Slashdot Mirror


Web Fraud 2.0 — Point-and-Click Cracking Tools

An anonymous reader writes "The Washington Post's Security Fix blog is running a fascinating series that peers inside some of the Web-based services cyber crooks are using to ply their trade: from masking their identity, to defeating CAPTCHAs, to creating counterfeit documents and validating stolen credit and debit cards. Everyone familiar with this space hears about these kinds of tools and services all the time in the abstract, but the Post blog includes screen shots and background details on the popularity of the services and how each one is helping to bring cyber crime that much closer to the realm of even the most newbie scam artists." Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.

92 comments

  1. Language Support by introspekt.i · · Score: 5, Funny

    Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.

    Damn. And here I was looking for fraud tools in Klingon. No wonder I can't ever find anything.

  2. Holy Stereotypes! by ghoti · · Score: 1, Funny

    Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.

    Way to throw around those stereotypes! I bet they all run on Windows, too! Windows - the first choice for crooks and scammers!

    --
    EagerEyes.org: Visualization and Visual Communication
    1. Re:Holy Stereotypes! by Jack9 · · Score: 5, Insightful

      Except it isn't a stereotype...it's a statistical certainty. Wouldn't surprise me to learn that English-language tools exist too?
      See how stereotype doesn't apply? Probably not.

      --

      Often wrong but never in doubt.
      I am Jack9.
      Everyone knows me.
    2. Re:Holy Stereotypes! by Anonymous Coward · · Score: 3, Informative

      http://www.spamhaus.org/statistics/countries.lasso

      1 United States 1571
      2 China 428
      3 Russian Federation 305
      4 South Korea 197
      5 Germany 180
      6 United Kingdom 180
      7 France 177
      8 India 153
      9 Japan 147
      10 Brazil 147

      In other words, the US beats the next 7 countries combined, Germany, France and the UK together beat China and every two of them beat Russia.

      We'd be a lot better at fighting the bad guys if we wouldn't assume that "we" are the good guys.

    3. Re:Holy Stereotypes! by Anonymous Coward · · Score: 4, Informative

      http://www.spamhaus.org/statistics/spammers.lasso

      1 HerbalKing India
      2 Vincent Chan / yoric.net Hong Kong
      3 Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov Ukraine
      4 Nikhil Kumar Pragji / Dark-Mailer Australia, Queensland
      5 Ruslan Ibragimov / send-safe.com Russian Federation
      6 Leo Kuvayev / BadCow Russian Federation
      7 Pavka / Artofit Russian Federation
      8 Russian Business Network Russian Federation
      9 Yambo Financials Ukraine
      10 Alexey Panov - ckync.com Russia

    4. Re:Holy Stereotypes! by Anonymous Coward · · Score: 4, Insightful

      The stereotype doesn't imply that the statement is wrong, but why was that statement made about Chinese and not English tools? According to the Spam origin data, English tools are a lot more likely than Chinese tools, so while in itself not wrong the decision to focus on one correct statement while omitting another correct statement speaks of bias and creates an incorrect impression to the casual reader (and if you know the data then you don't need news articles in the first place).

    5. Re:Holy Stereotypes! by Anonymous Coward · · Score: 0

      A list of countries where spam originates from is irrelevant (and note that that is the originating country of the spam, not the country of origin of the spammer).

      These tools and services are not equal to spam. Not saying you're wrong or right, but your evidence is bogus.

    6. Re:Holy Stereotypes! by Anonymous Coward · · Score: 2, Interesting

      Register of *known* Spammers. I'd expect the much better/less bribe-able police services in the US would encourage Spammers there to stay much deeper underground...

    7. Re:Holy Stereotypes! by clarkkent09 · · Score: 1

      It is a classic example of a stereotype, and I can't believe that a comment saying that it isn't so is modded as insightful. It is a stereotype that many cybercrimes are committed by Russians and Chinese and kdawkins is obviously affected by it. It is incidental in this case that the stereotype is not even true, as just as much, and probably much more online nastiness is coming from USA.

      What if he said "many burglaries are committed by blacks, I bet many are also committed by latinos" while not mentioning those committed by other races. Yes the statement is strictly speaking true, but it is also a stereotype, and racist too, because of what it leaves out.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    8. Re:Holy Stereotypes! by BPPG · · Score: 1

      Many years ago, English was once thought to be the universal hacking language. Of course, not just focused around malicious hacking...

      --
      What's the value of information that you don't know?
    9. Re:Holy Stereotypes! by palegray.net · · Score: 3, Interesting

      This data looks good until you consider the fact that a major profit center for certain Chinese nationals is the practice of compromising huge numbers of servers hosted outside China, for the purpose of sending SPAM that won't be stopped by GeoIP restrictions.

      Who's making assumptions now?

    10. Re:Holy Stereotypes! by hclewk · · Score: 5, Insightful

      It is not a stereotype to say that many burglaries are committed by blacks, as this can easily be backed by data. It is stereotypical, however, to say, "All blacks commit burglaries", "Most blacks commit burglaries", or "He is black so he's probably committed burglary."

    11. Re:Holy Stereotypes! by ahabswhale · · Score: 2, Informative

      Utterly meaningless statistic. Foreign spammers know that their spam must originate from the U.S. or it has an almost 0% chance of reaching American mailboxes. Consequently, they search constantly for server and user machines in the U.S. they can easily compromise.

      --
      Are agnostics skeptical of unicorns too?
    12. Re:Holy Stereotypes! by Colonel+Korn · · Score: 2, Insightful

      The botnets that send those spam messages from the United States are controlled by Russia(ns). Remember the news a few weeks ago when Russia invaded Georgia and 80% of the world's spam stopped while the botnets switched to attacking the Georgian government's web page?

      --
      "I zero-index my hamsters" - Willtor (147206)
    13. Re:Holy Stereotypes! by benjfowler · · Score: 1

      One of the golden rules of cracking/stealing online, is to avoid cracking machines, or ripping people off in your own country.

      Assuming that the authorities are making at least a token effort and regularly take the 'low hanging fruit' off the streets, I imagine it would skew the remaining pool of scum and villainy towards people who actually know what they're doing and have some idea of how to avoid getting caught.

      Russia and China also have a major attitude problem viz the West in general, and the US in particular, so it's little surprise they're not doing anything to rein in rampant online criminality affecting us, originating from within their borders.

      Based on this, and considering the pool of potential victims who are 1) online, 2) naive, 3) have the same language and culture, and 4) have something worth stealing is concentrated in the US... then it's little wonder that most of the abuse _appears_ to originate from the US. Just because the US is full of bots doesn't mean the criminal shitheads behind it are necessarily based in the US!

    14. Re:Holy Stereotypes! by Anonymous Coward · · Score: 0

      ahahahaha

  3. Horror Show! by ColdWetDog · · Score: 3, Funny

    Finally, a use for all the Russian courses I took in high school and college.

    --
    Faster! Faster! Faster would be better!
    1. Re:Horror Show! by Anonymous Coward · · Score: 0

      Finally, a use for all the Russian courses I took in high school and college.

      With Commie Putin bringing back the 'old ways,' I don't think you'll have any trouble finding employment by Uncle Sam shortly ...

    2. Re:Horror Show! by gr8dude · · Score: 1

      I don't know about you, but I personally welcome our new Russian-speaking overlords!

      If you want to exercise your Russian skills, try coming up with a better interpretation of the WALL-E acronym (story here: http://railean.net/index.php/2008/08/15/translation_challange_wall_e_russian)

    3. Re:Horror Show! by Anonymous Coward · · Score: 0

      Actually I think it's a use for computer scientists formerly employed by the former Soviet Union.

      The global criminal underworld also benefited from a large increase in the supply of security personnel from the former USSR.

      There is an excellent talk about this at the world affairs councils audio archive site:
      http://wacsf.vportal.net/?fileid=5363

  4. Excellent work kdawson by Anonymous Coward · · Score: 0

    Why not demonize some other nations while you're at it? Maybe throw in a jab at Africa?

    1. Re:Excellent work kdawson by palegray.net · · Score: 2, Informative

      Africa is not a nation. Africa is a continent containing many nations.

    2. Re:Excellent work kdawson by Anonymous Coward · · Score: 0

      Duh. Notice I stopped one sentence about countries with a period, then I started a new sentence about Africa. I see how this might be confusing, but the period represented the end of a particular thought.

    3. Re:Excellent work kdawson by LibertarianWackJob · · Score: 1

      Well, we know that very little SPAM comes from South Korea. Only old people even use email there.

      --
      What? ®
    4. Re:Excellent work kdawson by Anonymous Coward · · Score: 0

      The train of thought there is quite easy to follow, and I am very glad you were modded "Informative" by some sarcastic moderators. Try parsing the post in this fashion, and realize that the added words (in bold) were actually implied:

      Why not demonize some other nations while you're at it? Maybe throw in a jab at Africa as well?

    5. Re:Excellent work kdawson by Anonymous Coward · · Score: 0

      Whoosh.

  5. hehe by extirpater · · Score: 0

    is this text from a russian language course commercial?

  6. Using postal information to validate cards by davidwr · · Score: 2, Insightful

    It won't help with intangible goods and isn't practical with gift items, but stores that ship tangible goods can require that the shipping address be the same as the billing address and verify the billing address against information held by the credit card company.

    Even verifying only the postal code will make it hard for me to order a computer using your credit card if I'm not prepared to visit your locale to take delivery.

    Another technique is to allow exceptions but only if a person picks up the item at the post office or carrier's depot in person, presents ID, and smiles for the camera.

    There will need to be a solution for gifts and intangible items.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Using postal information to validate cards by snowraver1 · · Score: 2, Informative

      To me, this is a problem for the Credit Card companies to fix. I think that some companies offer this already, but there should be a service that is included in the credit card that you can go to your bank's website and request a one-time credit card number. It can only be used once, and only for the amount that you specify.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    2. Re:Using postal information to validate cards by palegray.net · · Score: 2, Informative

      No matter who you bank with, you can make one-time payments using the PayPal Plugin, even to merchants who only accept traditional bank cards.

    3. Re:Using postal information to validate cards by snowraver1 · · Score: 1

      Interesting. I'll try that with my next purchase. Thanks!

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    4. Re:Using postal information to validate cards by Carlosos · · Score: 2, Informative

      I heard on the show "Security Now" that those one-time payments are NOT one-time payments. It only means that a virtual credit card is created that will expire next month which could leave 60 days of abuse. You have to remember to close the virtual credit card manually after every use. I know Citi Bank has a similar service that I use but they also allow to set a limit for the virtual credit card so that not more can be charged.

    5. Re:Using postal information to validate cards by julesh · · Score: 1

      stores that ship tangible goods can require that the shipping address be the same as the billing address and verify the billing address against information held by the credit card company.

      There is a problem with this approach, which is that it alienates certain customers. For instance, I'm a director of a company and hold a credit card in the name of that company. The billing address on the account is our accountant's office. I don't want everything I order to go via our accountant, so any company that requires delivery to the billing address (and I do find quite a few of them) doesn't get our business.

      One thing you can do, though, is to ensure you send an invoice to the billing address, and make sure that matches the account details. That way, at least the owner of the credit card finds out what's going on quickly.

      The banks are starting to wise up to this, at least for high risk businesses. One of our clients was a company that sold replica blank-firing weapons online -- stuff that looks identical to real firearms. Their bank decided that they were quite a likely target for credit card fraud and insisted that they only deliver to cards' billing addresses. From what I understand, this restriction is pretty much universal in this line of business.

  7. stereotype day by jacquesm · · Score: 4, Insightful

    Is today global stereotype day and did I miss the memo ?

    Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it. Is France out of fashion or so ?

    Really, the reason these tools exist is because there are several requirements before you can deploy these tools, which are:

    - access to international banking
    - a large base of hackers, preferably unemployed
    (I use 'hacker' in its original form)
    - organized crime

    The USA, China, Germany and Russia all have these in abundance so that's where you will find your toolkits.

    1. Re:stereotype day by camperdave · · Score: 2, Insightful

      Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it. Is France out of fashion or so ?

      You should move to Canada, where it's always in fashion to hit on Americans.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:stereotype day by Anonymous Coward · · Score: 0

      You should move to Canada, where it's always in fashion to hit on Americans.

      And don't think we haven't noticed, and no, we won't go out with you.

    3. Re:stereotype day by LoRdTAW · · Score: 1

      "Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it."

      Nah. We just miss the good ol days of the cold war.

    4. Re:stereotype day by Anonymous Coward · · Score: 0

      Speaking of "fashions these days," the phrase "hitting on" can be defined as: Flirting with another person beyond a general acceptance of friendship.

      Perhaps you were thinking of "hating on" the Russians? As in, when one puts down the success or fortune of others due to jealousy. I think you'll find this slang more fitting.

      And to add to your list of deployment requirements: a service provider who won't shut you down if you host or link to these tools, which might eliminate many English speaking countries, or simply make Russia more promising. Or maybe I'm just stereotyping the image of Russia having a lax response to ethics and business concerns.

    5. Re:stereotype day by Anonymous Coward · · Score: 2, Insightful

      it's always in fashion to hit on Americans

      No, it's always in fashion to hit on America, not Americans. As it is everywhere, seemingly. Like Lance Armstrong used to say, I love the French, it's France I hate. Never met a Canadian that wasn't gracious and courteous (well, except waiters in Quebec) and the same follows for Russians/Iraqis/Mexicans/Japanese/etc. People generally vilify Big Faceless Stereotypes and not other people.

    6. Re:stereotype day by Zontar_Thing_From_Ve · · Score: 4, Interesting

      You forget the main reason the tools and the crime exists in Russia:
      - a weak, corrupt legal system.

      Russians (and quite a few people in the other states of the ex-USSR) have a weird sense of entitlement that causes them to believe that it's perfectly acceptable to steal from the rich. They suffered under communism for so long that it's quite all right to get some payback by stealing from the West now.

      Since Russian law really doesn't care about crimes that are committed outside of Russia against non-Russians and anyway you can just bribe a judge to get whatever ruling you want, there really is no stopping these people. Well, I can think of ways to stop them, but let's just say that I don't think the USA or the EU has the stomach for what it would take. The weak legal system argument probably applies to China too.

    7. Re:stereotype day by corbettw · · Score: 1

      Hitting on the Russians seems to be in real fashion these days

      I didn't think anybody actually hit on Russians, I thought they just met them online through a broker and married them.

      --
      God invented whiskey so the Irish would not rule the world.
    8. Re:stereotype day by Bearhouse · · Score: 1

      To expand on your post, lots of cheap under/unemployed people also make automated tools redundant or not required. Also makes countermeasures (necessarily automated) less efficient & effective. Don't bother trying to crack the latest Craigslist captcha, just get a load of poor (in both senses of the word) people to do it. It's a service that's even 'advertised'...

    9. Re:stereotype day by Anonymous Coward · · Score: 1, Funny

      As a Canadian I resent that. Americans are too fat and lazy to hit on.

    10. Re:stereotype day by Ma8thew · · Score: 1

      You could replace America in that sentence with everywhere else in the world. Not a troll, sadly entirely true.

    11. Re:stereotype day by jacquesm · · Score: 3, Insightful

      Been there, done that, and again, that's just another stereotype. Canadians do not routinely bash Americans more than the Americans probably deserve on account of abusing tariffs and nafta.

    12. Re:stereotype day by jacquesm · · Score: 1

      Thank you for improving my English, I'll never be as good as a native speaker though.

      Russian bashing was closer to what I had in mind.

    13. Re:stereotype day by Anonymous Coward · · Score: 0

      You forget the main reason the tools and the crime exists in Russia: - a weak, corrupt legal system.

      so it's similar to the US legal system?

    14. Re:stereotype day by Anonymous Coward · · Score: 0

      Russian bashing was closer to what I had in mind.

      Russian bashing?

      If Russians could use bash then they wouldn't need point and click cracking tools now would they? Apparently they even fail at being script kiddies. Perhaps we can refer to them as click kiddies?

    15. Re:stereotype day by Anonymous Coward · · Score: 0

      You could replace America in that sentence with everywhere else in the world. Not a troll, sadly entirely true.

      You could replace Canada in that sentence with everywhere else in the world. Not a troll, sadly entirely true.

      There, fixed that for ya.

    16. Re:stereotype day by Anonymous Coward · · Score: 0

      Good news for you then, since Russian president Poutine^WMedvedev just announced he is not afraid of a new cold war.

    17. Re:stereotype day by CyberPack · · Score: 1

      I would have no trouble hitting on an American, provided she was attractive and available :).

  8. This shouldn't be terribly surprising by Enlarged+to+Show+Tex · · Score: 4, Interesting

    All this really means is that script kiddies can now do identity theft as easily as they can perform DDoS attacks...

  9. Made in USA versions sold by Google by Animats · · Score: 4, Interesting

    If you want made-in-USA tools for this, try searching Google for "craigslist auto posting tool". Google offers seven paid ads for spamming tools and crackers. ("The worlds Best Selling Craigslist software. Works with new CAPTCHA!") Three of them (including one that advertises "Only Automated Solution for the new captcha. Nobody else is automated.") are available through Google Checkout.

    This has been going on for months, despite press coverage. I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

    1. Re:Made in USA versions sold by Google by garcia · · Score: 2, Interesting

      I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

      They're deliberately promoting advertisements that make them money. If you notice, if you search for something like AdSense you'll find links to such treasures as Google Massacre. Whatever pays the bills I guess.

    2. Re:Made in USA versions sold by Google by Jherek+Carnelian · · Score: 3, Interesting

      This has been going on for months, despite press coverage. I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

      If I were Craigslist, I would rather see those tools easily available instead of pushed underground. Because it makes it easier to identify them and thus to create countermeasures.

      For example, instead of just shutting down the exploits and their distribution, I would study the tools and see if they have a recognizable 'fingerprint' when used. Then I would make the craigslist software look for such 'fingerprints' and treat the postings differently - for example instead of just blocking the post, I would set the threshold for other users' tagging it as spam to be very low, or even set a timer to delete the post after an hour or two.

      The end result being that the most common and easily available tools would be compromised in non-obvious ways, reducing the rate of escalation in the "arms race" of cracker/anti-cracker tools and simultaneously making abuse less effective for most (ab)users.

    3. Re:Made in USA versions sold by Google by smooth+wombat · · Score: 2, Interesting

      I would study the tools and see if they have a recognizable 'fingerprint' when used.

      Forget the tools, it's much easier to identify the fake ads because they use the same phrases over and over. To wit:

      • a body that will make you melt
      • I haven't had much luck on Craigslist

      to name just two I can remember. All CL has to do is to scan their postings every hour, identify ads which use these phrases and delete them. Sure, the postings still get put up but they get taken down just as easily.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
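
Added example, not part of any comment in this thread: the soft-handling idea from the two comments above written out in Python, where a post that matches a tool fingerprint or a known phrase is still accepted but gets a lower flag threshold and a deletion timer. The two phrases are the ones quoted above; the thresholds, the `fill_seconds` field and the fast-fill detector are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Phrases quoted in the thread as recurring in fake ads.
KNOWN_PHRASES = (
    "a body that will make you melt",
    "i haven't had much luck on craigslist",
)

NORMAL_FLAGS = 5        # assumed: user flags needed to pull an ordinary post
SUSPECT_FLAGS = 1       # lowered threshold for fingerprinted posts
SUSPECT_TTL = 2 * 3600  # "an hour or two", in seconds


def normalize(text):
    """Lowercase, unify apostrophes and collapse whitespace before matching."""
    text = text.lower().replace("\u2019", "'")
    return re.sub(r"\s+", " ", text).strip()


def phrase_detector(post):
    """True if the body contains one of the known fake-ad phrases."""
    body = normalize(post["body"])
    return any(phrase in body for phrase in KNOWN_PHRASES)


def fast_fill_detector(post, min_seconds=3.0):
    """Hypothetical tool fingerprint: form submitted faster than a person types."""
    return post.get("fill_seconds", float("inf")) < min_seconds


DETECTORS = (phrase_detector, fast_fill_detector)


@dataclass
class Listing:
    post: dict
    flag_threshold: int
    expires: Optional[float]  # None means no deletion timer
    flags: int = 0
    live: bool = True


class Board:
    def __init__(self, detectors=DETECTORS):
        self.detectors = detectors
        self.listings = {}
        self._next_id = 1

    def submit(self, post, now):
        """Always accept the post; suspicious ones only get stricter handling,
        so the sender sees no difference at posting time."""
        suspect = any(detect(post) for detect in self.detectors)
        post_id = self._next_id
        self._next_id += 1
        self.listings[post_id] = Listing(
            post=post,
            flag_threshold=SUSPECT_FLAGS if suspect else NORMAL_FLAGS,
            expires=now + SUSPECT_TTL if suspect else None,
        )
        return post_id

    def flag(self, post_id):
        """Record one user flag and hide the post once its threshold is met."""
        listing = self.listings[post_id]
        listing.flags += 1
        if listing.flags >= listing.flag_threshold:
            listing.live = False

    def sweep(self, now):
        """Periodic job: hide posts whose deletion timer has run out."""
        for listing in self.listings.values():
            if listing.expires is not None and now >= listing.expires:
                listing.live = False

    def visible(self):
        return sorted(i for i, l in self.listings.items() if l.live)


def demo():
    """Constructed sample posts: one ordinary, one phrase match, one fast fill."""
    board = Board()
    a = board.submit({"body": "Selling a used bike, good condition.",
                      "fill_seconds": 95}, now=0.0)
    b = board.submit({"body": "I haven't  had much luck on Craigslist, but...",
                      "fill_seconds": 40}, now=0.0)
    board.submit({"body": "Great apartment, call now",
                  "fill_seconds": 0.4}, now=0.0)
    after_submit = board.visible()   # all three are accepted
    board.flag(a)                    # one flag does not remove an ordinary post
    board.flag(b)                    # one flag removes the phrase-matched post
    after_flags = board.visible()
    board.sweep(now=SUSPECT_TTL)     # the timer removes the fast-fill post
    after_sweep = board.visible()
    return after_submit, after_flags, after_sweep


if __name__ == "__main__":
    print(demo())
```
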
    4. Re:Made in USA versions sold by Google by Anonymous Coward · · Score: 0

      And so what are you going to do once the craigslist spam tools take a cue from email spam tools which use hundreds of different phrasings?

    5. Re:Made in USA versions sold by Google by Anonymous Coward · · Score: 0

      Yeah, that would work *right now* ... then you're trapped in the same old spam arms race. If they can get past the posting defences, which currently they can, you're basically screwed.

  10. erm. by Anonymous Coward · · Score: 0

    Wouldn't surprise me to learn that Chinese-language tools exist too.

    Uh, not such a fan of Chinese people, I take it?

    1. Re:erm. by palegray.net · · Score: 1

      I interpret it to mean the poster isn't a fan of the multitude of Chinese nationals who use cracking tools to compromise machines operating in other geographic regions, with the express purpose of using them to send SPAM while getting around GeoIP restrictions.

      I take it you haven't administered a network of any reasonable size recently, at least not one which hosts mail servers...

  11. cyber crooks validating stolen credit cards .. by rs232 · · Score: 1

    What method do the 'cyber crooks' utilize in gathering the stolen credit cards in the first place ?

    "I managed to acquire an account on this exclusive service, and found some 78,628 individual MasterCard and Visa credit and debit accounts for sale at various prices there"

    --
    davecb5620@gmail.com
    1. Re:cyber crooks validating stolen credit cards .. by ShaunC · · Score: 2, Funny

      What method do the 'cyber crooks' utilize in gathering the stolen credit cards in the first place ?

      Best Western.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:cyber crooks validating stolen credit cards .. by T3Tech · · Score: 1

      Or Now on Ebay!

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
  12. SANTA by commodoresloat · · Score: 1

    English pointy clicky tools like this certainly do exist and certainly pre-date any Russian or Chinese tools; when was SATAN first developed? Remember SATAN? Security Analysis Tool for Analyzing Networks was I think the name.... I don't remember the year but it was long before the current wave of Russian script kiddie gangsters....

    1. Re:SANTA by Anonymous Coward · · Score: 2, Funny

      Offtopic, but I'm glad to learn that there's at least one other person out there who shares my view that santa == satan.

    2. Re:SANTA by T3Tech · · Score: 1

      I recall seeing it in the mid 90's... ah, according to wikipedia it was released in 95, and on freshmeat it showed up in 2000, last update being in 2006. I also remember SAINT, which came out in 98, but I'm more familiar with Nessus which also first came out in 98.

      --
      Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
    3. Re:SANTA by julesh · · Score: 1

      English pointy clicky tools like this certainly do exist and certainly pre-date any Russian or Chinese tools; when was SATAN first developed?

      Except, well, no.

      The two aren't really comparable. SATAN is a tool designed to fulfil a perfectly legitimate purpose, which happens to also be able to do some things that aren't exactly legal.

      These tools are (mostly, at least) things that have no legitimate purpose. What's the legitimate purpose behind a service to provide forged ID? A marketplace for stolen credit card data? Running authorization requests to find the likely amount of cash you can get away with taking from one of those cards via hijacked merchant accounts? Producing custom botnets on-demand using pre-compromised end-user PCs?

      The point is that in Russia and some other Eastern European countries (many of which have populations that speak Russian due to Soviet occupation), and probably also China, you can get away with providing this kind of service, because the local police in these countries don't generally cooperate with international investigations, so as long as the people being ripped off are in another country, they won't bother you.

      In most English-speaking countries, you can't get away with doing this kind of thing because the local police will proactively investigate this kind of activity regardless of who the victim is likely to be, and will definitely cooperate with international requests for assistance with this kind of criminal activity.

      Which is why these tools are predominantly Russian-language. I'm not so sure about Chinese, but I'd certainly not be surprised to find Chinese tools in this field significantly outnumbering native-English ones (i.e., not counting those that are produced in English to attract an international market but are clearly run from countries such as those I mention above).

  13. You need to look for Klingon tools by wiredog · · Score: 2, Informative
  14. Fighting spam with spam. by Yuan-Lung · · Score: 1

    We could sign up for the anti-captcha.com service, and constantly send them faked CAPTCHA that are impossible to solve. (make maybe 100 of them and rotate) Thus waste their resources without getting charged for it. According to their feature page, they can only take on 1,000,000 CAPTCHA a day. I am sure the order can easily be filled.

  15. Scamming Klingons is too dangerous by phorm · · Score: 3, Funny

    I'd imagine that Klingons would dish out some pretty massive punishment when scammers get caught, so you're unlikely to see many Klingons using these tools.

    Perhaps you'd be better to search in Ferenghi?

    1. Re:Scamming Klingons is too dangerous by julesh · · Score: 1

      I'd imagine that Klingons would dish out some pretty massive punishment when scammers get caught, so you're unlikely to see many Klingons using these tools.

      I don't know which would be worse... scamming, or being so weak as to require a _tool_ to help you do it.

  16. Typical Slashdotzz comment! by BoredSillyNZ · · Score: 0, Flamebait

    I don't understand how slashdot can constantly get away with these types of racist quips about the Chinese. Why do you as Americans feel so threatened by them? Why do slashdot staff let through these constant stories that are designed to do nothing more than instill distrust and hatred for the Chinese? Clearly that last comment was put in place simply to taint the Chinese with the same brush, it serves no other purpose. It's time you people realised you're being manipulated.

    1. Re:Typical Slashdotzz comment! by gujo-odori · · Score: 4, Interesting

      Your comment just proves how clueless you are about the spam situation in China.

      China is, and has been for several years, a bastion of "bulletproof" hosting. Since you're so clueless about spam, I probably have to explain bulletproof hosting. Bulletproof hosting is a contract with a hosting provider and/or ISP with IP space to burn that doesn't care what you do with that hosting/IP space so long as you pay your bills.

      China is also a haven of phishing sites, largely for the same reason and courtesy of a few rogue registrars operating in China.

      There's nothing racist about criticizing China for its conduct. What next? You'll be telling us it's racist to criticize Nigeria for being the source of most of the world's 419 spam?

      Silly me. I hadn't heard that scammers, spammers, and those who give them shelter constituted a race.

    2. Re:Typical Slashdotzz comment! by BoredSillyNZ · · Score: 0, Troll

      Your comment just proves how clueless you are about the spam situation in China.

      China is, and has been for several years, a bastion of "bulletproof" hosting. Since you're so clueless about spam, I probably have to explain bulletproof hosting. Bulletproof hosting is a contract with a hosting provider and/or ISP with IP space to burn that doesn't care what you do with that hosting/IP space so long as you pay your bills.

      China is also a haven of phishing sites, largely for the same reason and courtesy of a few rogue registrars operating in China.

      There's nothing racist about criticizing China for its conduct. What next? You'll be telling us it's racist to criticize Nigeria for being the source of most of the world's 419 spam?

      Silly me. I hadn't heard that scammers, spammers, and those who give them shelter constituted a race.

      "Chinese language tools" implies they are Chinese who use it (i.e. the Chinese RACE), what part of that can't you understand as being racist? It's already been shown earlier that the top spammers aren't from China so why the quip about the Chinese language tools? Yes you are silly and dare I use your own words "clueless" if you try to justify that blatantly racist statement.

    3. Re:Typical Slashdotzz comment! by gujo-odori · · Score: 1

      Actually, Chinese is one of the leading languages for spam. They've got quite a homegrown spam industry there. I work for one of the leading anti-spam vendors, and the Chinese spam problem is so large that we opened a local office in China to deal with it. The big three languages for spam are English, Spanish, and Chinese. I suppose you're now going to suggest it's racist for saying Spanish is a big spamming language too?

    4. Re:Typical Slashdotzz comment! by fscking_coward_2001 · · Score: 1

      "Chinese Race"? I know there are many, many Chinese people but I don't believe that alone qualifies them as a "race" or are you also thinking there's a "European" race too? Perhaps you really meant "blatantly ignorant statement" or "fear-mongering statement"?

    5. Re:Typical Slashdotzz comment! by gujo-odori · · Score: 1

      I'll further back this up with a number: 95% of the spam received in China is in Chinese. Still doubt that spamming tools might be available in Chinese?

    6. Re:Typical Slashdotzz comment! by pipingguy · · Score: 1

      I hadn't heard that scammers, spammers, and those who give them shelter constituted a race.

      If they are a race, is it then OK to wipe this "race" out?

    7. Re:Typical Slashdotzz comment! by Anonymous Coward · · Score: 0

      There is no racism here. I would say 98% of the attacks on my SSH come from China. The 2% of others have included a box in the US that was compromised (by Chinese), and other Eastern Bloc countries.

      These attacks happen every day of every week of every month.

  17. Re:SANTA -- not really offtopic :) by commodoresloat · · Score: 3, Informative

    heheh... I don't recall the backstory behind this, but SATAN actually distributed for a while with a utility called "SANTA" that would change the name of the tool (and all references in the docs and so forth) from "Security Analysis Tool for Analyzing Networks" to something like "Security Analysis Network Tool for Administration" in order to get rid of the potentially disturbing acronym.

  18. Wages... by Anonymous Coward · · Score: 0

    Some numbers:

    $1 for 1000 CAPTCHAs = $0.001/CAPTCHA

    Assuming the people running this scam keep 50% of the profits (they probably keep more) that means $0.0005/CAPTCHA for their lackeys.

    If you managed 5 seconds to solve each CAPTCHA (they say in the article they are usually returned in a minimum of 20 seconds), and they were always streaming to you:

    (3600/5) * $0.0005 = $0.36 / hour

    Average wages in the poorest parts of China: $0.41/hour.

    This might be an attractive alternative, but the profit margin (for an essentially illegal operation) would need to be decidedly low to attract people from any other jobs even in the poorest areas. Consider also that the sorts of areas that have workers who will work for food (tm) are the sorts of places that *DON'T* have internet access at all.

    If only there was a way to make CAPTCHAs take a minimum amount of time to solve, like say 10 seconds... This system would be beat.

    1. Re:Wages... by julesh · · Score: 1

      This might be an attractive alternative, but the profit margin (for an essentially illegal operation) would need to be decidedly low to attract people from any other jobs even in the poorest areas.

      Why would you say the operation is illegal? What (Russian/Chinese) laws are being broken?

  19. dual uses by NynexNinja · · Score: 1

    Just like hammers can be used for doing construction projects or they can be used to bash people's heads in, the same can be said with these controversial tools.

    As long as packets can traverse from one point to another, it will be impossible to prevent automation tools from being used to automate various interfaces to access public online systems. If web sites think they can get rid of people by putting various challenges in their way, i.e. captcha, they are wrong. Given enough resources, people will get around this.

    Not everyone is a terrorist or criminal gang, some people are just trying to access systems that otherwise would be impossible to accomplish by hand. I've been writing and using automation tools for dozens of applications for decades now, so I always think it's funny when some online site tries to prevent me from accessing their network -- they will 100% of the time be on the losing end of this battle.

    Sites like Craigslist (especially), MySpace, Facebook, GMail that go to great lengths to hire large groups of staff who sit there and write software tools that prevent people from using their site, all they do at the end of the day is push people away who are legitimately trying to use their site, and eventually they lose market share because people will find something less cumbersome to use. One of Backpage.com, Kijiji.com and other sites' selling points is that they don't have 100 different filters in place to prevent you from posting your ad.

    It's a real waste of time when you have to use a site like craigslist and spend your whole day trying to post 10 ads and only one of them shows up on the site -- for 20 minutes until it gets auto-flagged off their anti-spam aka "anti-use" tools...

    It's kind of pathetic really -- the majority of the work that Craig Newmark has done over the last five years has been to prevent people from using his site... I've seen large groups of people who used to post ads regularly promoting their business on that site who have been driven away because the ads just don't stay up anymore because of Craig's overuse of anti-use tools.

  20. Mm,Russians are bad, m'kay by Anonymous Coward · · Score: 0

    Mm, Chinese are bad, m'kay

  21. Money by Nonillion · · Score: 1

    Get rid of the "monetary" system. As long as we have money people will always conjure up creative ways to steal it. Our global society needs to move forward to the "star trek" world where money doesn't exist. I know, I'm asking for the impossible.

    --
    "I bow to no man" - Riddick
    1. Re:Money by julesh · · Score: 1

      Get rid of the "monetary" system. As long as we have money people will always conjure up creative ways to steal it. Our global society needs to move forward to the "star trek" world where money doesn't exist. I know, I'm asking for the impossible.

      Not impossible. Just not likely to happen in the near future. I consider a moneyless society plausible in the future, if you have the following situation:

      * nearly-free energy (e.g. large-scale fusion reactors)
      * no shortage of resources for any substance that is important in people's lives (e.g., either we find ways to live without elements that are scarce, or we find ways of producing those elements via nuclear reactions from other more common elements)
      * highly automated manufacturing and agricultural industries (e.g. production of everything people need with very little human input)
      * no shortage of living space

      Once this situation is reached, you can basically have a useful, working civilization without money. Citizens would, under some circumstances, be required to work for the state, to perform the small amount of necessary work that cannot be automated.

      Money might still exist in such a civilization, but it would not be a basis around which virtually the entirety of one's life revolved. It would likely only be used for acquiring luxuries, such as artwork. A person could live perfectly adequately without any. In absence of a state-sponsored currency, it is plausible that a barter system of some kind might arise in its place.

  22. A much-needed product by Anonymous Coward · · Score: 0

    I've long wanted an easy-to-use penetration testing tool, something that allows you to scan for vulnerabilities in your network without having to fully understand all the ins and outs of everything that may be possible on your network. I'm talking about something more than, say, GRC.com's "Shields Up" - I want to check on WiFi weak spots, overlooked port forwarding mistakes, unpatched Apache setups, misconfigured FTP or other services, no-password Samba shares, buffer overrun vulnerabilities, whatever.

    Right now I feel like I'm virtually stuck behind my NAT - I know I'm safe from pretty much everything (except stuff like browser vulnerabilities), but I'm limited to wired networking and no access from the outside world. I'd like to set up stuff like VNC tunneled via SSH, or WiFi for my wife's iPhone that bypasses the internal lan but gives outside access, but I know just enough about how these things work to worry about misconfiguring something and opening up my server to drive-by hackers...

    It doesn't have to be 100% perfect or comprehensive, just something that can scan for low-hanging fruit and do it easily, as close to pushbutton as possible. It could even be a service rather than an application - I'd pay a monthly fee for periodic checks.

  23. the next step, lolcat? by ya+really · · Score: 1

    Don't forget about lolcat support. Sure, script kiddies and others will be able to break the law, but what about our feline friends?
