Gmail CAPTCHA Cracked
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.
Seriously! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuously growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.
Dog is my co-pilot.
You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.
If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.
It would help for rooting out bot accounts.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
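A sketch of the invitation-tree tracing this comment describes, added here as an example; it is not code from the thread or from Google. The account graph and the list of known bot accounts are constructed, and the stopping rule (climb while the candidate inviter's subtree is mostly bots) is an assumption.

```python
from collections import defaultdict

# Constructed sample data: account -> the account that invited it (None = root).
INVITES = {
    "root": None,
    "alice": "root", "bob": "root", "carol": "root",
    "b1": "bob", "b2": "bob", "b3": "bob",      # bob handed out three invites
    "b1a": "b1", "b1b": "b1",                   # b1 handed out two more
    "a1": "alice",
}
# Constructed: accounts already confirmed as bots by other means.
KNOWN_BOTS = {"b1a", "b1b", "b2", "b3"}


def children_index(invites):
    """Invert the inviter map so we can walk downwards."""
    kids = defaultdict(list)
    for acct, inviter in invites.items():
        if inviter is not None:
            kids[inviter].append(acct)
    return kids


def subtree(acct, kids):
    """Every account reachable by following invitations from acct (inclusive)."""
    out, stack = set(), [acct]
    while stack:
        a = stack.pop()
        out.add(a)
        stack.extend(kids.get(a, []))
    return out


def trace_progenitor(seed, invites, known_bots, threshold=0.5):
    """Start at a known bot account and step up the invitation tree.
    At each step look at the inviter's whole subtree (the seed's siblings and
    their descendants); keep climbing while at least `threshold` of it is known
    bots. Returns (progenitor_account, accounts_under_it) so the cluster can be
    reviewed or removed as a unit."""
    kids = children_index(invites)
    current = seed
    while (parent := invites.get(current)) is not None:
        tree = subtree(parent, kids) - {parent}
        if len(tree & known_bots) / len(tree) < threshold:
            break
        current = parent
    return current, subtree(current, kids)
```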
Ummmm... I'm not so sure about that. OK, Google's captchas are pretty easy for humans to read, but I've often had to try literally 6 different captchas on some sites. Yes, really.
Unless you spam the invitations to random people as well.
Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.
If I have nothing to hide, don't search me
For SYN floods, what do you think would be more effective... a Windows desktop machine on a Comcast line, or a collocated Linux server?
Lurk around Undernet for a while. A large majority of botnet sales that I have seen have been comprised mostly of cracked Linux webservers. Why write a worm to harvest Windows machines when you can Google for as much power as you need?