Now Google's CAPTCHA Is Broken
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
I wonder if their cracks are Human Powered or Computer Powered. I'd imagine it's cheaper to pay someone in China, India, etc to do these things.
"To continue, guess which finger I'm holding up."
n/t
Why should they go to jail?
This time those evil Russian bastards..
That would be why.
I've got all the email addresses I want so lets just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.
Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.
An Eye for an Eye will make the whole world blind - Gandhi
Tis clearly a civil issue.
... you've got to admit that it's one hell of an achievement.
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".
If you want news from today, you have to come back tomorrow.
1. Make the proof for P=NP the new CAPTCHA
2. Wait for crackers to solve it.
3. Profit!!
The grass is always greener on the other side of the light cone.
ewwwww.
I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!
This guy's the limit!
same answer as to "Why aren't the various bittorrent client authors in jail?"
Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.
Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where it's probably time to start blocking GMail addresses too.
Want to see a GMail scammer in action right now? Read this.
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
Score one more for the subtitle on the original CAPTCHA paper: "How Lazy Cryptographers do AI"...
Test your net with Netalyzr
Some sites, including one or two Google services, are now requiring verification through text message. Seems like a pretty good solution to me. And as long as you can still buy prepaid SIMs with cash, it shouldn't be a problem for people concerned with anonymity.
Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.
Yeah, jail all those muck-runners! (what is a 'muck'?)
This guy's the limit!
Is Fire Hot? Yes or No
Is Paris Hilton Hot? Yes or No
Are you male or female? Male or Female
Are you gay or a lesbian or Bi? Gay or Lesbian or Bi
That's it. Now you would have to seed it with about a billion logical chains like that but it could work.
"including 'pick the cat' style CAPTCHA."
This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Maybe instead of CAPTCHAs sites should start using those math problems from DARPA's really hard math problems since these people seem to be so good at solving complex computational problems.
They probably should be, honestly. However, why not be thankful that the opposition is being open about their abilities to crack security? Obviously, a CAPTCHA system isn't going to work for the future; we should be developing a new methodology for verification.
Because they are circumventing a computer security measure. That is a felony in the U.S.
OK can someone please hire these guys to work on handwriting recognition software? If they can read these bizarrely twisted captchas why can't Palm read my name?
501 Not Implemented
No, they write image recognition software. The people who use their programs defraud Google.
TFA links to the website (botmaster.net...you probably don't want to go there) that sells XRumer. And what do I see for contact information? botmaster.net@gmail.com.
Sure hope they don't get spammed. Whatever you do, don't publish that email address! botmaster.net@gmail.com -- don't do it!
Carousel is a lie!
aren't these guys in jail?
I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
The truth of the matter is that there is almost nothing you can do to stop a spammer if they want into your system bad enough. A captcha merely means that they might have to take some time to tweak their image rec. software, or hit your site enough to generate all the possible captchas. The only possible way that I could see companies like google keeping spammers out, would be to require a valid credit card, that matches the user's name and then have them verify their account by entering the small deposit amount that google makes. This obviously has problems, like paranoid customers (such as myself) not wanting to give over financial information for just an email account.
If there are people who could write such sophisticated image processing software, and it pays them better to be bot runners bot enablers, the pay must be good on the dark side of the force.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.
I prefer MUDs too, but I think you're being a bit harsh.
Seriously, I believe you meant "running amok". The reason that these spammers aren't in jail is because they live in another country. Even if what they're doing is illegal there, the people that matter probably don't care.
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
How about a death penalty for anyone that buys anything from spam?
It seems to me that "Pick the cat" captchas are fairly vulnerable. If you put 4 pictures up, there's an automatic 25% chance of breaking the captcha without any intelligence at all. Even with 10 pictures, a total idiot has a 10% chance of dodging.
A 100 picture captcha would still leak 1%. That makes a brute force attack fairly effective. My tiny slashbotnet, submitting 1 post a minute from each of its 100 zombies could land one every minute. For the average blogger, cleaning up 1500 spam posts a day makes their little kitty captcha seem pretty ineffective.
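The arithmetic in the comment above, generalised as an added example (not part of the original thread): the blind-guess pass rate for a pick-k-of-n image challenge, the daily volume that gets through for a given botnet, and how many independent rounds a site would need to push that volume under a target. The function names and the uniform-guessing model are assumptions of this example.

```python
from fractions import Fraction
from math import comb

MINUTES_PER_DAY = 24 * 60


def guess_rate(n_images, n_targets=1, rounds=1):
    """Probability that uniform random guessing passes the challenge.

    Model (an assumption of this example): each round shows n_images, exactly
    n_targets of them are correct, and the client must select exactly that
    subset. Rounds are independent, so the per-round rates multiply.
    """
    if not 0 < n_targets < n_images:
        raise ValueError("need 0 < n_targets < n_images")
    if rounds < 1:
        raise ValueError("need at least one round")
    return Fraction(1, comb(n_images, n_targets)) ** rounds


def blind_passes_per_day(bots, attempts_per_bot_per_min, rate):
    """Expected number of submissions per day that pass by luck alone."""
    return bots * attempts_per_bot_per_min * MINUTES_PER_DAY * rate


def rounds_needed(n_images, bots, attempts_per_bot_per_min,
                  max_passes_per_day, n_targets=1):
    """Smallest number of independent rounds that keeps lucky passes at or
    below max_passes_per_day for the given attempt volume."""
    rounds = 1
    while blind_passes_per_day(
        bots, attempts_per_bot_per_min,
        guess_rate(n_images, n_targets, rounds),
    ) > max_passes_per_day:
        rounds += 1
    return rounds


if __name__ == "__main__":
    # The comment's scenario: 100 zombies, one attempt per minute each.
    for n in (4, 10, 100):
        rate = guess_rate(n)
        per_day = blind_passes_per_day(100, 1, rate)
        print(f"pick 1 of {n:>3}: guess rate {float(rate):.2%}, "
              f"about {float(per_day):.0f} lucky passes/day")

    # Selecting a subset shrinks the rate much faster than adding images.
    rate = guess_rate(12, n_targets=6)
    print(f"pick 6 of 12: guess rate 1/{rate.denominator}, "
          f"about {float(blind_passes_per_day(100, 1, rate)):.0f} lucky passes/day")

    # Rounds of a 100-image pick-one challenge needed to hold the same
    # botnet to at most one lucky pass per day.
    print("rounds needed:", rounds_needed(100, 100, 1, 1))
```

The 100-image case works out to 1,440 lucky passes a day for that botnet, in line with the comment's rough figure; the model ignores rate limiting and any attempt smarter than a blind guess.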
Because they're only defeating a CAPTCHA. There's nothing to be said about abusing that. That is a different matter entirely.
That said, I'm glad. I really hope that something better comes along than some shit that I can almost never read and somehow I have to type it in. The worst is where there's a bunch of O's o's and 0's next to each other in some weird font that makes them look the same. Gimme a fucking break. Your site isn't that cool that I'm gonna sit there all day guessing some imaginary word with mixed capitalization and a zero.
Muck (verb) 14th century 2 a: to engage in aimless activity —usually used with about or around b: putter, tinker —usually used with about or around c: interfere, meddle —usually used with about or around
You (but mainly parent poster) might be interested to know that the word is actually "amok" which is defined as a "psychic disturbance characterized by depression followed by a manic urge to murder."
Indeed, this is what it means to "run amok." Also refer to the classic Looney Tunes clip, "Duck Amok."
hmmm... this is either Informative or Off-Topic. Guess I'll leave that to the moderators to decide.
sig has been sent away for a few small repairs...
As usual, our friends at DARPA are always one step ahead. Use these to replace the old CAPTCHAs.
1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.
2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.
3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...
Sorry, but the GP is wrong; it should be run amok. As in run around doing very crazy things like stabbing people
unless it's the ("wrong") VP candidate's private email ...
Not everyone likes to teach, grade papers, write research grants, go to meetings...
So let me get this straight. They write image (and logic) recognition software with the express written purpose of breaking captchas and then they are magically surprised when it is used to break captchas?
With that kind of reasoning I can write software to break in the DMV system for California and gain access to all kinds of information. Now I won't USE this software. Instead I'll sell it.
It's one thing if software is written for a purpose and it gets misused. It is another entirely if the software is developed to defraud people and organizations by breaking turing tests.
Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Because you are buying something: a subscription to the site for some nominal price. Something Awful Forums, MetaFilter, and Kuro5hin manage to keep spammers out by charging for write access in this way.
Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not).
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
Be fair, mosquitoes and their larva are very important food sources for other animals.
So grind up spammers and feed them to pigs! We need more bacon!
End of lesson. You may press the button.
How about the Death Penalty for anyone who suggests the Death Penalty for anything besides truly heinous crimes? Oh, no, I just ate my tail.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
What with all the effort these spammers have put into cracking what is essentially a Turing test; it's only a matter of time before these programs become self-aware.
Hopefully in the manner of all good science fiction these programs will immediately turn on their creators and attempt to annihilate them.
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Not when you consider how much professors make vs. how much spammers who can beat captchas can make. Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.
Incidentally, I was just reading Douglas Hofstadter's Metamagical Themas, where he goes in great depth talking about the difficulty of defining the letter "A", and how people are capable of recognizing A's in truly bizarre fonts. (And how it carries over to native readers of Chinese and defining Chinese characters.) He persuasively argues that ability to recognize any 'A', including all the bizarre fonts with 'A' is AI-complete (though of course he didn't use that term). So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.
Information theory is life. The rest is just the KL divergence.
Hire all of the Chinese people currently gold farming. Demand that people defeat them in a game of Go in order to register. Solves two problems at once.
Don't forget "Amok Time," a truly great episode of Star Trek (original Star Trek, the only real Star Trek).
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Why $pammer$ in$tead of $chool? I$ that really your que$tion? $omehow, I think you might have mi$$ed the mo$t obviou$ motivation.
HSJ$$*&#^!#+++ATH0
NO CARRIER
I probably did mean amok but a muck works too. It means to meddle or interfere when used as a verb.
Because they are defrauding .... US citizens and generally running a muck. That's what jails for for.
So this is Slashdot's wall-street bailout & politics discussion thread ...
They are being hosted in Texas... my home state. Now as to whether the operators are in state is another matter, but I will fire off a warning letter to the web host informing them that they could be potentially held liable for the criminal acts of this operation in the event charges are pressed.
I for one welcome our new CAPTCHA HaXoR, 'bot overlords.
That's it, I quit the internet!
I always have a hell of a job reading Google's CAPTCHAs; a tool to do it automatically would be very useful.
Why should we believe this any more than we believe a cream can add two inches to your penis?
Possible bad example. Shaving cream along with a razor actually can add visible inches to a man's penis by taking pubic hair out of the way.
Killing people is wrong. Comparing people to pests is something that the Nazis liked to do, with the same intention: to pave the way for killing people.
I hope these black hat methods of cracking fall into the mainstream. We can probably learn a lot in the ways of computer vision and AI from this arms race. Or maybe this isn't "state of the art" but the people who design captchas in the first place don't have good cross-fertilization with the AI crowd.
I love my Gmail account. I have never used my ISP email for anything. The day that people stop blocking Gmail accounts is the day that I cry... I did that once before when mailandnews.com stopped offering free email.
I really wish that Gmail had remained an invite only system. Obviously Captcha isn't stopping people from running bot networks. Can Gmail still remain an open system? I don't know. What about a reverification by everyone who owns a gmail address? Send out a blanket email with instructions for reverifying. Sure, there would be people who couldn't figure out how to get it done, but I'd bet it would eliminate millions of spammer addresses (though certainly not all). Once the verification is done, close it back up to invite only.
This post brought to you by your friendly neighborhood MBA.
And still we don't have a cure for cancer. If you took all the brain power devoted to breaking captchas, we could solve a TON of problems.
Methodology is the study of methods.
You want just plain 'method.'
Couldn't you do a captcha where the first presentation has no cats? The user has to hit the refresh once or twice before seeing a cat, and then pick it; if they pick any of the non-cats, you call them a 'bot...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
A 1% success rate is good enough to effectively "break" a captcha, but not good enough to really advance the state of machine vision by itself. In the end though, some good OCR work could come of these efforts, but not in comparison to the money and time everyone else loses from spam; We could have just funded the research. Sending spam, and unfortunately writing advanced spam tools, pays better than a university position.
This thread will likely contain a bunch of clever technical solutions to spam. Probably all of them flawed because if there was a good technical solution we would have found it by now.
We know who the spammers are: almost all spam involves some sort of financial transaction which we can track. The only thing that stops us from getting at them is that they are seldom in the jurisdiction where they committed their offence. This however, can be solved. We did it for war crimes and for child porn. The UN just needs to get its act together. Perhaps they can create something like an international criminal court for spam.
This sig is just as redundant as the rest of this posting
Why the heck don't the big companies use 3D captchas? Each letter could have a thickness and be rotated at a random angle.
Why OpalCalc is the best Windows calc
If Captcha technologies could be considered a security measure, which it most certainly is, a security measure designed to allow only human users access to services, then it could be a criminal matter in that it is a tool designed and used for the purpose of circumventing security measures. And if the argument that "they don't use it, they just created and sold it" were used, there's always the aiding and abetting parts of criminal law as well as the "beyond a reasonable doubt" that they had to test it during development.
so lets just consider the internet closed to new entrants.
Including children in your family who have just turned 13, 18, or whatever?
yOu bEtTeR, w3 aLs0 pWnEd sLaShDoT$ cApTc|-|4
The latest version of this program has hit a number of forums hard. In the last two days many vBulletin forum administrators have posted to complain and look for assistance--notice the sudden increase in activity on that thread as of the 11th post:
http://www.vbulletin.org/forum/showpost.php?p=1634634&postcount=11
In the last 15 minutes alone 3 spammers have attempted to register on a small forum that I help run, one that would only be of interest to a few hundred people. (We get a valid new user about once a week on average.) A simple tweak has kept them at bay for now, but I doubt it'll be effective for very long.
Of the latest batch of spammers, most of them have been using gmail.com email addresses. The last time we had a significant wave of forum spam, the spammers tended to use Yahoo for email (specifically username####@yahoo.com, where "username" matches the vBulletin username they are signing up with and #### is 4 random digits).
I wonder when they'll start using the same disposable email services that we use to avoid email spam. After all, it's much easier to get a temporary Mailinator email address (for example) than a Gmail address...
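The signup pattern described in the post above, turned into a registration screen as an added example (not part of the original post, and not vBulletin code): it flags the username####@yahoo.com shape, a disposable-mail domain, and bursts such as three signups in 15 minutes. The function names, thresholds and sample registrations are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Mailinator is the disposable service named in the post; a real deployment
# would maintain its own list (assumption of this example).
DISPOSABLE_DOMAINS = {"mailinator.com"}

# The post reports 3 attempts in 15 minutes against a baseline of roughly one
# valid signup per week, so 3 per 15 minutes is used as the burst threshold.
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3


def email_flags(username, email):
    """Flags derived from the address alone."""
    local, _, domain = email.lower().rpartition("@")
    flags = []
    # Earlier wave: local part is the forum username followed by 4 digits.
    pattern = re.escape(username.lower()) + r"\d{4}"
    if domain == "yahoo.com" and re.fullmatch(pattern, local):
        flags.append("username+4digits@yahoo")
    if domain in DISPOSABLE_DOMAINS:
        flags.append("disposable-domain")
    return flags


def screen(registrations):
    """Screen (timestamp, username, email) tuples given in time order.

    Returns a list of (username, flags). A registration gets "signup-burst"
    when it is at least the BURST_THRESHOLD-th signup inside BURST_WINDOW.
    """
    recent = deque()
    results = []
    for ts, username, email in registrations:
        # Drop signups that have aged out of the sliding window.
        while recent and ts - recent[0] > BURST_WINDOW:
            recent.popleft()
        recent.append(ts)
        flags = email_flags(username, email)
        if len(recent) >= BURST_THRESHOLD:
            flags.append("signup-burst")
        results.append((username, flags))
    return results


# Constructed sample registrations (not taken from any real forum).
SAMPLE = [
    (datetime(2008, 10, 1, 9, 0), "alice", "alice@example.org"),
    (datetime(2008, 10, 8, 14, 0), "jdoe", "jdoe4821@yahoo.com"),
    (datetime(2008, 10, 8, 14, 5), "bob77", "bob77@gmail.com"),
    (datetime(2008, 10, 8, 14, 9), "temp1", "temp1@mailinator.com"),
]

if __name__ == "__main__":
    for username, flags in screen(SAMPLE):
        print(f"{username:<6} {', '.join(flags) if flags else 'ok'}")
```

A gmail.com address on its own is deliberately not a flag here, since the post notes it is also what ordinary users sign up with; flagged signups are better routed to manual approval than rejected outright.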
Don't they allow sixth graders to use computers at grade school anymore?
How about a death penalty for anyone that buys anything from spam?
We'll file that one behind the death penalty for anyone who has ever used Microsoft Windows or anything besides Gentoo or Slackware.
Besides that, anyone know how they can bypass the "Pick the cutest cat?" type of captcha?
Is it just brute forcing? Paying 3rd world country people 10 cents per 100 captcha broken? I would imagine that it's much more sophisticated than that, but I dunno.
..........FULL STOP.
Will be Apple's!
How can it be circumventing a security measure when the answer is displayed with the question?
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
(what is a 'muck'?)
Among other things, muck is horse manure. To muck a stall is to remove all the droppings and change the bedding.
Another benefit is that the drug tests aren't "Have you?" they are "How much do you want?"
Don't you mean passing turing tests?
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
You use it in the sense of "I was mucking around" - you can't "run a muck" - it would have to be a noun there.
The point of these Turing tests is to determine the difference between a man and a machine. Apparently Google and Microsoft can't do this. It's not the public's fault there are advanced in technology, if anyone Google and Microsoft should understand this.
Great, now what's a "for for"?
It's also a variant of MUD, a la TinyMUCK.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
There are people who write vulnerability scanners, attack toolkits and code breaker software. There are people who write encryption software which allows terrorists and criminals to plan with impunity. There are people who make guns which are hard to detect by airport security. There are people who pick locks for a pastime. There are people who sell lock picking tools.
I probably did mean amok but a muck works too. It means to meddle or interfere when used as a verb.
Except that you used it as a noun.
Unless, you know, they aren't from the US where such silly things as "circumventing security measures" are considered illegal.
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Your problem is you're applying logic to a legal issue..
If not in a completely automated way as in OCRing and stuff then by either
a) masses of cheap labor monkeys getting some pennies for every hundreds of solved captchas. And no, that won't change until those monkeys are cheaper than the profit made of spamming, selling valid gmail accounts or whatever the captcha is for. There is even an open market for those captcha solving providers.
b) Tricking joe sixpack into solving this "puzzle" in order to see more of them naked milfs. This will last as long as enough stupid people want to see some porn on the tubes (forever).
Both these methods rely on human interaction (hence the quotation marks around "broken" in the caption), so they can, by definition, break every captcha, which is supposed to "...Tell Computers and Humans Apart", d'oh!
From TFA:
This time those evil Russian bastards..
That would be why.
What does being born out of wedlock have to do with it?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Great. Let's forbid Nmap. Forget that it's a very useful network administration tool. Hackers use it a lot.
Let's forbid cars. Bank robbers use them to escape.
If these people would put their time into doing good, they could probably do some real good in the form of character recognition for scanners and hand held input writing recognition. Think of taking this and using it to understand what someone has written in their pda and converting it to text without someone having to learn a new writing language. Or scanning written letters and other writings and converting them to normal print.
Only 'flamers' flame!
Does slashdot hate my posts?
*advances
Do you have the option of "kitten" or "cougar"?
Why, without your clothes, you're naked, Miss Dudley!
That would be a typo. I think way faster than I can reliably type.
Despite a couple of high-profile CAPTCHAs being cracked, the fundamental principle behind them is still fairly sound. It's at least an order of magnitude easier for a programmer to develop a reasonably difficult CAPTCHA than it is for an attacker to develop the crack for it. Image/character recognition is extremely difficult. Ask anyone who's done any work on OCR or something similar. Even in what would be considered a fairly homogeneous environment, character recognition is still a huge pain in the ass.
Just like with any security measure, a few of the inferior implementations will have to be broken to prove which ones are actually superior.
I pick locks. But picking locks has a legitimate use. What these guys are doing is the same as if a lock-picking company advertised something like the following:
Need to break into more Houses so you can steal more stuff in less time? Want an easier way? Use our new automatic picking gun!
Killing people is wrong. Comparing people to pests is something that the Nazis liked to do, with the same intention: to pave the way for killing people.
What if Godwin's Law carried the Death Penalty?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
How about a death penalty for anyone that buys anything from spam?
That wouldn't do anything. By the time a SPAM message has reached your inbox, even before you've decided to filter it or read it and say 'no', the spammer has already been paid. The money comes from advertisers, not customers.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.
Why not do both?
Indeed you can. Running a muck is being the person in charge of an organized mucking around.
The money's better, I imagine...
I think there is a world market for maybe five personal web logs.
The purpose and intent of Capcha (GOD I hate that term's name!) is to allow only human users to access the services provided and to disallow automated users. This measure is being circumvented by software cracking tools enabling a service to be exploited by non-human means. By breaking the means of blockage and accessing the services in a way which is not permitted by ordinary conventional measures, they are in fact circumventing a security measure.
One cannot argue "fair use" arguments in a case like this because this falls neatly within computer intrusion laws. A computer system available to the public is allowed to restrict access by any means they see fit and appropriate. Circumventing those means would be considered a breach of security. In this case, the intent and purpose is to block automated processes from accessing their services. It is being attacked and breached and should be criminally actionable.
Let's also not forget the beautiful rivers of muck on Ferenginar, the homeworld of the Ferengi Alliance
God, so stupid, why are researchers wasting so much time trying to make things so much harder? The solution is so insanely obvious it's painful.
Just ask "Are you a robot?"
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Make 'em work for it!
That depends on what your definition of "is" is.
"But this one goes to 11!"
This is pretty awesome. Maybe academia should just attach all sorts of computer science problems (that humans are good at and computers are not) to these human-verification systems for large corporations. Soon, we'll have lots of academic papers coming from the spammer community!
Don't you mean passing turing tests?
In this context, "breaking" and "passing" are synonymous. Just like farting.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
nmap was not built for hacking. It's useful for all kind of stuff.
Cars are not built for robbing banks. They are useful for all kind of stuff.
Xrumer was built for cracking CAPTCHAs and posting spam to forums, blogs and other websites. There is no other use case for it.
See a pattern?
Yes, I want an easier way! Where can I buy one of these automatic picking guns??
"But this one goes to 11!"
If we grind up spammers and sell them, will Hormel sue us for selling a processed meat product called "Spammer"?
well, problem is that they are not American citizens, located not in USA and are not spamming their own citizens ... so yea, why should they go to jail?
How about wiggling letters & numbers? Don't go overboard where humans can't read it, but something you can't hotlink from another site(duh). Or have it play a little game that can't have an automated player figure it out?
Respect is. Until we have that, we're not going anywhere.
The problem is, no matter what one country does, it is too easy to circumvent by going international. And no, no country is going to attempt to extradite a spammer or fraudster for ripping people off on the Internet.
Secondly, how exactly do you prosecute someone when everyone, top to bottom, wants to shield people from prosecution? If you have an IP address, a timestamp and a breaking on a server good luck getting anywhere. You will find that without at least $25,000 in damages nobody is going to pay attention. So you lost money? Too bad. Should have been smarter. Your server needed to be rebuilt? Too bad, should have been smarter. Hire a hacker and maybe he will protect you.
The problem is that property rights are meaningless right now. Your email account is my trash basket and anything I can stuff in there is my right to do so. Your server is on the Internet, so therefore it is fair game. Your creative work can make me money, so I will steal it and you can't stop me. Ha ha ha.
Respect. It is the answer to just about everything today from spamming to child porn.
You're right. However, you can "run amuck"
http://dictionary.reference.com/browse/amuck
Spelling and Grammar errors have been added to this post for your enjoyment
So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.
I'm pretty sure I wouldn't be able to recognize the letter "A" in Wingdings...
The enemies of Democracy are
That's like saying "we shouldn't have laws for murder, because by the time it's been committed, the victim is already dead".
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
http://www.southord.com/catalog.asp?cat=electric
Wait... what are you going to use this for?
"I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position."
So, I have a Ph.D. and know how to write this kind of software (well, I know how to go about writing this kind of software and have done it for other domains). Here's why I'm not working at a research institute or pursuing a tenured university position:
First off, research institutes don't really exist anymore. There are a few corporate labs left, but they all focus on medium term product development (5 years out). The national labs still exist, but they're managed like businesses now and it's more difficult to do pure research at them. University "institutes" are just glorified research labs. If you're not the PI, you're either a post-doc, grad student, or tech, none of which is a viable long-term career option.
To get tenure, you have to spend 4-8 years working non-stop writing grants to fund students to do research so you can build up a publication record that impresses the tenure committee. Note that grants and pubs are both necessary: grants show you can bring money into the university, publications get the approval of the committee members outside your domain who only know how to assess research abilities by impact factors.
During this time, all your research is done by graduate students, who are often at the beginning of their careers and have limited technical abilities. They may be brilliant, but they are not the most efficient workers. So, not only do you have to publish, but your labor pool consists of people with 1-3 years experience.
Before tenure, you'll also only pull in about $60-90k/yr (and I know two very smart people who worked for free their first year as "visiting professors" just to get their foot in the door). At the end of this, if you don't get tenure, you're unemployable until you build up some marketable skills.
Contrast this with industry positions. While you don't get to work on whatever you want, there are some very interesting problems out there if you take your time to find a good position. At work, you're hired to do a job, not chase down funding, so you can spend more time working on the fun stuff. The hours are reasonable, so you have time in the evenings for other projects/hobbies (you don't have free time in academia). If you're selective in your employer, you'll also work with people with a broad range of experience and skills. You'll also make more money. And, if you're good and publish from time to time, you can get a tenured position later in life without having to go through the tenure process.
Of course, if you're evil, you can also find work breaking CAPTCHAs and building bot nets.
Note that though this sounds bitter, I'm not... I had a blast going back to school and highly recommend it to people mid-career (hint: go to the mid-west where it's cheap to live and your quality-of-life will remain about the same). But, modern academic environments just don't present an enticing career path.
-Chris
Who cares, I currently pay 10.00 for 100 social networking accounts from a data entry center in India. Their normal business is to create captchas; they have a program that pops up the picture, they enter what they think they see, and when the picture gets a certain percentage of the same entries by multiple agents it completes it. Even better, there is another program they use: if they need 1000 gmail accounts, it creates complete profiles on facebook, gmail, myspace, youtube, with pictures, and it just pops up the captcha. That's all they have to type and the account is created. Their data entry captcha people work 6 hours a day, 6 days a week, and get between 75 and 100.00 US
Is something like reCAPTCHA as vulnerable? It would seem like with a virtually limitless supply of texts to be digitized, you could minimize the effect of image solvers. Wouldn't there be enough variations of phrases to not make it worth it to document every possibility? And if you've got OCR software good enough to solve scanned texts reliably, that's a win for everyone, right?
Maybe he meant the alternate spelling "amuck" (citation) and misspelled that. You know, the way "a lot" somehow becomes "alot" here on teh intarwebz.
Or maybe he's just confused. Perhaps this is a new eggcorn?
So you can laugh all you want to...
Damn. That looks awfully lot like the test you had to pass to play Larry.
Man, that was one great game. No wonder its creators were ahead of times in other aspects as well
I understand that those Russians have no morals and all but you would think someone would be able to pressure them just a little. Maybe a nice embargo against them? Nah, that won't work. They hold too much shit over Europe's head. Nukes, Oil, and anything else they can think of. Those slimy bastards.
sorry but the GP is wrong it should be rum amok.
Glad to see that someone on Slashdot sees the negative and chaotic consequences of alcohol consumption!
I thought it was, "can you roll a tight one?"
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Don't you mean passing turing tests?
No, no, no! The software breaks them. You know, by pulling out all the cables and tossing the terminal at the person asking the questions.
That's some software!
A guy that can write AI to crack captchas, clearly can be used to write spam filters instead.
Except that you used it as a noun.
The New Hacker's Dictionary (aka The Jargon File): Chapter 4. Jargon Construction: Overgeneralization
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
The purpose and intent of Capcha (GOD I hate that term's name!)
Maybe you would like it more if you spelled it right.
This software could be very useful for legitimate users too. I look forward to the day when it's integrated into browsers and I don't have to jump through these stupid hoops any more.
I am trolling
Then the world would eventually forget, and I don't think that this is something that we should ever forget.
Before commenting on the Bible, please read it first
That's like saying "we shouldn't have laws for murder, because by the time it's been committed, the victim is already dead".
Uh, no, that's nothing like what I said at all.
It's more like arresting the guy that bought a video of said victim's murder and wanting him to sit in the chair for it.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Well, CAPTCHAs aren't true Turing tests; the goal of the classic Turing test is to force the computer to exhibit human intelligence in a back-and-forth interaction with an actual human. A CAPTCHA presents only a single intelligence-based challenge (recognizing the image). But if the CAPTCHA is considered to be a kind of limited/lazy Turing test, passing it "honestly" would consist of being able to recognize images in general, like a human, not by merely knowing how to solve the limited scope of image-puzzles that the particular CAPTCHA uses. So in that sense, these CAPTCHA-breakers do "cheat" or "break" the test by exploiting that limited scope.
...seeing as how I (a live human bean) cannot read the damn things (haven't had access to good enough drugs lately, I guess), and the spambots apparently _can_, then they're counterproductive and totally useless.
Thank goodness I have my Gmail accounts hooked up to my email client via IMAP; if I had to solve a CAPTCHA to send mail I'd be off the air.
Exceeding the recommended torque is not recommended.
Let's reverse the positions. Say you are a spammer. You are an American citizen and live in USA. You also use Russian mail provider ... say mail.ru and start spamming Russian citizens. Now, do you really think your government will throw you into jail for that? What if Russian government or media will say that you are a bad guy?
Hopefully web sites will stop using captchas, those things are getting quite ridiculous, and the worst ones are those that require me to enable javascript from a freaking random domain name... BTW, a lot of people seem to think an automated bot cannot have a javascript interpreter...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
I suggest: the pop quiz.
Or "Running A Muck", a collection of cartoons by John Caldwell .
Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.
Way to hate on multi user chat kingdoms.
Isn't the required success rate much higher than that? Since 1% is quite trivial to accomplish on current captchas, for example slashdot seems to always use about the same 50 words... And those pick the pic ones are incredibly kind on randomized approaches... some even make you pick between TWO images! That's a 50% passing chance baby!
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Sorry, it is getting nearly impossible for humans to understand the image a system generates. Maybe it's a reverse type of system: if the user actually manages to "get it," it's a bot.
Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Because you want to use the service?
It has proven necessary to give up privacy in order to develop security. Take flying, for example. You can't fly anonymously - and nowadays (especially) you have to identify yourself multiple times. This can stand for things that are free as well. I'd personally be quite happy to use my credit card to sign up for free things if it eradicated a number of problems, such as spam and service abuse.
So, is a muck a single horseshit?
This guy's the limit!
money equals reputation. Lower transaction costs and implement ubiquitous tollbooths. Contact me via tipjar.com comment forms to help.
in the future they will all look like this trying to increase that limited scope http://geekandpoke.typepad.com/geekandpoke/images/2008/04/23/captcha.jpg
[...]the death penalty for spammers all over the world[...]
How old are you?
8 of 13 people found this answer helpful. Did you?
It was broken before. It isn't going to get fixed. The kittie is out of the bag.
Move on, find another method. Computer imaging and automation have caught up to the current security model.
Time to figgir another method.
--Toll_Free
I stand by what I said. In this instance, I'm saying that they need an entirely new branch of methods and study to verify that a human's on the other end. They've gone so far down that path that it's harder for a human to read it than a computer.
Well, I did see a pattern start to emerge after the first two examples, but wasn't entirely clear. But then I read the third example, and ... well, now I don't see any pattern.
Can you elaborate?
As others have pointed out, money is a big motivator, and we do not really put a great deal of monetary value on being brilliant. Arguably, the greatest value lies in being able to give the brilliant guy a paycheck, because then you can license/own his work.
But suppose the sort of brilliant criminal who is doing this sort of thing actually approached an institute of higher education? Without presupposing anything about them, what do you think the chances are that that person fits the criteria to go to the school, never mind be supported through x years of that school and be let into the somewhat more competitive field of higher academia?
We filter a lot of people out in our class structure, for a lot of reasons. Some of them good. Some of them bad. But one of the choices society seems to have made is that we do sideline any number of brilliant folks.
[Ego]out
Yes the US Government would throw me in jail if they actually found out what I was doing or let's say if the Russians contacted them to inform them of what was going on.
Sometimes I have a hard time reading the answer. CAPTCHA is more annoying than anything nowadays. It appears to be a flawed technology that's trying to cover up a flawed technology (smtp being one of them)
Why not stop making it free? Ask for a credit card when signing up and then charge per-email sent.
Not only will this deter spammers because of the cost, it will be easier to spot clusters of hijacked accounts because the card numbers will either be stolen or all have the same number on them.
Use the $0.01 you make on each email to help recoup your costs.
Eric Sarjeant
eric[@]sarjeant.com
What does Microsoft have to do with it?
Right here I think one can see how the desire to make a buck results in herculean efforts, far overpowering any altruistic drive.
The question is, how does one harness that greed and hence energy? :-)
Invite only means simply that a spammer will have to build up an army of email addresses with 100 invites each before they finally start their process of spamming... have 1000 email addresses with 100 invites? 100,000 email addresses can be created from that, with each address being able to invite another 100, etc. etc., ad nauseam.
Before commenting on the Bible, please read it first
Let's make an assumption that the internet will eventually solve any problem you throw at it given enough time...
What if rather than working on the next best CAPTCHA system, sites were to work from a rotating CAPTCHA repository?
Each page load presents a new human interface problem, something simple like a jigsaw puzzle or an image of a tic-tac-toe board with instructions to place an X and an O in a winning/defending position. In addition to each visual directive, there could also be a random text directive inserted to compound the problem (i.e., saying something like "after selecting the item, wait at least X seconds before clicking X button.")
If you're thinking in pseudo-code, the parsing of the text input isn't particularly challenging, and something like the tic-tac-toe is a solvable image problem, given time. However, if the captcha is being drawn from a growing database of imaging problems/verbal directives, then the captcha becomes not only solving the captcha, but identifying what kind of captcha is being presented.
As the captcha count increases a spammer/coder would have less and less time to hit the moving target and distribute their script before the next problem appears. This doesn't solve the problem of 3rd world captcha farming, but at least people might eat as a result of that economy.
This seems to me like a viable solution for the time being, though I'd like to refer to my first assumption for the long-haul.
The goal here is to differentiate between a bot and humans and prevent automated registrations. I think we've gone too far and need to take a step back and ask ourselves "What are the differences between bots and humans?" If you think about it, there aren't many. Both humans and bots interface with the registration page, for example, using the HTTP protocol; anything can really be simulated. A good way to prevent automated registrations would be to use a different page name every time a new visitor needs to register. Once that page has been visited, it must be deleted by the server; the same would be for the script called by that page. This will prevent a bot from re-using the same page and script. So index.htm would contain a link that points to /registerxyz1.htm, and registerxyz1's form points to /cgi-bin/regab9.pl. Once index.htm has been visited once, the new link would point to /register47g.htm and register47g.htm's form would point to /cgi-bin/rego90.pl. The previous one would get deleted by the system.
This would have to be a feature or module in the HTTP server in order to prevent simultaneous multiple uses of the index.htm page.
TOP DSLR Cameras Reviews of the top DSLRs
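The one-time page and script scheme proposed in the comment above, sketched as an added example (not part of the original thread and not any HTTP server's own module). The class name, the random token format and the expiry window are assumptions; only the `/register….htm` and `/cgi-bin/reg….pl` path shapes come from the comment.

```python
import secrets
import time


class OneTimeRegistration:
    """Issues a fresh register page and form script for every index view.

    Each page and each script is deleted the first time it is used, as the
    comment proposes. Unused ones expire after ttl_seconds (an assumption).
    """

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pages = {}    # page token -> (script token, expiry time)
        self._scripts = {}  # script token -> expiry time

    @staticmethod
    def _token_from(path, prefix, suffix):
        """Return the token between prefix and suffix, or None if the path does not match."""
        if (path.startswith(prefix) and path.endswith(suffix)
                and len(path) > len(prefix) + len(suffix)):
            return path[len(prefix):-len(suffix)]
        return None

    def _purge(self):
        """Drop pages and scripts that were issued but never used in time."""
        now = self._clock()
        self._pages = {k: v for k, v in self._pages.items() if v[1] >= now}
        self._scripts = {k: v for k, v in self._scripts.items() if v >= now}

    def render_index(self):
        """Called for each view of index.htm; returns the link to embed in it."""
        self._purge()
        page, script = secrets.token_hex(8), secrets.token_hex(8)
        self._pages[page] = (script, self._clock() + self._ttl)
        return f"/register{page}.htm"

    def serve_page(self, path):
        """Serve a register page once; returns its form action, or None (404)."""
        self._purge()
        entry = self._pages.pop(self._token_from(path, "/register", ".htm"), None)
        if entry is None:
            return None
        script, _ = entry
        self._scripts[script] = self._clock() + self._ttl
        return f"/cgi-bin/reg{script}.pl"

    def submit(self, action_path):
        """Accept a form post once; a second post to the same script is rejected."""
        self._purge()
        token = self._token_from(action_path, "/cgi-bin/reg", ".pl")
        return self._scripts.pop(token, None) is not None


if __name__ == "__main__":
    reg = OneTimeRegistration()
    link = reg.render_index()
    action = reg.serve_page(link)
    print("first visit :", link, "->", action)
    print("second visit:", reg.serve_page(link))
    print("first post  :", reg.submit(action))
    print("replayed    :", reg.submit(action))
```

What this enforces is that a given register page and script cannot be reused; every new view of index.htm still receives a new valid pair.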
Killing people is wrong.
Yeah ! Kill the spammers instead !
May contain traces of nut.
Made from the freshest electrons.
Uh, no, that's nothing like what I said at all.
See http://www.answers.com/analogy
Are you really denying that punishment has no deterrent effect?
Where do you think the advertising revenue for spam comes from? That's right: sales!
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
You don't know what you're talking about. Please do not talk about such things in the future. Thank you, and have a nice day.
-- 'The' Lord and Master Bitman On High, Master Of All
s/denying/claiming/
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Great, now what's a "for for"?
A tutu for conjoined twins?
When our name is on the back of your car, we're behind you all the way!
See http://www.answers.com/analogy
Right, that page agrees with me. The operative word being 'similar'.
Are you really denying that punishment has no deterrent effect?
No. I didn't make any general statements about punishment and deterrents. I said that suggestion won't work.
Where do you think the advertising revenue for spam comes from? That's right: sales!
Wrong. It comes from somebody having something they want to sell. They don't pay the spammer after the sales are made. They pay him/her to send x number of messages out. That's it. It's just like advertising in the New York Times.
Killing people buying stuff from spam, besides being a patently dumb idea, won't do one thing to stop it. You need to understand what a problem is before trying to solve it.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
This is a great point. So, what is the new method? How will we be confirming our humanity and good will to various websites in 5-10 years? There must be some Slashdot readers with insights.
I think it will have to do with building a reputation. Between my gmail account and my slashdot account, I can demonstrate that I am a real person with a history of not spamming or trolling (much.) There needs to be some way for a third website to check with gmail and slashdot to confirm this.
This opens up other problems, though. How does one establish their reputation if they have no web history? And what if a website unfairly reports you as behaving badly - would your reputation be trashed? Would you lose access to your accounts?
I knew there was a good reason I stayed away from MUCKs, MUSHes, and MUDs!
Towards the Singularity.
Wouldn't it work to show photos of easily identifiable objects and have people type in what they see? Dog, cat, house, pencil, etc. I guess the image sizes could be cataloged and answers could be generated from that. Random on-the-fly compression rates might work.
Plus, don't forget about the free prison sex once you are "retired"
Beauty is in the eye of the beerholder.
What about a system that takes photos of everyday objects and dynamically layers them into a new picture. The user is then asked to name a random amount of the objects in the photo (for example, name the closest and furthest objects in the photo). This would be random each time like current methods.
It seems to me that Q&A is the answer, if done properly. The key is to ask something that can only be answered if you're on the site. For example: "Next to the Slashdot logo at the top-left of the page, there is a five-word phrase. What is the second word in that phrase?"
You'd obviously need to change it up fairly often (and large sites would have problems still), but spammers would have a difficult time keeping track of answers for thousands of sites.
To make it even better, have it rotate through a few similar questions for your site, and have the questions be buried CAPTCHA-style in an image.
All told, it would seem to help. They'd have to resolve a very long CAPTCHA (117 characters in my example above) AND be on the site to get the answer. Seems like it would help.
I think the problem lies therein. Most of the people you meet online are going to fail a test for human intelligence. You'd have to test their DNA to conclusively whether or not they're human.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.
Already, captchas tend to beat me. I don't want them any harder! In fact, I could use that program of theirs....
ok, so I suck at image recognition. Is that some sort of crime these days?
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
So let me get this straight. They write image (and logic) recognition software with the express written purpose of breaking captchas and then they are magically surprised when it is used to break captchas?
So let me get this straight. They make handguns (and bullets) with the express written purpose of shooting people and they are magically surprised when they are used to shoot people.
So let me get this straight. They make lock picks (and other tools) with the express written purpose of picking locks and then they are magically surprised when they're used to pick locks.
I've written an image processing tool to CAPTCHAs to show that they're irritating in all cases (especially if you're blind) and ineffective in most cases. Does that mean that my software is the "good" CAPTCHA breaking software and the software that was written by others is "evil"?
Simple. Spamming pays better than academia.
A major issue here is the prevailing attitude problem of the Russian authorities.
As they see it, their turning a blind eye to Russian cybercrime targeting Westerners is a passive-aggressive form of payback for the fall of the Soviet Union. Why should they give a damn that Russian citizens are making massive amounts of money ruining the lives of innocent Westerners, so long as they're not targeting their own kind (e.g. Slavs)?
We've seen in the past that the Russian authorities CAN take care of their festering cybercrime problem when they want to; to wit, the Pinch Trojan authors. It's very simple if you're some Russian shithead with no morals looking for some easy money: as long as you obey the unwritten law that it's okay to victimize Westerners and not Slavs, then you can do what you damned well please. If you cross the line, only then will you find yourself in a camp in Siberia chopping down trees.
If you look at this situation for more than five seconds, then it makes perfect sense. The Russian state is corrupt from top to bottom, and everyone in a position of power is either a gangster, or an FSB agent gangster wannabe. We shouldn't be surprised then, when they behave like gangsters.
Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.
...Why not just snag the $1 million from Clay, and THEN go to the dark side and reap the $1 billion? :D
Let me spell this out for you:
*** If nobody bought anything as a result of reading spam, spam would cease to exist. ***
To put it another way:
*** People expect some sort of return from an advertising budget. ***
Do you understand it yet?
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
"Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not)." - by WK2 (1072560) on Thursday October 02, @12:04PM (#25234023) Homepage
Sounds suspiciously just like U.S. Politicians, on all fronts noted, and their korporate amerika masters also.
(You forgot to note that when either one of them screws up, they bail one another out, at the cost of the customer in taxpayers as well. Double bonus, to go along with golden parachutes and lifetime pensions at full pay - & don't worry: We'll change the rules of this game of monopoly in your favor, every time, you cannot lose (though everyone else, does)).
Yes - "small wonder" that when kids were asked "why don't you study math & sciences" the majority of them answered along the lines of:
"Why should I? I'd rather lie, cheat, & steal my way to the top, like successful adults do today"...
(I saw this on Glenn Beck's show no less... & yes, it disgusted me, but I can't blame those kids - when in (the new) ROME? Do as "SUCCESSFUL" romans, do.)
Makes me realize how stupid I was actually learning something that is supposed to better the human condition. However, I am more of the view that "nothing good, comes easy" & only leads to ruin in the end... take a look around people, & argue with the numbers is all I can say to naysayers on this account.
Apparently, the 'new trend' is screw it up as much as you can for others, at their expense - as long as you & yours come out filthy rich! Now, you may have to "live a life of quiet desperation" but then, with your masters' "pencil" in your mouth, keeping you silent? Well, it won't taste too bad now will it?? Swallowing your pride & doing what's right along with it will wash the 'fine flavor' down better.
(I.E.-> You're right! You're clearly better off being the worst kind of dishonest criminal there is, in betraying the trust others put into you, nowadays!)
Plus, you "fit in with the team" better that way, too, and get a nice politikal appointee "assistant to the assistant" zero hours required job (or near to it, e.g.-> An assemblyman is required to be @ only 2 meetings in NY State for instance, & draws nearly 45k/yr. annually for it no less) in being a bootlicking sycophant/crony/stooge/yes-man blatant thief, and, even if you get caught or ruin it??
Hey - Don't worry!
No sweat - because the "republican team" will bail you out & best of all? At the dimwit working class SLAVES' expense too (since we've effectively destroyed the middle class already)... & no skin off your behind, so keep stashing your stolen "enron style" millions in offshore accounts in the Kamen islands &/or Switzerland boys!
Oh, you know: the ones we pumped 401k plans we suckered them into & adjustable rate mortgages too, into OUR "hedge funds" (which via insider trading, we know when you ought to pull out your investments from - YAY TEAM!
If I wasn't an "A/C" here, I'd mod you up, but not as funny. More as Insightful, instead.
Signed,
Disgusted, & disgruntled, tax-paying U.S. Citizen Joe Public (soon to have his job outsourced no less, and to be swindled & hoodwinked via more "financial innovations")
P.S. The operative words are in fact "otherwise dissimilar".
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Are you selling it? Are you marketing it to spammers?
Let me spell this out for you:
*** If nobody bought anything as a result of reading spam, spam would cease to exist. ***
To put it another way:
*** People expect some sort of return from an advertising budget. ***
Do you understand it yet?
I've understood what you're saying the whole time. You're just wrong. The money has changed hands before anything's actually sold. The only promise they're made is n thousand people will receive the message. That's it. It has nothing to do with actual sales.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Obligatory
http://xkcd.com/329/
If only.
That one's easy, just copy the floppy and write the word on the duplicate.
You can hold down the "B" button for continuous firing.
The obvious solution to broken CAPTCHAs is to use a Vulcan mind-training device like Spock was using at the beginning of Star Trek IV: The Voyage Home
(Asked in rapid succession without waiting for an answer):
"Name the last 7 presidents of the United States."
"If a car leaves London at 7:00 AM for Glasgow at 90 KPH and another car leaves Glasgow at 8:00 AM for London at 80 KPH, at what time will they meet?"
"What are the three elements of the human psyche?"
"How do you feel?"
If you give the correct answers within 3 seconds, you're in.
Don't underestimate the power of The Source
Is there any evidence that this actually works against Google and isn't just a slashvertisment for the software?
They are also claiming generic anti-KITTEN capabilities. Generic AI? Run away! Especially if the software recognizes kittens without seeing them before. Yes, I know the argument of kittens not bending or getting spots all over, like letters can, but I call bullshit. Kittens do bend.
They would still need a lot of help from the pr0n squad CAPTCHA breakers. I'm betting my last KITTEN on it.
She made the willows dance
Since when SHOULD politicians get the same rights the citizens have?? They get more power and for that they should lose some of their rights.
Sure "hacking" an idiotic password is technically a crime, but the law is supposed to be interpretative so a reasonable judge can just sentence the guilty person to some community service (which I'm sure they wouldn't mind since they obviously volunteer already.)
Democracy Now! - uncensored, anti-establishment news
Funny, I can't even break that one and I'm human.
It's amazing how spammers are overcoming computer science problems faster than full-time researchers. Someone should make a captcha that asks the user to solve an NP-hard problem in polynomial time.
What about a system that takes photos of everyday objects and dynamically layers them into a new picture. The user is then asked to name a random amount of the objects in the photo (for example, name the closest and furthest objects in the photo). This would be random each time like current methods.
Good luck developing computer software that can generate such a composite picture and know the answers to those types of questions.
I dabbled with a text-based CAPTCHA that generates random questions. It's HARD. Generating questions that make sense to a human (the questions aren't self-contradictory and there's only one right answer) is a lot more complicated than it sounds like it should be. I'd be very surprised if you can design a program that generates an image from composite photographs that knows what the closest and furthest objects are.
You'd have much better luck not using photos, but generating a cartoon-like drawing. Imagine a drawing of an apple tree with three apples on it, four on the ground under it, two on a picnic table, and one being held by a monkey. Other similarly-sized and -shaped items (oranges, pears, alarm clocks, baseballs) are scattered around as well. The user is asked to identify something that there are ten of ("apple"), or where there are only two apples ("table"), or what kind of tree is in the picture ("apple"), or how many of what the monkey is holding have not yet fallen ("four").
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
If the spammers can now crack "pick the cat" captchas then they are already able to do some pretty good real life scene recognition. To improve the technology just make some appropriate captchas and wait for those Russians to crack it. (For military apps, "click on the aerial view of the tank, not the dump truck".) Next, improve machine speech recognition by making some audio based captchas. The possibilities are endless, and much cheaper than handing out grants to university poobahs.
instead of character recognition, ask questions based on a given image
example:
image with a cat on the left and a dog on the right.
question: what's on the left?
answer: cat
example2:
girl crying, next to a broken glass
question: why is the girl crying?
answer: because of a broken glass
it's very human readable, and very difficult for software interpretation
and I just patented that...
Obviously this is very complicated. If it was easy, it would be solved by now. I'm just thinking out loud.
I am thinking of working on something like this though. It would be a good challenge.
You're setting up a straw man. I'm not denying that the money has already changed hands, any more than I'm denying that the murder victim is already dead. The point is that if people cease to buy things as a result of spam, spam will dry up. Are you seriously claiming I'm wrong about that?
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Does this mean that recaptcha will be spammed soon?
- Oh, wait, they did *not* use the term V1aGrA in 18th century books?
SCNR, but I actually _do_ want to know.
I might not have explained myself properly, but without going into too much detail, I can tell you, I know what I'm talking about.
TOP DSLR Cameras Reviews of the top DSLRs
It depends. There are two kinds of "cat captchas" that I'm aware of. One is the one where you have to identify whether a color image is of a dog or cat, as in KittenAuth or Microsoft's Asirra. That would be very impressive (though the Asirra team points out that KittenAuth is weak because it uses too few images).
The other is the kind where cat & dog icons tell you which letters to pick from a string. If you've actually seen these captchas, it's not *that* hard to believe. Here's a link showing you what one looks like.
All the captcha-breaker has to do is learn to recognize the reused cat & dog icons and separate them out from the letters. It's not that hard compared to recognizing distorted and warped letters, in my opinion.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The point is that if people cease to buy things as a result of spam, spam will dry up. Are you seriously claiming I'm wrong about that?
Yes.
Here's how it works: You pay spammer money, he delivers messages to n-thousand addresses. That's it. There is no "I'll pay you when I make money." That's how these guys make their living. They get paid something like $200 to deliver a message to like 50,000 people. The people sending the message a.) don't think that's too much to spend just to try it in case b.) they get just 1% of those 50,000 people to read it. The spammer cannot say "I can guarantee you sales", he can just say "I can guarantee a certain percentage will look at it." That's how it works. It doesn't require success. Heck, why would it? All somebody'd have to do is say it works. If the price is low enough, it falls under "what the hell? What do I have to lose?"
Much like advertising, SPAM is driven by potential, not by actual sales.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
There has to be a better way to stop them than CAPTCHA, right? Something like answering a question such as "If I have three apples and you take two..."
nonconformity at work
The people sending the message a.) don't think that's too much to spend just to try it in case b.) they get just 1% of those 50,000 people to read it.
Reading it is not enough. If 1% of 50,000 people read it, but no-one ever buys anything, do you honestly think the people sending the message will continue to employ the spammers?
Seriously, if you don't expect a return on your investments, I'd love to do business with you sometime.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Why don't they just show a photo of a cat and ask to tell what it is? I wonder if a computer could read that picture.
Just get 1000 pictures maybe with random backgrounds. Then show 2 of them and ask to name both. That'd be quite uncrackable for a while.
Or am I missing something?
Ville / Varuste.net
I doubt the terms of use of any software would hold up as such an absolute rule of law in court. Sure, most of them have reasonable conditions; I guess those would hold up. But what if I wrote a program and the EULA said that all users had to wear a funny looking hat with a feather in it and stand on one leg whenever they use the software? I know it's a ridiculous example, but I'm just saying that a EULA can't absolutely override the law. Unless circumventing CAPTCHA is seen as circumventing a security measure, there really would be no case.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
That sounds like the old manual-based copy protection.
So, after one Christmas, I had a really full backpack, and a bunch of computer games in big boxes, so I pulled out the diskettes and manuals and left the boxes with the wrapping paper.
Get home, and boot up a game, and it asks "What's the third word on page 15 of the manual"... "red". Good...
Next game, "What color are the balls on the left side of the back of the box"... "well, ^%$@^%@&^".
So don't forget to keep the box!
What if someone made a simple plug-in that allowed the site operator to put up a custom graphic of text, a text explanation of what to enter, then the input box. You can actually count on the bots being too smart for their own good. Put the answer to the captcha in plain view -- don't even obfuscate the text, but make it easy to OCR. Kinda like the "speak 'friend' and enter" riddle in LOTR. Put an image of nice, crisp sans serif font saying "This is a dummy captcha. Type FOO in the box below." The bot, at best (if it targets generic captchas) would enter all the text, whereas the human would only enter what it's told to enter.
This raises the bar from simple OCR brute force to something closer to AI. The text can be parsed out of the graphic, but the meaning would be hard for automation. In addition, a little bit of work by the admin for each site would amount to a huge amount for the spammers, since they'd essentially be faced with an almost unique problem for each site they want to tackle. Plus, if some bot targets your site (unlikely, for those of us running small traffic sites) and manages to start spamming, you simply change your custom graphic and text.
Sure, it won't help huge sites like Google and Yahoo, but it'll sure as hell help the little guy out. Decentralizing the exact method to generate the images would go a long way to increasing the workload on the bots/programmers.
Method of processing duck feet
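The server side of the operator-written challenge proposed in the comment above could look like the following sketch. It is an added example, not code from the thread or from any existing plug-in; the challenge texts, `SITE_KEY`, `TOKEN_TTL` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical per-site secret: generated once and kept server-side.
SITE_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a rendered form stays valid (assumed value)

# Operator-written challenges: id -> (text drawn into the image, expected answer).
# Constructed samples; each site writes its own and swaps them when targeted.
CHALLENGES = {
    "c1": ("This is a dummy captcha. Type FOO in the box below.", "foo"),
    "c2": ("Ignore the picture. Type the word after this colon: heron", "heron"),
}

_used_nonces = set()  # replay cache; assumes a single server process


def _sign(challenge_id, nonce, issued_at):
    msg = f"{challenge_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def issue(challenge_id, now=None):
    """Return (image_text, token); the token goes into a hidden form field."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = _sign(challenge_id, nonce, issued_at)
    return CHALLENGES[challenge_id][0], f"{challenge_id}|{nonce}|{issued_at}|{mac}"


def verify(token, answer, now=None):
    """Return (ok, reason). A token buys exactly one guess, right or wrong."""
    now = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed"
    challenge_id, nonce, issued_at, mac = parts
    if challenge_id not in CHALLENGES or not (issued_at.isascii() and issued_at.isdigit()):
        return False, "malformed"
    expected_mac = _sign(challenge_id, nonce, int(issued_at))
    if not hmac.compare_digest(mac.encode(), expected_mac.encode()):
        return False, "bad-signature"  # client altered the challenge id or timestamp
    if now - int(issued_at) > TOKEN_TTL:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    _used_nonces.add(nonce)  # burn the token before judging the answer
    expected = CHALLENGES[challenge_id][1]
    if not hmac.compare_digest(answer.strip().lower().encode(), expected.encode()):
        return False, "wrong-answer"  # e.g. a bot submitting all the OCR'd text
    return True, "ok"
```

Because the expected answer never leaves the server and each token is single-use, a submission that pastes the whole OCR result gets one failed attempt per page load rather than unlimited retries against the same form.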
Good point. Breaking the Turing test would be like if you had the human contestant be a teenage girl and conducted it over text-messaging.
Examiner: Okay, tell me your name.
Contestant #1: omlk4rl?
Examiner: hah! Not only did this program give itself away on the FIRST RESPONSE, it spit out some kind of 64-bit memory dump!
Supervisor: Sir, that was the human.
Examiner: !!!
Information theory is life. The rest is just the KL divergence.
And the biggest benefit is: You don't pay taxes!
Hey, I got an idea for a captcha that is 90% easier to read than previous captchas and pretty much bot-resistant. It focuses on the fact that the user is really looking for a shape, just like the bots, but the user has the brain capacity to dissect data input at a rapid rate. Here is the captcha concept:
([actual captcha phrase]) -> (tool to switch font set randomly every frame, and insert single frames at random intervals containing garbage) -> (tool to overlay the animation with moving lines of different colors, randomly placed particles for an "old film" look, changing shadow direction randomly) -> (tool that splits up the animation into 30-100 randomly numbered 5x5/10x10/20x20/30x30 animated gifs and arranges them on a grid) -> ([user screen]). This technique totally eliminates most modern bots. The only kind of bot that can feasibly decipher this is one that uses screen capture... and even then... with random shadows, static noise overlays, moving lines, and frames containing random garbage... it would take at least 3 hours to decipher one as a bot, and much less time as a human.
A mispeled pokemon of course.
Reading it is not enough. If 1% of 50,000 people read it, but no-one ever buys anything, do you honestly think the people sending the message will continue to employ the spammers?
A spammer (or an advertiser, for that matter) cannot promise anybody'll do anything but see the spam/ad. And to answer your question, no, but now you're talking about repeat business, here. You said spam would stop if people quit buying stuff, that's what I'm contesting. There's always somebody trying to sell something without spending a lot of money. There will always be demand for that no matter what the people receiving the SPAM do. Execute a bunch of people? You'll still have people wanting to get messages out there. As long as there's demand, there'll always be supply. That is why your approach won't work. It's like trying to stop prostitution by going after the customers, only without it being plainly clear what the person arrested did wrong.
Seriously, if you don't expect a return on your investments, I'd love to do business with you sometime.
We're talking impulse prices, here. There aren't any new or foreign concepts here, no point in acting like there are.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Put up a picture of tubgirl. If they still want to register for the site then it is probably an automated process and you can safely deny them access.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Actually, it wouldn't work in the slightest. Bots would merely fetch the index page, grab the register link, and defeat the whole purpose.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
The kind of CAPTCHAs that I've found remarkably good at avoiding spam were those that required specific background knowledge on the part of humans. Two examples are the one that requires you to know what a certain ASCII character represents in Nethack, and another that requires you to know the articulatory description of an IPA symbol. Spammers don't care enough about such niche areas to learn how to crack them. In these cases, CAPTCHAs work very well and are even appealing to the audience who enjoys them as an acknowledgement of in-group status.
How about a death penalty for anyone that buys anything from spam?
I would be in support of that.
Why should the rest of us suffer just so some asshole can pay another asshole to make our lives harder.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Killing people is wrong.
No, killing innocent people is wrong but if the sole purpose of someone's existence is to harm others then they forfeit their right to live.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
As long as there's demand, there'll always be supply.
Indeed. And as long as there's profitability, there'll always be demand. What I can't understand is why you think there'll be profitability when only, say, one in ten billion eyeballs will take the risk to buy viagra upon pain of death.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Say I marketed the image processing software that I wrote to the vision impaired (near-blind, legally blind, and blind community to be specific). They have problems with image CAPTCHAs because it's hard for them to see, and many sites don't have an alternate, audio CAPTCHA. Would my software be "evil" if fraudsters, posing as vision impaired, bought my software?
I suppose the question is "is CAPTCHA breaking software, in and of itself, absent its usage, 'bad'". I've already laid out two examples, systems testing and vision impairment, that are important, good applications of CAPTCHA solving software.
Because I see many people missing the point, let me elaborate on the system testing aspect. It's a sad fact that many people who peddle security solutions are not very good with making secure security solutions. For example, take the recent example of an "AES encrypted" external hard drive that was secured with an RFID dongle. The RFID stored the key with AES, transferred it with AES, but the drive itself used XOR with that key, which is trivial to break if you are serious about recovering the data. Many people either are incapable of doing the research (because they don't understand cryptology) or too lazy to do the research. When someone comes along and proposes a theoretical attack, the snake-oil salesmen laugh and say, "I don't care - you haven't shown me that it's insecure, just that you think it is!" That's where system testing tools come into play. They are crafted to show the maker of a device and the owners of the devices that their devices are insecure, should not be trusted, and that steps should be taken to secure them.
That is the case with my CAPTCHA software. It is to show people who use CAPTCHAs on their site that, in most cases, they are not secure and in all cases that they are annoying. Without a proof of concept, most people wouldn't care. With a proof of concept, it forces them to reconsider their position. Many other auditing tools work this way, such as nmap, Nessus, Wireshark, Kismet, and aircrack. To take a page from your position on the NSA, COINTELPRO, and warrantless wiretapping:
Did the program get misused? Yes it did and I don't defend that. But don't throw out blanket statements about history and expect me to swallow it when it's not completely factual.
I work in the computer security field. I use nmap to portscan my client's network in many different ways and from many different angles. Again, I could probably code something to work by hand, but a tested tool is much better than something that gets thrown together one-off for something like this. Nessus gets used against hosts to see if there are any missing security patches. This is to inform my client that they need to patch their software and work towards a system where patches get applied in a timely manner. Wireshark is used when auditing TLS and IPSec connections to make sure that the connections are actually secured properly. It is also used live if there is an intrusion to log exactly what the attacker did for postmortem analysis. Kismet is used to scan for rogue wireless access points and to determine what information is flowing across them. aircrack is used as a live client demonstration to show clients still using WEP how insecure it is if they don't think an attack is practical. There are about five or six other general purpose tools in my toolbelt, including ettercap, 0phtcrack, and Cain and Abel.
I have several other proof of concept pieces of code that aren't generally available targeting newer exploits to make sure that my clients have protected against them. They are pieced together from vulnerability reports, proof of concept code, and techniques picked up from 'blackhat' exploits. They are more targeted and custom, and if anybody would need them to help secure their systems, I would gladly give them a
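The kind of system test the comment above argues for can be very small. The following added example (not the commenter's tool and not from the thread) audits a sector-encryption function for the XOR weakness described for the "AES encrypted" drive; both drive models, the key and the test patterns are constructed stand-ins, and on real hardware `write_sector` would mean writing through the enclosure and reading the raw platter contents back.

```python
import hashlib

SECTOR = 512
HALF = SECTOR // 2


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_drive(key):
    """Model of the flawed enclosure: every sector is XORed with the repeated key."""
    stream = (key * (SECTOR // len(key) + 1))[:SECTOR]
    return lambda lba, plaintext: xor_bytes(plaintext, stream)


def tweaked_block_drive(key):
    """Stand-in for a sound design (NOT AES): a 4-round Feistel network over the
    whole sector, with a SHAKE-256 round function keyed by key, sector and round."""
    def write_sector(lba, plaintext):
        left, right = plaintext[:HALF], plaintext[HALF:]
        for rnd in range(4):
            seed = key + lba.to_bytes(8, "big") + bytes([rnd]) + right
            left, right = right, xor_bytes(left, hashlib.shake_256(seed).digest(HALF))
        return left + right
    return write_sector


def audit(write_sector):
    """Write known patterns and return a list of findings (empty means none)."""
    p1 = bytes(range(256)) * 2   # constructed test pattern
    p2 = b"\xa5" * SECTOR        # constructed test pattern
    zeros = bytes(SECTOR)
    c1, c2 = write_sector(7, p1), write_sector(7, p2)
    findings = []
    # A real block cipher never satisfies C1 ^ C2 == P1 ^ P2; a fixed XOR mask always does.
    if xor_bytes(c1, c2) == xor_bytes(p1, p2):
        findings.append("ciphertext is plaintext XOR a fixed stream")
    # Without a per-sector tweak, equal data is recognisable anywhere on the disk.
    if write_sector(8, p1) == c1:
        findings.append("identical data encrypts identically in different sectors")
    # Zero-filled space (common on a fresh disk) then stores the mask itself.
    if xor_bytes(write_sector(7, zeros), c1) == p1:
        findings.append("an all-zero sector exposes the stream that masks other data")
    return findings
```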
What I can't understand is why you think there'll be profitability when only, say, one in ten billion eyeballs will take the risk to buy viagra upon pain of death.
Two reasons:
1.) SPAM is really really cheap.
2.) There'll always be stuff people want to sell.
It's not like a spammer would have to provide any records that utterly and without a doubt prove that stuff actually gets sold in order to get any business.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Of course a spammer doesn't have to prove stuff gets sold. The seller can determine that for themselves. And if nothing gets sold, ever, via spam, sellers will no more use the services of spammers than they use the services of apothecaries to turn lead into gold.
If really really cheap means the same thing as free to you, find out what a spammer would cost to send out a few million emails, and send that money to me. I'll send the same amount of business your way as a spammer would have done if responding to spam carried the death penalty.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Why run a muck when you can run a spamming service?
I used to run a muck from my mom's basement, but when she finally found out she kicked me out, and the police confiscated all my mucking equipment.
Now I run a round.
No freakin' pinoqachole either!
That depends on what your definition of
Spamming US citizens?
Migod! They must be either furriners like that crazy Ahmadweebijab or Kims-Dong Ill, or possibly even traitors like Alec Baldwin!
Where's TEAM USA when you need them? Cleaning up other rampant muck runners?
.
.
- aqk
F U
The seller can determine that for themselves.
Heh. What exactly are you expecting, here? "Hey Mr. Nigerian scammer, how much money did you get from all the SPAM you had sent out? " Seriously, we're not talking about companies or customers who want to talk about it. Read some of those messages. The goods are usually ill-gotten, scams, or just plain the sort of thing you'd never get from a reputable company.
And if nothing gets sold, ever, via spam, sellers will no more use the services of spammers than they use the services of apothecaries to turn lead into gold.
Wrong. First off, we're not talking about people with business degrees or candidates for the Apprentice. Secondly, when the price is cheap enough, there's always that temptation. "Well, we'd only have to sell 5 to break even." Third, you're assuming no new naive businesses/individuals with stuff to sell are ever going to appear again. The world's constantly generating new conniving people to fill our inboxes.
Your rationale works fine when talking about McDonald's or Coca Cola, that's because the demand is for their actual products. In the case of SPAM, the demand isn't for products, it's for the advertising. Plain and simple. You don't need successful sales for SPAM to be attractive. All you need is somebody without a lot of money and something to offload.
I'll send the same amount of business your way as a spammer would have done if responding to spam carried the death penalty.
I'd still get SPAM, lots of it. It costs the spammer virtually nothing to send lots of people messages. He doesn't even care if I've got a SPAM filter on because he can tell his potential clients "I can get it to a million addresses out there". He gets paid long before a single sale could ever possibly get back to the client. His pay is not dependent on success. He can just keep making lots of noise and raking in the money. The only possible way the death penalty idea could ever work is if all the spammers out there have a conscience. Heh.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Being a Blackhat is fine in my book. I already said that a few posts ago. My problem with this company in question is that they are fine marketing this stuff to spammers. Also, I'd really think you would be doing a better service if you promote better audio captcha as opposed to trying to crack every captcha out there.
"Well, we'd only have to sell 5 to break even."
Good. We are agreed that even the most idiotic, unscrupulous individuals still have their eye on the bottom line. Now, change the law so those 5 sales do not happen, and QED.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Good. We are agreed that even the most idiotic, unscrupulous individuals still have their eye on the bottom line. Now, change the law so those 5 sales do not happen, and QED.
By the time the sales did or didn't happen, he's already given money to the spammer. What you're saying would only be true if Doc Brown managed to commercialize his time machine. Hindsight is 20/20, you know. ;)
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
You must truly be the conman's dream, if you think that hindsight is the only way to evaluate a proposition.
Now, I have something you might be interested in. It only costs $20, and it'll net you thousands of dollars profit. Do we have a deal?
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
You must truly be the conman's dream, if you think that hindsight is the only way to evaluate a proposition.
That's a creative way to misinterpret what I said. Heh. Like I said, it's info that is difficult to dig up. It's a price low enough to not be too risky. Still, though, if I hadn't already pointed this out before, I'd understand why you'd say something like that.
Now, I have something you might be interested in. It only costs $20, and it'll net you thousands of dollars profit. Do we have a deal?
Not a very valid analogy here, but okay, let's run with it. Do you think out of 6 billion people on this planet, 0 would say yes to that? I admire the faith you have in the people that send out these messages, but they'd disappoint you. A few bucks and their message gets out. They're not going to spend 6 months researching the spammer, finding references, getting customer testimonials "My penis grew 3 inches!", and doing a risk analysis. If they're going to take it that seriously, why bother with SPAM at all?
Those poor people, executed for nothing.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Audio CAPTCHA is just as bad. What if you're deaf and blind? What if you're blind but don't have a sound card and are using a braille TTY?
Like I said, it's info that is difficult to dig up.
We're talking about a hypothetical situation in which people are executed for buying products through spam. You're claiming that in such a world, information about whether or not people buy products as a result of spam is difficult to dig up.
I don't think so. Even if it were, the thought process would run something like: "Hmm, will anyone actually buy this as a result of me employing someone to send out spam? Well, if they do, they'll be executed for it. I guess not, then."
Do you think out of 6 billion people on this planet, 0 would say yes to that?
On the planet as it is, you'd probably get a few takers. On a planet in which they would also lose their lives, you wouldn't. Or at least if you were trying to work out whether asking 6 billion people (which carries some associated cost) would net you enough $20s to make it worthwhile, you'd quickly come to the conclusion that it wouldn't.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
You're claiming that in such a world, information about whether or not people buy products as a result of spam is difficult to dig up.
Just for clarification: I'm saying that that information is difficult to dig up today in the real world.
I don't think so. Even if it were, the thought process would run something like: "Hmm, will anyone actually buy this as a result of me employing someone to send out spam? Well, if they do, they'll be executed for it. I guess not, then."
Respectfully, I disagree. They wouldn't care if people were executed for it. The responsibility for that would be on the people making the purchase, it would be up to them to avoid being caught. Really, they don't even care now if they ruin somebody's life by transferring all their money out of their account. "Better you than me!"
On a planet in which they would also lose their lives, you wouldn't.
Ha. Yeah, that's why some states in the USA don't have people committing murder anymore.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Respectfully, I disagree. They wouldn't care if people were executed for it. The responsibility for that would be on the people making the purchase, it would be up to them to avoid being caught. Really, they don't even care now if they ruin somebody's life by transferring all their money out of their account. "Better you than me!"
Yes, but the people being executed would care. I agree that you can't appeal to spammers or their sponsors with moral arguments, but people are largely self-interested when it comes to preserving their own lives!
Ha. Yeah, that's why some states in the USA don't have people committing murder anymore.
Point taken, but I think the risk-benefit tradeoff weighs more favourably for murderers. And it's hard to believe that people would be off buying fake rolexes as a crime of passion ;)
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Okay Helen Keller. If you are Deaf AND Blind you have bigger problems. I support making the web accessible but I'll only jump through so many hoops. You can't please everyone.
Point taken, but I think the risk-benefit tradeoff weighs more favourably for murderers.
I think that in the real world, assuming that this law would actually be globally AND rigorously enforced, you'd still find people doing it. Maybe I'm being unfair to a lot of people, but just tonight I watched two teenagers steal two cases of beer from a grocery store. That's a pretty stupid thing to risk a criminal record for, especially considering it'd all be gone in the next day or two. Some people do things on impulse. Some people just think they can get away with it. Some wouldn't even know it was illegal. Then there's some guy that comes along who cooks up a neat scam and just needs to get a message out to a bunch of people.
Hope your weekend is going well.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
No, spammers don't care enough about that particular website to crack it.
If your website is a spam target, you will be spammed. Otherwise, you can just have a checkbox that says "check here if you are not a spam bot" and it will provide just as much security.
-- 'The' Lord and Master Bitman On High, Master Of All