Fallout From the Fall of CAPTCHAs
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?
There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks.
Why shouldn't as many people as possible have access to CAPTCHA breaking schemes if the spammers do anyway? Shame on the poster for not including some links himself.
CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.
Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.
I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.
They don't view it better than you, they just do not get impatient from failing 4 out of 5 times.
Does anyone else find it as depressing as I do that such obviously intelligent, motivated individuals can't find a more productive use of their talents?
CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.
For example, I use reCAPTCHA on DocForge to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.
Computers are pretty good at math last time I checked. Asking for something that would require a full on AI to answer is good (the hair color part), but the problem is that it requires a human to seed the questions, which means they will be limited in number. If they're limited in number then the spammers will just go through and keep reloading the screen until they've seen all (or mostly all) of the answers and program their bot with the correct answers.
CAPTCHAs need to be able to be generated algorithmically by a computer, but not answered by one, which is a surprisingly difficult problem. Anything that requires human intervention on the creation of each variation is doomed to fail because spammers have more free time than you do.
>What about reCaptcha? Anyone break that yet?
Yes. For $0.25 each I'm willing to answer the questions for you. You might find people in third world countries who will do it for much less.
The problem is that to set up that CAPTCHA you have to have a person sift through a huge picture archive of cats and dogs and mark each one. However, that limits the size of your CAPTCHA dictionary to however many entries a person can parse in a reasonable amount of time. This means the bad guys can sit down a person (or two, or ten) and go through all of your images to seed a database with the correct answers for their bots.
Not really, unless the catalog is huge and you expect your legitimate users to be biologists. If there are even as many as 100 animals the script can just guess, and 1% of attempts get through. When thousands of bots are signing up simultaneously, 1% is a whole lot of bots.
It is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer uses email. Why would they?
In a globally connected world with several billion possible users, open email simply won't work much longer.
What we need are permission-based systems, ones in which people need permission before they can contact another person. It would eliminate spam entirely, by integrating whitelists into mail clients. Because no one has built a system like this that leverages and extends existing email servers, private organizations leveraging social connections have moved in to fill the gap. Sadly, because Facebook messages and MySpace messages are not built on an open standard, you have to go through those companies to contact people.
Makes one feel like an idiot if some site starts to require impossible Captchas. Rapidshare for example had one where you were supposed to only write the letters featuring a cat (other letters had a dog). I had to enable some zoom feature of my DE to get a closer look but still the dogs and cats looked like some screen-dirt to me. Never managed to solve this one properly.
Looks like I'm not the only one not smart enough - they replaced this CAPTCHA with some "Happy Hour" mode, which didn't require any form.
BONGARD PROBLEMS. No machine can crack them in at least 10 years time. And when one does, baby, we'll have genuine AI.
"On the internet, only CAPTCHAs know you're a dog." Because, of course, there aren't any color-blind people on the internet...
First, hair color is a terrible test... You've got about a 24% chance of getting it right without looking...
Putting together a set of images with full extensive descriptions such as that would be prohibitive, while numbers and letters can be pretty easily automatically generated.
On gMail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.
The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.
If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.
You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.
Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.
Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within google (I know there are quite a few of those)
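The rules in the post above (a daily send cap for brand-new accounts, checking that the account also receives and reads mail, holding a burst of near-identical messages for a human reviewer, and then silently muting rather than disabling) sketched as a small policy engine. This is an added example, not code from the post or from any mail provider: the thresholds other than the 20/day figure, the 3-word-shingle Jaccard similarity measure, the account names, timestamps and sample message bodies are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, except the 20/day cap the post floats.
NEW_ACCOUNT_AGE = timedelta(days=7)
NEW_ACCOUNT_DAILY_CAP = 20
SEND_ONLY_LIMIT = 10          # new account, never read inbound mail, already sent this many today
SIMILARITY_THRESHOLD = 0.8    # Jaccard over 3-word shingles
SIMILAR_BURST = 5             # this many near-duplicates in a day -> hold for human review


def shingles(text: str, k: int = 3) -> frozenset:
    """3-word shingles of a normalised body; small spammer edits leave most intact."""
    words = text.lower().split()
    if len(words) <= k:
        return frozenset([" ".join(words)])
    return frozenset(" ".join(words[i:i + k]) for i in range(len(words) - k + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity in [0, 1]; two empty bodies count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


@dataclass
class Account:
    created: datetime
    received_read: int = 0          # inbound messages the user actually opened
    day: object = None              # date the per-day counters belong to
    sent_today: int = 0
    bodies_today: list = field(default_factory=list)
    held: list = field(default_factory=list)
    muted: bool = False             # silently discard; the sender still sees "sent"


class OutboundPolicy:
    def __init__(self):
        self.accounts = {}

    def register(self, name: str, created: datetime) -> None:
        self.accounts[name] = Account(created=created)

    def note_read(self, name: str) -> None:
        self.accounts[name].received_read += 1

    def decide(self, name: str, now: datetime, body: str) -> str:
        """Return 'send', 'hold' (queue for human review) or 'drop' (shadow-muted)."""
        acct = self.accounts[name]
        if acct.muted:
            return "drop"
        if acct.day != now.date():                      # roll the daily counters
            acct.day, acct.sent_today, acct.bodies_today = now.date(), 0, []
        is_new = now - acct.created < NEW_ACCOUNT_AGE
        if is_new and acct.sent_today >= NEW_ACCOUNT_DAILY_CAP:
            return "hold"
        if is_new and acct.received_read == 0 and acct.sent_today >= SEND_ONLY_LIMIT:
            return "hold"                               # sends but never reads: bot-like
        sh = shingles(body)
        similar = sum(1 for prev in acct.bodies_today
                      if jaccard(sh, prev) >= SIMILARITY_THRESHOLD)
        acct.bodies_today.append(sh)
        acct.sent_today += 1
        if similar >= SIMILAR_BURST - 1:                # this message completes a burst
            acct.held.append(body)
            return "hold"
        return "send"

    def review(self, name: str, is_spam: bool) -> None:
        """Human verdict on the held batch: mute silently, never tell them."""
        acct = self.accounts[name]
        if is_spam:
            acct.muted = True
        acct.held.clear()


def demo() -> dict:
    """Constructed scenario: one spam bot, one legitimate new user (assumed data)."""
    t0 = datetime(2008, 5, 1, 9, 0)
    policy = OutboundPolicy()
    policy.register("bot", t0)
    policy.register("alice", t0)
    policy.note_read("alice")
    spam = "Buy cheap meds today at the usual place, limited offer, act now!"
    bot_results = [policy.decide("bot", t0 + timedelta(minutes=i), spam) for i in range(6)]
    policy.review("bot", is_spam=True)
    after_review = policy.decide("bot", t0 + timedelta(hours=1), spam)
    alice_results = [policy.decide("alice", t0 + timedelta(minutes=i),
                                   f"note {i} about topic {i * 7} for the team")
                     for i in range(21)]
    return {"bot": bot_results, "bot_after_review": after_review, "alice": alice_results}


if __name__ == "__main__":
    print(demo())
```

The bot's fifth copy of the same body trips the burst rule and is held; once a reviewer marks the batch as spam every later message is dropped while the bot still sees success. The legitimate new user is only stopped by the 20/day cap, and only on the 21st message.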
Maybe the poster should've RTFA. But this is Slashdot after all. Nobody reads the articles.
http://it.slashdot.org/comments.pl?sid=467856&cid=22568696
It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.
Not really, it's all about scale. That system wouldn't last more than just a few seconds if a full "attack" were performed by a large botnet. The number of permutations is relatively finite, therefore with a large number of computers trying to "solve" the problem, once the correct answers were "cracked" then they could be shared and eventually the bots either know all of the answers, or you removed *all* of the questions from the list. I'm not saying this is an ineffective system for small/medium sites, but it wouldn't cut it for really large sites.
This misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.
And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA)
If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.
In a Turing test, obviously, a human does the verification. Unless you have an army of extremely low-wage laborers doing the verification, or a machine capable of passing a real Turing test, the CAPTCHA will *never* work. The only solution for now, I think, would be to force multiple layers of authentication on users. I.e., you can have your craigslist account, but you're gonna need to pay 2.95 S&H and wait 5-7 days to get your key chain dongle before you can log in. Obviously, the average user is not going to be up for that. So you're stuck with spam. It sucks, but there's no way around it.
Or you can be smart and realize that sites like petfinder already have to sift through over 3 million photos in the dataset: http://research.microsoft.com/asirra/
That's better, but it still has only 720 unique solutions, which is still within brute-force range. Your image library would need to be vast, or paying someone a small amount to label all the images once is an effective attack.
By comparison, a text CAPTCHA has something like 56 billion unique solutions for a 6-digit string.
Or you can be smart and realise that if you use a public site then the bots can use it too. ;-)
"How can they do that, and yet all the great academic minds can't?"
Simple.
First:
Academics often fall prey to dogmatism and groupthink. Years of bureaucracy addle their minds.
Second:
The thing is that academics are not smarter than average. Academics are simply average people that work in research. They tend to know more within their fields not because they are inherently smarter, but because they are more motivated. And guess what happens with spammers and motivation? That's right! They are highly motivated and there is no bureaucracy and dogma to blind their way of thinking. They just need anything that works and they don't assume anything based on "prior research". Prior research is both a blessing and an iron ball with a chain. It's legacy and it's baggage. You're standing on the heads of the giants or on a pile of rotting corpses. You take your pick.
Learning is a good thing, but academicians, or the so-called "professional" learners should really be criticized more often than they are.
A botnet with 10,000 zombies randomly guessing which of them might be kittens (without ever looking at the pictures themselves) will breeze through that like it's not even there.
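A worked version of the arithmetic in this sub-thread: the 720-versus-56-billion comparison a few posts up, the earlier points that a fixed, human-seeded question pool can simply be enumerated by reloading or labelled once by paid humans, and the 10,000-zombie blind-guess reply just above. This is an added example, not from the thread or from the Asirra project; the 12-image challenge layout, the per-attempt and per-label costs, and the pool sizes are assumptions chosen to show the shape of the calculation rather than figures from the page.

```python
"""Added example: how much a small answer space helps an attacker who
guesses blindly or enumerates a seeded question pool. All challenge
sizes and prices below are assumptions for illustration."""
from fractions import Fraction
from math import comb


def pick_k_of_n_guess(n_images: int, n_targets: int) -> Fraction:
    """Chance one blind guess picks exactly the right subset when the solver
    knows how many of the n_images are targets (assumed 12 images, 6 targets)."""
    return Fraction(1, comb(n_images, n_targets))


def yes_no_per_image_guess(n_images: int) -> Fraction:
    """Chance of a blind guess when each image is an independent yes/no
    and the solver is not told how many targets there are."""
    return Fraction(1, 2 ** n_images)


def text_space(alphabet_size: int, length: int) -> int:
    """Size of the answer space for a fixed-length text CAPTCHA
    (62 symbols, 6 characters gives the thread's ~56 billion)."""
    return alphabet_size ** length


def expected_successes(attempts: int, p_success: Fraction) -> float:
    """Expected number of bots that get through if every attempt guesses blind."""
    return float(attempts * p_success)


def expected_reloads_to_see_all(pool_size: int) -> float:
    """Coupon-collector estimate: reloads needed on average to see every
    question of a fixed pool when each reload draws one uniformly at random."""
    return pool_size * sum(1.0 / k for k in range(1, pool_size + 1))


def cost_per_account(desired: int, pool_size: int, cost_per_label: float,
                     p_guess: Fraction, cost_per_attempt: float) -> dict:
    """Per-account cost of the two attacks in the thread, amortised over the
    number of accounts the attacker wants: label the whole pool once with
    paid humans, or guess blind at an expected 1/p attempts per success."""
    return {
        "label_pool": pool_size * cost_per_label / desired,
        "blind_guess": float(cost_per_attempt / p_guess),
    }


if __name__ == "__main__":
    # Assumed 12-image, pick-the-cats challenge versus a 6-char text CAPTCHA.
    print("blind guess, count known:  ", pick_k_of_n_guess(12, 6))
    print("blind guess, count unknown:", yes_no_per_image_guess(12))
    print("6-char text space:         ", text_space(62, 6))
    print("bots through per 10,000 blind tries:",
          expected_successes(10_000, yes_no_per_image_guess(12)))
    print("reloads to enumerate a 100-question pool:",
          round(expected_reloads_to_see_all(100)))
    print(cost_per_account(10_000, 100, 0.0025, Fraction(1, 100), 0.0001))
```

For a 100-question pool, a few hundred reloads are enough to see every question, and labelling the whole pool once at a quarter of a cent per item costs far less per account than blind guessing, which is the thread's point: a pool small enough for a human to seed is small enough for a human to exhaust.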
A lot of blind people surf the web too, you know. How do you think they like to be confronted with a CAPTCHA?
The end of CAPTCHAs is a win for web usability.
"What's the problem? The solution to the problem is simple... just solve it!"
Brilliant! Why didn't any of us think of that?
And your solution is...?
Please bear in mind "The system does not do X and Y" is not generally the form a real solution takes. Although it gives me one hell of an idea for the next joke computer language, one that requires you to enumerate all the things it shouldn't do...
The word is "use".
http://www.urbandictionary.com/define.php?term=leverage
Try reading page where every second word is a link and tell me how pleasant it is. And why, for God's sake, would you want to? You just need ONE link to the front page at the top.
It makes the site stink of SEO and I'm likely to give up on it immediately.
"There is no wrong answer for that test, and their answer is recorded. Soon, that same question will be asked for that same picture. As soon as its confirmed 2 times, it gets classified as having n people."
How do you know that those 2 confirmed times weren't bots, and that you've just allowed those bots to effectively choose the answer to your question?
Way to go, using a post about the cracking of CAPTCHAs, which is done, by the way, using standard techniques developed by academic researchers and using the 'let an unwary human solve it to get to porn' approach, both of which were foreseen by researchers as reasons why CAPTCHAs would not work in the long term, to deliver a baseless critique of academia.
Academia is probably the least dogmatic and bureaucratic environment there is. My personal experience with this comes from a physics lab, but I've heard similar stories from colleagues researching biology and information science, so I think this'll hold true for most exact sciences. People are researching whatever looks promising to them, sometimes radically changing the landscape of their field in the process.
Academics may start out as regular folk, but people do get smarter when they have to use their brain. Most academics are actually a lot smarter than normal folk, not because they were born smarter per se, but because they have during their career honed their thinking skills to an extent that normal people cannot even begin to appreciate. Thinking doesn't come naturally to people. When you're born, you're just a (relatively bad) pattern matcher, prone to seeing things that aren't there, to invent causes where none exist. To get a grasp of logic, and how people often unwittingly abuse it, on the advanced math that is needed to understand how the world works, to understand how people can delude themselves, and so on, and of course to actually learn all the theory, you actually have to work hard. And in doing so, you will get smarter.
As for prior research being just a load of baggage, if people start to do research in field without prior knowledge, they almost always end up like Neal Adams.
Further, academia is made of critique. Academia is pretty much the only environment where really everything stands up for discussion and no theory or argument stands longer than the time it takes to refute it. Try to find that in the private sector or politics, with their power games, or the personal sphere where what counts is only the number of adherents of an idea, even if it's totally debunked. Oh the bitter irony of a Slashdotter accusing academia of groupthink.
Instead of solving the CAPTCHA they want you to pay up for the paid service that doesn't have the CAPTCHA.
Rapidshare WANTS to delay you and make it hard because the free users just cost them money.
Has anyone tried Flash for CAPTCHA? Seems like that might stop 'em for a little bit.
Or better yet Silverlight! That'll stop even more of 'em