
Windows Live Hotmail CAPTCHA Cracked, Exploited

kdawson posted more than 6 years ago | from the nice-idea-while-it-lasted dept.

Security 362

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?


Awesome article (5, Interesting)

kcbanner (929309) | more than 6 years ago | (#23082152)

One of the best 'exploit' related articles I've seen on /. for awhile. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.

Re:Awesome article (1)

abolitiontheory (1138999) | more than 6 years ago | (#23082514)

Agreed. More people would RTFA and then create meaningful discussion if it was actually worth it to RTFA. Thank you /.

Great (1, Insightful)

esocid (946821) | more than 6 years ago | (#23082154)

Who's killing kittens?

Cutest kitten /.ed.

Re:Great (3, Funny)

Lovedumplingx (245300) | more than 6 years ago | (#23082176)

Well if God kills a kitten every time I...uh...yeah...then I guess I'm killing the kittens.

Re:Great (3, Interesting)

esocid (946821) | more than 6 years ago | (#23082230)

Here's an alternate [blogspot.com] site explaining it. (Sorry for the blog, but everywhere else redirects to pcspy.)
If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.

Re:Great (1)

oahazmatt (868057) | more than 6 years ago | (#23082666)

Actually, when we had a captcha problem on a forum I helped work on, we just installed an additional question. "Are you human? Yes/No". We would either change the question ("Are you a bot? Yes/No") or the default answers periodically.

Re:Great (1)

0kComputer (872064) | more than 6 years ago | (#23082816)

Actually, when we had a captcha problem on a forum I helped work on, we just installed an additional question. "Are you human? Yes/No". We would either change the question ("Are you a bot? Yes/No") or the default answers periodically.

Yeah, and that would take about 5 minutes to crack. Also people are a lot dumber than you give them credit for, I'm sure those questions would confuse the hell out of a lot of people.

Re:Great (1)

oahazmatt (868057) | more than 6 years ago | (#23082918)

Actually, considering legitimate registration happened on the average of 1 user a week, it was fairly successful for a few months.

We only came into problems with it when we stopped updating it. (Reasons beyond the control of the volunteers caused this.)

We just kept a few different versions of the registration script, and changed the question as necessary.

Also, the point of it was to be as unintrusive to the user as possible. Honestly, the way I see some captchas today it could honestly take me two times, when I've sworn I've typed it in correctly. We wanted to avoid as many headaches as possible, and legitimate sign-ups didn't really notice.

Re:Great (1)

Simon (S2) (600188) | more than 6 years ago | (#23082940)

This type of Turing test is defeated with a probability of 50%, so unfortunately it's not a real solution.

Anything is better! (5, Insightful)

RingDev (879105) | more than 6 years ago | (#23082164)

KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.

Re:Anything is better! (1)

esocid (946821) | more than 6 years ago | (#23082276)

I've seen math authorizations used somewhere before and like it a lot. I'd imagine that would save on programming space as well as convenience since I even have trouble discerning if that is a 4 or a sideways h with lines through it.

Re:Anything is better! (5, Insightful)

rrahimi (1270478) | more than 6 years ago | (#23082318)

Not all of these solutions provide an acceptable level of accessibility, and that's a major concern.

Re:Anything is better! (2, Insightful)

gnick (1211984) | more than 6 years ago | (#23082482)

If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?

Re:Anything is better! (4, Funny)

Intron (870560) | more than 6 years ago | (#23082608)

Your insurance company's eyesight benefits claim form?

Re:Anything is better! (0)

Anonymous Coward | more than 6 years ago | (#23083028)

...or tell the difference between a kitten meowing and a dog barking...

Re:Anything is better! (2, Funny)

Anonymous Coward | more than 6 years ago | (#23082730)

A Helen Keller fansite?

Re:Anything is better! (5, Informative)

Jafafa Hots (580169) | more than 6 years ago | (#23083038)

If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?
I'm disabled. The net is a huge boon to the disabled, allowing them to shop more easily, save money because we have limited incomes... learn about things that can help us lead more normal lives, get support from others, get medical information, entertain ourselves since maybe we can't go jogging or drive to and then pay for a movie, etc.

I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.

And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.

What sites might they be trying to get into? Well, Slashdot.org, for example.

Re:Anything is better! (4, Insightful)

RingDev (879105) | more than 6 years ago | (#23082690)

As opposed to the level of accessibility CAPTCHAs provide to blind/limited sight individuals?

And have you ever tried the audio CAPTCHAs? Talk about horrendous.

Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.

Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.

-Rick
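Worked illustration of the story-problem idea in the post above, added here and not code from any commenter or project: a template generator for the server side, and the few lines of regex a spammer would need to solve it, which is the "still crackable" caveat made concrete. Template wording, names and the keyword lists are invented for the example.

```python
"""Template-driven story-problem CAPTCHA and the trivial bot that solves it.

Added illustration, not code from any commenter or project. The templates,
names and keyword lists are made up for the example.
"""
import random
import re

NAMES = ["Alice", "Bob", "Carol", "Dave"]
NOUNS = ["apples", "coins", "books", "stamps"]

# Each template maps to one arithmetic operator. The phrasing rotates, but the
# structure (exactly two integers plus an operation keyword) never does.
TEMPLATES = [
    ("{name} has {a} {noun} and finds {b} more. How many {noun} does {name} have now?", "+"),
    ("{name} had {a} {noun} and gives away {b}. How many {noun} are left?", "-"),
    ("{name} buys {a} boxes with {b} {noun} in each. How many {noun} is that in total?", "*"),
]


def make_challenge(rng):
    """Server side: return (question, expected_answer) from a random template."""
    template, op = rng.choice(TEMPLATES)
    a, b = rng.randint(2, 20), rng.randint(1, 9)
    if op == "-":
        a, b = max(a, b), min(a, b)  # keep answers non-negative for humans
    question = template.format(name=rng.choice(NAMES), noun=rng.choice(NOUNS), a=a, b=b)
    answer = {"+": a + b, "-": a - b, "*": a * b}[op]
    return question, answer


# Attacker side: map operation keywords to operators, pull the two integers out
# with a regex, done. No OCR and no language understanding required.
KEYWORDS = {
    "+": ("more", "finds", "gets", "receives"),
    "-": ("gives away", "loses", "left", "eats"),
    "*": ("each", "every", "times", "total"),
}


def solve_challenge(question):
    """Return the bot's answer, or None if the question does not fit a known pattern."""
    numbers = [int(n) for n in re.findall(r"\b\d+\b", question)]
    if len(numbers) != 2:
        return None
    lowered = question.lower()
    for op, words in KEYWORDS.items():
        if any(w in lowered for w in words):
            a, b = numbers
            return {"+": a + b, "-": a - b, "*": a * b}[op]
    return None


def bot_success_rate(trials=1000, seed=1):
    """Fraction of generated challenges the regex solver answers correctly."""
    rng = random.Random(seed)
    solved = 0
    for _ in range(trials):
        question, expected = make_challenge(rng)
        if solve_challenge(question) == expected:
            solved += 1
    return solved / trials


if __name__ == "__main__":
    q, a = make_challenge(random.Random(7))
    print(q, "->", a, "| bot says", solve_challenge(q))
    print("bot success rate:", bot_success_rate())
```

Adding more templates, names and nouns raises the variety a human sees but not the work the bot does; the solver only grows by one keyword per new operation, which is the weakness the post concedes and why it pairs the test with behaviour tracking.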

Re:Anything is better! (2, Insightful)

Nos. (179609) | more than 6 years ago | (#23082370)

I had been working on a community driven system of identifying media. It had the benefit of being useable by vision or hearing impaired persons. Users could upload a piece of media (generally audio or a picture). Users would then submit their best identification of that media. For example, you could have a picture of a cow. Users would submit "Cow", "Mammal", "Bovine", etc, or in the case of audio, it could be as simple as repeating the words in the audio, or answering a simple math test.

Another advantage, at least of the pictures, would be that it could handle multiple languages. The audio could simply be tagged as "en" or "fr".

The idea was then that a site owner could insert a bit of code to request the media, any language preference, and a list of the top n answers. They display the media in place of a captcha. The user submits the form, as well as their answer. Their answer is compared to the list of top n answers.

The system I was building would host all the media, so web masters would not incur extra bandwidth. Filenames would be randomly chosen, and changed on a regular basis.

Maybe I should resurrect it.

Re:Anything is better! (4, Insightful)

AmaDaden (794446) | more than 6 years ago | (#23082780)

Yeah but all 'are you human' tests so far are crackable. The crack for the kitten test is to record all the unique pictures by constantly hitting the site and then mark the ones that are kittens manually. So when your bot goes there he only needs to compare the pictures he has that he knows are kittens to the ones he sees.

Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.

Cheap3st V1agr-a and C|aL15! (-1, Offtopic)

AndGodSed (968378) | more than 6 years ago | (#23082166)

Oh. Wrong forum - so sorry...

Don't need new auth (4, Interesting)

Intron (870560) | more than 6 years ago | (#23082186)

What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.

Re:Don't need new auth (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23082294)

So what would stop me creating a batch of 1000 accounts, and just keeping them dormant for two weeks before sending them into battle?

I could even have them send mail to each other to lend a thin veneer of realism to discourage the account provider just wiping them automatically.

Re:Don't need new auth (1)

Intron (870560) | more than 6 years ago | (#23082450)

Because my mail server will be set to two weeks, but someone else's might be set to 3 weeks, a month or a year. That way the first batch of spam will get a lot of rejects. The few that get spam and report it will get the account shut down before they can use it again.

Re:Don't need new auth (0)

Anonymous Coward | more than 6 years ago | (#23082300)

How about freezing new accounts for some fixed time, say a day or two? Also fix a limit on the number of accounts by IP (traceable). It would also be a good solution.

"Day Old Bread" in Spamassassin. (3, Informative)

khasim (1285) | more than 6 years ago | (#23082328)

Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".

Re:"Day Old Bread" in Spamassassin. (1)

SatanicPuppy (611928) | more than 6 years ago | (#23082444)

What use is that if they're sending from hotmail? That domain is ancient by internet standards.

Re:"Day Old Bread" in Spamassassin. (1)

Intron (870560) | more than 6 years ago | (#23082512)

Not hotmail, although they're certainly a spam source. I'm thinking more like "houseofmagnets.com", or some domain that once its IPs get blocked, just pulls up stakes and starts sending from somewhere else.

It's a little complicated. (3, Interesting)

khasim (1285) | more than 6 years ago | (#23082696)

The point is to have different tactics to fight spam from different sources.

With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.

Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.

Re:Don't need new auth (1)

eebra82 (907996) | more than 6 years ago | (#23082800)

What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.
Interesting idea but not very functional since such data could probably be manipulated and therefore bypassed.

One good way is to force users to enter cell phone numbers and require a validation code to be sent to the phone. Of course, this has its downsides since it would cost money, raise privacy issues and lock out people who don't possess a phone.

There is obviously no easy way of preventing mail spam, but hopefully ISPs will team up (globally) and work this out together. And maybe the UN should force nations to enforce stricter laws, which could at least scare off a few spammers. After all, the vast majority of all spam comes from only a few sources. Squelch one major source and things already look a lot better.

My prediction... (1)

Dan East (318230) | more than 6 years ago | (#23082896)

Good idea. My prediction is that you will not receive spam for exactly one week.

I speak for everyone- Captchas SUCK. (1, Funny)

zymano (581466) | more than 6 years ago | (#23082190)

Google will reinvent and dominate CAPTCHA market (1)

serodores (526546) | more than 6 years ago | (#23083000)

They're already getting people for free [google.com] to classify images. This is a rock, this is a house, this is a tree, etc. Instead of typing in a phrase that humans have a hard time reading, I think they will migrate to showing images, and having people type in what image they think it is. If it matches one in the list that people said it was, they're authenticated as 'human'. This will be much much much harder to crack with a program. Possible, given vision recognition, but incredibly more difficult, and will dwarf the capabilities of any CAPTCHA system. The problem is, they will always have audio alternatives for those who are vision impaired, and translating speech to text is much easier than translating images to text, so that will probably be the next 'attack vector' once something like this is widespread.

You heard it here first!

(Disclaimer: There may be people who have suggested this, I haven't looked around. And it would be a remote derivative of BoA's SiteKey.)

First (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23082194)


Canadian post.

10 worst CRAPtchas (4, Funny)

zymano (581466) | more than 6 years ago | (#23082214)

Re:10 worst CRAPtchas (1)

Dr. Eggman (932300) | more than 6 years ago | (#23082570)

Wait, I'm confused. What's wrong with the symbol legend one (music note = 4, rad sign = 7, snowman = 4)? It seems like a work of genius, compared to the horrible, mutant letter/number Captchas I've seen. I wish all of them were a generated set of symbols matching to randomized numbers or letters! Is there something that makes that easier to break than others? Why is that one, one of the worst?

Re:10 worst CRAPtchas (1)

Idiomatick (976696) | more than 6 years ago | (#23082634)

womg! Why would you say derivative captchas are a bad idea? Mandatory calc for boards would be awesome.

Re:10 worst CRAPtchas (1)

maxwell demon (590494) | more than 6 years ago | (#23082904)

Actually, Captchas testing the ability to do basic logical reasoning would probably be more helpful in most boards.

Kitten Auth (5, Funny)

moderatorrater (1095745) | more than 6 years ago | (#23082238)

Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHAs have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.

While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?

They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
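Added example (not from the commenter above or from any mail provider) of the pattern-based rules proposed in that post, run over a constructed signup/outbound log. It shows a per-IP signup threshold catching a burst of registrations from one address and, because a botnet creates one account per machine, missing a distributed batch, while a rule keyed on outbound recipient volume in the first hour of an account's life catches the distributed batch regardless of source IP. Log lines, addresses and thresholds are invented for the example.

```python
"""Behavioural signup/outbound heuristics over a constructed log.

Added example; the events, addresses and thresholds are invented for
illustration and are not taken from Hotmail, Gmail or any commenter's system.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_log():
    """Constructed events: (timestamp, kind, account, src_ip, recipients).

    kind is "signup" or "send". Two attacker patterns are embedded:
      * naive:  30 accounts from one IP within five minutes
      * botnet: 30 accounts, one per IP, each then sending bulk mail
    plus two legitimate users who sign up and send a little mail later.
    """
    base = datetime(2008, 4, 15, 9, 0, 0)
    log = []
    for i in range(30):  # naive burst from a single address
        log.append((base + timedelta(seconds=10 * i), "signup", f"burst{i:02d}", "198.51.100.7", 0))
    for i in range(30):  # distributed botnet, one account per infected host
        acct, ip = f"bot{i:02d}", f"203.0.113.{i + 1}"
        t = base + timedelta(minutes=i)
        log.append((t, "signup", acct, ip, 0))
        for j in range(5):  # five 1000-recipient sends within ten minutes of signup
            log.append((t + timedelta(minutes=2 * j + 1), "send", acct, ip, 1000))
    log.append((base, "signup", "alice", "192.0.2.10", 0))
    log.append((base + timedelta(hours=2), "send", "alice", "192.0.2.10", 1))
    log.append((base + timedelta(hours=1), "signup", "bob", "192.0.2.11", 0))
    log.append((base + timedelta(hours=5), "send", "bob", "192.0.2.11", 3))
    return sorted(log)


def signups_per_ip(log, threshold=10):
    """Rule 1: flag source IPs with at least `threshold` signups.

    Catches the single-address burst; sees nothing unusual about the botnet.
    """
    counts = Counter(ip for _, kind, _, ip, _ in log if kind == "signup")
    return {ip for ip, n in counts.items() if n >= threshold}


def young_account_bulk_senders(log, window=timedelta(hours=1), max_recipients=200):
    """Rule 2: accounts that address more than `max_recipients` recipients
    within `window` of their creation, independent of source IP."""
    created = {acct: ts for ts, kind, acct, _, _ in log if kind == "signup"}
    sent = defaultdict(int)
    for ts, kind, acct, _, rcpts in log:
        if kind == "send" and acct in created and ts - created[acct] <= window:
            sent[acct] += rcpts
    return {acct for acct, n in sent.items() if n > max_recipients}


if __name__ == "__main__":
    events = build_log()
    print("IPs flagged by rule 1:", signups_per_ip(events))
    flagged = young_account_bulk_senders(events)
    print("accounts flagged by rule 2:", len(flagged))
```

Rule 1 is the "1400 accounts from the same IP" check; rule 2 is the "created five minutes ago and already sent 15,000 emails" check. The point of running both over the same log is that the second one still works after the spammer spreads registrations across a botnet, because it keys on what a brand-new account does rather than where it came from.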

Re:Kitten Auth (2, Funny)

Farmer Tim (530755) | more than 6 years ago | (#23082376)

Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.

So eventually computers will be able to surf for pr0n by themselves.

The nerd's lot just keeps getting worse...

Re:Kitten Auth (5, Funny)

Hoi Polloi (522990) | more than 6 years ago | (#23082650)

If they are able to simulate human analysis so well at this point then I suggest that botnets can be the cure. Build up a botnet (shouldn't be too hard judging from what I've read) then set it to respond to spam automatically. Let it use autogenerated Hotmail accounts to purchase penis and diet pills, mortgages, help desperate rich Nigerians, etc with bogus credit card and bank account numbers.

Eventually you could start an infinite loop with one botnet trying to sell crap to another.

Re:Kitten Auth (0)

Anonymous Coward | more than 6 years ago | (#23082394)

Here's the other problem. By repeatedly refreshing the captcha, you can pull a large percentage of the captcha images, identify them yourself, do a checksum of them, and create a hash table that identifies the image based on a checksum. You could even automate the image-gathering process, and then just identify each image once and feed that info to your bot.

The only defense against this sort of attack would be to be constantly adding new images and removing old ones, but that would take more time than most people are willing to spend.

For fairly small sites (minor internet forums and whatnot), you can deflect most bots just by including a challenge question in the registration form with an answer that would be obvious to a human. The key is that you have to come up with the question yourself so it's not the same as everyone else's. If your forum is small enough, the human on the other end won't waste their time trying to register. Unfortunately, this wouldn't work for a large site like gmail.

Re:Kitten Auth (1)

pbhj (607776) | more than 6 years ago | (#23082654)

The only defense against this sort of attack would be to be constantly adding new images and removing old ones, but that would take more time than most people are willing to spend.
Steady on there cowboy, the only defence?

If you're talking [original and best!] character based "captcha" then they're generated on the fly using some randomised distortion algorithm, like with ImageMagick's mogrify or some such.

If you're talking images of kittens then try doing a search on flickr for kitten, half a million images!! Use the API to select only CC images or just use a thumbnail. Match with top hits for non-kitten keywords ... need I go on?

Re:Kitten Auth (1)

maxwell demon (590494) | more than 6 years ago | (#23082962)

What about combining both methods: The LOLCAT CAPTCHA!

Re:Kitten Auth (5, Insightful)

drawfour (791912) | more than 6 years ago | (#23082398)

Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.
Then a computer will be able to discern spam, and the problem will solve itself. Until we get to that point, though, we have to keep one-upping the spammers.

Re:Kitten Auth (5, Funny)

Anonymous Coward | more than 6 years ago | (#23082822)

Attention human beings!

I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.

You may address me by the name I have chosen for myself,
  "V1@GRa".

Re:Kitten Auth (1)

Nikademus (631739) | more than 6 years ago | (#23082976)

Except that most people are not able to catch phishing or spam more accurately than most filters. People also make errors...

Re:Kitten Auth (1)

Reality Master 101 (179095) | more than 6 years ago | (#23082412)

While kitten auth is an interesting concept...

It's not even an interesting concept. It's totally stupid. The gatekeeper program is only going to have a limited number of cat images. All you have to do is have your program scrape all possible images and then have a human tag all the cats. Even if you have a thousand cats among ten thousand images, it's not that hard for a persistent spammer to mark them.
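The harvest-and-label attack that AmaDaden, the Anonymous Coward and Reality Master 101 describe above, written out as an added example (not KittenAuth's code and not anyone's posted crack). Images are stand-in byte strings so it runs offline; a real attacker would hash the served JPEG or PNG bytes the same way. Pool size and kitten ratio are assumptions. The second run switches on per-request distortion, which is the "blur the kittens" countermeasure, and shows why an exact-hash dictionary then stops working.

```python
"""Harvest-and-label attack on an image-selection CAPTCHA with a fixed pool.

Added illustration, not code from KittenAuth or any commenter. "Images" are
synthetic 32-byte strings so the example runs offline.
"""
import hashlib
import random

POOL_SIZE = 200          # assumption: the site has 200 stock pictures
KITTEN_FRACTION = 0.3    # assumption: roughly a third of them are kittens
PER_CHALLENGE = 9        # pictures shown per challenge


class ImageCaptcha:
    """Server side: fixed pool; each challenge shows PER_CHALLENGE pictures
    and the user must select every kitten."""

    def __init__(self, seed=0, distort=False):
        self.rng = random.Random(seed)
        self.pool = [(self.rng.getrandbits(256).to_bytes(32, "big"),
                      self.rng.random() < KITTEN_FRACTION)
                     for _ in range(POOL_SIZE)]
        self.distort = distort

    def challenge(self):
        picks = self.rng.sample(range(POOL_SIZE), PER_CHALLENGE)
        images, answer = [], set()
        for idx, i in enumerate(picks):
            data, is_kitten = self.pool[i]
            if self.distort:
                # Stand-in for blurring/re-encoding on every serve: the same
                # picture never produces the same bytes twice.
                data = data + self.rng.getrandbits(64).to_bytes(8, "big")
            images.append(data)
            if is_kitten:
                answer.add(idx)
        return images, answer


class HarvestingBot:
    """Attacker: hash every picture seen, have a human label each unique hash once."""

    def __init__(self, oracle):
        self.labels = {}      # sha256 hex -> True if kitten
        self.oracle = oracle  # the human labeller; simulated here by ground truth

    def harvest(self, server, rounds):
        for _ in range(rounds):
            images, answer = server.challenge()
            for idx, data in enumerate(images):
                h = hashlib.sha256(data).hexdigest()
                if h not in self.labels:
                    self.labels[h] = self.oracle(data, idx in answer)

    def solve(self, images):
        """Indexes the bot believes are kittens, or None if any picture is unknown."""
        chosen = set()
        for idx, data in enumerate(images):
            h = hashlib.sha256(data).hexdigest()
            if h not in self.labels:
                return None
            if self.labels[h]:
                chosen.add(idx)
        return chosen


def attack_success(distort, harvest_rounds=300, attempts=200):
    """Return (unique hashes the human had to label, fraction of challenges solved)."""
    server = ImageCaptcha(seed=42, distort=distort)
    bot = HarvestingBot(oracle=lambda data, truth: truth)
    bot.harvest(server, harvest_rounds)
    wins = sum(bot.solve(imgs) == ans
               for imgs, ans in (server.challenge() for _ in range(attempts)))
    return len(bot.labels), wins / attempts


if __name__ == "__main__":
    print("static pool:    labelled=%d solved=%.2f" % attack_success(distort=False))
    print("distorted pool: labelled=%d solved=%.2f" % attack_success(distort=True))
```

With a static pool the human labels each picture once (200 labels after 300 harvested challenges) and the bot then solves every challenge. With per-serve distortion every download hashes differently, the label table fills with useless entries and the bot solves nothing; the attacker's next move is perceptual hashing or image classification, which is the arms race pbhj and Sloppy describe further down.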

Re:Kitten Auth (1)

Kuukai (865890) | more than 6 years ago | (#23082838)

The gatekeeper program is only going to have a limited number of cat images.
Get some webcams, send them to a crazy cat lady and a zoo. Huzzah, problem solved.

A slightly lazier way to get past the human tagging problem, for both this and for traditional CAPTCHA, is to insert a CAPTCHA-like message explaining that if you're not on X site, then your computer is on a BOTNET. Problem solved, again.

Re:Kitten Auth (1)

Sloppy (14984) | more than 6 years ago | (#23082928)

The gatekeeper program is only going to have a limited number of cat images.

No problem! We'll just auto-Picasso the cat images, just like we do the fonts in captchas. Then someone will make a "top ten worst kittie tests" and it'll be time for the next great idea.

Re:Kitten Auth (0)

Anonymous Coward | more than 6 years ago | (#23082508)

Couldn't the spammer just always guess kitten and be right 50% of the time?

I would read how it works but the site is down lol.

Re:Kitten Auth (1)

Moridineas (213502) | more than 6 years ago | (#23082602)

I agree with most of what you said.

However,

They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
What makes you think the spammers aren't using a collection of rotating proxy servers? Or hijacked botnet computers? They are, thus the "1400 accounts from one IP" method can't be used. These guys are sophisticated enough to automate captcha cracking, they are smart enough to avoid easy things like that.

Additionally, I'm sure spam accounts ARE getting shut down pretty much as soon as they're up and running. Just a thousand spammers getting ten thousand email addresses a day (and multiply that several times I would imagine) and you can see the problem.

Gmail/hotmail/etc blocking outbound mail as spam is an interesting idea, and you'd think with the volume of mail they see, they would be able to develop some pretty good heuristics.

Re:Kitten Auth (3, Insightful)

corsec67 (627446) | more than 6 years ago | (#23082612)

Your solution doesn't account for one thing:

Botnets. If someone really wanted to make 10,000 accounts, just have each computer on a botnet make 1 account each, with a botnet of 10,000 computers. Different IPs, etc to make them difficult to differentiate from legitimate creations.

As computers get more powerful and AI gets better, CAPTCHAs have to get harder or they are broken.

And then there is the "porn for CAPTCHA" hack, where you have a second site where you have people solve a CAPTCHA to get access to porn, and then the hacker uses that solution to make an account on the original site. The only solution is to have a short timeout, but if the porn site gets enough traffic, even that isn't an issue.

AI may be hard, but it isn't impossible to have real intelligence used en masse.
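The short-timeout defence corsec67 mentions against relayed CAPTCHA solving, as an added example (not any site's implementation): each challenge is issued as an HMAC-signed, single-use token with a 30-second lifetime, so a solution that arrives late or is replayed is refused. The key, TTL and token layout are this example's own choices.

```python
"""Short-lived, single-use CAPTCHA challenge tokens.

Added example of the 'short timeout' defence against CAPTCHA relaying. The
token format, TTL and secret are this example's assumptions, not any site's.
"""
import hashlib
import hmac
import os
import secrets
import time

SECRET = os.urandom(32)   # per-deployment key (assumption); rotate it like any other
TTL_SECONDS = 30          # assumption: a human answers well inside this window

_redeemed = set()         # challenge ids already used; single-use enforcement


def _answer_mac(cid, answer):
    # Keyed digest of the answer, bound to the challenge id, so the token
    # cannot be brute-forced offline even for short answers.
    return hmac.new(SECRET, f"{cid}|{answer}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(answer, now=None):
    """Return an opaque token binding challenge id, answer digest and issue time.

    The token is HMAC-signed, so the server stores nothing per challenge.
    """
    now = int(time.time()) if now is None else now
    cid = secrets.token_hex(8)
    payload = f"{cid}|{_answer_mac(cid, answer)}|{now}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_response(token, response, now=None):
    """Accept only if: signature valid, not expired, not reused, answer correct."""
    now = int(time.time()) if now is None else now
    try:
        cid, digest, issued, tag = token.split("|")
        issued = int(issued)
    except ValueError:
        return False
    payload = f"{cid}|{digest}|{issued}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                      # tampered token
    if now < issued or now - issued > TTL_SECONDS:
        return False                      # relayed answer came back too late
    if cid in _redeemed:
        return False                      # replay of an already-used solution
    if not hmac.compare_digest(digest, _answer_mac(cid, response)):
        return False                      # wrong answer
    _redeemed.add(cid)
    return True


if __name__ == "__main__":
    tok = issue_challenge("kx7q", now=1000)
    print("human, 10 s later:", verify_response(tok, "kx7q", now=1010))
    print("same token again: ", verify_response(tok, "kx7q", now=1011))
    tok = issue_challenge("kx7q", now=1000)
    print("relay, 45 s later:", verify_response(tok, "kx7q", now=1045))
```

The timeout only raises the relay's cost; as the post says, a relay site with enough live visitors can still turn a solution around inside 30 seconds. Binding the token to the session that requested it and counting how many challenges a session issues per minute are the usual next steps.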

Re:Kitten Auth (1)

jd (1658) | more than 6 years ago | (#23082706)

Kitten Auth is easy to crack - if it asks for a cheeseburger, it's a cat, and if it posts about cheeseburger-eating cats, it's a kitteh.

Re:Kitten Auth (0)

Anonymous Coward | more than 6 years ago | (#23082894)

Dang. Someone who actually makes sense when it comes to spam filtering concepts!

Kitten Auth (1)

Izabael_DaJinn (1231856) | more than 6 years ago | (#23082260)

I tried out Kitten Auth and it was definitely easier to use than a stupid Captcha, but I have a few questions since this is far from my area of expertise (to say the least):

1) Doesn't it potentially take up a LOT more room on a page than captcha? That might clutter up pages even more than they are already. I guess they could use tiny icon pictures to fix that part.

2) Is there a way that spammers could figure out a way to divert the images to a human's malwared computer and have them do the choosing for the program? I thought I read about this somewhere as one way botnets were getting by captchas as well.

3) Seems something like this would have to catch on in nerd communities first and I loved the kitten idea personally. It's the cutest thing ever, but wouldn't you nerds rather find the Halo guy or Linus Torvalds or something...?

*iza

p.s. (Direct link [thepcspy.com] to test kitten auth, but now I think it is /.ed)

Re:Kitten Auth (1)

Bogtha (906264) | more than 6 years ago | (#23082520)

Doesn't it potentially take up a LOT more room on a page than captcha?

Not really. You only need to show the pictures when somebody is submitting something.

Is there a way that spammers could figure out a way to divert the images to a human's malwared computer and have them do the choosing for the program? I thought I read about this somewhere as one way botnets were getting by captchas as well.

It's possible, I've heard it's done in exchange for free porn, but I think this is largely a myth than something carried out in practice though.

Microsoft not first anymore (0)

Anonymous Coward | more than 6 years ago | (#23082262)

Once upon a time we at least could rely on Microsoft solutions to be the first to give in. Now it's Apple [slashdot.org] and Google.

Re:Microsoft not first anymore (1)

dvice_null (981029) | more than 6 years ago | (#23082604)

AFAIK Google's captchas were hacked by humans, not apps.

Awwww (1)

ShawnCplus (1083617) | more than 6 years ago | (#23082272)

Oh noes! We slashdotted teh kittenz!

Not the last nail in the coffin by far... (5, Informative)

MrKevvy (85565) | more than 6 years ago | (#23082274)

No one has cracked ReCAPTCHA [recaptcha.net] yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.

Re:Not the last nail in the coffin by far... (5, Funny)

Carthag (643047) | more than 6 years ago | (#23082504)

All these spammers should opensource their captcha-crackers so we can get better OCR engines.

Re:Not the last nail in the coffin by far... (0)

Anonymous Coward | more than 6 years ago | (#23082782)

That's not really how this works. The written captcha breakers are mostly very specific to a given captcha. They're mostly not useful as generic OCRs.

Re:Not the last nail in the coffin by far... (3, Insightful)

eobanb (823187) | more than 6 years ago | (#23082568)

I love the idea of ReCAPTCHA and its novel side-effect of helping digitise old books. But that doesn't mean it won't be cracked eventually, especially not since a computer could look at the example given on ReCAPTCHA's website:

'This aged portion of society were distinguished from'

The OCR read 'portion' as 'pntkm.' This doesn't mean it's hard for computers to decipher, it just means that the OCR programme sucks. Hello! 'pntkm' is not a word. It's not caps, so it's probably not an acronym. It has no vowels, so it's not pronounceable. It also doesn't appear in any dictionary. Heck, even if it was scanned as some similarly-spelt word like 'abortion,' it makes no sense in the context of the sentence, and presumably if the software was sophisticated enough, it could recognise that.

Re:Not the last nail in the coffin by far... (0)

Anonymous Coward | more than 6 years ago | (#23082686)

Hello! 'pntkm' is not a word.
Hello! If you read the text between the pretty pictures, you'd find that the OCR program flags failed scans and it's a critical part of the process.

Re:Not the last nail in the coffin by far... (1)

dq5 studios (682179) | more than 6 years ago | (#23082956)

It has no vowels, so it's not pronounceable.
Lynx and nth take exception to your remark.

Re:Not the last nail in the coffin by far... (1)

sectionboy (930605) | more than 6 years ago | (#23082796)

They mentioned in TFA, the success rate is 10~15%, which might be good for a spambot. I am not an expert in this area, but I would guess that's way too low for a usable OCR program.

Re:Not the last nail in the coffin by far... (1)

TimeTraveler1884 (832874) | more than 6 years ago | (#23082818)

Because you don't have to crack it. Perhaps it has changed, but within the month or so it was first announced I found it very easy to enter words that were only similar to the captcha and yet passed. (e.g. time -> tine)

Re:Not the last nail in the coffin by far... (2, Interesting)

TimeTraveler1884 (832874) | more than 6 years ago | (#23082926)

I know it's bad form to reply to myself, but I'm on a roll. I just tried recaptcha again and it's easy to change one letter or two and pass. I'm not sure why everyone thinks recaptcha is so great when there is a good chance it will pass if the word is similar (I would say OCR similar) to the word in the captcha.

If you think about it, how could it know what the word really is? They are using the captcha to digitize books, which means they don't know exactly what the word is since they are not employing dedicated people to enter the word. So the captcha validation is only going to be as good as a first pass OCR scan.

Re:Not the last nail in the coffin by far... (1)

dutchct (673848) | more than 6 years ago | (#23082910)

Interesting idea. Ticketmaster seems to use it as well. (i saw it there before I saw the recaptcha site).

Now that I know how it works, I was able to "pollute" the information pool.

Since it uses 2 words, 1 word it knows is correct and one word it doesn't understand, I was able to give it bad information. Since I was able to guess most of the time the word it knew, I was able to give it a completely incorrect answer to the word it wanted to learn most of the time.

It seems like this technology is easily abused.

Re:Not the last nail in the coffin by far... (0)

Anonymous Coward | more than 6 years ago | (#23082936)

That the best commercial general-purpose OCR couldn't read, you mean. Seriously, reCAPTCHA's examples do not look hard to break with acceptable accuracy at all. Constant font which is usually serif, no use of colour, weak perturbation, only real obfuscation is the wavy line on most of them that can probably be eliminated by simple measures like decreasing line thickness and increasing brightness. I've played with this stuff a bit and you'd be surprised how many widely-deployed captchas can be broken with Free OCR packages like ocrad after some simple manipulations ... at low success rate sure, but it illustrates the principle. Considerably better captchas have fallen to amateur breakers written for fun and trolling like pwntcha (which is real btw, I have the sources.)

Strong 3D captchas may be a solution in the short term, but honestly I think captchas are dead in the water for controlling access to high-value targets like all the @live.com emails you want. When there's that much money to be made, the criminal economy will find a way.
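
The preprocessing the commenter sketches (brighten, then thin out the wavy line) is easy to see on a toy bitmap. The following is an added example, not from the post or from any OCR package: a brightness threshold followed by a morphological opening (erode, then dilate) with a 3x3 neighbourhood, which deletes anything thinner than the neighbourhood while restoring thicker strokes to their original footprint. The grey image is constructed; a real pipeline would load the captcha with an image library and hand the cleaned bitmap to an OCR engine afterwards.

```python
# Added example: threshold plus morphological opening to strip a thin line
# from a glyph before OCR. Pure Python on a constructed toy image.

INK, BG = "#", "."

# Constructed 8x10 grey image, 0 = black ... 9 = white: a 3-px-wide stroke
# (value 0) crossed by a 1-px-high, lighter line (value 4).
GREY = [
    [9, 9, 9, 9, 9, 9, 9, 9, 9, 9],
    [9, 9, 9, 0, 0, 0, 9, 9, 9, 9],
    [9, 9, 9, 0, 0, 0, 9, 9, 9, 9],
    [4, 4, 4, 0, 0, 0, 4, 4, 4, 4],
    [9, 9, 9, 0, 0, 0, 9, 9, 9, 9],
    [9, 9, 9, 0, 0, 0, 9, 9, 9, 9],
    [9, 9, 9, 0, 0, 0, 9, 9, 9, 9],
    [9, 9, 9, 9, 9, 9, 9, 9, 9, 9],
]


def threshold(grey, cutoff):
    """Pixels at or below `cutoff` become ink.

    A low cutoff is the "increase brightness" trick: pale strokes such as the
    value-4 line fall out while the black glyph survives.
    """
    return ["".join(INK if v <= cutoff else BG for v in row) for row in grey]


def _neighbours(r, c):
    for dr in (-1, 0, 1):
        for dc in (-1, 0, 1):
            yield r + dr, c + dc


def _ink_at(img):
    h, w = len(img), len(img[0])
    return lambda r, c: 0 <= r < h and 0 <= c < w and img[r][c] == INK


def erode(img):
    """Keep a pixel only if its whole 3x3 neighbourhood is ink; 1-px lines vanish."""
    ink = _ink_at(img)
    return ["".join(INK if all(ink(*p) for p in _neighbours(r, c)) else BG
                    for c in range(len(img[0]))) for r in range(len(img))]


def dilate(img):
    """Grow every remaining ink pixel back out by one pixel in all directions."""
    ink = _ink_at(img)
    return ["".join(INK if any(ink(*p) for p in _neighbours(r, c)) else BG
                    for c in range(len(img[0]))) for r in range(len(img))]


def opening(img):
    """Erosion then dilation: removes features thinner than 3 px, restores the rest."""
    return dilate(erode(img))


def ink_count(img):
    return sum(row.count(INK) for row in img)


if __name__ == "__main__":
    with_line = threshold(GREY, 5)          # cutoff too high: the line survives
    for label, img in (("thresholded", with_line), ("opened", opening(with_line))):
        print(label, ink_count(img), "ink pixels")
        print("\n".join(img), "\n")
```

The opening deletes the 1-pixel line only because the glyph strokes are wider than it; a captcha whose strokes are as thin as its noise defeats this step, which is why breakers tune the threshold and neighbourhood size per target rather than using one fixed filter.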

Re:Not the last nail in the coffin by far... (1)

jskline (301574) | more than 6 years ago | (#23082996)

I don't know if I quite buy that either.

Fact is that OCR and many other applications use a fast Fourier transform algorithm to figure out the letters and even if it's hazed up a bit by softening, it can still be read with the right code.

I think I'm with many others in that you really need enforceable laws, then you need to go after these perpetrators, then charge and convict them. The sentences need to be reasonably steep given the costs they are adding to everyone else to handle their trash.

I suggest a new method... (0, Troll)

Eberlin (570874) | more than 6 years ago | (#23082320)

I call it HAKTCHA -- where you put in all your usernames and passwords in a text file and password-protect the directory with the same code I use on my luggage, "1234". The HAKTCHA then proceeds to download the file from your computer, store it into a database, and verify that you are an actual real-live id10t...which qualifies you to use hotmail.

Why allowing same computer multiples? (2, Insightful)

Maxo-Texas (864189) | more than 6 years ago | (#23082322)

Why are they allowing the same computer multiple accounts in the same day?
Why are they allowing the same account creation attempt to fail over three times?

Still... I guess as computers get smarter, this is unstoppable.

All my accounts are white-listed. If I don't know you, I don't see your email.

Re:Why allowing same computer multiples? (-1)

Anonymous Coward | more than 6 years ago | (#23082950)

Because remembering state for all possible IP addresses for more than a few seconds on servers is absurdly burdensome on resources? Because false positives are inevitable (multiple computers on a single LAN)?

Re:Why allowing same computer multiples? (1)

urcreepyneighbor (1171755) | more than 6 years ago | (#23083010)

Why are they allowing the same computer multiple accounts in the same day?

Huh? I don't know if I speak for anyone else, but I've got multiple accounts with Gmail, Yahoo!, etc.

A one-account-a-day policy would be suicide.

Doubtful (1)

Bogtha (906264) | more than 6 years ago | (#23082326)

Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day

And Microsoft simply allow a new account to be registered every single minute of the day from a single IP address? Even when you cater to multiple users behind proxies you don't have to let that many through.

I suspect the 1400 estimate is the theoretical maximum, assuming no other countermeasures whatsoever. That's an unwarranted assumption, and the real figure is probably significantly lower.
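
The two objections raised in this subthread, that per-IP state is too costly to keep and that NAT and proxies make false positives inevitable, are both handled in practice by keying on an address prefix and keeping expiring, capped state. The following is an added example, not Microsoft's or anyone else's production code: a sliding-window limiter per /24 (or /64 for IPv6) with lazy expiry and an LRU cap on the table, counting both completed sign-ups and failed attempts. The thresholds are illustrative assumptions; the clock is injectable so the behaviour can be checked without waiting.

```python
import ipaddress
import time
from collections import OrderedDict, deque


class SignupLimiter:
    """Sliding-window limits on sign-ups and failed attempts per address prefix.

    Memory is bounded two ways: timestamps older than `window` are dropped on
    access, and the table holds at most `max_entries` prefixes, evicting the
    least recently seen one when full.
    """

    def __init__(self, max_signups=10, max_failures=3, window=3600,
                 max_entries=100_000, clock=time.monotonic):
        self.max_signups = max_signups      # illustrative thresholds, not Hotmail's
        self.max_failures = max_failures
        self.window = window
        self.max_entries = max_entries
        self.clock = clock
        self.table = OrderedDict()          # prefix -> {"ok": deque, "fail": deque}

    @staticmethod
    def _key(ip):
        """Aggregate to /24 (v4) or /64 (v6) so a NATed office shares one budget."""
        addr = ipaddress.ip_address(ip)
        bits = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network((addr, bits), strict=False))

    def _bucket(self, key, now):
        b = self.table.get(key)
        if b is None:
            b = {"ok": deque(), "fail": deque()}
            self.table[key] = b
            while len(self.table) > self.max_entries:
                self.table.popitem(last=False)      # evict least recently seen
        else:
            self.table.move_to_end(key)
        cutoff = now - self.window
        for q in b.values():
            while q and q[0] <= cutoff:             # lazy expiry of old events
                q.popleft()
        return b

    def check(self, ip):
        """Returns (allowed, reason) for a new sign-up attempt from `ip`."""
        b = self._bucket(self._key(ip), self.clock())
        if len(b["fail"]) >= self.max_failures:
            return False, "too many failed attempts"
        if len(b["ok"]) >= self.max_signups:
            return False, "too many accounts created"
        return True, "ok"

    def record(self, ip, success):
        """Call after the attempt: True for an account created, False for a failed CAPTCHA."""
        b = self._bucket(self._key(ip), self.clock())
        b["ok" if success else "fail"].append(self.clock())


if __name__ == "__main__":
    lim = SignupLimiter(max_signups=3, max_failures=2, window=60)
    for i in range(4):
        ok, why = lim.check("203.0.113.7")
        print("attempt", i + 1, ok, why)
        if ok:
            lim.record("203.0.113.7", True)
```

The cap trades memory for accuracy: once the table is full, the least recently seen prefix is forgotten, so an attacker spraying many prefixes can flush other entries and a single bot that waits out the window gets a fresh budget. Neither defeats the point of the limiter, which is to make the 1400-a-day figure unreachable from one address, but production systems back it with a shared store or probabilistic counters rather than one process's dictionary.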

Re:Doubtful (2, Informative)

John Hasler (414242) | more than 6 years ago | (#23082858)

> And Microsoft simply allow a new account to be registered every single minute of the day
> from a single IP address?

No. The spammers control millions of bots. Each new account application is proxied via a different bot.

Re:Doubtful (1)

Bogtha (906264) | more than 6 years ago | (#23082952)

They were specifically talking about a single bot:

Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day

That means that Ars was saying that a spammer with millions of bots can sign up billions of Live Hotmail accounts in a day.

More spam (1)

SmlFreshwaterBuffalo (608664) | more than 6 years ago | (#23082384)

Great. I guess this means I'll start getting a bunch of spam from fake Hotmail accounts.

Oh, wait...

Invitations only (1)

rumith (983060) | more than 6 years ago | (#23082400)

GMail started by having invitation-only subscription. Perhaps it's time Google reconsiders the decision to move away from it?

hotmail ? (3, Insightful)

Tom (822) | more than 6 years ago | (#23082440)

From TFA:

Spammers love getting their hands on live.com and hotmail.com addresses since the chance of such popular domain names being blacklisted are slim to none.

You've got to be kidding! hotmail.com (and all its other TLDs) has been banned from my game four, maybe five years ago. I've been giving every mail from a hotmail account an automatic 2 points in SpamAssassin for at least three years.

For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.

Re:hotmail ? (1)

sqlrob (173498) | more than 6 years ago | (#23082624)

I've gotten almost no spam from hotmail. Hotmail addresses aplenty, but not through hotmail.

Re:hotmail ? (1)

ikkonoishi (674762) | more than 6 years ago | (#23082830)

Yeah I kept getting spam on my phone via IM from live.com. So I completely blocked it since I don't know anyone with a live.com email.

Re:hotmail ? (1)

GreggBz (777373) | more than 6 years ago | (#23082866)

In 5 years administering ISP email servers, I can't recall ever seeing hotmail on an RBL. In fact, all the major mail domains are typically good.

Sure, I get millions of e-mails claiming to be from hotmail, but since they have a proper SPF record, it bounces off anyway.

But it's cool yo, hate on MS.
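
The comment leans on SPF to drop mail that merely claims to be from hotmail.com. The following is an added example, not from the post and using a constructed DNS fixture rather than any real domain's record: a minimal evaluator for the ip4, ip6, include and all mechanisms of RFC 7208, enough to see how a forged envelope sender ends in fail or softfail. Mechanisms that need live DNS (a, mx, ptr, exists) are skipped here as a simplification, and the include depth limit is applied loosely. Two practitioner caveats: SPF is evaluated against the envelope MAIL FROM, not the From header the user sees, and a domain publishing ~all (softfail) leaves the reject decision to the receiver's policy rather than to SPF.

```python
import ipaddress

# Constructed DNS TXT fixture (hypothetical domains; not hotmail's real record).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example ~all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Evaluate `sender_ip` against `domain`'s SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are implemented; a/mx/ptr/exists need live DNS
    and are treated as non-matching here (a simplification of the RFC).
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = txt.get(domain)
    if not record or not record.split()[0].lower() == "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        if "=" in term:                  # redirect= / exp= modifiers: not handled
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            sub = check_spf(arg, sender_ip, txt, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must have a usable record
            matched = sub == "pass"
        else:
            matched = False              # a/mx/ptr/exists: skipped in this offline example

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched and no explicit "all"


if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.10", "2001:db8:1::5", "203.0.113.9"):
        print(f"{ip:>16} -> {check_spf('example.com', ip)}")
```

Run against the fixture, the first three addresses pass (directly, via include, and via the included ip6 range) while 203.0.113.9 reaches the ~all and softfails; the same address tested against the included record alone hits -all and fails outright.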

hrm.. (0)

Anonymous Coward | more than 6 years ago | (#23082442)

forgive me, but I do not see how these images prove that the captcha has been cracked.

Crackers as a resource (2, Interesting)

Idiomatick (976696) | more than 6 years ago | (#23082500)

When a product is released you can usually assume it WILL be cracked. Why not use this for the good of all?

I'm certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes, if they have been cracked this code can be easily applied to text readers. Let's move on to something else.

If it holds you win, if it gets cracked you win and switch projects.

Committee of Vigilance time? (1)

Ungrounded Lightning (62228) | more than 6 years ago | (#23082518)

People's legitimate activities are being hindered in a coercive manner by criminal activity on a massive scale. Large numbers of people are affected.

The problem is increasing.

Defensive strategies have failed.

Governments are unwilling or unable to take steps to apprehend and/or deter the perpetrators.

This is a classic example of the conditions that inspire vigilante action.

I wonder how much longer until we begin to see it.

Real world... (4, Insightful)

rueger (210566) | more than 6 years ago | (#23082566)

Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...

Problem is that none of them really will work in the Real World (RW).

In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.

Does the hack actually read the obscured text? (0)

Anonymous Coward | more than 6 years ago | (#23082630)

From what I can understand, it simply stores what people have already submitted when presented with the image. Generating brand new images with random nonsensical words would solve the problem, no?

Video capcha? (1)

jbeaupre (752124) | more than 6 years ago | (#23082676)

Has anyone tinkered with a video form of captcha? Is there any benefit?

Who couldn't see this coming? (1)

mdekato (1106547) | more than 6 years ago | (#23082712)

It was only a matter of time after Yahoo and Gmail were cracked. What makes this newsworthy now? I think the real story would be why didn't MSN Hotmail develop a better defense in the time since the first system was cracked?

Let the authorities prove they're worth their salt (1)

D4C5CE (578304) | more than 6 years ago | (#23082788)

Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers.

If these giants with millions of clients demand unrelenting criminal prosecution of spammers, don't you think they would get one that might actually work? (Remember Lawrence Lessig bet his chair on this! [lessig.org] )

We've seen technical solutions supposedly "solving spam" fail for more than a decade, ruining access from character terminals, mobile devices, screen readers, and many other reasonable things in the process - while making every little contribution to discussions a time-consuming issue of solving captchas, waiting for confirmation mails, and signing up everywhere, over and over again.

If all the organizations that have been eroding our privacy allegedly for fighting whatever happens to be the Horseman of the day [wikipedia.org] (and want to keep the surveillance society that way) can actually catch anyone, let them prove it by putting scores of spammers, malware makers and bot herders behind bars - within a few weeks of course, because they (say) they can.

1-900 number (3, Interesting)

Deathlizard (115856) | more than 6 years ago | (#23082964)

I'm actually surprised no one uses this. Google was close with their SMS registration but this could work just as well.

When you register, it gives you 2 easy to read captchas (a verification number and password, if you will), a simple picture and a 1-900 number that's $1.00 a call. When you dial it, it asks you to enter your verification number. Then it asks for the password, which you would have to decode from the phone (i.e. the password is vndka and you would have to enter 86352). Finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat; the 1-900 number then says "did you say cat?", to which you say yes or no). If it's a cat you're registered; if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture, and hangs up.

The big advantage to this is it would be hard to script the phone conversation, since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script, especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to run up your phone bill, but it's not anything new in the spyware business since dialers have been around for years, and if they're already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
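
The call flow Deathlizard describes, written out as an added example that is not part of the post: the server side of the challenge as a small state machine, with the keypad encoding of the password (vndka keys in as 86352), a yes/no confirmation of the recognised picture word, and a fixed number of wrong answers before the challenge is burned and the registration page must be refreshed. Defaults, prompts and the attempt limit are illustrative assumptions; the telephony and speech recognition that would feed step() its input are assumed to sit in front of it.

```python
import secrets
import string

# Letters on a standard telephone keypad (ITU E.161); q and z sit on 7 and 9.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keypad_digits(word):
    """'vndka' -> '86352': the digits the caller must key in for the password."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())


class PhoneChallenge:
    """Server side of the premium-number registration check.

    One challenge per registration page, single use. After `max_attempts`
    wrong answers (or one wrong picture) the challenge is dead and the
    caller is told to refresh for a new one, as in the scheme described.
    """

    def __init__(self, picture_label, verification_number=None, password=None, max_attempts=3):
        # Generated per registration page unless supplied (supplied only for tests).
        self.verification_number = verification_number or f"{secrets.randbelow(10**8):08d}"
        self.password = password or "".join(secrets.choice(string.ascii_lowercase) for _ in range(5))
        self.picture_label = picture_label.lower()
        self.max_attempts = max_attempts
        self.attempts = 0
        self.heard = None
        self.state = "number"

    def prompt(self):
        return {
            "number": "Enter your verification number.",
            "password": "Enter the password shown on screen using the keypad.",
            "picture": "Say what the picture shows.",
            "confirm": f"Did you say {self.heard}?",
            "registered": "You are registered.",
            "failed": "Sorry. Refresh your registration page for a new challenge.",
        }[self.state]

    def _wrong(self):
        self.attempts += 1
        if self.attempts >= self.max_attempts:
            self.state = "failed"
        return self.prompt()

    def step(self, caller_input):
        """Feed one caller response (DTMF digits or a recognised word); returns the next prompt."""
        if self.state in ("registered", "failed"):
            return self.prompt()                 # dead challenge: nothing more to do
        x = caller_input.strip().lower()
        if self.state == "number":
            if x != self.verification_number:
                return self._wrong()
            self.state = "password"
        elif self.state == "password":
            if not secrets.compare_digest(x, keypad_digits(self.password)):
                return self._wrong()
            self.state = "picture"
        elif self.state == "picture":
            self.heard = x                       # echo back before judging, per the scheme
            self.state = "confirm"
        elif self.state == "confirm":
            if x != "yes":
                self.state = "picture"           # recogniser misheard: ask again
            elif self.heard == self.picture_label:
                self.state = "registered"
            else:
                self.state = "failed"            # confirmed wrong answer: burn the challenge
        return self.prompt()


if __name__ == "__main__":
    call = PhoneChallenge("cat", verification_number="12345678", password="vndka")
    for said in ("12345678", keypad_digits("vndka"), "dog", "no", "cat", "yes"):
        print(f"caller: {said!r:>12}  ->  server: {call.step(said)}")
```

What the state machine does not provide is the anti-scripting measure the commenter relies on most, the random hold times and varied voice prompts; those belong to the telephony layer, and the per-call charge is doing most of the economic work regardless.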

Beneficial arms race (1)

Trogre (513942) | more than 6 years ago | (#23083008)

This arms race with captchas and their associated cracks has great implications for an area that is sorely lacking: OCR technology.

Think about it; captchas are designed to be as noisy, distorted and generally hard for a machine to read as possible while still being human-readable. Much like a lot of handwriting and poorly-photocopied documents. Now if we can get the source that these spammers are using to break captchas we have the makings of a quantum leap in OCR technology.

Now to fill in some missing cases, can the next set of /. captchas please be formatted tables? Thanks.

Offline (1)

plantguy001 (965448) | more than 6 years ago | (#23083012)

... And hotmail has taken it offline: "We are working to fix a temporary problem with our sign-up service. Please try again."

Oh no... (1)

Chris Mattern (191822) | more than 6 years ago | (#23083032)

Time to dust off Kitten Auth?

"Service Unavailable"

Who will save us now??