Slashdot Mirror
Google ReCAPTCHA Cracked
stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."
so hard that not even your users will be able to 'crack' it and login to your store. no, its really good. and doesnt need remote services. (like recaptcha)
Read radical news here
that website administrators will have to actually verify user accounts?? Might mean more work for admins but isn't that a fair trade off for quality content?
The Copper Tribe - Office Software Solutions
Come on Google, we all know that in the Capcha war, we only have one weapon left, capcha porn. There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"
Monstar L
In capitals, like this?
Did they pull the crown from the hands of the Pope, himself at the coronation ceremony, and declare - as did Napoleon - "I am King!"
"Flyin' in just a sweet place,
Never been known to fail..."
I seem to recall somebody posting a video showing reCAPTHCA-cracking with something like 30% accuracy. That's very broken.
FTA:
Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
Well, last year someone showed ad DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already.
So how is this news? Am I missing something?
...last year.
Google reCAPTCHA cracked
Written by John P Mello Jr on January 5, 2010
As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the amount of times I've got incomprehensible jibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.
Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
That would explain why my recaptcha protected forum suddenly started getting 30+ new accounts a day.
Regards
elFarto
... we get the flurry of Wordpress spam registrations and a spike in Gmail related spam?
ticketswapz.com - Buy, Sell, Trade Sporting Event and Concert Tickets
Please Identify which animal is a Eierlegende Wollmilchsau.
Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.
Who logs in to gdm? Not I, said the duck.
Too bad really, I like the google captchas because they were easy to read (and served a greater purpose with the book scanning). honestly I wish they would make some of these things harder though. how often do you really need to make an email account? I've done it just a couple times with google and wouldn't be bothered by a more complex captcha system. i suspect they don't do this because they wouldn't want people to get frustrated and go to hotmail instead because the captcha was too hard.
though in the end you can never really win since the most high profile targets will just get focus from actual humans
on a side note i wish the article had more details on how he was cracking. I suspect most slashdotters like myself have pondered captcha systems and how to improve them.
http://www.networkmirror.com/mlsurCyIbkJu5Qpr/www.allspammedup.com/2010/01/google-recaptcha-cracked/index.html
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
This approach is doomed, really. Clearly we can come up with other tasks that are difficult for computers and easy for humans, and wait until AI catches up, and move to something else. At some point much sooner than AI fully replicates human intelligence the tasks will be so difficult that in the vast majority of cases it's not just worth it for a human to go through it (e.g. # of cocks inside Jenna in a video , as suggested above). What do we do then? The captcha approach is a temporary solution, and if I had to guess I'd say within 2 decades the "spammer singularity" described above will come.
weinersmith
Indeed I had stumbled upon this a few months ago while researching for myspace spamming. From what I gathered, a little weekend project will get you software that solves 10% of reCAPTCHAs, nothing wonderful but enough to render it ineffective. What I'm really wondering though is now that a lot of people know one of the two words is there to train their own captcha solving bot, and put "nigger" instead of the easiest word. Is that bot racist yet ?
I run a small forum that uses recaptcha . I used to get about 5-10 spam registrations a day. On the 6th I got 148, and the 7th I got 230.
I eventually instaled a plugin from StopForumSpam.com which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.
Now spammers are indirectly using their massive botnets for the cause of OCR conversion of books. :)
This is teh intarwebs(tm), pr0n == free , unless you're doing it wrong.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
To figure out how to do it. Ironic, no?
I wrote a paper for a university class about this last year. It was based off of work I found and improved upon. It's been defeated for a while now.
http://www.rodneybeede.com/reCAPTCHA_weakened.html
successfully exploited by Internet junk mail panderers
How does one pander to junk mail?
Perhaps the word you were looking for is peddlers?
https://www.eff.org/https-everywhere
I used reCAPTCHA on a small phpBB board. Because of the small number of users, I activate any accounts manually, However, since the first of the year I must have gotten 40 attempted registrations. Very annoying, because I got an e-mail for each of them. Switched to a question that only someone familiar with my board would be familiar with, seems to have stopped that stuff.
Seriously, why not something like google goggles for tax forms? Or is that out there already and I'm just not looking hard enough?
"Quote me as saying I was mis-quoted." -Groucho Marx
From http://webcache.googleusercontent.com/search?q=cache:Rg7W1a3ULmgJ:www.allspammedup.com/2010/01/google-recaptcha-cracked/+http://www.allspammedup.com/2010/01/google-recaptcha-cracked/&cd=1&hl=en&ct=clnk
Google reCAPTCHA cracked
Written by John P Mello JrgravatarcloseAuthor: John P Mello Jr Name: John P Mello
Email: jpmello@cox.net
Site: http://twitter.com/jpmello
About: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston GlobeSee Authors Posts (68) on January 5, 2010
Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.
Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
CAPTCHA–which stands for Completely Automated Public Turing test to tell Computers and Humans Apart–is a method for foiling automated attacks by spammers on Web sites. Before a Net surfer can perform at a site a task, such as setting up an email account or adding comments to a blog posting, he or she is presented with the image of a word or phrase that has been distressed in some way. The warped image is intended to thwart scanners and optical recognition software programs used to automate the compromising of web sites by spammers. The idea is that humans can read the characters in the image and type them into a form while machines can’t.
Some simple math reveals just how alarming Wilkins’ findings are. The operator of even a modest botnet of 10,000 machines would be perfectly happy with a success rate of 0.01 percent. That would mean 10 new gmail accounts could be created every second or 864,000 new accounts a day from which spam could be launched.
Google counters that Wilkins test targeted an old form of reCAPTCHA from 2008 that’s been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”
Wilkins acknowledged that his initial tests were on an older version of reCAPTCHA, but since that time, he has conducted tests on the new images produced by the system and found them to be even weaker than the older ones. In one of his original tests on the system, his success rate was five in 200. When that test was run on the new reCAPTCHA, the rate was 23 in 100.
The major difference between the old and new versions of reCAPTCHA, according to Wilkins, is the use of horizontal lines to obscure the characters in the image. While the use of the lines makes it harder for machines to recognize a reCAPTCHA phrase–although Wilkins asserts the lines can be subverted easily by spammers–it also makes the phrase harder to read by humans, too. New reCAPTCHA images drop the lines but add distortion to the image. They’re easier to read for humans, but, alas, they’re also easier for machines to crack.
Unlike most CAPTCHA systems, Google’s uses images with two words. That’s because Google uses reCAPTCHA for two purposes. Like other CAPTCHA systems, it’s designed to frustrate spammers, bu
I use a script for emailing the addresses of my clients and the script is server-side code. And since that does not load unless the form (for an email) is completely filled out, nobody can pre-look at my code and figure out anything.
Client's email address is in a lookup in an SQL database, so nobody can see that, either.
Solution is to capture then BLOCK the IP address of anyone sending spam through the form. So far, I have seen two messages from Belize and one from India. And now those people can no longer even load the websites they spammed. As their world gets smaller and smaller, maybe they will have so few people to email, they'll quit.
This may not work for someone as big as Google, but it certainly works for me and my website clients.
Gods don't kill people, people with gods kill people.
It's called /r/inglip
I'm a application administrator for a website with a few thousand users, over the last few weeks we've been getting 30 spam registrations an hour and we use ReCAPTCHA. So it's been used in the wild for a while now.
The nature of Spam is changing. It used to be about penis pill ads being sent indiscriminately by email. Now Spam is being used by major marketers and public relations firms to influence the national discourse and nobody is using email. Spammers are hitting blogs and forums and news sites to try to credibly sway public opinion. They pose as average impartial citizens and try to spread propaganda. Spam is about trying to shout out other people by aggressively inserting the viewpoints of their corporate or political masters. Every major PR firm is going to recommend that it's clients pursue an active online strategy. Not just a website. Not just a responsive blog. Not just a Facebook page. But an army of professional trolls with talking points and corporate directions to sway public opinion in a Web 2.0 setting. Spam has gotten much more insidious because the purveyors of Spam realize that to be effective they must effectively make themselves indistinguishable from the common man.
Digg recently had to reorganize because an army of amateur conservative trolls ("Digg Patriots" and others) was effectively promoting conservative information and burying liberal viewpoints. They got busted because they were ambitious and cocky amateurs. But Burson Marsteller has about 100000000x the money and sophistication and is never going to get caught so easily.
There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!
Speaking of a spam dry spell, my mail's spam is down dramatically since the new year.
I haven't parsed logs to find out of my antispam measures are more effective or if the total rate is just down. Anyone else noticing similar?
Not only should the captcha be an image or an audio file but it should also be a question. Then the response shouldn't be just the text version of the question but the text answer to the question. I suggest the questions on the Mensa test.... although that may be setting the bar a little low for Internet use.
Google can deny it all they want. Everyone running a decent-sized forum with reCAPTCHA noticed spammers getting their bogus registrations through on January 4th. One day it was working great, the next day spam.
And I don't like spam.
reCAPTCHA is broken. Period.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
I don't; I was just refuting the statement that there is no way to verify user accounts before the user has posted anything. For a local population that can be handled by moderator(s) familiar with the region, that's sufficient. For a larger scale operation where the moderators are not necessarily in the same locality as the users, you would need to use some other method. Maybe ask the visitor to tell you how he feels about his mother?
Some of the solutions posted here are down right provoking to the users, such as that to answer a question about local landmarks. I'm more of a "nerd" myself, and couldn't care less about local landmarks. I don't even remember the name of the streets, near to the one I'm living on.
You need to keep in mind, that you are running a website, and some policing is to be expected. If you can't handle that, well then you shouldn't be running a website.
Unless you are running some sort of pony CMS system, then you, or the developers of your site, should be more then capable to prevent automated spam trough other means.
Sadly its become a trend in most CMS system, and sadly these developers ain't qualified to create other security features. CAPTCHAs is an easy solution for them, and they don't even have to create their own with lame "plugin" versions developed by companies such as google.
I also don't like the fact that these companies are forcing us to help in their digitalizing projects. You should also keep in mind that not all your users want to participate in these schemes, you should provide them with an alternative method of login, and inform them what exactly the CAPTCHAs are used for, including what the companies behind them are using them for.
Having that said, its no rocket-science to create your own image-CAPTCHAs.
As for alternatives, then I'd like to mention pattern matching, which is pretty easy to develop, and rarely gets any false positives. It should never be programmed to automatically take action, but it should bring tagged accounts up for review by admins.
You can also integrate advanced removal tools, such that you are able to delete all messages posted by certain IPs, instead of deleting based on the accounts level. That would ensure that you only delete the spam, for the accounts which have been exposed.
On sites like Facebook, who require people to create an account to post, this would be very effective at reducing spam.
You can combine this with other security checks, such as disallowing the sudden change of IPs within a reasonable time. That would pretty much efficiently prevent automated spam from the same accounts.
It is also suspicious if a user suddenly change IPs, this should trigger an alarm under all circumstances.
My point is that CAPTCHAs, in any form, are totally unnecessary, and more then anything just reflect the mentality that many developers think in. You can't prevent all spam anyway, and keeping in mind that automated spam can be prevented more efficiently, you should aim for those goals. Hire some "police" for your website if you have to. The bigger sites where spam "could" become a problem, would likely also afford some extra admins to keep an eye on things anyway.
Some of you mentioned that x security check wouldn't work on bigger sites. While simply asking a logic question likely wouldn't work on bigger sites, its actually the wrong approach to the problem.
As a developer you shouldn't be looking at the spam problem, as being automated or manual. Spam is just spam, no matter who is submitting it. So in short, get your fingers out, and start working on some pattern matching.
Aside from the above, you should understand that some policing is required when running a website, no matter the size of your website. Yes some CMS systems are impractical to work with in that regard, but that is your own problem.
Just imagine the sick kind of world we would be living in, if the police started to think like your average website owner, and started to replace colleges with computers and robots.
Just noticed on my site that there are changes to the reCaptcha. Some of the lettering is now white and outlined. I am still getting spam sign ups though. It looks as though they are on the case.