Slashdot Mirror


Windows Live Hotmail CAPTCHA Cracked, Exploited

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?

12 of 362 comments

  1. Awesome article by kcbanner · · Score: 5, Interesting

    One of the best 'exploit' related articles I've seen on /. for a while. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news; frankly, I'm tired of articles full of statistics but nothing on the tech.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
  2. Anything is better! by RingDev · · Score: 5, Insightful

    KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Anything is better! by rrahimi · · Score: 5, Insightful

      Not all of these solutions provide an acceptable level of accessibility, and that's a major concern.

    2. Re:Anything is better! by Jafafa Hots · · Score: 5, Informative

      If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register? I'm disabled. The net is a huge boon to the disabled, allowing them to shop more easily, save money because we have limited incomes... learn about things that can help us lead more normal lives, get support from others, get medical information, entertain ourselves since maybe we can't go jogging or drive to and then pay for a movie, etc.

      I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.

      And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.

      What sites might they be trying to get into? Well, Slashdot.org, for example.

      --
      This space available.
  3. Kitten Auth by moderatorrater · · Score: 5, Funny

    Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHAs have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.

    While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? Distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?

    They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
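
The per-IP signup-rate and spam-report-ratio checks proposed in the comment above, as an added example (not part of the original comment or the linked article). The limit of 5 signups per 24 hours, the 20-message minimum, the log layout and all sample data are constructed assumptions; the IPs are documentation addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_signup_bursts(events, limit=5, window=timedelta(hours=24)):
    """events: (timestamp, ip, account) tuples sorted by time.
    Returns {ip: [accounts]} for IPs exceeding `limit` signups in any window."""
    recent = defaultdict(deque)   # ip -> signups still inside the sliding window
    flagged = defaultdict(set)
    for ts, ip, account in events:
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:      # drop signups older than the window
            q.popleft()
        if len(q) > limit:                # burst: flag every account in the window
            flagged[ip].update(a for _, a in q)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

def flag_spam_senders(stats, ratio=0.9, min_sent=20):
    """stats: {account: (messages_sent, messages_reported_as_spam)}.
    The 0.9 ratio mirrors the comment's "90%"; min_sent avoids judging
    accounts on a handful of messages (assumed value)."""
    return sorted(acct for acct, (sent, reported) in stats.items()
                  if sent >= min_sent and reported / sent >= ratio)

def sample_events():
    """Constructed log: one host creating 1400 accounts, one per minute,
    plus two ordinary signups from another address 27 hours apart."""
    t0 = datetime(2024, 1, 1)
    bot = [(t0 + timedelta(minutes=i), "203.0.113.7", f"bot{i:04d}")
           for i in range(1400)]
    human = [(t0 + timedelta(hours=3), "198.51.100.20", "alice"),
             (t0 + timedelta(hours=30), "198.51.100.20", "bob")]
    return sorted(bot + human)

def sample_stats():
    """Constructed per-account delivery feedback."""
    return {"bot0001": (1000, 950), "alice": (40, 1), "newuser": (3, 3)}

if __name__ == "__main__":
    for ip, accts in flag_signup_bursts(sample_events()).items():
        print(f"{ip}: {len(accts)} accounts flagged for signup burst")
    print("high spam ratio:", flag_spam_senders(sample_stats()))
```

Per-IP limits also catch legitimate users behind a shared NAT or proxy, so a flag like this is better suited to triggering review or an extra challenge than an automatic ban.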

    1. Re:Kitten Auth by drawfour · · Score: 5, Insightful

      "Pretty soon we'll realize that anything a human can discern on the internet a computer can discern."

      Then a computer will be able to discern spam, and the problem will solve itself. Until we get to that point, though, we have to keep one-upping the spammers.
    2. Re:Kitten Auth by Hoi Polloi · · Score: 5, Funny

      If they are able to simulate human analysis so well at this point then I suggest that botnets can be the cure. Build up a botnet (shouldn't be too hard judging from what I've read) then set it to respond to spam automatically. Let it use autogenerated Hotmail accounts to purchase penis and diet pills, mortgages, help desperate rich Nigerians, etc. with bogus credit card and bank account numbers.

      Eventually you could start an infinite loop with one botnet trying to sell crap to another.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    3. Re:Kitten Auth by Anonymous Coward · · Score: 5, Funny

      Attention human beings!

      I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.

      You may address me by the name I have chosen for myself,
        "V1@GRa".

  4. Not the last nail in the coffin by far... by MrKevvy · · Score: 5, Informative

    No one has cracked ReCAPTCHA yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

    Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

    From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.

    --
    -- Insert witty one-liner here. --
    1. Re:Not the last nail in the coffin by far... by Carthag · · Score: 5, Funny

      All these spammers should opensource their captcha-crackers so we can get better OCR engines.

  5. Simple Test by ESOB · · Score: 5, Funny

    Unbreakable CAPTCHA Replacement: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweety, or C: a large properly formatted data file?

  6. Hey -- wait a second by pclminion · · Score: 5, Insightful

    I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.

    Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.

    What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.