenge those people to whom the user has already sent email out to. I think nuisances like you have mentioned are temporary and will be refined in the future as spam becomes a greater problem (and it will).
I use a challenge/response system myself for my email and it certainly has nothing to do with me thinking I am really important or that my time is worth more than yours. It is all about me being totally sick of spam and being willing to take extreme measures to stop it.
All of my friends are already on my whitelist (or get on it quickly enough) and have forgotten that I ever had a challenge/response system in place. It really is not a nuisance at all to anyone who communicates with me on a regular basis.
I for one welcome our new porn site gathering, website registering overlords.
This brilliant design is the frontier of human/computer interaction. It creates a P2P network of human brains to crack an intractably compute-intensive problem. We are now in the nascent Matrix, as it feeds off our organic energy. It's only a matter of time before CaptchaNet becomes self-aware. At least it has a use for us - we'll make great pets.
--
make install -not war
Could it be that the New York Times is less reputable than a porn merchant?
This is just like seti@home only backwards. Think of the possibilities of a whole mass of people using intuition and image processing capabilities to solve small parts of large problems.
(insert obligatory overlord comment)
Also, read Vacuum Flowers by Michael Swanwick
I expect that soon all porn viewing jobs will be outsourced to India.
You got to back your crew. j00 have been served!
This was on Slashdot ages ago.
THE NERD IS THE COMPUTER.
Free porn sites are complete shit anyway. Either get your porn from usenet and P2P or pay for a subscription site. There are some GREAT sites out there for not much money (I go to deluxepass.com which is like $30/mo for unlimited downloading of 6 terabytes of ripped DVDs in high quality xvid format).
Further, just use an alternate address for each adult site you sign up with. In this example, I used deluxepass.com@(mydomainhere.com). After registering, a couple months went by and I began getting spam for other porn sites to this address. So, I went into /etc/postfix/virtual, commented-out the deluxepass.com@ email address, did a postmap virtual/postfix reload and no more spam or mail from them.
They can use whatever methods they want, but if I bounce all email to an address, they can't spam it anyway. So fuck 'em.
The bot could run the java applet through the SSL connection, take a screenshot, crop the image, send that out as is currently done.
A bit more work, but not impossible.
So when wifey catches you surfing porn, are you supposed to say that a virus took over the PC or that you were just signing up for free email?
very nice example.
you'd give your email id, credit card etc for porn but will cringe at the thought of nytimes getting hold of your email id.
seriously.. geeks, get your priorities straight.
I'm not trying to make any enemies, but I've got to speak my mind on this.
I further admit that this is an off-topic reply, although it does have to do with spam somewhat, and I guess maybe it deserves to be modded down heavily, but I really object to the signature in the parent message. The signature misrepresents a question asked during a congressional hearing by heavily editing it and then displaying it as a statement.
Here is how the signature reads (copied and pasted in case it gets changed):
"there should be an unlimited right to fill up your mailbox with e-mail." -- Democrat Robert C. "Bobby" Scott
I looked up the transcript at house.gov, and here is what was actually said by Bobby Scott:
"But there should be unlimited right to fill up your mailbox with-- your e-mail mailbox-- with unsolicited bulk commercial e-mail?"
He was asking that question of Joseph Rubin, a witness at the hearing, during an exchange where Scott was trying to get Mr. Rubin to clarify his position about what "spam" really is, and how it might relate to various Supreme Court decisions and the First Amendment and all that. It was a long and complex exchange between several representatives and various expert witnesses, full of questions, answers, clarifications, and minute details, the way congressional hearings always are.
To alter the text and punctuation of that single line of the hearing, the transcript of which is 53 pages long, making it appear that Bobby Scott supports the right of spammers to fill up people's mailboxes, is dishonest. If it wasn't for the awkward and outrageous wording of the statement, I wouldn't have felt compelled to look it up, and might have taken it at face value myself, thinking that the spammers have a Democratic friend in Washington. Maybe they do, but I don't think it's Bobby Scott.
You are in error. No-one is screaming. Thank you for your cooperation.
Right, but if Yahoo/etc serves up the image via SSL, while they could be getting a forged referrer, they should have a valid IP # that they could then block or prosecute.
Unless the porn purveyor had compromised zombie PCs making the SSL requests and relaying the image to the porn webserver over IRC or something.
--LP
Yes, and Disney preys on the weakness in children.
Furnace manufacturers prey on the weaknesses of people in colder climates.
I don't see how porn is deceptive, some people just like to see naked people, and people having sex, that is what you see with porn, no deception.
Porn is just another product/service. Obviously you don't like it, and that is your choice.
Part of a free society is being able to choose what YOU do, not what others do.
I don't care if you spend your days watching porn, I don't care if you sit on your couch and drink till you pass out, I don't care if you pray for hours a day, I don't care if you are in a same sex marriage.
These things don't affect me, I can chose not to do them, and I don't really have a good reason to stop you.
Now we have it... the missing link between porn and spam!
Using porn as a motivation drive to do work...
So basically it's a Wanker Rotary Engine?
MOD PARENT UP! funny + interesting
I'm sure you realize this, but the technique described would work to break virtually any system, including yours. The spammer loads your page, and downloads your dynamically generated image to a file. They show their copy of the image to a porn-wannabe, five seconds later, who tells them the string. They then submit your form, along with that string.
Dynamically generating the image simply means that they need one porn-seeker per captcha bypass. Somehow, I don't think that will be a problem.
Destroy the incentive.
Give away free porn WITHOUT having to jump through any hoops!
Hah! That'll show 'em!
1. Automate creating email accounts on yahoo and hotmail.
2. ???
3. Profit
Does anybody know what #2 might be ? I'm missing the motivation behind all these clever tricks.
The Verisign Chief Scientist just proposed a solution on the ASRG list.
"Basically Microsoft should add a copyright notice to their turing test image and offer a free X-Box for the first person to report each site using a man in the middle attack to defeat it."
Later on
"Set up a bounty system for reporting such attacks, a free X-Box is probably more attractive than free porn. Or you could give a free X-Box and a subscription to your choice of Penthouse, Cosmopolitan or a non-porn title."
Cosmopolitan? A porn title? Err yes I guess it is.
Kinda sneaky, using one social network hack to defeat another.
The sad part is I actually read it as the elephant being in his pajamas before reading the punchline.
Spammers browse at -1
Using the 'net to harness human cognition instead of computers' clock cycles? I am impressed.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So now porn harvesters will need to take the captcha from the porn site which took it to get around the Anti-spam in order to collect the images automatically...
Do you remember the copyrighted anti-spam haiku? Maybe including a copyright notice inside the image would be a way to threaten the porn sites that would "steal" the CAPTCHA.
;-)
This is definitely not a technical solution but yet another way to leverage the copyright laws to protect against this attack.
Another trick would be to merge a user notice inside the image. The notice would say "Exclusive property of yahoo.com" or "Using outside of Hotmail.com is illegal"?
Of course such a notice needs to be readable by humans, while difficult to remove for a computer, which is yet another challenge.
The question is what creates the most psychological pressure? Porn or EULAs?
We can work around IBM's patent if we come up with a way to pay Open Source developers with porn.
Submit a patch and you'll be rewarded with 5 minutes of unlimited access.
Mmmm.. Donuts
What these guys have done is effectively created a distributed wetware network of human problem solvers that are rewarded by porn for solving problems in realtime. This is like SETI@HOME, except you have highly motivated nodes utilizing human brains instead of piddly little silicon chips.
What other types of problems might they throw at this network? Decoding images is brilliant, but let's think of other uses?
How about categorization? Google could contract out to this network the categorization of images for image searching.
In an attempt to think about uses, my brain is overheating. This is an absolutely incredible idea. Porn sites could even stop charging (users) and instead start leasing out their "borg clusters" to data processors that need to do highly complex data processing. You could achieve results in realtime for problems that could never before be solved with computers! Computer vision, language processing,
I can even imagine new video compression algorithms that take advantage of the ability of humans to exactly identify objects that are moving between frames. The trick is just to decompose the problem so that the humans could easily "click click click" the hard computer vision part of the problem away
Someone should start a company to leverage this idea. Here is to PORN!!! The bringer of all tech revolutions!!!!
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
http://www.snopes.com/history/american/gauge.htm
InThane
Only allow certain clients (IE) to access the challenge/CAPTCHA. This way you know the referrer isn't forged. This discards both the script and the zombie fetching the challenges.
Identify the client/machine uniquely in a way that isn't forgeable. Attach this information to the yahoo.com or hotmail.com account, and keep track of how many accounts are registered per machine.
Remains the attack where the porn site *asks* the user to go and register an account with such membername and such password, before getting access to the porn...
creating a specialized OCR for this? My theory is that if they are computer generated, you can get as many of them as you need for analysis, and it is reversible by the human brain, it should be reversible by program. I'm going to have to try this sometime, because I just think there are more practical ways to read them than to trick users into it.
J
I can count to 1023 on my hands. Ask me about #132.
I, for one, welcome our silicone-titted overladies...
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
The first time I heard this idea, it was someone on slashdot suggesting it. I also saw the idea of 1x1 transparent gif bugs in spam mail as someone suggesting it on slashdot before I ever saw it in an actual spam.
Just think about that before you go posting things like "but the spammer could easily do X to get round it" - THEY'RE WATCHING YOU!
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
...And it's called Usenet
So, the computer has a task the CPU is poor at performing, so they offload that procedure to specialized "wetware" that's more efficient at handling that kind of processing. The people are being used like FPUs or GPUs. Paid in porn, instead of run on electricity.
How'd you like to have a job as a coprocessor? Is this the computer-age version of dehumanizing assembly line drones- soon people will sit in front of computers all day long handling the offloaded processing tasks computers are poor at handling?
Come to think of it, this is already going on a lot. Computers process all the transactions at most companies, but they have certain "flags" they catch that offload certain transactions-ones that are exceptional for some reason (complex, may involve fraud, etc)- for people to handle personally. I just hadn't thought of people as coprocessing drones handling certain exceptions a computer program comes across and offloads for biological processing.
The matrix won't happen all at once with a war. It will creep up on us so we hardly notice it. We won't be subjugated, we'll volunteer.
-Phat Tony
Can anyone tell me how to set my sig on Slashdot?
Bill Gates, fix that!
sone@saranac.net
My mom once told me, If Men spent the same amount of time researching space as they did female breasts we would have bases on the moons of saturn by now.
I agree, great idea really.
Come the revolution, the Bourgeois, Capitalistic, "A PARKING STICKER HOLDERS", will be first against the wall!
At the very least sites such as Yahoo, etc. should add a water mark to captchas which indicate that they are to be used for the Yahoo email signup, perhaps even add a "report abuse to.." wording on it.
The grass is only greener, if you don't take care of your own lawn.
...but they can just discard the excess requests, which is why they gave the figure shown. :-)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It's a clever idea (even if nobody has actually done it yet) but I think Captchas will always be ahead in the arms race.
.sig
Cut and paste my Captchas? Ok, I'll embed it in a java program.
Screen capture? I'll make it dependent on the web-site you're visiting.
(which of these objects starts with the same letter as the third letter of my website?)
In the end though, the best a captcha can do is prove there's a human somewhere in the loop.
A spammer (or anyone else for that matter) could hire real people to answer them.
Automate the non-captcha part of the signup, and you could generate several hundred accounts per hour.
-- this is not a
It looks like mom was right: Porn is eeevil. The fruit of evil is spam.
How about spreading anti-spam propaganda in the captchas?
Like "Visit www.spamassassin.org"
I love to see spammers spreading advertisements about Spam Assassin on porn sites...
I remember in the 1980s, there was a gag system to which one could pose a question and get back an answer. To get the answer, one first had to answer another question in the system. Not real-time, but worked fine in the steady state, and was a real hoot. Some people wasted almost as much time coming up with good Oracle answers as we all do posting to Slashdot....
Mencken had it right. So glad that's old news.
does free porn come from anyway? I assume it's ripped off some pay site?
You gotta be kidding!? Why the fuck do the morons need to spam my box 24/7 with their shit. Grrrrrrrrrrr
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
"This image allows the user to sign up for a foobar.com e-mail account. If you see this image on another site please enter the word: fakeword"
Where fakeword is a random captcha style word, that the site recognizes as an attempt by a third party to get the user to solve the captcha.
The captcha site behaves as if it allowed the fakeword, except it doesn't actually create the account. Once a fakeword is used the site can take all sorts of measures like putting that IP address on a fakeword list. Thus it would not depend on every user of an image to enter the fakeword, just one honest user. One would need more than an IP list to deal with NAT, but you get the idea.
The user who entered the fakeword is rewarded, because the spammer site doesn't know that the fakeword is entered. They will need to attempt to login to the account to verify it. Sites could use either: 1) New accounts are not active for one hour. 2) Actually create fakeword accounts, but then delete them after an hour.
Just some rough ideas, but I am sure someone can come up with a solution to this spammer activity.
This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
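A minimal sketch of the fakeword scheme from the comment above, added here as an example and not part of the original thread. The class, method names and in-memory stores are hypothetical, and it uses the comment's option 1 (new accounts stay inactive for one hour) so a relayed submission and a genuine one look identical to the client.

```python
import hmac
import secrets
import time

ACTIVATION_DELAY = 3600  # option 1 in the comment: inactive for one hour
ALPHABET = "abcdefghjkmnpqrstuvwxyz"  # constructed alphabet, no look-alike letters

def new_word():
    return "".join(secrets.choice(ALPHABET) for _ in range(6))

class FakewordCaptcha:
    def __init__(self):
        self.challenges = {}      # challenge id -> (real word, fakeword)
        self.flagged_ips = set()  # the "fakeword list" of suspected relay sources
        self.accounts = {}        # username -> time the account becomes active
        self.decoys = {}          # username -> time the pretence expires

    def issue(self):
        """Return (id, real, fake); both words are drawn into the image."""
        real, fake = new_word(), new_word()
        while fake == real:
            fake = new_word()
        cid = secrets.token_hex(8)
        self.challenges[cid] = (real, fake)
        return cid, real, fake

    def submit(self, cid, answer, username, ip, now=None):
        """Same response for the real word and the fakeword."""
        now = time.time() if now is None else now
        real, fake = self.challenges.pop(cid, (None, None))  # single use
        if real is None:
            return "rejected"
        relayed = hmac.compare_digest(answer.encode(), fake.encode())
        if relayed:
            self.flagged_ips.add(ip)  # one honest user is enough; NAT needs more
        elif not hmac.compare_digest(answer.encode(), real.encode()):
            return "rejected"
        if relayed or ip in self.flagged_ips:
            self.decoys[username] = now + ACTIVATION_DELAY  # no account created
        else:
            self.accounts[username] = now + ACTIVATION_DELAY
        return "accepted"

    def login(self, username, now=None):
        now = time.time() if now is None else now
        if username in self.accounts:
            return "ok" if now >= self.accounts[username] else "pending"
        return "pending" if now < self.decoys.get(username, 0) else "unknown"
```
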
... today the machines are distributing processing to human as peripherals ... next the machines use us as batteries.
-pyrrho
Yeah, some sites check the referer (sic) field in the HTTP header sent by your browser to make sure you've really come from a link on their website. Such annoyances can be avoided by using a proxy, such as junkbuster, which doesn't send the referer field, or hacking up the browser to always send a referer that's one level up from where you are trying to go. You're right that the spammers would be able to directly link to the captchas. If a site such as yahoo just put a little copyright yahoo string on their captchas, that would make copying them around a porn server a little more problematic, I would think.
"Reality is that which, when you stop believing in it, doesn't go away." -- Philip K. Dick
It's not a complete fix, but making your 'captchas' larger and putting your trademark and website identity inside the 'captchas' would make it pretty obvious if anyone is doing this to you. The text to echo back should be at a random location in the image, so the spammer cannot crop it in an automated fashion. Also, a URL in the image to report to if it's seen on a site where it's not expected would be good.
The whores get mad when the sluts give it away for free.
So has someone patented this yet? Better hurry, else someone 20 years from now might decide it's theirs!
... that wanking makes you blind, else a porn site would be the worst place to try and use visitors to decode Captchas.
We should, instead of asking people to decode a captcha, ask them instead to find the next prime or something. The Riemann Hypothesis would be solved in no time! :-)
but have you considered the following argument: shut up.
The email accounts that this idea harvests can certainly be used for spam mischief, but I have already seen a variation on this theme that is used for much more practical (and financially rewarding) purposes. For obvious reasons I'm not at liberty to give too many details, but realize that there are a lot of services that use captchas that aren't offering free email accounts. Think bigger. For instance, say, Ticketmaster.
A lot of sites are using Turing tests these days because an OCR software solution would require a decent budget and some real programmers to crack. Sure, it can be done, but if the prize is a few email solicitations, that's not a big pot of gold to tempt most people with the resources to do this. But when the payout is bigger (say, a dozen front-row seats to a concert, or 3rd base seats at the World Series) you will see much more sophisticated systems arising that can make you shitloads of cash without anyone ever being the wiser. Of course, there's different ethics at work. What would you be more annoyed at: getting a hundred junk emails a day, or missing out on those 50-yard seats at the Super Bowl?
The reason you don't hear too much about this sort of thing is because the people involved appreciate the huge amounts of money at stake, so they keep their mouths shut. Yeah, it's too bad you can't put your system on /. and show off to da man, on the other hand, you get to drive a nice sports car and live in a duplex in Manhattan. It's a trade-off. :)
Why am I even mentioning any of this? Because I missed the boat (heck, wasn't even invited onboard!), so I'm not making any dime off it. Which makes me a little bitter.
Know and understand this: any system you can think of that has holes in it that can be exploited for financial gain is most likely already being exploited by insiders who know a lot more about these systems than we do. As a general rule, if you have a clever idea to make a million bucks, it might not have been done already. But if it's up on Slashdot, you have most definitely missed the boat.
There are a number of newbloggers and other online freelance journalists whose writing and authoritativeness compares reasonably well with that of newspaper opinion page syndicated columnists. I'd rate Cory well above, say, Charles Krauthammer. (Sorry to have to use US examples here...) He's not usually trying to do what Molly Ivins does, but when she's doing a random-culture thing, they're fairly similar in quality. Sure, there are newspaper editors who decide only to run the columns of Molly's that they like, but then Slashdot only features Cory's articles when they think they're interesting.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks