Windows Live Hotmail CAPTCHA Cracked, Exploited
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
I call it HAKTCHA -- where you put in all your usernames and passwords in a text file and password-protect the directory with the same code I use on my luggage, "1234". The HAKTCHA then proceeds to download the file from your computer, store it into a database, and verify that you are an actual real-live id10t...which qualifies you to use hotmail.
I think that's the point of rotating the images. At least it adds the difficulty of having to check a bunch of rotations first.
Then they'll add squiggles, so you'll have to do a Monte Carlo weighted scattershot sample of pixels on various rotations, then they'll increase the picture database, then they'll have more spammers working on it...
I think we need to put together a "your post advocates ..." form for CAPTCHAs. I'll kick it off. Add entries as desired.
Your post advocates a/n:
( ) text-recognition- ( ) object-recognition- ( ) word-problem- ( ) registration-
based test for keeping out spambots. Your idea will not work. Here is why it won't work:
( ) It would force users to strain too hard to pass.
( ) Most humans wouldn't pass.
( ) It can be farmed out to India.
( ) It would violate the ADA or accessibility standards.
Specifically, your plan fails to account for:
( ) The inability of humans to distinguish across arbitrarily-small differences.
( ) Non-native speakers trying to use the forum.
( ) Requirement to continually update the database.
( ) This recent advance in AI: _______
( ) The possibility of someone passing the test questions right on down to a human wanting access to a different restricted area.
( ) Botnets with more computational power than the world's top ten supercomputers put together.
Additionally, the following philosophical objections may also apply:
( ) Why should I have to learn esoteric cultural knowledge to make a post?
( ) Why should I have to give you my email address to post?
( ) Blurry images suck.
Finally, here is what I think of you:
( ) Nice try, but probably won't work.
( ) dddod dydodud dldidkded drdedadddidndgd dtdhdidsd,d dadsdsdhdodlded?
Apology to Ubuntu forum.
> What sites might they be trying to get into? Well, Slashdot.org, for example.
I'm also one of those. The crappy captcha here usually takes me five or six tries. I don't understand why such a huge barrier to contributors was added to this site. Usually I start a reply and then give up before successfully posting because of the horrific one here.
The "You failed to confirm you are a human" error message makes it insulting. So according to this site I'm a subhuman because I can't read that crappy image.