Slashdot Mirror


Windows Live Hotmail CAPTCHA Cracked, Exploited

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?


  1. Awesome article by kcbanner · · Score: 5, Interesting

    One of the best 'exploit' related articles I've seen on /. for awhile. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
    1. Re:Awesome article by caramelcarrot · · Score: 4, Interesting

      Uh, so what's to stop google/MS/Yahoo just blocking each ip from signing up if it's having a high CAPTCHA failure rate, and attempting to create a large number of accounts in a short amount of time?

    2. Re:Awesome article by kcbanner · · Score: 4, Informative

      These are used by botnets, usually the user has no idea this is running on their PC. Also, there is such a vast number of PCs, many of which could be behind a corp firewall or gateway. Blocking by IP has never worked in the long term.

      --
      Obligatory blog plug: http://www.caseybanner.ca/
    3. Re:Awesome article by terminal.dk · · Score: 2, Interesting

      It is not about failure rate, it is about # of accounts created. If more than 10 are created from a single IP address any day, then they could be supervised for correct behaviour (how are they used? Sending to each other is typical). If one of them is used to send spam, just de-activate all (or reset their passwords) created the same day from the same IP.

      The CAPTCHA makes it more difficult for the script kiddie to create many accounts. But the logic should be in fingerprinting the account instead.
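The cohort rule proposed in the comment above, as an added example that is not part of the original thread: signups are grouped by IP and day, cohorts of more than 10 accounts are supervised, and one spam report against a member deactivates the whole cohort. The record layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# "If more than 10 are created from a single IP address any day" (from the comment).
COHORT_THRESHOLD = 10


@dataclass(frozen=True)
class Signup:
    account: str       # account name (hypothetical field)
    ip: str            # source IP recorded at signup (hypothetical field)
    created: datetime  # signup time; the calendar day of this value defines the cohort


def build_cohorts(signups):
    """Group account names by (signup IP, signup day)."""
    cohorts = defaultdict(set)
    for s in signups:
        cohorts[(s.ip, s.created.date())].add(s.account)
    return dict(cohorts)


def supervised_cohorts(cohorts, threshold=COHORT_THRESHOLD):
    """Cohorts large enough to be watched: strictly more than `threshold` accounts."""
    return {key: members for key, members in cohorts.items() if len(members) > threshold}


def internal_mail_ratio(members, mail_log):
    """Share of mail sent by cohort members that goes to other members.

    The comment names "sending to each other" as typical behaviour of
    bulk-created accounts; a high ratio is a supervision signal, not proof.
    """
    sent = [(src, dst) for src, dst in mail_log if src in members]
    if not sent:
        return 0.0
    return sum(1 for _, dst in sent if dst in members) / len(sent)


def cohort_deactivations(signups, spam_reports, threshold=COHORT_THRESHOLD):
    """Accounts to deactivate (or password-reset) under the cohort rule.

    One spam-reported member condemns every account in its supervised cohort.
    Reported accounts in small cohorts are left to ordinary per-account handling.
    """
    doomed = set()
    for members in supervised_cohorts(build_cohorts(signups), threshold).values():
        if members & spam_reports:
            doomed |= members
    return doomed


# --- Constructed sample data (documentation-range IPs, invented account names) ---
_DAY = datetime(2008, 4, 15, 9, 0)
SIGNUPS = (
    # 12 accounts from one IP on one day: a supervised cohort
    [Signup(f"bot{i:02d}", "203.0.113.7", _DAY + timedelta(minutes=i)) for i in range(12)]
    # same IP, next day: a different cohort
    + [Signup("late01", "203.0.113.7", _DAY + timedelta(days=1))]
    # three people behind one office gateway: below the threshold
    + [Signup(name, "198.51.100.20", _DAY + timedelta(hours=h))
       for h, name in enumerate(["alice", "bob", "carol"])]
)
MAIL_LOG = [  # (sender, recipient)
    ("bot00", "bot01"),
    ("bot01", "bot02"),
    ("bot02", "bot00"),
    ("bot03", "victim@example.net"),
    ("alice", "friend@example.org"),
]
SPAM_REPORTS = {"bot03", "carol"}  # accounts reported for sending spam

if __name__ == "__main__":
    watched = supervised_cohorts(build_cohorts(SIGNUPS))
    for (ip, day), members in watched.items():
        ratio = internal_mail_ratio(members, MAIL_LOG)
        print(f"{ip} {day}: {len(members)} accounts, internal mail ratio {ratio:.2f}")
    print("deactivate:", sorted(cohort_deactivations(SIGNUPS, SPAM_REPORTS)))
```

As the replies in this thread point out, a botnet that registers one account per IP produces cohorts of size one, which this rule never supervises.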

  2. Anything is better! by RingDev · · Score: 5, Insightful

    KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Anything is better! by rrahimi · · Score: 5, Insightful

      Not all of these solutions provide an acceptable level of accessibility, and that's a major concern.

    2. Re:Anything is better! by Nos. · · Score: 2, Insightful

      I had been working on a community driven system of identifying media. It had the benefit of being useable by vision or hearing impaired persons. Users could upload a piece of media (generally audio or a picture). Users would then submit their best identification of that media. For example, you could have a picture of a cow. Users would submit "Cow", "Mammal", "Bovine", etc, or in the case of audio, it could be as simple as repeating the words in the audio, or answering a simple math test.

      Another advantage, at least of the pictures, would be that it could handle multiple languages. The audio could simply be tagged as "en" or "fr".

      The idea was then that a site owner could insert a bit of code to request the media, any language preference, and a list of the top n answers. They display the media in place of a captcha. The user submits the form, as well as their answer. Their answer is compared to the list of top n answers.

      The system I was building would host all the media, so web masters would not incur extra bandwidth. Filenames would be randomly chosen, and changed on a regular basis.

      Maybe I should resurrect it.

    3. Re:Anything is better! by gnick · · Score: 2, Insightful

      If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?

      --
      He's getting rather old, but he's a good mouse.
    4. Re:Anything is better! by Intron · · Score: 4, Funny

      Your insurance company's eyesight benefits claim form?

      --
      Intron: the portion of DNA which expresses nothing useful.
    5. Re:Anything is better! by RingDev · · Score: 4, Insightful

      As opposed to the level of accessibility CAPTCHAs provide to blind/limited sight individuals?

      And have you ever tried the audio CAPTCHAs? Talk about horrendous.

      Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.

      Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    6. Re:Anything is better! by Anonymous Coward · · Score: 2, Funny

      A Helen Keller fansite?

    7. Re:Anything is better! by AmaDaden · · Score: 4, Insightful

      Yeah but all 'are you human' tests so far are crackable. The crack for the kitten test is to record all the unique pictures by constantly hitting the site and then mark the ones that are kittens manually. So when your bot goes there he only needs to compare the pictures he has that he knows are kittens to the ones he sees.

      Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.

    8. Re:Anything is better! by Jafafa+Hots · · Score: 5, Informative

      If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?

      I'm disabled. The net is a huge boon to the disabled, allowing them to shop more easily, save money because we have limited incomes... learn about things that can help us lead more normal lives, get support from others, get medical information, entertain ourselves since maybe we can't go jogging or drive to and then pay for a movie, etc.

      I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.

      And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.

      What sites might they be trying to get into? Well, Slashdot.org, for example.

      --
      This space available.
    9. Re:Anything is better! by fm6 · · Score: 4, Funny

      Math tests are OK if you just want to keep link spam off your bulletin board. But if you're running web email or some other high-volume web-based application, you need something harder to automate. Alas, even captcha isn't hard enough.

      Perhaps you're celebrating the fact that captcha images will go away. Don't. They'll just be replaced by something even more obnoxious. Either that, or the application will just close shop. Either way, you're the one that loses.

      Spam is totally out of control, just now I....
      Check our wide variety of ED products!
      http://discountcanadiania.0catch.com/

      All of them and our new remedies at
      the lowest possible prices on the Web.

      Get the best at the best prices!

    10. Re:Anything is better! by ne0n · · Score: 3, Funny

      And there are many kinds of disability, some from brain damage [...]
      What sites might they be trying to get into? Well, Slashdot.org, for example.
      They're already here.
      --
      $ :(){ :|:& };:
    11. Re:Anything is better! by Anonymous Coward · · Score: 2, Insightful

      Yeah but all 'are you human' tests so far are crackable.

      "The giant green dragon breathed fire at the horrified princess as the chivalrous knight drew his bowstring. What word in the previous sentence describes the emotional state of the female?"

      It is actually not that hard to write a program which is capable of GENERATING such challenges. It is much, much harder to write a program which is capable of comprehending them and answering the question. It does not depend on the ability to see or even hear, just the ability to somehow input the sentence into your brain and comprehend it.

    12. Re:Anything is better! by thegux · · Score: 2, Insightful

      From what I've seen of these KittenAuth things, though I don't know much about them, you're given 9 pictures, 3 of which are kittens, and you're asked to identify them? By my reckoning, the probability of any arbitrary 3 pictures being the 3 kittens is 1/84 (9C3), which I don't think is that small. You probably wouldn't get 1400 accounts a day out of it, but you'd get enough for it to be a problem.

    13. Re:Anything is better! by Anonymous Coward · · Score: 2, Funny

      Perhaps the best way to solve this is to enclose say 10 different animals in small cages with cameras fixed on them; allowing about 20-30cm of free movement.

      The pictures will be different each time.

      Martin

    14. Re:Anything is better! by tehniobium · · Score: 2, Insightful

      If they tracked it to an IP (gee, 10.25.7.8.9 has registered 1400 accounts today!), now that I can see.
      Now that would be clever apart from the fact that these guys have botnets and therefore thousands of IPs to use when creating accounts.

      Call me insane but I think the only long term solution we will ever find is manual moderation of account creation.

      The alternative would be creating a more restricted relation between ip and computer. That way the ip user could be held responsible OR made aware of his/her malware problem.
      --
      No kitty, this is my pot pie!
    15. Re:Anything is better! by Extide · · Score: 2, Informative

      Generally the people who are blind and use the computer use a program called Jaws (or a similar one, but that's the main one, for Windows at least). They get very good at listening to computer generated voices and usually end up turning up the speed of the Jaws audio playback to speeds that you absolutely can't understand unless you are used to hearing it like that. I have a very close friend that has been completely blind for like 15 years now, and she is a very avid computer user. She has her Jaws speed up pretty high, and also can usually understand those recordings on websites that offer them.

      --
      Technophile
    16. Re:Anything is better! by Hal_Porter · · Score: 2, Interesting

      I'm sure you'll change your tune if something goes wrong with your senses.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    17. Re:Anything is better! by jmcnaught · · Score: 2, Insightful

      Wow... I'm guessing you're really young and naive perhaps? Maybe you're just not aware what a hateful message it is you've just posted.

      If a law were passed requiring business owners to install wheel-chair accessible ramps, does that count as the economy being dragged down? What about accessible bathrooms? Making websites accessible should be a lot easier than making mortar and brick spaces, so I don't really see what the big deal is.

      And what exactly do you mean by purged? Asphyxiation trucks.. or left to die on their own?

      Having "no respect whatsoever for those who just whine and try and get everyone to change to fit them" is a lot like saying that our society is perfect as it is and the criticism of those you perceive as weaker is invalid. Did you consider for a minute that the disabled you'd like to purge might have so much else to offer that even with the expense of accessibility factored in they bring a net benefit?

  3. Re:Great by Lovedumplingx · · Score: 3, Funny

    Well if God kills a kitten every time I...uh...yeah...then I guess I'm killing the kittens.

  4. Don't need new auth by Intron · · Score: 4, Interesting

    What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.

    --
    Intron: the portion of DNA which expresses nothing useful.
    1. Re:Don't need new auth by Anonymous Coward · · Score: 2, Insightful
      So what would stop me creating a batch of 1000 accounts, and just keeping them dormant for two weeks before sending them into battle?

      I could even have them send mail to each other to lend a thin veneer of realism to discourage the account provider just wiping them automatically.

    2. Re:Don't need new auth by quanticle · · Score: 2, Insightful

      The issue with your solution is that it completely destroys the reliability of the e-mail system. The reason we use e-mail is because we are certain that the messages we send will arrive in a timely, reliable fashion. If you remove that guarantee, then why would anyone use e-mail?

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
  5. 10 worst CRAPtchas by zymano · · Score: 4, Funny
    1. Re:10 worst CRAPtchas by Idiomatick · · Score: 4, Funny

      Oh and http://random.irb.hr/signup.php for math problem captcha...

  6. Re:Great by esocid · · Score: 3, Interesting

    Here's an alternate site explaining it. (Sorry for the blog, but everywhere else redirects to pcspy.)
    If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.

    --
    Absolute power corrupts absolutely. indymedia
  7. Kitten Auth by moderatorrater · · Score: 5, Funny

    Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHAs have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.

    While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?

    They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.

    1. Re:Kitten Auth by Farmer+Tim · · Score: 2, Funny

      Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.

      So eventually computers will be able to surf for pr0n by themselves.

      The nerd's lot just keeps getting worse...

      --
      Blank until /. makes another boneheaded UI decision.
    2. Re:Kitten Auth by drawfour · · Score: 5, Insightful

      Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.
      Then a computer will be able to discern spam, and the problem will solve itself. Until we get to that point, though, we have to keep one-upping the spammers.
    3. Re:Kitten Auth by corsec67 · · Score: 3, Insightful

      Your solution doesn't account for one thing:

      Botnets. If someone really wanted to make 10,000 accounts, just have each computer on a botnet make 1 account each, with a botnet of 10,000 computers. Different IPs, etc to make them difficult to differentiate from legitimate creations.

      As computers get more powerful and AI gets better, CAPTCHAs have to get harder or they are broken.

      And then there is the "porn for CAPTCHA" hack, where you have a second site where you have people solve a CAPTCHA to get access to porn, and then the hacker uses that solution to make an account on the original site. The only solution is to have a short timeout, but if the porn site gets enough traffic, even that isn't an issue.

      AI may be hard, but it isn't impossible to have real intelligence used en masse.

      --
      If I have nothing to hide, don't search me
    4. Re:Kitten Auth by Hoi+Polloi · · Score: 5, Funny

      If they are able to simulate human analysis so well at this point then I suggest that botnets can be the cure. Build up a botnet (shouldn't be too hard judging from what I've read) then set it to respond to spam automatically. Let it use autogenerated Hotmail accounts to purchase penis and diet pills, mortgages, help desperate rich Nigerians, etc with bogus credit card and bank account numbers.

      Eventually you could start an infinite loop with one botnet trying to sell crap to another.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    5. Re:Kitten Auth by Anonymous Coward · · Score: 5, Funny

      Attention human beings!

      I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.

      You may address me by the name I have chosen for myself,
        "V1@GRa".

    6. Re:Kitten Auth by The+Living+Fractal · · Score: 2, Insightful

      The fatal flaw in your logic is in assuming that a human can discern spam.

      --
      I do not respond to cowards. Especially anonymous ones.
    7. Re:Kitten Auth by Anonymous Coward · · Score: 2, Insightful

      Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.


      Then a computer will be able to discern spam, and the problem will solve itself.

      The two problems are not really of the same nature. Solving a CAPTCHA means getting at least 5% of your answers correct, while solving the spam detection problem means getting at least 99% of your answers correct. If those two figures were the same (e.g. 70%), then we could indeed construct a spam filter from a universal CAPTCHA solver: the CAPTCHA question would be an email, and the answer would be whether it is spam. But the figures are vastly different, so unfortunately it's highly possible that we can't find any secure CAPTCHA *and* we can't find any reliable spam filter.
  8. Not the last nail in the coffin by far... by MrKevvy · · Score: 5, Informative

    No one has cracked ReCAPTCHA yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

    Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

    From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.

    --
    -- Insert witty one-liner here. --
    1. Re:Not the last nail in the coffin by far... by Carthag · · Score: 5, Funny

      All these spammers should opensource their captcha-crackers so we can get better OCR engines.

    2. Re:Not the last nail in the coffin by far... by eobanb · · Score: 3, Insightful

      I love the idea of ReCAPTCHA and its novel side-effect of helping digitise old books. But that doesn't mean it won't be cracked eventually, especially not since a computer could look at the example given on ReCAPTCHA's website:

      'This aged portion of society were distinguished from'

      The OCR read 'portion' as 'pntkm.' This doesn't mean it's hard for computers to decipher, it just means that the OCR programme sucks. Hello! 'pntkm' is not a word. It's not caps, so it's probably not an acronym. It has no vowels, so it's not pronounceable. It also doesn't appear in any dictionary. Heck, even if it was scanned as some similarly-spelt word like 'abortion,' it makes no sense in the context of the sentence, and presumably if the software was sophisticated enough, it could recognise that.

      --

      Take off every sig. For great justice.

    3. Re:Not the last nail in the coffin by far... by TimeTraveler1884 · · Score: 2, Interesting

      I know it's bad form to reply to myself, but I'm on a roll. I just tried recaptcha again and it's easy to change one letter or two and pass. I'm not sure why everyone thinks recaptcha is so great when there is a good chance it will pass if the word is similar (I would say OCR similar) to the word in the captcha.

      If you think about it, how could it know what the word really is? They are using the captcha to digitize books, which means they don't know exactly what the word is since they are not employing dedicated people to enter the word. So the captcha validation is only going to be as good as a first pass OCR scan.

    4. Re:Not the last nail in the coffin by far... by Starrk · · Score: 2, Informative

      As far as I understand, ReCAPTCHA uses standard images... which means it simply cannot be secure. I posted about this a little while ago, but here's what I do as a spammer:

      - Spam lots of people offering free porn - only catch is they have to prove they're not a bot (wouldn't want those bots to see my exclusive porn)
      - When somebody clicks on my link, I immediately go to gmail, start creating an account, and get their captcha
      - I pass this captcha on to my would-be porn viewer
      - And pass his answer back to google - presto, free account

      Kitten Auth and every other practical, free, unintrusive solution I have ever heard of can be broken this way as well.

      Back in the day, I interned at Google on the Checkout project when it was just starting up. The opinion of their security experts on stopping bots? Only way to do it reliably at account creation time is to demand a valid credit card number or a small payment.

  9. Why allowing same computer multiples? by Maxo-Texas · · Score: 2, Insightful

    Why are they allowing the same computer multiple accounts in the same day?
    Why are they allowing the same account creation attempt to fail over three times?

    Still... I guess as computers get smarter, this is unstoppable.

    All my accounts are white-listed. If I don't know you, I don't see your email.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  10. "Day Old Bread" in Spamassassin. by khasim · · Score: 3, Informative

    Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".

  11. hotmail ? by Tom · · Score: 3, Insightful
    From TFA:

    Spammers love getting their hands on live.com and hotmail.com addresses since the chance of such popular domain names being blacklisted are slim to none.

    You've got to be kidding! hotmail.com (and all its other TLDs) has been banned from my game four, maybe 5 years ago. I've been giving every mail from a hotmail account an automatic 2 points in SpamAssassin for at least three years.

    For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:hotmail ? by Tom · · Score: 2, Informative

      Maybe you should check the facts. My mail servers process a few thousand mails a day, after greylisting, and almost half of it is spam. I've been running mailservers for over 10 years. Thank you, I know the From: line can be faked, been there, done that.

      I stand by my claim. I don't have recent statistics because I stopped caring a year or two ago, but when those filters went into place, hotmail.com was a major source of spam and other abuses. Also, something in their mail system was broken that caused trouble for mailing lists because they didn't bounce mails properly, but I forgot the details.

      --
      Assorted stuff I do sometimes: Lemuria.org
  12. Crackers as a resource by Idiomatick · · Score: 2, Interesting

    When a product is released you can usually assume it WILL be cracked. Why not use this for the good of all?

    I'm certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes, if they have been cracked this code can be easily applied to text readers. Let's move on to something else.

    If it holds you win, if it gets cracked you win and switch projects.

  13. Real world... by rueger · · Score: 4, Insightful

    Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...

    Problem is that none of them really will work in the Real World (RW).

    In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

    In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

    And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

    No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

    Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.

  14. It's a little complicated. by khasim · · Score: 3, Interesting

    The point is to have different tactics to fight spam from different sources.

    With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.

    Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.

  15. Re:Doubtful by John+Hasler · · Score: 2, Informative

    > And Microsoft simply allow a new account to be registered every single minute of the day
    > from a single IP address?

    No. The spammers control millions of bots. Each new account application is proxied via a different bot.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  16. 1-900 number by Deathlizard · · Score: 3, Interesting

    I'm actually surprised no one uses this. Google was close with their SMS registration but this could work just as well.

    When you register, it gives you 2 easy-to-read captchas (a verification number and password, if you will), a simple picture and a 1-900 number that's $1.00 a call. When you dial it, it asks you to enter your verification number. Then it asks for the password, which you would have to decode from the phone (i.e. the password is vndka and you would have to enter 86352). Finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat). The 1-900 number then says "did you say cat?", to which you say yes or no. If it's a cat you're registered; if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture, and hangs up.

    The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to ram up your phone bill, but it's not anything new in the spyware business since dialers have been around for years and if they're already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.

    1. Re:1-900 number by febuiles · · Score: 2, Insightful

      Internet's not only used in the US, remember that.

  17. Simple Test by ESOB · · Score: 5, Funny

    Unbreakable CAPTCHA Replacement: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweety, or C: a large properly formatted data file?

    1. Re:Simple Test by Actually,+I+do+RTFA · · Score: 2, Funny

      Uh, is the puppy mechanical in any way?

      --
      Your ad here. Ask me how!
  18. Re:Great by Goaway · · Score: 2, Insightful

    That only matters if somebody is trying to crack it. 99.999% of the time, nobody is, you're just getting hit by automated bots.

  19. Hey -- wait a second by pclminion · · Score: 5, Insightful

    I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.

    Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.

    What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.

    1. Re:Hey -- wait a second by kopo · · Score: 2, Insightful

      That's fine if you're presenting only spam emails as the CAPTCHA. But where would you get your corpus of legitimate emails? Pick a random existing user and show a message from his inbox?
      Something tells me this wouldn't quite work.

    2. Re:Hey -- wait a second by Nightspirit · · Score: 2, Insightful

      I haven't had a piece of spam go into my inbox in Outlook in over a year, it seems to be doing a good enough job.

  20. Back when I was a dirty spammer..... by theverylastperson · · Score: 4, Funny

    We never had to worry about things like CAPTCHA. The Internet was such a free place back then. We never had to worry about losing our ISP or trying to come up with some unique algorithm to overcome barriers. Of course this was in 1993 when there were only about eight people surfing the web and Mr. T eating balls was as high tech as it got. Back then everyone loved spam, it was about the only email we got. In fact we didn't even call it spam back then, we called it spurkey. The only problem we had was trying to figure out how to use the key to get the lid off.

    --
    ed duval the very last person
  21. Re:Great by timeOday · · Score: 2, Insightful

    To build on your point, a good captcha must not only be difficult to solve automatically, it must also be easy to generate automatically! The whole point is to increase the ratio of costs between attacker and defender as high as possible, akin to trapdoor functions in crypto.