Now Google's CAPTCHA Is Broken
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
aren't these guys in jail?
I wonder if their cracks are Human Powered or Computer Powered. I'd imagine it's cheaper to pay someone in China, India, etc to do these things.
"To continue, guess which finger I'm holding up."
n/t
http://news.google.com/news/url?sa=t&ct=us/2-0-1&fp=48e400dd5725ad5b&ei=3OnkSNrqKJPKywT45508&url=http%3A//www.cnn.com/2008/POLITICS/10/02/stevens.trial/&cid=1250196629&npp=POP&usg=AFQjCNGUNhlKFhi-DsroGfTzUTHVlVO6Iw
we'll be seeing more&more of that. if you're not a party member, you won't even get/need a 'trial'.
I've got all the email addresses I want so lets just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.
Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.
An Eye for an Eye will make the whole world blind - Gandhi
... you've got to admit that it's one hell of an achievement.
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".
If you want news from today, you have to come back tomorrow.
1. Make the proof for P=NP the new CAPTCHA
2. Wait for crackers to solve it.
3. Profit!!
The grass is always greener on the other side of the light cone.
ewwwww.
I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!
This guy's the limit!
Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where it's probably time to start blocking GMail addresses too.
Want to see a GMail scammer in action right now? Read this.
Score one more for the subtitle on the original CAPTCHA paper: "How Lazy Cryptographers do AI"...
Test your net with Netalyzr
Some sites, including one or two Google services, are now requiring verification through text message. Seems like a pretty good solution to me. And as long as you can still buy prepaid SIMs with cash, it shouldn't be a problem for people concerned with anonymity.
Is Fire Hot? Yes or No
Is Paris Hilton Hot? Yes or No
Are you male or female? Male or Female
Are you gay or a lesbian or Bi? Gay or Lesbian or Bi
That's it. Now you would have to seed it with about a billion logical chains like that but it could work.
"including 'pick the cat' style CAPTCHA."
This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Maybe instead of CAPTCHAs, sites should start using those math problems from DARPA's really hard math problems since these people seem to be so good at solving complex computational problems.
OK can someone please hire these guys to work on handwriting recognition software? If they can read these bizarrely twisted captchas why can't Palm read my name?
501 Not Implemented
TFA links to the website (botmaster.net...you probably don't want to go there) that sells XRumer. And what do I see for contact information? botmaster.net@gmail.com.
Sure hope they don't get spammed. Whatever you do, don't publish that email address! botmaster.net@gmail.com -- don't do it!
Carousel is a lie!
The truth of the matter is that there is almost nothing you can do to stop a spammer if they want into your system bad enough. A captcha merely means that they might have to take some time to tweak their image rec. software, or hit your site enough to generate all the possible captchas. The only possible way that I could see companies like google keeping spammers out, would be to require a valid credit card, that matches the user's name and then have them verify their account by entering the small deposit amount that google makes. This obviously has problems, like paranoid customers (such as myself) not wanting to give over financial information for just an email account.
If there are people who could write such sophisticated image processing software, and it pays them better to be bot runners and bot enablers, the pay must be good on the dark side of the force.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
It seems to me that "Pick the cat" captchas are fairly vulnerable. If you put 4 pictures up, there's an automatic 25% chance of breaking the captcha without any intelligence at all. Even with 10 pictures, a total idiot has a 10% chance of dodging.
A 100 picture captcha would still leak 1%. That makes a brute force attack fairly effective. My tiny slashbotnet, submitting 1 post a minute from each of its 100 zombies could land one every minute. For the average blogger, cleaning up 1500 spam posts a day makes their little kitty captcha seem pretty ineffective.
As usual, our friends at DARPA are always one step ahead. Use these to replace the old CAPTCHAs.
1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.
2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.
3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...
Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Because you are buying something: a subscription to the site for some nominal price. Something Awful Forums, MetaFilter, and Kuro5hin manage to keep spammers out by charging for write access in this way.
How about the Death Penalty for anyone who suggests the Death Penalty for anything besides truly heinous crimes? Oh, no, I just ate my tail.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
What with all the effort these spammers have put into cracking what is essentially a Turing test; it's only a matter of time before these programs become self-aware.
Hopefully in the manner of all good science fiction these programs will immediately turn on their creators and attempt to annihilate them.
Hire all of the Chinese people currently gold farming. Demand that people defeat them in a game of Go in order to register. Solves two problems at once.
Because they are defrauding .... US citizens and generally running a muck. That's what jails are for.
So this is Slashdot's wall-street bailout & politics discussion thread ...
They are being hosted in Texas... my home state. Now as to whether the operators are in state is another matter, but I will fire off a warning letter to the web host informing them that they could be potentially held liable for the criminal acts of this operation in the event charges are pressed.
I for one welcome our new CAPTCHA HaXoR, 'bot overlords.
That's it, I quit the internet!
I always have a hell of a job reading Google's CAPTCHAs; a tool to do it automatically would be very useful.
Why should we believe this any more than we believe a cream can add two inches to your penis?
Possible bad example. Shaving cream along with a razor actually can add visible inches to a man's penis by taking pubic hair out of the way.
I hope these black hat methods of cracking fall into the mainstream. We can probably learn a lot in the ways of computer vision and AI from this arms race. Or maybe this isn't "state of the art" but the people who design captchas in the first place don't have good cross-fertilization with the AI crowd.
I love my Gmail account. I have never used my ISP email for anything. The day that people stop blocking Gmail accounts is the day that I cry... I did that once before when mailandnews.com stopped offering free email.
I really wish that Gmail had remained an invite only system. Obviously Captcha isn't stopping people from running bot networks. Can Gmail still remain an open system? I don't know. What about a reverification by everyone who owns a gmail address? Send out a blanket email with instructions for reverifying. Sure, there would be people who couldn't figure out how to get it done, but I'd bet it would eliminate millions of spammer addresses (though certainly not all). Once the verification is done, close it back up to invite only.
This post brought to you by your friendly neighborhood MBA.
And still we don't have a cure for cancer. If you took all the brain power devoted to breaking captchas, we could solve a TON of problems.
Couldn't you do a captcha where the first presentation has no cats? The user has to hit the refresh once or twice before seeing a cat, and then pick it; if they pick any of the non-cats, you call them a 'bot...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
This thread will likely contain a bunch of clever technical solutions to spam. Probably all of them flawed because if there was a good technical solution we would have found it by now.
We know who the spammers are: almost all spam involves some sort of financial transaction which we can track. The only thing that stops us from getting at them is that they are seldom in the jurisdiction where they committed their offence. This however, can be solved. We did it for war crimes and for child porn. The UN just needs to get its act together. Perhaps they can create something like an international criminal court for spam.
This sig is just as redundant as the rest of this posting
Why the heck don't the big companies use 3D captchas? Each letter could have a thickness and be rotated at a random angle.
Why OpalCalc is the best Windows calc
so lets just consider the internet closed to new entrants.
Including children in your family who have just turned 13, 18, or whatever?
yOu bEtTeR, w3 aLs0 pWnEd sLaShDoT$ cApTc|-|4
The latest version of this program has hit a number of forums hard. In the last two days many vBulletin forum administrators have posted to complain and look for assistance--notice the sudden increase in activity on that thread as of the 11th post:
http://www.vbulletin.org/forum/showpost.php?p=1634634&postcount=11
In the last 15 minutes alone 3 spammers have attempted to register on a small forum that I help run, one that would only be of interest to a few hundred people. (We get a valid new user about once a week on average.) A simple tweak has kept them at bay for now, but I doubt it'll be effective for very long.
Of the latest batch of spammers, most of them have been using gmail.com email addresses. The last time we had a significant wave of forum spam, the spammers tended to use Yahoo for email (specifically username####@yahoo.com, where "username" matches the vBulletin username they are signing up with and #### is 4 random digits).
I wonder when they'll start using the same disposable email services that we use to avoid email spam. After all, it's much easier to get a temporary Mailinator email address (for example) than a Gmail address...
Don't they allow sixth graders to use computers at grade school anymore?
Besides that, anyone know how they can bypass the "Pick the cutest cat?" type of captcha?
Is it just brute forcing? Paying 3rd world country people 10 cents per 100 captchas broken? I would imagine that it's much more sophisticated than that, but I dunno.
..........FULL STOP.
Will be Apple's!
If not in a completely automated way as in OCRing and stuff then by either
a) masses of cheap labor monkeys getting some pennies for every hundreds of solved captchas. And no, that won't change until those monkeys are cheaper than the profit made of spamming, selling valid gmail accounts or whatever the captcha is for. There is even an open market for those captcha solving providers.
b) Tricking joe sixpack into solving this "puzzle" in order to see more of them naked milfs. This will last as long as enough stupid people want to see some porn on the tubes (forever).
Both these methods rely on human interaction (hence the quotation marks around "broken" in the caption), so they can, by definition, break every captcha, which is supposed to "...Tell Computers and Humans Apart", d'oh!
If these people would put their time into doing good, they could probably do some real good in the form of character recognition for scanners and hand held input writing recognition. Think of taking this and using it to understand what someone has written in their pda and converting it to text without someone having to learn a new writing language. Or scanning written letters and other writings and converting them normal print.
Only 'flamers' flame!
Does slashdot hate my posts?
Do you have the option of "kitten" or "cougar"?
Why, without your clothes, you're naked, Miss Dudley!
Despite a couple of high-profile CAPTCHAs being cracked, the fundamental principle behind them is still fairly sound. It's at least an order of magnitude easier for a programmer to develop a reasonably difficult CAPTCHA than it is for an attacker to develop the crack for it. Image/character recognition is extremely difficult. Ask anyone who's done any work on OCR or something similar. Even in what would be considered a fairly homogeneous environment, character recognition is still a huge pain in the ass.
Just like with any security measure, a few of the inferior implementations will have to be broken to prove which ones are actually superior.
God, so stupid, why are researchers wasting so much time trying to make things so much harder? The solution is so insanely obvious it's painful.
Just ask "Are you a robot?"
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Make 'em work for it!
This is pretty awesome. Maybe academia should just attach all sorts of computer science problems (that humans are good at and computers are not) to these human-verification systems for large corporations. Soon, we'll have lots of academic papers coming from the spammer community!
How about wiggling letters & numbers? Don't go overboard where humans can't read it, but something you can't hotlink from another site(duh). Or have it play a little game that can't have an automated player figure it out?
Respect is. Until we have that, we're not going anywhere.
The problem is, no matter what one country does, it is too easy to circumvent by going international. And no, no country is going to attempt to extradite a spammer or fraudster for ripping people off on the Internet.
Secondly, how exactly do you prosecute someone when everyone, top to bottom, wants to shield people from prosecution? If you have an IP address, a timestamp and a breaking on a server good luck getting anywhere. You will find that without at least $25,000 in damages nobody is going to pay attention. So you lost money? Too bad. Should have been smarter. Your server needed to be rebuilt? Too bad, should have been smarter. Hire a hacker and maybe he will protect you.
The problem is that property rights are meaningless right now. Your email account is my trash basket and anything I can stuff in there is my right to do so. Your server is on the Internet, so therefore it is fair game. Your creative work can make me money, so I will steal it and you can't stop me. Ha ha ha.
Respect. It is the answer to just about everything today from spamming to child porn.
who cares, i currently pay 10.00 for 100 social networking accounts from a data entry center in india, their normal business is to create captcha's, they have a program, pops up the picture, they enter what they think they see, when the picture gets a certain percentage of the same entries by multiple agents it completes it, even better, there is another program they use, if they need 1000 gmail accounts, it creates complete profiles on facebook, gmail, myspace, youtube, with pictures, and it just pops up the captcha, thats all they have to type and the account is created. their data entry captcha people work 6 hours a day, 6 days a week, and get between 75 and 100.00 US
Is something like reCAPTCHA as vulnerable? It would seem like with a virtually limitless supply of texts to be digitized, you could minimize the effect of image solvers. Wouldn't there be enough variations of phrases to not make it worth it to document every possibility? And if you've got OCR software good enough to solve scanned texts reliably, that's a win for everyone, right?
Damn. That looks awfully lot like the test you had to pass to play Larry.
Man, that was one great game. No wonder its creators were ahead of times in other aspects as well
A guy that can write AI to crack captchas, clearly can be used to write spam filters instead.
...seeing as how I (a live human bean) cannot read the damn things (haven't had access to good enough drugs lately, I guess), and the spambots apparently _can_, then they're counterproductive and totally useless.
Thank goodness I have my Gmail accounts hooked up to my email client via IMAP; if I had to solve a CAPTCHA to send mail I'd be off the air.
Exceeding the recommended torque is not recommended.
Hopefully web sites will stop using captchas, those things are getting quite ridiculous, and the worst ones are those that require me to enable javascript from a freaking random domain name... BTW, a lot of people seem to think an automated bot cannot have a javascript interpreter...
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Or "Running A Muck", a collection of cartoons by John Caldwell .
Isn't the required success rate much higher than that? Since 1% is quite trivial to accomplish on current captchas, for example slashdot seems to always use about the same 50 words... And those pick the pic ones are incredibly kind on randomized approaches... some even make you pick between TWO images! That's a 50% passing chance baby!
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
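The blind-guess arithmetic raised in the comments above (4, 10 or 100 pictures, and the two-picture case), worked through from the defending site's side as an added example that is not part of any post in the thread. The function names and the `EscalatingGate` policy (after a wrong answer a client must solve several challenges in a row) are assumptions introduced here, and the guessing clients are simulated with a seeded random generator.

```python
import random
from math import comb


def blind_pass_rate(n_images, n_targets=1):
    """Chance that a uniformly random pick selects exactly the right
    n_targets pictures out of n_images."""
    return 1 / comb(n_images, n_targets)


def leaked_per_day(pass_rate, clients, attempts_per_min):
    """Expected number of blind guesses that get through in 24 hours."""
    return pass_rate * clients * attempts_per_min * 60 * 24


def min_images_for(max_leaks_per_day, clients, attempts_per_min):
    """Smallest single-target picture count that keeps the expected
    leak at or below max_leaks_per_day."""
    n = 2
    while leaked_per_day(blind_pass_rate(n), clients, attempts_per_min) > max_leaks_per_day:
        n += 1
    return n


class EscalatingGate:
    """Hypothetical mitigation: a client that answers wrongly must then
    solve `penalty` challenges in a row before being admitted.
    penalty=1 is the plain captcha with no escalation."""

    def __init__(self, penalty=2):
        self.penalty = penalty
        self.owed = {}  # client id -> consecutive solves still required

    def submit(self, client, correct):
        if not correct:
            self.owed[client] = self.penalty
            return False
        owed = self.owed.get(client, 1) - 1
        if owed > 0:
            self.owed[client] = owed  # solved, but more are required
            return False
        self.owed.pop(client, None)
        return True


def simulate(gate, n_images, clients, attempts_each, seed=0):
    """Count admissions when every client guesses at random (constructed
    traffic, one correct picture per challenge)."""
    rng = random.Random(seed)
    admitted = 0
    for client in range(clients):
        for _ in range(attempts_each):
            correct = rng.randrange(n_images) == 0
            if gate.submit(client, correct):
                admitted += 1
    return admitted


if __name__ == "__main__":
    for n in (2, 4, 10, 100):
        rate = blind_pass_rate(n)
        print(n, "pictures:", rate, "->", round(leaked_per_day(rate, 100, 1)), "per day")
    print("plain 4-picture gate:", simulate(EscalatingGate(1), 4, 100, 1440))
    print("escalating gate:     ", simulate(EscalatingGate(2), 4, 100, 1440))
```

A person who answers correctly on the first try is admitted at once under either gate; only clients with a recent wrong answer pay the extra rounds.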
Sorry, it is getting nearly impossible for humans to understand the image a system generates. Maybe it's a reverse type of system, if the user actually manages to "get it," it's a bot.
Why would I want to give anyone my credit or debit card number if I wasn't actually buying something from that site at that particular time?
Because you want to use the service?
It has proven necessary to give up privacy in order to develop security. Take flying, for example. You can't fly anonymously - and nowadays (especially) you have to identify yourself multiple times. This can stand for things that are free as well. I'd personally be quite happy to use my credit card to sign up for free things if it eradicated a number of problems, such as spam and service abuse.
It was broken before. It isn't going to get fixed. The kittie is out of the bag.
Move on, find another method. Computer imaging and automation have caught up to the current security model.
Time to figgir another method.
--Toll_Free
I stand by what I said. In this instance, I'm saying that they need an entirely new branch of methods and study to verify that a human's on the other end. They've gone so far down that path that it's harder for a human to read it than a computer.
As others have pointed out, money is a big motivator, and we do not really put a great deal of monetary value on being brilliant. Arguably, the greatest value lays in being able to give the brilliant guy a paycheck, because then you can license/own his work.
But suppose the sort of brilliant criminal who is doing this sort of thing actually approached an institute of higher education? Without presupposing anything about them, what do you think the chances are that that person fits the criteria to go to the school, never mind be supported through x years of that school and be let into the somewhat more competitive field of higher academia?
We filter a lot of people out in our class structure, for a lot of reasons. Some of them good. Some of them bad. But one of the choices society seems to have made is that we do sideline any number of brilliant folks.
[Ego]out
Why not stop making it free? Ask for a credit card when signing up and then charge per-email sent.
Not only will this deter spammers because of the cost, it will be easier to spot clusters of hijacked accounts because the card numbers will either be stolen or all have the same number on them.
Use the $0.01 you make on each email to help recoup your costs.
Eric Sarjeant
eric[@]sarjeant.com
Invite only means simply that a spammer will have to build up an army of email addresses with 100 invites each before they finally start their process of spamming... have 1000 email addresses with 100 invites? 100,000 email addresses can be created from that, with each address being able to invite another 100, etc. etc., ad nauseam.
Before commenting on the Bible, please read it first
Let's make an assumption that the internet will eventually solve any problem you throw at it given enough time...
What if rather than working on the next best CAPTCHA system, sites were to work from a rotating CAPTCHA repository?
Each page load presents a new human interface problem, something simple like a jigsaw puzzle or an image of a tic-tac-toe board with instructions to place an X and an O in a winning/defending position. In addition to each visual directive, there could also be a random text directive inserted to compound the problem (i.e, saying something like "after selecting the item, wait at least X seconds before clicking X button.)"
If you're thinking in pseudo-code, the parsing of the text input isn't particularly challenging, and something like the tic-tac-toe is a solvable image problem, given time. However, if the captcha is being drawn from a growing database of imaging problems/verbal directives, then the captcha becomes not only solving the captcha, but identifying what kind of captcha is being presented.
As the captcha count increases a spammer/coder would have less and less time to hit the moving target and distribute their script before the next problem appears. This doesn't solve the problem of 3rd world captcha farming, but at least people might eat as a result of that economy.
This seems to me like a viable solution for the time being, though I'd like to refer to my first assumption for the long-haul.
The goal here is to differentiate between a bot and humans and prevent automated registrations. I think we've gone too far and need to take a step back and ask ourselves "What are the differences between bots and humans?" If you think about it, there aren't many. Both humans and bots interface with the registration page for example, using the HTTP protocol, anything can really be simulated. A good way to prevent automated registrations would be to use a different page name every time a new visitor needs to register, once that page has been visited, it must be deleted by the server, the same would be for the script called by that page. This will prevent a bot from re-using the same page and script. So index.htm would contain a link that points to /registerxyz1.htm, registerxyz1's form points to /cgi-bin/regab9.pl. Once index.htm has been visited once, the new link would point to /register47g.htm and register47g.htm's form would point to /cgi-bin/rego90.pl. The previous one would get deleted by the system.
This would have to be a feature or module in the HTTP server in order to prevent simultaneous multiple uses of the index.htm page.
TOP DSLR Cameras Reviews of the top DSLRs
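The single-use registration page proposed in the post above can be approximated without creating and deleting files, by embedding a signed, expiring, one-time token in the form. This is an added sketch, not code from the thread; the class name, token layout and return strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeFormTokens:
    """Issues a token per rendered registration form and accepts each
    token at most once (hypothetical helper, not a real library API)."""

    def __init__(self, key=None, ttl=600):
        self.key = key or secrets.token_bytes(32)
        self.ttl = ttl          # seconds a rendered form stays valid
        self.pending = {}       # nonce -> issue time, for unused tokens

    def _sign(self, nonce, issued):
        msg = f"{nonce}.{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, now=None):
        """Call when rendering the form; put the result in a hidden field."""
        now = int(time.time() if now is None else now)
        nonce = secrets.token_urlsafe(16)   # never contains "."
        self.pending[nonce] = now
        return f"{nonce}.{now}.{self._sign(nonce, now)}"

    def redeem(self, token, now=None):
        """Call when the form is submitted; only 'ok' may proceed."""
        now = int(time.time() if now is None else now)
        try:
            nonce, issued_s, sig = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        expected = self._sign(nonce, issued)
        # Constant-time comparison; forged tokens never touch the store.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return "bad-signature"
        # pop() makes the token single-use: a second submit finds nothing.
        if self.pending.pop(nonce, None) is None:
            return "replayed-or-unknown"
        if now - issued > self.ttl:
            return "expired"
        return "ok"

    def purge(self, now=None):
        """Drop tokens that were issued but never submitted in time."""
        now = int(time.time() if now is None else now)
        stale = [n for n, t in self.pending.items() if now - t > self.ttl]
        for n in stale:
            del self.pending[n]
        return len(stale)


if __name__ == "__main__":
    tokens = OneTimeFormTokens()
    t = tokens.issue()
    print(tokens.redeem(t))   # first submit
    print(tokens.redeem(t))   # replay of the same form
```

A client that reloads the form before every attempt receives a fresh token each time, so this blocks replay of a captured form or handler URL rather than telling bots from people.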
You don't know what you're talking about. Please do not talk about such things in the future. Thank you, and have a nice day.
-- 'The' Lord and Master Bitman On High, Master Of All
Wouldn't it work to show photos of easily identifiable objects and have people type in what they see? Dog, cat, house, pencil, etc. I guess the image sizes could be cataloged and answers could be generated from that. Random on-the-fly compression rates might work.
It seems to me that Q&A is the answer, if done properly. The key is to ask something that can only be answered if you're on the site. For example: "Next to the Slashdot logo at the top-left of the page, there is a five-word phrase. What is the second word in that phrase?"
You'd obviously need to change it up fairly often (and large sites would have problems still), but spammers would have a difficult time keeping track of answers for thousands of sites.
To make it even better, have it rotate through a few similar questions for your site, and have the questions be buried CAPTCHA-style in an image.
All told, it would seem to help. They'd have to resolve a very long CAPTCHA (117 characters in my example above) AND be on the site to get the answer. Seems like it would help.
A major issue here is the prevailing attitude problem of the Russian authorities.
As they see it, their turning a blind eye to Russian cybercrime targeting Westerners is a passive-aggressive form of payback for the fall of the Soviet Union. Why should they give a damn that Russian citizens are making massive amounts of money ruining the lives of innocent Westerners, so long as they're not targeting their own kind (e.g. Slavs)?
We've seen in the past that the Russian authorities CAN take care of their festering cybercrime problem when they want to; to wit, the Pinch Trojan authors. It's very simple if you're some Russian shithead with no morals looking for some easy money: as long as you obey the unwritten law that it's okay to victimize Westerners and not Slavs, then you can do what you damned well please. If you cross the line, only then will you find yourself in a camp in Siberia chopping down trees.
If you look at this situation for more than five seconds, then it makes perfect sense. The Russian state is corrupt from top to bottom, and everyone in a position of power is either a gangster, or an FSB agent gangster wannabe. We shouldn't be surprised then, when they behave like gangsters.
That one's easy, just copy the floppy and write the word on the duplicate.
You can hold down the "B" button for continuous firing.
The obvious solution to broken CAPTCHAs is to use a Vulcan mind-training device like Spock was using at the beginning of Star Trek IV: The Voyage Home
(Asked in rapid succession without waiting for an answer):
"Name the last 7 presidents of the United States."
"If a car leaves London at 7:00 AM for Glasgow at 90 KPH and another car leaves Glasgow at 8:00 AM for London at 80 KPH, at what time will they meet?"
"What are the three elements of the human psyche?"
"How do you feel?"
If you give the correct answers within 3 seconds, you're in.
Don't underestimate the power of The Source
Is there any evidence that this actually works against Google and isn't just a slashvertisment for the software?
They are also claiming generic anti-KITTEN capabilities. Generic AI? Run away! Especially if the software recognizes kittens without seeing them before. Yes, I know the argument of kittens not bending or getting spots all over, like letters can, but I call bullshit. Kittens do bend.
They would still need a lot of help from the pr0n squad CAPTCHA breakers. I'm betting my last KITTEN on it.
She made the willows dance
Since when SHOULD politicians get the same rights the citizens have?? They get more power and for that they should lose some of their rights.
Sure "hacking" an idiotic password is technically a crime, but the law is supposed to be interpretative so a reasonable judge can just sentence the guilty person to some community service (which I'm sure they wouldn't mind since they obviously volunteer already.)
Democracy Now! - uncensored, anti-establishment news
Funny, I can't even break that one and I'm human.
It's amazing how spammers are overcoming computer science problems faster than full-time researchers. Someone should make a captcha that asks the user to solve an NP-hard problem in polynomial time.
If the spammers can now crack "pick the cat" captchas then they are already able to do some pretty good real life scene recognition. To improve the technology just make some appropriate captchas and wait for those Russians to crack it. (For military apps, "click on the aerial view of the tank, not the dump truck".) Next, improve machine speech recognition by making some audio based captchas. The possibilities are endless, and much cheaper than handing out grants to university poobahs.
instead of character recognition, ask questions based on a given image
example:
image with a cat on the left and a dog on the right.
question: what's on the left?
answer: cat
example2:
girl crying, next to a broken glass
question: why the girl is crying?
answer: because of a broken glass
it's very human readable, and very difficult for software interpretation
and I just patented that...
Does this mean that recaptcha will be spammed soon?
- Oh, wait, they did *not* use the term V1aGrA in 18th century books?
SCNR, but I actually _do_ want to know.
I might not have explained myself properly, but without going into too much detail, I can tell you, I know what I'm talking about.
TOP DSLR Cameras Reviews of the top DSLRs
It depends. There are two kinds of "cat captchas" that I'm aware of. One is the one where you have to identify whether a color image is of a dog or cat, as in KittenAuth or Microsoft's Asirra. That would be very impressive (though the Asirra team points out that KittenAuth is weak because it uses too few images).
The other is the kind where cat & dog icons tell you which letters to pick from a string. If you've actually seen these captchas, it's not *that* hard to believe. Here's a link showing you what one looks like.
All the captcha-breaker has to do is learn to recognize the reused cat & dog icons and separate them out from the letters. It's not that hard compared to recognizing distorted and warped letters, in my opinion.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
There has to be a better way to stop them than CAPTCHA, right? Something like answering a question such as "If I have three apples and you take two..."
nonconformity at work
Why don't they just show a photo of a cat and ask to tell what it is. I wonder if a computer read that picture.
Just get 1000 pictures maybe with random backgrounds. Then show 2 of them and ask to name both. That'd be quite uncrackable for a while.
Or am I missing something?
Ville / Varuste.net
That sounds like the old manual-based copy protection.
So, after one Christmas, I had a really full backpack, and a bunch of computer games in big boxes, so I pulled out the diskettes and manuals and left the boxes with the wrapping paper.
Get home, and boot up a game, and it asks "What's the third word on page 15 of the manual"... "red". Good...
Next game, "What color are the balls on the left side of the back of the box"... "well, ^%$@^%@&^".
So don't forget to keep the box!
What if someone made a simple plug-in that allowed the site operator to put up a custom graphic of text, a text explanation of what to enter, then the input box. You can actually count on the bots being too smart for their own good. Put the answer to the captcha in plain view -- don't even obfuscate the text, but make it easy to OCR. Kinda like the "speak 'friend' and enter" riddle in LOTR. Put an image of nice, crisp sans serif font saying "This is a dummy captcha. Type FOO in the box below." The bot, at best (if it targets generic captchas) would enter all the text, whereas the human would only enter what it's told to enter.
This raises the bar from simple OCR brute force to something closer to AI. The text can be parsed out of the graphic, but the meaning would be hard for automation. In addition, a little bit of work by the admin for each site would amount to a huge amount for the spammers, since they'd essentially be faced with an almost unique problem for each site they want to tackle. Plus, if some bot targets your site (unlikely, for those of us running small traffic sites) and manages to start spamming, you simply change your custom graphic and text.
Sure, it won't help huge sites like Google and Yahoo, but it'll sure as hell help the little guy out. Decentralizing the exact method to generate the images would go a long way to increasing the workload on the bots/programmers.
Method of processing duck feet
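The per-site challenge proposed in the comment above, sketched from the server side as an added example (not part of the original thread). The names `CHALLENGES`, `SECRET`, `issue` and `verify`, the HMAC-signed token format and the sample configuration are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample config: the text the operator renders into the image,
# and the single word a human is told to type.
CHALLENGES = {
    "v1": {"image_text": "This is a dummy captcha. Type FOO in the box below.",
           "answer": "FOO"},
}
SECRET = b"constructed-demo-key"  # placeholder; load from secret storage
TTL_SECONDS = 300


def _sign(challenge_id: str, expires: int) -> bytes:
    msg = f"{challenge_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def _norm(text: str) -> str:
    return " ".join(text.split()).casefold()


def issue(challenge_id: str, now: Optional[float] = None) -> str:
    """Return a hidden-field token binding the challenge version to an expiry."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    return f"{challenge_id}|{expires}|{_sign(challenge_id, expires).decode()}"


def verify(token: str, submitted: str, now: Optional[float] = None) -> str:
    """Classify a submission: 'ok', 'stale', 'forged', 'ocr_dump' or 'wrong'."""
    now = time.time() if now is None else now
    try:
        challenge_id, expires_s, mac = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return "forged"
    if not hmac.compare_digest(mac.encode(), _sign(challenge_id, expires)):
        return "forged"
    challenge = CHALLENGES.get(challenge_id)
    if challenge is None or now > expires:
        return "stale"  # operator rotated the challenge, or the form is too old
    given = _norm(submitted).encode()
    if hmac.compare_digest(given, _norm(challenge["answer"]).encode()):
        return "ok"
    # A generic OCR bot submits the whole image text; log this case separately.
    if given == _norm(challenge["image_text"]).encode():
        return "ocr_dump"
    return "wrong"
```

Rotating the challenge, as the comment suggests, means replacing the `CHALLENGES` entry under a new id, which makes every token issued for the old one verify as `stale`. The token is stateless, so it can be replayed until it expires unless the server also records used tokens.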
Hey, I got an idea for a captcha that is 90% easier to read than previous captchas and pretty much bot-resistant. It focuses on the fact that the user is really looking for a shape, just like the bots, but the user has the brain capacity to dissect data input at a rapid rate. Here is the captcha concept:
([actual captcha phrase]) -> (tool to switch font set randomly every frame, and insert single frames at random intervals containing garbage) -> (tool to overlay the animation with moving lines of different colors, randomly placed particles for an "old film" look, changing shadow direction randomly) -> (tool that splits up the animation into 30-100 randomly numbered 5x5/10x10/20x20/30x30 animated gifs and arranges them on a grid) -> ([user screen]). This technique totally eliminates most modern bots. The only kind of bot that can feasibly decipher this is one that uses screen capture... and even then... with random shadows, static noise overlays, moving lines, and frames containing random garbage... it would take at least 3 hours to decipher one as a bot, and much less time as a human.
Put up a picture of tubgirl. If they still want to register for the site then it is probably an automated process and you can safely deny them access.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Actually, it wouldn't work in the slightest. Bots would merely fetch the index page, grab the register link, and defeat the whole purpose.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
The kind of CAPTCHAs that I've found remarkably good at avoiding spam were those that required specific background knowledge on the part of humans. Two examples are the one that requires you to know what a certain ASCII character represents in Nethack, and another that requires you to know the articulatory description of an IPA symbol. Spammers don't care enough about such niche areas to learn how to crack them. In these cases, CAPTCHAs work very well and are even appealing to the audience who enjoys them as an acknowledgement of in-group status.
Why run a muck when you can run a spamming service?
I used to run a muck from my mom's basement, but when she finally found out she kicked me out, and the police confiscated all my mucking equipment.
Now I run a round.
No freakin' pinoqachole either!
Spamming US citizens?
Migod! They must be either furriners like that crazy Ahmadweebijab or Kims-Dong Ill, or possibly even traitors like Alec Baldwin!
Where's TEAM USA when you need them? Cleaning up other rampant muck runners?
- aqk
F U
No, spammers don't care enough about that particular website to crack it.
If your website is a spam target, you will be spammed. Otherwise, you can just have a checkbox that says "check here if you are not a spam bot" and it will provide just as much security.
-- 'The' Lord and Master Bitman On High, Master Of All