Slashdot Mirror


Now Google's CAPTCHA Is Broken

steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."

27 of 408 comments

  1. Re:Why by GodKingAmit · · Score: 2, Insightful
    Because violating the terms of use (by using automated systems) is not a criminal offense?

    Tis clearly a civil issue.

  2. Well... by bhunachchicken · · Score: 4, Insightful

    ... you've got to admit that it's one hell of an achievement.

    1. Re:Well... by ivandavidoff · · Score: 2, Insightful
    2. Re:Well... by wtfispcloadletter · · Score: 4, Insightful

      What is? Breaking Captcha? Not even close. Whether it's done with software or by paying humans in China, India, Africa, etc it's not impressive to say the least.

      Google's captcha has been broken for a very long time. Only nobody has admitted it until now. I have several Google alerts set up for certain keywords. I used to get some pretty interesting alerts to articles, blogs, other sites, etc. Now 98%+ of the alerts I get are Blogger.com spam sites. It's been this way for about 5 months, possibly longer, but that's about when I started seeing an influx of pure junk.

      At first I was reporting them to Google. Then after about the 100th or so alert and having checked several of the blogs to see if they were taken down (they weren't, just the one particular page that I reported was) I just gave up. Realizing that Google's captcha is seriously flawed and was broken.

      Google and others need to change how easy it is for people to sign up for an account with them. Yes, it's going to be a hard row to hoe, but it needs to be done, especially for blogspot/blogger.com as those pages are just littering the internet with junk.

  3. Great Source by Frosty+Piss · · Score: 4, Insightful

    Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".

    --
    If you want news from today, you have to come back tomorrow.
  4. Re:Why by Anonymous Coward · · Score: 1, Insightful

    same answer as to "Why aren't the various bittorrent client authors in jail?"

  5. Re:Why by Bashae · · Score: 3, Insightful

    How about an international treaty to implement the death penalty for spammers all over the world.

    I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.

  6. Re:My test: by areusche · · Score: 4, Insightful

    Captcha is a joke. They've become so difficult to read that I can't even decipher what it means!

    I don't know what these companies are going to do to keep spammers from running email bot networks.

    I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

    I've given up. Please just send me large amounts of email asking me to enlarge my pen15 while remortgaging my sub prime house!

  7. Re:Why by moderatorrater · · Score: 4, Insightful

    They probably should be, honestly. However, why not be thankful that the opposition is being open about their abilities to crack security? Obviously, a CAPTCHA system isn't going to work for the future; we should be developing a new methodology for verification.

  8. Re:Simple solution by iamdrscience · · Score: 3, Insightful

    let's just consider the internet closed to new entrants.

    Your ideas are intriguing to me and I wish to subscribe to your newsletter.

    Really though, I think we would have been better off if we did this about 10 years ago (maybe even 15). Better late than never though, I guess.

  9. Re:Why by Anonymous Coward · · Score: 3, Insightful

    No, they write image recognition software. The people who use their programs defraud Google.

  10. Re:My test: by eln · · Score: 4, Insightful

    I want to say verify identity with a credit/debit card, but that won't work very well because of Johnny 13 year old who wants a Gmail account.

    That won't work for anyone who cares about their own privacy. Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?

  11. Re:Why by spiffmastercow · · Score: 5, Insightful

    aren't these guys in jail?

    I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.

  12. Captchas are dead by shellster_dude · · Score: 2, Insightful

    The truth of the matter is that there is almost nothing you can do to stop a spammer if they want into your system bad enough. A captcha merely means that they might have to take some time to tweak their image rec. software, or hit your site enough to generate all the possible captchas. The only possible way that I could see companies like Google keeping spammers out, would be to require a valid credit card, that matches the user's name and then have them verify their account by entering the small deposit amount that Google makes. This obviously has problems, like paranoid customers (such as myself) not wanting to give over financial information for just an email account.

  13. Re:Why by isorox · · Score: 3, Insightful

    How about an international treaty to implement the death penalty for spammers all over the world.

    I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.

    How about a death penalty for anyone that buys anything from spam?

  14. Re:My test: by thrillseeker · · Score: 2, Insightful

    well, it's an issue of trust - Google for example could be expected to not leak your card or apply charges to it, vice some other companies - and if 13-yr old Johnny wants an email address he can damn well ask his parents for one

  15. Re:My test: by Tx · · Score: 5, Insightful

    "Captcha is a joke. They've become so difficult to read that I can't even decipher what it means!"

    I hear that. I was trying to complete one the other day, and honestly, I was only making educated guesses as to what the characters were, it took me three or four attempts. If they get any tougher, the only people who'll be able to do them will be the spammers using this kind of software!

    --
    Oh no... it's the future.
  16. Re:Why by lilomar · · Score: 3, Insightful

    by breaking turing tests.

    Don't you mean passing turing tests?

    --
    The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
  17. Re:Why by Anonymous Coward · · Score: 1, Insightful

    There are people who write vulnerability scanners, attack toolkits and code breaker software. There are people who write encryption software which allows terrorists and criminals to plan with impunity. There are people who make guns which are hard to detect by airport security. There are people who pick locks for a pastime. There are people who sell lock picking tools.

  18. Not to worry... by SwabTheDeck · · Score: 2, Insightful

    Despite a couple of high-profile CAPTCHAs being cracked, the fundamental principle behind them is still fairly sound. It's at least an order of magnitude easier for a programmer to develop a reasonably difficult CAPTCHA than it is for an attacker to develop the crack for it. Image/character recognition is extremely difficult. Ask anyone who's done any work on OCR or something similar. Even in what would be considered a fairly homogeneous environment, character recognition is still a huge pain in the ass.

    Just like with any security measure, a few of the inferior implementations will have to be broken to prove which ones are actually superior.

    1. Re:Not to worry... by LunaticTippy · · Score: 2, Insightful

      I disagree. Any CAPTCHA is broken before you even finish describing it. Just have people do them for money or porn. Or, if you prefer a robotic approach, come up with a crappy 1% success rate algorithm. That's plenty to ensure no noticeable drop in spam.

      It isn't the implementation that is the problem, it is the concept. As long as there are people willing to work for pennies a day, or willing to solve puzzles for porn CAPTCHA is broken.

      --
      Man, you really need that seminar!
  19. Re:My test: by Clandestine_Blaze · · Score: 3, Insightful

    Soon, the only thing that will be able to read a CAPTCHA will be automated spam bots. The new CAPTCHA test will be: "If you can read this CAPTCHA, you are a spammer."

    Those that get the CAPTCHA wrong will get in. Brilliant! Anyone want to subscribe to my newsletter?

  20. Re:Why by FilterMapReduce · · Score: 4, Insightful

    Well, CAPTCHAs aren't true Turing tests; the goal of the classic Turing test is to force the computer to exhibit human intelligence in a back-and-forth interaction with an actual human. A CAPTCHA presents only a single intelligence-based challenge (recognizing the image). But if the CAPTCHA is considered to be a kind of limited/lazy Turing test, passing it "honestly" would consist of being able to recognize images in general, like a human, not by merely knowing how to solve the limited scope of image-puzzles that the particular CAPTCHA uses. So in that sense, these CAPTCHA-breakers do "cheat" or "break" the test by exploiting that limited scope.

  21. Re:Security demands identification by Timothy+Brownawell · · Score: 2, Insightful

    It has proven necessary to give up privacy in order to develop security.

    This is almost never the case, and can only be the case if the system is already designed to be insecure.

    Take flying, for example. You can't fly anonymously - and nowadays (especially) you have to identify yourself multiple times

    That is about fear/control, not security. It has not improved security. It would not have prevented the incident which it is a response to. Saying "oops, we were wrong, you actually shouldn't cooperate with hijackers" would have improved security. Giving the crew members stun guns (probably don't want real guns in such a crowded place) would have improved security. Keeping a list of who is allowed to travel does not improve security, but it does provide a useful tool to discourage dissent.

    I'd personally be quite happy to use my credit card to sign up for free things if it eradicated a number of problems, such as spam and service abuse.

    And whistleblowing, and your credit rating, and protection against "prior restraint", and criticism of those in power, and... oh, wait, those aren't "problems", are they?

  22. Re:The Meta-CAPTCHA by Lord+Bitman · · Score: 2, Insightful

    This is what is already happening, at the exact rate that we can come up with new tests.

    This rate is of course much slower than the rate at which spammers can crack them.

    The problem with the word "rotating" is that it implies re-use. Once cracked, the test is worthless forever, not just for a couple of page loads.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  23. Artificial intelligence at last by J.R.+Random · · Score: 2, Insightful

    If the spammers can now crack "pick the cat" captchas then they are already able to do some pretty good real life scene recognition. To improve the technology just make some appropriate captchas and wait for those Russians to crack it. (For military apps, "click on the aerial view of the tank, not the dump truck".) Next, improve machine speech recognition by making some audio based captchas. The possibilities are endless, and much cheaper than handing out grants to university poobahs.

  24. it's easy by dangil · · Score: 3, Insightful

    instead of character recognition, ask questions based on a given image

    example:

    image with a cat on the left and a dog on the right.

    question: what's on the left?
    answer: cat

    example2:

    girl crying, next to a broken glass

    question: why the girl is crying?
    answer: because of a broken glass

    it's very human readable, and very difficult for software interpretation

    and I just patented that...