Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail CAPTCHA Cracked

Posted by kdawson on from the like-dominos dept.

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

26 of 317 comments (clear)

  1. i work with OCR/ICR technology by JeanBaptiste · · Score: 5, Interesting

    and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)

    1. Re:i work with OCR/ICR technology by martin-boundary · · Score: 5, Informative
      Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

    2. Re:i work with OCR/ICR technology by palegray.net · · Score: 5, Funny

      It's actually being cracked by a million monkeys clattering away at a million typewriters. Pretty hard to defeat that.

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    3. Re:i work with OCR/ICR technology by Z80xxc! · · Score: 5, Insightful

      TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

      Ummmm... I'm not so sure about that. OK, google's captcha's are pretty easy for humans to read, but I've often had to try literally 6 different captcha's on some sites. Yes, really.

    4. Re:i work with OCR/ICR technology by martin-boundary · · Score: 5, Informative

      TFA says this is a service SELLING captcha breaking
      I'm not sure you're right. Why would the page include instructions such as

      In no case do not enter random characters!

      We pay only correctly recognized pictures!

      That sounds more like instructions for people doing the CAPTCHA breaking, no? Unfortunately, I can only go by the English translation, somebody who can read Russian would be useful.

      I'd expect it to do much better than the 20% they cite.
      I can think of various reasons. For example, there might not be somebody at the other end doing the breaking at the exact moment when the bot tries to connect. In that case you'd get ~100% for only part of the day and 0% the rest of the time. 24 * 20% is about 5 hours each day. A part time job?

      It's also true that _average_ people only break CAPTCHAs successfully about 80% of the time. Here's a relevant experiment

      Then there's possible issues with firewalls etc. Some bots are hosted on a zombified PC which could have any kind of restrictions, and it might have trouble dialing one of the the servers, or maybe the server can't respond properly due to inbound filtering.

    5. Re:i work with OCR/ICR technology by MillionthMonkey · · Score: 5, Funny

      Your ideas intrigue me and I wish to subscribe to your newsletter

    6. Re:i work with OCR/ICR technology by EdIII · · Score: 5, Informative

      Don't listen to the trolls, you are not alone at all.

      It really depends on the captcha being used, but the real problem is that a good percentage of the time on the hard captcha's you just cannot make a definitive choice on a single letter.

      That means you got a 50/50 shot of being right on it. If it was 2 letters, which is more rare, now you got a 1/4 chance of being right.

      I have seen some captcha's that are so ridiculous in their attempts at obfuscating the letters, that it is just next to impossible. Maybe that is the whole point too. A strong captcha may be one that a human fails at half the time.

    7. Re:i work with OCR/ICR technology by joe+slacker · · Score: 5, Funny

      Million monkeys with mod points? Waiddaminute!

  2. I liked the invitations only system better by danomac · · Score: 5, Insightful

    I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.

  3. Bots RTFM! by russotto · · Score: 5, Funny

    Curiously, the bots pretend to read the help information while breaking the CAPTCHA
    Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)
  4. Re:Blurred text == secure?? by kcbanner · · Score: 5, Interesting

    Its funny actually, in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While havening the unblurred image certainly helps, its not necessary.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
  5. Well... by Agent.Nihilist · · Score: 5, Funny

    It would be too obvious if they were reading the ToS.

  6. Stop using CAPTCHA! by superash · · Score: 5, Insightful

    Seriuosly! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuosly growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

  7. Re:CAPTCHA is for weak minds by v1 · · Score: 5, Interesting

    That raises an interesting idea... why not use the capchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

    This accomplishes three goals:
    - fairly effective capchas
    - accomplishes something
    - causes OCR quality to improve (via the hard work of the botnet coders)

    Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

    --
    I work for the Department of Redundancy Department.
  8. One step closer... by gnick · · Score: 5, Funny

    I'm surprised they opened it up to the public. This is good. Every time a bot successfully passes itself off as human, I get one step closer to getting my Turing machine.

    I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.
    --
    He's getting rather old, but he's a good mouse.
    1. Re:One step closer... by Anonymous Coward · · Score: 5, Funny

      Any machine smart enough to pass a Turing test will be smart enough not to be your friend. Sorry.

  9. Re:Get off the security high horse. by Scareduck · · Score: 5, Insightful

    Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.
    Yet it is the case that sufficiently large numbers of Windows users are unable to keep their machines secure for a botnet to accomplish this task. The fact that Windows can be made secure does not even remotely mean that this will be done in practice.

    Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.
    I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc. The fact is that it isn't.
    --

    Dog is my co-pilot.

  10. Re:CAPTCHA is for weak minds by PayPaI · · Score: 5, Informative

    http://recaptcha.net/

  11. Re:Time to ban Microsoft products by TechyImmigrant · · Score: 5, Interesting

    > A linux desktop O/S is just as insecure technically.
    Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case is affords simpler accounting of the processes laying around.

    >The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

    No, it is more secure for a some applications because less of the network facing executable code needs to run at as high a privilege level.

    >They're both not secure.
    That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extend to which Windows and Linux compare is quite different for those cases.

    >The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

    Or you might document and analyze your threat model first, before protecting against those threats.

    --
    Evil people are out to get you.
  12. Mechanical Turk by Stan+Vassilev · · Score: 5, Interesting

    If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

    The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".

    When the bot gets the answer in time, it submits the form and there we go, account.

  13. Bots COULD invite themselves, that's not the point by Valacosa · · Score: 5, Insightful

    You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.

    If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitors siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.

    It would help for rooting out bot accounts.

    --
    "Live as if you'll die tomorrow." Ridiculous. You could die later today.
  14. Re:Get off the security high horse. by c0ol · · Score: 5, Insightful

    I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc A botnet developer who hopes to mass a significantly sized network would have no interest in the sub 5% of desktop(read poorly managed, no matter the OS) computers that your niche market segment occupies.
  15. Re:Bots COULD invite themselves, that's not the po by corsec67 · · Score: 5, Insightful

    Unless you spam the invitations to random people as well.

    Then you have problems with just deleting the "root node" account and all of its children. Easier to get rid of a bunch of accounts, but still problematic.

    --
    If I have nothing to hide, don't search me
  16. Re:Get off the security high horse. by Deanalator · · Score: 5, Insightful

    For syn floods, what do you think would be more effective.. a windows desktop machine on a comcast line, or a collocated linux server?

    Lurk around undernet for a while. A large majority of botnet sales that I have seen have been comprised mostly of cracked linux webservers. Why write a worm to harvest windows machines when you can google for as much power as you need?

  17. Futurama to the rescue! by plover · · Score: 5, Funny
    KittenAuth always makes me think of the Futurama episode where the crew had to deliver a package to the uninhabited planet full of robots (sure it's inhabited, like a warehouse is inhabited by boxes).

    To prevent capture they dressed as robots, and were stopped at the city gates by two gate robots who administered a PuppyAuth-based anti-Turing test:

    Robot Guard #1: Be you robot or human?
    Leela: Robot, we be.
    Fry: Yep, just two robots out roboting it up.
    Robot Guard #2: Administer the test.
    Robot Guard #1: Which of these would you prefer? A. a puppy; B. a flower from your sweetie; or C. a properly formatted data file? Choose!
    Fry: Is the puppy mechanical in any way?
    Robot Guard #1: No. It is the bad kind of puppy.
    Leela: Then we'll go with that data file.
    Robot Guard #1: Correct. The flower would have also been acceptable.
    Robot Guard #2: You may pass.
    --
    John
  18. Re:Humans? by karmatic · · Score: 5, Interesting

    Well, it wasn't on a porn site, but I've done proxying of captchas (Proof of Concept) for:

    PayPal
    GMail
    eBay

    It's not hard - use CURL, have it handle cookies. Populate database, give to users (requires decent traffic). My system even used a regex on the registration success page to fail users who failed the captcha.

    Given my system took about half an hour to write, and people are going to lengths like the ones in the article to beat them, it's pretty much a given that people are out there doing it now. FWIW, I was working on ways to watermark a captcha to make the source obvious.