Google ReCAPTCHA Cracked
stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."
Come on Google, we all know that in the Captcha war, we only have one weapon left, captcha porn. There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"
Monstar L
FTA:
Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
Well, last year someone showed at DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already.
So how is this news? Am I missing something?
Look, all you have to do to confirm it is just google for "most popular search engine"...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
...last year.
Google reCAPTCHA cracked
Written by John P Mello Jr on January 5, 2010
As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the number of times I've got incomprehensible gibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess with developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.
All captchas are practically useless. There is no need to crack them - for example decaptcher solves 1000 captchas for $2. Any captcha type works since they're solved by humans. They also have APIs for several different languages which let the programmer easily put the process into their programs.
As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
Just to make things interesting, I binged it (has bing been verbed yet?). The top result was something from 2006 (!) that lists Google with about 49% of the search market, and the 4th said right in the search result headline, "Google is the Most Popular Search Engine in the World".
(Top result in a search for popularity is 4 years old? But just to be fair I checked Google, and it gave the same first result, strangely enough.)
Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.
Who logs in to gdm? Not I, said the duck.
The problem is simple to solve though:
Spamming is profitable. That's why the spammers do it.
What we need is simple: we need to make Spamming unprofitable. (I almost said make Spam unprofitable, but I actually kinda like Hormel's product).
This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
That leaves the virus-purveyors and identity-theft types to deal with, true, but the bulk of the money spent on breaking CAPTCHA solutions and everything else comes from the spam-for-profit guys, so if we hit them first, the rest are more manageable.
It's quite simple to stop that, implement a small non-standard part in your signup process. I put in an extra input text field named "askldjwla" with the text: [Enter "I am not a bot" here (without quotes)] and my spam has reduced to 0. Spammers target the large and easy, just don't be a part of that group.
Indians mostly. Those who solve them actually only get paid $1 per 1000 captchas. But for example, the average daily salary in places like Cambodia is less than $1. Solving 1000 captchas for that starts to sound like a dream job and there is no education needed.
It's the same reason why powerleveling and gold selling services exist in cheap Asian countries, economics make it possible and even a good job.
This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
Yes, but they will hire spammers for a different reason. To advertise their competitor's product, in order to nuke the competition. Then once the competition is gone, sales will increase, and they can boost prices
That might work for your vanity blog, but higher traffic sites are more valuable targets and as such attract greater efforts.
My wife moderates a couple of local Freecycle [tm] lists, and she requires new subscribers to mention some nearby landmark in their neighborhood to show they really are local. The result: NO spam, ever. Once or twice in ten years she's actually had someone try to make up a plausible sounding name that they must have picked up from a yellow pages search because it referred to the name you can see on maps and not what everybody actually calls the place.
I remember a message board from a few years ago where some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site making it look like it was really from his site. The person looking at the porn site would type in the captcha answer and his script would in turn use this user provided solution to solve the real captcha on the original site letting his script get past the captchas and spam the message board. So if it really did work he got thousands of captchas solved by humans for free.
That just goes to show that you're a clueless noob.
Knowledge is power; knowledge shared is power lost.
What do we do then?
Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then it's worth your time to keep an eye on the site and delete spam as it appears.
they have a marketable skill: English language ability.
What Indian tech support have YOU been talking to?!
With reCaptcha, you don't have to successfully OCR the scanned word, just the control word. Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable. In these cases, you can type the control word correctly and just write some gibberish for the other, and you'll beat the captcha.
Which means that the spammer won't have to OCR the hardest of the words... just the simpler one. Run the OCR to the full text, post both words, and if the simpler one matches, you broke the captcha.
(I make it sound so easy! It really isn't! I'm amazed that they did break it! I just wanted to point out that it isn't "OCR words that haven't been OCRd before", but rather "OCR words that have been OCRd previously and are now a bit distorted".)
I run a small forum that uses reCAPTCHA. I used to get about 5-10 spam registrations a day. On the 6th I got 148, and the 7th I got 230.
I eventually installed a plugin from StopForumSpam.com which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.
Just to make things interesting, I binged it (has bing been verbed yet?). ...
Well, it's a verb, but it's past tense of binge (as in drinking).
My UID is prime. Hah!
Steve from Kansas.
Apparently he really likes curry chicken. Kinda odd fellow.
Spam already leads to mail fraud in some cases, and that fraud is generally prosecuted where possible. Very few legitimate companies use spam any more. The illegitimate ones are harder to catch.
There are actually several problems with this:
1. Not all that many shipping operations that use spammers operate under US law. Products are usually shipped from overseas (if any product is shipped at all!) and you can't fine a foreign entity without an agreement with that entity's native government (which, of course, spammers choose carefully to avoid such things). So you'd be limited to the people the police are already prosecuting, and that population is dwindling.
2. "kill your business for good" fines are what got us into multi-million-dollar fines for "casual" copyright infringement (the large fines were originally designed to drain commercial "piracy factories" of their resources, not to bankrupt a person for life because they shared 3 albums on LimeWire). We'd have to be very careful with any law to target the people we want to hurt, rather than opening anyone who posted an actual personal product recommendation somewhere to a $5,000,000 spammer suit.
3. Many of the products sold are actually counterfeit, and are shipped from faked addresses and just dropped off at the post office. Again, if anything was shipped at all. If I wanted to put Symantec out of business, I could very profitably sell pirated Norton Antivirus and drop a few dozen units off at the post office nearest Symantec's corporate HQ, with a return address label that has their address on it. Symantec would be stuck with the burden of proof that they didn't ship the product. You'd have to check ID every time someone sent a letter and make sure the "from" address matches their ID (which means no more mailbox pickup, all letters and packages must be posted individually).
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Wouldn't be so hard to defeat by a script. But the reason why your spam dropped to zero is because your "one of a kind" system wasn't targeted. I have an even simpler system that just requires the same sentence every time you sign up. But the field name in code is gibberish and because my site is low volume spammers don't target my script directly.
And that's what I would suggest for everyone, the solution is not to have 1 super captcha system that rules it all. Have 1.000.000 of them, once they are cracked they are easily replaced, and it makes it goddamn difficult to target lots of small sites in 1 go.
That's probably enough to prevent a lot of spam. Spam isn't very profitable per post.
xkcd is not in the sudoers file. This incident will be reported.
When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
Why not just use Akismet.com? It works great.
My small blog was getting a modest amount of spam (about 150/day), and Akismet would miss maybe one every few months. Not bad, but having to sort through the messages in the spam queue was really annoying. I found a decent compromise: messages flagged by Akismet were presented with a captcha. If the captcha was completed successfully, the message went into the moderation queue (as it was still spammy enough to trip Akismet). If not, the message was permanently deleted. This has no effect on my commenters, as they don't trip Akismet, and there hasn't been a single message to get through yet.
Probably doesn't scale to enormous sites, but works well for small ones. For what it's worth, I'm using the standard WordPress Akismet plugin and Conditional Captcha.
http://en.wikipedia.org/wiki/Joe_job
We run a not large site that gets 20,000-40,000 spam comment attempts per day. Some simple filters leave us with dozens of items to manually review per year:
1) English (language in general) employs rules that yield statistical patterns. For example, personal names and occupations do not contain 50 per cent upper case letters and 50 per cent lower case letters in English. This bins the bots that fill unmatched fields with random characters, without bothering human users since CSS is good now (our forms sometimes include randomly named fields...). We also test for average word length to catch excessive use of brand names and URLs. These two rules catch almost everything except the human operators.
2) To tarpit the human operators who try to whitelist their accounts/IPs through repeatedly posting benign comments, new users who post a lot (more than four comments an hour) in an initial period (24 hours after signup) and do not interact with others will see their own comments, but others will not.
We have five other filters but have turned them into warnings for the users instead (bots do not want to solve "That's a lot of links. please delete http:/// from your links"). Our next challenge is to better protect the mobile site which has a different set of dynamics.
*this silly form insists on linkifying my http colon slash slash and adding a third slash...
There are 1.1... kinds of people.
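The three rules in the post above (case-ratio test on name fields, average word length on the body, and the new-user tarpit), written out as an added example that is not the poster's code. All sample users, comments, timestamps and thresholds are constructed for illustration:

```python
"""Added example (not from the post): the three filter rules described above,
run over constructed sample data.  Thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


# --- Rule 1: random-character detector for name / occupation fields ----------
def upper_ratio(text: str) -> float:
    """Share of alphabetic characters that are upper case."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0


def looks_randomly_cased(text: str, min_letters: int = 6) -> bool:
    """Human names are mostly lower case with a few initial capitals (or all
    caps); bots stuffing unknown fields with random characters land near a
    50/50 mix.  Values with very few letters are not judged."""
    if sum(c.isalpha() for c in text) < min_letters:
        return False
    return 0.35 <= upper_ratio(text) <= 0.65


# --- Rule 2: average word length on the comment body ------------------------
def average_word_length(text: str) -> float:
    words = text.split()
    return sum(len(w) for w in words) / len(words) if words else 0.0


def looks_like_link_stuffing(text: str, max_avg: float = 9.0) -> bool:
    """English prose averages roughly 4-6 characters per word; runs of URLs
    and brand names push the average far above that (threshold assumed)."""
    return average_word_length(text) > max_avg


# --- Rule 3: tarpit new users who post a lot and talk to nobody --------------
@dataclass
class User:
    name: str
    signed_up: datetime


@dataclass
class Comment:
    author: str
    posted: datetime
    body: str
    reply_to: Optional[str] = None  # author being replied to, if any


def is_tarpitted(user: User, comments: List[Comment], now: datetime,
                 initial_period: timedelta = timedelta(hours=24),
                 max_per_hour: int = 4) -> bool:
    """True when a user still inside the initial period posted more than
    max_per_hour comments in the last hour and has never replied to anyone."""
    if now - user.signed_up > initial_period:
        return False
    own = [c for c in comments if c.author == user.name]
    if any(c.reply_to for c in own):
        return False  # interacts with others: not the pattern being tarpitted
    last_hour = [c for c in own if now - c.posted <= timedelta(hours=1)]
    return len(last_hour) > max_per_hour


def visible_to(comment: Comment, viewer: str, users: Dict[str, User],
               comments: List[Comment], now: datetime) -> bool:
    """Tarpitted users still see their own comments; nobody else does."""
    if viewer == comment.author:
        return True
    return not is_tarpitted(users[comment.author], comments, now)


# --- Constructed sample data -------------------------------------------------
NOW = datetime(2010, 1, 8, 12, 0)
USERS = {
    "regular": User("regular", NOW - timedelta(days=30)),
    "burst": User("burst", NOW - timedelta(hours=2)),    # 5 posts, no replies
    "newbie": User("newbie", NOW - timedelta(hours=2)),  # 5 posts, all replies
}
COMMENTS = (
    [Comment("burst", NOW - timedelta(minutes=5 * i), "look at this!") for i in range(5)]
    + [Comment("newbie", NOW - timedelta(minutes=5 * i), "agreed", reply_to="regular") for i in range(5)]
    + [Comment("regular", NOW - timedelta(hours=3), "old news")]
)


def run_example() -> Dict[str, bool]:
    """Apply all three rules to the constructed data; True means 'flagged'."""
    return {
        "random_name_flagged": looks_randomly_cased("aKdJeLqMz"),
        "human_name_flagged": looks_randomly_cased("Mary-Jane O'Brien"),
        "spam_body_flagged": looks_like_link_stuffing(
            "Buy cheap meds at http://pharma.example.invalid/cheap-meds-online-now"),
        "human_body_flagged": looks_like_link_stuffing(
            "I had the same trouble with the audio version last week."),
        "burst_hidden_from_others": not visible_to(COMMENTS[0], "regular", USERS, COMMENTS, NOW),
        "burst_sees_own": visible_to(COMMENTS[0], "burst", USERS, COMMENTS, NOW),
        "newbie_visible": visible_to(COMMENTS[5], "regular", USERS, COMMENTS, NOW),
    }


if __name__ == "__main__":
    for name, flagged in run_example().items():
        print(f"{name}: {flagged}")
```

The case-ratio rule deliberately ignores all-caps input, since caps-lock humans are common and the signal the post describes is the near-even mix, not capitalisation as such; the tarpit decision is recomputed on every view so a user who starts replying to others is released automatically.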
So what? It demonstrates a point relevant to the discussion.
--
Discount Helicobacter pylori
Another fun trick is how easy it is to catch spambots by using "invisible" form fields. Bots are too "stupid" to negotiate around these traps. They fill in those fields just like they do the visible ones, allowing you, the site operator, to instantly bin their nonsense to /dev/null with scripts and ban their IP addresses.
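The invisible-field trap from this post combined with the "type this phrase into an oddly named field" approach from the earlier posts (the "askldjwla" field, and the suggestion that every site should use its own gibberish field names), as an added example that is none of the posters' code. The site secret, field-name derivation, HTML fragment and sample submissions are all constructed assumptions:

```python
"""Added example (not from the posts above): a CSS-hidden honeypot input plus a
visible 'type this phrase' input, both under site-specific gibberish names,
and the server-side check.  Secret, names and submissions are constructed."""
import hashlib
import hmac
from html import escape
from typing import Mapping

SITE_SECRET = b"constructed-example-secret-change-me"  # per-site, not a real key
EXPECTED_PHRASE = "I am not a bot"


def field_name(purpose: str, secret: bytes = SITE_SECRET, rotation: str = "2010-01") -> str:
    """Derive a stable, site-specific gibberish field name from the secret.
    A bot written against another site's markup (or this site's from an
    earlier rotation period) does not know which input is the trap."""
    msg = f"{purpose}:{rotation}".encode()
    return "f_" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10]


def render_fields() -> str:
    """HTML fragment for the form.  The honeypot is hidden with CSS rather than
    type=hidden, since the point is that a bot sees an ordinary text input;
    the label tells screen-reader users to leave it blank."""
    hp, ch = field_name("honeypot"), field_name("challenge")
    return (
        f'<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<label for="{hp}">Leave this field empty</label>'
        f'<input type="text" id="{hp}" name="{hp}" tabindex="-1" autocomplete="off"></div>\n'
        f'<label for="{ch}">Enter "{escape(EXPECTED_PHRASE)}" here (without quotes)</label>\n'
        f'<input type="text" id="{ch}" name="{ch}">'
    )


def normalize(text: str) -> str:
    """Collapse whitespace and case so a human's sloppy typing still passes."""
    return " ".join(text.split()).casefold()


def classify_submission(form: Mapping[str, str]) -> str:
    """Return 'accept' or 'reject:<reason>' for a posted form."""
    # A filled honeypot is the strongest signal: a human never sees the field.
    if form.get(field_name("honeypot"), "").strip():
        return "reject:honeypot"
    # The visible challenge must hold the phrase, modulo whitespace and case.
    if normalize(form.get(field_name("challenge"), "")) != normalize(EXPECTED_PHRASE):
        return "reject:challenge"
    return "accept"


# Constructed submissions: a bot fills every input it finds; a human fills only
# the visible one; a bot that learned to skip the trap still lacks the phrase.
BOT_FILLS_EVERYTHING = {field_name("honeypot"): "http://spam.example.invalid",
                       field_name("challenge"): "http://spam.example.invalid"}
HUMAN = {field_name("challenge"): "  i am NOT a bot "}
BOT_SKIPS_TRAP = {field_name("challenge"): "great post, check my site"}


if __name__ == "__main__":
    print(render_fields())
    for label, form in [("bot", BOT_FILLS_EVERYTHING), ("human", HUMAN), ("bot2", BOT_SKIPS_TRAP)]:
        print(label, "->", classify_submission(form))
```

Deriving the names with an HMAC over the secret and a rotation string is what makes the "a million different captchas" idea cheap to operate: changing the rotation string renames both fields without touching the template or the check, and two sites with different secrets never share markup a bot could be trained on.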
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
All captchas are practically useless. There is no need to crack them - for example decaptcher solves 1000 captchas for $2. Any captcha type works since they're solved by humans.
I bet this type of captcha would still work well on sites like mathoverflow or wolfram...
The nature of Spam is changing. It used to be about penis pill ads being sent indiscriminately by email. Now Spam is being used by major marketers and public relations firms to influence the national discourse and nobody is using email. Spammers are hitting blogs and forums and news sites to try to credibly sway public opinion. They pose as average impartial citizens and try to spread propaganda. Spam is about trying to shout out other people by aggressively inserting the viewpoints of their corporate or political masters. Every major PR firm is going to recommend that its clients pursue an active online strategy. Not just a website. Not just a responsive blog. Not just a Facebook page. But an army of professional trolls with talking points and corporate directions to sway public opinion in a Web 2.0 setting. Spam has gotten much more insidious because the purveyors of Spam realize that to be effective they must effectively make themselves indistinguishable from the common man.
Digg recently had to reorganize because an army of amateur conservative trolls ("Digg Patriots" and others) was effectively promoting conservative information and burying liberal viewpoints. They got busted because they were ambitious and cocky amateurs. But Burson Marsteller has about 100000000x the money and sophistication and is never going to get caught so easily.
There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!
The answer is zero, btw. (which was a little anticlimactic, if you ask me)