Fallout From the Fall of CAPTCHAs
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.
Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register (it gets easier if you reload the page a few times, down to simple arithmetic). I have a site that is only of interest to people who use Verilog (a hardware design language). I've toyed with requiring some digital logic problem to be solved, but the volume of spam signups isn't big enough for me to be bothered yet...
Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.
Combine it with a mix of simple math and image recognition? I.e.
"What colour hair does the (2+four)/3 girl from the left have?"
Hell, skip the math part if that's too easy.
Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?
There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks.
Why shouldn't as many people as possible have access to CAPTCHA breaking schemes if the spammers do anyway? Shame on the poster for not including some links himself.
There is irony in forcing people to use the platform that's responsible for botnets in the first place.
CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.
Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.
When you have something online that is as popular as this, someone is bound to crack it some time or another.
...if this is connected to what I could swear is an increase in spam lately. Has anyone else noticed an unusually high amount of sensational false headlines and Russian nonsense appearing in their inboxes?
But rather an over-reliance on turnkey solutions to the problem. The overwhelming majority of places that use them all use the same format (hard-to-read words), which in turn creates an incentive for someone to break it, as it will be easily applied to other CAPTCHAs. The solution is for there to be a wide variety of them that come up at any given time: the "what number is on the picture of the girl in the blue shirt" one day, but "pick the picture of the elephant" a week later. I predict that a company like Google will step up to implement a turnkey system like this for AdWords users and the like in the near future.
Screw everyone, you assholes!
Good thing I can break CAPTCHAs to post this.
Oh, and by the way don't forget to check out goatse.cx
There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks.
INFORMATION WANTS TO BE FREE!!!!!!!
How can we evaluate the CAPTCHAs that we are developing if we can't test them against the available crackers?
So much for open source!
Does anyone else find it as depressing as I do that such obviously intelligent, motivated individuals can't find a more productive use of their talents?
So if they removed the CAPTCHA, malware authors and spammers wouldn't have an easy and useful way to do their dirty work?!? Hmmm, a term comes to mind: CRAPTCHA
CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.
For example, I use reCAPTCHA on DocForge to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.
Spammers are cracking some of the hardest problems of AI research.
How can they do that, and yet all the great academic minds can't? Two things:
* funding
* a willingness to use "anything that works"
What's really scary is that, in the end, spamming may turn out to be an agent of good.
How come /. is so spam free?
Do the hackers just not care about us,
or:
is this like one of those "safe zones" where geeks and hackers can hang out as long as nobody asks or tells? (looks at guy to his left..."say is that a CAPTCHA in your pocket or are you just excited to be here...")
Put 1,000 computers on the problem and allow them to share information from their successes ... and you've cracked a CAPTCHA implementation.
And there are hundreds of thousands of zombies out there.
Are you arguing (or making an argument which assumes as a premise) that the rules relating to security for commercial flights are actually sane? My baggie of liquids disagrees.
That said, commercial flights are very much a corner case; the potential for collateral damage, for instance, is greatly amplified; thus, rules which are appropriate for commercial flights are not necessarily appropriate everywhere else.
This CAPTCHA has text from six emails. Five are randomly selected from those sent by people that have opened an email account in the past month. One is from an email account that is a honeypot. "Please select all emails that are spam." Note, the obvious secondary benefit is that it is used as a spam detector. Then of course there is the simple rule: "Our free email accounts can not be used to send more than 20 emails per day. If you need more, please sign up for our deluxe account, that charges you $1 per year of service."
It is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. Why would they?
In a globally connected world with several billion possible users, open email simply won't work much longer.
What we need are permission-based systems - ones in which people need permission before they can contact another person. It would eliminate spam entirely, by integrating whitelists into mail clients. Because no one has built a system like this that leverages and extends existing email servers, private organizations leveraging social connections have moved in to fill the gap. Sadly, because Facebook messages and MySpace messages are not built on an open standard, you have to go through those companies to contact people.
http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9104619
They don't do anything amazing with the images. They just attempt to reverse what is known about how the source site modifies the images.
With enough machines aimed at the problem, it becomes simple to brute-force it and then share the information amongst the other machines.
Remember, the CAPTCHAs are limited in that they still have to be understandable to humans.
BONGARD PROBLEMS. No machine can crack them in at least 10 years time. And when one does, baby, we'll have genuine AI.
Although it's not a part of my history that I'm proud of, I did chatbot spam. It was easy money, and pumping out the spam was easy.
The one real pain was creating the accounts, and although there were customised programs to speed up creating the accounts (approx 20 a minute) you still had to manually enter the captcha codes. This is what limited everything (i.e. Yahoo would kill swathes of spam accounts in one go). Going through 500 accounts an hour wasn't unheard of.
Now that captcha is broken, there is no limit to stop you spamming every single room if you wanted. This means that yahoo chat room spam levels will have gone through the roof, not that I have been anywhere near of late.
I have noticed a big surge in spam on MSN messenger. I get three or four messages a day from people not on my contact list for Viagra or "sexy singles", all from names like "kghemvi837276fgk". Last year I was getting maybe one a week.
The first thing to actually pass the Turing test will probably be a spam-bot. Isn't that disgusting?
...so all you have to do is change the algorithm used to create the captcha every few days/hours.
The bigger sites could do the latter in-house, the smaller sites can have a dedicated service which hires people writing the image generators/intelligence-requiring questions/etc.
Much of this is finding a way to brute-force the methods used on particular sites, overwhelming randomness, etc. It's not really a computer reading any difficult text.
The irony about this is that a CAPTCHA is a Turing test, a form of authentication designed to prove that a human is making the request. Given that some CAPTCHAs are rapidly becoming too hard for people to read, the outcomes of the tests are reversed - humans cannot win the test, only computers.
I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.
I thought the cracker for Ticketmaster just forwarded the unsolvable piece to cheap labor in China. You could do this for math problems too.
On Gmail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.
The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.
If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.
You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.
Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.
Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within Google (I know there are quite a few of those).
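The rules in the post above, worked into a small outbound-mail policy. This is an added example, not Google's code or the poster's; the account age window, the "never reads mail" trigger, the shingle similarity cutoff and the burst size are assumed values, and the sample messages are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DAILY_CAP_NEW_ACCOUNT = 20            # the "20?" figure from the post
NEW_ACCOUNT_AGE = timedelta(days=7)   # assumed: how long an account counts as brand-new
MIN_SENDS_BEFORE_READ_CHECK = 5       # assumed: sends allowed before "never reads mail" matters
SIMILARITY_THRESHOLD = 0.8            # assumed: 3-word shingle Jaccard score that means "same message"
BURST_SIZE = 5                        # assumed: look-alike messages that trigger a hold

@dataclass
class Account:
    created: datetime
    reads: int = 0                       # messages the user has opened
    sent_total: int = 0
    sends_by_day: dict = field(default_factory=lambda: defaultdict(int))
    recent: list = field(default_factory=list)   # bodies delivered so far
    held: list = field(default_factory=list)     # bodies parked for a human reviewer
    silenced: bool = False               # reviewer said spam: drop silently from now on

def shingles(text, k=3):
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def similarity(a, b):
    """Jaccard similarity of word 3-shingles: 1.0 for identical text, ~0 for unrelated text."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0

def decide(acct, body, now):
    """Return 'deliver', 'hold' (queue for review) or 'drop' for one outbound message."""
    if acct.silenced:
        return "drop"                    # never tell them you caught on
    day = now.date()
    young = now - acct.created < NEW_ACCOUNT_AGE
    if young and acct.sends_by_day[day] >= DAILY_CAP_NEW_ACCOUNT:
        acct.held.append(body)
        return "hold"
    if young and acct.sent_total >= MIN_SENDS_BEFORE_READ_CHECK and acct.reads == 0:
        acct.held.append(body)           # sends plenty, reads nothing: bot-like
        return "hold"
    lookalikes = sum(1 for prev in acct.recent if similarity(prev, body) >= SIMILARITY_THRESHOLD)
    if lookalikes >= BURST_SIZE - 1:     # this message would be the BURST_SIZE-th copy
        acct.held.append(body)
        return "hold"
    acct.recent.append(body)
    acct.sends_by_day[day] += 1
    acct.sent_total += 1
    return "deliver"

def review(acct, is_spam):
    """Human reviewer's verdict on the held messages (the post's 'picture matching game' step)."""
    released = []
    if is_spam:
        acct.silenced = True             # future sends are dropped without notice
    else:
        released = list(acct.held)       # false alarm: let the parked messages out
    acct.held.clear()
    return released

def demo():
    """Constructed scenario: a day-old account sends one normal mail, then near-identical ones."""
    now = datetime(2008, 10, 1, 12, 0)
    acct = Account(created=now - timedelta(days=1))
    verdicts = [decide(acct, "Hi mom, arriving Tuesday at 6pm, can you pick me up?", now)]
    for i in range(6):
        verdicts.append(decide(acct, "Buy cheap pills now, special offer just for you, "
                                     f"visit example.invalid today {i}", now))
    held_before_review = len(acct.held)
    review(acct, is_spam=True)
    verdicts.append(decide(acct, "one more try", now))
    return verdicts, held_before_review
```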
What about having a few images in a row, say dog, cat, horse, cow, building, and then having words below them and asking people to match the words to the pictures? You take out spelling errors and such, it is easy to use, but the possible combinations are still very high. Maybe throw in a junk word to make it harder. Or has this already been done?
What have all the supreme innovators been doing the past decade? Why is this still happening in late 2008? The solution is to design an email transport system that is immune to spam/phishing and doesn't rely on CAPTCHAs to authenticate end users. Don't bother telling me how *you* can't figure out how to do it.
Maybe the poster should've RTFA. But this is Slashdot after all. Nobody reads the articles.
http://it.slashdot.org/comments.pl?sid=467856&cid=22568696
You may be able to pay humans to solve them for you, but you can't pay humans to solve them for you at the same quantity. Human beings are slow and require extensive resources.
It makes a big difference when you're talking about creating a crime syndicate with thousands of employees vs. one lonely script kiddie. The former solution doesn't scale very well, and has a much higher barrier to entry. Even if you don't stop spam you are certainly cutting back on the quantity.
If they can break the captcha, that's a bit less helpful, because whoever did it can sell the solution. However, it's still better than if setting up an automated agent for spamming your site is nothing more than a scant few hours of work to anyone who can program. And the quicker you can change your captcha the less profitable/useful it becomes to crack it.
It's not about being utterly victorious. That would involve tracking down spammers and hiring hitmen to take them out. What it is about is harms mitigation, and captchas will still do that even after being broken.
This misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.
And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA).
If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.
In a Turing test, obviously, a human does the verification. Unless you have an army of extremely low-wage laborers doing the verification, or a machine capable of passing a real Turing test, the CAPTCHA will *never* work. The only solution for now, I think, would be to force multiple layers of authentication on users. ie, you can have your craigslist account, but you're gonna need to pay 2.95 S&H and wait 5-7 days to get your key chain dongle before you can log in. Obviously, the average user is not going to be up for that. So you're stuck with spam. It sucks, but there's no way around it.
I've toyed with the idea of making users write a 500 word essay on a random topic. I would then send this to my high school English teacher, and if it got maybe a B or above I would consider it legit.
Obligatory XKCD reference: http://imgs.xkcd.com/comics/a_new_captcha_approach.png
The article points out that the crackers are available for free online. This is a triumph of the EVIL open source. Will the GOOD open source rise up and defeat it? Stay tuned for next week's episode.
Why don't we just show different animals and ask them to name the animal?
If we are lucky Spammers will solve an age old AI problem in the process!
Integrate OpenID based signatures with email by inserting a line into the email header.
Not a new idea, it's the same old 3rd-party trust situation -- so clearly the trusted OpenID servers would be targeted; however, if you added a simplistic peer ranking system on those user IDs (extending OpenID a little) then the bad IDs would get ranked down by real people.
This would also provide a means for verification for multiple emails used by the same individual's OpenID which could shield their actual identity (but not any better privacy than you have already.)
Additional headers for the point-of-origin server could also be useful, as some servers are less trustworthy than others (note: spam ranking is fuzzy and a slight nudge either way near the threshold value can make a noticeable difference). Server identity issues are already being worked on; but emails are not tied securely to the original server.
I'd like to see a standard email header line for spam ranking (0-100?); I'm sick of these "{spam?}" lines inserted in subject lines that I see time to time.
An OpenID based solution would get OpenID heavily tested since spammers may solve the big AI problems as well as letting us know where to get Viagra.
The spammers have a new solution to CAPTCHAs in place - offshore outsourcing. This has become a sizable operation. System status earlier today:
Current Status: Volumes are exceedingly high. -- Automatically dispatching more labor
Queued Captchas: 91
Total outsourced volume: 4564301
This service is integrated with Craigslist auto posting tools, allowing high-speed spamming of Craigslist. It's also used for other services, like obtaining GMail accounts.
Even Craigslist's callback-by-phone system is starting to crack. Temporary phone numbers for Craigslist verification, provided by marginal telephony providers, have dropped to $1.50 in bulk.
The overall effect of Craigslist's new protections is that the cost of spamming has gone up, enough to slow down the low-rent operators but not by enough to stop it.
As I've pointed out previously, Google plays a central role in this. Google's services provide a facade of anonymity for scammers to hide behind. GMail for anonymous mail, YouTube for anonymous infomercials, AdWords for anonymous advertising, Checkout for anonymous money transfer, and Blogger/Blogspot for anonymous redirectors to zombie machines are all valuable services for scammers and spammers. All those services are used heavily by Craigslist spammers.
Others have provided some of the same services, but the competing services had bad reputations. Anybody trying to do business via Hotmail just had to be phony. Many mail agents just block all Hotmail mail. Anyone running a business off of "freewebpage.org" probably wasn't someone you'd want to deal with. So you had some strong indications of lack of legitimacy there.
Google, though, still has a good reputation. The combination of Google's reputation and low customer standards offers a great opportunity for scammers, and they're taking it.
Quite right, no matter what the problem you can always use man in the middle and pass the problem along to someone wanting to access a pr0n site. Not quite up to the same volumes as a machine, but getting there.
The basic problem is instant gratification. Spammers need to be able to create accounts or authenticate for posting quickly. Their business model doesn't allow for individual tries taking any significant amount of time, or requiring a side-channel conversation. CAPTCHAs and other anti-spam tactics all have one thing in common: they want to allow rapid authentication or account creation. And plain and simple, as long as those methods allow what the spammers need, you'll never keep the spammers out. If a computer can do it, a computer can un-do it.
You want to solve the spammer problem? Slow the process down. Make it involve a side-channel exchange. When someone creates an account to post, leave the account inactive and send them an e-mail with a verification code they need to enter to activate the account. Don't send it instantly, delay it by a couple of minutes. No need for fancy graphics or HTML, just plain text with the code in the middle of an explanatory paragraph that's word-wrapped automatically to a random 48-78 character column width to make it annoying to parse out the code automatically. Or if you don't want to block the account completely until verification, make it so any comments posted by it pre-verification aren't visible until a moderator approves them.
What we really need is a global identification scheme that acknowledges that what we want isn't accurate identification, it's continuity of identification. When someone posts to my journal, I don't need to know for certain who they truly are in real life. What I need is to be confident that the same physical person couldn't have gotten very many different, unconnected identities, and that when I see two different posts by the same identity that it's the same person behind both.
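The slow-down scheme from the post above (inactive account, delayed plain-text verification mail with the code buried in an auto-wrapped paragraph, pre-verification posts parked for a moderator), as an added example that is not the poster's code. The 24-hour code lifetime, the 10-hex-digit code and the mail wording are assumptions; the walk-through in demo() is constructed.

```python
import random
import secrets
import textwrap
from datetime import datetime, timedelta

SEND_DELAY = timedelta(minutes=2)   # "delay it by a couple of minutes"
CODE_TTL = timedelta(hours=24)      # assumed: how long an unused code stays valid

def verification_mail(code, rng=random):
    """Plain text with the code mid-paragraph, wrapped to a random 48-78 column width."""
    width = rng.randint(48, 78)
    body = ("Thanks for signing up. Your account stays inactive until you enter the "
            f"activation code {code} on the verification page. If you did not request "
            "this account, ignore this message and the request expires after one day.")
    return textwrap.fill(body, width=width)

class Registry:
    def __init__(self):
        self.pending = {}           # username -> {"code", "created", "mail_due", "mailed"}
        self.active = set()
        self.moderation_queue = []  # (username, text) posted before verification

    def register(self, user, now):
        """Create the account inactive; the code is stored, never shown in the web response."""
        self.pending[user] = {"code": secrets.token_hex(5), "created": now,
                              "mail_due": now + SEND_DELAY, "mailed": False}

    def mails_to_send(self, now):
        """Called periodically (cron-style): (user, mail text) for every due, unsent code."""
        due = []
        for user, p in self.pending.items():
            if not p["mailed"] and now >= p["mail_due"]:
                due.append((user, verification_mail(p["code"])))
                p["mailed"] = True
        return due

    def verify(self, user, code, now):
        """Activate only with the mailed code, after the delay, before the code expires."""
        p = self.pending.get(user)
        if p is None or not p["mailed"] or now - p["created"] > CODE_TTL:
            return False
        if not secrets.compare_digest(p["code"], code.strip().lower()):
            return False
        del self.pending[user]
        self.active.add(user)
        return True

    def post(self, user, text):
        """Pre-verification posts wait for a moderator instead of being shown."""
        if user in self.active:
            return "published"
        if user in self.pending:
            self.moderation_queue.append((user, text))
            return "held"
        return "rejected"

def demo():
    """Constructed walk-through: sign up at noon, code mailed after the delay, then activation."""
    t0 = datetime(2008, 10, 1, 12, 0)
    r = Registry()
    r.register("alice", t0)
    steps = {}
    steps["mails_at_30s"] = len(r.mails_to_send(t0 + timedelta(seconds=30)))  # nothing due yet
    steps["post_before"] = r.post("alice", "first comment")
    steps["verify_before_mail"] = r.verify("alice", r.pending["alice"]["code"],
                                           t0 + timedelta(minutes=1))
    mails = r.mails_to_send(t0 + timedelta(minutes=3))
    steps["mails_at_3m"] = len(mails)
    steps["code_in_mail"] = r.pending["alice"]["code"] in mails[0][1]
    steps["wrong_code"] = r.verify("alice", "0000000000", t0 + timedelta(minutes=5))
    steps["verified"] = r.verify("alice", r.pending["alice"]["code"], t0 + timedelta(minutes=5))
    steps["post_after"] = r.post("alice", "second comment")
    steps["queued"] = len(r.moderation_queue)
    return steps
```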
Why isn't anyone making systematic IP blacklists? I mean, after the usual kind of spam crap, you've just identified the attacker, or a piece of a botnet. Keep it all in a list and just deny those IPs any access at all (e.g. firewall rules). By sharing these rules, you nullify the effect of the botnets. Tough shit for the people with cracked computers. They should have been more diligent in applying patches...
I do this with denyhosts which checks logs for ssh dictionary attacks and then blocks them. By sharing these lists, and cross referencing them between different hosts, you should have a very reliable list, and can remove the effect of IP spoofing which may be possible with some protocols/attacks.
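The cross-referencing step described in the post above, as an added example (not denyhosts' code): each host flags addresses from its own sshd failures, and only addresses flagged by several hosts independently make the shared list. The three log excerpts are constructed and use RFC 5737 documentation addresses; the per-host threshold and the two-host agreement rule are assumed.

```python
import re
from collections import defaultdict

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
PER_HOST_THRESHOLD = 3   # assumed: failed logins before one host flags an IP (denyhosts-style)
MIN_HOSTS = 2            # assumed: hosts that must independently flag an IP before it is shared

# Constructed auth.log excerpts from three hosts (RFC 5737 addresses, not real attackers)
LOGS = {
    "web1": """\
Oct  1 12:00:01 web1 sshd[4011]: Failed password for root from 192.0.2.10 port 50001 ssh2
Oct  1 12:00:03 web1 sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Oct  1 12:00:05 web1 sshd[4011]: Failed password for invalid user oracle from 192.0.2.10 port 50003 ssh2
Oct  1 12:00:06 web1 sshd[4011]: Failed password for root from 192.0.2.10 port 50004 ssh2
Oct  1 12:01:10 web1 sshd[4020]: Failed password for bob from 198.51.100.7 port 50100 ssh2
Oct  1 12:01:12 web1 sshd[4020]: Failed password for bob from 198.51.100.7 port 50101 ssh2
Oct  1 12:01:15 web1 sshd[4020]: Failed password for bob from 198.51.100.7 port 50102 ssh2
Oct  1 12:01:20 web1 sshd[4021]: Accepted password for bob from 198.51.100.7 port 50103 ssh2
""",
    "mail1": """\
Oct  1 12:02:01 mail1 sshd[913]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct  1 12:02:02 mail1 sshd[913]: Failed password for invalid user test from 192.0.2.10 port 51002 ssh2
Oct  1 12:02:04 mail1 sshd[913]: Failed password for invalid user guest from 192.0.2.10 port 51003 ssh2
Oct  1 12:05:30 mail1 sshd[920]: Failed password for alice from 203.0.113.5 port 52000 ssh2
Oct  1 12:05:40 mail1 sshd[920]: Failed password for alice from 203.0.113.5 port 52001 ssh2
""",
    "db1": """\
Oct  1 12:03:01 db1 sshd[77]: Failed password for root from 192.0.2.10 port 53001 ssh2
Oct  1 12:03:02 db1 sshd[77]: Failed password for invalid user admin from 192.0.2.10 port 53002 ssh2
Oct  1 12:03:04 db1 sshd[77]: Failed password for invalid user pi from 192.0.2.10 port 53003 ssh2
""",
}

def flagged_by_host(logs, threshold=PER_HOST_THRESHOLD):
    """What each host would block on its own: IPs with at least `threshold` failed logins."""
    flagged = {}
    for host, text in logs.items():
        counts = defaultdict(int)
        for line in text.splitlines():
            m = FAILED.search(line)
            if m:
                counts[m.group(1)] += 1
        flagged[host] = {ip for ip, n in counts.items() if n >= threshold}
    return flagged

def shared_blocklist(flagged, min_hosts=MIN_HOSTS):
    """Cross-reference: keep only IPs that several hosts flagged independently.
    A user fat-fingering a password on one host (bob above) never reaches the shared list."""
    seen_on = defaultdict(set)
    for host, ips in flagged.items():
        for ip in ips:
            seen_on[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in seen_on.items() if len(hosts) >= min_hosts}

def firewall_rules(blocklist):
    """Render the shared list as iptables drop rules, noting which hosts corroborated each IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP  # flagged by {', '.join(hosts)}"
            for ip, hosts in sorted(blocklist.items())]
```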
Digital Spy have an interesting, but unfortunately very annoying, way of dealing with Captcha. If you sign up from a Hotmail, Gmail or Yahoo account, then you have to pay Digital Spy £5 to register that account. Business email addresses or ones from ISPs don't require a fee.
A simple albeit incredibly annoying solution.
I had thought of using something similar to what I have posted at the link below. The user must solve three of these in a row. Of course the number of fonts/numbers/backgrounds would be much larger. Also I planned to introduce letters, letter pairs and shapes. But the key concept is that the instructions to solve are also embedded in the image. Much tougher I would think.
And what does /. think?
Next gen CAPTCHA link here.
Note - this is just a random sample image, not an actual implementation.
What we need are permission-based systems - ones in which people need permission before they can contact another person.
I don't see how such systems would work too well for people whose occupation requires that other people contact them, such as people who provide a product or service. This includes a lot of Slashdot users, who maintain free software.
I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.
That's actually an ingenious solution: Leaving a field blank. Let's expand this a bit further.
Let the computer present a captcha, three images (each one with a textbox under it) and a text question to the user (the question will also be in graphic format).
Please fill in captcha under the image of a blue parrot. Under the image that is not a yellow cat, answer this question with a number: "How much is three plus seven?" Leave the remaining space blank.
So the bot will not only have to guess which image is the captcha, but will also have to identify the description, recognize the sentence, and then find out which images belong to the blue bird and the yellow cat. Adding to that, it will have to recognize that an arithmetic question has been asked, and then use its AI to answer the question in the appropriate slot.
I'm a fan of the old Fidonet method of authentication.
It was an envelope with an SAS post card inside addressed to the admin. The admin would write your first password on it. If he was smart he'd mail you your new password when he got your SASPC.
It does not scale. That can be a good thing.
Programs can be written to easily beat CAPTCHA, but somehow, I need to do it at least three times before I get it right... Sometimes a 0 looks like an O, but others, I'm confusing a noise line with part of a letter.
your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. your idea will not work. here is why it won't work. (one or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) spammers can easily use it to harvest email addresses
( ) mailing lists and other legitimate email uses would be affected
(X) no one will be able to find the guy or collect the money
(X) it is defenseless against brute force attacks
(X) it will stop spam for two weeks and then we'll be stuck with it
( ) users of email will not put up with it
( ) microsoft will not put up with it
( ) the police will not put up with it
( ) requires too much cooperation from spammers
( ) requires immediate total cooperation from everybody at once
( ) many email users cannot afford to lose business or alienate potential employers
(X) spammers don't care about invalid addresses in their lists
( ) anyone could anonymously destroy anyone else's career or business
specifically, your plan fails to account for
( ) laws expressly prohibiting it
( ) lack of centrally controlling authority for email
( ) open relays in foreign countries
( ) ease of searching tiny alphanumeric address space of all email addresses
( ) asshats
( ) jurisdictional problems
( ) unpopularity of weird new taxes
( ) public reluctance to accept weird new forms of money
( ) huge existing software investment in smtp
( ) susceptibility of protocols other than smtp to attack
( ) willingness of users to install os patches received by email
(X) armies of worm riddled broadband-connected windows boxes
(X) eternal arms race involved in all filtering approaches
(X) extreme profitability of spam
( ) joe jobs and/or identity theft
( ) technically illiterate politicians
( ) extreme stupidity on the part of people who do business with spammers
( ) dishonesty on the part of spammers themselves
( ) bandwidth costs that are unaffected by client filtering
( ) outlook
and the following philosophical objections may also apply:
(X) ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) any scheme based on opt-out is unacceptable
( ) smtp headers should not be the subject of legislation
( ) blacklists suck
( ) whitelists suck
( ) we should be able to talk about viagra without being censored
( ) countermeasures should not involve wire fraud or credit card fraud
( ) countermeasures should not involve sabotage of public networks
( ) countermeasures must work if phased in gradually
( ) sending email should be free
( ) why should we have to trust you and your servers?
( ) incompatibility with open source or open source licenses
( ) feel-good measures do nothing to solve the problem
(X) temporary/one-time email addresses are cumbersome
( ) i don't want the government reading my email
( ) killing them that way is not slow and painful enough
furthermore, this is what i think about you:
(X) sorry dude, but i don't think it would work.
(X) this is a stupid idea, and you're a stupid person for suggesting it.
( ) nice try, assh0le! i'm going to find out where you live and burn your house down!
and make it a learning experience at the same time. let people guess what the country of origin of the person in the picture is :P
A good solution here is to include this as part of the turing test itself.
As I mentioned upthread, I'm a partner in a web dev shop. We do a lot of social networking (of course) and about a year ago we developed a utility to create just this type of turing test. For example, we'll have a picture, and ask the question "What is the color of the 3rd fish from the left?"
What we do, is we pair these tests on a page. We'll include a known test, like the one above. And we'll also show an unclassified image and we might ask "how many people are in this picture?"
There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as it's confirmed 2 times, it gets classified as having n people. Soon after it would be displayed again asking "how many females are in this pic?" or "what color shirt is the person on the right wearing?"
When we created the app, the DB had about 5000 turing tests in it. We then attached a DB of about 100,000 images that were pre-classified but not to an extent that would allow us to write a test off it.
Now, after a year in use across a couple dozen moderately trafficked websites, we have nearly 25,000 turing tests. All 20,000 new tests have been created through the technique I described above.
The real reason we did it wasn't to save on some development costs. We could've hired temp workers and paid them $8 an hour to classify pictures.
We did it because I believe strongly that the key to simple turing tests like this is a large corpus of data. If a bot only encounters the same test once or twice EVER, then the problem becomes difficult to solve. This is like the ANTI-CAPTCHA.
CAPTCHA was all about taking a specific technique to its maximum extent: Challenge a computer system by taking a narrow field (OCR) and pushing it beyond the current state-of-the-art.
These tests are all about a general technique that's broad where CAPTCHA is just deep.
The only way to build a bot to solve each test in our DB would be to give it genuine intelligence. It would have to be capable of determining context, reference, connotation, image ID, etc.
As a programmer, if you say "Here's a captcha, write a program to solve it" I wouldn't know HOW, but I'd at least have an idea of where to begin.
Now, if you show me a picture with the turing test of "What object is in the hands of the 3rd woman from the left" ... well... I wouldn't know where to begin.
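The pairing technique the poster describes (a scored known test beside an unscored probe whose answers are recorded until they agree, after which the probe becomes a new test and the image gets its follow-up question), as an added example that is not the poster's utility. Assumptions: a probe vote only counts when the visitor passed the known test, two matching answers confirm a probe, and the follow-up question order is the fixed ladder below; the images and answers are constructed.

```python
from collections import Counter, defaultdict

# Assumed follow-up order: once the people count is confirmed, ask about the shirt.
LADDER = ["how many people are in this picture?",
          "what color shirt is the person on the right wearing?"]

def normalize(answer):
    return answer.strip().lower()

class TuringTestFarm:
    def __init__(self, known_tests, unlabeled_images, agreement=2):
        self.known = dict(known_tests)        # (image, question) -> accepted answer
        self.open = [(img, LADDER[0]) for img in unlabeled_images]  # probes still being voted on
        self.votes = defaultdict(Counter)     # probe -> Counter of normalized answers
        self.agreement = agreement            # matching answers needed ("confirmed 2 times")

    def build_page(self, rng):
        """One known test (scored) paired with one open probe (recorded, not scored)."""
        return rng.choice(sorted(self.known)), rng.choice(self.open)

    def submit(self, known, known_answer, probe, probe_answer):
        """True if the visitor passed the known test; only then is the probe answer trusted
        (assumed: someone who failed the real test may be a bot, so their vote is dropped)."""
        if normalize(known_answer) != normalize(self.known[known]):
            return False
        if probe in self.open:
            tally = self.votes[probe]
            tally[normalize(probe_answer)] += 1
            answer, count = tally.most_common(1)[0]
            if count >= self.agreement:
                self.known[probe] = answer    # graduates into a real test
                self.open.remove(probe)
                nxt = LADDER.index(probe[1]) + 1
                if nxt < len(LADDER):         # schedule the follow-up question for this image
                    self.open.append((probe[0], LADDER[nxt]))
        return True

def demo():
    """Constructed run: one seeded fish test, one unlabeled beach photo, four visitors."""
    fish = ("fish.jpg", "what is the color of the 3rd fish from the left?")
    beach = ("beach.jpg", LADDER[0])
    farm = TuringTestFarm({fish: "orange"}, ["beach.jpg"])
    results = [
        farm.submit(fish, "blue", beach, "2"),      # fails the known test: vote discarded
        farm.submit(fish, " Orange ", beach, "2"),  # passes: first vote for "2"
        farm.submit(fish, "orange", beach, "3"),    # passes: dissenting vote
        farm.submit(fish, "orange", beach, "2"),    # second "2": beach becomes a known test
    ]
    return results, len(farm.known), farm.known.get(beach), farm.open
```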
o0o0o0 I like the look of it. So in the middle it tells the 'person' to click on a number, letter, or a symbol. Once clicked the 'person' is passed on/authenticated..?
Do they read /.?
They have to solve three in a row. That way it works out that random clicks within the image would have approximately one chance in 27,000 of getting through. I figure that even one chance in 100 is still good enough odds to make it worthwhile having a bot run up against it. But not 27,000:1.
Please change the moderation of my parent post from "Just barely worth reading" to "Dang it, I'm so stupid, I'll probably end up living in a van, down by the river"
A lot of blind people surf the web too, you know. How do you think they like to be confronted with a CAPTCHA?
The end of CAPTCHAs is a win for web usability.
Search Engines help humans find web pages that the humans might find interesting, and they do this by having robots spider the web looking for patterns. Search Engine Optimizers try to get humans to read their customers' web pages in three ways:
You actually have a shot if you're small, though.
We just rolled out something simple -- I think it was even a FOSS library -- which sends some sort of challenge in JavaScript. Someone would either have to be automating a real web browser, or targeting our site specifically -- which might eventually force them to at least run a JavaScript engine.
That pretty much killed our comment spam overnight.
Obviously, it can't last -- as I said before, they could use a real browser (or use Mechanical Turk and use real people) -- or they could specifically target our platform (SpiderMonkey would pretty much take care of it).
Don't thank God, thank a doctor!
Humans may not be as fast as robots, but they can be surprisingly cheap. There's enough of the world where $1/hour* is an attractive wage and people speak some English, and if the people there can solve a CAPTCHA in 9 seconds, that's at the $0.0025 price level that Nick was referring to. (Hi, Nick!)
If you're a scammer and there's a website that you want to crack, but it's not big enough to pay somebody to develop an algorithm for (either because the CAPTCHA's too hard or changes too often etc.), you can find some corrupt Nigerian generals' orphaned children who'll do it, or some Chinese guys who are tired of beating up monsters to get gold pieces or magic swords.
I don't know the going price of zombies or mail relay accounts, and it's probably dropping at faster than Moore's Law, but some sites are probably worth attacking.
* "Make good money $5 a day... Made any more I might move away..."
...when people think they are smarter than machines. Such people will die in the first wave.
Source code me someone. I don't want to do evil, but I do want to read the code of how this was achieved.
I am not surprised. No one expected that to be a permanent solution either. On the good side it did slow spammers down quite a bit.
CAPTCHA is too simple a Turing test for humans vs. machines, but it isn't fair to blame such a cool open source idea for all these proprietary imitations' failures.
To complete your web registration, please prove that you're human:
When Littlefoot's mother died in the original "Land Before Time," did you feel sad?
() YES
() NO
(Bots: No lying.)
http://xkcd.com/233/
The word is "use".
http://www.urbandictionary.com/define.php?term=leverage
If images are used more often, spammers will just start hashing pictures and doing the same with pornographic sites and the current captcha breaking technique of having them identify the object. You compare the hash of the image from the 'gmail' or 'hotmail' account, look it up in your database, and post the lemmings response.
> But if I have a website selling Apple Pies and I link every
> instance of the word "Apple Pie" to the front page of the site,
> how, really, can you have an issue with that?
Personally, I wouldn't consider that "evil" as long as all those internal words and links are displayed to the viewer of the website and not hidden somewhere by magic. This way websites can trade off being annoying and appearing brain-dead (by increasing the number of such links) and having better search rankings.
OTOH, now that you tell me about this technique, I wish that Google would have a preference which I could set which would enable me to either disable that part of their evaluation algorithm, or even invert the sign on it (so those sites would get lower rankings). But somehow, I don't think that's going to happen in the near future. Google could do this automatically for me if it would base its rankings not (only) on what I click from the search results, but in addition, enable me to send it my personal ranking info about a website which I just clicked and found useless.
In order for that to work, I have to let Google assemble a personal profile for myself, which other people view as "evil". YMMV.
Is logic puzzles. "You are in a room with three guards, one of these guards always lies, one of them always tells the truth, and one of them lets you register this email address. Who do you ask?" Let's see a computer solve that!
Has anyone tried Flash for captcha? Seems like that might stop 'em for a little bit.
just keep the current trajectory of making them harder and harder to read, and then only the bots will be able to give the right answer!
Way to go, using a post about the cracking of captchas, which is done by the way using standard techniques developed by academic researchers and using the 'let an unwary human solve it to get to porn' approach, both of which were foreseen by researchers as reasons why captchas would not work in the long term, to deliver a baseless critique of academia.
Academia is probably the least dogmatic and bureaucratic environment there is. My personal experience with this comes from a physics lab, but I've heard similar stories from colleagues researching biology and information science, so I think this'll hold true for most exact sciences. People are researching whatever looks promising to them, sometimes radically changing the landscape of their field in the process.
Academics may start out as regular folk, but people do get smarter when they have to use their brain. Most academics are actually a lot smarter than normal folk, not because they were born smarter per se, but because they have during their career honed their thinking skills to an extent that normal people cannot even begin to appreciate. Thinking doesn't come naturally to people. When you're born, you're just a (relatively bad) pattern matcher, prone to seeing things that aren't there, to invent causes where none exist. To get a grasp of logic, and how people often unwittingly abuse it, on the advanced math that is needed to understand how the world works, to understand how people can delude themselves, and so on, and of course to actually learn all the theory, you actually have to work hard. And in doing so, you will get smarter.
As for prior research being just a load of baggage, if people start to do research in a field without prior knowledge, they almost always end up like Neal Adams.
Further, academia is made of critique. Academia is pretty much the only environment where really everything stands up for discussion and no theory or argument stands longer than the time it takes to refute it. Try to find that in the private sector or politics, with their power games, or the personal sphere where what counts is only the number of adherents of an idea, even if it's totally debunked. Oh the bitter irony of a Slashdotter accusing academia of groupthink.
This method will suffice to crack ANY CAPTCHA!
... any human solvable CAPTCHA. And we seem to be well on our way to CAPTCHAs on major sites which don't fall into that category anymore.
"Please enter the characters from the CAPTCHA in reverse order" solved our problem with OCR-capable spambots. Of course you also can modify this idea: "Please only enter the 3rd and 5th character from the CAPTCHA", etc.
I believe the trick for having a spambot-proof CAPTCHA is that every site has its own rules for what info from the CAPTCHA shall be entered.
A bit of a strange idea, but... If AI can solve captchas it must also be able to solve useful problems. If they used real-life problems in captchas (e.g. "does this blueberry look rotten or not?", "is this PCB nicely printed or not", ...), then cybercriminals would actually design algorithms that solve useful real-life computer vision, and that would make the cybercriminals automatically do something useful!
Instead of solving the captcha they want you to pay up for the paid service that doesn't have the captcha.
Rapidshare WANTS to delay you and make it hard because the free users just cost them money.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I remember reading once about a solution to the TCP SYN flood problem. I think that one of the RSA guys (maybe Rivest) wrote it. Client puzzles. Would it work in lieu of CAPTCHA?
In addition to checking that the user is human, slow him down. Send his computer a cryptographic puzzle, something like, "What is the DES key that can decrypt _______ to get message text ______?" Now you've got his computer busy for a few seconds trying to break a password. If a spammer has to break a CAPTCHA but his computer can only muster up the CPU to do it a few times a minute, will that slow him down enough?
You'd have to install some add-on into browsers to accept and try to solve client puzzles. The point is, maybe distinguishing humans from computers isn't enough.
I wonder what effect it would have on spam if say yahoo, google, hotmail, and all of the other FREE email solutions started charging say $5-$10 per month for an email account?
"And your solution is...?"
.. :)
I don't have to produce a solution, I don't advertise myself as some kind of research guru. What have the various research departments been doing for the past decade, while they've been about innovating Web 2 and integrated INNOVA~1. I do know, given their research funds, I could come up with a better solution than CAPTCHAs.
"Please bear in mind "The system does not do X and Y" is not generally the form a real solution takes"
The system does X and Y and doesn't do everything else, is a form of enumerating goodness; as Marcus Ranum said, enumerating badness is a dumb idea, as I've previously quoted on a number of occasions here.
I did say don't tell me how not to do it
davecb5620@gmail.com
Why can't Google (or whoever) just embed some text like "This captcha is for gmail only, if you are seeing this, the site is hacking gmail"? That way maybe most users wouldn't sign up for that free porn site or whatever that is exploiting a captcha.
In quite a few cases, there's a human-based workaround to CAPTCHA-"protected" sites. For example, I often buy tickets to performances at a local theater. Their site is CAPTCHA-protected -- you select your seat price range, then solve a CAPTCHA, and the system picks the best available seats in that range for you. You then have 3 minutes to purchase the seats.
What happens is that what the system considers the best seats may not necessarily be the best seats. I don't like sitting in the first 2 or 3 rows for a ballet performance, for example; it's too close to see everything. So if it gives me seats that are too close, I open another browser window and repeat the process -- the "best" seats are still on hold for me so I get the next best seats; and so on, until I have the seats I want.
Where there's a will, there's a way.
Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
I hate Ticketmaster and wish CAPTCHA hacking on them until their head asplode.
All you have to do is put "you must be under 18 to solve this captcha" built into the captcha itself. Anyone on the porn site is over 18 because that's the law, and then they won't be allowed to solve the captcha because they are too old*!
* does not work in areas of the world where you can view porn under 18, or on anyone who lies about their age, or any porn sites where there isn't an age requirement, and it means your site won't allow any users over the age of 18 to contribute
hey, it's not perfect
There is one Captcha implementation which is so far impervious to bot attacks, reCAPTCHA. That said, there are myriad "Companies" offering human-based Captcha solving solutions, as well as freelancers out there offering similar services. The price? Down to fractions of a penny per Captcha solved.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Everybody wants to self sign their stuff (for free) but due to browser warning boxes etc. the big Cert providers have a business. Could be a similar situation here where 'ID' providers get a reputation and you end up with a similar mix of a few big providers + the self-signed providers. Sadly, big ID providers could bribe email clients to include their brand as more trustworthy by default similar to Signed Certs.
I'm applying CONCEPTS from digital certificates/signing while trying to limit the downsides.
We ALREADY accept fake users from any email server; and blackhole server lists are next to dead today. Sure, this just makes user accounts get verified with a server-- which could be done with some sort of secure mechanism; although, using DNS (which would have to be better locked down, which is in the works already) it could point to account servers for verification. At this point, messing with SMTP more just doesn't seem like a great idea and OpenID is trying to create a new framework for problems like this.
Verification of the sender's address isn't something that has been done yet and would help combat spam greatly-- but to do so without compromising privacy. My own experiments with email servers show massive drops in spam simply by DNS verification of the mail server alone. Grey lists stopped spam completely until spammers got wind of it.
Spam is fuzzy; server identity and email user identity don't have to be white/black listed, they can also be RANKED 0-100 to give hints to the existing spam filters. Blackhole lists didn't work except for the worst offenders-- and a blacklisted server might put out largely legitimate email. Bad servers should be ranked-- by services, peers, or by user marked spam.
I'd like to see a peer ranking, open SSL signing model as well.
Democracy Now! - uncensored, anti-establishment news
Well come on, be fair. $0.01 is a proper price. Head over to mturk.com and get your captchas answered by humans for 1 cent a pop! They'll eat 'em up. It'll take seconds for one to be solved. There is a webservice interface, so all the hard work is already done. Oh, and Amazon apparently has no people checking for that kind of stuff; the amount of people asking you to sign up or do fraudulent things there is quite large.
Then again, why pay $0.01 when you can simply find an algorithm that gets it right most of the time for the cost of electricity ...
My bank has adopted a scheme of "choose your image from the following twenty", and they only allow three failures.
A scheme that would last until the Turing challenge was broken would be simply to ask the user to identify the thing, animal, or person in a given image.
-- Juanco
I am mildly dyslexic and I have trouble with them and have probably wasted several hours on the stupid things. Where do I send the bill? Apparently Pittsburgh.
I hate CAPTCHAs and Congress needs to pass a law that if you see the smug asshole, Luis von Ahn, who invented them every citizen has the right, no duty, to sucker punch him and have the option to kick him in the balls.
In India there are some shady businesses that pay people 2 dollars an hour to view CAPTCHAs and submit them for spammers, etc. So there is no possible way to stop determined spammers. It is a cat and mouse game.
this reminds me of Fatigue in runescape with Coldfeet & Sleepwalker pwned (3 Dylock), but then AROCR was the best.