Slashdot Mirror


Windows Live Hotmail CAPTCHA Cracked, Exploited

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?

8 of 362 comments

  1. Not the last nail in the coffin by far... by MrKevvy · Score: 5, Informative

    No one has cracked ReCAPTCHA yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

    Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

    From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.

    --
    -- Insert witty one-liner here. --

    1. Re:Not the last nail in the coffin by far... by Starrk · Score: 2, Informative

      As far as I understand, ReCAPTCHA uses standard images... which means it simply cannot be secure. I posted about this a little while ago, but here's what I do as a spammer:

      - Spam lots of people offering free porn - only catch is they have to prove they're not a bot (wouldn't want those bots to see my exclusive porn)
      - When somebody clicks on my link, I immediately go to gmail, start creating an account, and get their captcha
      - I pass this captcha on to my would-be porn viewer
      - And pass his answer back to google - presto, free account

      Kitten Auth and every other practical, free, unintrusive solution I have ever heard of can be broken this way as well.

      Back in the day, I interned at Google on the Checkout project when it was just starting up. The opinion of their security experts on stopping bots? Only way to do it reliably at account creation time is to demand a valid credit card number or a small payment.

  2. "Day Old Bread" in Spamassassin. by khasim · Score: 3, Informative

    Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".
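
A small worked illustration of the domain-age idea behind that rule, added here as an example; it is not SpamAssassin's code and not the Day Old Bread list itself. It folds the hostnames linked in a message body to a registrable domain, looks up each domain's creation date in a constructed in-memory "registry" standing in for WHOIS or the DNS blocklist, and adds a score when any linked domain is younger than an assumed threshold (the 5-day window, the 4.0 score, the fixed "today" and all domains below are assumptions made for the example, not SpamAssassin's configuration).

```python
"""Score a mail body by the registration age of the domains it links to.

Added example, not SpamAssassin's own implementation. The registry,
the "current" date, the threshold and the score are all constructed
or assumed values so the example runs offline and reproducibly.
"""
import re
from datetime import date

# Constructed sample registry: domain -> registration date.
# Stands in for a WHOIS lookup or a recently-registered-domain DNSBL.
SAMPLE_REGISTRY = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 1, 1),
    "fresh-offer.example": date(2008, 4, 13),  # registered one day before NOW
}

# Fixed "today" so ages are reproducible (constructed, not the real clock).
NOW = date(2008, 4, 14)

YOUNG_DOMAIN_DAYS = 5      # assumed threshold for "just registered"
YOUNG_DOMAIN_SCORE = 4.0   # assumed score contribution, not SpamAssassin's

# Capture the host part of http/https URLs in a message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host):
    """Fold a hostname to its last two labels (www.a.example -> a.example).

    Deliberately crude: it does not understand multi-label public suffixes
    such as co.uk, which a production rule would need a suffix list for.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(body):
    """Return the sorted set of registrable domains linked in the body."""
    return sorted({registrable_domain(h) for h in URL_RE.findall(body)})


def domain_age_days(domain, registry=SAMPLE_REGISTRY, today=NOW):
    """Age in days of the domain's registration, or None if unknown."""
    created = registry.get(domain)
    if created is None:
        return None
    return (today - created).days


def score_message(body, registry=SAMPLE_REGISTRY, today=NOW):
    """Return (score, hits) where hits lists (domain, age_days) for every
    linked domain registered within YOUNG_DOMAIN_DAYS. Domains with no
    registry entry are skipped rather than penalised, to avoid false
    positives on lookup failures."""
    hits = []
    for domain in extract_domains(body):
        age = domain_age_days(domain, registry, today)
        if age is not None and age <= YOUNG_DOMAIN_DAYS:
            hits.append((domain, age))
    return (YOUNG_DOMAIN_SCORE if hits else 0.0), hits


# Constructed sample bodies.
SPAM_BODY = ("Free offer! Sign up at http://www.fresh-offer.example/signup now, "
             "or read https://example.com/about first.")
HAM_BODY = "Minutes are at https://example.net/minutes and https://example.com/"

if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        score, hits = score_message(body)
        print(f"{label}: score={score} young_domains={hits}")
```

The spam sample scores 4.0 because `fresh-offer.example` is one day old at the assumed date, while the ham sample scores 0.0. Unknown domains are deliberately left unscored so that a failed lookup does not by itself mark a message as spam.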

  3. Re:Doubtful by John+Hasler · Score: 2, Informative

    > And Microsoft simply allow a new account to be registered every single minute of the day
    > from a single IP address?

    No. The spammers control millions of bots. Each new account application is proxied via a different bot.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  4. Re:Anything is better! by Jafafa+Hots · Score: 5, Informative

    If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register? I'm disabled. The net is a huge boon to the disabled, allowing them to shop more easily, save money because we have limited incomes... learn about things that can help us lead more normal lives, get support from others, get medical information, entertain ourselves since maybe we can't go jogging or drive to and then pay for a movie, etc.

    I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.

    And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.

    What sites might they be trying to get into? Well, Slashdot.org, for example.

    --
    This space available.

  5. Re:Awesome article by kcbanner · Score: 4, Informative

    These are used by botnets, usually the user has no idea this is running on their PC. Also, there is such a vast number of PCs, many of which could be behind a corp firewall or gateway. Blocking by IP has never worked in the long term.

    --
    Obligatory blog plug: http://www.caseybanner.ca/

  6. Re:Anything is better! by Extide · Score: 2, Informative

    Generally the people who are blind and use the computer use a program called Jaws (or a similar one, but that's the main one, for Windows at least). They get very good at listening to computer-generated voices and usually end up turning up the speed of the Jaws audio playback to speeds that you absolutely can't understand unless you are used to hearing it like that. I have a very close friend who has been completely blind for like 15 years now, and she is a very avid computer user. She has her Jaws speed up pretty high, and also can usually understand those recordings on websites that offer them.

    --
    Technophile

  7. Re:hotmail ? by Tom · Score: 2, Informative

    Maybe you should check the facts. My mail servers process a few thousand mails a day, after greylisting, and almost half of it is spam. I've been running mail servers for over 10 years. Thank you, I know the From: line can be faked; been there, done that.

    I stand by my claim. I don't have recent statistics because I stopped caring a year or two ago, but when those filters went into place, hotmail.com was a major source of spam and other abuses. Also, something in their mail system was broken that caused trouble for mailing lists because they didn't bounce mails properly, but I forgot the details.

    --
    Assorted stuff I do sometimes: Lemuria.org