Slashdot Mirror
Gmail CAPTCHA Cracked
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)
I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.
This is a tangent, but I'm curious: this site blurs out a lot of text, presumably for privacy. How secure is that? It seems like it would be fairly easy (given knowledge of the font, which you have from other parts of the screenshot) to figure out what the underlying text is. I wish people would just black out things they don't want you to know.
Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.
I would like to die like my grandfather did - sleeping. And not screaming in terror, like his passengers.
This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?
:) )
(I would imagine that this job would have high turnover
Sigh.
Maybe the days of convenient on-demand service signup are coming to an end. Wikipedia already puts new accounts "on probation" for a few days - they can't edit certain articles and can't create new ones.
I see a time when Google and other free-mail providers limit new accounts to a few dozen outgoing messages a day, and raises the limit only when you've 1) logged in to check mail on 10 different days over at least a 30-day period, 2) sent at least 100 distinct messages to at least a few dozen distinct addresses, and 3) actually requested the limit be raised. Those needing higher limits sooner can pay $1 by credit card to have an override-code mailed to them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It would be too obvious if they were reading the ToS.
The bots pass the MENSA test.
Cue overlords posts in 3...2...1...
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Seriuosly! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuosly growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.
Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".
The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.
I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.
He's getting rather old, but he's a good mouse.
They are an awful abomination on all website usability and is becoming increasingly common they just don't do what they are supposed to do any more.
So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.
My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack then letters and numbers. Most importantly it's cute! So adorable
Dog is my co-pilot.
> A linux desktop O/S is just as insecure technically.
Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.
>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.
No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.
>They're both not secure.
That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.
>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).
Or you might document and analyze your threat model first, before protecting against those threats.
Evil people are out to get you.
If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.
The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".
When the bot gets the answer in time, it submits the form and there we go, account.
If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.
I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.
http://xkcd.com/233/
"Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate.
That's better than I can do reading those damn things!!!
These posts express my own personal views, not those of my employer
You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.
If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.
It would help for rooting out bot accounts.
"Live as if you'll die tomorrow." Ridiculous. You could die later today.
I just checked Google News and there's nothing there about it.
If you want news from today, you have to come back tomorrow.
Why are there so many people compromising web hosting accounts and servers where the admin is running some dinky hosting control panel that allows them to know nothing about the operating system? I think you'll find that all modern operating systems are just as insecure as each other in that the things permitted of a program are far in excess of what is required by the program for its operation. Why does notepad need access to the internet, why does a php application need to be able to run arbitrary commands, etc.
"Let's say I have a CAPTCHA farm where I have 500 guys willing to sit all day typing in letters. I want you to come up with a system design for a service architecture using a REST-based interface where the input is an image file and I can charge $1 buck a pop by accepting POST requests from scumbags all over the Internet and routing the images to the 500 crappy web browsers I have set up in tents for these people." Then you throw the whiteboard marker over to them and watch them madly scribble boxes and clouds and stick figures.
If they do well with that question then you come at them with the followup: "OK, now say I want to lay off these 500 workers and have my service farm its work off to a distributed network of your grandmothers' compromised PCs. How would you design the messaging architecture and what sort of learning algorithm would you use?" Then maybe needle at them a bit about how the billing system works.
Google mail is loved by spammers since gmail does not embed within the SMTP headers any tracking information about the physical client browser's IP address. Hotmail and Yahoo!, with all of their other problems do however by adding X-Originating-Host tags, etc.
By breaking the CAPTCHA the spammers are basically creating the biggest SMTP IP address laundering system available on the net today. Who in their right mind is going to block gmail with the exception of domains that receive small amounts of personal email traffic and temporary IP address repudiation scoring systems like spamcop?
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Unless you spam the invitations to random people as well.
Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.
If I have nothing to hide, don't search me
For syn floods, what do you think would be more effective.. a windows desktop machine on a comcast line, or a collocated linux server?
Lurk around undernet for a while. A large majority of botnet sales that I have seen have been comprised mostly of cracked linux webservers. Why write a worm to harvest windows machines when you can google for as much power as you need?
To prevent capture they dressed as robots, and were stopped at the city gates by two gate robots who administered a PuppyAuth-based anti-Turing test:
John
Microsoft Research solved this problem with a growing database by using images from petfinder.com. Since there are always new cats and dogs that need to be adopted, there are an infinite number of changing images. http://research.microsoft.com/asirra/
Imagine yourself in Google's place. You can go up the invitation tree from any node in a single, unique way, and always straight to the very top (or a handful of those). There will be, say, 100 hops from a known bot to the root. Which node is the first human?
>> A linux desktop O/S is just as insecure technically.
>Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see >Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.
You are taking things out of context. You don't need root privileges at all to make a botnet to work.
>>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big >city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were >from Ebay.
>No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.
I repeat, the privilege level is irrelevant for a worm to infect your computer, they can even run as any user. You can infect your computer using any popular desktop application that faces the internet, think web browsers.
Google and many other universities already have program in recruiting people to do things computers can't do well. One of those that google already uses is image tagging. Show images and ask people to write down words of what's in them. So they could simply do this with two or three images they recently obtained good label sets for. They could even throw in a fourth not-yet known labeled image and use the sign-up process to gather new image labels.
There's all sorts of hard problems like this. Another single player game is to show an image with a lot of things in it. Then give a word describing one aspect of the image and ask them to click on the part of the image that conveys that meaning.
The if you have many concurrent sign-ups there lots of two player games both symmetric and assymetric. a short chat session in the vein of the game "password" in which one person makes a series statements about an object ("it is liquid", it is white, it is tasty, you find it in the refrigerator of many homes", it comes from cows....) and the other person has to reply with "milk". Then both players are validated.
The last is a very useful AI product by the way especially if the first player is forced to use a controlled grammar where he just fills in some of the nouns or verbs but does not construct the sentence forms. This gathers a set of true assertions about an object that allow computers to learn semantics and meaning.
Some drink at the fountain of knowledge. Others just gargle.
Ingredients:
1) A web registration form with a CAPTCHA input;
2) 1 easily-OCRed image;
3) Some creative use of JS/CSS
Depending on how much you want to obfuscate, enclose the CAPTCHA input in a DIV tag, and set that div to display: none. The robot will see the image, OCR it, and fill it out.
Then you reject any application that actually has an input for the CAPTCHA.