Fallout From the Fall of CAPTCHAs

kdawson posted more than 6 years ago | from the script-kiddie-fodder dept.

Security 413

An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."

413 comments

Well (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24203259)

Just use a one time pad

Cracked CAPTCHAs!!! oh no! (5, Interesting)

xpuppykickerx (1290760) | more than 6 years ago | (#24203279)

I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

or Windows Specific. (2, Funny)

twitter (104583) | more than 6 years ago | (#24203379)

There is irony, force people to use the platform that's responsible for botnets in the first place.

Re:or Windows Specific. (-1, Troll)

Kalriath (849904) | more than 6 years ago | (#24203887)

Man you're a really dumb shit, twitter. There's no such thing as a "Windows specific" CAPTCHA, a CAPTCHA is a fucking picture. Go spread your moronic vitriol elsewhere.

Re:Cracked CAPTCHAs!!! oh no! (5, Insightful)

Anders (395) | more than 6 years ago | (#24203421)

I hate the fact that a computer can view these things better than I can. Lately, a lot of the CAPTCHAs have become unreadable by human viewers.

They don't view it better than you, they just do not get impatient from failing 4 out of 5 times.

And they share better. (2, Interesting)

khasim (1285) | more than 6 years ago | (#24203515)

Put 1,000 computers on the problem and allow them to share information from their successes ... and you've cracked a CAPTCHA implementation.

And there are hundreds of thousands of zombies out there.

Re:Cracked CAPTCHAs!!! oh no! (3, Interesting)

fm6 (162816) | more than 6 years ago | (#24203959)

Or from failing 999 times out of 1,000. Computers have an infinite amount of patience. Security schemes that don't acknowledge that are doomed to failure.

Re:Cracked CAPTCHAs!!! oh no! (3, Insightful)

nbert (785663) | more than 6 years ago | (#24203665)

Makes one feel like an idiot if some site starts to require impossible Captchas. Rapidshare for example had one where you were supposed to only write the letters featuring a cat (other letters had a dog). I had to enable some zoom feature of my DE to get a closer look but still the dogs and cats looked like some screen-dirt to me. Never managed to solve this one properly.

Looks like I'm not the only one not smart enough - they replaced this CAPTCHA with some "Happy Hour" mode, which didn't require any form.

Re:Cracked CAPTCHAs!!! oh no! (2, Interesting)

xpuppykickerx (1290760) | more than 6 years ago | (#24203951)

It's come to a point where the messages are so jumbled, faded, etc etc that I'm avoiding sites that use them.

Anyone using specialised tests? (5, Interesting)

niceone (992278) | more than 6 years ago | (#24203291)

Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register (it gets easier if you reload the page a few times, down to simple arithmetic). I have a site that is only of interest to people who use verilog (a hardware design language). I've toyed with requiring some digital logic problem to be solved, but the volume of spam signups isn't big enough for me to be bothered yet...

Of course this solution isn't going to work for gmail - which seems to be the preferred email provider for the spam signups I do get these days.

Re:Anyone using specialised tests? (1)

abstract daddy (1307763) | more than 6 years ago | (#24203361)

There are lots of simple, foolproof ways of stopping bots that are still easy for humans to solve, but nobody bothers to implement them. Maybe website admins are just masochists who enjoy having this arms race against bots while humans have to reload the fucking thing five times because it's all just gibberish.

Re:Anyone using specialised tests? (1)

jim.hansson (1181963) | more than 6 years ago | (#24203511)

Please enlighten all of us with more information about these ways you talk about.

Re:Anyone using specialised tests? (4, Interesting)

stomv (80392) | more than 6 years ago | (#24203829)

what is the opposite of up?
what day is after friday?
what does seven plus three equal?
what letter of the alphabet comes before d?
how many wheels does a bicycle have?
what is the third word of this sentence?

These are generally difficult for computers to solve, can be programmed to have permutations, and since the quiz answer can be tied to the account, if a particular question or style is getting spammed frequently, it can be removed from the list of questions.

It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.

Re:Anyone using specialised tests? (2, Insightful)

suggsjc (726146) | more than 6 years ago | (#24204023)

It's an arms race, and this system won't work forever, but it's fairly easy to implement and fairly difficult to overcome.

Not really, it's all about scale. That system wouldn't last more than just a few seconds if a full "attack" were performed by a large botnet. The number of permutations is relatively finite, therefore with a large number of computers trying to "solve" the problem, once the correct answers were "cracked" then they could be shared and eventually the bots either know all of the answers, or you removed *all* of the questions from the list. I'm not saying this is an ineffective system for small/medium sites, but it wouldn't cut it for really large sites.

Re:Anyone using specialised tests? (1)

tepples (727027) | more than 6 years ago | (#24204025)

if a particular question or style is getting spammed frequently, it can be removed from the list of questions.

Which could leave the list of questions empty before the site's administrator has a chance to react.

Re:Anyone using specialised tests? (1)

genericpoweruser (1223032) | more than 6 years ago | (#24204035)

Those are actually rather easy for a computer to solve. Mathematical questions can be solved by typing them into google. There is such a thing as natural language parsing. It would be another challenge for the spammers, but it would amount to no more than another weapon in the arms race.

Re:Anyone using specialised tests? (3, Funny)

AndGodSed (968378) | more than 6 years ago | (#24203605)

No.

You see there is an ongoing war against the postmasters by the webmasters. I am a postmaster, and I get roughly 300ish spam mails per site.

And the webmasters sit and chuckle. Bastards, they could make it stop!

But they don't... animals...

Re:Anyone using specialised tests? (1)

Shikaku (1129753) | more than 6 years ago | (#24203371)

What about that captcha system where you identify a type of animal, like whether this picture is a dog or a cat?

Why not captchas like that, or similar? I'm pretty sure that identification of an object or animal would be much harder than letters.

Re:Anyone using specialised tests? (2, Informative)

blueg3 (192743) | more than 6 years ago | (#24203503)

While that's a class of problem that's tricky (though not impossible) to address, giving you the choice of a few different animals it might be is insufficient. Even if there are 10 choices, random guessing will be right 10% of the time, and that's enough for spammers. Subjective answers (showing a picture of a dog and having someone type "dog") are tricky because not everyone will type "dog", and you don't want to reject humans.

The current design fits the requirements well because the answer is distinctly objective (you're entering exactly the letters you see), but the number of possible answers is enormous, so learning the answers or hoping to guess well is unreasonable.

Re:Anyone using specialised tests? (5, Insightful)

jandrese (485) | more than 6 years ago | (#24203525)

The problem is that to set up that CAPTCHA you have to have a person sift through a huge picture archive of cats and dogs and mark each one. However, that limits the size of your CAPTCHA dictionary to however many entries a person can parse in a reasonable amount of time. This means the bad guys can sit down a person (or two, or ten) and go through all of your images to seed a database with the correct answers for their bots.

Re:Anyone using specialised tests? (4, Insightful)

Lehk228 (705449) | more than 6 years ago | (#24203537)

not really, unless the catalog is huge and you expect your legitimate users to be biologists. if there are even as many as 100 animals the script can just guess, and 1% of attempts get through. when thousands of bots are signing up simultaneously 1% is a whole lot of bots
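
The guessing and pool-harvesting arithmetic that blueg3, jandrese and Lehk228 describe above, worked through for a site owner sizing a challenge. This is an added example, not part of any comment in the thread; the attempt count, pool sizes and the list of designs are constructed for illustration.

```python
import math


def expected_guessed_passes(attempts, answer_space):
    """Expected accepted signups when every attempt is a uniform random guess."""
    return attempts / answer_space


def pool_coverage(reloads, pool_size):
    """Expected fraction of a hand-labelled pool seen after `reloads` uniform draws."""
    return 1.0 - (1.0 - 1.0 / pool_size) ** reloads


def reloads_for_coverage(target, pool_size):
    """Reloads after which expected coverage reaches `target` (0 < target < 1)."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / pool_size))


def reloads_to_see_all(pool_size):
    """Expected reloads until every pool item has been shown once (N * H_N)."""
    return pool_size * sum(1.0 / k for k in range(1, pool_size + 1))


def min_answer_space(attempts, tolerated_passes):
    """Smallest answer space keeping expected guessed passes within the budget."""
    return math.ceil(attempts / tolerated_passes)


# Constructed designs: (name, answer space, hand-labelled pool size or None
# when challenges are generated algorithmically and there is no pool to learn).
DESIGNS = [
    ("pick 1 of 10 animals", 10, 1000),
    ("name 1 of 100 animals", 100, 1000),
    ("6 distorted characters from 32 symbols", 32 ** 6, None),
]


def compare_designs(attempts, designs=DESIGNS):
    """Summarise each design's exposure to blind guessing and pool learning."""
    rows = []
    for name, space, pool in designs:
        rows.append({
            "design": name,
            "guessed_passes": expected_guessed_passes(attempts, space),
            "reloads_to_learn_90pct": (
                reloads_for_coverage(0.9, pool) if pool else None),
            "reloads_to_learn_all": (
                reloads_to_see_all(pool) if pool else None),
        })
    return rows


if __name__ == "__main__":
    for row in compare_designs(attempts=100_000):
        print(row)
    # Answer space needed to keep 100,000 blind guesses to one expected pass.
    print(min_answer_space(100_000, 1))
```
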

Re:Anyone using specialised tests? (3, Funny)

jim.hansson (1181963) | more than 6 years ago | (#24203559)

then you write a little program that will show nude pictures, if users identify pictures for you. do not underestimate the length some people will go to for seeing mostly skin.

Re:Anyone using specialised tests? (0)

Anonymous Coward | more than 6 years ago | (#24204095)

I'd give you mod points for that one except I don't believe you actually meant that double entendre.

Re:Anyone using specialised tests? (1)

jfmiller (119037) | more than 6 years ago | (#24203621)

http://www.youtube.com/watch?v=AyzOUbkUf3M [youtube.com]

This video is from the Google Tech Talks about neural networks and talks not only about identifying pictures of handwritten numbers, but also about sorting pictures and text.

It seems that categorizing visual data is now a solved (if CPU intensive) problem.

Re:Anyone using specialised tests? (0)

Anonymous Coward | more than 6 years ago | (#24203713)

It's nowhere near solved, yet you talk as if you know what you're talking about. So sad.

Re:Anyone using specialised tests? (0)

Anonymous Coward | more than 6 years ago | (#24203481)

Heh, at the end of the article they have a link to a site that requires you to solve a calculus problem to register

So the ones who solve it correctly are the bots and smart humans and the ones who screw it up are the dumb humans? Sounds like a good idea. I'd rather deal with spam than have to read 90% of the comments on a site like Digg or Fark. Spam is easy to ignore. Idiotic comments, on the other hand, latch on to you and suck out your brains.

captcha crackers use cheap human labor (1)

peter303 (12292) | more than 6 years ago | (#24203895)

I thought the cracker for Ticketmaster just forwarded the unsolvable piece to cheap labor in China. You could do this for math problems too.

Mix it up a bit? (4, Interesting)

Hektor_Troy (262592) | more than 6 years ago | (#24203303)

Combine it with a mix of simple math and image recognition? I.e.

"What colour hair does the (2+four)/3 girl from the left have?"

Hell, skip the math part if that's too easy.

Re:Mix it up a bit? (5, Insightful)

jandrese (485) | more than 6 years ago | (#24203473)

Computers are pretty good at math last time I checked. Asking for something that would require a full on AI to answer is good (the hair color part), but the problem is that it requires a human to seed the questions, which means they will be limited in number. If they're limited in number then the spammers will just go through and keep reloading the screen until they've seen all (or mostly all) of the answers and program their bot with the correct answers.

CAPTCHAs need to be able to be generated algorithmically by a computer, but not answered by one, which is a surprisingly difficult problem. Anything that requires human intervention on the creation of each variation is doomed to fail because spammers have more free time than you do.

Re:Mix it up a bit? (1)

spydabyte (1032538) | more than 6 years ago | (#24203635)

I'd say ask the user/bot to solve an algorithm. That way, whoever does it, everyone wins. Then we can finally get to developing computers that develop better algorithms, ie themselves. I for one...

Re:Mix it up a bit? (5, Funny)

jandrese (485) | more than 6 years ago | (#24203699)

I can't wait until someone's daughter tries to make an account on Barbie's Horse Talk website and is presented with the following CAPTCHA:

Prove that a 3-manifold space has the additional property that each loop in the space can be continuously tightened to a point then it is just a three-dimensional sphere.

Re:Mix it up a bit? (1)

mathimus1863 (1120437) | more than 6 years ago | (#24203981)

but the problem is that it requires a human to seed the questions, which means they will be limited in number. If they're limited in number then the spammers will just go through and keep reloading the screen until they've seen all (or mostly all) of the answers and program their bot with the correct answers.

That is partially a true statement. You can use your limited number of items, and combine them in such a way that you are combinatorially increasing the answer space. For instance, you have 100 items in your limited database -- if you require two things be identified at once, there's 10,000 items in your answer space. Make that 4 things, and it's almost a billion unique captchas. Of course, this is an oversimplification, but the concept is there if it's done correctly. I prefer the math word-problems approach. A friend of mine who did his Master's in AI said the best AI can do on true/false kindergarten word-questions (i.e. "A dozen bagels is 12 bagels?") is like 60%. General comprehension of sentences and language constructs is very far behind human abilities, even at the kindergarten level. Of course, though, this requires more time to complete a CAPTCHA, but sounds like there aren't many other options.

Re:Mix it up a bit? (1)

autocracy (192714) | more than 6 years ago | (#24203527)

That would too quickly fall to a computer. The reason CAPTCHAs (did) work is because the number of possible answers was respectably high. If you put 10 people in a line, a computer would probably get the right answer the 5th time around. If you put 100 people in a line, you'd get a very pissed off user.

Re:Mix it up a bit? (1)

pete-classic (75983) | more than 6 years ago | (#24203745)

Whoops [google.com], a computer can easily solve your Math problem.

-Peter

Re:Mix it up a bit? (3, Insightful)

evilviper (135110) | more than 6 years ago | (#24203801)

"What colour hair does the (2+four)/3 girl from the left have?"

"On the internet, only CAPTCHAs know you're a dog." Because, of course, there aren't any color-blind people on the internet...

First, hair color is a terrible test... You've got about a 24% chance of getting it right without looking...

Putting together a set of images with full extensive descriptions such as that would be prohibitive, while numbers and letters can be pretty easily automatically generated.

Re:Mix it up a bit? (3, Funny)

QuantumRiff (120817) | more than 6 years ago | (#24203913)

You just eliminated one third of the US population from accessing your site.. Sad, isn't it.
Now if you had said,
What color of hair does the 3rd girl on the right have,
A: green
B: brown
c: Blond
D: I drive a ferrari, I don't care about hair color!
you would only eliminate about one eighth

location of CAPTCHA cracking programs (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24203313)

You can get those CAPTCHA CRACKING programs at

http://www.pasteplace.net/archives/capt_crack.html

You're welcome.

Automate CAPTCHA attacks? (2, Insightful)

DriedClexler (814907) | more than 6 years ago | (#24203329)

Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?

Re:Automate CAPTCHA attacks? (2, Funny)

Anonymous Coward | more than 6 years ago | (#24203425)

I'm wrong

Fixed.

Re:Automate CAPTCHA attacks? (2, Informative)

rwillard (1323303) | more than 6 years ago | (#24203463)

It automates the attack by repeating the known method of defeating the CAPTCHA (say, by grayscaling the image, adjusting the brightness thresholds then reading from the font; I don't know the actual method, that's just a guess). It's not that you point it at a website and it'll discover the method to defeat the CAPTCHA on its own, it's just repeating a method an actual person developed. That's how I read it, anyway.

If ... but it is not. (1)

khasim (1285) | more than 6 years ago | (#24203663)

They don't do anything amazing with the images. They just attempt to reverse what is known about how the source site modifies the images.

With enough machines aimed at the problem, it becomes simple to brute-force it and then share the information amongst the other machines.

Remember, the CAPTCHAs are limited in that they still have to be understandable to humans.

Re:Automate CAPTCHA attacks? (1)

wild_quinine (998562) | more than 6 years ago | (#24203827)

Correct me if I'm wrong, but wouldn't something capable of "automating captcha attacks" be, um, a major advance in artificial cognition, and quite a wealth of scientific information, since that means it can solve an arbitrary captcha like a human can?

Even if a universal tool which could read all and any CAPTCHAs better than humans did exist, it would not necessarily solve it 'like a human can'. Speech recognition software, which I work with a lot as an Accessible Technologist, has become very, very good these days - certainly in comparison with a few years ago. However, just because it can now recognise 98% of speech from a brand new, untrained user does not mean that it understands that speech, much less processes it like a human.

The point, I suppose, is that we're a long way from having any AI that can do anything 'like a human can'. We mostly just fake it for individual tasks. Some new, more annoying, human detection software will hit the web soon enough.

Security through obscurity (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24203345)

There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks.

Why shouldn't as many people as possible have access to CAPTCHA breaking schemes if the spammers do anyway? Shame on the poster for not including some links himself.

Re:Security through obscurity (1)

deft (253558) | more than 6 years ago | (#24203899)

So, you're saying security through obscurity is working against you?

Damn that failed methodology :)

Sure, I want to be in a tank during a fire fight, but I'd much rather be in a -hidden- tank during a fire fight, even if it's temporary.

Re:Security through obscurity (1)

Kalriath (849904) | more than 6 years ago | (#24203939)

Indeed. Perhaps if more webmasters actually downloaded these programs and tried them against their CAPTCHA implementations, we'd have less easily broken ones.

Captchas are only good for protecting cheap stuff. (5, Insightful)

nweaver (113078) | more than 6 years ago | (#24203385)

CAPTCHAs are only able to protect things worth $.0025, no matter how good they are. Simply because at about that price, you can pay humans to solve them for you.

Thus for preventing mail spam, it can work. But to prevent, say, bots from harvesting Ticketmaster, they will always fail, no matter how good they are.

Actually, they are more potent than that (2, Informative)

explodingspleen (1267860) | more than 6 years ago | (#24203983)

You may be able to pay humans to solve them for you, but you can't pay humans to solve them for you at the same quantity. Human beings are slow and require extensive resources.

It makes a big difference when you're talking about creating a crime syndicate with thousands of employees vs. one lonely script kiddie. The former solution doesn't scale very well, and has a much higher barrier to entry. Even if you don't stop spam you are certainly cutting back on the quantity.

If they can break the captcha, that's a bit less helpful, because whoever did it can sell the solution. However, it's still better than if setting up an automated agent for spamming your site is nothing more than a scant few hours of work to anyone who can program. And the quicker you can change your captcha the less profitable/useful it becomes to crack it.

It's not about being utterly victorious. That would involve tracking down spammers and hiring hitmen to take them out. What it is about is harms mitigation, and captchas will still do that even after being broken.

Bound to happen (1)

bobwrit (1232148) | more than 6 years ago | (#24203389)

When you have something online that is as popular as this, someone is bound to crack it some time or another.

Re:Bound to happen (1)

snl2587 (1177409) | more than 6 years ago | (#24203423)

What about reCaptcha? Anyone break that yet?

Re:Bound to happen (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24203513)

>What about reCaptcha? Anyone break that yet?

Yes. For $0.25 each I'm willing to answer the questions for you. You might find people in third world countries who will do it for much less.

Re:Bound to happen (2, Interesting)

Dekortage (697532) | more than 6 years ago | (#24204011)

I dunno. I recently installed reCaptcha on a site that received dozens of spam messages through its online forms, and they all instantly stopped. None of them have returned. It's a low-traffic site, but still... made me think reCaptcha was doing a decent job.

I wonder.. (1)

fiannaFailMan (702447) | more than 6 years ago | (#24203393)

...if this is connected to what I could swear is an increase in spam lately. Has anyone else noticed an unusually high amount of sensational false headlines and Russian nonsense appearing in their inboxes?

Re:I wonder.. (1)

Mordok-DestroyerOfWo (1000167) | more than 6 years ago | (#24203457)

Cue the Soviet Russia jokes in 5, 4, 3, 2, 1...

Re:I wonder.. (1)

ragethehotey (1304253) | more than 6 years ago | (#24203469)

Has anyone else noticed an unusually high amount of sensational false headlines and Russian nonsense appearing in their inboxes?

I was actually wondering the same thing the other day, as I got a spam titled "Will Smith Dead From Oxycontin Overdose Upside Down In Bathtub"

I KNEW it had to be spam, but opened the email anyway just to reward a subject line that actually gave me a small giggle.

Re:I wonder.. (0)

Anonymous Coward | more than 6 years ago | (#24203791)

Well hopefully you have good anti-spyware installed, it seems to be the new way of infecting machines with the storm worm. Being a slashdot reader I will assume you do... :)

http://redtape.msnbc.com/2008/07/no-presidential.html

Re: Your sig (0)

Anonymous Coward | more than 6 years ago | (#24203517)

If guns kept people safer we'd be allowed to carry them on commercial flights.

Are you arguing (or making an argument which assumes as a premise) that the rules relating to security for commercial flights are actually sane? My baggie of liquids disagrees.

That said, commercial flights are very much a corner case; the potential for collateral damage, for instance, is greatly amplified; thus, rules which are appropriate for commercial flights are not necessarily appropriate everywhere else.

Re: Your sig (0)

Anonymous Coward | more than 6 years ago | (#24204003)

life is a corner case.

Re:I wonder.. (2, Funny)

Illbay (700081) | more than 6 years ago | (#24203849)

Nyet, but haf you conzidered ze amazing affordability uff zer timezhare at Lake Baikal? Operatorz iz schtanding by!

The problem isn't the CAPTCHA itself... (2, Interesting)

ragethehotey (1304253) | more than 6 years ago | (#24203415)

But rather an over-reliance on turnkey solutions to the problem. The overwhelming majority of places that use them all use the same format (hard to read words) which in turn creates an incentive for someone to break it as it will be easily applied to other CAPTCHAs. The solution is for there to be a wide variety of them that come up at any given time of the "what number is on the picture of the girl in the blue shirt" one day, but "pick the picture of the elephant" a week later. I predict that a company like google will step up to implement a turnkey system like this for adwords users and the like in the near future.

Thank god (0)

Anonymous Coward | more than 6 years ago | (#24203433)

Screw everyone, you assholes!

Good thing I can break CAPTCHAs to post this.

Oh, and by the way don't forget to check out goatse.cx

Where are they? (0)

Anonymous Coward | more than 6 years ago | (#24203437)

There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks.

INFORMATION WANTS TO BE FREE!!!!!!!

How can we evaluate the CAPTCHAs that we are developing if we can't test them against the available crackers?

So much for open source!

Depressing (2, Insightful)

MarkPNeyer (729607) | more than 6 years ago | (#24203439)

Does anyone else find it as depressing as I do that such obviously intelligent, motivated individuals can't find a more productive use of their talents?

Re:Depressing (3, Interesting)

cowscows (103644) | more than 6 years ago | (#24203753)

It's depressing to me that things like viagra spam are still profitable enough to make spamming them financially useful. Sure, the way the economics of it work out you only need a really low response rate to break even, but hasn't everyone already gotten enough of those emails? I'd imagine that whatever market there is for sketch viagra distributors would be saturated by now.

At least with phishing spam I get to see new scams on a regular basis (some quite cleverly disguised too). But some of the more vanilla spam just seems pointless.

Re:Depressing (1)

thewesterly (953211) | more than 6 years ago | (#24203955)

Does anyone else find it as depressing as I do that such obviously intelligent, motivated machines can't find a more productive use of their talents?

FTFY

What, CAPTCHA is causing malware?!? (1)

noidentity (188756) | more than 6 years ago | (#24203447)

CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work.

So if they removed the CAPTCHA, malware authors and spammers wouldn't have an easy and useful way to do their dirty work?!? Hmmm, a term comes to mind: CRAPTCHA

Still useful (4, Insightful)

truthsearch (249536) | more than 6 years ago | (#24203453)

CAPTCHA is still useful for small to medium sites that aren't specifically targeted. Your average blog, for example, is only hit by random bots that try to get quick and easy posts. Only the largest sites like GMail need to find something better today.

For example, I use reCAPTCHA [recaptcha.net] on DocForge [docforge.com] to block the standard wiki spam bots. Since my site's not large enough to be under heavy attack very little gets through. Someday CAPTCHA may be so easy to break that everyone's at risk, but not today.

Re:Still useful (1)

g0bshiTe (596213) | more than 6 years ago | (#24203755)

I call bulls**t on this one, my clansite gets 1000 new zombie accounts created per day.
I've tried CAPTCHA, I've tried the 3 kittens (click the 3 pictures of kittens) I've tried 1 dog, 1 kitten, 1 wheel.
They all fail.

The only way to keep them from posting is to require an admin to approve the account before they can post.

Re:Still useful (2, Insightful)

truthsearch (249536) | more than 6 years ago | (#24203979)

Well, you can check my site's recent changes [docforge.com] to see nothing gets through that contains external links, which are the only anonymous submissions protected with CAPTCHA.

Maybe your site's running some very common software. I have a Drupal site [seenonslash.com] for example, that is sometimes hit by bots that are obviously specifically written to attack Drupal sites. Or maybe your CAPTCHA implementations have already been broken, or aren't (pseudo-)random enough.

Re:Still useful (1)

fm6 (162816) | more than 6 years ago | (#24204061)

It's even useful for big sites that just want to keep out BBS spam. Suppose you want to solicit customer feedback and you don't want to make your customers login. If you put out a simple text form, it will quickly be found by numerous bots that will keep posting comments like "Great site! Check out my web site at www.bigtits.com." These bots aren't really targeting you, they just are too stupid to realize that you're not a BBS. It doesn't even require a good CAPTCHA to keep them out, even a simple thing like making people add two random small integers is effective. The system doesn't have to be tough to beat, because nobody's really interested in beating it (excuse the pun).

The best part is.. (4, Interesting)

QuantumG (50515) | more than 6 years ago | (#24203487)

Spammers are cracking some of the hardest problems of AI research.

How can they do that, and yet all the great academic minds can't? Two things:

* funding
* a willingness to use "anything that works"

What's really scary is that, in the end, spamming may turn out to be an agent of good.

But they're not, really (2, Informative)

XanC (644172) | more than 6 years ago | (#24203817)

Much of this is finding a way to brute-force the methods used on particular sites, overwhelming randomness, etc. It's not really a computer reading any difficult text.

Re:The best part is.. (1)

CorporateSuit (1319461) | more than 6 years ago | (#24203859)

Because the only thing academia is good for in CS is removing the ability to think outside the box.

Re:The best part is.. (0)

Anonymous Coward | more than 6 years ago | (#24203917)

Academics can do this, however I don't think anyone will ever claim to have cracked a turing test with:

Human: Hi how are you today?
bot: food, what are you?
bot: Green, where are you?
bot: How are you good?
bot: neard, are what is you?
bot: Good, how are you?
Human: Oh, I'm fine thank you.

Re:The best part is.. (1)

QuantumG (50515) | more than 6 years ago | (#24203943)

No-one takes the Turing Test seriously anymore dude.

A dumb question: (4, Interesting)

AndGodSed (968378) | more than 6 years ago | (#24203507)

How come /. is so spam free?

Do the hackers just not care about us,
or:
is this like one of those "safe zones" where geeks and hackers can hang out as long as nobody asks or tells? (looks at guy to his left..."say is that a CAPTCHA in your pocket or are you just excited to be here...")

Re:A dumb question: (5, Informative)

EkriirkE (1075937) | more than 6 years ago | (#24203667)

A combo of requiring an account, and having to wait at least 30 seconds before writing a reply, plus moderation. However, the firehose is littered with spam ads...

Re:A dumb question: (3, Interesting)

p0tat03 (985078) | more than 6 years ago | (#24203709)

Because it's difficult to get spam accounts *and* have good karma. Spam posts get modded to oblivion nice and quick :)

Suggested New CAPTCHA method. (2, Interesting)

gurps_npc (621217) | more than 6 years ago | (#24203541)

This CAPTCHA has text from six emails. Five are randomly selected from those sent by people that have opened an email account in the past month. One is from an email account that is a honeypot. "Please select all emails that are spam." Note, the obvious secondary benefit is that it is used as a spam detector. Then of course there is the simple rule: "Our free email accounts cannot be used to send more than 20 emails per day. If you need more, please sign up for our deluxe account, that charges you $1 per year of service."

fall of open email (4, Insightful)

drDugan (219551) | more than 6 years ago | (#24203551)

it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

in a globally connected world with several billion possible users - open email simply won't work much longer.

what we need are permission based systems - ones in which people need permission before they can contact another person. it would eliminate spam entirely, by integrating whitelists into mail clients. because no one has built a system like this that leverages and extends existing email servers - private organizations leveraging social connections have moved in to fill the gap. sadly, because facebook messages and myspace messages are not built on an open standard - you have to go through those companies to contact people.

Re:fall of open email (1, Flamebait)

g0bshiTe (596213) | more than 6 years ago | (#24203793)

You could always start this initiative at Source Forge.

Re:fall of open email (2, Insightful)

robogun (466062) | more than 6 years ago | (#24203873)

I think they've gone there because a social network provides much more than just email communication - the networks monitor your friends for you. Also they include the profile posturing that AOL profiles were so good at in the 90s. But it will suck for them when Myspace and any other proprietary setup fails, or is purchased by evil(tm) organizations, or when they evolve past usability (such as Hotmail, AOL, ebay etc) and believe me they never stop tinkering because they have to make a profit. Remember the AOL outages and dialup access issues, people acted as if the whole Internet was down when in reality they couldn't connect to some company.

Open is still the best way.

Re:fall of open email (1)

happytechie (661712) | more than 6 years ago | (#24204081)

bandwidth is so cheap that the next free open social networking site will set up the next day, remember friends reunited?

Re:fall of open email (1)

Illbay (700081) | more than 6 years ago | (#24203889)

I can't get any of my kids to answer email. "Oh, I only check it about once a month," they tell me.

I've tried SO hard NOT to become technologically irrelevant, alas, to no avail!

Re:fall of open email (2, Interesting)

91degrees (207121) | more than 6 years ago | (#24203937)

There's spam on myspace. I get people friending my virtually empty page from time to time. Myspace deletes them pretty quickly but I presume they just have a front page with a load of spam on it.

Re:fall of open email (5, Funny)

TheLostSamurai (1051736) | more than 6 years ago | (#24204045)

it is no wonder that the "under 25" crowd now says "myspace me" or "facebook me" and no longer use email. why would they?

Whatever happened to giving someone your phone number and actually talking to them. I asked a girl for her number the other night and she gave me her myspace address. Thanks, but no thanks. At least make the effort and give me a fake phone number if you don't ever really want to talk to me again.

Just use (5, Insightful)

linhares (1241614) | more than 6 years ago | (#24203673)

BONGARD PROBLEMS [scribd.com]. No machine can crack them in at least 10 years time. And when one does, baby, we'll have genuine AI.

Re:Just use (4, Insightful)

BitHive (578094) | more than 6 years ago | (#24203953)

Can you generate them algorithmically?

Re:Just use (2, Insightful)

blueg3 (192743) | more than 6 years ago | (#24204077)

It seems you'd have to provide a list of possible ways in which the two sets of images are different. Any solution where random-guessing has a non-negligible solution rate isn't a solution for spam. Anything vaguely multiple-choice fails. The CAPTCHA scheme, on the other hand, has an enormous solution space.

Ok, I can give you some idea from the other side (0)

Anonymous Coward | more than 6 years ago | (#24203715)

Although it's not a part of my history that I'm proud of, I did chatbot spam. It was easy money, and pumping out the spam was easy.

The one real pain was creating the account and although there were customised programs to speed up creating the accounts (approx 20 a minute) you still had to manually enter the captcha codes. This is what limited everything (ie yahoo would kill swathes of spam accounts in one go). Going through 500 accounts an hour wasn't unheard of.

Now that captcha is broken, there is no limit to stop you spamming every single room if you wanted. This means that yahoo chat room spam levels will have gone through the roof, not that I have been anywhere near of late.

Surge in IM spam (1)

mellestad (1301507) | more than 6 years ago | (#24203735)

I have noticed a big surge in spam on MSN messenger. I get three or four messages from people not on my contact list a day for Viagra or "sexy singles", all from names like "kghemvi837276fgk". Last year I was getting maybe one a week.

turing test (4, Funny)

Anonymous Coward | more than 6 years ago | (#24203775)

The first thing to actually pass the Turing test will probably be a spam-bot. Isn't that disgusting?

there is no general captcha cracking algorithm... (0)

Anonymous Coward | more than 6 years ago | (#24203779)

...so all you have to do is change the algorithm used to create the captcha every few days/hours.

The bigger sites could do the latter in-house, the smaller sites can have a dedicated service which hires people writing the image generators/intelligence-requiring questions/etc.

The Irony (4, Funny)

techsoldaten (309296) | more than 6 years ago | (#24203869)

The irony about this is that a CAPTCHA is a Turing test, a form of authentication designed to prove that a human is making the request. Given that some CAPTCHAs are rapidly becoming too hard for people to read, the outcomes of the tests are reversed - humans cannot win the test, only computers.

I have CAPTCHAs on my blog, but only deny posters who actually fill them in. Goes a long way to deterring spammers.

M

On sites like gMail.. (4, Insightful)

bill_kress (99356) | more than 6 years ago | (#24203901)

On gMail some simple rules should suffice. Don't allow a brand-new account to send out more than a few (20?) emails a day. Make sure that most of the email varies. Make sure the account gets and reads email as well as sends it, and that the email is accessed.

The trick is, you keep rotating these measures and don't tell anyone just what they are. You don't automatically disable anyone who breaks the rules, you just hold on to any large number of similar messages until a human reviews them--possibly through some mechanism similar to the "picture matching game" where multiple people identify a message as spam.

If it's determined to be spam, never tell them you caught on, just stop email from that account from being sent, silently. Log the ip addresses and use them to help you identify other accounts from the same computer if possible.

You could also use the ip addresses to notify people that they are a spambot next time that IP address is used to look up something on any google service.

Wow, that's a broad action with a lot of chances for failure, but I bet it could be refined enough to work--and worst case failure isn't bad at all--just one time when you go to search google you get a warning page back instead of your search results.

Really this just takes some dedicated effort and creative thinking by a strong, creative engineer with some power within google (I know there are quite a few of those)
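One way to express the rules from the comment above (a daily cap for new accounts, a check that messages vary, and silently holding suspect mail for human review instead of disabling the account), as an added example that is not part of the original post or any mail provider's code. The thresholds other than the comment's "20?", the 30-day definition of "new" and all names are assumptions.

```python
from collections import defaultdict, deque
from difflib import SequenceMatcher

NEW_ACCOUNT_DAILY_CAP = 20   # the "(20?)" suggested in the comment
NEW_ACCOUNT_DAYS = 30        # assumption: what counts as a brand-new account
SIMILARITY_THRESHOLD = 0.9   # assumption: ratio at which two bodies count as similar
SIMILAR_LIMIT = 5            # assumption: near-duplicates tolerated per day
DAY = 86400


class OutboundPolicy:
    def __init__(self):
        self.sent = defaultdict(deque)  # account -> (timestamp, body) within 24h
        self.review_queue = []          # held mail waiting for a human reviewer

    def submit(self, account, account_age_days, body, now):
        """Return 'deliver' or 'hold'; the sender is told 'accepted' either way."""
        history = self.sent[account]
        while history and now - history[0][0] >= DAY:
            history.popleft()           # drop sends older than 24 hours
        # "Make sure that most of the email varies": count near-duplicate bodies.
        similar = sum(
            1 for _, old in history
            if SequenceMatcher(None, old, body).ratio() >= SIMILARITY_THRESHOLD
        )
        over_cap = (account_age_days < NEW_ACCOUNT_DAYS
                    and len(history) >= NEW_ACCOUNT_DAILY_CAP)
        history.append((now, body))
        if over_cap or similar >= SIMILAR_LIMIT:
            # Hold rather than reject, so the account gets no signal to adapt to.
            self.review_queue.append((account, now, body))
            return "hold"
        return "deliver"
```

Pairwise comparison against a day's history is fine at this scale; a production system would replace it with a fingerprint or shingle hash.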

Idea (1)

mellestad (1301507) | more than 6 years ago | (#24203929)

What about having a few images in a row, say dog, cat, horse, cow, building, and then having words below them and asking people to match the words to the pictures? You take out spelling errors and such, it is easy to use, but the possible combinations are still very high. Maybe throw in a junk word to make it harder. Or has this already been done?

the solution being .. (1)

rs232 (849320) | more than 6 years ago | (#24203947)

What have all the supreme innovators been doing the past decade? Why is this still happening in late 2008? The solution being to design an email transport system that is immune to spam/phishing and doesn't rely on CAPTCHAs to authenticate endusers. Don't bother telling me how *you* can't figure out how to do it.

Misleading phrasing (4, Insightful)

merreborn (853723) | more than 6 years ago | (#24204039)

CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work

This misleadingly implies that CAPTCHA somehow enables spammers. On the contrary, broken CAPTCHA does not enable spammers to do anything they couldn't already do -- we're just back where we were before CAPTCHA.

And to be fair, CAPTCHA is still reducing the rate at which attackers are able to create accounts, keeping some smaller, less sophisticated players out of the game entirely, and protecting lower-value targets (e.g., most small-time bloggers with comment spam problems still see a drastic improvement when they set up CAPTCHA)

If everyone stopped using CAPTCHA, the spam problem would get noticeably worse.

CAPTCHA != Turing (3, Insightful)

oljanx (1318801) | more than 6 years ago | (#24204049)

In a Turing test, obviously, a human does the verification. Unless you have an army of extremely low-wage laborers doing the verification, or a machine capable of passing a real Turing test, the CAPTCHA will *never* work. The only solution for now, I think, would be to force multiple layers of authentication on users. ie, you can have your craigslist account, but you're gonna need to pay 2.95 S&H and wait 5-7 days to get your key chain dongle before you can log in. Obviously, the average user is not going to be up for that. So you're stuck with spam. It sucks, but there's no way around it.