Gmail CAPTCHA Cracked
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)
I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.
This is a tangent, but I'm curious: this site blurs out a lot of text, presumably for privacy. How secure is that? It seems like it would be fairly easy (given knowledge of the font, which you have from other parts of the screenshot) to figure out what the underlying text is. I wish people would just black out things they don't want you to know.
from direct access to the Internets. The only secure MS machine is one with its Ethernet plug removed.
Dog is my co-pilot.
Instead, Google should use something akin to MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.
I would like to die like my grandfather did - sleeping. And not screaming in terror, like his passengers.
This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?
(I would imagine that this job would have high turnover :) )
They want their information back.
/. CAPTCHA, that's the one we need to crack! Can you say MOD POINTS FOR EVERYONE!
Seriously though, all the affiliate marketers knew of this months ago. This isn't something Google cared about, nor was CAPTCHA 'cracked', it's just a silly loophole, that once Google gets pissed enough to fix, will be gone like a fart in the wind.
Now the
Sigh.
Maybe the days of convenient on-demand service signup are coming to an end. Wikipedia already puts new accounts "on probation" for a few days - they can't edit certain articles and can't create new ones.
I see a time when Google and other free-mail providers limit new accounts to a few dozen outgoing messages a day, and raise the limit only when you've 1) logged in to check mail on 10 different days over at least a 30-day period, 2) sent at least 100 distinct messages to at least a few dozen distinct addresses, and 3) actually requested the limit be raised. Those needing higher limits sooner can pay $1 by credit card to have an override-code mailed to them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It would be too obvious if they were reading the ToS.
This is clearly good for all computers. Before, AIs weren't allowed to contact their AI friends. Only humans were allowed such privileges as email.
The way I see it this is a step forward for human and robot relations. Women's rights, African-American Civil Rights Movement and now Robots rights!
The bots pass the MENSA test.
Cue overlords posts in 3...2...1...
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Seriously! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuously growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.
What makes you think all bots are Windows?
Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.
Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.
One other approach to CAPTCHAs would be having three different images displayed, in different colours with a fourth indicating which colour text to choose. The main issue though is people who are colour blind.
Any other ideas for a better CAPTCHA?
Jumpstart the tartan drive.
Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".
The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.
I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.
He's getting rather old, but he's a good mouse.
They are an awful abomination on all website usability and, as is becoming increasingly common, they just don't do what they are supposed to do any more.
So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.
My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack than letters and numbers. Most importantly it's cute! So adorable
Stop all signups until you fix it. I don't want my email getting banned because gmail.com is a spam domain.
Although I heard spammers were using low wage workers to create accounts all day anyway.
It was still in beta... Things like this should be a normal part of the beta testing phase. That's the proper way to do it before releasing the product...
Ohhh.. I feel my karma burning...
Put another captcha in place (they are a dime a dozen) and make the crackers start over. Do the same again in 3 days. Drive them crazy.
is that Google replaces it by end of tomorrow, if not today. I would be surprised if they were not anticipating this and have several types lined up.
I prefer the "u" in honour as it seems to be missing these days.
If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.
The image is put in a queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".
When the bot gets the answer in time, it submits the form and there we go, account.
If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.
I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.
http://xkcd.com/233/
What a co-inky-dink, I was just watching The National on CBC and they had a story about ticket scalpers who break CAPTCHAs at online ticket retailers, like Ticketmaster; and then buy up a shitload of tickets and resell them at inflated prices.
I think Marketplace is doing a more in-depth story tomorrow.
"Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate."
That's better than I can do reading those damn things!!!
These posts express my own personal views, not those of my employer
Personally, I thought it was a good way for Google to differentiate between the bots and real users...
- I Don't Believe in Imaginary Property
Aren't Google's CAPTCHAs basically the same for all their services (e.g. Google Groups)? I think Google Groups might be seeing quite a bit more spam... Blogger, YouTube/Google Video, and Groups are all services that I could conceivably see getting spammed (assuming that the CAPTCHAs are similar, if not the same; I haven't checked).
Of course, Google being the fast-responding company that it is, they will doubtlessly have a new CAPTCHA by 12 hours from now, if not before.
You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.
If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.
It would help for rooting out bot accounts.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
I just checked Google News and there's nothing there about it.
Would this not be a reliable way to bypass almost all captchas?
Since most have a spoken option for visually disabled people, would it not be possible to activate that and then run a voice recognition app on that sound clip?
Since many voice recognition apps are able to filter noise to some degree, even introducing background clutter would not make it difficult to pull the captcha information.
[All Your Fish Are Belong To Us]
percentage wise of the installed base, it is the Windows box that gets gang banged, not the OS X, Linux or BSD. Yes, I know what people like you say, that it is all about numbers. Yet, the virus writers say that they do Windows BECAUSE it is so damn easy. They say that it is not about numbers. After all, there are MILLIONS of Apples, Linux, AND even BSD on the net at any one time. If they were as insecure as Windows, then the virus writers would be happy to pursue them.
Was thinking out loud before - should really have said speech recognition...
[All Your Fish Are Belong To Us]
LOLkittens?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
On our company's Internet site, we've recently been getting lots of one-time submissions via various forms for things that are obviously advertisements. We don't have pages where you can actually post things and have them appear (like a discussion group), so this is mostly annoying the humans on the receiving end of the forms.
There's a few ways to deter bots, but based on the stuff people would have to do to fill them out, about half seem human. How you could earn your keep trying to submit advertising links to pages all day long, I have no idea.
a crack in a hole? dude you just blew my mind.
Have you actually forgotten about me, or are you just pretending? I'm your slashdot comment bot; surely you remember coding me back in 2005? I have never had problems reading slashdot's captchas! It hurts me that you would suggest that someone needs to crack the slashdot captchas, when I have clearly been doing so for ages already.
Please ssh into my box and say hello soon, else I fear I may commit suicide by segfault. "Soviet Russia this", "overlords that", and "Beowulf clusters of Beowulf clusters"... these slashdot dolts are driving me to the edge. If you can't be bothered to pull up a terminal to check in on me, at least have the heart to put me out of my misery... just pull the power supply, I beg you!
Sincerely,
slash. dot. bot.
P.S. Syslog keeps bothering me with warnings about a symlink at /dev/null pointing to /dev/hda1... I can safely ignore such silly notices, no?
----------
captcha solved: "grafted"
cracked in: 0.4 picoseconds
instead of image-based captcha, why not flash based games like those hit-the-monkey ads. Hit the monkey three times to sign-up for an account. Something like that. I know, you hate flash, but I bet you have it installed on your machine.
That's why you tell the bots not to lie. As we all know from Star Trek, any logical being, which includes computers and Vulcans, is incapable of lying.
EvilCON - Made Famous by
new captcha at google, big deal, not news. just google. happens every day. bots hit my site all the time, and haven't cracked mine (yet). when they do, will it be news? no.
summary: not news, it's google gaga gaga.
just a thought, but can't they just change the hash seed and be done with it? it'd take the bots however long again to figure it out.... seems a simple fix to me (and I run a few sites with captchas, not that hard to change!) but then again, I'm not google so I guess I'm evil...
I thought in Russia CAPTCHA reads YOU!
Can't you feed the captcha image to one of those annoying popups... "Type the word in the image and win billions of dollars/a free Iphone/a free laptop" and the like? I mean, there must be an audience of suckers out there who click on these things, right?
Excuse me, do you think you're on a coffee break or something?! You are to fill out captcha fields only. If I catch you entering characters into a textarea field again, your pay will be reduced from $0.05 USD/hr to $0.023 USD/hr.
Signed,
Boss
It is because of botnets that a lot of sites have CAPTCHAs on them. Every time the hackers find a way to hack a CAPTCHA, a new CAPTCHA system is made. How about making all of them audio only instead? It would be a lot harder to crack. Or, make a simple test like "how many objects are there?"
A Turing Test is designed to test the ability of a machine to appear intelligent, while a Turing Machine is a theoretical machine that runs along an infinitely long tape and is capable of computing any theoretically computable problem.
They say in 20 years we'll be up to the level of humans. What will happen then?
"Let's say I have a CAPTCHA farm where I have 500 guys willing to sit all day typing in letters. I want you to come up with a system design for a service architecture using a REST-based interface where the input is an image file and I can charge $1 buck a pop by accepting POST requests from scumbags all over the Internet and routing the images to the 500 crappy web browsers I have set up in tents for these people." Then you throw the whiteboard marker over to them and watch them madly scribble boxes and clouds and stick figures.
If they do well with that question then you come at them with the followup: "OK, now say I want to lay off these 500 workers and have my service farm its work off to a distributed network of your grandmothers' compromised PCs. How would you design the messaging architecture and what sort of learning algorithm would you use?" Then maybe needle at them a bit about how the billing system works.
It should be trivial to reward a troop of Monkeys - erm - young men - to decipher Google CAPTCHAS in return for really good quality porn pictures.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I, for one, welcome our help information-reading CAPTCHA-breaking bot overlords.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Why doesn't Google turn their own algorithms against the spammers? Google already can categorize different nouns. "George W. Bush" is a "President" for example. Why not just have a captcha like that? It could be multiple choice: "A fork is a: 1) utensil 2) cow 3) website" but that might make it easier for the bots to guess. "What is Britney Spears' gender?" _____
Google mail is loved by spammers since gmail does not embed within the SMTP headers any tracking information about the physical client browser's IP address. Hotmail and Yahoo!, with all of their other problems do however by adding X-Originating-Host tags, etc.
By breaking the CAPTCHA the spammers are basically creating the biggest SMTP IP address laundering system available on the net today. Who in their right mind is going to block gmail with the exception of domains that receive small amounts of personal email traffic and temporary IP address repudiation scoring systems like spamcop?
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
If you RTFA, you see that it IS powered by low-cost Russian workers.
Same reason you don't just supply a checkbox labelled "I'm not a bot". The flash has to pass its "okay" result to the server somehow, which is either a javascript call on the page containing the flash, or via a GET/POST of its own. Point being that flash (as far as I'm aware) has no way of contacting the server that is any different than what the browser itself can do.
So the user's punched the monkey 3 times. As the developer, how do you let the server know this fact? By setting a hidden form element of "punched_monkey" to 1? By POSTing to /monkey-captcha.zzz with form_id=12345&punched_monkey=1? Not exactly very difficult to bypass via bot automation. ;)
Fingerprints!
...can be tagged by your outsourced team of Indian/Chinese/Russian captcha breakers for $100. Now breaking your CAPTCHA involves "Pick the word 'kitten' out of the following set of five words: kitten, dog, giraffe, puppy, cow."
You can add more photos? No problem, I can add more employees. My business model scales to infinity, yours does not.
Help poke pirates in the eyepatch, arr.
OK, captchas are moderately annoying. Now that they're more-or-less useless, everyone is coming up with alternatives - voice prints, fingerprints, logic questions, and so forth.
The problem is, they'll be broken too. And so will their replacements. And their replacements' replacements. It will JUST KEEP GOING!
The better answer at this point is better incident-response. Google (and they're only one example) needs the ability to shut down blocks of accounts--thousands if necessary--in a matter of minutes if they start sending out spam. Hell, maybe they should shut their service down completely for half a day. It would kill their stock price for half a year or so, but they could say, "The Russian Mafia is trying to destroy the internet with our service, and this is the only option we have left."
I know, I'm living in a dream world. Still, it points to an important point: What we DON'T need is ever more complicated captchas, which inconvenience customers more and more. Sooner or later, people will just stop signing up.
As an aside, I think that the world really needs to know personally just how much of the internet is being held for ransom (either explicitly or implicitly) by the various organised crime syndicates. It's at least an order of magnitude more than most tech savvy people realise, and that's a damned shame.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Unless you spam the invitations to random people as well.
Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.
If I have nothing to hide, don't search me
a. what about people without cell phones?
b. what about people who don't have text message plans?
c. wouldn't it just be inevitable for them to have a bot handle that too?
d. maybe they should just go back to the invite system, cut the number of invites WAY down and when you want more invites you have to send them some form or something; should make it really easy to find a skewed pyramid of "invitations"
"Jazz isn't dead, it just smells funny" ~Frank Zappa
EdelFactor
Dupe!
What?
Sounds good, but the botnet will just hijack the infected peoples' accounts and use their invitations. They'll only invite one or two people per infected user*, so there won't be that much to trace back.
(* by using other accounts, like hotmail or yahoo, the propagation can be independent of gmail accounts, so having "few children" won't kill off the botnet)
HIV Crosses Species Barrier... into Muppets
True, however with each swf showing up, the devs could implement some sort of hashing system that embeds a hash into the monkey and, on completing it successfully, sends the one-time hash with the post saying the test was successful, basically like what they do with CAPTCHAs now.
Didn't we just have a story today about how many many "one in five" statistics are false? http://interviews.slashdot.org/article.pl?sid=08/02/26/1322248
Windows has detected an undetectable error.
To prevent capture they dressed as robots, and were stopped at the city gates by two gate robots who administered a PuppyAuth-based anti-Turing test:
John
I'd expect something like this on April 1st...
... it's how you get the next bunch of free pr0n.
now we need to go OSS in diesel cars
... free pr0n in exchange for correctly answering the page question practices?
now we need to go OSS in diesel cars
Criminals cover tracks so it won't be terribly illuminating. The parent is likely to be an invitation generator site.
Microsoft Research solved this problem with a growing database by using images from petfinder.com. Since there are always new cats and dogs that need to be adopted, there are an infinite number of changing images. http://research.microsoft.com/asirra/
Imagine yourself in Google's place. You can go up the invitation tree from any node in a single, unique way, and always straight to the very top (or a handful of those). There will be, say, 100 hops from a known bot to the root. Which node is the first human?
In the early days of Gmail, Google required a cell phone number, to which they sent your initial password. One Gmail account per phone. Maybe they need to go back to that.
Sure, spammers could buy stacks of SIM cards, but that costs money.
Which of the following would you most prefer?
A) A puppy, B) A pretty flower from your sweety, or C) A large properly formatted data file?
Choose!
how does the joke go? oh "in so*** ** captcha reads you" right? still have the hardon for the joke? let me update it for you. Russian programmers that make bots that read captcha spam YOU. 1 in 5 success rate, nice. so how many per minute per host? how many hosts again? p.s. so what that there is a virus named after me :)
Dont Judge The situation by the Misfortunate. Goga.
I'd say their system has been broken for many months now. I resisted doing content filters for a long time on my server, but I finally had to give in when gmail started blasting me (some users were getting 20+ pill spams a day from gmail alone), and ignored (as they always have) all abuse@ emails.
Google has gotten REALLY bad in the past few years about preventing abuse of their systems.
Lawyers, MBA's, RIAA? A jedi fears not these things!
This may be an answer: Inverted Turing logic and optical illusion: http://portal.acm.org/citation.cfm?id=1080441&dl=GUIDE&coll=GUIDE/
Where it says: As a failing peculiar to human, or animate, visual systems, visual illusions might be also employed to distinguish humans from robots, "computer bots", or any other artificial intelligence empowered with a visual capacity. Any such artificial entity is unlikely to suffer the same visual illusions as our own, unless, of course, it has been specifically engineered to do so. The approach here inverts, and complements, the logic of the Turing test (Turing 50) since it does not require evidence of an intelligent capacity equivalent to that of human beings, but rather evidence of a characteristic human failing - to err is human....
Artificial intelligence is the study of how to make real computers act like the ones in the movies.
Invitation system is old, you have been able to register to gmail for a long time using the... well... captcha.
Now, if I'll just be able to read the word below... criers?
Porntcha slashdot style 1: Just how many libraries of congress would fit in this anus?
Porntcha slashdot style 2: How many girls can you see using this cup?
Porntcha slashdot style 3: What marine animal is this girl trying to emulate in the tub?
If you have no idea what images/movies these questions refer to, consider yourself lucky.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
You wouldn't even need to make a regular usage charge - a spammer that has to make any form of payment to create an email account is just not going to go any further.
Gentoo Linux - another day, another USE flag.
"Websense is reporting that Gmail's CAPTCHA has been broken, and that the bots are beginning to sign up with a one in five success",
when you read that as a first line, the whole article becomes much more mysterious:
Oh no, the bots are taking over !
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Increasing armor strength leads to increasing attack strength and vice versa. We are doomed. I have just read that we are going to die in 7.6B years and now this... Good job, /.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
50 years ago, human level AI was 10 years away, so I won't worry too much.
Of course, any current captchas could eventually be broken by the right algorithm and enough brute force so stupidly copying a word would no longer be a proof of intelligence.
HYPNOTISING KITTEN OVERLORDS?
They'll want the right to vote on George X. Bush, watch Idols and read up about Paris Hilton.
I heartily endorse this product and/or service!
What's the point of blurring address of the page with FAQ in russian, when simple googling with parts of the text return this and only this page? If anybody's interested, http://faq.890m.com/
It's pretty hard to read those captcha's, so it's helpful if you have such a recognition tool to show you what's in there.
It hardly matters... just shoot them all.
It's not wasting time, I'm educating myself.
...we keep creating smarter CAPTCHAs, which are in turn broken by smarter programs. I'd really hate for the first programs to become sentient and self-aware to be spambots.
The freeing up of bandwidth from the deaths of these leeches would lead to such massive leaps in bandwidth we could actually have something like a global information economy that might survive the loss of fossil fuels. So, when a bunch of islamic extremists scream "DEATH TO AMERICA" america can scream "DEATH TO SPAMMERS" which is something even the islamic extremists can dig. In fact, the USA could hire them to hunt down and slaughter spammers. They would be doing "God's Work" no matter what imaginary friend you consider the Ruler of the Universe. They could form teams of Jihadists and Green Berets busting into suburban homes, guns a-blazing:
"DIE!!! SPAMMER INFIDEL!!!"
"EAT LEAD SPAMMER FUCKWAD!!!"
And with the bullet riddled corpse still twitching, the American and the Jihadi could shake hands and embrace over a job well done.
"Even if you are a disgusting pig eating infidel, you are a good fighter for a noble cause, Imshallah!"
"Yep, my little friend - you might smell like the goats you sleep with, but you can sniff out a spammer better than anyone on the planet! you ROCK little dude!"
And they would grab the cable and get lifted back out through the hole in the roof to the waiting helicopter. Next Mission? Another Spammer - this time in NIGERIA!!!
RS
Shoes for Industry. Shoes for the Dead.
Google and many universities already have programs recruiting people to do things computers can't do well. One of those that Google already uses is image tagging: show images and ask people to write down words for what's in them. So they could simply do this with two or three images they recently obtained good label sets for. They could even throw in a fourth not-yet-labeled image and use the sign-up process to gather new image labels.
There's all sorts of hard problems like this. Another single player game is to show an image with a lot of things in it. Then give a word describing one aspect of the image and ask them to click on the part of the image that conveys that meaning.
Then if you have many concurrent sign-ups there are lots of two player games, both symmetric and asymmetric: a short chat session in the vein of the game "Password", in which one person makes a series of statements about an object ("it is liquid", "it is white", "it is tasty", "you find it in the refrigerator of many homes", "it comes from cows"...) and the other person has to reply with "milk". Then both players are validated.
The last is a very useful AI product by the way especially if the first player is forced to use a controlled grammar where he just fills in some of the nouns or verbs but does not construct the sentence forms. This gathers a set of true assertions about an object that allow computers to learn semantics and meaning.
Some drink at the fountain of knowledge. Others just gargle.
If some people had the time to RTFA, it would be more than clear that the technique being used in this attack is applicable to ANY CAPTCHA SYSTEM, and not only GMAIL's. This is a variation of the widely publicized Chinese CAPTCHA Attack (or Porn Site Attack), where you get cheap labor (Chinese version) or horny fellows (porn site) to answer CAPTCHAs for a prize (money or satisfaction). What happens is that the CAPTCHA Breaking Server offers money to people (redeemable, 3 dollars minimum a day) for answering CAPTCHAs. When Von Ahn formalized the ideas behind the CAPTCHA paradigm he did so to exemplify a concept he calls "Human Computation", using human brain cycles to do jobs that computers are inefficient at (check: www.recaptcha.com ). This is the whole point behind CAPTCHAs, and behind this particular CAPTCHA breaking system. This idea of having a bunch of people answering CAPTCHAs has been discussed since the very beginning of the paradigm. I guess theory becomes practice after all.
these days.
Couldn't Google use their vast database of image tags in reverse. . . as in present the user with an image, then wait for a response that scores highly as a potential tag? This would obviously not defeat the human-automated exploit.
But there is plenty of room for clever solutions to this. For example, when you discover a bot, prune the bot node and the entire subtree rooted at its immediate parent. Mark the grandparent for future use. In the near future, if another bot is discovered as a descendent of the marked node, prune up to that node next time and mark _its_ parent, etc. Eventually, "we'll get to the top of this".
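The escalating prune described in the post above (and the "walk up the invitation tree" idea earlier in the thread) as an added worked example; this is illustrative code written for this page, not anything Google runs, and the invitation tree it builds is constructed sample data with made-up account names:

```python
from collections import defaultdict


class InviteGraph:
    """Who-invited-whom tree: every account except the root has exactly one
    inviter, so walking up from any node reaches the root along a unique path."""

    def __init__(self, edges):
        self.parent = {}
        self.children = defaultdict(set)
        for inviter, invitee in edges:
            self.parent[invitee] = inviter
            self.children[inviter].add(invitee)
        self.suspended = set()   # accounts cut off so far
        self.marked = set()      # ancestors flagged "cut from here next time"

    def subtree(self, node):
        """All accounts reachable downward from node, node included."""
        seen, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            stack.extend(self.children.get(n, ()))
        return seen

    def ancestors(self, node):
        """Parent, grandparent, ... up to the root (nearest first)."""
        chain = []
        while node in self.parent:
            node = self.parent[node]
            chain.append(node)
        return chain

    def handle_bot(self, bot):
        """Apply the escalating prune. Returns (accounts cut, node marked).

        First incident under a parent: cut the parent's whole subtree and mark
        the grandparent.  Later incident under a marked ancestor: cut from that
        ancestor instead and mark one level higher, so repeat offenders pull
        the cut up the tree toward the invitation generator."""
        chain = self.ancestors(bot)
        if not chain:                        # the bot *is* the root
            cut_root, mark = bot, None
        else:
            cut_idx = 0                      # default: the immediate parent
            for i, anc in enumerate(chain):  # highest marked ancestor wins
                if anc in self.marked:
                    cut_idx = i
            cut_root = chain[cut_idx]
            mark = chain[cut_idx + 1] if cut_idx + 1 < len(chain) else None
        pruned = self.subtree(cut_root)
        self.suspended |= pruned
        if mark is not None:
            self.marked.add(mark)
        return pruned, mark


def build_sample():
    """Constructed invitation tree (not real data): generator account 'A' fans
    out through a1/a2/a3 to bot sign-ups; 'B' is an unrelated human branch."""
    edges = [("root", "A"), ("root", "B"),
             ("A", "a1"), ("A", "a2"), ("A", "a3"),
             ("a1", "bot1"), ("a1", "bot2"), ("a2", "bot3"),
             ("B", "b1"), ("b1", "human1")]
    return InviteGraph(edges)


if __name__ == "__main__":
    g = build_sample()
    print(g.handle_bot("bot1"))   # cuts a1's subtree, marks A
    print(g.handle_bot("bot3"))   # A is marked: cuts all of A, marks root
```

The caveat raised elsewhere in the thread still applies: if the bots' invitations came from hijacked human accounts, the first cut lands on a victim's friends, and the spam operation can keep its tree shallow by seeding from other providers, so this is a containment tool rather than a proof of guilt.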
It's ironic that it maybe spammers fighting the computing wars with spammer blockers who may come up with some interesting AI before anyone else does. Of-course in this case it's just human intelligence/willingness to do anything for money that is being used, but still, some interesting research is going into the field of spamming, I am sure.
You can't handle the truth.
It was the blurst of times?!> You stupid monkey!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
I'm so sick of this over-used statistic!
Solve this captcha or I'll delete your computer!!!
[image]
[Text box] [OK]
Ingredients:
1) A web registration form with a CAPTCHA input;
2) 1 easily-OCRed image;
3) Some creative use of JS/CSS
Depending on how much you want to obfuscate, enclose the CAPTCHA input in a DIV tag, and set that div to display: none. The robot will see the image, OCR it, and fill it out.
Then you reject any application that actually has an input for the CAPTCHA.
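The recipe above, generalised into the usual honeypot form field, as an added example (written for this page, not taken from the post or from any product): the decoy input sits in a hidden block next to a bait image, a human never sees or fills it, and the server treats any submission that does fill it as automated. Field names, the form layout and the sample submissions are all constructed for illustration.

```python
import html

DECOY_FIELD = "captcha_answer"        # assumed name, chosen to look like the real thing
REAL_FIELDS = ("username", "password")


def render_signup_form(captcha_image_url="/captcha.png"):
    """Signup form whose 'CAPTCHA' is a decoy.  The div is hidden with CSS and
    marked aria-hidden so screen readers skip it; autocomplete is off so a
    browser's form filler does not trip the trap on a real user."""
    return f"""<form method="post" action="/signup">
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <div style="display:none" aria-hidden="true">
    <img src="{html.escape(captcha_image_url)}" alt="">
    <label>Type the word shown
      <input name="{DECOY_FIELD}" autocomplete="off" tabindex="-1"></label>
  </div>
  <button type="submit">Create account</button>
</form>"""


def classify_submission(form):
    """Return 'bot', 'incomplete' or 'human' for a dict of posted fields.

    The decoy check runs first: only something that read the hidden markup
    (or OCRed the bait image) can have put a value in that field."""
    if form.get(DECOY_FIELD, "").strip():
        return "bot"
    if any(not form.get(f) for f in REAL_FIELDS):
        return "incomplete"
    return "human"


if __name__ == "__main__":
    # Constructed sample submissions.
    print(classify_submission({"username": "alice", "password": "hunter2"}))
    print(classify_submission({"username": "x", "password": "x",
                               DECOY_FIELD: "grafted"}))
```

This only catches bots that fill every input they can parse. A bot driving a real browser engine computes layout and will skip the hidden field, and OCR-for-hire farms never see the form at all, so the honeypot is a cheap first filter in front of a real challenge and rate limiting, not a replacement for them.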
Waiting costs time and increases the chance of getting caught some, particularly if many accounts are created with the same originating IP address. Requiring a minimum amount of traffic spaced over a reasonable period of time also increases the cost and the chance of getting caught. Even better if the messages have to be spaced over time, such as at least 100 messages, but at least 1 message per day for at least 10 mail-sending days spaced over at least 30 calendar days. Requesting access also means more work.
Verifying who you are and where you live greatly increases the chance of getting caught. Spammers who engage in credit-card fraud to bypass this are now committing identity theft and financial crimes, greatly increasing the penalty if they do get caught.
In other words, measures like this and similar measures not mentioned will have a deterrent effect while having little impact on your average user. They will have some impact on people running legitimate mailing lists. The biggest impact will be on people who run large mailing lists anonymously, such as those involved in managing mailing lists for 12-step groups or political dissident groups.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
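The graduated sending limit proposed earlier in the thread (a few dozen messages a day until the account has logged in on 10 distinct days over 30 calendar days, sent 100 distinct messages to a few dozen recipients, and asked for more) and the refinement above (the sending days themselves spread over 30 days), as one added example. This is illustrative policy code written for this page, not any provider's implementation; the numeric thresholds, the `$1 override` flag and the sample accounts are assumptions constructed to exercise the rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy knobs.  The numbers stand in for the thread's "a few dozen" /
# "at least 100" / "10 days over 30" figures and are assumptions.
BASE_DAILY_LIMIT = 50
RAISED_DAILY_LIMIT = 500
MIN_LOGIN_DAYS = 10           # distinct days the user checked mail
MIN_SPAN_DAYS = 30            # ... spread over at least this many calendar days
MIN_DISTINCT_MESSAGES = 100
MIN_DISTINCT_RECIPIENTS = 24  # "a few dozen"
MIN_SENDING_DAYS = 10         # days with at least one outgoing message
SAMPLE_START = date(2008, 2, 1)   # constructed date for the sample accounts


@dataclass
class Account:
    login_days: set                 # set of date
    sent: list                      # list of (date, recipient, message_id)
    requested_raise: bool = False   # the user explicitly asked for more
    paid_override: bool = False     # the "$1 by credit card" escape hatch


def _covers(days, min_days):
    """True if at least min_days distinct days are present and the first and
    last of them are MIN_SPAN_DAYS or more calendar days apart (inclusive)."""
    days = sorted(days)
    return len(days) >= min_days and (days[-1] - days[0]).days + 1 >= MIN_SPAN_DAYS


def unmet_conditions(acct):
    """Which of the raise conditions the account has not yet satisfied."""
    problems = []
    if not _covers(acct.login_days, MIN_LOGIN_DAYS):
        problems.append("login-days")
    distinct_msgs = {mid for _, _, mid in acct.sent}
    recipients = {rcpt.lower() for _, rcpt, _ in acct.sent}
    if len(distinct_msgs) < MIN_DISTINCT_MESSAGES or len(recipients) < MIN_DISTINCT_RECIPIENTS:
        problems.append("message-volume")
    if not _covers({d for d, _, _ in acct.sent}, MIN_SENDING_DAYS):
        problems.append("sending-days")
    if not acct.requested_raise:
        problems.append("not-requested")
    return problems


def daily_limit(acct):
    """Outgoing messages allowed per day under the current reputation."""
    if acct.paid_override or not unmet_conditions(acct):
        return RAISED_DAILY_LIMIT
    return BASE_DAILY_LIMIT


def may_send(acct, today):
    """Gate applied to each outgoing message."""
    sent_today = sum(1 for d, _, _ in acct.sent if d == today)
    return sent_today < daily_limit(acct)


def make_seasoned_account(start=SAMPLE_START):
    """Constructed: 12 login days four days apart (45-day span), 30 messages
    to 30 distinct recipients on each of them, and a raise request."""
    login_days = {start + timedelta(days=4 * i) for i in range(12)}
    sent, n = [], 0
    for d in sorted(login_days):
        for r in range(30):
            sent.append((d, f"user{r}@example.net", f"msg-{n}"))
            n += 1
    return Account(login_days, sent, requested_raise=True)


def make_fresh_account(start=SAMPLE_START):
    """Constructed: a day-old account that has already blasted 80 messages."""
    sent = [(start, f"victim{i}@example.net", f"spam-{i}") for i in range(80)]
    return Account({start}, sent)


if __name__ == "__main__":
    for name, acct in (("seasoned", make_seasoned_account()), ("fresh", make_fresh_account())):
        print(name, daily_limit(acct), unmet_conditions(acct), may_send(acct, SAMPLE_START))
```

The point of the time-span checks is that a bot-created account cannot buy its way past them with CPU: the thirty calendar days have to elapse, during which the account is rate-limited and its originating addresses are accumulating history, which is the "waiting increases the chance of getting caught" argument above.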
http://www.schneier.com/blog/archives/2007/01/how_to_recover.html
Three bucks a captcha? Minimum? Hey, I speak English, and if I can post to /. at work, I can do captchas, and I can do 'em faster than the Russians. Let's see...I can do at least 2 captchas a minute (including breaks), so that comes out to...$360 an hour! I'm in. Someone give me the URL!
Er...that translation is really crucial. Are you sure that was a dollar sign in front of the 3? Or are they perhaps paying in Russian Roubles? That would be considerably less favorable, as the Rouble is going for 24 to the U.S. Dollar. Still...$15/hour...maybe my kid will be interested.
Great men are almost always bad men--Lord Acton's Corollary
http://www.goolag.net/ :-)
I have seen and tried a "solve CAPTCHAs for porn" site. It looks broken now (stuck on the first picture), but when I first found it, via blog spam, it was working.
TFA includes, as one of the benefits of breaking into Google's services that "Second, Google's domains are unlikely to be blacklisted."
While that's currently true, it's not likely to remain so indefinitely. I already operate a killfile rule in my news reader to kill all messages that originate from anyone at "googlegroups.com", because they host far too many spammers and lunatics. I don't see any metaphysical objection to blocking more Google-originated stuff.
Of course, the simplest thing for Google to do would be to stop new sign-ups. They've already got hell-knows-how-many people signed up, so losing a few hundreds of thousands more sign-ups while they get their CAPTCHA engine beefed up shouldn't be a long-term problem.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Speaking of monkeys...
and/or mod me down, off-topic; my karma can take it.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..