Slashdot Mirror
Now Google's CAPTCHA Is Broken
steveit_is writes "Yesterday it was reported that Microsoft's revised CAPTCHA had been cracked. Now it's Google's turn. In a move that is sure to surprise no one, the spammers behind 'Xrumer' have announced that they've not only cracked Google's CAPTCHA, but other forms of image verification as well, including 'pick the cat' style CAPTCHA."
"To continue, guess which finger I'm holding up."
This time those evil Russian bastards..
That would be why.
I've got all the email addresses I want so lets just consider the internet closed to new entrants. I know it sounds draconian but I think we should build a great big firewall around the internet to stop all these illegal immigrants^H^H^H^H^spammers getting in.
Either that or can we just turn a blind eye while Google DDoSes every server associated with these people into oblivion.
An Eye for an Eye will make the whole world blind - Gandhi
Tis clearly a civil issue.
... you've got to admit that it's one hell of an achievement.
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Announcing that one has cracked something and actually having cracked that something are two different things. Folks like these are not the most trustworthy sources, especially for their own exploits - er, "sploits".
If you want news from today, you have to come back tomorrow.
1. Make the proof for P=NP the new CAPTCHA
2. Wait for crackers to solve it.
3. Profit!!
The grass is always greener on the other side of the light cone.
I've had a few 'pick the cat' captchas where I couldn't even identify if the thing was actually supposed to be a cat!
This guy's the limit!
Google has become a key enabler in spams and scams, because it's so easy to create GMail accounts in bulk. Many sites block email addresses from Hotmail and AOL, because they're mostly either spammers or losers. GMail once had a better reputation, because it was launched as an "exclusive" service. But we're getting close to the point where probably time to start blocking GMail addresses too.
Want to see a GMail scammer in action right now? Read this.
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
Because they are defrauding Google, Spamming US citizens and generally running a muck. That's what jails for for.
Yeah, jail all those muck-runners! (what is a 'muck'?)
This guy's the limit!
"including 'pick the cat' style CAPTCHA."
This is excellent news, since it now means that I can rely on this thing to find me suitable pussy instead of having to look for it myself... :)
THE HONOUR OF THE KNIGHTS - CC Licensed Sci-Fi Novel
Maybe instead of CAPCHA's sites should start using those math problems from DARPA's really hard math problems since these people seem to be so good at solving complex computational problems.
They probably should be, honestly. However, why not be thankful that the opposition is being open about their abilities to crack security? Obviously, a CAPTCHA system isn't going to work for the future; we should be developing a new methodology for verification.
Because they are circumventing a computer security measure. That is a felony in the U.S.
OK can someone pleas hire these guys to work on handwriting recognition software? If they can ready these bizarrely twisted captchas why can't Palm read my name?
501 Not Implemented
No, they write image recognition software. The people who use their programs defraud Google.
aren't these guys in jail?
I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
The truth of the mater is that there is almost nothing you can do to stop a spammer if they want into your system bad enough. A captcha merely means that they might have to take some time to tweak their image rec. software, or hit your site enough to generate all the possible captchas. The only possible way that I could see companies like google keeping spammers out, would be to require a valid credit card, that matches the user's name and then have them verify their account by entering the small deposit amount that google makes. This obviously has problems, like paranoid customers (such as myself) not wanting to give over financial information for just an email account.
If there are people who could write such sophisticated image processing software, and it pays them better to be bot runners bot enablers, the pay must be good on the dark side of the force.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
How about an international treaty to implement the death penalty for spammers all over the world.
I mean, why not? Don't we squish mosquitos when they pester us? Spammers are a thousand times more annoying and just as harmful and useless.
How about a death penalty for anyone that buys anything from spam?
You (but mainly parent poster) might be interested to know that the word is actually "amok" which is defined as a "psychic disturbance characterized by depression followed by a manic urge to murder."
Indeed, this is what it means to "run amok." Also refer to the classic Looney Tunes clip, "Duck Amok."
hmmm... this is either Informative or Off-Topic. Guess I'll leave that to the moderators to decide.
sig has been sent away for a few small repairs...
As usual, our firends at DARPA are always one step ahead. Use these to replace of the old CAPTCHAs.
1 - Develop a mathematical theory to build a functional model of the brain that is mathematically consistent and predictive rather than merely biologically inspired.
2 - Develop the high-dimensional mathematics needed to accurately model and predict behavior in large-scale distributed networks that evolve over time occurring in communication, biology, and the social sciences.
3 - Address Mumford's call for new mathematics for the 21st century. Develop methods that capture persistence in stochastic environments. ...
unless it's the ("wrong") VP candidate's private email ...
Being a criminal has excellent hours. And the job interview is easy. You never have to worry about being fired, laid off, etc, and you are responsible for your own paychecks. It's kind of like being a contractor, with the added benefit that you can choose your customers whether your customers are happy about it or not (usually not).
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
How about the Death Penalty for anyone who suggests the Death Penalty for anything besided truly heinous crimes? Oh, no, I just ate my tail.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Not when you consider how much professors make vs. how much spammers who can beat captchas can make. Hint: if you find a quick way to factor semiprimes, don't snag $1 million from the Clay Institute. Reap $1 billion from credit cards. If you can easily toss aside ethics.
Incidentally, I was just reading Douglas Hofstadter's Metamagical Themas, where he goes in great depth talking about the difficulty of defining the letter "A", and how people are capable of recognizing A's in truly bizarre fonts. (And how it carries over to native readers of Chinese and defining Chinese characters.) He pursuasively argues that ability to recognize any 'A', including all the bizarre fonts with 'A' is AI-complete (though of course he didn't use that term). So it seems there's quite a ways to go in making captchas harder: don't just distort the image; use the craziest fonts you can.
Information theory is life. The rest is just the KL divergence.
It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position.
Why $pammer$ in$tead of $chool? I$ that really your que$tion? $omehow, I think you might have mi$$ed the mo$t obviou$ motivation.
HSJ$$*&#^!#+++ATH0
NO CARRIER
I always have a hell of a job reading Google's CAPTCHAs; a tool to do it automatically would be very useful.
Why should we believe this any more than we believe a cream can add two inches to your penis?
Possible bad example. Shaving cream along with a razor actually can add visible inches to a man's penis by taking pubic hair out of the way.
Couldn't you do a captcha where the first presentation has no cats? The user has to hit the refresh once or twice before seeing a cat, and then pick it; if they pick any of the non-cats, you call them a 'bot...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
A 1% success rate is good enough to effectively "break" a captchca, but not good enough to really advance the state of machine vision by itself. In the end though, some good OCR work could come of these efforts, but not in comparison to the money and time everyone else loses from spam; We could have just funded the research. Sending spam, and unfortunately writing advanced spam tools, pays better than a university position.
(what is a 'muck'?)
Among other things, muck is horse manure. To muck a stall is to remove all the droppings and change the bedding.
Another benefit is that the drug tests aren't "Have you?" they are "How much do you want?"
Don't you mean passing turing tests?
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
From TFA:
This time those evil Russian bastards..
That would be why.
What does being born out of wedlock have to do with it?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Great. Let's forbid Nmap. Forget that it's a very useful network administration tool. Hackers use it a lot.
Let's forbid cars. Bank robbers use them to escape.
Despite a couple of high-profile CAPTCHAs being cracked, the fundamental principle behind them is still fairly sound. It's at least an order of magnitude easier for a programmer to develop a reasonably difficult CAPTCHA than it is for an attacker to develop the crack for it. Image/character recognition is extremely difficult. Ask anyone who's done any work on OCR or something similar. Even in what would be considered a fairly homogeneous environment, character recognition is still a huge pain in the ass.
Just like with any security measure, a few of the inferior implementations will have to be broken to prove which ones are actually superior.
Killing people is wrong. Comparing people to pests is something that the Nazis liked to do, with the same intention: to pave the way for killing people.
What if Godwin's Law carried the Death Penalty?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Yes, I want an easier way! Where can I buy one of these automatic picking guns??
"But this one goes to 11!"
"I think the real question is: why are these people not working in research institutes? Image recognition is a hard problem. It's baffling that someone with that kind of talent would be working for spammers instead of in a tenured university position."
So, I have a Ph.D. and know how to write this kind of software (well, I know how to go about writing this kind of software and have done it for other domains). Here's why I'm not working at a research institute or pursing a tenured university position:
First off, research institutes don't really exist anymore. There are a few corporate labs left, but they all focus on medium term product development (5 years out). The national labs still exist, but they're managed like businesses now and it's more difficult to do pure research at them. University "institutes" are just glorified research labs. If you're not the PI, you're either a post-doc, grad student, or tech, none of which is a viable long-term career option.
To get tenure, you have to spend 4-8 years working non-stop writing grants to fund students to do research so you can build up a publication record that impresses the tenure committee. Note that grants and pubs are both necessary: grants show you can bring money into the university, publications get the approval of the committee members outside your domain who only know how to assess research abilities by impact factors.
During this time, all your research is done by graduate students, who are often at the beginning of the careers and have limited technical abilities. They may be brilliant, but they are not the most efficient workers. So, not only do you have to publish, but your labor pool consists of people with 1-3 years experience.
Before tenure, you'll also only pull in about $60-90k/yr (and I know two very smart people who worked for free their first year as "visiting professors" just to get their foot in the door). At the end of this, if you don't get tenure, you're unemployable until you build up some marketable skills.
Contrast this with industry positions. While you don't get to work on whatever you want, there are some very interesting problems out there if you take your time to find a good position. At work, you're hired to do a job, not chase down funding, so you can spend more time working on the fun stuff. The hours are reasonable, so you have time in the evenings for other projects/hobbies (you don't have free time in academia). If you're selective in your employer, you'll also work with people with a broad range of experience and skills. You'll also make more money. And, if you're good and publish from time to time, you can get a tenured position later in life without having to go through the tenure process.
Of course, if you're evil, you can also find work breaking CAPTCHAs and building bot nets.
Note that though this sounds bitter, I'm not... I had a blast going back to school and highly recommend it to people mid-career (hint: go to the mid-west where it's cheap to live and your quality-of-life will remain about the same). But, modern academic environments just don't present an enticing career path.
-Chris
who cares, i currently pay 10.00 for 100 social networking accounts from a data entry center in india, their normal business is to create captcha's, they have a program, pops up the picture, they enter what they think they see, when the picture gets a certain percentage of the same entries by multiple agents it completes it, even better, there is another program they use, if they need 1000 gmail accounts, it creates complete profiles on facebook, gmail, myspace, youtube, with pictures, and it just pops up the captcha, thats all they have to type and the account is created. their data entry captcha people work 6 hours a day, 6 days a week, and get between 75 and 100.00 US
Well, CAPTCHAs aren't true Turing tests; the goal of the classic Turing test is to force the computer to exhibit human intelligence in a back-and-forth interaction with an actual human. A CAPTCHA presents only a single intelligence-based challenge (recognizing the image). But if the CAPTCHA is considered to be a kind of limited/lazy Turing test, passing it "honestly" would consist of being able to recognize images in general, like a human, not by merely knowing how to solve the limited scope of image-puzzles that the particular CAPTCHA uses. So in that sense, these CAPTCHA-breakers do "cheat" or "break" the test by exploiting that limited scope.
Well, I did see a pattern start to emerge after the first two examples, but wasn't entirely clear. But then I read the third example, and ... well, now I don't see any pattern.
Can you elaborate?
It has proven necessary to give up privacy in order to develop security.
This is almost never the case, and can only be the case if the system is already designed to be insecure.
Take flying, for example. You can't fly anonymously - and nowadays (especially) you have to identify yourself multiple times
That is about fear/control, not security. It has not improved security. It would not have prevented the incident which it is a response to. Saying "oops, we were wrong, you actually shouldn't cooperate with hijackers" would have improved security. Giving the crew members stun guns (probably don't want real guns in such a crowded place) would have improved security. Keeping a list of who is allowed to travel does not improve security, but it does provide a useful tool to discourage dissent.
I'd personally be quite happy to use my credit card to sign up for free things if it eradicated a number of problems, such as spam and service abuse.
And whistleblowing, and your credit rating, and protection against "prior restraint", and criticism of those in power, and... oh, wait, those aren't "problems", are they?
What does Microsoft have to do with it?
This is what is already happening, at the exact rate that we can come up with new tests.
This rate is of course much slower than the rate at which spammers can crack them.
The problem with the word "rotating" is that it implies re-use. Once cracked, the test is worthless forever, not just for a couple of page loads.
-- 'The' Lord and Master Bitman On High, Master Of All
Great, now what's a "for for"?
A tutu for conjoined twins?
When our name is on the back of your car, we're behind you all the way!
It seems to me that Q&A is the answer, if done properly. The key is to ask something that can only be answered if you're on the site. For example: "Next to the Slashdot logo at the top-left of the page, there is a five-word phrase. What is the second word in that phrase?"
You'd obviously need to change it up fairly often (and large sites would have problems still), but spammers would have a difficult time keeping track of answers for thousands of sites.
To make it even better, have it rotate through a few similar questions for your site, and have the questions be buried CAPTCHA-style in an image.
All told, it would seem to help. They'd have to resolve a very long CAPTCHA (117 characters in my example above) AND be on the site to get the answer. Seems like it would help.
If the spammers can now crack "pick the cat" captchas then they are already able to do some pretty good real life scene recognition. To improve the technology just make some appropriate captchas and wait for those Russians to crack it. (For miltary apps, "click on the arial view of the tank, not the dump truck".) Next, improve machine speech recognition by making some audio based captchas. The possibilities are endless, and much cheaper than handing out grants to university poobahs.
instead of character recognition, ask questions based on a given image
example:
image with a cat on the left and a dog on the right.
question: what's on the left?
answer: cat
example2:
girl crying, next to a broken glass
question: why the girl is crying?
answer: because of a broken glass
it's very human readable, and very dificult for software interpretation
and I just patented that...