Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail CAPTCHA Cracked

Posted by kdawson on from the like-dominos dept.

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

6 of 317 comments (clear)

  1. i work with OCR/ICR technology by JeanBaptiste · · Score: 5, Interesting

    and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)

  2. Re:Blurred text == secure?? by kcbanner · · Score: 5, Interesting

    Its funny actually, in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While havening the unblurred image certainly helps, its not necessary.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
  3. Re:CAPTCHA is for weak minds by v1 · · Score: 5, Interesting

    That raises an interesting idea... why not use the capchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

    This accomplishes three goals:
    - fairly effective capchas
    - accomplishes something
    - causes OCR quality to improve (via the hard work of the botnet coders)

    Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

    --
    I work for the Department of Redundancy Department.
  4. Re:Time to ban Microsoft products by TechyImmigrant · · Score: 5, Interesting

    > A linux desktop O/S is just as insecure technically.
    Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.

    >The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

    No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.

    >They're both not secure.
    That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.

    >The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

    Or you might document and analyze your threat model first, before protecting against those threats.

    --
    Evil people are out to get you.
  5. Mechanical Turk by Stan+Vassilev · · Score: 5, Interesting

    If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

    The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".

    When the bot gets the answer in time, it submits the form and there we go, account.

  6. Re:Humans? by karmatic · · Score: 5, Interesting

    Well, it wasn't on a porn site, but I've done proxying of captchas (Proof of Concept) for:

    PayPal
    GMail
    eBay

    It's not hard - use CURL, have it handle cookies. Populate database, give to users (requires decent traffic). My system even used a regex on the registration success page to fail users who failed the captcha.

    Given my system took about half an hour to write, and people are going to lengths like the ones in the article to beat them, it's pretty much a given that people are out there doing it now. FWIW, I was working on ways to watermark a captcha to make the source obvious.