Google ReCAPTCHA Cracked

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Tuesday January 11, 2011 @02:40AM from the eggs-bacon-sausage-and dept.

stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."

169 of 211 comments (clear)

Min score:

Reason:

Sort:

Captcha ZDR .... by unity100 · 2011-01-11 02:43 · Score: 1

so hard that not even your users will be able to 'crack' it and login to your store. no, its really good. and doesnt need remote services. (like recaptcha)

--
Read radical news here
1. Re:Captcha ZDR .... by Sockatume · 2011-01-11 02:50 · Score: 1
  
  What's "ZDR" stand for then, "Zero Desirable Results"?
  
  --
  No kidding!!! What do you say at this point?
2. Re:Captcha ZDR .... by devxo · 2011-01-11 02:58 · Score: 5, Interesting
  
  All captchas are practically useless. There is no need to crack them - for example decaptcher solves 1000 captchas for $2. Any captcha type works since they're solved by humans. They also have API's for several different languages which lets the programmer easily to put the process to their programs.
  
  As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
3. Re:Captcha ZDR .... by Lumpy · 2011-01-11 03:01 · Score: 1
  
  /Recently spammers have new tools in place, I am suddenly getting comment spam on 4 wordpress sites that use this kind of stuff to trap it. I have notice this for over 5 weeks now.
  
  --
  Do not look at laser with remaining good eye.
4. Re:Captcha ZDR .... by c6gunner · 2011-01-11 03:08 · Score: 1
  
  1000 captchas solved by humans for $2? WTF? Who do they have working on these things? Even that Indian tech-support drone I talked to yesterday would fetch more money than that ...
5. Re:Captcha ZDR .... by MoonBuggy · 2011-01-11 03:16 · Score: 1
  
  The tech support guys are moderately well paid by Indian standards, since they have a marketable skill: English language ability.
  Simply matching characters on a screen to characters on a keyboard is completely unskilled, and thus evidently nets correspondingly lower pay.
6. Re:Captcha ZDR .... by daid303 · 2011-01-11 03:16 · Score: 3, Insightful
  
  It's quite simple to stop that, implement a small none-standard part in your signup process. I put in an extra input text field named "askldjwla" with the text: [Enter "I am not a bot" here (without quotes)] and my spam has reduced to 0. Spammers target the large and easy, just don't be a part of that group.
7. Re:Captcha ZDR .... by devxo · 2011-01-11 03:18 · Score: 3, Interesting
  
  Indians mostly. Those who solve them actually only get paid $1 per 1000 captchas. But for example, the average daily salary in places like Cambodia is less than $1. Solving 1000 captchas for that starts to sound like a dream job and there is no education needed.
  
  It's the same reason why powerleveling and gold selling services exist in cheap asian countries, economics make it possible and even a good job.
8. Re:Captcha ZDR .... by MoonBuggy · 2011-01-11 03:21 · Score: 1
  
  Which is where this technique comes in. I thought ReCaptcha was going in that direction anyway, since it's used to transcribe old books that couldn't otherwise be OCR'd? Admittedly the crack is not a good thing, and I can't RTFA since it's slashdotted so it may be the case that they've found a way to circumvent rather than solve the captcha, but perhaps the spammers have actually done useful work in improving the accuracy of OCR technology for us?
9. Re:Captcha ZDR .... by Anonymous Coward · 2011-01-11 03:22 · Score: 4, Insightful
  
  That might work for your vanity blog, but higher traffic sites are more valuable targets and as such attract greater efforts.
10. Re:Captcha ZDR .... by onepoint · 2011-01-11 03:28 · Score: 1
  
  Wait Wait Wait .... the service for USD 2.00 is the AI service, you can read it on the web site. they charge for a priority service ( which I am inferring ) as the human side. ..
  please compare the cost of living between the Asian culture of India, Bangladesh, Goa to the USA. a daily maid + cook + driver + rent in a major city ( in a great apartment ) does not exceed 1500 per month ( 120 maid, 100 cook, 275 driver, the rest is rent )
  hope this helps
  
  --
  if you see me, smile and say hello.
11. Re:Captcha ZDR .... by SeaHunter · 2011-01-11 03:41 · Score: 5, Interesting
  
  I remember a message board from a few years ago where some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site making it look like it was really from his site. The person looking at the porn site would type in the captcha answer and his script would in turn use this user provided solution to solve the real captcha on the original site letting his script get past the captchas and spam the message board. So if it really did work he got 1000's of captchas solved by humans for free.
12. Re:Captcha ZDR .... by JackOfAllGeeks · 2011-01-11 03:49 · Score: 3, Funny
  
  they have a marketable skill: English language ability.
  What Indian tech support have YOU been talking to?!
13. Re:Captcha ZDR .... by isilrion · 2011-01-11 03:54 · Score: 4, Informative
  
  With reCaptcha, you don't have to successfully OCR the scanned word, just the control word. Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable. In these cases, you can type the control word correctly and just write some gibberish for the other, and you'll beat the captcha.
  Which means that the spammer won't have to OCR the hardest of the words... just the simpler one. Run the OCR to the full text, post both words, and if the simpler one matches, you broke the captcha.
  (I make it sound so easy! It really isn't! I'm amazed that they did break it! I just wanted to point out that it isn't "OCR words that haven't been OCRd before", rather than "OCR words that have been OCRd previously and are now a bit distorted".)
14. Re:Captcha ZDR .... by IhateMonkeys · 2011-01-11 04:07 · Score: 4, Funny
  
  Steve from Kansas.
  
  Apparently he really likes curry chicken. Kinda odd fellow.
15. Re:Captcha ZDR .... by Nadaka · 2011-01-11 04:21 · Score: 1
  
  Also seen one where the other word was a set of hieroglyphs or oddly shaped rectangles.
16. Re:Captcha ZDR .... by vux984 · 2011-01-11 04:32 · Score: 1
  
  solved by humans for free.
  solved by humans in exchange for porn. Not free. Close enough to free though. :)
17. Re:Captcha ZDR .... by Vintermann · 2011-01-11 04:41 · Score: 2
  
  for example decaptcher [decaptcher.com] solves 1000 captchas for $2.
  That's probably enough to prevent a lot of spam. Spam isn't very profitable per post.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
18. Re:Captcha ZDR .... by John+Hasler · 2011-01-11 04:47 · Score: 1
  
  1000 captchas solved by humans for $2? WTF? Who do they have working on these things?
  People who have solved millions of CAPTCHAs and are really fast. They probably also do the easy ones in software, thus upping the effective throughput. One approach would be to have the software present its best guess to a human for verification.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
19. Re:Captcha ZDR .... by 1u3hr · 2011-01-11 05:15 · Score: 1
  
  some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site...
  Yeah, yeah. People have been talklng about that for years. Never actually put it into practice.
  So if it really did work he got 1000's of captchas solved by humans for free.
  Not "free". You'd need a pretty high traffic site to get responses quick enough. But there's so much free porn on the web that no ne will be bothered to do them. It'd probably cost you more to run and host the porn site than just paying a sweatshop.
  Google will give you links to all the absolutely free porn you want, no captchas required.
20. Re:Captcha ZDR .... by Magic5Ball · 2011-01-11 05:25 · Score: 3, Interesting
  
  We run a not large site that gets 20,000-40,000 spam comment attempts per day. Some simple filters leave us with dozens of items to manually review per year:
  1) English (language in general) employs rules that yield statistical patterns. For example, personal names and occupations do not contain 50 per cent upper case letters and 50 per cent lower case letters in English. This bins the bots that fill unmatched fields with random characters, without bothering human users since CSS is good now (our forms sometimes include randomly named fields...). We also test for average word length to catch excessive use of brand names and URLs. These two rules catch almost everything except the human operators.
  2) To tarpit the human operators who try to whitelist their accounts/IPs through repeatedly posting benign comments, new users who post a lot (more than four comments an hour) in an initial period (24 hours after signup) and do not interact with others will see their own comments, but others will not.
  We have five other filters but have turned them into warnings for the users instead (bots do not want to solve "That's a lot of links. please delete http:/// from your links"). Our next challenge is to better protect the mobile site which has a different set of dynamics.
  *this silly form insists on linkifying my http colon slash slash and adding a third slash...
  
  --
  There are 1.1... kinds of people.
21. Re:Captcha ZDR .... by thejynxed · 2011-01-11 05:36 · Score: 3, Informative
  
  Another fun trick is how easy it is to catch spambots by using "invisible" form fields. Bots are too "stupid" to negotiate around these traps. They fill in those fields just like they do the visible ones, allowing you, the site operator, to instantly bin their nonsense to /dev/null with scripts and ban their IP addresses.
  
  --
  @Mindless Drivel: 100% of Twitter posts ever Tweeted.
22. Re:Captcha ZDR .... by tbischel · 2011-01-11 06:15 · Score: 2
  
  All captchas are practically useless. There is no need to crack them - for example decaptcher solves 1000 captchas for $2. Any captcha type works since they're solved by humans.
  I bet this type of captcha would still work well on sites like mathoverflow or wolfram...
23. Re:Captcha ZDR .... by sohmc · 2011-01-11 06:23 · Score: 1
  
  As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
  I wonder if a better CAPTCHA system would be idioms. Idioms rarely cross nationalities. The only bad thing about it is that it would prevent non-native speakers from accessing your content.
  Also hate to say this but the ad system that Apple is trying to develop could solve this too. You're forced to watch an ad and can't move on until you answer a question about the ad.
  
  --
  We don't live in Shouldland.
24. Re:Captcha ZDR .... by phantomcircuit · 2011-01-11 07:07 · Score: 1
  
  Except that simpler word is something that their OCR software failed to figure out before and has since been solved by a person filling out the captcha. So indeed you do still have to build better OCR software than google has to actually break the captcha. Further they morph the control word just a bit, so not only do you have to build better OCR software, it has to be MUCH better.
25. Re:Captcha ZDR .... by al0ha · 2011-01-11 07:50 · Score: 1
  
  Ah reCAPTCHA was already reported p0wn'd about a year ago by a group that was exploiting the weakness in the database of known words to circumvent the captcha's put in place by Ticketmaster.
  
  This is old news...
  
  --
  Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
26. Re:Captcha ZDR .... by mathmathrevolution · 2011-01-11 08:23 · Score: 1
  
  Professional (and amateur) spammers could give two-shits about your blog and your facile defense. Obviously the defense you propose will not scale to protect major websites.
27. Re:Captcha ZDR .... by hvm2hvm · 2011-01-11 08:35 · Score: 1
  
  They are usually solved by random humans that browse the net but have a toolbar or trojan installed that adds a captcha now and then to the pages (captchas which are taken from requests from decaptcher's customers).
  
  --
  ics
28. Re:Captcha ZDR .... by Jane+Q.+Public · 2011-01-11 08:46 · Score: 1
  
  Their teams are also (not a joke) typically in third-world countries and will work for $0.20 / hour.
29. Re:Captcha ZDR .... by Jane+Q.+Public · 2011-01-11 08:52 · Score: 1
  
  No, they are usually solved by teams of third-world workers who get paid about $0.001 per captcha. There are ads all over the "freelance" boards for such services.
30. Re:Captcha ZDR .... by takowl · 2011-01-11 08:57 · Score: 1
  
  I thought they fed back results, so that after an unclear word was 'confirmed' by enough users, it was reused as the known word. Which would still leave you trying to OCR words that hadn't been OCRed before.
31. Re:Captcha ZDR .... by Khyber · 2011-01-11 09:51 · Score: 1
  
  Good thing my animated image captcha is still unbroken!
  Random clips from animes makes for an excellent security question.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
32. Re:Captcha ZDR .... by BillX · 2011-01-11 12:56 · Score: 1
  
  Unfortunately, I have found spammers WILL target high-profile sites singly in such a case. In my case (a relatively well-known message board, running phpBB at the time) spambot scripts would post hundreds of fake user registrations per day for google juice (the list of registered users was public, even for unconfirmed users, and included a 'website' field). Performing a very similar mod to your example (leaving the 'Website' field intact but hidden from human users; adding a new field 'asdfilgfknn' for humans to enter a website address) staved off the spam for less than two weeks, at which point the bot scripts were updated with an equally trivial change.
  
  --
  Caveat Emptor is not a business model.
33. Re:Captcha ZDR .... by DarwinSurvivor · 2011-01-11 15:41 · Score: 1
  
  Yes, you are absolutely correct. Where he said "sometimes" it works, those are the times where the easy word just happened to also be the control word.
34. Re:Captcha ZDR .... by adamdoyle · 2011-01-11 16:22 · Score: 2
  
  All captchas are practically useless. There is no need to crack them - for example decaptcher solves 1000 captchas for $2. Any captcha type works since they're solved by humans.
  I bet this type of captcha would still work well on sites like mathoverflow or wolfram...
  The answer is zero, btw. (which was a little anticlimactic, if you ask me)
35. Re:Captcha ZDR .... by kmoser · 2011-01-11 17:42 · Score: 1
  
  Thanks for that tip! I'll be sure to alter my bot to ignore hidden form fields. What did you say your feedback URL was?
36. Re:Captcha ZDR .... by totally+bogus+dude · 2011-01-11 18:55 · Score: 1
  
  Specific questions are difficult to scale though. It works well against normal users (who only have their own resources at their disposal), but if you're running a captcha-breaking business, you have a lot of people with the ability to access a centralised database and customised software. They probably can't make a program smart enough to 'watch' an advert and answer arbitrary questions about it or correctly interpret an idiomatic expression, but once one of their employees has worked out the answer, the question/answer pair gets added to the database and that particular question can be answered by everyone else without thought - or even by software without any human interaction.
  The only solution to that is to increase the number of questions so the database hit-ratio becomes very low, but that's quite hard to do. Most such questions will need to be written by a human rather than machine-generated, so it quickly becomes more expensive than just deleting the spam. Plus, there's typically a limited number of questions you can ask, especially if you consider that the questions need to be simple enough for legitimate users to be able to answer.
37. Re:Captcha ZDR .... by wunderbus · 2011-01-11 19:20 · Score: 1
  
  I know you were just joking, but he said invisible, not hidden as in type="hidden". There are too many ways to make a form field invisible for a bot to deal with. It's actually a really good idea.
38. Re:Captcha ZDR .... by wertigon · 2011-01-12 00:25 · Score: 1
  
  Yep.
  A few of my favorites;
  * Set the CSS property to "display : none;"
  * Hide it behind a div using CSS z-index
  * Hide it off-screen by using absolute positioning
  Of course, all of these are also attainable by setting them with JavaScript. Spambots would basicly need something like Firebug to get around these techniques, especially the last one.
  Big sites will still be a target, but small sites would be rather protected.
  
  --
  systemd is not an init system. It's a GNU replacement.
39. Re:Captcha ZDR .... by wertigon · 2011-01-12 00:39 · Score: 1
  
  15 seconds per captcha?
  Make a form that has ten captchas and ten input fields. Filling that out would take around 10 seconds after some practice. Add another 10 seconds for mistypes and waiting for the server to respond, tadah, all done! 2 seconds per captcha is much more reasonable. Which would bring those 16 hours down to 4000*2 seconds, or 8000 seconds, which is 133 minutes and 20 seconds, or 2 hours, 13 minutes and 20 seconds. Add in a pee break and you're at 140 minutes for 4k captchas.
  So 10k captchas for one person in one day is far from impossible. You just need to keep worker motivation up.
  
  --
  systemd is not an init system. It's a GNU replacement.
40. Re:Captcha ZDR .... by c6gunner · 2011-01-12 08:44 · Score: 1
  
  I guess. I just find the whole idea so depressing that I'm having a hard time analyzing it rationally.
41. Re:Captcha ZDR .... by adamdoyle · 2011-01-12 13:27 · Score: 1
  
  I'm pretty sure the answer is 28... but my calculus is a bit rusty. One of use just failed that captcha (and basic math)!
  I cheated
  Also, it makes sense. Sin(theta - Pi/2) is the same as Cos(theta). The derivative of Cos(theta) is Sin(theta). And substituting x=0 will give you zero for the problem. (I'm in O.D.E.'s right now so it's all rather fresh)
42. Re:Captcha ZDR .... by adamdoyle · 2011-01-12 13:35 · Score: 1
  
  here's my work: (without cheating this time)
  d/dx[4*sin(7x - x/2)]
  = d/dx[4*cos(7x)]
  = 4*7*sin(7x)
  = 28*sin(7x)
  (sub. x=0)
  = 28*sin(0)
  = 0
Does this mean.... by GreenSeven · 2011-01-11 02:50 · Score: 1

that website administrators will have to actually verify user accounts?? Might mean more work for admins but isn't that a fair trade off for quality content?

--
The Copper Tribe - Office Software Solutions
1. Re:Does this mean.... by icebraining · 2011-01-11 03:05 · Score: 1
  
  There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.
  
  --
  Dilbert RSS feed
2. Re:Does this mean.... by Moryath · 2011-01-11 03:15 · Score: 4, Insightful
  
  The problem is simple to solve though:
  Spamming is profitable. That's why the spammers do it.
  What we need is simple: we need to make Spamming unprofitable. (I almost said make Spam unprofitable, but I actually kinda like Hormel's product).
  This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
  That leaves the virus-purveyors and identity-theft types to deal with, true, but the bulk of the money spent on breaking CAPTCHA solutions and everything else comes from the spam-for-profit guys, so if we hit them first, the rest are more manageable.
3. Re:Does this mean.... by mysidia · 2011-01-11 03:18 · Score: 3, Funny
  
  This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
  Yes, but they will hire spammers for a different reason. To advertise their competitor's product, in order to nuke the competition. Then once the competition is gone, sales will increase, and they can boost prices
4. Re:Does this mean.... by Moryath · 2011-01-11 03:25 · Score: 1
  
  Once you haul the spammer in, it's easy enough to tell who paid him.
5. Re:Does this mean.... by joelsherrill · 2011-01-11 03:26 · Score: 1
  
  There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.
  I have run a fan forum (phpbb) for a musician for about 7 years. At peak times we have gotten up to 50-100 spam account attempts a day. I added a captcha which does not stop everything but slows it down a lot. http://www.stopforumspam.com/ is a good resource for checking if the email or nick is a known spammer. A quick google on the nick and you can often guess based on how many hits you get and the "interests" is a good indicator. Email addresses which look like incremented numbers, pharma ads, etc. are spotted and dropped. We have seen multiple cases of countries which are sources of "cheap manual labor" as sources of semi-automated or repeated manual attempts with clearly algorithmically generated names. Given the subject matter of this forum, I felt OK blocking countries which cause too many problems. This would NOT be an acceptable solution for other forums. I don't know if someone could automate it or not but I can tell you that we are fairly reliable at not allowing spam accounts.
6. Re:Does this mean.... by fulldecent · 2011-01-11 03:31 · Score: 1, Troll
  
  When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
  The problem is Google fails to release any product that makes them money. Since they hold the keys to speech recognition, language translation, and spam detection, you can be sure that the science will advance in these fields at Mach 1 pace, and zero useful/profitable products will be made available.
  
  --
  -- I was raised on the command line, bitch
7. Re:Does this mean.... by realityimpaired · 2011-01-11 03:40 · Score: 1
  
  I had a phpbb board for a while, and my technique was to replace the captcha with a fill-in-the-blank. Dead simple for a human, but when I made my change, the number of spam bots we got dropped to zero. Without needing to subscribe to an external script to do it.
  The system was stupid simple, it's ridiculous how effective it was, too.... I made up an image which had the website's URL minus a word. The instructions were to fill in the missing word. So if the website was "www.theincredibleworldofgoo.com" the picture would show "www.theincredible_____ofgoo.com" and the instructions would be to fill in the blanks. Worked remarkably well. :) Took a little hard coding on my part, but it should be pretty trivial to write a module that does the image generation for you.
8. Re:Does this mean.... by Deep+Esophagus · 2011-01-11 03:41 · Score: 5, Interesting
  
  My wife moderates a couple of local Freecycle [tm] lists, and she requires new subscribers to mention some nearby landmark in their neighborhood to show they really are local. The result: NO spam, ever. Once or twice in ten years she's actually had someone try to make up a plausible sounding name that they must have picked up from a yellow pages search because it referred to the name you can see on maps and not what everybody actually calls the place.
9. Re:Does this mean.... by SigmundFloyd · 2011-01-11 03:44 · Score: 2
  
  The problem is simple to solve though:
  Spamming is profitable. That's why the spammers do it.
  What we need is simple [...]
  That just goes to show that you're a clueless noob.
  
  --
  Knowledge is power; knowledge shared is power lost.
10. Re:Does this mean.... by flimflammer · 2011-01-11 03:47 · Score: 1
  
  You're reading a sig, man.
11. Re:Does this mean.... by natehoy · 2011-01-11 04:19 · Score: 3, Interesting
  
  Spam already leads to mail fraud in some cases, and that fraud is generally prosecuted where possible. Very few legitimate companies use spam any more. The illegitimate ones are harder to catch.
  There are actually several problems with this:
  1. Not all that many shipping operations that use spammers operate under US law. Products are usually shipped from overseas (if any product is shipped at all!) and you can't fine a foreign entity without an agreement with that entity's native government (which, of course, spammers choose carefully to avoid such things). So you'd be limited to the people the police are already prosecuting, and that population is dwindling.
  2. "kill your business for good" fines are what got us into multi-million-dollar fines for "casual" copyright infringement (the large fines were originally designed to drain commercial "piracy factories" of their resources, not to bankrupt a person for life because they shared 3 albums on LimeWire). We'd have to be very careful with any law to target the people we want to hurt, rather than opening anyone who posted an actual personal product recommendation somewhere to a $5,000,000 spammer suit.
  3. Many of the products sold are actually counterfeit, and are shipped from faked addresses and just dropped off at the post office. Again, if anything was shipped at all. If I wanted to put Symantec out of business, I could very profitably sell pirated Norton Antivirus and drop a few dozen units off at the post office nearest Symantec's corporate HQ, with a return address label that has their address on it. Symantec would be stuck with the burden of proof that they didn't ship the product. You'd have to check ID every time someone sent a letter and make sure the "from" address matches their ID (which means no more mailbox pickup, all letters and packages must be posted individually).
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
12. Re:Does this mean.... by alphax45 · 2011-01-11 04:26 · Score: 1
  
  It's for sure the sig
  
  --
  K Man
13. Re:Does this mean.... by natehoy · 2011-01-11 04:37 · Score: 1
  
  I have a php-Nuke board that's been around for a while. I not only had a problem with spammers, but the sheer volume of attacks was slowing down my site and filling up my database.
  I installed NukeSentinel on my phpbb board, and made people sign up with an email address (with an activation link sent to that address). For a while I set it up so I had to approve each account, but I switched that off about 6 months ago and haven't seen any difference.
  I also looked for "attacks" using Sentinel's logging facility and basically blacklisted entire IP address ranges from Romania, Bulgaria, and many other countries with lots of consonants in their names. I also blacklisted tons of addresses from China. This took about a month of half-hour-a-day effort, but now I just check it every few weeks and if I see a really heavy attacker I block the entire address range of their ISP. I have yet to see an attack originating from the US, and my site is very US-centric, so I can get away with that.
  Result? Zero spam in over a year. Consistent subsecond response time. Happy user base.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
14. Re:Does this mean.... by daid303 · 2011-01-11 04:39 · Score: 2
  
  Wouldn't be so hard to defeat by a script. But the reason why your spam dropped to zero is because your "one of a kind" system wasn't targeted. I have a even simpler system that just requires the same sentence every time you sign up. But the field name in code is gibberish and because my site is low volume spammers don't target my script directly.
  And that's what I would suggest for everyone, the sollution is not to have 1 super captcha system that rules it all. Have 1.000.000 of them, once they are cracked they are easy replaced, and it makes it god damn difficulty to target lots of small sites in 1 go.
15. Re:Does this mean.... by spectro · 2011-01-11 04:43 · Score: 1
  
  This is my idea too, I have several wordpress blogs I haven't maintained in years. I get a handful of new sign ups a week I totally ignore because comments are completely disabled.
  If I ever get back to these blogs I will only allow comments from people with a social network account (twitter followers, facebook friends). This way I leave the blunt of the blocking to them.
  
  --
  HTML is obsolete. It's time for a new, simpler and richer markup language.
16. Re:Does this mean.... by heypete · 2011-01-11 05:01 · Score: 2
  
  When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
  Why not just use Akismet.com? It works great.
  My small blog was getting a modest amount of spam (about 150/day), and Akismet would miss maybe one every few months. Not bad, but having to sort through the messages in the spam queue was really annoying. I found a decent compromise: messages flagged by Akismet were presented with a captcha. If the captcha was completed successfully, the message went into the moderation queue (as it was still spammy enough to trip Akismet). If not, the message is permanently delete. This has no effect on my commenters, as they don't trip Akismet, and there hasn't been a single message to get through yet.
  Probably doesn't scale to enormous sites, but works well for small ones. For what it's worth, I'm using the standard WordPress Akismet plugin and Conditional Captcha.
17. Re:Does this mean.... by 1u3hr · 2011-01-11 05:19 · Score: 2
  
  nasty "kill your business for good" level fine for every product that goes out in a spamming campaign
  http://en.wikipedia.org/wiki/Joe_job
18. Re:Does this mean.... by 1u3hr · 2011-01-11 05:22 · Score: 1
  
  When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
  They have done absolutely nothing to stop spammers using Google Groups from spewing all over Usenet. They obviously could easily detect and block 99% of spam, but choose not to.
19. Re:Does this mean.... by shish · 2011-01-11 05:25 · Score: 1
  
  Akismet only works for filtering text -- captchas have much wider uses
  
  --
  I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
20. Re:Does this mean.... by Magic5Ball · 2011-01-11 05:34 · Score: 2
  
  So what? It demonstrates a point relevant to the discussion.
  --
  Discount Helicobacter pylori
  
  --
  There are 1.1... kinds of people.
21. Re:Does this mean.... by GreenSeven · 2011-01-11 05:45 · Score: 1
  
  As a matter of fact, I would sit and verify user accounts all day for whatever money it made me, if it meant that people creating accounts on my site were actually interested in my content and not just there to post some kind of inflammatory remark and never come back. And there are all kinds of different ways to verify accounts. Craigslist verifies accounts with a phone call. Another reader said his wife has the user requesting an account send her some information about a location in their area that only a person living there would know. Of course these are just examples but there could be all kinds of different solutions depending on the content of your site. Of course making users jump through hoops to create accounts is unnecessary, but sometimes the quick fix isn't the answer either...
  
  --
  The Copper Tribe - Office Software Solutions
22. Re:Does this mean.... by Anonymous Coward · 2011-01-11 06:04 · Score: 1
  
  What about those that have just moved into the area and are looking for some supplies? They wouldn't know the local landmark names yet, only the official names.
23. Re:Does this mean.... by russotto · 2011-01-11 06:39 · Score: 1
  
  If I wanted to put Symantec out of business, I could very profitably sell pirated Norton Antivirus and drop a few dozen units off at the post office nearest Symantec's corporate HQ, with a return address label that has their address on it. Symantec would be stuck with the burden of proof that they didn't ship the product.
  OK, so what's the problem again?
24. Re:Does this mean.... by natehoy · 2011-01-11 06:53 · Score: 1
  
  Hmm, good point.
  Let me rephrase that.
  If I wanted to put Microsoft...
  Nope, still not working...
  Umm, If I wanted to put Apple...
  Drat.
  I know! If I wanted to monopolize the toy business by eliminating all competition to my line of JarJar Binks figurines, I'd send out spam in the name of all other toymakers.
  Is that better?
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
25. Re:Does this mean.... by BattleApple · 2011-01-11 07:30 · Score: 1
  
  i just turned sigs off, and it went away. fyi, I'm using dynamic index.. not sure if it makes a difference
26. Re:Does this mean.... by BattleApple · 2011-01-11 07:31 · Score: 1
  
  oh, nevermind, it's still there.
27. Re:Does this mean.... by Magic5Ball · 2011-01-11 07:53 · Score: 1
  
  The Windows Media Codec pack is irrelevant on its own, but (intentionally or not) points out that content to some may be noise to others. In particular, content, like Genuine Prairie Narwhal can generate human and bot attention and activity for otherwise banal or valueless terms in various databases.
  It's conceptually similar to the game.
  
  --
  There are 1.1... kinds of people.
28. Re:Does this mean.... by ShaunC · 2011-01-11 08:03 · Score: 1
  
  You'd have to check ID every time someone sent a letter and make sure the "from" address matches their ID (which means no more mailbox pickup, all letters and packages must be posted individually).
  This is pretty much the case already with any parcel over 13 ounces, ever since the anthrax "attacks." Why they chose 13 ounces as their arbitrary limit I won't ever understand, but don't go hoping to ship boxed copies of software without having to interact with a postal clerk.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
29. Re:Does this mean.... by KhabaLox · 2011-01-11 08:13 · Score: 1
  
  I will only allow comments from people with a social network account (twitter followers, facebook friends).
  Thank you for promising to contribute to the death of the internet. How you got from OpenID to Facebook sign-in I have no idea.
  
  --
  Ceci n'est pas un sig.
30. Re:Does this mean.... by spectro · 2011-01-11 08:52 · Score: 1
  
  Unfortunately I think OpenID is going nowhere because (imho) is a bitch to implement. If they wanted everybody to use it they should have designed it in an easy way to include in your website.
  On the other hand, facebook, twitter, etc make it really easy to use their authentication to comment in your blog, they also handle canceling accounts created to spam for you since half the internet will have them reported before they can spam my blog.
  Besides, having a facebook account is not a big deal, just don't use your real info and tell your friends who you really are.
  
  --
  HTML is obsolete. It's time for a new, simpler and richer markup language.
31. Re:Does this mean.... by natehoy · 2011-01-11 09:15 · Score: 1
  
  Really? I haven't shipped parcels USPS recently, so I honestly don't know... are they actually checking photo ID against the printed return address?
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
32. Re:Does this mean.... by spiralx · 2011-01-11 09:18 · Score: 1
  
  You'd be surprised I think... most spammers will be isolated from the actual company with a product through several layers of marketing sub-contractors, making it next to impossible to pin spamming on the real company itself.
33. Re:Does this mean.... by KhabaLox · 2011-01-11 09:28 · Score: 1
  
  I agree with you about OpenID. It needs to be far more user friendly. And you do have a point about FB login - it works because it's so user-friendly (i.e. easy to set up). The danger is that it is not an open standard, and it puts too many eggs in one basket. If there were enough choices of ID providers, then maybe I wouldn't be so worried. But then the website has to enable all of them. Better to have some open standard like OpenID in which the authentication could be done by Facebook, Twitter, Google, Apple, Microsoft, yourself or whomever. Then each website could enable the single standard, and the user could choose which "host" to use for his/her ID authentication.
  
  --
  Ceci n'est pas un sig.
34. Re:Does this mean.... by gilgongo · 2011-01-11 09:52 · Score: 1
  
  What we need is simple: we need to make Spamming unprofitable. (I almost said make Spam unprofitable, but I actually kinda like Hormel's product).
  This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
  Your post advocates a
  ( ) technical ( ) legislative (x) market-based ( ) vigilante
  approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
  ( ) Spammers can easily use it to harvest email addresses
  ( ) Mailing lists and other legitimate email uses would be affected
  ( ) No one will be able to find the guy or collect the money
  ( ) It is defenseless against brute force attacks
  ( ) It will stop spam for two weeks and then we'll be stuck with it
  ( ) Users of email will not put up with it
  ( ) Microsoft will not put up with it
  ( ) The police will not put up with it
  ( ) Requires too much cooperation from spammers
  ( ) Requires immediate total cooperation from everybody at once
  ( ) Many email users cannot afford to lose business or alienate potential employers
  ( ) Spammers don't care about invalid addresses in their lists
  (x) Anyone could anonymously destroy anyone else's career or business
  Specifically, your plan fails to account for
  ( ) Laws expressly prohibiting it
  ( ) Lack of centrally controlling authority for email
  ( ) Open relays in foreign countries
  ( ) Ease of searching tiny alphanumeric address space of all email addresses
  ( ) Asshats
  (x) Jurisdictional problems
  ( ) Unpopularity of weird new taxes
  ( ) Public reluctance to accept weird new forms of money
  ( ) Huge existing software investment in SMTP
  ( ) Susceptibility of protocols other than SMTP to attack
  ( ) Willingness of users to install OS patches received by email
  ( ) Armies of worm riddled broadband-connected Windows boxes
  ( ) Eternal arms race involved in all filtering approaches
  (x) Extreme profitability of spam
  ( ) Joe jobs and/or identity theft
  ( ) Technically illiterate politicians
  (x) Extreme stupidity on the part of people who do business with spammers
  ( ) Dishonesty on the part of spammers themselves
  ( ) Bandwidth costs that are unaffected by client filtering
  ( ) Outlook
  and the following philosophical objections may also apply:
  (x) Ideas similar to yours are easy to come up with, yet none have ever
  been shown practical
  ( ) Any scheme based on opt-out is unacceptable
  ( ) SMTP headers should not be the subject of legislation
  ( ) Blacklists suck
  ( ) Whitelists suck
  ( ) We should be able to talk about Viagra without being censored
  ( ) Countermeasures should not involve wire fraud or credit card fraud
  ( ) Countermeasures should not involve sabotage of public networks
  ( ) Countermeasures must work if phased in gradually
  ( ) Sending email should be free
  ( ) Why should we have to trust you and your servers?
  ( ) Incompatiblity with open source or open source licenses
  ( ) Feel-good measures do nothing to solve the problem
  ( ) Temporary/one-time email addresses are cumbersome
  ( ) I don't want the government reading my email
  (x) Killing them that way is not slow and painful enough
  Furthermore, this is what I think about you:
  (x) Sorry dude, but I don't think it would work.
  ( ) This is a stupid idea, and you're a stupid person for suggesting it.
  ( ) Nice try, assh0le! I'm going to find out where you live and burn your
  house down!
  
  --
  "And the meaning of words; when they cease to function; when will it start worrying you?"
35. Re:Does this mean.... by gridzilla · 2011-01-11 09:55 · Score: 1
  
  Duh, ask a colleague, friend or roommate?
36. Re:Does this mean.... by Johnno74 · 2011-01-11 11:56 · Score: 1
  
  Are you on drugs? I brought a corned beef sandwich once when I was in the UK, turns out they used spam.
  
  I totally thought someone had put something from a can of catfood in my sandwich and I was bitching to my workmates until someone confirmed it was genuine spam.
  
  I couldn't eat it, and I seriously doubt if my cat would have either.
37. Re:Does this mean.... by mysidia · 2011-01-11 12:37 · Score: 1
  
  Once you haul the spammer in, it's easy enough to tell who paid him.
  Yeah... some masked guy with a throwaway hotmail account, who paid the spammer in unmarked 100s and gold coins.
  A retainer upfront, and then periodic amounts based on counted hits to the target.
38. Re:Does this mean.... by icebraining · 2011-01-11 12:40 · Score: 1
  
  So I'm supposed to give my phone number or paypal account to any random website that wants me to register? Thanks, but no thanks.
  Besides, you can automate both, it's not like there aren't online services to receive SMS or you can't write a Paypal interface system.
  
  --
  Dilbert RSS feed
39. Re:Does this mean.... by icebraining · 2011-01-11 12:44 · Score: 1
  
  But that's neither reasonable for many small communities because their admins aren't programmers, nor for large communities because they are worth writing custom code.
  
  --
  Dilbert RSS feed
40. Re:Does this mean.... by Entropy98 · 2011-01-11 16:14 · Score: 1
  
  Have you ever run a successful content site?
  Craigslists phone verification isnt manual, and such a system is probably out of reach for most smaller sites. Isnt craigslist full of spam anyway?
  Verifying accounts manually is rarely economically viable. Making users jump through hoops discourages people from joining your site.
  I've got a site with 110,000 registered users. Manually verifying all 110,000 of them would have been a waste of hundreds of hours (at least) of my time which could have been better spent working on something actually productive, some spammers would have still gotten through, and I'd have lost members who were too impatient to wait the several hours at best average account approval time. And what if I want a day off, or a week off?
  The most efficient way to deal with spam is to use some sort of automatic account verification (email, captcha, phone), have some custom filters to detect common spam methods (like trying to post a link in the first message upon joining), and then deleting/banning the spammers that get through.
  This is what all successful websites do, because it is currently the best solution.
41. Re:Does this mean.... by SnowZero · 2011-01-11 18:13 · Score: 1
  
  Polygamy?
42. Re:Does this mean.... by badkarmadayaccount · 2011-01-14 08:35 · Score: 1
  
  Facebook is an OpenID provider.
  
  --
  I know tobacco is bad for you, so I smoke weed with crack.
Theres only one weapon left in the arsenal by antifoidulus · 2011-01-11 02:51 · Score: 5, Insightful

Come on Google, we all know that in the Capcha war, we only have one weapon left, capcha porn. There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"

--
Monstar L
1. Re:Theres only one weapon left in the arsenal by Abstrackt · 2011-01-11 03:02 · Score: 4, Funny
  
  There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"
  Six and the Arabian spinecracker.
  You could just hire people from /. to solve captcha porn.
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
2. Re:Theres only one weapon left in the arsenal by Anonymous Coward · 2011-01-11 03:04 · Score: 1
  
  Why? Because there's no software that can generate such questions on the fly. Someone has to do it manually, and that's no an option in today's keep-it-cheap lifestyle. If Google or someone else could do a penetration count, so could mr spammer.
3. Re:Theres only one weapon left in the arsenal by Anonymous Coward · 2011-01-11 03:09 · Score: 2, Informative
  
  The trouble with this (and less funny image suggestions) is that the "CA" in "CAPTCHA" stands for "Completely Automated".
  CAPTCHAs work as a sort of AI hash function: it's easy for a computer to generate, but hard for one to solve. Using images for tests like "what position is this", or, more realistically, "is this a cat or dog" violates that principle: Creating the CAPTCHA is just as much work as it is to solve! On top of that, the finite availibility of images allows for a database attack. Even having 5-10% of the images known makes the CAPTCHA fairly useless.
  One possible furture, though, is rendered images. So, for example, have a creature creator generate a dog and cat then ask which one's bigger. There are a few discussions/papers on the topic (e.g. a least one suggests determining which object is in front of another). The point is though, that using photos is a dead end. There are too few and/or it's too difficult to determine the correct answer.
4. Re:Theres only one weapon left in the arsenal by TheL0ser · 2011-01-11 03:21 · Score: 2
  
  Yes, but how many of us would answer "retrograde wheelbarrow" to every position question? I know I would.
5. Re:Theres only one weapon left in the arsenal by Caerdwyn · 2011-01-11 07:33 · Score: 1
  
  Yes, but by the time they got to the third captcha you'd need to replace the keyboard.
  
  --
  Everybody gets what the majority deserves.
6. Re:Theres only one weapon left in the arsenal by intangible · 2011-01-11 07:46 · Score: 1
  
  Sounds like a decent method, but even a 25% success rate in automated spam postings would be a success for the spammers.
  Doesn't even hurt them if you go to 9 or 10 images.
7. Re:Theres only one weapon left in the arsenal by veganboyjosh · 2011-01-11 07:49 · Score: 1
  
  I don't have any background in this, but am completely fascinated by the AI implications of CAPTCHA busting bots/tech.
  
  I wonder if the "there can't be enough photos" issue could be solved by a script/pulling photos from a large set of images from the web itself? ie, a flickr stream/group that is specifically tagged by users for this, to contribute to the pool for image use by a presumably OSS type CAPTCHA system...
8. Re:Theres only one weapon left in the arsenal by waives · 2011-01-11 08:28 · Score: 1
  
  um yeah a 25% failure rate against random attacks is really a great success...
"Search King" by Jeremiah+Cornelius · 2011-01-11 02:52 · Score: 1

In capitals, like this?
Did they pull the crown from the hands of the Pope, himself at the coronation ceremony, and declare - as did Napoleon - "I am King!"

--
"Flyin' in just a sweet place,
Never been known to fail..."
1. Re:"Search King" by dkleinsc · 2011-01-11 02:53 · Score: 1
  
  No, more like "Burger King".
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
2. Re:"Search King" by drinkypoo · 2011-01-11 02:54 · Score: 3, Funny
  
  Look, all you have do to confirm it is just google for "most popular search engine"...
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:"Search King" by RussellSHarris · 2011-01-11 03:01 · Score: 2
  
  Just to make things interesting, I binged it (has bing been verbed yet?). The top result was something from 2006 (!) that lists Google with about 49% of the search market, and the 4th said right in the search result headline, "Google is the Most Popular Search Engine in the World".
  (Top result in a search for popularity is 4 years old? But just to be fair I checked Google, and it gave the same first result, strangely enough.)
4. Re:"Search King" by Nimey · 2011-01-11 03:13 · Score: 1
  
  More like the submitter doesn't like Google and used it pejoratively.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
5. Re:"Search King" by gomiam · 2011-01-11 03:32 · Score: 1
  
  If they had done as Napoleon did, they would be "Search Emperor" ;)
6. Re:"Search King" by qmaqdk · 2011-01-11 04:04 · Score: 3, Insightful
  
  Just to make things interesting, I binged it (has bing been verbed yet?). ...
  Well, it's a verb, but it's past tense of binge (as in drinking).
  
  --
  My UID is prime. Hah!
7. Re:"Search King" by drosboro · 2011-01-11 04:50 · Score: 1
  
  (has bing been verbed yet?)
  I'm getting old. I hadn't realized that "verb" had been verbed yet.
8. Re:"Search King" by Jeremiah+Cornelius · 2011-01-11 08:07 · Score: 1
  
  Well we are all "Search Josephine"
  Scr@wed... :-)
  
  --
  "Flyin' in just a sweet place,
  Never been known to fail..."
9. Re:"Search King" by thegarbz · 2011-01-11 12:01 · Score: 1
  
  That explains it! I was wondering why I got "buy asprin here" as my first search result for "aspiring chemist"
We already knew this. by RussellSHarris · 2011-01-11 02:53 · Score: 1

I seem to recall somebody posting a video showing reCAPTHCA-cracking with something like 30% accuracy. That's very broken.
1. Re:We already knew this. by Vintermann · 2011-01-11 04:52 · Score: 1
  
  Not necessarily. After all, a patient spammer could just read the post himself and enter the captcha manually. The reason they don't do this is that the ROI on spam is so ridiculously low (spam kings like Alan Ralsky got around this problem by selling spam services to unscrupulous companies that thought it would be profitable). Every CPU cycle spent breaking a captcha is profit down the drain for the spammer. Not to mention the payment to developers who come up with anti-captcha techniques.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
2. Re:We already knew this. by Vintermann · 2011-01-11 17:33 · Score: 1
  
  How much cash is a botnet worth? Depends, among other things, on how many cycles it takes to break a captcha. As with the email spam buyers, spam service buyers almost certainly overvalue the services they buy from botnet owners.
  
  --
  xkcd is not in the sudoers file. This incident will be reported.
Google reCAPTCHA cracked... again by Anonymous Coward · 2011-01-11 02:53 · Score: 3, Informative

FTA:

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
Well, last year someone showed ad DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already.
So how is this news? Am I missing something?
1. Re:Google reCAPTCHA cracked... again by prxp · 2011-01-11 02:57 · Score: 4, Informative
  
  Really old news. The guy's paper is dated 2009. It might be possible that Google hasn't act on it yet, but it is the same thing from one year ago. Sensationalism mode detected!
News for nerds, stuff that mattered... by derfy · 2011-01-11 02:56 · Score: 4, Informative

...last year.
Google reCAPTCHA cracked
Written by John P Mello Jr on January 5, 2010
1. Re:News for nerds, stuff that mattered... by Cthefuture · 2011-01-11 03:08 · Score: 4, Interesting
  
  Yeah but something has happened recently, maybe the spammers got a new tool or something because I have noticed a whole bunch of spam being posted on my reCAPTCHA protected sites. This just started in the last couple of days where previously I had none.
  
  --
  The ratio of people to cake is too big
2. Re:News for nerds, stuff that mattered... by Nimey · 2011-01-11 03:14 · Score: 1
  
  Maybe that would explain all the Usenet spam coming from Google Groups lately.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
3. Re:News for nerds, stuff that mattered... by John+Hasler · 2011-01-11 04:54 · Score: 1
  
  "Lately"?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
4. Re:News for nerds, stuff that mattered... by skivvies · 2011-01-11 05:03 · Score: 1
  
  Yeah but something has happened recently, maybe the spammers got a new tool or something because I have noticed a whole bunch of spam being posted on my reCAPTCHA protected sites. This just started in the last couple of days where previously I had none.
  +1 I've had the same thing on my Drupal page that uses ReCAPTCHA. Getting about 3-5 spam bot hits an hour trying to sign up for accounts. It started happening about 4 days ago.
5. Re:News for nerds, stuff that mattered... by Nimey · 2011-01-11 07:06 · Score: 1
  
  There's a big spam campaign going on for almost two weeks now, after a fairly long dry spell.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
6. Re:News for nerds, stuff that mattered... by societyofrobots · 2011-01-11 10:21 · Score: 1
  
  Its been cracked at least since the end of 2008, when my reCAPTCHA protected site started getting inundated by spammers again . . . I've been telling people since we need a new defense, but all I heard back was 'reCAPTCHA is invincible'.
  It's an arms race, a never ending one, and spammers will always figure out a way around anything - given time.
7. Re:News for nerds, stuff that mattered... by bill_mcgonigle · 2011-01-11 16:32 · Score: 1
  
  Agreed! I've had near-zero spam for a good period of time, and noticed a distinct leap in the last 2 or 3 weeks.
  Oh, does AOL use it? That's when my AIM spam pegged the meter (now set to buddies-only...).
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
End of reCAPTCHA? by deains · 2011-01-11 02:56 · Score: 3, Informative

As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the amount of times I've got incomprehensible jibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.
1. Re:End of reCAPTCHA? by SteveFoerster · 2011-01-11 03:03 · Score: 1
  
  Aren't the gibberish words assembled from different letters from different unsolved words or something? They didn't talk that funny back then.
  
  --
  Space game using normal deck of cards: http://BattleCards.org
2. Re:End of reCAPTCHA? by Aladrin · 2011-01-11 04:00 · Score: 2
  
  That's assuming that it's really giving good answers, and that's why it works.
  My understanding is that it uses previous answers to check future answers. Answer incorrectly enough and it thinks that is a correct answer.
  Now, lately, I've been finding reCAPTCHAs that claim I got them wrong. I assumed I just mistyped, but it used to be a MUCH rarer occurance.
  Maybe I'm getting them right, but the spambots are flooding it with wrong answers?
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
3. Re:End of reCAPTCHA? by brian_tanner · 2011-01-11 04:01 · Score: 2
  
  It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet...
  Laziness has nothing to do with it. It's kindof a hard problem. The solution is worth billions. Trust me, Google really does not like the amount of spam sent from their own accounts that clogs their own services and defraud their own users. Defeating these bots is a high priority for them and everyone else. Each of these companies is basically an army of geniuses. It's a hard problem.
4. Re:End of reCAPTCHA? by Zalminen · 2011-01-11 04:06 · Score: 1
  
  So?
  
  If you're unlucky enought to get something strange, there's a button to get a new pair of words right away. I've never received two difficult ones in a row and by now I must have solved hundreds of them...
5. Re:End of reCAPTCHA? by spectro · 2011-01-11 04:49 · Score: 1
  
  And they are making them harder to solve for actual humans, I have found myself failing reCaptcha on ticketmaster several times in the last few months.
  
  --
  HTML is obsolete. It's time for a new, simpler and richer markup language.
6. Re:End of reCAPTCHA? by heypete · 2011-01-11 05:05 · Score: 1
  
  I mis-parsed your first sentence as "digesting old books", and was alarmed for a moment.
  Digitizing? Carry on, then.
7. Re:End of reCAPTCHA? by Excelsior · 2011-01-11 07:57 · Score: 1
  
  It doesn't work that way. The control word is always already known. The non-control word that you are helping to OCR never factors into your success or failure. For the non-control word, anything will get by, and there has to be consistent consensus before it is considered "solved" for OCR purposes.
Perhaps it is time to use animals by Anonymous Coward · 2011-01-11 02:59 · Score: 2, Interesting

Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
1. Re:Perhaps it is time to use animals by jolyonr · 2011-01-11 03:10 · Score: 2
  
  I'm not sure animals would find it any easier to solve the captchas than we do :)
  
  --
  
  Please read my Canon EOS tech blog at http://www.everyothershot.com
2. Re:Perhaps it is time to use animals by elashish14 · 2011-01-11 05:40 · Score: 1
  
  I'm sure it'll eventually get patented so no one can use it
  
  --
  I have left slashdot and am now on Soylent News. FUCK YOU DICE.
That would explain... by elFarto+the+2nd · 2011-01-11 03:03 · Score: 1

That would explain why my recaptcha protected forum suddenly started getting 30+ new accounts a day.
Regards
elFarto
1. Re:That would explain... by Archangel+Michael · 2011-01-11 03:55 · Score: 1
  
  I JUST upgraded my website Captcha system because I suddenly started getting bots registering on my small domain (30-40 visits / day). I now have a small math problem and ReCaptcha together, along with a hidden input field that bots love to fill out (if filled out, rejects form submit). Combine all three, and I doubt I'll see bots registering any time soon.
  The real weird thing is that the bots registered but never spammed my site. Odd.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
2. Re:That would explain... by daid303 · 2011-01-11 04:41 · Score: 1
  
  The real weird thing is that the bots registered but never spammed my site. Odd.
  Most likely the bots failed to detect that the registration worked, or failed to parse the actual post pages. I once had a home grown wiki which was totally messed up by bots because they couldn't make heads or tails from it.
How much longer until... by ticketswapz · 2011-01-11 03:03 · Score: 1

... we get the flurry of Wordpress spam registrations and a spike in Gmail related spam?

--
ticketswapz.com - Buy, Sell, Trade Sporting Event and Concert Tickets
1. Re:How much longer until... by Archangel+Michael · 2011-01-11 03:57 · Score: 1
  
  Already get Gmail Spam. Having a Gmail address is no longer guarantee of spamfree email. Spammers have had gmail addresses for a while now. I just wish that we could report SPAM addresses to google and have them suspend the accounts.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
All I can think is what happens when you get: by KurtisKiesel · 2011-01-11 03:10 · Score: 1

Please Identify which animal is a Eierlegende Wollmilchsau.
1. Re:All I can think is what happens when you get: by Rysc · 2011-01-11 03:59 · Score: 1
  
  LOL.
  That is all.
  
  --
  I want my Cowboyneal
reCAPTCHA is already "too good" by citizenr · 2011-01-11 03:14 · Score: 2

Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.

--
Who logs in to gdm? Not I, said the duck.
1. Re:reCAPTCHA is already "too good" by mrsurb · 2011-01-11 03:22 · Score: 1
  
  So you just failed the Turing test? You've outed yourself as an AI!
2. Re:reCAPTCHA is already "too good" by TheL0ser · 2011-01-11 03:23 · Score: 1
  
  Worst I've ever seen, I don't even remember who did it, but they had white lettering on a basically white background. It was a case of "see a few letters, hope you guess the last couple right".
3. Re:reCAPTCHA is already "too good" by DarkOx · 2011-01-11 03:47 · Score: 1
  
  This is an important point though. I too have had enough trouble solving reCAPTCHAs to become frustrated enough just to leave the site, and if I am an AI I don't know it. We have reached a point where I think even if they unbreak reCAPTCHA to the point where machines can't solve them at an effective rate, they will have crossed the threshold where it becomes so hard for humans that a new solution is needed.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
4. Re:reCAPTCHA is already "too good" by chocolatetrumpet · 2011-01-11 05:30 · Score: 1
  
  In the future, only spam bots will be able to register for websites!
  
  --
  Spoon not. Fork, or fork not. There is no spoon.
5. Re:reCAPTCHA is already "too good" by garyebickford · 2011-01-11 06:33 · Score: 1
  
  Totally offtopic, but this made me wonder about the converse of the Turing test - if/when computers are 'smarter' than we are (whatever that means), how will a computer know that it is talking to a true computer, and not a mere human who is possibly commanding a computer?
  Of course the question presumes some limitations on communication language, bandwidth, response time, etc. to make it a fair test. Let's say it's a transmission between two space ships, ten light minutes apart. Has the other space ship been taken over by those human 'rats' that infest it?
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
6. Re:reCAPTCHA is already "too good" by garyebickford · 2011-01-11 06:36 · Score: 1
  
  Maybe it was a program written in Whitespace! :D
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
7. Re:reCAPTCHA is already "too good" by orkysoft · 2011-01-11 23:46 · Score: 1
  
  The other ship would never let that happen, not even when it is Experiencing A Significant Gravitas Shortfall.
  
  --
  
  I suffer from attention surplus disorder.
Usibility vs Security vs Money by SpinningCone · 2011-01-11 03:15 · Score: 1

Too bad really, I like the google captchas because they were easy to read (and served a greater purpose with the book scanning). honestly I wish they would make some of these things harder though. how often do you really need to make an email account? I've done it just a couple times with google and wouldn't be bothered by a more complex captcha system. i suspect they don't do this because they wouldn't want people to get frustrated and go to hotmail instead because the captcha was too hard.
though in the end you can never really win since the most high profile targets will just get focus from actual humans
on a side note i wish the article had more details on how he was cracking. I suspect most slashdotters like myself have pondered captcha systems and how to improve them.
Slashdotted - mirror by winkydink · 2011-01-11 03:15 · Score: 1

http://www.networkmirror.com/mlsurCyIbkJu5Qpr/www.allspammedup.com/2010/01/google-recaptcha-cracked/index.html

--
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
doomed approach by martas · 2011-01-11 03:26 · Score: 1

This approach is doomed, really. Clearly we can come up with other tasks that are difficult for computers and easy for humans, and wait until AI catches up, and move to something else. At some point much sooner than AI fully replicates human intelligence the tasks will be so difficult that in the vast majority of cases it's not just worth it for a human to go through it (e.g. # of cocks inside Jenna in a video , as suggested above). What do we do then? The captcha approach is a temporary solution, and if I had to guess I'd say within 2 decades the "spammer singularity" described above will come.

--
weinersmith
1. Re:doomed approach by Anonymous Coward · 2011-01-11 03:42 · Score: 1
  
  Not really. if AI were to get so advanced then one could use it to filter out spam instead of using a captcha to perevent spam access.
2. Re:doomed approach by Anonymous Coward · 2011-01-11 03:44 · Score: 2, Interesting
  
  What do we do then?
  Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then its worth your time to keep an eye on the site and delete spam as it appears.
3. Re:doomed approach by halcyon1234 · 2011-01-11 05:29 · Score: 1
  
  This approach is doomed, really. ... At some point much sooner than AI fully replicates human intelligence ... What do we do then?
  
  If the AI is smart enough to pass a human-test to send a spam, then another AI will be smart enough to recognize spam and not deliver it.
  
  --
  UTF-8: There and Back Again
4. Re:doomed approach by sam_nead · 2011-01-12 00:18 · Score: 1
  
  If the spammers create an AI that fully replicates human intelligence then hopefully the first thing the AI will do is turn their spammy creators over to the police.
My forum has noticed! by daitengu · 2011-01-11 04:00 · Score: 2

I run a small forum that uses recaptcha . I used to get about 5-10 spam registrations a day. On the 6th I got 148, and the 7th I got 230.

I eventually instaled a plugin from StopForumSpam.com which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.
1. Re:My forum has noticed! by fyrewulff · 2011-01-11 06:31 · Score: 1
  
  I had a forum on a relatively small site that just started getting HAMMERED by spammers.. it was like the reCAPTCHA wasn't even there.
  I switched to the forum's default scambled letter captcha and that stopped the flood for now.
  
  --
  "We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
2. Re:My forum has noticed! by coofercat · 2011-01-12 02:18 · Score: 1
  
  Anecdotally, I can recommend a 'rate limiter' on the front end as well. Essentially, something that challenges the viewer if they view too many pages in too short a time (again, something unexpected that a human can do easily, but a computer cannot - the simplest challenge would be "please click here to continue", but you can go as crazy as you like). In my meagre experience, putting something like that on my sites has reduced my bandwidth costs, hit counts, and comment spam. In my case, Mollom gets the rest.
  Of course, the Big Boys all do this sort of thing already (albeit with far more generous limits than I have), and it's not working for them. Ultimately, if you're a target, then you're going to get hit. However, small sites actually have lots of options available to them. In your case specifically, putting (and checking for) an extra field in the submit form (even if it's just a hidden field) would probably help.
Well, maybe its a good thing by arwild01 · 2011-01-11 04:28 · Score: 1

Now spammers are indirectly using their massive botnets for the cause of OCR conversion of books. :)
1. Re:Well, maybe its a good thing by shish · 2011-01-11 05:34 · Score: 1
  
  Has anyone ever seen any of these books? Last I checked, the recaptcha site describes itself as working on free texts for the good of mankind, but I've never seen the output, and when I tried searching all I could find was other people asking the same question...
  
  --
  I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
the new new new new economy! by Thud457 · 2011-01-11 04:42 · Score: 1

This is teh intarwebs(tm), pr0n == free , unless you're doing it wrong.

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Probably used Google search.. by it5complicated · 2011-01-11 04:42 · Score: 1

To figure out how to do it. Ironic, no?
Panderers? by StikyPad · 2011-01-11 04:50 · Score: 1

successfully exploited by Internet junk mail panderers
How does one pander to junk mail?
Perhaps the word you were looking for is peddlers?

--
https://www.eff.org/https-everywhere
I noticed this. by kerashi · 2011-01-11 05:45 · Score: 1

I used reCAPTCHA on a small phpBB board. Because of the small number of users, I activate any accounts manually, However, since the first of the year I must have gotten 40 attempted registrations. Very annoying, because I got an e-mail for each of them. Switched to a question that only someone familiar with my board would be familiar with, seems to have stopped that stuff.
Tax Forms by AioKits · 2011-01-11 06:03 · Score: 1

Seriously, why not something like google goggles for tax forms? Or is that out there already and I'm just not looking hard enough?

--
"Quote me as saying I was mis-quoted." -Groucho Marx
Simple Block 'em by mhollis · 2011-01-11 07:21 · Score: 1

I use a script for emailing the addresses of my clients and the script is server-side code. And since that does not load unless the form (for an email) is completely filled out, nobody can pre-look at my code and figure out anything.
Client's email address is in a lookup in an SQL database, so nobody can see that, either.
Solution is to capture then BLOCK the IP address of anyone sending spam through the form. So far, I have seen two messages from Belize and one from India. And now those people can no longer even load the websites they spammed. As their world gets smaller and smaller, maybe they will have so few people to email, they'll quit.
This may not work for someone as big as Google, but it certainly works for me and my website clients.

--
Gods don't kill people, people with gods kill people.
Only Primative Spam is for Direct Profit by mathmathrevolution · 2011-01-11 08:46 · Score: 3, Interesting

The nature of Spam is changing. It used to be about penis pill ads being sent indiscriminately by email. Now Spam is being used by major marketers and public relations firms to influence the national discourse and nobody is using email. Spammers are hitting blogs and forums and news sites to try to credibly sway public opinion. They pose as average impartial citizens and try to spread propaganda. Spam is about trying to shout out other people by aggressively inserting the viewpoints of their corporate or political masters. Every major PR firm is going to recommend that it's clients pursue an active online strategy. Not just a website. Not just a responsive blog. Not just a Facebook page. But an army of professional trolls with talking points and corporate directions to sway public opinion in a Web 2.0 setting. Spam has gotten much more insidious because the purveyors of Spam realize that to be effective they must effectively make themselves indistinguishable from the common man.
Digg recently had to reorganize because an army of amateur conservative trolls ("Digg Patriots" and others) was effectively promoting conservative information and burying liberal viewpoints. They got busted because they were ambitious and cocky amateurs. But Burson Marsteller has about 100000000x the money and sophistication and is never going to get caught so easily.
There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!
spam dry spell by Onymous+Coward · 2011-01-11 10:13 · Score: 1

Speaking of a spam dry spell, my mail's spam is down dramatically since the new year.
I haven't parsed logs to find out of my antispam measures are more effective or if the total rate is just down. Anyone else noticing similar?
1. Re:spam dry spell by Nimey · 2011-01-11 10:35 · Score: 1
  
  It seems like the spamfilter at work is sending me somewhat fewer digests detailing the spam it's blocking.
  Maybe the botnets are damaged.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
2. Re:spam dry spell by Onymous+Coward · 2011-01-11 18:32 · Score: 1
  
  IT: Spam Volume Spikes After Holiday Respite on 06:11 PM January 11th, 2011
  http://it.slashdot.org/story/11/01/11/2132211/Spam-Volume-Spikes-After-Holiday-Respite
  Funny, that.
Skill testing question. by steeleyeball · 2011-01-11 12:55 · Score: 1

Not only should the captcha be an image or an audio file but it should also be a question. Then the response shouldn't be just the text version of the question but the text answer to the question. I suggest the questions on the Mensa test.... although that may be setting the bar a little low for Internet use.
Not just a river in Egypt by zieroh · 2011-01-11 15:33 · Score: 1

Google can deny it all they want. Everyone running a decent-sized forum with reCAPTCHA noticed spammers getting their bogus registrations through on January 4th. One day it was working great, the next day spam.
And I don't like spam.
reCAPTCHA is broken. Period.

--
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Scaling by Deep+Esophagus · 2011-01-11 17:02 · Score: 1

I don't; I was just refuting the statement that there is no way to verify user accounts before the user has posted anything. For a local population that can be handled by moderator(s) familiar with the region, that's sufficient. For a larger scale operation where the moderators are not necessarily in the same locality as the users, you would need to use some other method. Maybe ask the visitor to tell you how he feels about his mother?