Slashdot Mirror


Yahoo CAPTCHA Hacked

Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."

252 comments
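The summary's numbers (15-35% recognition accuracy, 100,000 tries per day) also describe what the defending side can look for. Below is an added example, not code from the thread, from Yahoo or from the Russian researchers' tool, that aggregates CAPTCHA attempts per source and flags sources whose failure rate is far above what a human produces. The one-attempt-per-line log format, the sample entries and the thresholds are assumptions made for illustration.

```python
"""Flag sources whose CAPTCHA attempt history looks like an automated solver.

Added example for this page; it is not code from the thread, from Yahoo, or
from the Russian researchers' tool. The "<source> <ok|fail>" log format, the
sample entries and the thresholds are assumptions made for illustration.

A recogniser that is right 15-35% of the time has to grind through thousands
of challenges a day, so a source that keeps failing two thirds of them stands
out from a human, who is usually right within one or two tries.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceStats:
    ok: int = 0
    fail: int = 0

    @property
    def attempts(self) -> int:
        return self.ok + self.fail

    @property
    def success_rate(self) -> float:
        return self.ok / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> dict[str, SourceStats]:
    """Aggregate one "<source> <ok|fail>" line per attempt; skip malformed lines."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("ok", "fail"):
            continue
        src, outcome = parts
        if outcome == "ok":
            stats[src].ok += 1
        else:
            stats[src].fail += 1
    return dict(stats)


def flag_solvers(stats: dict[str, SourceStats],
                 min_attempts: int = 10,
                 max_success_rate: float = 0.5) -> list[str]:
    """Sources with enough attempts and a success rate too low for a human."""
    return sorted(
        src for src, s in stats.items()
        if s.attempts >= min_attempts and s.success_rate <= max_success_rate
    )


# Constructed sample log (not real traffic): 10.0.0.5 behaves like a
# one-in-three recogniser; 10.0.0.7 and 10.0.0.9 are ordinary users.
SAMPLE_LOG = """\
10.0.0.5 fail
10.0.0.5 fail
10.0.0.5 ok
10.0.0.7 ok
10.0.0.5 fail
10.0.0.5 fail
10.0.0.5 ok
10.0.0.9 fail
10.0.0.9 ok
10.0.0.5 fail
10.0.0.5 fail
10.0.0.5 ok
10.0.0.5 fail
10.0.0.5 fail
10.0.0.5 ok
"""

if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for src, s in sorted(stats.items()):
        print(f"{src}: {s.ok}/{s.attempts} solved ({s.success_rate:.0%})")
    print("suspected automated solvers:", flag_solvers(stats))
```

The weak point is the key: an attacker spreading attempts across a botnet keeps every single IP under `min_attempts`, so in practice the same rule is worth running per account-creation session or per cookie as well, alongside a site-wide failure rate that a distributed solver cannot hide. Whatever is flagged should then get a fresh challenge on every action rather than one CAPTCHA buying an open-ended session.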

  1. I thought those things were already broken by Anonymous Coward · · Score: 5, Funny

    by having a teenage boy do it in exchange for letting him see porn.

    1. Re:I thought those things were already broken by Anonymous Coward · · Score: 1, Funny

      Not an easy job to stay concentrated on.

    2. Re:I thought those things were already broken by 2.7182 · · Score: 4, Insightful

      I think the parent is serious. The idea is that your robot goes and grabs the images that need to be decoded. Then on another website, it is presented and you can see free porn if you type in the word. I've heard of this but never read about it. Sounds like a good idea. Anyone know what this is called or some references?

    3. Re:I thought those things were already broken by Rageon · · Score: 2, Insightful

      No idea where I first read this, but I too remember reading something very similar to the "solve the captcha for porn" idea.

    4. Re:I thought those things were already broken by rthomas6 · · Score: 4, Informative

      http://news.bbc.co.uk/2/hi/technology/7067962.stm
      Here is a link to a BBC article about something like that. It's a Windows program that rewards typing in captchas by showing a woman that takes off progressively more and more clothes.

    5. Re:I thought those things were already broken by 2.7182 · · Score: 2, Informative
    6. Re:I thought those things were already broken by kesuki · · Score: 4, Interesting

      That's why it costs 1 cent per captcha: the overall cost of web hosting the porn for exchange boils down to 1 cent per solved captcha. Obviously, if you're hosting on rootkited Windows boxes in the US (the highest rate of infection is in the US), the cost is still about 1 cent per captcha, because the cost of paying hackers to keep a botnet sizable enough comes to about the same.

      Especially with SP3 coming out now, the cost of botnets is higher, since SP3 offers an 'easy' botnet removal path, since staying offline long enough to get all of SP2's flaws patched is crucial in preventing reinfection. Believe me, having a rootkit installed is easy even for a veteran computer guy to miss.

      I have DVDs I burned almost 3 years ago that reinfect any Windows machine with a rootkit, and are unreadable in Linux. Apparently the rootkit was using some hooks in Nero Burning ROM to 'randomly' pick a burn project and put the rootkit installer on there, so when Windows tried to autorun it would install the rootkit, then show the 'window' that normally shows up on autorun. The rootkit took an 'extra' session that was transparent, e.g. it would only show when using burning software to read the track data for the burned CD or DVD. No additional files showed up in Windows, but the extra session made it unreadable to Linux.

      Also, the rootkit only runs in a 'blank' screen saver, which it protects and makes sure loads when the system is idle, so it never sends data when the user might be there to notice. And I think it sends the data as, like, Internet Explorer, to bypass firewall rules, since none of the firewalls I tried could block it. I actually only found the original rootkit when a second rootkit moved the first rootkit's files to the Recycle Bin. Other than that, none of the rootkit scanners that were recommended to me could even detect this thing. Only the 'symptoms' and the fact that I could 'remove them' by staying offline and not using my old discs were proof that I had a rootkit.

      Symptoms included: autorun becoming disabled, the screen saver always resetting to 15 minutes (only when both rootkits were on there), the 'desktop' showing up 2-3 times a day when in full-screen games (also only with both rootkits), and finding rootkit files in the Recycle Bin (only found on networked systems with the rootkit, and it didn't return on reinstall of both rootkits; likely it was a one-time 'bug' that was fixed later on).

      So yeah, I didn't notice it for 3 years. Not that I usually have to deal with viruses; in the past I had only ever had to deal with 3 viruses in my 15 years online, and the third one was really a rootkit. I've also been using open-source software for 11 years, so that probably helped. Of course, one of the viruses was one that affected my open-source software; the other 2 were Windows-based.

      It's still easy to miss Windows rootkits nowadays, especially when hackers have rootkits that aren't published, and they use scripts to make the exes have unique signatures (using compiler tricks) for known rootkits.

    7. Re:I thought those things were already broken by Anonymous Coward · · Score: 0

      a rough analogy (but not quite the same thing) would be the Chinese Lottery.

      Look up Bruce Schneier's Applied Cryptography or RFC 3607 for details.

    8. Re:I thought those things were already broken by nog_lorp · · Score: 1

      In RuneScape "botting", an application was developed where captchas were typed reciprocally: sit and type captchas for 5 minutes and you'd get 50 captchas typed for you later. It was called "sleepwalker".

    9. Re:I thought those things were already broken by Plutonite · · Score: 1

      That's got to be just about the funniest thing ever :)

    10. Re:I thought those things were already broken by zcat_NZ · · Score: 1

      That's been done before. ... or as the article says, you just pay some guy in Bangalore one cent per captcha to do it.

      --
      455fe10422ca29c4933f95052b792ab2
    11. Re:I thought those things were already broken by novakyu · · Score: 3, Informative

      that's why it costs 1 cent per 1 captcha, the overall cost of webhosting the porn for exchange boils down to 1 cent per solved captcha.

      Er, where did you get that number? At Nearly Free Speech, it only costs $1 / GB (of transfer), and that's how much it would cost nearly anywhere else (or even less!), if you use a significant amount of bandwidth.

      I don't know exactly how large porn images are, never having looked at them, but if you guess a round number of 0.1 MB per picture, it's only about $0.0001, or 0.01 cent per captcha. I suppose it's better than nothing, but it's not yet very cost-prohibitive.
    12. Re:I thought those things were already broken by Anonymous Coward · · Score: 3, Funny

      I don't know exactly how large porn images are, never having looked at them.

      Posting on /. and you've never seen porn? Bullshit.

    13. Re:I thought those things were already broken by 1u3hr · · Score: 1
      No idea where I first read this, but I too remembering reading something very similar to the "solve the captcha for porn" idea.

      It was suggested a few years ago. I've never seen any evidence of it being put into practice. I think it would be simpler to pay some computer sweatshop in Delhi to do this for a few cents each. I can find more free porn than I have any desire to see without any problem, so it's hard to see why users would bother. The site would very soon be common knowledge and interested parties could sign up and see whose captchas were being attacked, and then various attacks could be made on the server, or poison their solutions -- one can imagine a robot signing up for this to give wrong captchas. Would you have to solve a captcha to prove you were human enough to solve captchas?

    14. Re:I thought those things were already broken by mlush · · Score: 1
      I can find more free porn than I have any desire to see without any problem, so it's hard to see why users would bother.

      I think this is the key point: why work for it if you can get it for free? A more cunning variant would be to have a Far East site that uses lots of captchas that are spookily similar to, say, US Hotmail. The site could be profitable in its own right with a nice side line in captcha solving.

    15. Re:I thought those things were already broken by Agripa · · Score: 1

      I have heard it called a mechanical turk.

    16. Re:I thought those things were already broken by m50d · · Score: 1

      Many hosts will charge more for porn. Or not allow it at all.

      --
      I am trolling
    17. Re:I thought those things were already broken by nb+caffeine · · Score: 3, Funny

      Maybe he only watches movies

      --

      "Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
    18. Re:I thought those things were already broken by novakyu · · Score: 1

      Many hosts will charge more for porn. Or not allow it at all.

      A hundred times more? I think at some point, it's probably cheaper for those in the porn industry to get their own T1 line and a data center.

      Do you have any evidence for this? At least at NearlyFreeSpeech.net, they don't have anything saying that they won't allow porn, and given the intimate connection between the porn industry and the fight for First Amendment rights (Larry Flynt, anyone?), I doubt that they would disallow it, even unofficially. I am just saying this because, if what you say is true, and other web hosts will either charge 100 times more for porn or disallow it, and somehow porn entrepreneurs don't want to get their own data center, NearlyFreeSpeech.net could make a decent profit by hosting them (especially given that they charge by the bandwidth).

      And I thought I heard at some point that porn sites actually tend to be better customers for most small web hosts (always pay with cash and never late with a payment, or something like that).
    19. Re:I thought those things were already broken by Anonymous Coward · · Score: 0

      I must admit that I too prefer adult entertainment as video.

    20. Re:I thought those things were already broken by CastrTroy · · Score: 1

      However, if you pay $1 per GByte, then you are already paying more than most hosts charge. You can go to Dreamhost and pay only $10 a month for 500 TB of transfer. Sure, you would probably never be able to use it, based on the speed the servers send pages at, but at least you have a little room. You could easily serve up 10 GB of traffic to make up for the $10 a month you don't have to pay extra for the space you use. I mean, you could probably pay less if you had a really low traffic site on NearlyFreeSpeech, but you could easily spend a lot more, if for some reason, your site got a lot of visits.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    21. Re:I thought those things were already broken by Goaway · · Score: 1

      It's a theoretical attack that got posted on Boing Boing and then the entire blogosphere thought it was real because they "remembered reading something" about it.

      Only recently did anyone attempt to do it in real life, after the idea had been spread far and wide for years.

    22. Re:I thought those things were already broken by Anonymous Coward · · Score: 0

      I don't know exactly how large porn images are, never having looked at them.
      Posting on /. and you've never seen porn? Bullshit.

      /. is my porn.
    23. Re:I thought those things were already broken by foniksonik · · Score: 1

      My friends and I back in 2002 came up with a phrase for this. We dubbed it "Porn Sourcing".

      We thought about patenting it but then we sobered up and forgot about it ;-p

      Sounds like maybe we should have done it anyways but in a more flexible manner.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    24. Re:I thought those things were already broken by stonecypher · · Score: 1

      Yeah, or you could go to any place that sells cheap unmetered (like my ISP) and get as much as you can eat for about 20 bucks a month. Nearly Free Speech isn't as nearly free as their name suggests.

      --
      StoneCypher is Full of BS
    25. Re:I thought those things were already broken by Grishnakh · · Score: 1

      I don't know exactly how large porn images are, never having looked at them, but if you guess a round number of 0.1 MB per picture, it's only about $0.0001, or 0.01 cent per captcha. I suppose it's better than nothing, but it's not yet very cost-prohibitive.

      Maybe you should try looking at them. You can see them for free all over the web.

      High-quality porn images are between 500kB and 3MB each. 100kB pictures aren't that great, as that doesn't give you much resolution, though they're better than the really lousy 10-30k images.

    26. Re:I thought those things were already broken by Phroggy · · Score: 1

      I only read it for the articles.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    27. Re:I thought those things were already broken by Anonymous Coward · · Score: 0
    28. Re:I thought those things were already broken by Cajun+Hell · · Score: 1

      Anyone know what this is called .. ?
      It's called "getting humans to perform tedious mundane tasks for their computer overlords."
      --
      "Believe me!" -- Donald Trump
    29. Re:I thought those things were already broken by Anonymous Coward · · Score: 0

      He was talking about the cost of captcha farming, not bandwidth. Hence the reference to cost per captcha, not bytes transferred.

      (and you've never seen porn? Must make you special. Hint, the file size depends on the image resolution and quality settings, just like any other image)

    30. Re:I thought those things were already broken by rav0 · · Score: 1

      Firstly, one megabyte per picture is a more reasonable estimate than 0.1 megabytes for the size of a picture. Furthermore, these websites would be serving pages with the captcha and preview picture many times, while only some of these times would result in a user attempting to solve the captcha. On top of that, not every attempt would be valid, meaning that several megabytes of bandwidth has been used to solve only one captcha. Thus, the cost per solved captcha with this method could well be more than one cent per captcha.

    31. Re:I thought those things were already broken by novakyu · · Score: 1

      All valid comments. Nonetheless, my website statistics say that over the last 5 days I transferred 6.33 MB.

      Even if I were to get Slashdotted (I can't imagine why—it's only a personal vanity site), over the course of a month, I would save $10 by hosting with a web host who charges me for what I actually use.

      I have nothing against Dreamhost (it was my first host, and the first year, I got a great deal), but I don't want to pay $10/month for a personal website whose only regular users are me, myself, and novakyu.

    32. Re:I thought those things were already broken by kesuki · · Score: 1

      Bandwidth is only part of the cost: servers, co-location fees, DNS fees, advertisement, server administration costs (which may be part of the hosting fee). It all costs money; how much it costs you to lease the fiber-optic lines isn't the sum of all costs.

    33. Re:I thought those things were already broken by novakyu · · Score: 1

      bandwidth is only part of the cost, servers, co-location fees, DNS fees, advertisment, server administration costs (which may be part of the hosting fee.) it all costs money, how much it costs for you to lease the fiber-optic lines isn't the sum of all costs.

      However, much of that cost is a simple lump sum. If you'd care to see:

      1. servers: especially if you are doing your own hosting, you buy the hardware once. And replace every once in a while as they fail. You do not have to spend more on servers as you serve more porn (presumably to "crack" more CAPTCHAs).
      2. co-location fee: I suppose there are monthly costs associated with these (and I wouldn't have a clue how much they are), but again, you do not pay more in these as you serve more porn.
      3. DNS fees: Er, are you serious? If they are doing it normally, these are about $7 per name per year. Compared to all other costs, this is pocket change, and if they are big enough to do the whole "domain tasting" thing, it's actually free (or constant cost with respect to the number of domains). Not to mention, again, that this cost does not rise as they serve more porn.
      4. ads: Given that what they are doing is probably illegal (i.e. cracking CAPTCHAs; if not illegal, it's bound to violate some ToS), I'd hope that they are smart enough not to advertise. Do you see many mafia recruitment ads on the TV?
      5. server administration costs: If they are hiring sysadmins, again, like co-location above, this will be some monthly fee, but again, the cost is constant with more porn served (except, of course, more highly paid sysadmins might be able to serve porn better, but that's going into too much detail).


      If anything, the "costs" that you listed would actually encourage them to enlarge their "business" and "make it up in volume", so to speak. The only cost that, in some way, goes up with more porn served is bandwidth usage (and even this can be made up in volume).

      Yes, if these were really small operations with huge overheads like these, they could spend well over $10 per CAPTCHA "broken" in this way. But, while we are at it, why don't we hope that wishes were horses and beggars could ride unicorns?
    34. Re:I thought those things were already broken by Anonymous Coward · · Score: 0

      Well, you never know, the 'captcha' crackers could be doing it 'as a service' for the online blind community.

      And of course, the big thing that could drive their costs up is the fact that they're doing so illegally, and are unable to use 'cheap' US-based site hosting services and instead have 'moved' to Iran. I know all the major credit card theft 'portals' have switched to Iran-based co-location services.

  2. Hey by Misanthrope · · Score: 5, Funny

    They're used to seeing Cyrillic, the captcha has got to be easier to read!

    1. Re:Hey by Janek+Kozicki · · Score: 4, Interesting

      The 3D captcha seems to be a good solution here (that's a link from the Wikipedia article).

      You pick several 3D models, like people, chairs or flowers. Name all their parts, like "chair leg", "human head" etc. The CAPTCHA is generated by placing several 3D models, randomly rotated, on a scene and rendering them with easily readable letters "A", "B" placed on the named parts. The captcha questions are: "what is the letter on the human head", "what is the letter on the chair leg", etc.

      People can answer pretty easily. The 3D models are always randomly placed and rotated on a scene, so bots have a problem.

      --
      #
      #\ @ ? Colonize Mars
      #
    2. Re:Hey by PietjeJantje · · Score: 1

      It's an interesting idea, but the only part that elevates it from just being another step in an arms race is the last part, where it deals with compromises. It says attacks need to be recognized and then the captcha is modified. But this is what they already do, or should be doing. Recognition is hard, though, with requests coming from any possible computer in a huge botfarm. But sites like Yahoo should simply rotate their captcha generation algorithms as soon as they know they have been compromised, or even sooner. One can't win an arms race; the only step left is to embrace it and always be a step ahead. Just as no captcha, in the end, will be safe from hackers, no hacker is safe from a captcha routine changing just before or after you hacked the previous one. Game over.

    3. Re:Hey by chris_eineke · · Score: 1

      People who can see can answer pretty easily.

      There, fixed that for you.
      --
      "All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
    4. Re:Hey by Anonymous Coward · · Score: 0

      Get someone to (gasp!) help you then.

      There, solved that for you.

    5. Re:Hey by Actually,+I+do+RTFA · · Score: 1

      People who can see can answer pretty easily.
      There, fixed that for you.

      Actually, that would probably obviate the need to use similar colors for the grids/backgrounds/letters/etcetera, and thus would be more accessible to color-blind people. But CAPTCHAs always have that as an issue.

      --
      Your ad here. Ask me how!
  3. Not really news by Anonymous Coward · · Score: 5, Insightful

    A few months ago Yahoo introduced a CAPTCHA to prevent bots entering their chat rooms. Within a few days every room on Yahoo was filled with bots once more, and they still are to this day.

    Given the current situation of the chat rooms on Yahoo, it comes as no surprise at all that the other parts of the Yahoo system are inadequately protected from bots too.

    1. Re:Not really news by Hojima · · Score: 2, Insightful

      Probably the best thing I can come up with in order to prevent bots is have a recognition question of some sort. Just have a picture of something simple and ask what it is (a dog for instance), or have a very simple question like, "Is Paris Hilton a whore?"

    2. Re:Not really news by Main+Gauche · · Score: 1

      "Just have a picture of something simple and ask what it is (a dog for instance), or have a very simple question like, "Is Paris Hilton a whore?""

      No matter how you tweak the captcha idea, the spammers can simply transplant the entire "task" to the person who wants porn.

      Before I realized this, I was thinking of convoluted things like: having a huge list of questions about a huge collection of photos, embedding the question itself in a captcha, then asking the person to answer the question. But what's to stop the spammers from serving up virtually the entire page (from say, Yahoo!), asking the human to solve it, and then delivering the porn? It's a method you can't beat. If the intended subjects (Yahoo customers) can solve it, so can anybody else, on behalf of the spammer.

    3. Re:Not really news by Macka · · Score: 1


      You're correct, but you're also missing the point a bit. Until now, spammers have had to rely on human assistance to translate captchas. It doesn't stop them, but it does slow them down somewhat. If spammers develop a software method to reliably translate captchas (and it will only get better over time) then the speed at which they are able to generate successful intrusions will increase, which is worse for everyone else.

      So the battle must be fought on as many fronts as possible. And captcha solutions must improve to keep pace with new attacks. The 3-D captcha solution linked to elsewhere on this discussion looks like the best one I've seen to date.

    4. Re:Not really news by ookabooka · · Score: 2, Interesting

      Heh, yeah... I used to hook up my computer using Rybka to Yahoo chess. I played against other bots, other players (always a glorious win), and tolerated the unending spam from other bots that would just want you to go to some porn website. Eventually, they instituted a CAPTCHA... Oh noes, my bot was broken. Turns out I could just manually enter the CAPTCHA and grab the session ID info before the applet loaded and forward that manually to the bot. Once I'm "logged in" with the bot, it's no big deal. Point is: if a spammer has to type in one CAPTCHA and can then spam for days in God knows how many chat rooms, is it really that effective? Should we interrupt logged-in users with more CAPTCHAs? Quite the interesting problem indeed; perhaps some sort of feedback where people would mark someone as a bot, and if enough people did it, it would present the bot with a CAPTCHA. *shrug*

      --
      If you are about to mod me down, keep in mind that this post was most likely sarcastic.
    5. Re:Not really news by Pikoro · · Score: 1

      "So the battle must be fought on as many fonts as possible."

      There, fixed that for you.

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    6. Re:Not really news by Macka · · Score: 1


      LOL :-)

    7. Re:Not really news by g0rAngA · · Score: 1

      I believe xkcd has come up with the best captcha to date
      http://xkcd.com/233/

  4. Researcher? by Anonymous Coward · · Score: 0

    Why are they called a researcher?

  5. Gentlemen, start your spambots by timeOday · · Score: 1

    What other tough AI problems can we foist onto spammers? People who buy V1agra through email ads could be the single largest source of computer science research "grants."

    1. Re:Gentlemen, start your spambots by xaxa · · Score: 3, Insightful

      Natural language processing etc:

      To register, answer these questions and click the button on the right
      What colour are buses in London?
      What is three times three?
      [Red] [Green] [Blue]

    2. Re:Gentlemen, start your spambots by SoupGuru · · Score: 5, Funny

      That reminds me of the age check for Leisure Suit Larry back in the day... Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?

      --
      What doesn't kill you only delays the inevitable
    3. Re:Gentlemen, start your spambots by paeanblack · · Score: 4, Insightful

      To register, answer these questions and click the button on the right
      What colour are buses in London?
      What is three times three?
      [Red] [Green] [Blue]


      Yes, those are undoubtedly hard questions for a computer. How, exactly, do you plan to generate billions of these questions? For a CAPTCHA to work, it must still be hard even if the generation algorithm is public knowledge.

    4. Re:Gentlemen, start your spambots by driftingwalrus · · Score: 3, Insightful

      What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

      --
      Paul Anderson
      "I drank WHAT?!" -- Socrates
    5. Re:Gentlemen, start your spambots by KillerBob · · Score: 1

      There was a hotkey, I think "CTRL-D", which skipped the questions....

      Um, don't ask how I know that. >.>

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    6. Re:Gentlemen, start your spambots by russ1337 · · Score: 1

      Natural language processing etc: To register, answer these questions and click the button on the right What colour are buses in London? What is three times three? [Red] [Green] [Blue]

      There is a good podcast on Security Now (see episode 101).
      Here is the transcript; this bit is not all that clear, as it is an actual transcript from Steve's stenographer.

      ....But, for example, you could imagine some sort of puzzle-solving solution. There has been JavaScript created which asks simple, English-language problems, like what is one plus one, as a trivial example. The problem is, again, it wouldn't be hard to cause a computer to have, you know, there would be a limited enough vocabulary of permutations of questions that different numbers would get plugged into that you could write some code that would understand that limited subset of questions and be able to answer them. So that's not very exciting.

      Basically, with natural language questions there can only be a limited number of questions that have to be answered; it is difficult to have a computer generate a large enough number of questions (that are 'general enough knowledge'). The person attacking this captcha then only has to answer them once, and have his script pick the right answer in an automated fashion. (And from TFA, the attacker only cares if he gets it right 30% of the time, so even if they spend an hour answering a bunch of these, then given enough queries the questions the attacker answered will come around again, and again, and again, and be answered by the script.)

      Highly recommend the episode on captchas and the couple afterward that address listener feedback.
    7. Re:Gentlemen, start your spambots by hksdot · · Score: 0

      Good idea, but immediately it occurs to me that there is a problem regarding the source of these questions/answers.

      You could have a preset list of questions/answers made by humans, but then there is an immediate limit on the number of them. Plus, if the list got leaked, you'd have to come up with an entirely different set of questions/answers.

      Barring that, you'd have to generate the list. I haven't studied natural language processing, but I would posit that generating question/answer pairs would be of a similar level of difficulty as processing questions.

    8. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 0

      A computer that can solve "What is three times three?"

      http://www.google.com/search?q=What+is+three+times+three%3F

    9. Re:Gentlemen, start your spambots by LordLucless · · Score: 2, Insightful

      Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in their database.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    10. Re:Gentlemen, start your spambots by The+Redster! · · Score: 1

      Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?

      Especially over such prominent historical subjects as Annette Funicello, Hugh Hefner, and Nehru jackets.
    11. Re:Gentlemen, start your spambots by webmaster404 · · Score: 1

      And would make the coders look like they flunked English a few times, really, it would be unprofessional to do that.

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    12. Re:Gentlemen, start your spambots by Draek · · Score: 1

      What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

      And the best proof of that is, funnily, spam itself.

      --
      No problem is insoluble in all conceivable circumstances.
    13. Re:Gentlemen, start your spambots by Rocketship+Underpant · · Score: 1

      Why not just hire a human being to change it every day? Is there any particular reason these quasi-Voight-Kampff tests need to be generated from algorithms? Anything generated by an algorithm can be deciphered by an algorithm, after all.

      --
      He who lights his taper at mine, receives light without darkening me.
    14. Re:Gentlemen, start your spambots by General+Wesc · · Score: 2, Funny

      What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

      Yeah, that would solve the problem until someone developed an automated program to check spelling and grammar, which I'm sure is near-imposible. (By the way, does anyone know why there's a red line under that last word? Is my screen screwed up?)

    15. Re:Gentlemen, start your spambots by TubeSteak · · Score: 2, Funny

      What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

      LoL! I find ur 1d3as fascntng, & wood lik 2 sbscrbe 2 YR noozl3ter.
      kthxby
      --
      [Fuck Beta]
      o0t!
    16. Re:Gentlemen, start your spambots by alxbtk · · Score: 1

      Why not just hire a human being to change it every day?

      Because the bot owners can hire more to do the same?

    17. Re:Gentlemen, start your spambots by HiddenL · · Score: 1

      The key is making the forward algorithm easy for computers but the backwards algorithm hard. This is pretty much the basis of a lot of encryption. It's very easy to multiply 2 large prime numbers, but very hard to factor the product of two primes.

      For the captcha, it's very easy to generate the image but (much) harder to go in the reverse.

    18. Re:Gentlemen, start your spambots by Trerro · · Score: 1

      It's not that hard actually.

      1. Come up with several question types. You don't need a ton - a dozen is probably sufficient.

      2. For each question, have a few variants that can be chosen. For instance, let's say we chose "simple addition problem." If it always asked "what is three plus three", yeah, that wouldn't be hard to code a bot around. What if it did this however?
      -randomly chooses numbers from 0 to 20
      -randomly chooses whether to display the numbers in number format (3) or word format (three)
      -randomly chooses to have you add 2 or 3 numbers together

      This gives 20 * 20 * 21 * 2 = 16,800 possible questions, 61 possible answers, and only 1 correct answer each time.

      3. Have your account creation script choose 3 of the question types.

      Assuming we have 12 question types and assuming a similar answer range, this gives 12 * 11 * 10 = 1,320 possible quiz types, with 61 * 61 ^ 61 = 226,981 possible answer combinations, only 1 of which is correct... and that assumes your bot can even figure out which question type is which!

      Of course, given enough time, someone could write a bot that parses every possible question asked in every possible form. However, it takes all of 15 minutes to add new rules to the existing questions and to add a few new question types, retire a couple, etc. Combine this with a temp IP lockout after 3-5 failures, and now the spammer not only needs to constantly update his software, but he needs to control a huge botnet with a massive IP range. A spammer faced with that is simply going to move onto an easier site.

      Sure, it isn't absolutely foolproof, but nothing is.
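      The addition-question scheme sketched in this comment, written out as an added example (it is not code from the thread or from any poster): 2 or 3 operands from 0 to 20, each shown as digits or as a word, a server-side checker that never hands the answers to the client, and the per-challenge lockout after a few failures. The word table, the `Quiz` class and all function names are assumptions made for the illustration.

```python
"""Added example, not code from the Slashdot thread or any poster: the
addition-question CAPTCHA described above (2 or 3 operands from 0..20, each
rendered as digits or as a word), with a server-side checker and a
per-challenge failure lockout. Word table and names are assumptions."""
import secrets

# Constructed word table for rendering an operand "in word format".
WORDS = ["zero", "one", "two", "three", "four", "five", "six", "seven",
         "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
         "fifteen", "sixteen", "seventeen", "eighteen", "nineteen", "twenty"]
MAX_OPERAND = 20


def make_addition_question(rng=None):
    """Return (prompt, answer). rng may be a seeded random.Random in tests;
    production use keeps the default CSPRNG so prompts are unpredictable."""
    rng = rng or secrets.SystemRandom()
    operands = [rng.randint(0, MAX_OPERAND) for _ in range(rng.choice([2, 3]))]
    rendered = [str(n) if rng.random() < 0.5 else WORDS[n] for n in operands]
    return "What is " + " plus ".join(rendered) + "?", sum(operands)


def parse_int(text):
    """Accept an answer typed as digits or as a word; None if unparseable."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    return WORDS.index(text) if text in WORDS else None


def answer_space(max_operand=MAX_OPERAND, max_count=3):
    """Distinct answers the addition variant can produce: 0..max_count*max_operand."""
    return max_count * max_operand + 1


class Quiz:
    """One challenge: several questions whose answers stay server-side only.
    After max_failures wrong submissions the challenge is dead and a fresh one
    must be issued, so a guesser cannot walk through the answer space."""

    def __init__(self, n_questions=3, max_failures=3, rng=None):
        rng = rng or secrets.SystemRandom()
        pairs = [make_addition_question(rng) for _ in range(n_questions)]
        self.prompts = [p for p, _ in pairs]
        self._answers = [a for _, a in pairs]
        self.failures = 0
        self.max_failures = max_failures

    def locked(self):
        return self.failures >= self.max_failures

    def check(self, submitted):
        """submitted: list of strings, one per prompt. True only if every
        answer matches; any other outcome counts as one failure."""
        if self.locked():
            return False
        ok = len(submitted) == len(self._answers) and all(
            parse_int(s) == a for s, a in zip(submitted, self._answers))
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    quiz = Quiz()
    for prompt in quiz.prompts:
        print(prompt)
    print("distinct answers per question:", answer_space())
```

      `answer_space()` returns 61, the figure used in the comment. Note that the lockout here is per challenge, not per source address; the IP lockout the comment also mentions needs state shared across requests, which this standalone example does not keep.
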

    19. Re:Gentlemen, start your spambots by omeomi · · Score: 5, Insightful

      Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in their database.

      That's true. I've found, however, that introducing custom spam blocking methods, such as this, no matter how easy to break, often does a better job at stopping spam bots than more robust publicly available methods. For a target as big as Yahoo, this probably won't work, but I've found on phpBB for instance, instead of using any of the publicly available captchas, which are easily defeated by bots, creating a simple question of this sort does wonders for bot-blocking. Even if it's just one question. If your site isn't big enough to be specifically targeted by bot farmers, sometimes a simple solution is better than a more complex one that everybody else is using.

    20. Re:Gentlemen, start your spambots by Artefacto · · Score: 2, Funny

      That's still not as good as this solution. I can't understand why it's not widely adopted.

    21. Re:Gentlemen, start your spambots by nazanne · · Score: 3, Interesting

      That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone halfway around the world entering CAPTCHAs for a penny a piece and allowed any spelling that is even close. I haven't had any spammers sign up for a couple years now. That obviously won't work for a major target like YAHOO though.

    22. Re:Gentlemen, start your spambots by nguy · · Score: 1

      Computers don't understand grammar very well anyway, and spelling errors are trivial to correct or account for.

    23. Re:Gentlemen, start your spambots by aliquis · · Score: 5, Funny

      Just put some hard to read perl code in there and ask the user to say what it does. If the answer is correct it's a bot, if the answer is wrong it's probably a human ;)

    24. Re:Gentlemen, start your spambots by jma05 · · Score: 1

      > What about introducing spelling and grammatical errors?

      Ever typed a query into Google with a spelling mistake :-)? Most IR algorithms don't place much weight on grammar (if at all) to begin with. Many just consider sentences to be a bag of words. Some interpret basic rules. An error there won't change results much.

    25. Re:Gentlemen, start your spambots by aliquis · · Score: 1

      What about doing the captchas the other way around, like:

      George Washington, and then the user has to draw him ;)

      Or not.

    26. Re:Gentlemen, start your spambots by aliquis · · Score: 1

      2) Yeah, because it's insanely hard for a script to replace any words meaning a number with the actual number, find the part which says add and then add them all? It's not like you will have to code an answer for each possible string ..

    27. Re:Gentlemen, start your spambots by gnarfel · · Score: 1

      Please enter the correct response: [ k 4wesum wh3n d0 1 git mi int4rwubs? ]

      --
      Local music(to upstate NY). http://gnarfel.com/ radio.
    28. Re:Gentlemen, start your spambots by tkw954 · · Score: 1

      As an ex-underage Leisure Suit Larry player, I've wondered whether the game was really adult oriented, or was just a subtle attempt to teach kids recent history.

    29. Re:Gentlemen, start your spambots by glitch23 · · Score: 0

      That reminds me of the age check for Leisure Suit Larry back in the day... Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?

      Or what about the copy protection used for X-Wing series from LucasArts? They would ask you to enter in the symbol at the bottom of a randomly picked page of the manual. If you gave away the disks without the manual the player couldn't use X-Wing. Of course, Yahoo would need to distribute something to users for that to work (and there are probably other things wrong with the idea too). Seeing Leisure Suit Larry just brought back memories of how LucasArts handled copy protection since both X-Wing and LSL were out around the same time (mid to late 90s). I played X-Wing and the subsequent TIE Fighter series but never played LSL.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    30. Re:Gentlemen, start your spambots by goatpunch · · Score: 2, Informative

      I have a little site, only really intended to share stuff with family and friends, served with custom scripts. I couldn't believe it when it was targeted by spammers. I could even see the test posts they made, checking to see if html was allowed etc., before unleashing the bot to post dozens of links a day.

    31. Re:Gentlemen, start your spambots by flyingfsck · · Score: 1

      My solution is even easier - a 10 second delay on every login attempt. It doesn't bother human beings, but bots give up and move on before the timer expires.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    32. Re:Gentlemen, start your spambots by Lobster+Quadrille · · Score: 1

      Your 'solution' is trivial to crack. The problem here is that these questions have all been answered online a million times. Math problems are the easiest- try googling "3 + two", "three plus 2", or even "four times two to the third power". Every time, the solution is sitting there on the top of the front page.

      Other text-processing problems are only slightly harder to solve. The internet has a huge amount of data on it, and it has search engines that are designed for finding particular answers. The hard part has already been done. Google "Is Paris Hilton a whore?" or "What color is the sky", send the first page of results through some basic contextual processing algorithms, and 9 times out of 10, you'll have the answer.

      The real problem with captchas is that they fundamentally are, and always will be, a kludge.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    33. Re:Gentlemen, start your spambots by totally+bogus+dude · · Score: 1

      If it's really not that hard, then why don't you tell us how to create such a system then? What you described certainly doesn't match what paeanblack suggested.

      In addition to being pretty much trivial to write a script for, you're also forgetting that many people are a lot less intelligent than computers and will actually fail at even simple maths. For an elitist site like /. it's probably okay to say "we don't want people who can't do simple sums to be able to sign up, anyway". If you're a big player like Yahoo! that's not really an option. Failing at CAPTCHAs is very frustrating for most people, and doubly so if they make the user feel stupid in the process.

      This is actually also a problem with paeanblack's first question, "What colour are buses in London?" Offhand I think they might be red, but I'm not sure and unless your site is the best thing since sex it's unlikely I'd take even the few seconds it would require to do a Google search to find out the answer. However the reason this is a good question is precisely because it's somewhat obscure; there is no algorithm to work out that buses in a particular city are a particular colour; the only way to populate such a database is by manually entering a whole bunch of information. Things like the maths questions are trivially easy to parse and therefore easy for a computer to answer. In fact, it's easier for a computer to answer them than for many humans, so it's likely if such a scheme became widespread there'd be Firefox plugins to answer such CAPTCHAs for you.

      In addition, having to answer three questions that actually require some amount of thought and comprehension is going to piss people off. There's a lot of people (including myself) who find even simple "type the letters in this image" CAPTCHA annoying, and those I don't even need to think about. Having to read and parse a sentence and then do a calculation -- unless the site's super special, I'm likely not to bother.

      I think a lot of people creating these things forget that most websites aren't unique and special, and if you make it too much of a nuisance people will go elsewhere. For your personal site that doesn't matter, but for people who are actually trying to make a living from their websites that's completely unacceptable.

      Just yesterday I bought some stuff from an online store, and during the signup process they requested my home telephone number for credit card verification purposes. Since I don't know my home phone number and my bank certainly doesn't either, this posed a bit of a problem. If I hadn't used this store before (years ago; my old account was apparently deleted, which is actually pretty nice considering how many sites seem to never remove your info) I would have gone to a competitor's site and bought from them instead.

      As it happens, they accept other methods of payment and so the "telephone number for verification" field is optional. I left it blank, and was able to make the purchase with my credit card without any issue; but had it said "you must supply your phone number for verification purposes!" then I would have just gone elsewhere and they would've lost a sale.

      Now this isn't a CAPTCHA, and it's actually a security feature to protect people and themselves from credit card fraud; but it's a good example that if you make things even slightly inconvenient for your (potential) customers/visitors, they can very easily decide not to bother with you.

      Combine this with a temp IP lockout after 3-5 failures, and now the spammer not only needs to constantly update his software, but he needs to control a huge botnet with a massive IP range. A spammer faced with that is simply going to move onto an easier site.

      Again, this sort of strategy might work for your pissweak tiny site that nobody reads anyway, but for targets with actual value to a spammer they're not even a speed bump. Firstly ask yourself: why would a spambot submit an answer to a CAPTCHA that it wasn't able to p

    34. Re:Gentlemen, start your spambots by icsx · · Score: 1

      Damn, i thought everyone knew the hotkey thing :(

    35. Re:Gentlemen, start your spambots by wall0159 · · Score: 1

      "difficult for a computer to interpret, but doable for a human."

      V1agra is used for what condition?
      If you "make your girlfriend really happy" what are you doing?
      What are p1lls and ph@rma?
      Where do I go for a j0b, paying $3000/month and all I need to do is use the intenet at home?

      Seems to me like someone's got it worked out already...

    36. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 1, Interesting

      I'm using Voight-Kampff for a forum and it's working very nicely...

    37. Re:Gentlemen, start your spambots by Jussi+K.+Kojootti · · Score: 1

      Seeing Leisure Suit Larry just brought back memories of how LucasArts handled copy protection since both X-Wing and LSL were out around the same time (mid to late 90s)

      Late 90s? Don't kid yourself, you old geezer. Larry came out in the eighties and even X-Wing is from '93.

    38. Re:Gentlemen, start your spambots by ecavalli · · Score: 1

      Agreed.

      4 isntcae Y dnot tehy certae A cpachta lkie tihs?

      There is a good deal of research supporting the idea that recognizing words spelled improperly but with their first and last letters in the right place is easy for the human brain, but how difficult would it be for a computer to do the same?

    39. Re:Gentlemen, start your spambots by Mike89 · · Score: 1

      That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone half way around the world entering CAPTCHAs for a penny a piece and allowed any spelling that is even close. I haven't had any spammers sign up for a couple years now. That obviously won't work for a major target like YAHOO though.

      That's because you introduced a new form field. Simply renaming your old CAPTCHA form field name (in the source code too, obviously) would've done the trick. Most spammers use automated software that doesn't bother (or, work) with anything other than stock standard.

    40. Re:Gentlemen, start your spambots by BananaBender · · Score: 1

      I think it is exactly the right idea to use question-answer pairs based on common knowledge. In this day and age of SPARQL and DBpedia, this common knowledge is no longer hard to obtain. DBpedia makes it possible to ask sophisticated queries formulated in SPARQL, such as selecting "people influenced by Friedrich Nietzsche" or "German musicians who were born in Berlin".

      Now all you need to do is to build a query scheme with some exchangeable parameters like "which famous %AAA was born in %XXX in the city of %ZZZ". You put sensible values for %XXX, %ZZZ and let the SPARQL query execute. The query result will give you the answer (n.b. it does not need to be unique! It just has to exist.)

      Then you use this question as your CAPTCHA, and display the right answer and some obviously wrong choices. A human will figure it out, but not a computer.

      Finally, we found a use for this strange semantic web :) ..cu

    41. Re:Gentlemen, start your spambots by houghi · · Score: 1

      What is three times three?

      And the answer is right here!
      --
      Don't fight for your country, if your country does not fight for you.
    42. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 0

      Actually, it was Alt-X in LSL1 (Leisure Suit Larry in the Land of the Lounge Lizards) and Ctrl-Alt-X in LSL3 (Passionate Patti in Pursuit of the Pulsating Pectorals), although in the latter game, wrong answers to the questions just censored the game to varying degrees instead of locking you out completely, anyway (the different levels were "Mother Goose", "Rather Risque", "Pretty Dirty", "Really Filthy" and "Totally Raunchiest"). IIRC, attempting to use Alt-X in LSL3 also had a different effect - starting the game at the "cleanest" level.

      LSL2 as well as the later games (from LSL5 onward) didn't have a system like this at all.

    43. Re:Gentlemen, start your spambots by onepoint · · Score: 1

      I would love to agree with you. I think your idea is well worth the effort to sites you really want to be on. The problem is the drop off rate that will be experienced by new users.

      A study (which I cannot find at this time) stated that if you exceed 6 seconds or more in load time, you would lose 30% or more of your clients.

      So, the problem of your 10-second delay might just cost your web site a lot of clients.

      --
      if you see me, smile and say hello.
    44. Re:Gentlemen, start your spambots by glitch23 · · Score: 0

      Late 90s? Don't kid yourself you old geezer. Larry came out in the eighties and even X-Wing is from -93.

      Maybe the first LSL did but there were at least 6 of them and the latter ones were available into the 90s. Also, X-Wing may have come out around 93 but I said they were out, not came out, in the late 90s, meaning they were still around. I started playing X-Wing in 97.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    45. Re:Gentlemen, start your spambots by danger42 · · Score: 1

      Ok, I give up. What colour are buses in London?

      --
      -nd
    46. Re:Gentlemen, start your spambots by xaxa · · Score: 1

      Red

      Wiki says, "The London Bus is one of London's principal icons, the archetypal red rear-entrance double-deck Routemaster being recognised world-wide."

      It would be very difficult to get a question that's really world-wide general knowledge, that was the best I could think of at 01:20 this morning.

    47. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 0

      "The opposite of 'tight' is _____, the opposite of 'win' is ____; choose from: lose loose"

      If it gets it right, it's a bot. People (at least on the Internet) seem unaware of the difference between lose and loose.

    48. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 0

      What colour are buses in London?

      Red!! No, blue!!

      *** gets hurled over side of bridge ***

      Aaaauuugh!!

    49. Re:Gentlemen, start your spambots by Kram_Gunderson · · Score: 1

      I agree. I've had pretty good luck with the following method: Give all form fields (or at least the email address field) gibberish names. Then create an input called "email", and hide it with CSS. (I also include a message in case someone has CSS turned off for some reason). A human user won't fill in the 'email' field, but a bot will. The processing script then ignores (or better yet, redirects) when it sees that the 'email' field is filled in. Example:

      <form method="post">
      <label for="asf">Name:</label><input type="text" id="asf" name="asf" />
      <div style="display:none">
      LEAVE THIS FIELD BLANK!! <input type="text" name="email" />
      </div>
      <input type="submit" value="Send" />
      </form>

      Then in the processing script:

      if (!empty($_POST['email'])) {
      header('Location: http://www.google.com');
      exit; // stop here so the rest of the script never processes the bot's post
      }

      Certainly not fool-proof, but it's worked pretty well for me, and I avoid the CAPTCHA headache entirely.

      --
      If you're dumb, surround yourself with smart people. If you're smart, surround yourself with smart people who disagree
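      The same honeypot idea as a framework-independent check a handler can call on the submitted form, added here as an example (it is not the poster's code and not any project's API). The gibberish field names, the decoy name and the sample submissions are constructed for the illustration; the handler drops bot posts and logs why, where the comment above redirects them.

```python
"""Added example, not the poster's code: the CSS-hidden honeypot field from
the comment above, as a framework-independent check on a submitted form.
Field names, the decoy name and the sample submissions are constructed."""
import html

HONEYPOT = "email"                                  # decoy: hidden by CSS
REAL_FIELDS = {"asf": "name", "qzx": "message"}     # gibberish name -> meaning


def render_form(action="/post"):
    """HTML with gibberish names on the real fields and the decoy hidden.
    The notice inside the hidden div covers people browsing with CSS off;
    autocomplete="off" keeps browser autofill from populating the decoy."""
    real = "\n".join(
        f'<label for="{n}">{m.capitalize()}:</label>'
        f'<input type="text" id="{n}" name="{n}" />'
        for n, m in REAL_FIELDS.items())
    return (f'<form method="post" action="{action}">\n{real}\n'
            f'<div style="display:none">LEAVE THIS FIELD BLANK!! '
            f'<input type="text" name="{HONEYPOT}" autocomplete="off" /></div>\n'
            f'<input type="submit" value="Send" />\n</form>')


def classify_submission(form):
    """form: dict of POSTed field name -> value.
    Returns ("bot", reason) when the decoy carries anything, otherwise
    ("human", cleaned) where cleaned maps the meaningful names to
    HTML-escaped values ready for storage or display."""
    if form.get(HONEYPOT, "").strip():
        return "bot", "honeypot field '%s' was filled in" % HONEYPOT
    cleaned = {meaning: html.escape(form.get(name, "").strip())
               for name, meaning in REAL_FIELDS.items()}
    return "human", cleaned


def handle_post(form, log):
    """Processing-script side: drop and log bot submissions, keep human ones.
    Returns the cleaned fields for a human post, None for a dropped one."""
    verdict, detail = classify_submission(form)
    if verdict == "bot":
        log.append("dropped submission: " + detail)
        return None
    return detail


if __name__ == "__main__":
    print(render_form())
    audit = []
    print(handle_post({"asf": "Alice", "qzx": "hello", "email": ""}, audit))
    print(handle_post({"asf": "Alice", "qzx": "buy now", "email": "a@b"}, audit))
    print(audit)
```

      One caveat worth keeping in mind when naming the decoy: browsers' form autofill can populate a hidden input called "email" for a perfectly human visitor, which is why the example sets `autocomplete="off"` on it and why the decision is logged rather than silently applied.
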
    50. Re:Gentlemen, start your spambots by Anonymous Coward · · Score: 0

      That bus is in Winchester!

      As a Londoner, I have no idea where that is, so I'll assume it's another country. Or maybe Up North. :-)

    51. Re:Gentlemen, start your spambots by Phroggy · · Score: 1

      4 isntcae Y dnot tehy certae A cpachta lkie tihs?

      Google was able to decipher a significant portion of that:

      Did you mean: 4 isntcae Y not they create A cpachta like this ?

      And considering how long it took me to decipher "isntcae" myself, I don't think your idea would really work that well.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    52. Re:Gentlemen, start your spambots by Phroggy · · Score: 1

      Your 'solution' is trivial to crack. The problem here is that these questions have all been answered online a million times. Math problems are the easiest- try googling "3 + two", "three plus 2", or even "four times two to the third power". Every time, the solution is sitting there on the top of the front page.

      Or my personal favorite.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    53. Re:Gentlemen, start your spambots by supermidget · · Score: 1
    54. Re:Gentlemen, start your spambots by kamathln · · Score: 1

      Try asking those questions to http://pandorabots.com/pandora/talk?botid=c96f911b3e35f9e1 I have not seen buses in London and do not know the right answer, so I do not know if the bot is just bluffing.

  6. captcha security by primadd · · Score: 2, Interesting

    I did my own captcha, but I'm not sure how much it's worth - figured any non-standard one is better than none (or a std one).

    Please take a look - are the effects actually helping the recognition process?

    --
    social bookmarking widget for your site

    1. Re:captcha security by LiquidCoooled · · Score: 1

      I can't read every letter on them.
      I tried multiple different ones and there are some letters which make sense the 5 or 6th time, but others I was still lost with.
      H or K
      Y or 4
      U or n
      B or 3

      Over the top, I think.

      --
      liqbase :: faster than paper
    2. Re:captcha security by Kaitnieks · · Score: 2, Informative

      The letters are too far away from each other - makes it easy to separate them for processing. In fact, the only challenging aspect for OCRs in your captcha is the letter rotation/skewing. However, I don't think anyone will bother to write a captcha OCR for your site, unless it's Yahoo sized.

    3. Re:captcha security by Carnildo · · Score: 3, Informative

      The character outlines are nicely distinct, which means that even basic OCR software should be able to break the CAPTCHA. Since it's so easy to break, you want to hide it from any bots that come by: remove all references to "captcha" from the page source, and you might want to move the HTML for the image away from the HTML for the entry box.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    4. Re:captcha security by primadd · · Score: 1

      I tried reducing the letters (like not having 1 and L) to help humans with the recognition. At the moment it's 25 characters total to choose from. Guess the K has to go :) thanks for the feedback!

    5. Re:captcha security by Kaitnieks · · Score: 1

      Ironically, a bot might be more accurate than a human in situations with characters that can be either one thing or another, since we perceive shapes symbolically and don't pay attention to details in letters at all.

    6. Re:captcha security by primadd · · Score: 1

      I wasn't sure about the emboss effect - it does smear the edges somewhat, but gives a center highlight. Good suggestions on the var names tho, still using captcha as input field names.

      thx :)

    7. Re:captcha security by primadd · · Score: 1

      Sorry, slightly OT..
      No, it's not Yahoo sized! Though the servers do get quite a lot of traffic, since it's like AdSense and uses scripting to build the widget, i.e. every unique user on a site using the widget does one request to the primadd servers.

    8. Re:captcha security by cheater512 · · Score: 1

      Yeah making a captcha without edges while keeping it readable is incredibly difficult.

      I made one once which was absolutely beautiful.
      There was no way that it would be cracked because there were no edges to detect.
      Readability wasn't great but everyone I tested it on did eventually get it.

    9. Re:captcha security by yani · · Score: 4, Informative

      Although it seems counter-intuitive, character recognition (even with your filtering) is a relatively easy problem for a computer to solve. The hard problem is segmentation. While it is relatively easy for a human to segment characters when they are somehow joined together, by artifacts or occlusion, it can be very hard to do with current methods.

      Hence all good modern captchas have moved away from character recognition captchas (such as yours) to segmentation based captchas. You only need to read the Wikipedia article on CAPTCHAs to see some examples: http://en.wikipedia.org/wiki/Captcha.

    10. Re:captcha security by mindsuck · · Score: 1

      Using a plain background makes the recognition of the characters trivial.

      You need a distorted pattern or noise on the background, otherwise it's just a matter of increasing the contrast on the image and those just-slightly distorted characters become easily detected by OCR software.

      --
      --- I w00t, therefore I'm l33t.
    11. Re:captcha security by primadd · · Score: 1

      Thx! I have updated the captcha to incorporate this feature. Do you think it's better now?

    12. Re:captcha security by primadd · · Score: 1

      Sorry, spoke too soon - please have a look here http://primadd.net/helper/areuape-new.php it's quite unreadable tho.

    13. Re:captcha security by Verte · · Score: 1

      Of course, most CAPTCHA that do this make the junk lines a different thickness to the text, which makes them easy to pick out algorithmically. Further, most segmentation-based CAPTCHA can be solved by looking at derivatives of edges of colour and thus continuing the line. Fuzzy-homological methods are probably the way to go with the current round of captcha. The question then will be, how do you fool that kind of algorithm? Perhaps by being creative with colour and texture?

      --
      We at slashdot are scientists, specialists and kernel hackers. Your FUD will be found out.
    14. Re:captcha security by glitch23 · · Score: 0

      The character outlines are nicely distinct, which means that even basic OCR software should be able to break the CAPTCHA. Since it's so easy to break, you want to hide it from any bots that come by: remove all references to "captcha" from the page source, and you might want to move the HTML for the image away from the HTML for the entry box.

      OCR software isn't as good as you think. It is also highly sensitive to the type of work you are using it for. At work we instituted an automated fax server system to read particular areas of inbound faxes and to use the text that it read as part of the incoming fax's filename. Well, we had to use specific types of fonts (sans-serif fonts) on the forms that were outbound (which were eventually sent back in as the inbound faxes) and specific font size (larger than 12pt I believe). The OCR engine that was used in the COTS software was capable of realizing when characters were totally upside down but it would have trouble with certain characters such as 'e' and 'o' or even 'b' and 'd' especially when they were right next to each other in the field we were reading. Sufficient background noise that got picked up on the line and subsequently added to the page's text would confuse the OCR software so any CAPTCHA that uses the diagonal-lined background (I think they all do that for the very reason of making it hard for software to read them but even humans have trouble with them) can cause OCR to not work correctly. Not to mention that the characters in a CAPTCHA are not perfectly straight but squiggly.

      Now this all seems to fly in the face of OCR software that I hear about that runs at post offices around the country to read mailing addresses on envelopes and those are reading thousands of envelopes a day and don't seem to make too many mistakes so why some types of OCR software don't work as well is beyond me. I think they are highly specialized after my experience at work concerning fonts and font sizes.

      Obviously in this case we wouldn't be going from analog to digital prior to OCR so maybe that would tremendously help, especially with having a noisy phone line out of the picture but I still think the OCR wouldn't be as good as you think it would be.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    15. Re:captcha security by Ratface · · Score: 1

      I doubt that would work in the long run. All it takes is for a bot owner to go and look at the page and identify which image is the captcha for the bot.

      Personally I would stick with what the original poster has and if spam posts start to show up on the site again, then change the algorithm behind the captcha. If it works for a year or two first then it's done its job.

      --
      A little planning goes a long way...
    16. Re:captcha security by Carnildo · · Score: 1

      I doubt that would work in the long run. All it takes is for a bot owner to go and look at the page and identify which image is the captcha for the bot.

      It works because it's not worth the bot-owner's time to do that. Spamming a typical small forum is worth about $0.001 -- if it takes more than a second or two to adjust the bot, he's lost money spamming it.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  7. That ain't nothing.... by Anonymous Coward · · Score: 0

    Teh slashdot captcha has been broken for YEARS on trolltalk...can commander kotex won't fix it.....

    go look!

  8. That's really impressive. by heyguy · · Score: 5, Insightful

    I've found Yahoo's CAPTCHA to be really annoying. I probably get it wrong about 20% of the time because the picture is so distorted (and I've been surprised that I got it right a lot of the time). I even considered writing them an email complaining about it, but then I realized they probably don't give a crap.

    1. Re:That's really impressive. by Anonymous Coward · · Score: 0

      they probably don't give a crap.

      It turns away legitimate users. Of course they give a crap. You think web developers like spending time coding these things? You think companies want to make their sites more difficult to use?

      Yahoo have been forced into this arrangement because if they don't do this then their services are abused. Don't think for one second that they don't care about it. It's a drain on resources and if they didn't absolutely have to, then they wouldn't.

      If you can think of a better solution than CAPTCHAs, then please, let everybody know. The only people who don't hate them are spammers.

    2. Re:That's really impressive. by BryanL · · Score: 1

      Yeah. I was going to respond that 35% accuracy is pretty good because that is about how accurate I am. Yahoo captchas are not even legible for a human.

    3. Re:That's really impressive. by stry_cat · · Score: 1

      I'm glad I'm not the only one who has trouble with Yahoo!'s captcha. I wish I only got it wrong 20% of the time. My error rate is closer to 50%. And this isn't just Yahoo!. I don't know what the answer is, but these captchas have to go. It makes using your account quite annoying.

      and here we have the /. captcha below. It's not as bad as Yahoo!, but I still get it wrong about 33% of the time.

  9. Let's all say it together. by twotailakitsune · · Score: 2, Insightful

    We hate CAPTCHA. Most things they do to make it difficult for computers to decode make it a lot more difficult for humans to decode. Most of them are not usable by text browsers (duh), and the blind. Some have audio that is hard for people to hear, and still easy for computers to decode. Last, CAPTCHAs are so overused that people just do them without thinking. For all you know that porn/warez site is using you to do CAPTCHAs for them. Not that it is needed. This is just one more nail in the CAPTCHA coffin.

    1. Re:Let's all say it together. by Anonymous Coward · · Score: 0

      I have a blog that gets next to zero visitors, yet before I implemented a CAPTCHA, I got COUNTLESS blog spam.

      I'd implement CAPTCHAs on anything that accepts form input that is ultimately posted. If you're not a business, I'd use it on everything. It's just a shame it isn't easier to implement audible captchas for those who don't want to pay for a solution.

  10. Only Yahoo? by Sigma+7 · · Score: 4, Informative

    33% of Yahoo captchas isn't really impressive - you still get a large quantity of negative hits, and unless you have an array of IP addresses (most people don't), there will still be a large quantity of addresses registered from a given IP. Also, a large quantity of negatives would cast doubt on any positive matches from the same IP.

    Also, Yahoo captchas aren't that "hard" - they are black text from known font pools on a white background that get slightly warped and have black lines drawn on some characters. This is hardly strong since it doesn't hit all letters within the word (which is done by reCAPTCHA) or use a large font-pool variety.

    Even the Slashdot Captcha is harder - it hits the whole image and uses different fonts within the word.

    1. Re:Only Yahoo? by teh+moges · · Score: 1

      33% of 100,000 attempts per day is 33,000 posts per day. The idea of Captchas is to reduce this to nearly 0 successful hits per day.

    2. Re:Only Yahoo? by Sigma+7 · · Score: 1

      33% of 100,000 attempts per day is 33,000 posts per day. That also has 67,000 failed captchas per day - something you generally notice. If your captcha system detects rapid-fire captcha attempts (requests, failed, etc), you can auto-block the IP address that is making that many requests.

      You'd probably want to do that anyway, since 1.15 requests per second for captchas is on par with flooding.
    3. Re:Only Yahoo? by Anonymous Coward · · Score: 0

      You completely miss the point, that even the poster tried to make. Captcha is not meant for most people, it's for stopping the spammers. As such, 33% is a lot.

    4. Re:Only Yahoo? by KillerBob · · Score: 1

      Botnet. Every connected system has a unique IP address. (or enough of the connected systems do, at least). Enough IP variation to skirt around the detection.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    5. Re:Only Yahoo? by brian.gunderson · · Score: 1

      Problem is when botnets come into play. Now we're back to square one.

      --
      Appended to the end of comments you post. 120 chars.
    6. Re:Only Yahoo? by Anonymous Coward · · Score: 0

      What about 1 request per machine per day in a botnet of 100k machines?

      Even if it is a fairly small 10k machines in the network, that's still only 10 requests per day, well below any throttling limits.

    7. Re:Only Yahoo? by arth1 · · Score: 1

      33% of Yahoo captchas isn't really impressive

      I think it's pretty damn impressive; it's better than what I do. I usually need 4-5 tries before I get a captcha all correct. 33%, or 1 in 3 would be an improvement.
    8. Re:Only Yahoo? by Anonymous Coward · · Score: 0

      > Even the Slashdot Captcha is harder

      And it is too hard. I've been a reader and poster here since I first heard about the site at the /. booth at the 1998 Atlanta Linux Expo. I still have the T-shirt. Most of the people I know that post here gave up on this site after, for some reason, it was decided that annoying the commenters with the annoying preview step and later the annoying captcha was a good thing. I still don't understand why getting rid of your oldest posters is so important to the morons that run this site now.

    9. Re:Only Yahoo? by tepples · · Score: 1

      Most of the people I know that post here gave up on this site after, for some reason, it was decided that annoying the commenters with the annoying preview step and later the annoying captcha was a good thing.

      As I understand it, if you create an account and remember its password, you only have to do that once.
    10. Re:Only Yahoo? by Anonymous Coward · · Score: 0

      That's a great solution for the new users that don't know what /. is supposed to be or why it became great. For the rest of us, we'll keep posting anon.

  11. Malware by Zantetsuken · · Score: 1

    Ya, if it's not malware, I'll buy a bridge from somebody, and then go bungee jumping without a chord...

    1. Re:Malware by wellingtonsteve · · Score: 4, Funny

      without a chord is fine... ...it's when you're missing a cord that you need to worry

    2. Re:Malware by bcdm · · Score: 2, Funny

      Hey now, be fair...what's the point of bungee jumping if you can't have "Thunderstruck" or similar playing on the way down?

      Jumping without a chord would be no fun at all.

      --
      I can has sig?
    3. Re:Malware by The+Redster! · · Score: 1

      If you can't have "Thunderstruck," you might as well jump. Go ahead, jump.

    4. Re:Malware by Mathiasdm · · Score: 1

      Thunderstruck? I'd go with 'Highway to Hell' when jumping without a cord (seems more fitting...), but of course that's a personal choice.

      --
      Join the anonymous, help develop the network: http://www.i2p2.de
  12. Increase In Chat Spam by blueZhift · · Score: 1

    This might account for the recent increase in spam chat messages I've been seeing there. My guess is that the spam filtering is not as effective on chat as email. Indeed, chat may not pass through any kind of filtering at all afaik. That will probably change soon, but in the meantime I suppose the people who cracked the captcha will make a tidy profit.

    1. Re:Increase In Chat Spam by Anonymous Coward · · Score: 0

      ... in the meantime I suppose the people who cracked the captcha will make a tidy profit.
      sheeesh, they released the source code. Did you check the rapidshare link?

  13. "Pokémon crew" appear to be behind this hack. by Anonymous Coward · · Score: 0

    ... I mean just look at their tagline: ''Gotta captcha 'em all'' !!

  14. 35%??? by wbren · · Score: 3, Informative

    I'm impressed. That's better than I can do. Some CAPTCHAs take me five or six tries to get right.

    --
    -William Brendel
    1. Re:35%??? by Anonymous Coward · · Score: 0

      are you sure that you aren't not maybe probably not a bot, bot?

    2. Re:35%??? by GiMP · · Score: 3, Insightful

      I agree, that is better than I normally do as well. Maybe someone could make this a firefox plugin so that mere mortals can actually access webpages that use CAPTCHAs.

      It is sad because with corrective lenses, my vision is 20/20, and I'm highly technical. I should not have any problems with CAPTCHAs; however, my grandmother is another story. She has poor vision, can't figure out how to do a carriage return on her computer, has difficulty understanding the concept of scrollbars, and I'm sure would not be able to deal with even the easiest CAPTCHAs in use today. This is not usability. Granted, given the choice between SPAM or CAPTCHAs, I'll choose the lesser of the two evils...

    3. Re:35%??? by Typoboy · · Score: 1

      I would have sent you to http:\\botornotcom -- RIP

    4. Re:35%??? by Bairradino · · Score: 1

      Good Point...

    5. Re:35%??? by glitch23 · · Score: 0

      Granted, given the choice between SPAM or CAPTCHAs, I'll choose the lesser of the two evils...

      So which one did you pick?

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    6. Re:35%??? by Anonymous Coward · · Score: 0

      Like the one here? This site exists only because of the user contributions. I don't understand why the moron that runs the site now does so much to prevent us from posting. Here's a hint from Marketing 101: you don't piss off or try to get rid of your oldest and best customers. Even when you're gaining new customers faster than getting rid of the old ones, there will always be one day when your acquisition rate slows down. I only post about once a week. From late 1998 until about 2003 I used to submit new stories about once a week and post about once a day. After the new policies to try to get users to not post, I only post about once a week now. If I find something interesting I now post it elsewhere because it is easier and faster.

      PS: Get rid of the buggy Slow Down Cowboy! message. If I haven't posted in a week, don't lie and tell me that I posted five minutes ago. People will only put up with that for a while before being driven off.

    7. Re:35%??? by Carewolf · · Score: 1

      Are you sure your grandmother is not a bot?

    8. Re:35%??? by Anonymous Coward · · Score: 0

      my grandmother is another story. She has poor vision, can't figure out how to do a carriage return on her computer, has difficulty understanding the concept of scrollbars

      If your grandmother lacks the most basic of computing skills then I'd say that the captcha issue is the LEAST of her problems.

  15. Dude, how often do you create email accounts? by Anonymous Coward · · Score: 0
    Nobody should need more than a couple.

    I've had mine for years.

    You must be signing up for lots of fake porn accounts.

    1. Re:Dude, how often do you create email accounts? by heyguy · · Score: 1

      The CAPTCHA comes up any time you try to join a game room, as they have a problem with bots spamming chat.

  16. Re:Google Hacks by Anonymous Coward · · Score: 2, Interesting

    Are you bashing MS just to bash them? Honestly, their so-called 'stupid system' is the best thing I've seen out there. Please enlighten me, wise one, and link me to a better alternative.

    p.s. How do you know that Gmail accounts haven't been hacked into? Do you have data validating this?

    It's not a challenge to bash MS, that comes way too easy, but to add some useful content to /. might be a challenge for yourself, wise one.

  17. Bellybutton by Doc+Ruby · · Score: 1

    Bellybutton. Do I get a peek?

    --
    make install -not war

  18. Akismet by TheSpoom · · Score: 1

    This is why you need a queryable, updateable public spam database like Akismet where, with a little effort in telling it the odd time it gets it wrong, you can eliminate 99% of spam. This might not help for a registration script, but you could use it on the content ultimately used by the registered user to determine whether the signup was likely a bot or a human.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  19. Warning on playing with the demo by xynopsis · · Score: 5, Insightful

    Did anyone notice that the image recognition code is imported from a binary DLL? I was under the impression that the Russian hackers would provide the source for the recognition code as well. But then, the people who released this are only interested in generating as much spam. Why should you trust them? You would be foolish enough to _not_ execute your test program that imports this dll in a vmware instance instead of your actual machine. Anybody done a comprehensive strace to determine sockets/descriptors opened by using this dll?

    1. Re:Warning on playing with the demo by HellYeahAutomaton · · Score: 1

      All binaries are open source when you have a good disassembler.
      Nothing can hide from one.

      How paranoid do you want to be today?

  20. Re:Google Hacks by slaingod · · Score: 1

    I don't know about anymore, but traditionally GMail only allowed people to invite a few of their friends occasionally, thereby limiting the effectiveness of getting one hacked account. For those without an invite, a cell phone number was required to receive your invite code, again limiting this.

    I haven't looked at gmail's sign up anymore, but those were obviously pretty good techniques to limit the ability of spammers to get new accounts.

    --
    http://blog.slaingod.com
  21. Dynamic forms? by British · · Score: 1

    What about the form that is around the captcha, generally a new account application, etc.? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fails?

    Have the captcha be at the beginning, sometimes middle, sometimes at the end of the form. Mix it up a bit. Have no two application forms look the same.

    Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make the questions a bit more complex as AI gets better.

    I wonder if there could be some sort of AI research project that works in conjunction with a captcha system.

    1. Re:Dynamic forms? by Loplin · · Score: 2, Interesting

      >What about the form that is around the captcha, generally a new account application, etc.? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fails?

      Even if this were dynamic, there are only so many possible methods of displaying a form while still letting it be decipherable by a human. Given this limited set of possibilities, the programmer of a spam bot needs only to take into account any possible page mutations. More likely though, the spammer doesn't even look at a certain spot on the page; they probably do a little javascript to search the DOM for all text boxes and all images and ignore any images it already has copies of; the remaining image is likely the captcha. Then they would just search for context clues around the text boxes to see which box is most likely to be the one that accepts the captcha answer.

      >Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make the questions a bit more complex as AI gets better.

      This also suffers from the problem of a limited number of possibilities. If someone can spend time putting questions in, someone can spend time filling in answers, and they only have to fill in answers once; after that, the bot can remember them for the next time it sees the same question.

      If some sort of AI was used that could ask common sense questions, like cyc, the problem would be that the spammers have access to the very same AI.

      The leading thought is that AI is not going to create better CAPTCHAs, but that bots that break CAPTCHAs are going to create better AI.

      >I wonder if there could be some sort of AI research project that works in conjunction with a captcha system.
      Not exactly AI, but the reCAPTCHA project does use CAPTCHAs to decipher text that OCR programs can't when scanning books.

    2. Re:Dynamic forms? by enoz · · Score: 1

      This arms race is only going to get tougher.

      The OCR technology that helps prevent spam (that uses embedded images rather than text) is now being used FOR spam in the breaking of CAPTCHAs. My guess is if these anti-spam tests are made even more complex, spammers are eventually going to build Skynet.

  22. Why not use humans? by Besna · · Score: 1, Interesting

    Aren't there humans doing CAPTCHA? What is the cost there? I think slashdotters focus more on technology, but putting up a cheap and workable system to get humans anywhere to do this is also important.

    1. Re:Why not use humans? by mastergoon · · Score: 1

      what in the fuck are you talking about?

    2. Re:Why not use humans? by cybereal · · Score: 1

      Aren't there humans doing CAPTCHA? What is the cost there? I think slashdotters focus more on technology, but putting up a cheap and workable system to get humans anywhere to do this is also important.

      That is what the summary refers to when stating a cost of USD$0.01 per captcha. Using humans, wrangled in one way or another, to solve the captcha.

      The point here is that a hacker would rather get 15000 for free, than 100000 for $1000 in a day. The fact that this method is apparently getting 33000 or something, is rather excellent to these people.
      --
      I read the script, and I think it would help my character's motivation if he was on fire. -Bender
  23. Re:Google Hacks by mustpax · · Score: 1

    Microsoft's CAPTCHA is very effective against bots, but it doesn't solve the accessibility issue. You can read letters out loud, I don't think you can do that with cats.
    Maybe they also have an archive of meows and barks?

  24. Cost by debrain · · Score: 1

    Soon, the cost of identity on the internet will be money. The technology circumventing human-being verification is growing faster, and with greater economic motivation, than the technology preventing non-humans from registration. Soon there will be no way to distinguish between a human and a computer on independent web-sites.

    Cometh the centralized, homogenized, certified verifying-as-human web-sites (vis-à-vis facebook?).

  25. Lease time on a botnet... by POttedPOrk · · Score: 2, Insightful

    Botnets have a whole bunch of IP addresses. Simply deploy your Yahoo CAPTCHA cracker code on a botnet that some other fine internet entrepreneur has assembled, and it doesn't matter how many negatives you generate because they will be from a variety of hosts. Certainly with 33% success rate, you're doing pretty well, especially considering your typical spray-and-pray spam blitz.

  26. Use Google by xswl0931 · · Score: 1

    Once you get the question in text form, it would be easy for a BOT to use Google to find the answer.

  27. Maybe Yahoo shouldn't be firing 1000 people by WillAffleckUW · · Score: 1

    My guess is that the lack of security will do more harm than good.

    The Net is an unforgiving beast.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Maybe Yahoo shouldn't be firing 1000 people by Ilgaz · · Score: 1

      My guess is that the lack of security will do more harm than good.

      The Net is an unforgiving beast.

      What suggests that those 1000 people have anything to do with security?

      Yahoo and all major sites should start firing the ever infected, ever abused IPs from their network. Put the blame on the ISP. Start with open proxies. People should see the difference between using a stupid, non-managed ISP vs. a real ISP which takes care of security issues on their network. "Based on our records, you are using a listed open proxy, which generally means your machine is virus/worm infected. Please click this link for a free virus remover from (xxxx) brand". There, I even made sponsorship money for them :)

      They allow open proxies, IP blocks known to be purchased by spammers, to send junk to their network. Captcha, anything can happen. It is like opening a neighbourhood jail's doors wide and expecting nothing would happen.

      South Korea didn't give a F to their thousands of spamcop.net reports until they figured Samsung started to have trouble sending mails to their own customers. They also figured millions of non-geeks started to ban Korea's entire net block. They started some security organization, did some good stuff (I guess) and magically, I haven't reported any spam originating from Korea for a long time.

      Net is unforgiving, true. If you don't block thousands of malware distributing, captcha cracking (organically!) IP blocks just because some idiot trolls will attack you for "discrimination", your actual users will go nuts and switch to other portals/services. You will end up firing 1000 people too. I personally hope that IDIOT who can't code a filter for those Nigerian idiocy is fired though. I ended up writing my own filter, single liner... Does work!

  28. Re:35%??? Captcha success is lower by WillAffleckUW · · Score: 1

    I have to agree with you here.

    When I try to post at the Seattle Times their Captcha is nigh unreadable. It's dark and frequently I only succeed with maybe one try out of five.

    Which really frosts my cookies and has made it so I try not to buy their print edition, choosing instead the more user-friendly system at the much more urban-focussed Seattle Post-Intelligencer instead.

    It's a royal pain.

    --
    -- Tigger warning: This post may contain tiggers! --
  29. Gee, Ya THINK by buss_error · · Score: 3, Insightful

    Yahoo!'s captcha has been hacked, perhaps not as well, in the past. I've seen open http proxies pounding away at Yahoo to the tune of 100,000 per hour and more. Hotmail's is broken, so are others. The real shame is that the Storm Worm controllers are being protected by a national government and law enforcement system.

    So what's the answer?

    I'm sure I don't know. I do know that the wild west theory of accepting any kind of behaviour isn't acceptable. I know that some minimum standard of what's allowed and what isn't is going to have to take place. Where these limits are placed is a thing for a global conversation, and there will be differences of opinion.

    Is cracking a captcha acceptable? Is phishing and identity theft acceptable? Is fraud and uncontrolled spam acceptable? What limits, and on what actions?

    I'm just not that smart. But I think we can agree on a few things. Let's start to find out what those things are... and acting in concert with other network operators to enforce those standards. Fail to meet them, and your network routing gets dropped...

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:Gee, Ya THINK by aleph42 · · Score: 1

      What is this? Some kind of anti-net-neutrality pamphlet using a random "hacker" related news?

      I thought you only found that kind of thing on mainstream TV.

      (I mean, c'mon! breaking captcha isn't even *illegal*! )

      --
      Don't take my posts literally; it's just code to control my botnet.
    2. Re:Gee, Ya THINK by buss_error · · Score: 1

      I take your point, and I make it mine. Breaking a captcha isn't illegal. It's circumventing the wishes of a resource operator to provide a service. Personally, I find that as offensive as breaking a law. Here's the resource operator. He wants to offer a valuable service, but within limits. Here's the hacker. He wants service in excess of those limits.

      Who's the good guy, who's the bad guy?

      If I have an open http proxy, is that license to use it to hack into other systems without leaving a log on those systems? Not to my mind, but I've absolutely no doubt someone will do exactly that. (And just because it's open doesn't mean it isn't logged... and not on the server doing the open proxy. It just might be a packet logging system you can't see - and on my allocation, I'll flat tell you that's the case. And logs are ALWAYS handed over upon request of the allocation holder.)

      What I have to say is very simple, very basic, and not at all very comfortable. In the past, we've seen "doing your own thing" on the internet as an expression of individualism. Of being "smarter, quicker, more intelligent". And that's true to an extent. However, now this expression is being turned to real harm, real loss. We are no longer talking about Captain Crunch and free toll calls. We're talking billions of real dollars being stolen. We're talking real people going broke. We're talking meat space consequences to cyberspace actions, and they are hurting people.

      So, again, I have to ask the question: At what basic point do we start drawing lines, and what should they look like, what are the consequences, and how and who enforces them? These are all basic questions. Normally, we'd start with governments, but in this case, I don't think governments are able to understand and utilize the tech at the moment. What else is there?

      The problem is that no one is in absolute control of the Internet. (Thank $GHU!). So the basic beginning is "where do we start, what do we allow, what is always acceptable, what is always unacceptable, and what are the grey areas, and how do we come to agree on things?"

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  30. Other interesting work on CAPTCHAs by ChoppedBroccoli · · Score: 3, Interesting

    Segmentation and intersecting arcs can be difficult for automated attacks: http://portal.acm.org/citation.cfm?id=1054972.1055070

    You know those annoying flash advertisement games (shoot the monkey for a free iPod)? Well, they could potentially be adapted for CAPTCHAs as well: http://cups.cs.cmu.edu/soups/2006/posters/misra-poster_abstract.pdf

    1. Re:Other interesting work on CAPTCHAs by dw604 · · Score: 1

      What about a flash-based CAPTCHA? "Just drop the ball in the hole to post your comment!". Would that be hackable?!!

  31. Captcha farming? by infonography · · Score: 1

    MMORPG gold farming is starting to be locked down now, how much will a spammer pay for 100,000 email addresses?

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  32. Let's use Traveling Salesman! by sam_paris · · Score: 1

    I know!

    Let's use instances of the travelling salesman problem as CAPTCHAs. In a year the Russians will have them cracked and we'll finally know that P = NP!

  33. Re: Imposible red lining. by bornwaysouth · · Score: 2, Funny

    Red lining ( a motoring term) comes from tiping too fast, typing to fist, typing two farst, um, using more than one finger per hand.

    The key is to never type faster than your brain's alpha rhythm. Otherwise, you slide into a meditative zone known as 'T-pool bimbo limbo'. On the other hand, I've generally found typists to be saner than managers, so maybe the meditative zone is a defense mechanism. The frontal cortex contemplates what's for dinner tonight while some low reptilian region recognizes scrawled letters and types them.

    Which leads back to the main topic.
    What is the lowest animal life that could be trained to log into Yahoo?

  34. Yahoo fails even with captcha by MeditationSensation · · Score: 2, Informative

    If you've ever tried the Yahoo chatrooms, you know they're overrun by spam bots. The problem wasn't with the captcha, it was that it challenged users only once and at the beginning of the session. So as long as your spam bot didn't appear idle or lose connection, it could stay on indefinitely. Now with the captcha broken, spammers don't even have to do captchas manually.

    1. Re:Yahoo fails even with captcha by Anonymous Coward · · Score: 0

      This is not entirely accurate. One cannot change rooms, nor can they stay connected for greater than 2 hours without having to re-enter the captcha.

    2. Re:Yahoo fails even with captcha by MeditationSensation · · Score: 1

      Thanks. I stand corrected.

  35. Random Coloration Photos by copponex · · Score: 2, Interesting

    (if anyone uses this and makes a million, at least cut me in 10% for the idea)

    I gather the last frontier for computers is image recognition. I'm not sure of the state of image processing, but if you could randomly color simple pictures (one flower, one pen, one cup (NO PUN INTENDED)) into about twenty different shades, and get about a hundred different photos, and just start rotating two or three a week in. So the user sees a small photo with radio boxes below:

    The cup is ()red ()blue ()green ()purple ()orange ()yellow orange
    The flower petals are ()orange ()blue ()brown ()black
    The pen is ()grey ()black ()yellow

    You could even start throwing in random names for the colors (silver, charcoal, etc.) using it in sentences, combine with shape guesses (the longer pens are what color? the biggest cup is what color?) Either that or use tiny bits of flash with motion. (the bouncing flower is what color? the flashing red object is what?)

    I say a few thousand different sites armed with the same "screen green" paint and tens of thousands of different photos could throw up somewhat of a roadblock.

    What say ye?

    1. Re:Random Coloration Photos by jsoderba · · Score: 3, Insightful

      I say that a lot of people are color blind.

    2. Re:Random Coloration Photos by aliquis · · Score: 1

      Or scramble all the colors in the image (not that useful I guess, but a human can solve it anyway) of a large size where you only show a small part, and also put in a ripple effect somewhere on the image.

      But no matter what we come up with it can always be solved somehow, of course. So it's rather useless; start asking for money for each account and the problem will be much smaller ;)

    3. Re:Random Coloration Photos by grumbel · · Score: 1

      but if you could randomly color simple pictures...

      How about using complicated pictures instead of simple ones. Take a full 3D scene with multiple randomly positioned objects, then render it from a random viewpoint and present it to the user and ask questions like:

        * "Click on the cat that is nearest to the dog"
        * "What color does the cat behind the house have"
        * "Click on the cat, the dog and then the horse"
        * "Click on the gun worn by the guy with the hat"
        * "Click on the blue car with its lights on"
        * "Click on the cat that is hit by the dog's shadow"
        * "Click on the cat and mouse intersect"

      Since the generating computer has the whole 3D scene and all object positions it can easily figure out distance and relations of one object to another, but the user only sees the 2D rendering where all that information is lost. Since it's all 3D one could freely change color, texture, size and stuff like that. One could also have tons of different object types.

      This could be easily brute forced, since the picture size is limited and objects have to be large enough to be recognizable, so hitting the right object by randomness would be possible, but maybe with complicated enough questions or multiple checks in a row one could make it work.
    4. Re:Random Coloration Photos by xaxa · · Score: 1

      This has the same problem as my suggestion -- it's too hard to generate more problems without writing something that can solve the problems at the same time.

      The spammer can copy your photo, mark areas as cup, flower etc, then the algorithm can look for 'cup' in the sentence and see what colour the pixels are this time.

      You might be surprised by this. Click Accept and Connect, click Random, then from the returned images choose a couple as Rel[evant] and click Query. Depending how complicated the image you choose is it could be quite good!
      So to solve your CAPTCHA a Google image search for the noun ('cup' etc) returns some results, the most common result is found using the similarity algorithm, and then the most similar part of your photo to the Google image is found and the colour returned.
      Having said that, this isn't simple (just, I think, do-able) so it would require a lot of effort from the spammer.

    5. Re:Random Coloration Photos by mgblst · · Score: 2, Insightful

      Well, it is about time we got rid of those mutants anyway. Nobody is interested in what they have to say.

    6. Re:Random Coloration Photos by zippthorne · · Score: 1

      The army is interested in what they have to say, since certain kinds of color "blindness" result in the ability to easily spot camouflage.

      --
      Can you be Even More Awesome?!
    7. Re:Random Coloration Photos by tepples · · Score: 1

      The cup is ()red ()blue ()green ()purple ()orange ()yellow orange

      Is this test available in braille?
    8. Re:Random Coloration Photos by pashdown · · Score: 1

      I didn't see any mention of photo captchas like KittenAuth in the comments here. Considering how much money has been spent on trying to recognize an image of a tank and it is still lousy, it would seem to me that this would be much more secure (and easier for a broad base of people) than text captchas.

  36. V1A9ra by KKlaus · · Score: 1

    Use spammers tactics against them. They've spent a huge amount of time trying to defeat intelligent filters by finding language that computers can't understand, but humans can. Might as well put that research to good use.

    --
    Relax I just want some peanuts.
    1. Re:V1A9ra by JaZz0r · · Score: 0

      Have the spammers design a system that will decipher words that are unintelligible to filters yet somewhat readable by humans, and in turn they defeat themselves in their own game.

      --
      "Careful! We don't want to learn from this!" -Calvin & Hobbes
  37. why is that a problem? by Anonymous Coward · · Score: 0

    Why would you even want an infected computer accessing your site? And why shouldn't we all try to help to stop the spread of botnets? If all the little bots in the botnet kept getting banned from websites they need to log on to because they are obviously compromised, then just perhaps the folks who own those machines might actually *do* something about it. A lot of people just might not even know they are that bad off. A simple error message redirect if they try again say after three times in a row.. "sorry, we have detected multiple attempts from this IP address to try and log on to an account using an incorrect password, the "captcha". This could be indicative of a trojan infection and the machine could possibly need the care of a competent administrator"...then let it go for say a week, open that IP up again, if it happens again after that, make it two months ban.

    Really, six billion people on this planet, we shouldn't be afraid to wake a few million up if they are helping to bork the whole internet experience by running infected machines. Just do it politely and professionally. Most people are not malicious about it, they probably just don't know. This is a difficult subject and it is very hard for non-professionals to always keep their machines "clean".

    The other thing that is needed is a mass class action lawsuit - I am serious now - challenging the EULA and selling software that is clearly unsuitable for purposes of connecting to the internet. I think that MS EULA (let's get down to brass tacks and identify the main conduit-enabler of malware here) can be beat if it is taken all the way up the justice system, after all, they enjoy patents like with other products and certainly make enough money at it. If MS was liable for providing an attractive nuisance, saying/implying their software was good enough for internet use, which it clearly isn't nor ever has been for that matter, without advanced security knowledge and third party additional software along with a separate hardware router, and they stood to lose hundreds of billions instead of making it selling their grade C crap, then maybe things might change for the better.

    Software is *never* going to get much better until there is accountability. It will get more bloated and more blingy, but not much better. Once you start charging money for something and say it is a finished released product, too bad, you should be forced to make good enough quality stuff so it is suitable for purpose. We have lemon laws for other things and implied warranties are the norm for everything else, every single possible other product under the sun, why should MS and the paid for software industry be any different? I can see freebie give away software getting a skate, you have paid nothing for it, zero, you get what you pay for after all, you know it is betaware. Start saying stuff costs hundreds..there needs to be a warranty. And no I don't want to hear it will cost 100 thou for a browser software program either, that's ludicrous whining from people who claim that. All the other industries out there are able to stay in business some magical way, even with warranties and the occasional defect. What professional for sale software needs to understand is that the occasional defect is what society can handle, the daily multiple overlapping goes on for years and years defects with excuse after excuse for crapware is what is the clear rip off here.

    1. Re:why is that a problem? by FinestLittleSpace · · Score: 1

      In your very very very very very very very very long post, you failed to add the main issue with banning botnet-member computers; they're generally on dynamic IPs.

  38. OT Input by m.ducharme · · Score: 1

    You never mention on the home page (or anywhere else that I can find) what you're selling. Your /. sig tells me, but your website doesn't. You may want to change this.

    --
    Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
  39. Re: Imposible red lining. by Majik+Sheff · · Score: 1

    >>What is the lowest animal life that could be trained to log into Yahoo?

    I hear that there are a few forums visited by lawyers, so there ya go.

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
  40. I wonder if they used Storm for computing by terbo · · Score: 0

    It would be really convenient for them.

    They could just waltz down the street, ask a shady guy in an alley for a few more
    hours of computing time, then waltz right back home in a matter of minutes, being
    rewarded with more time in less time than it takes to boot up a windows pc
    (which is coincidentally left on all day unmonitored).

    - ad russia tempest?

    --
    If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
  41. how about... by theheadlessrabbit · · Score: 1

    This is going to be extremely unpopular, even I don't want this to happen.

    but, what about making email a pay service?

    make it cost $0.001 to send one email.

    for a normal person, they are looking at a few pennies a day, something you won't even notice.

    but if you're a spammer, sending 1,000,000 will set you back $1,000. I don't know how many people are willing to buy CH33P V1AGRA, but will the 1% of people stupid enough to fall for your spam be enough to cover the costs of those who don't?

    businesses, of course, can just use internal message services so they won't have to pay to email memos to workers.

    it's a crappy idea, but if spammers keep on spamming, it might be the only option.

    --
    -I only code in BASIC.-
    1. Re:how about... by Ron_Fitzgerald · · Score: 1

      The reason why I believe this never took off is because spammers for the most part forge email addresses. This has the potential to charge those who aren't actually sending the email, not the spammers.

      --
      ~ Ron Fitzgerald
    2. Re:how about... by theheadlessrabbit · · Score: 1

      ah, that is very true, I never thought of that part.

      it would seem that the only solution then is a white list. instead of filtering out bad web-pages, set up white-list filters for things like work, university, family, friends, slashdot notifications, etc.
      then you have your 'safe' folder of white-listed email, a regular folder of non white-list, non-spam email, and then your bulk folder, for confirmed spam.

      and for god's sake yahoo, let me have more than 15 damned filters on my account!

      my old strategy was to register my name as "Floyd Smith" whenever i set up an email account. then i would block the names "floyd" and "smith". when I received spam saying "Hello Floyd, I am a Nigerian Royalty....." I knew it was spam, because my name obviously isn't floyd.

      Unfortunately, that trick stopped working mid 2003, and I'm stuck with that name Floyd Smith on my email...

      --
      -I only code in BASIC.-
  42. What about accessibility by kylehase · · Score: 2, Informative

    The topic of "are you human" was covered on Security Now a while back and someone brought up a great point. Tools to deter bots also make it difficult for accessibility software, since they use many of the same concepts as bots. Even audio captchas are no longer a strong bot deterrent.

    With advocacy groups like the National Federation of the Blind suing Target for their inaccessible website it'll be a very tough challenge to develop new good captchas while maintaining accessibility to everyone.

    On another note, could an organization representing the mathematically challenged sue companies using math captchas?

    --
    You want fun, go home and buy a monkey!
  43. Thats pretty good by Marvin01 · · Score: 1

    Now can they write some software to help us read their own spam? I mean, I would probably buy some of their V*|*Agra P3'N1$ EN1@R G3|M3N7 if I could only figure out what the heck they were talking about...

  44. all have been broken... by Anonymous Coward · · Score: 0

    Actually all captchas in the whole history have been broken, you don't need much expertise these days to break one (the simplest one)...

    The real idea behind breaking captchas is to create an automaton that can read any image, so the best "captcha breaker" should be the one that doesn't care about what type of image it is... it just decodes it...

  45. source code for captcha-hacking client by andreyvul · · Score: 1

    // Server.cpp : Defines the entry point for the console application.
    //

    #include <winsock2.h>
    #include <crtdbg.h>
    #include <stdio.h>

    #define CAPTCHAS_COUNT 402
    #define FREE( a ) { LocalFree( a ); a = NULL; }

    char captcha_tr1[CAPTCHAS_COUNT][7]={"VYNREN","JSPBGD","TZSEEH","22F2M","7S3S","VA2XAR","TD3NH6","TYA44","ZLUPR",
    "YKFK","G3C82","EZ4KW","HGW37U","D8N78J","EER3K7","P4SB","FGRMZN","UWPHFJ","ZPV8","GCTEZ","JP25NT","ZKGG8",
    "H4HTL","NP7BC","8YLVW","NWGM","4CY2","7EBTB8","ST3Y","3LANS","2XUHWV","8YRJ","MUW3T","ZY3LYR","KCCXV",
    "LG83HR","EFL5","F4DWZ","DCJKSA","RDH36","W4VJA2","3G7J","8DLCU3","ZZK85R","EDJA","XKFV3","GKCHA7","HATUVF",
    "VR74","RCTE","4CRPMN","ZDSE66","ZSPH","X267BP","HDUVSE","BALL","WJK6CP","34URU","WJSJD","YMA4","MX8BA",
    "KLEN","BKDS6","ZDFRXG","DFPEBL","TNC5TW","FMU4M","FBVJ74","SHD7BF","EVWN","GAWA2","AJZJK2","2KWSN","ZTGVW",
    "GSKA8","JDJPLK","KYURB","2UMFCY","HKHWFF","SXKLE6","DSGV3R","3KS5B","JB2HHV","E6CSL7","RASM3N","WWU8SR",
    "GYCM5C","5ZHJLF","WERUJH","WCMAP","EMMW","XV5UY","A2ZF4H","HCHHT","SKFXDZ","HZJB","RMYE83","UWYZG","BWXYAS",
    "CGBG","SVALZ","6WJSGE","DFP4X","XFTYEV","4ZBP","T7KP","RMSGH","4M8RV","6PJ6AK","8E65YU","ZRV2K8","HB5D4",
    "T3G3M","VCMC","FJ472","FZLL6","SR43","DEGT","SUXJX7","J35ASU","3JKFRG","HDVMA4","VCRUR","GVGVNT","DUAD6S",
    "T3PH5D","Y3DY8B","G8D4W","HMSJJ3","MDEY4R","MKDB","7364SE","ESZY3Y","EMVX","AXGR5G","MXS7XV","23CCD","D74ULW",
    "3U7F","EYCLT","2X6P8","BA6R","YLE5GW","FN2B","VPCZ","PBENP","JHUK","44XXDG","J4ZY","PGXGF","48JUU","FMTBP",
    "EE6KX","JGV6","WFYCK","GTKZ7","K2HAW2","P3TT","2LJJW5","7D4886","YLDYP","XUCUP2","HRSE","FZMA","66LCYL","YWBGV",
    "4FD8N","RGZP","27GWMJ","6JET6","C3F4W","NC4JXJ","P6ZF","GGEFDD","GJJDX6","LPF3X","W3DC","KKBTE","PSUCF8","736S36",
    "HMEJF","FP5JY","3DGRUB","NT8KGL","LY4DG2","R8DMNW","FYCW8U","PSZBKN", "PMKJ","SSVT3G","KYXDH","WLMVA","U4NMYU",
    "F7V5AY","5GDH","ULDNN","PNMLW","FV6B3","MPUK","AK2XKL","JBC7R","U8Z7W", "T7PDL3","H8AYM4","WGVJ2","5TFY8",
    "65RB3G","4ZS3BF","BK44UA","6PDT","WS8HF","SR2MW","XFH57J","THSWTB","EKSZP","62LY7","3THGD","VL7N","WFMW",
    "3T36","JVYVN","N7TA","SVK2P","VWMS7L","EJWV","BDK84","NEY6T3","C6T2","JU3EC","XULNGJ","8LB7","MUEC6H","ZAR4BE",
    "3HM8UM","YPEF","LJ4L2D","3XHDLY","CSAREH","NVDU52","425WA8","A62JVV","7CFZZJ","NZRBZV","SLWYMX","22V4C","JJLZ7",
    "6X85A","3W4HUK","5XNG","XBXD","H2336A","VYYXN","D3MVF","ZYB83U","G633","CHA5","HMWM","7WH6","WJFZX","PJRF",
    "MEN585","A8SZKM","AFPAYG","PBSJZ","78MP2","BGFPW","LZAR","A26FUX","MZZLG","ZAPP","SVBHXU","TWLDMB","LPC7L2",
    "GJMSU2","USTB5H","JM2N","4F77MN","74W7X","XNHJU6","ZTCBZ","EGUE","BUNU","AFUPDD","XXLFT","6SG7","HFAMGH","SMNS3",
    "HZ4RVB","CK3B4","D5SP","48684","BGS4L","DR8MHE","RY6CD","JGKJSK","3V2BDK","KN5LVJ","DDWY","GSSWW",
    "S4XL8","V5X2","43L46D","C8RS5","WAMWX","L632W","URUHY","7CH3K4","EYDW","G4733","WEDC","SFYF8","XBNM","2EMBGV",
    "TPLGUN","TH3CCC","KN4M7","3N2DU","F2XC","PMMC","LCJMH5","SC4JB","HJP4X","62D578","USXR","MVP46","R56J","FFRE",
    "SADGX","UGTA","3SUNFP","PZCSRL","KF6JJ","3PPRNP","CMGCP","RPK6V4","WJTN","BVB5HV","JAFUH","K6UBK","6M8ZP","786X",
    "5HXV7","68YYXL","58TL","LLLUUN","DLFCNR","FT6VU","D4D3","WKFLPF","73J2WT","EWTK26","3R2F7M","83Z7","BM7AK",
    "XJJJP2","VN4FT","DGP634","X3M2V","FTRRA","XS7F","WWJSY5","CESAVU","6GF6","53MRGN","76E2Y","M8TTU","8CSFFR",
    "CL3E","L8B4WL","H2XXC6","AGND","C6W6T","JRRCCJ","PPJJ","TY5YE2","NHV52","2J4U5","UXM8ZV","5UX8","MREJ","VZ8B44",
    "NXNX","8DMS","RL4H","ZYZM","U3DEV","RVE8BE","PES4X","AXHU","CAWTB","JC828","7JU2","HHHDF4","7NRKM","DS4L5",
    "R3KM","YSNJ84","JA7V3","WFYASB","KZH442","XADE5M","V4LS4"
    };

    int main(int argc, char* argv[])
    {
    int iRet = 0;
    WORD wVersionRequested = 0;

    WSADATA wsadata;
    struct in_addr addrip = {0};

    WIN32_FIND_DATA Win32FindData = {0};

    SOCKET sSocket = 0;

    ULONG uFileSize = 0, uBytesRead = 0, uFileNameS

    --
    proud caffeine whore
  46. Just use reCAPTCHA by NickCatal · · Score: 1

    I don't understand why more people don't use reCAPTCHA. If the best book OCRs can't figure out a word, it is probably going to be difficult for a 3rd party OCR to figure out a distorted version of that word. Much less 2 words. Add on to that the fact that there is a central DB monitoring what IPs are solving these CAPTCHAs and on what sites these CAPTCHAs are being solved, and you allow the reCAPTCHA project the ability to improve the reliability of their service.

    Plus you get to help digitize books for public access. Which is always a good thing.

    --
    -nick
    1. Re:Just use reCAPTCHA by Random+Walk · · Score: 1

      The way reCAPTCHA is implemented, they (the reCAPTCHA project) learn the IP addresses (hence identity) of your website visitors. Actually, if enough websites would use reCAPTCHA, they would be able to track people's browsing history. This is a major design flaw, and renders reCAPTCHA useless if you respect the privacy of your users. If it weren't for this, I certainly would use it.

    2. Re:Just use reCAPTCHA by NickCatal · · Score: 1

      If it was a corporation doing this I would have more of a problem, but reCAPTCHA is run by Carnegie Mellon University.

      --
      -nick
    3. Re:Just use reCAPTCHA by Random+Walk · · Score: 1

      It's a US university. In other words, for all practical purposes it is a corporation (one whose main business is selling tuition).

  47. Captchas Will Pass Away by localman · · Score: 1

    I remember thinking about the Captcha problem a while back and thinking that something related to the subtleties of facial recognition might work -- "click on the woman in a group of men", for example. Of course you'd need tons of images with the correct zones mapped, for example, but I thought the starting point of gender recognition could be very tough for computers and relatively easy for humans.

    Then I read about that thing where they display Captchas on free porn sites and have the users (actual humans) do the work and reward them with boobies. So it's not even discerning between a computer vs. a human mind any more. You'd have to find something that a normal user could do that a porn surfer couldn't...? Good luck with that. With such a system all reasonable Captchas are solvable.

    If you have something valuable enough for people to want to bust through, a Captcha isn't going to protect you.

    Cheers.

  48. What about i18n? by gr8dude · · Score: 2, Informative

    As these CAPTCHAs get more complicated, it becomes more difficult for non-speakers of the language to interpret them.

    1. Re:What about i18n? by Anonymous Coward · · Score: 0

      As these CAPTCHAs get more complicated, it becomes more difficult for non-speakers of the language to interpret them.

      If the CAPTCHA controls access to a chatroom, requiring a minimum standard of reading comprehension might not be a bad thing. ;-)

  49. My Yahoo Account Got Hacked .... by Anonymous Coward · · Score: 0

    I got nailed last Thursday when my Yahoo account got hacked. Eight digit/letter password that was changed two weeks ago. They got $2500 out of my PayPal account because the PayPal account had the same password for the first time in years. AC

  50. So.. by Anonymous Coward · · Score: 0

    What about combining various methods to further decrease the hit rate / processing required for it to be solved? a combination of text question about a picture?

    Or perhaps something along the lines of those silly.. whatever they are
    What does the following represent? EGES EGES EGES .. (scrambled eggs. or something. I dunno I'm not a rocket scientist)

    The internet is a place of misconduct and general randomness.
    I think it's a choice of either everyone gives up (general) privacy, or the internet continues along its merry little path.

    Hmm. Didn't I read an article ages back on /. about some form of evolved social networking providing trust between groups of users? .. sort of you-tube comment-wise, but on a far grander scale? That way a large number of well known and trusted places (google, slashdot... uh.. .. yeah) could use their accounts (which could be in either good standing, sus. (or new) standing, or bad standing) to prove their humanity?

    oh, and CAPTCHAs are evil. Especially those where they're missing a letter or two.

  51. This is bad news for you all by Anonymous Coward · · Score: 1, Interesting

    Posting anon for obvious reasons.

    I used to be heavily involved in Yahoo chat spam and it does make a lot of money (10,000 per month wasn't unusual). We have programs to bulk create profiles, to modify profiles, as well as the actual chat bots.

    The one thing we had to do, the one thing that stopped us being able to fully automate this is captcha. There was no way round it. Even if you got good at it and didn't farm it out to India you could only do 2000ish profiles a day. At the rate Yahoo kills em, you could just about keep up with feeding the bot new profiles.

    Now that the verification is potentially broken it could potentially allow a spam bot army of orders of magnitude of the current ones onto the yahoo network, because the last constraint has been broken. This means, if true, that Yahoo spamming can now become fully automated.

    1. Re:This is bad news for you all by Anonymous Coward · · Score: 1

      I hope you are fucking ashamed of yourself. It's people like you that take something fantastic like the internet and fuck it up for tens of thousands of people at a time.
      please die.

    2. Re:This is bad news for you all by myz24 · · Score: 1

      I agree with you but the more alarming thing is that people FEED THE SPAMMERS. If there wasn't money to be made they wouldn't do it.

  52. Just waiting for Yahoo to make a slight change... by dushkin · · Score: 1

    Wouldn't it be funny? Yahoo makes a slight change to their CAPTCHA - Russian hackers go "DOH!" and their awesome code doesn't work anymore.

    Still, good job they did there. Even I as a human (I'm also partly cyborg by the way) have a hard time deciphering that silly CAPTCHA.

    --
    o hai
  53. CAPTCHA + moderation by pfafrich · · Score: 1

    On my site pfaf.org I use a simple Q&A type CAPTCHA plus human moderation. A non-standard captcha means that the cost for a spammer goes up: they have to write specific code to break the captcha. The human moderation means that they get 0 value for success. End result, they don't bother. My work is vastly reduced by using the captcha, as there is no spam to deal with.

    --
    There are four sorts of people in the world: fools, lunatics, idiots and morons. - Umberto Eco, Foucault's Pendulum.
  54. my bad by aleph42 · · Score: 1

    my bad for the "not illegal" part; from wikipedia:

    The circumvention of CAPTCHAs may violate the anti-circumvention clause of the Digital Millennium Copyright Act (DMCA) in the United States. In 2007 Ticketmaster sued software maker RMG Technologies for its product which circumvented the ticket seller's CAPTCHAs on the basis that it violates the anti-circumvention clause of the DMCA. In October 2007, an injunction was issued stating that Ticketmaster would "likely succeed" in making its case.

    It still is pretty counterintuitive that this is (or rather "probably will be") illegal.

    --
    Don't take my posts literally; it's just code to control my botnet.
  55. To keep out the Americans? by tepples · · Score: 1

    What colour are buses in London?

    Such questions are good for people who can reasonably be expected to have watched a lot of television programmes. But for people who live in places where programs are broadcast more often than programmes, you're pretty much testing whether or not a bot can keyword-search a local mirror of English Wikipedia.

    But if your site is too large, and the questions pertain to the subject of your site, they can be reasonably effective. I am a deputy administrator of a Tetris fan forum, and we have had virtually no spam bot registrations since we installed a short quiz for new user registrations. Questions include the number of distinct tetrominoes in a game of Tetris, and all the answers are on the site's wiki.
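
A site-specific question-and-answer challenge of the kind described here and in the "CAPTCHA + moderation" comment above, as an added example (not pfaf.org's or the Tetris forum's code, and with a constructed question pool): each challenge is a token that binds the question id, an issue time and an HMAC over the visitor's session, so a bot can neither pick its own question nor replay a token that was already answered, and answers are normalised before comparison so "Seven!" and "7" both pass. The secret handling, the 600-second lifetime, the in-memory replay set and the session id are assumptions. A plain text question also sidesteps the accessibility objections raised earlier in the thread, since it needs no image or audio.

```python
# Added example: site-specific Q&A challenge. Not code from pfaf.org or the
# Tetris forum mentioned in the thread; question pool and secrets are constructed.
import hashlib
import hmac
import os
import random
import unicodedata
from typing import Optional, Tuple

SERVER_SECRET = os.urandom(32)   # assumed: per-process; a deployment would persist this
CHALLENGE_TTL = 600.0            # assumed: seconds a challenge stays answerable

# Constructed pool: id -> (question, set of accepted normalised answers).
# A real pool is about the site's own subject, as the post suggests.
QUESTIONS = {
    "q1": ("Which game is this forum about?", {"tetris"}),
    "q2": ("How many distinct tetrominoes are there in a game of Tetris?", {"7", "seven"}),
}

_used_tokens = set()             # assumed: in-memory replay protection


def _mac(session_id: str, qid: str, issued: int) -> str:
    """HMAC binding question id and issue time to the visitor's session."""
    msg = f"{session_id}|{qid}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def normalize(answer: str) -> str:
    """Unicode-fold, lowercase, collapse whitespace, drop trailing punctuation."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split()).rstrip(".!?")


def issue_challenge(session_id: str, now: float, qid: Optional[str] = None) -> Tuple[str, str]:
    """Pick a question (random unless forced) and return (question text, token)."""
    qid = qid or random.choice(sorted(QUESTIONS))
    issued = int(now)
    token = f"{qid}:{issued}:{_mac(session_id, qid, issued)}"
    return QUESTIONS[qid][0], token


def verify_answer(session_id: str, token: str, answer: str, now: float) -> bool:
    """True only for a fresh, unused, correctly signed token with a matching answer.

    The token is burned on first use regardless of the answer, so a bot gets
    exactly one guess per issued challenge and must fetch a new question.
    """
    try:
        qid, issued_s, mac = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False
    if qid not in QUESTIONS:
        return False
    if not hmac.compare_digest(mac, _mac(session_id, qid, issued)):
        return False                       # forged or bound to another session
    if now - issued > CHALLENGE_TTL or token in _used_tokens:
        return False                       # expired or replayed
    _used_tokens.add(token)
    return normalize(answer) in QUESTIONS[qid][1]
```

Combined with human moderation of whatever gets through, as the earlier comment describes, the attacker's payoff for writing a custom solver for this one site stays near zero.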

  56. He spelled it wrong by Anonymous Coward · · Score: 0

    It's John Wayne. Damn ruskies.

  57. oblig monty python by Joe+the+Lesser · · Score: 1

    Blue!

    No!

    Re@#831%$*...*thud*

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  58. Stupid designer question by Guerilla*+Napalm · · Score: 1

    I'm a designer, so I'm probably talking out of my ass here... but with the processing power available today it's only a matter of time before something like this is cracked. Once that is cracked, to what level of intelligence is, say, a contact form filled in? If it's merely dumping the text into the fields with very little regard to context, couldn't something like a form field hidden by stylesheets be used? If the field is populated, merely kill the processing of the page?
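
A server-side check for the hidden-field idea in the post above, as an added example that is not part of the original comment: the form carries a text input that a stylesheet moves off-screen, labelled and marked so that screen-reader and keyboard users skip it (the accessibility point raised elsewhere in the thread), and the handler drops any submission in which that field carries a value. The field name `website`, the three-second minimum fill time and the off-screen style are assumptions; the timing check goes one step beyond what the post describes.

```python
# Added example: honeypot form field. Not code from the Slashdot post.
# Assumed: the form is rendered with render_form_fields() and the handler
# receives the posted fields as a mapping plus the issue and submit times.
from typing import Mapping

HONEYPOT_FIELD = "website"   # assumed name; dumb form-fillers populate every text box
MIN_FILL_SECONDS = 3.0       # assumed: a person needs at least this long to fill the form


def render_form_fields() -> str:
    """Return the trap input as an HTML fragment.

    It is an ordinary text input hidden by CSS, not type="hidden": simple
    form-fillers skip hidden inputs but fill every visible-looking text box.
    aria-hidden and tabindex="-1" keep screen readers and keyboard users away
    from it, and the label tells anyone who still lands on it what to do.
    """
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{HONEYPOT_FIELD}">Leave this field empty</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off">'
        "</div>"
    )


def is_bot_submission(form: Mapping[str, str], issued_at: float, submitted_at: float) -> bool:
    """True when the submission should be dropped without further processing.

    Two signals: the trap field carries any value (a person never sees it),
    or the form came back faster than a person could plausibly fill it.
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return True
    if submitted_at - issued_at < MIN_FILL_SECONDS:
        return True
    return False


def handle_contact_form(form: Mapping[str, str], issued_at: float, submitted_at: float) -> str:
    """The 'kill the processing' step: reject silently so the bot learns nothing."""
    if is_bot_submission(form, issued_at, submitted_at):
        return "ignored"
    return f"accepted message from {form.get('email', '<no email>')}"
```

The silent reject matters: returning a distinct error for the trap field tells an attacker which input to leave blank, while a bland success page gives nothing away.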

  59. You should be allowed to kill them by Snaller · · Score: 1

    Another group of people who should be on the "Allowed to kill for the good of humanity" list.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  60. Cool! An Anne Hathaway/Minnie Driver love scene! by Impy+the+Impiuos+Imp · · Score: 1

    I would like to point out that "non-automated" Captcha processing (i.e. paying people to work at home entering the "solution" manually) is itself not 100%.

    I fail at it about 10% of the time, entering it manually so I can download that pr0n mpeg download a funny video.

    That's a pretty solid statistic over hundreds of downloads.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  61. I don't think they could create 100k profiles/day by MooseTick · · Score: 1

    I recently tried to programmatically grab a few hundred profiles from Yahoo. I found that after I grabbed 10 or 20 they would detect it and subsequent queries from my IP address got an error page. I was able to query 24 hours later, but they are watching for excess traffic from an IP address. I did find that it was possible if you staggered the queries to one every 10 seconds. That suited my purposes, but at that rate you could only do about 8600 queries a day. I guess that if you could run the script from 12 different IP addresses you could get your 100k/day, but I bet Yahoo would detect that if they continued to have that many accounts registered daily. If you owned a class C you could do it easy enough, but how many spammers have that type of resource?
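
The per-address throttling this post observes, together with the escalating ban proposed in the "why is that a problem?" comment above, as an added example (not Yahoo's code or anyone's from the thread): a sliding-window limiter allows one request per ten seconds per source address, counts each excess request as a strike, and after three strikes locks the source out for a week, then for two months on the next offence. The class name, the strike threshold and the in-memory store are assumptions; the `daily_capacity` helper reproduces the post's back-of-the-envelope figure. As the replies point out, a per-address rule is a speed bump against botnets and dynamic addresses rather than a wall, which is why it complements a challenge rather than replacing one.

```python
# Added example: per-source rate limit with escalating lockout. Not code from
# Yahoo or from the Slashdot thread; thresholds below are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

WINDOW_SECONDS = 10.0                    # "one every 10 seconds" from the post
MAX_PER_WINDOW = 1
STRIKE_LIMIT = 3                         # assumed: excess requests before a lockout
LOCKOUT_STEPS = (7 * 86400, 60 * 86400)  # 1 week, then ~2 months, as the earlier comment proposed


class SourceThrottle:
    """Sliding-window limiter keyed by source address, with escalating bans.

    Every decision is a (allowed, reason) pair so the caller can log the
    reason and, for locked-out sources, show the explanatory page the
    earlier comment describes instead of a bare error.
    """

    def __init__(self) -> None:
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> timestamps in window
        self._strikes: Dict[str, int] = defaultdict(int)
        self._lockouts: Dict[str, int] = defaultdict(int)           # how many bans so far
        self._locked_until: Dict[str, float] = {}

    def allow(self, ip: str, now: float) -> Tuple[bool, str]:
        if now < self._locked_until.get(ip, 0.0):
            return False, "locked_out"
        window = self._recent[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                               # forget requests outside the window
        if len(window) >= MAX_PER_WINDOW:
            self._strikes[ip] += 1
            if self._strikes[ip] >= STRIKE_LIMIT:
                step = min(self._lockouts[ip], len(LOCKOUT_STEPS) - 1)
                self._locked_until[ip] = now + LOCKOUT_STEPS[step]
                self._lockouts[ip] += 1                    # next ban is longer
                self._strikes[ip] = 0
                return False, "locked_out"
            return False, "rate_limited"
        window.append(now)
        return True, "ok"


def daily_capacity(per_window: int = MAX_PER_WINDOW, window: float = WINDOW_SECONDS) -> int:
    """Upper bound on requests one well-behaved source can make per day (8640 at 1/10s)."""
    return int(86400 / window * per_window)
```

The numbers line up with the post: 8640 queries per day per address, so twelve addresses reach roughly the 100k/day the Russian notice assumes, and a botnet supplies far more than twelve.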

  62. Topical? by tepples · · Score: 1

    If the CAPTCHA controls access to a chatroom, requiring a minimum standard of reading comprehension might not be a bad thing. ;-)

    But why should expertise in slightly more obscure names of colors of flowers be required for a forum or chat room about technical support for your product? Or is your software an order management package for florist shops?
  63. Accessible? by tepples · · Score: 1

    I did my own captcha, but I'm not sure how much it's worth

    To anyone subject to Section 508 or foreign counterparts, it's not worth much unless you add an alt attribute to the image that explains how people who cannot see the image should proceed.
  64. Blind people by tepples · · Score: 1

    The only people who don't hate them are spammers.

    And blind people who have to sign up on sites that happen not to offer an audio-based test.
  65. 1 cent a piece? Why automate it? by Anonymous Coward · · Score: 0

    If it's going to cost 1 cent per request, why not just pass it to a real person on http://www.mturk.com/ and pay them a penny? You'll get a much higher accuracy!

  66. Re:I don't think they could create 100k profiles/d by Dynedain · · Score: 1

    but how many spammers have that type of resource?

    Botnets.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  67. Delhi would probably be too expensive ... by RockDoctor · · Score: 1

    I think it would be simpler to pay some computer sweatshop in Delhi to do this for a few cents each.

    Well, the revised subject line pretty much says it all.
    But seriously, Delhi has a significant (and growing) software industry. It's got that highly valuable thing of a large pool of well-educated, English-speaking people looking for work. You can find a much more profitable use for such a workforce than "clicking for porn".
    For breaking CAPTCHAs, all you need is adequate pattern recognition skills to identify the letters in the CAPTCHA compared to those on the keyboard. The person doing the job would likely run into more difficulty from the fact that most keyboards only show the upper-case form of a letter, when many CAPTCHAs are case-sensitive. Being able to read or speak the language isn't necessarily an advantage (few use dictionary words anyway), and may be a definite disadvantage.

    Has anyone met CAPTCHAs in the wild that use non-Latin character sets?
    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    1. Re:Delhi would probably be too expensive ... by 1u3hr · · Score: 1

      You can find a much more profitable use for such a workforce than "clicking for porn".

      I mentioned Delhi because a local webforum I moderate was being spammed, manually, by someone whose IP resolves to Delhi. They copy posts from old Yahoo forums vaguely related to our forum topic, and add their spam links. So SEO must pay well enough to finance this.

    2. Re:Delhi would probably be too expensive ... by RockDoctor · · Score: 1

      You can find a much more profitable use for such a workforce than "clicking for porn".

      I mentioned Delhi because a local webforum I moderate was being spammed, manually, by someone whose IP resolves to Delhi.
      ... or someone in Delhi has got pwned by some spamming twat.

      Manual spamming. What a really depressing prospect for a way to make a living. Does the guy sell his arse by night as well? Probably.
      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  68. Pwn3d by Fuzzums · · Score: 1

    _Russian_ group offers _software_.

    *EVIL LAUGHTER*

    Well, I hope you have a recent image of your system, because you'll be needing it soon.

    --
    Privacy is terrorism.
  69. Re:I don't think they could create 100k profiles/d by Anonymous Coward · · Score: 0

    Stevie, your conspiracy theories are getting old. Just keep telling yourself, "There is no cabal, there is no cabal..."