Slashdot Mirror


Gmail CAPTCHA Cracked

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

20 of 317 comments

  1. I liked the invitations only system better by danomac · · Score: 5, Insightful

    I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.

    1. Re:I liked the invitations only system better by DigitalisAkujin · · Score: 1, Insightful

      Yeah, 'cause bots can't invite themselves... lol

  2. Stop using CAPTCHA! by superash · · Score: 5, Insightful

    Seriously! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuously growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

    1. Re:Stop using CAPTCHA! by Anonymous Coward · · Score: 1, Insightful

      Matching pictures makes it easy to make a random guess and get an acceptable success rate.

    2. Re:Stop using CAPTCHA! by evanbd · · Score: 4, Insightful

      Just use kittens instead...

      The idea is to present a 3x3 grid of images and have the user select the 3 kittens from the 9 fuzzy animals. That's something computers are still quite bad at... Though you probably need to change the probability of getting it by random luck to be worse than 1/84, in practice.
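Putting numbers on the two replies above (the random-guess objection and the 1/84 figure for a 3x3 grid with 3 targets): the following is an added example, not code from the article or from any of the posters. It generalises the grid to n images with k targets, chains several grids in a row, and compares the attacker's cost per account against the one-in-five OCR rate the summary quotes. All inputs are constructed.

```python
from math import ceil, comb, log


def guess_rate(n_images: int, n_targets: int) -> float:
    """Chance that one uniformly random pick of n_targets cells out of
    n_images is exactly the correct set (no partial credit given)."""
    return 1.0 / comb(n_images, n_targets)


def chained_rate(n_images: int, n_targets: int, rounds: int) -> float:
    """Chance of passing `rounds` independent grids in a row, which is what
    a site does if it wants the guess rate 'worse than 1/84'."""
    return guess_rate(n_images, n_targets) ** rounds


def rounds_for_target(n_images: int, n_targets: int, max_rate: float) -> int:
    """Smallest number of consecutive grids that brings random-guess success
    down to max_rate or below."""
    rounds = 1
    while chained_rate(n_images, n_targets, rounds) > max_rate:
        rounds += 1
    return rounds


def expected_attempts(per_attempt_rate: float) -> float:
    """Mean number of submissions per account gained (geometric mean)."""
    return 1.0 / per_attempt_rate


def attempts_for_confidence(per_attempt_rate: float, confidence: float) -> int:
    """Submissions a bot needs before it has passed at least once with the
    given probability: P(at least one pass in n tries) >= confidence."""
    return ceil(log(1.0 - confidence) / log(1.0 - per_attempt_rate))


if __name__ == "__main__":
    ocr = 0.20                      # rate quoted for the Gmail break
    kittens = guess_rate(9, 3)      # 1/84, the figure in the comment
    print(f"OCR bot: {expected_attempts(ocr):.0f} attempts per account, "
          f"{attempts_for_confidence(ocr, 0.99)} tries for 99% of one pass")
    print(f"3x3 grid, guess only: {expected_attempts(kittens):.0f} attempts "
          f"per account, {attempts_for_confidence(kittens, 0.99)} tries for 99%")
    print(f"grids in a row needed for guess rate <= 1e-4: "
          f"{rounds_for_target(9, 3, 1e-4)}")
```

The point the numbers make: with no rate limiting, a pure guesser on a single 3x3 grid pays about 84 submissions per account instead of 5, which is better than the broken text CAPTCHA but still cheap for a botnet; only chaining grids (or throttling per source) pushes the cost into a range that hurts.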

  3. Re:Get off the security high horse. by Scareduck · · Score: 5, Insightful

    > Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

    Yet it is the case that sufficiently large numbers of Windows users are unable to keep their machines secure for a botnet to accomplish this task. The fact that Windows can be made secure does not even remotely mean that this will be done in practice.

    > Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

    I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc. The fact is that it isn't.
    --

    Dog is my co-pilot.

  4. Bots COULD invite themselves, that's not the point by Valacosa · · Score: 5, Insightful

    You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.

    If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitor's siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.

    It would help for rooting out bot accounts.

    --
    "Live as if you'll die tomorrow." Ridiculous. You could die later today.
  5. Re:Get off the security high horse. by c0ol · · Score: 5, Insightful

    > I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc

    A botnet developer who hopes to amass a significantly sized network would have no interest in the sub 5% of desktop (read: poorly managed, no matter the OS) computers that your niche market segment occupies.
  6. Re:Time to ban Microsoft products by Architect_sasyr · · Score: 2, Insightful

    Not true. You can convince someone to install the Ethernet plug with the right time and motivation.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  7. Re:i work with OCR/ICR technology by 1u3hr · · Score: 4, Insightful
    > Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

    I doubt it.

    TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

  8. Re:Quite likely by Frosty+Piss · · Score: 3, Insightful

    > How you could earn your keep trying to submit advertising links to pages all day long, I have no idea.

    "Third World" countries.
    --
    If you want news from today, you have to come back tomorrow.
  9. Re:i work with OCR/ICR technology by Z80xxc! · · Score: 5, Insightful

    > TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

    Ummmm... I'm not so sure about that. OK, Google's CAPTCHAs are pretty easy for humans to read, but I've often had to try literally 6 different CAPTCHAs on some sites. Yes, really.

  10. Re:Get off the security high horse. by Cozminsky · · Score: 4, Insightful

    Why are there so many people compromising web hosting accounts and servers where the admin is running some dinky hosting control panel that allows them to know nothing about the operating system? I think you'll find that all modern operating systems are just as insecure as each other in that the things permitted of a program are far in excess of what is required by the program for its operation. Why does Notepad need access to the internet, why does a PHP application need to be able to run arbitrary commands, etc.

  11. Re:Bots COULD invite themselves, that's not the po by corsec67 · · Score: 5, Insightful

    Unless you spam the invitations to random people as well.

    Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.

    --
    If I have nothing to hide, don't search me
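The invitation-tree idea in comment 4 and the objection in comment 11 (a spammer can also invite random real people, so the "root node" subtree is not uniformly bot) lend themselves to a small worked example. The following is added here and is not code from the article, from Google, or from either poster; the accounts, invitations and the set of already-caught bots are constructed, and the threshold and minimum subtree size are arbitrary tuning knobs. It climbs from each known bot account while the enclosing invitation subtree is still mostly bots, reports the highest such ancestor, and then separates the accounts in that subtree into "disable" (already caught) and "review" (possibly a real person who accepted a spammed invite) rather than deleting the whole subtree.

```python
from collections import defaultdict

# Constructed sample: (account, inviter); inviter None = signed up directly.
INVITES = [
    ("alice", None), ("bob", "alice"), ("carol", "alice"),
    ("dave", "bob"), ("erin", "bob"),
    ("spam1", "carol"), ("spam2", "carol"), ("spam3", "carol"),
    ("spam4", "spam1"), ("spam5", "spam1"), ("spam6", "spam2"),
    ("mallory", None), ("spam7", "mallory"), ("spam8", "mallory"),
    ("grandma", "mallory"),   # a real user who accepted a spammed invitation
    ("spam9", "spam7"),
]
# Accounts already caught sending spam (constructed, deliberately partial:
# an abuse team never has the complete list).
KNOWN_BOTS = {"spam3", "spam4", "spam5", "spam6", "spam7", "spam8", "spam9"}


def build_tree(invites):
    """Parent map and children map from (account, inviter) pairs."""
    parent, children = {}, defaultdict(list)
    for acct, inviter in invites:
        parent[acct] = inviter
        if inviter is not None:
            children[inviter].append(acct)
    return parent, children


def subtree(children, root):
    """All accounts descending from root, root included."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(children.get(node, ()))
    return seen


def bot_fraction(children, root, known_bots):
    members = subtree(children, root)
    return len(members & known_bots) / len(members)


def suspicious_roots(parent, children, known_bots, threshold=0.5, min_size=3):
    """Climb from each known bot while the enclosing invitation subtree is at
    least `threshold` known bots (and big enough to mean anything). Return the
    highest ancestor that still qualifies for each cluster."""
    roots = set()
    for bot in known_bots:
        node, best = bot, None
        while node is not None:
            members = subtree(children, node)
            mostly_bots = (len(members) >= min_size and
                           len(members & known_bots) / len(members) >= threshold)
            if mostly_bots:
                best = node
            elif best is not None:
                break            # fraction dropped below threshold: stop climbing
            node = parent.get(node)
        if best is not None:
            roots.add(best)
    return roots


def triage(parent, children, known_bots, **kw):
    """Per flagged subtree: accounts to disable now, and accounts that may be
    real users (the spammed-invite case) and so need review, not deletion."""
    out = {}
    for root in suspicious_roots(parent, children, known_bots, **kw):
        members = subtree(children, root)
        out[root] = {"disable": sorted(members & known_bots),
                     "review": sorted(members - known_bots)}
    return out


if __name__ == "__main__":
    parent, children = build_tree(INVITES)
    for root, groups in sorted(triage(parent, children, KNOWN_BOTS).items()):
        print(root, groups)
```

On the constructed data the climb from the bots under carol stops at carol, because alice's whole subtree is only 4 of 11 known bots (bob's branch is clean); mallory is flagged, but grandma lands in the review list instead of being deleted with the rest, which is the corsec67 objection handled explicitly.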
  12. Re:Get off the security high horse. by Deanalator · · Score: 5, Insightful

    For SYN floods, what do you think would be more effective.. a Windows desktop machine on a Comcast line, or a colocated Linux server?

    Lurk around Undernet for a while. A large majority of botnet sales that I have seen have been composed mostly of cracked Linux web servers. Why write a worm to harvest Windows machines when you can Google for as much power as you need?

  13. MSR Asirra by xswl0931 · · Score: 3, Insightful

    Microsoft Research solved this problem with a growing database by using images from petfinder.com. Since there are always new cats and dogs that need to be adopted, there are an infinite number of changing images. http://research.microsoft.com/asirra/

  14. Re:Time to ban Microsoft products by TheLink · · Score: 2, Insightful

    No idea, I see all sorts of strange claims in spam and phish mails all the time. Believe me, lots of people just click on anything. And some even jump through hoops to get infected; not sure if you remember the malware that spread via password-protected zip files (the user has to type in the password, open it and get infected). Amazing but true.

    There have been plenty of exploitable Firefox bugs. Most desktop Linux users don't run Firefox using a separate user from the user account that holds their important information - work, private data etc.

    But even running as a separate user leaves you vulnerable if you are using a kernel that's vulnerable to the vmsplice kernel bug or other similar bugs.

    For untrusted sites I currently use IE in a VMware virtual machine; while that's vulnerable to VM bugs and CPU bugs, I'm currently betting that most attackers won't bother exploiting that yet. The vmsplice kernel bug has exploit code out already, and it's not very kernel version specific either.

  15. Re:Time to ban Microsoft products by rgo · · Score: 4, Insightful

    >> A Linux desktop O/S is just as insecure technically.
    > Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than Windows, see Sony rootkit for an example). In the external case it affords simpler accounting of the processes lying around.

    You are taking things out of context. You don't need root privileges at all to make a botnet to work.

    >> The Linux (and Apple) desktops are just more secure for the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from eBay.

    > No, it is more secure for some applications because less of the network facing executable code needs to run at as high a privilege level.

    I repeat, the privilege level is irrelevant for a worm to infect your computer, they can even run as any user. You can infect your computer using any popular desktop application that faces the internet, think web browsers.

  16. Re:Bots RTFM! by MORB · · Score: 4, Insightful

    Maybe they already do.

  17. Re:i work with OCR/ICR technology by Marcos+Eliziario · · Score: 2, Insightful

    Promise to show them some porn, and you'll get your million typist monkeys in a really short amount of time.

    --
    Your ad could be here!