Slashdot Mirror

← Back to Stories (view on slashdot.org)

ReCAPTCHA.net Now Vulnerable to Algorithmic Attack

Posted by timothy on from the bless-you! dept.

n3ond4x writes "reCAPTCHA.net algorithms have been developed to solve the current CAPTCHA at an efficacy of 30%. The algorithms were disclosed at DEFCON 18 over the weekend and have since been made available online. Also available is a video demonstration of random reCAPTCHA.net CAPTCHAs being subjected to the algorithms." There's probably an excellent Firefox plugin to render this page's color scheme more bearable. Note: the PowerPoint presentation linked opens fine in OpenOffice, and the video speaks for itself.

51 of 251 comments (clear)

  1. colours by orange47 · · Score: 2, Funny

    "There's probably an excellent Firefox plugin to render this page's color scheme more bearable."
    just select all page, its better.

    1. Re:colours by electrostatic · · Score: 4, Informative

      "...an excellent Firefox plugin to render this page's color scheme more bearable."

      Yep. Color Toggle

      https://addons.mozilla.org/en-US/firefox/addon/9408/

      I have it set so Ctl-Shift-Z set light yellow background, black text, and blue links.

  2. Human Success? by Anonymous Coward · · Score: 5, Insightful

    So what is the average human success rate? I think mine is only about 50%

    1. Re:Human Success? by Anonymous Coward · · Score: 2, Informative

      Mine is 100%. Recaptcha is probably one of the easiest captcha I've ever had to deal with; something is wrong with you, sorry.

    2. Re:Human Success? by Kalriath · · Score: 3, Insightful

      Yeah, I agree with this. Recaptcha is one of the easiest out there.

      Admittedly though, I have around about 3% success rate with vBulletin captchas. Hear that forum owners? I'm not joining your forum because I can't read your captcha!

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  3. My eyes! by Yvan256 · · Score: 2, Funny

    The goggles, they do nothing!

    1. Re:My eyes! by SomeJoel · · Score: 4, Funny

      Did you not learn when I explained this yesterday? The quote is: "My eyes! The goggles do nothing!". There is no "they", nor is there any bad pronunciation. Indeed, it is correctly articulated and enunciated, with an accent.

      Easy there champ, nobody appreciates a Family Guy nerd correcting everyone's quotes.

      --
      <Complete your profile by adding a signature!>
    2. Re:My eyes! by SomeJoel · · Score: 4, Funny

      Judging from the other replies, meta-humor is a little hard for you guys...

      It works wonders though. For instance, the next time someone is talking about "the force" or jedis and such, tell them "Get a life, Star Trek sucks!". You'll find the reaction much more interesting than if you correctly identify the franchise.

      --
      <Complete your profile by adding a signature!>
  4. OCR improvements? by Anonymous Coward · · Score: 3, Interesting

    Can these attack algorithms actually increase the accuracy of normal OCR programs?

    1. Re:OCR improvements? by AusIV · · Score: 2, Informative

      They're not. I saw the presentation these guys gave at DefCon (their presentation was about as painful as their website), and they're only getting the test word correct with about 30% accuracy. They're not completely sure about their success rates on book words, but they believe it to be considerably lower than the test words.

    2. Re:OCR improvements? by n3ond4x · · Score: 2, Funny

      They are not considerably lower because as book words are solved they become verification words. Also, if you didn't enjoy my talk, don't come next time.

    3. Re:OCR improvements? by Sparr0 · · Score: 3, Insightful

      The problem is that since you are *probably* solving the verification words with higher accuracy to begin with, you are actually poisoning the data being gathered regarding the book words. So, while a book word becoming a verification word based on your "solutions" will keep your solution rate constant, it actually damages the system when it comes time for humans to solve the CAPTCHA, or worse when the solutions are used as OCR corrections.

      To clarify, given a classically OCR-able "foo" and a non-OCR-able-but-human-readable "bar", a human is expected to recognize the slightly-deformed-by-reCAPTCHA "foo" and is trusted to get "bar" right more often than OCR would. This attack only defeats the deformation applied by reCAPTCHA, it doesn't actually improve the OCR on the non-deformed words, which means you are going to submit an answer of "foo ban" every time this pair is encounted (or "blah ban" for a different scenario), and the reCAPTCHA system is eventually going to decide that the book word really is "ban".

  5. Speaking about re-captcha by imsabbel · · Score: 3, Informative

    I recently went to their homepage and looked _really_ hard for any statistics about which books are transcriped. I read their Science paper. Tried all sections.
    Its all about the captcha part, and _nothing_ about the RE.
    The way they state how it works ("We are using 100.000 unique words") sounds like they have given up on that part long ago and just recycle their old database again and again...

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    1. Re:Speaking about re-captcha by icebraining · · Score: 4, Informative

      Currently, we are helping to digitize old editions of the New York Times and books from Google Books.

      http://www.google.com/recaptcha/learnmore

      --
      Dilbert RSS feed
    2. Re:Speaking about re-captcha by imsabbel · · Score: 4, Interesting

      Hm.
      So its for-profit work for the biggest advertising firm in the world.
      Sort of expected project gutenberg or something.
      Too bad.

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    3. Re:Speaking about re-captcha by martin-boundary · · Score: 2, Insightful

      Google books isn't really public, though. You can only view a small number of pages of each book, which is pretty useless from the point of view of public uses that come to mind.

    4. Re:Speaking about re-captcha by bill_mcgonigle · · Score: 2, Insightful

      So its for-profit work for the biggest advertising firm in the world.
      Sort of expected project gutenberg or something.

      Google's digitizing hundreds of thousands of historic books from some of the great university libraries. What's the problem here, that they won't lose money on the effort?

      The NYT archive has been done for at least a year, it made reCAPTCHA a feasible company.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. I'm a computer, apparently by El_Muerte_TDS · · Score: 2, Funny

    It looks like that tool is better at deciphering the captchas than I am.

  7. far from it by MagicM · · Score: 3, Informative

    I'm watching the video, and the end result is "b:1/78 1.28% s:27/78 34.62%" indicating that out of 78 tests of two words per test it got a single word right 35% of the time, and both words right only once or 1% of the time.

    Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

    1. Re:far from it by NegativeK · · Score: 2, Informative

      35% * 35% ~ 12%. And that ignores that one word is a known control, while the other is a word they're trying to OCR.

      --
      This statement is false.
    2. Re:far from it by BarryJacobsen · · Score: 2, Informative

      I'm watching the video, and the end result is "b:1/78 1.28% s:27/78 34.62%" indicating that out of 78 tests of two words per test it got a single word right 35% of the time, and both words right only once or 1% of the time.

      Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

      My understanding is that only one of the words needs to be correct, but it has to be the "right" one (reCAPTCHA presents two words one it's very certain it knows what it is and one it's less certain, you have to get the one that it's very certain of in order to pass).

      --
      Track your TV Shows with your iPhone - FREE
    3. Re:far from it by rm999 · · Score: 2, Informative

      You are right, there is no need to get both words right.

      But, your 35% * 35% calculation assumes the recognition difficulty of the words is independent, which is a bad assumption in this case; the OCR word is one that is known to be hard to guess. It is probably more like 35% * 5% or something.

    4. Re:far from it by hydrofix · · Score: 5, Informative

      Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

      Actually, that is incorrect. The other word is already positively known by the OCR, and serves as a control, while the other is the one that the OCR could not read. It will of course only check the one that it knowns, and assumes the other one is then correct as well. So, if you get one of the words correct AND this is the same word that as their OCR identified correctly (which is very likely the case), then you pass, but most of the time (99%) give a bad answer for the harder, non-OCR word. Sadly, this leads to pollution of their database in the long run.

    5. Re:far from it by retchdog · · Score: 2, Insightful

      Interesting. If this is true as stated, and one knew/modeled OCR performance, you could use this information in some cases to pick out the plum and boost the crack...

      --
      "They were pure niggers." – Noam Chomsky
    6. Re:far from it by Jorl17 · · Score: 4, Informative

      This is not informative. As many have said. If You read: http://www.google.com/recaptcha/learnmore , you'll get it.

      Here is the deal: reCAPTCHA presents two words. One is picked by it and is previously known. The other one is a word from a book that has been scanned. Said word is unknown to the reCAPTCHA system. When the user enters both words, reCAPTCHA checks to see if the known word has been properly recognized. If that is the case, then reCAPTCHA can assume that a human is answering. Given that a human is answering, then the second unknown word given by the human is most likely correct, because he/she will be able to recognize it as well. Using this system, reCAPTCHA works as a CAPTCHA (spam prevention) mechanism and also helps transforming old books/papers into digital format, such as the New York Times.

      So, in practice, only one word has to be correct -- the word that reCAPTCHA knows. What's sad is that bots may contribute incorrect second words...

      Next time, get informed before going all crazy.

      And here is the relevant info, quoted from the aforementioned website:

      reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly. But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.

      --
      Have you heard about SoylentNews?
  8. Plugin not needed... by knarf · · Score: 3, Informative

    There's probably an excellent Firefox plugin to render this page's color scheme more bearable

    No plugin needed:

    View->Use Style->None

    That is what it looks like in Seamonkey, Firefox will be similar. This more or less always works.

    --
    --frank[at]unternet.org
  9. Hmm by Tailhook · · Score: 5, Funny

    Should I run the DEFCON presenter's giant SWF or not?

    o_O

    --
    Maw! Fire up the karma burner!
    1. Re:Hmm by machxor · · Score: 2, Funny

      Why not. You run Firefox right? If yes then you have no worries because it's not full of hole like IE is...

    2. Re:Hmm by Monkeedude1212 · · Score: 2, Insightful

      I'm glad YOUR common sense kicked in before hundreds of others.

  10. Bad Hacking by pz · · Score: 4, Insightful

    Why would anyone want to do this? It's like attacking the UN peace keeping troops or the Red Cross. reCAPTCHA is doing good work, digitizing scanned printed books so that the the text can be made available for online searching. Breaking reCAPTCHA is like defecating in the village well, ensuring that everyone suffers. No one benefits from reCAPTCHA being broken. No one.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:Bad Hacking by kyrio · · Score: 2, Informative

      4chan already broke it.

    2. Re:Bad Hacking by Dhalka226 · · Score: 5, Insightful

      No one benefits from reCAPTCHA being broken. No one.

      Spammers.

    3. Re:Bad Hacking by maxume · · Score: 5, Insightful

      Actually, it could be of use to reCAPTCHA, they can just pass their test words through this system before they make them public and then use the output to help prevent similar attacks.

      --
      Nerd rage is the funniest rage.
    4. Re:Bad Hacking by Flyne · · Score: 4, Insightful

      The problem of breaking reCAPTHCA is precisely the same problem as increasing computer OCR abilities, since reCAPTCHA by design uses words which current OCR abilities are inadequate for. This is a good thing for AI and computer vision and text digitization.

    5. Re:Bad Hacking by sbayless · · Score: 5, Insightful

      No one benefits from reCAPTCHA being broken. No one

      You couldn't be more wrong. Sure, breaking reCAPTCHA would create a headache for website admins (including me, for example), but in order to break reCAPTCHA someone has to devise a better text recognition program. And that's great news! This is an example of a general side effect of the cat and mouse game that are captchas. Captcha's are a simple form of Turing Test, where website admins are trying to determine who is a computer and who is a real human being. Every time a captcha gets broken, we get a sophisticated new algorithm for doing something that previously only humans could do (or only humans could do well, at least).

    6. Re:Bad Hacking by mysidia · · Score: 2, Insightful

      reCaptcha, and indeed all Captchas have a fundamental flaw.... advances in computer vision will eventually render them all obsolete.

      Most of the CS knowledge is already around to totally defeat captchas of this sort... it's only an Engineering question. They will most likely get broken when sufficiently unethical engineers are hired by sufficiently wealthy spammers.

      It's basically a known fact, that spammers will eventually break conventional captchas totally, by developing algorithms to guess captcha answers. It's only a question of when and how long will it take them to figure out all the systems that matter.

      This does not mean it is a respectable thing for people to specifically target Captcha and attempt to hasten its demise.

      reCaptcha is a big one... but there are other Captcha systems that matter (like Google's).

      And there are other ways around them besides software algorithms... Amazon-style mech turk, for example... find a few thousand folks in certain countries to pay $0.05/hour for breaking captchas, and suddenly reCaptcha is no longer a boundary.

    7. Re:Bad Hacking by Timmmm · · Score: 3, Insightful

      The problem of breaking reCAPTHCA is precisely the same problem as increasing computer OCR abilities

      No it isn't. Well, not unless you read books with wavy crossed-out words and don't mind 30% accuracy.

    8. Re:Bad Hacking by mysidia · · Score: 2, Insightful

      Except the algorithm doesn't really do that... to defeat the captcha, it only needs to get it right about 10 or 20% of the time, to give the malicious script a "good enough guess" to brute-force the Captcha with 5 or 6 retries.

      As long as the number retries are less than those the a fair percentage of humans require....

  11. Re:Offtopic by Anonymous Coward · · Score: 4, Informative

    No, Firefox addons used to be called extensions, plugins are still plugins.

  12. Is this related? by Khyber · · Score: 4, Interesting

    Anybody that pays attention to 4chan recently knows they had to implement captcha due to a massive spamflood of infected morons. recaptcha got busted thanks to someone in /g/ who leaked the vulnerability in the sound system for reCAPTCHA, and the whole site was again inundated with spam, though not to the degree as the original spam attack.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  13. Re:So many better ways than recaptcha by JesseMcDonald · · Score: 3, Informative

    There is ZERO reason to use worthless tests like these as opposed to using real identification. That is instead of using computer generated difficult test, use actual pictures of actual 'difficult text' that an OCR agent failed to identify. Each person is given one alread tested sample and one unknown sample. If you get the already tested sample, then your answer is accepted as 'probable' correct for the unknown sample.

    Congratulations, you've just described ReCAPTCHA! This is exactly how the current system works.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  14. Re:Offtopic by Cougar+Town · · Score: 3, Informative

    Wrong. Plugins have been around since Netscape and are still called plugins. They have a different function than an extension (and an extension is what we would want in this case to fix the site's colours).

    Both plugins and extensions, along with themes, are collectively referred to as "addons." "Plugin" is the wrong word in the summary. "Extension" or "addon" would have been acceptable.

  15. How is this 30% accurate??? by mwvdlee · · Score: 3, Insightful

    When it is claimed to be 30% accurate, I'd expect some 30% of all captchas being correcly guessed. Watching the video, I noticed the algorithm gives itself 30-40% scores for getting just one of the two words right or sometimes even for getting the right length and a few correct letters. Didn't watch it to the end, but in the few minutes I watched, ZERO entire captcha's were solved. So that's ZERO% acurate in my book. For instance, actual captcha text "ware readiness", guessed captcha "votarry rehabbed", reported accuracy 38.24%... how the hell is that over 38% accurate? If you had that level of accuracy when trying to get past a captcha (which is pretty much the definition of it being vulnerable, right?), you wouldn't get past a single captcha. it's 30% accurate if it correcly guessed about 3 out of every 10 captcha's, not if it fails every single captcha.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  16. New Human Verification Scheme by BlueMonk · · Score: 3, Interesting

    Seeing this article gave me an idea to come up with a new human verification process. I created a C# program in about an hour that loads images from Google images based on searching for 3 of 2000+ nouns. It shows 3 examples of each noun and asks the user to pick the correct noun from a list of 6. This program is just a proof of concept of course. Could this become useful? (Binary and source code included.)
    http://enigmadream.com/misc/HumanVerification.zip

    1. Re:New Human Verification Scheme by KahabutDieDrake · · Score: 2, Interesting

      If you used something that wasn't a public resource based around text strings, then yes.

      Better still... show a bank of images, ask which one has a happy little girl in it. (all images contain a girl, only one obviously happy). Randomize the backend with a cryptographic routine (so the file names don't give anything away) and you are set for a while. Computers are terrible at such things, people are pretty good at it.

  17. Re:My eye's... by Peach+Rings · · Score: 4, Funny

    You know a hacker is hard core when his site is monochrome in a monospace font, and he saves his files as straight up docx.

  18. Let's hope they hit 100% by drinkypoo · · Score: 2, Interesting

    Then we can just put reCAPTCHA on all pages being used for spam, and get transcription services for free.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. Re:My eye's... by Peach+Rings · · Score: 2, Insightful

    By the way, that wasn't just a facetious comment. TFA isn't a serious paper. It's not even typeset, just typed into Microsoft Word. And god knows why I'm being warned about VBScript macros when I try to open it.

    And this isn't a case where the little guy is making real scientific progress right under the nose of the obsolete establishment. The author doesn't even have a freshman understanding of big-O notation, it's completely juvenile.

  20. Re:My eye's... by hairyfeet · · Score: 5, Funny

    You young ones and your complaining. "Ohhh the colors suck" SO WHAT! You don't remember when the Internet was invaded by those dual demons from hell, Geocities and Comet Cursors! Now THAT was torture buddy! YOU try dealing with a page that looks like it was designed by Unicorns on a crack binge, while having a fricking pocketwatch suddenly appear and hang from your cursor like a ball of snot on a string, all while having your shotgunned modems drug down to 300 baud land thanks to a bazillion puke inspiring GIFs spinning all out of time!

    Now THAT is real suffering kid! /wanders off muttering/

    --
    ACs don't waste your time replying, your posts are never seen by me.
  21. Multiple choice doesn't work for CAPTCHAs by mrnobo1024 · · Score: 2, Insightful

    The spammers can just choose a random option until they get in. All that will do is slow them down a bit.

  22. Re:Can the mouse cursor be positioned by a script? by IBBoard · · Score: 2, Insightful

    Remember, iPads and touch-screens can't do hover. Plus there's the whole disability accessibility aspect as well ;)