Google ReCAPTCHA Cracked

CmdrTaco posted more than 3 years ago | from the eggs-bacon-sausage-and dept.

Google 211

stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."


211 comments


1st (-1)

Anonymous Coward | more than 3 years ago | (#34835362)

Boo Yahh

Captcha ZDR .... (1)

unity100 (970058) | more than 3 years ago | (#34835376)

so hard that not even your users will be able to 'crack' it and log in to your store. no, it's really good. and doesn't need remote services. (like recaptcha)

Re:Captcha ZDR .... (1)

Sockatume (732728) | more than 3 years ago | (#34835446)

What's "ZDR" stand for then, "Zero Desirable Results"?

Re:Captcha ZDR .... (5, Interesting)

devxo (1963088) | more than 3 years ago | (#34835564)

All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans. They also have APIs for several different languages, which let the programmer easily put the process into their programs.

As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.

Re:Captcha ZDR .... (1)

Lumpy (12016) | more than 3 years ago | (#34835594)

Recently spammers have new tools in place, I am suddenly getting comment spam on 4 WordPress sites that use this kind of stuff to trap it. I have noticed this for over 5 weeks now.

Re:Captcha ZDR .... (3, Insightful)

daid303 (843777) | more than 3 years ago | (#34835728)

It's quite simple to stop that, implement a small non-standard part in your signup process. I put in an extra input text field named "askldjwla" with the text: [Enter "I am not a bot" here (without quotes)] and my spam has reduced to 0. Spammers target the large and easy, just don't be a part of that group.

Re:Captcha ZDR .... (4, Insightful)

Anonymous Coward | more than 3 years ago | (#34835798)

That might work for your vanity blog, but higher traffic sites are more valuable targets and as such attract greater efforts.

Re:Captcha ZDR .... (0)

Anonymous Coward | more than 3 years ago | (#34835812)

So, in order to avoid becoming a target for spammers, I need to avoid having my website become successful? Thanks, great advice...

Re:Captcha ZDR .... (1)

c6gunner (950153) | more than 3 years ago | (#34835648)

1000 captchas solved by humans for $2? WTF? Who do they have working on these things? Even that Indian tech-support drone I talked to yesterday would fetch more money than that ...

Re:Captcha ZDR .... (1)

MoonBuggy (611105) | more than 3 years ago | (#34835726)

The tech support guys are moderately well paid by Indian standards, since they have a marketable skill: English language ability.

Simply matching characters on a screen to characters on a keyboard is completely unskilled, and thus evidently nets correspondingly lower pay.

Re:Captcha ZDR .... (3, Funny)

JackOfAllGeeks (1034454) | more than 3 years ago | (#34836068)

they have a marketable skill: English language ability.

What Indian tech support have YOU been talking to?!

Re:Captcha ZDR .... (5, Funny)

IhateMonkeys (874193) | more than 3 years ago | (#34836244)

Steve from Kansas.

Apparently he really likes curry chicken. Kinda odd fellow.

Re:Captcha ZDR .... (3, Interesting)

devxo (1963088) | more than 3 years ago | (#34835744)

Indians mostly. Those who solve them actually only get paid $1 per 1000 captchas. But for example, the average daily salary in places like Cambodia is less than $1. Solving 1000 captchas for that starts to sound like a dream job and there is no education needed.

It's the same reason why powerleveling and gold selling services exist in cheap Asian countries, economics make it possible and even a good job.

Re:Captcha ZDR .... (1)

onepoint (301486) | more than 3 years ago | (#34835846)

Wait Wait Wait .... the service for USD 2.00 is the AI service, you can read it on the web site. They charge for a priority service (which I am inferring) as the human side...

Please compare the cost of living between the Asian culture of India, Bangladesh, Goa to the USA. A daily maid + cook + driver + rent in a major city (in a great apartment) does not exceed 1500 per month (120 maid, 100 cook, 275 driver, the rest is rent)

hope this helps

Re:Captcha ZDR .... (5, Interesting)

SeaHunter (838892) | more than 3 years ago | (#34835984)

I remember a message board from a few years ago where some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site making it look like it was really from his site. The person looking at the porn site would type in the captcha answer and his script would in turn use this user provided solution to solve the real captcha on the original site letting his script get past the captchas and spam the message board. So if it really did work he got 1000's of captchas solved by humans for free.

Re:Captcha ZDR .... (1)

vux984 (928602) | more than 3 years ago | (#34836528)

solved by humans for free.

solved by humans in exchange for porn. Not free. Close enough to free though. :)

the new new new new economy! (1)

Thud457 (234763) | more than 3 years ago | (#34836642)

This is teh intarwebs(tm), pr0n == free , unless you're doing it wrong.

Re:Captcha ZDR .... (1)

John Hasler (414242) | more than 3 years ago | (#34836732)

1000 captchas solved by humans for $2? WTF? Who do they have working on these things?

People who have solved millions of CAPTCHAs and are really fast. They probably also do the easy ones in software, thus upping the effective throughput. One approach would be to have the software present its best guess to a human for verification.

Re:Captcha ZDR .... (1)

MoonBuggy (611105) | more than 3 years ago | (#34835792)

Which is where this [xkcd.com] technique comes in. I thought ReCaptcha was going in that direction anyway, since it's used to transcribe old books that couldn't otherwise be OCR'd? Admittedly the crack is not a good thing, and I can't RTFA since it's slashdotted so it may be the case that they've found a way to circumvent rather than solve the captcha, but perhaps the spammers have actually done useful work in improving the accuracy of OCR technology for us?

Re:Captcha ZDR .... (4, Informative)

isilrion (814117) | more than 3 years ago | (#34836116)

With reCaptcha, you don't have to successfully OCR the scanned word, just the control word. Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable. In these cases, you can type the control word correctly and just write some gibberish for the other, and you'll beat the captcha.

Which means that the spammer won't have to OCR the hardest of the words... just the simpler one. Run the OCR to the full text, post both words, and if the simpler one matches, you broke the captcha.

(I make it sound so easy! It really isn't! I'm amazed that they did break it! I just wanted to point out that it isn't "OCR words that haven't been OCRd before", rather than "OCR words that have been OCRd previously and are now a bit distorted".)

Re:Captcha ZDR .... (1)

Nadaka (224565) | more than 3 years ago | (#34836408)

Also seen one where the other word was a set of hieroglyphs or oddly shaped rectangles.

Re:Captcha ZDR .... (0)

Anonymous Coward | more than 3 years ago | (#34836452)

Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable.

Not even close. I'd say at least 95% of the time they are easily identifiable by sight if you've done it a few times, and if they aren't you can always click the button to get a different one.

Here's a few to get you started: 20 random reCAPTCHA challenges [ompldr.org] with the control word identified by red outline. In place of the scanned word I entered "indigo" each time. I solved all 20 "correctly". Only 2 of the challenges were even difficult to determine which was the control word, based on appearance alone: "lustrum thralls" and "magenta contrul". In the first one, however, there was just enough difference between the type-faces, and in the other one "magenta" looked slightly less distorted; additionally, more often than not the challenge word tends to be something you don't find in the dictionary.

Re:Captcha ZDR .... (2)

Vintermann (400722) | more than 3 years ago | (#34836622)

for example decaptcher [decaptcher.com] solves 1000 captchas for $2.

That's probably enough to prevent a lot of spam. Spam isn't very profitable per post.

Does this mean.... (1)

GreenSeven (1970506) | more than 3 years ago | (#34835454)

that website administrators will have to actually verify user accounts?? Might mean more work for admins but isn't that a fair trade off for quality content?

Re:Does this mean.... (-1, Offtopic)

Entropy98 (1340659) | more than 3 years ago | (#34835610)

As long as it's not you spending the entire day verifying user accounts for almost no money right? How does one manually verify that an account isn't intended to be a spam account anyway?
--
windows media codec [cnet.com]

Re:Does this mean.... (-1, Redundant)

socsoc (1116769) | more than 3 years ago | (#34835854)

What does a windows media codec pack have to do with the discussion?

Re:Does this mean.... (1)

flimflammer (956759) | more than 3 years ago | (#34836054)

You're reading a sig, man.

Re:Does this mean.... (0)

ezzzD55J (697465) | more than 3 years ago | (#34836220)

I don't think so; I have sigs turned off and still see it. And indeed offtopic. So it's spam, imho.

Re:Does this mean.... (1)

alphax45 (675119) | more than 3 years ago | (#34836458)

It's for sure the sig

Re:Does this mean.... (0)

Anonymous Coward | more than 3 years ago | (#34836616)

I'm not logged in, and I see it. Therefore, it is *not* a sig.

Re:Does this mean.... (0)

MyLongNickName (822545) | more than 3 years ago | (#34836734)

I logged out and still saw the "sig". Try it yourself if you don't believe me. I think all of Entropy's comments should be marked off-topic as a result.

Re:Does this mean.... (1)

icebraining (1313345) | more than 3 years ago | (#34835628)

There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.

Re:Does this mean.... (4, Insightful)

Moryath (553296) | more than 3 years ago | (#34835716)

The problem is simple to solve though:

Spamming is profitable. That's why the spammers do it.

What we need is simple: we need to make Spamming unprofitable. (I almost said make Spam unprofitable, but I actually kinda like Hormel's product).

This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.

That leaves the virus-purveyors and identity-theft types to deal with, true, but the bulk of the money spent on breaking CAPTCHA solutions and everything else comes from the spam-for-profit guys, so if we hit them first, the rest are more manageable.

Re:Does this mean.... (3, Funny)

mysidia (191772) | more than 3 years ago | (#34835752)

This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.

Yes, but they will hire spammers for a different reason. To advertise their competitor's product, in order to nuke the competition. Then once the competition is gone, sales will increase, and they can boost prices.

Re:Does this mean.... (1)

Moryath (553296) | more than 3 years ago | (#34835816)

Once you haul the spammer in, it's easy enough to tell who paid him.

Re:Does this mean.... (1, Troll)

fulldecent (598482) | more than 3 years ago | (#34835876)

When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.

The problem is Google fails to release any product that makes them money. Since they hold the keys to speech recognition, language translation, and spam detection, you can be sure that the science will advance in these fields at Mach 1 pace, and zero useful/profitable products will be made available.

Re:Does this mean.... (2)

SigmundFloyd (994648) | more than 3 years ago | (#34836022)

The problem is simple to solve though:
Spamming is profitable. That's why the spammers do it.
What we need is simple [...]

That just goes to show that you're a clueless noob.

Re:Does this mean.... (3, Interesting)

natehoy (1608657) | more than 3 years ago | (#34836384)

Spam already leads to mail fraud in some cases, and that fraud is generally prosecuted where possible. Very few legitimate companies use spam any more. The illegitimate ones are harder to catch.

There are actually several problems with this:

1. Not all that many shipping operations that use spammers operate under US law. Products are usually shipped from overseas (if any product is shipped at all!) and you can't fine a foreign entity without an agreement with that entity's native government (which, of course, spammers choose carefully to avoid such things). So you'd be limited to the people the police are already prosecuting, and that population is dwindling.

2. "kill your business for good" fines are what got us into multi-million-dollar fines for "casual" copyright infringement (the large fines were originally designed to drain commercial "piracy factories" of their resources, not to bankrupt a person for life because they shared 3 albums on LimeWire). We'd have to be very careful with any law to target the people we want to hurt, rather than opening anyone who posted an actual personal product recommendation somewhere to a $5,000,000 spammer suit.

3. Many of the products sold are actually counterfeit, and are shipped from faked addresses and just dropped off at the post office. Again, if anything was shipped at all. If I wanted to put Symantec out of business, I could very profitably sell pirated Norton Antivirus and drop a few dozen units off at the post office nearest Symantec's corporate HQ, with a return address label that has their address on it. Symantec would be stuck with the burden of proof that they didn't ship the product. You'd have to check ID every time someone sent a letter and make sure the "from" address matches their ID (which means no more mailbox pickup, all letters and packages must be posted individually).

Re:Does this mean.... (1)

joelsherrill (132624) | more than 3 years ago | (#34835828)

There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.

I have run a fan forum (phpbb) for a musician for about 7 years. At peak times we have gotten up to 50-100 spam account attempts a day. I added a captcha which does not stop everything but slows it down a lot. http://www.stopforumspam.com/ [stopforumspam.com] is a good resource for checking if the email or nick is a known spammer. A quick google on the nick and you can often guess based on how many hits you get and the "interests" is a good indicator. Email addresses which look like incremented numbers, pharma ads, etc. are spotted and dropped. We have seen multiple cases of countries which are sources of "cheap manual labor" as sources of semi-automated or repeated manual attempts with clearly algorithmically generated names. Given the subject matter of this forum, I felt OK blocking countries which cause too many problems. This would NOT be an acceptable solution for other forums. I don't know if someone could automate it or not but I can tell you that we are fairly reliable at not allowing spam accounts.

Re:Does this mean.... (1)

realityimpaired (1668397) | more than 3 years ago | (#34835974)

I had a phpbb board for a while, and my technique was to replace the captcha with a fill-in-the-blank. Dead simple for a human, but when I made my change, the number of spam bots we got dropped to zero. Without needing to subscribe to an external script to do it.

The system was stupid simple, it's ridiculous how effective it was, too.... I made up an image which had the website's URL minus a word. The instructions were to fill in the missing word. So if the website was "www.theincredibleworldofgoo.com" the picture would show "www.theincredible_____ofgoo.com" and the instructions would be to fill in the blanks. Worked remarkably well. :) Took a little hard coding on my part, but it should be pretty trivial to write a module that does the image generation for you.

Re:Does this mean.... (2)

daid303 (843777) | more than 3 years ago | (#34836594)

Wouldn't be so hard to defeat by a script. But the reason why your spam dropped to zero is because your "one of a kind" system wasn't targeted. I have an even simpler system that just requires the same sentence every time you sign up. But the field name in code is gibberish and because my site is low volume spammers don't target my script directly.

And that's what I would suggest for everyone, the solution is not to have 1 super captcha system that rules it all. Have 1.000.000 of them, once they are cracked they are easily replaced, and it makes it god damn difficult to target lots of small sites in 1 go.

Re:Does this mean.... (1)

natehoy (1608657) | more than 3 years ago | (#34836572)

I have a php-Nuke board that's been around for a while. I not only had a problem with spammers, but the sheer volume of attacks was slowing down my site and filling up my database.

I installed NukeSentinel on my phpbb board, and made people sign up with an email address (with an activation link sent to that address). For a while I set it up so I had to approve each account, but I switched that off about 6 months ago and haven't seen any difference.

I also looked for "attacks" using Sentinel's logging facility and basically blacklisted entire IP address ranges from Romania, Bulgaria, and many other countries with lots of consonants in their names. I also blacklisted tons of addresses from China. This took about a month of half-hour-a-day effort, but now I just check it every few weeks and if I see a really heavy attacker I block the entire address range of their ISP. I have yet to see an attack originating from the US, and my site is very US-centric, so I can get away with that.

Result? Zero spam in over a year. Consistent subsecond response time. Happy user base.

Re:Does this mean.... (5, Interesting)

Deep Esophagus (686515) | more than 3 years ago | (#34835980)

My wife moderates a couple of local Freecycle [tm] lists, and she requires new subscribers to mention some nearby landmark in their neighborhood to show they really are local. The result: NO spam, ever. Once or twice in ten years she's actually had someone try to make up a plausible sounding name that they must have picked up from a yellow pages search because it referred to the name you can see on maps and not what everybody actually calls the place.

Re:Does this mean.... (0)

Anonymous Coward | more than 3 years ago | (#34835768)

99% of websites shouldn't have account signups anyway. Let the OpenID provider do all the hard work, even if they fail at it.

Re:Does this mean.... (1)

spectro (80839) | more than 3 years ago | (#34836668)

This is my idea too, I have several wordpress blogs I haven't maintained in years. I get a handful of new sign ups a week I totally ignore because comments are completely disabled.

If I ever get back to these blogs I will only allow comments from people with a social network account (twitter followers, facebook friends). This way I leave the brunt of the blocking to them.

There's only one weapon left in the arsenal (5, Insightful)

antifoidulus (807088) | more than 3 years ago | (#34835458)

Come on Google, we all know that in the CAPTCHA war, we only have one weapon left, CAPTCHA porn. There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"

Re:There's only one weapon left in the arsenal (4, Funny)

Abstrackt (609015) | more than 3 years ago | (#34835602)

There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"

Six and the Arabian spinecracker.

You could just hire people from /. to solve captcha porn.

Re:There's only one weapon left in the arsenal (2)

TheL0ser (1955440) | more than 3 years ago | (#34835788)

Yes, but how many of us would answer "retrograde wheelbarrow" to every position question? I know I would.

Re:There's only one weapon left in the arsenal (1)

Anonymous Coward | more than 3 years ago | (#34835620)

Why? Because there's no software that can generate such questions on the fly. Someone has to do it manually, and that's not an option in today's keep-it-cheap lifestyle. If Google or someone else could do a penetration count, so could mr spammer.

Re:There's only one weapon left in the arsenal (2, Informative)

Anonymous Coward | more than 3 years ago | (#34835658)

The trouble with this (and less funny image suggestions) is that the "CA" in "CAPTCHA" stands for "Completely Automated".

CAPTCHAs work as a sort of AI hash function: it's easy for a computer to generate, but hard for one to solve. Using images for tests like "what position is this", or, more realistically, "is this a cat or dog" violates that principle: Creating the CAPTCHA is just as much work as it is to solve! On top of that, the finite availability of images allows for a database attack. Even having 5-10% of the images known makes the CAPTCHA fairly useless.

One possible future, though, is rendered images. So, for example, have a creature creator generate a dog and cat then ask which one's bigger. There are a few discussions/papers on the topic (e.g. at least one suggests determining which object is in front of another). The point is though, that using photos is a dead end. There are too few and/or it's too difficult to determine the correct answer.

Re:There's only one weapon left in the arsenal (-1, Offtopic)

interval1066 (668936) | more than 3 years ago | (#34835780)

Nice, non-partisan sig.

"Search King" (1)

Jeremiah Cornelius (137) | more than 3 years ago | (#34835462)

In capitals, like this?

Did they pull the crown from the hands of the Pope, himself at the coronation ceremony, and declare - as did Napoleon - "I am King!"

Re:"Search King" (1)

dkleinsc (563838) | more than 3 years ago | (#34835482)

No, more like "Burger King".

Re:"Search King" (3, Funny)

drinkypoo (153816) | more than 3 years ago | (#34835498)

Look, all you have to do to confirm it is just google for "most popular search engine"...

Re:"Search King" (2)

RussellSHarris (1385323) | more than 3 years ago | (#34835590)

Just to make things interesting, I binged it (has bing been verbed yet?). The top result [searchenginewatch.com] was something from 2006 (!) that lists Google with about 49% of the search market, and the 4th said right in the search result headline, "Google is the Most Popular Search Engine in the World".

(Top result in a search for popularity is 4 years old? But just to be fair I checked Google, and it gave the same first result, strangely enough.)

Re:"Search King" (3, Insightful)

qmaqdk (522323) | more than 3 years ago | (#34836204)

Just to make things interesting, I binged it (has bing been verbed yet?). ...

Well, it's a verb, but it's past tense of binge (as in drinking).

Re:"Search King" (1)

drosboro (1046516) | more than 3 years ago | (#34836810)

(has bing been verbed yet?)

I'm getting old. I hadn't realized that "verb" had been verbed yet.

Re:"Search King" (1)

Nimey (114278) | more than 3 years ago | (#34835682)

More like the submitter doesn't like Google and used it pejoratively.

Re:"Search King" (1)

gomiam (587421) | more than 3 years ago | (#34835884)

If they had done as Napoleon did, they would be "Search Emperor" ;)

We already knew this. (1)

RussellSHarris (1385323) | more than 3 years ago | (#34835476)

I seem to recall somebody posting a video showing reCAPTCHA-cracking with something like 30% accuracy. That's very broken.

Re:We already knew this. (1)

Vintermann (400722) | more than 3 years ago | (#34836838)

Not necessarily. After all, a patient spammer could just read the post himself and enter the captcha manually. The reason they don't do this is that the ROI on spam is so ridiculously low (spam kings like Alan Ralsky got around this problem by selling spam services to unscrupulous companies that thought it would be profitable). Every CPU cycle spent breaking a captcha is profit down the drain for the spammer. Not to mention the payment to developers who come up with anti-captcha techniques.

Google reCAPTCHA cracked... again (3, Informative)

Anonymous Coward | more than 3 years ago | (#34835488)

FTA:

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.

Well, last year someone showed at DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already [slashdot.org].

So how is this news? Am I missing something?

Re:Google reCAPTCHA cracked... again (4, Informative)

prxp (1023979) | more than 3 years ago | (#34835550)

Really old news. The guy's paper is dated 2009. It might be possible that Google hasn't acted on it yet, but it is the same thing from one year ago. Sensationalism mode detected!

News for nerds, stuff that mattered... (4, Informative)

derfy (172944) | more than 3 years ago | (#34835522)

...last year.

Google reCAPTCHA cracked
Written by John P Mello Jr on January 5, 2010

Re:News for nerds, stuff that mattered... (4, Interesting)

Cthefuture (665326) | more than 3 years ago | (#34835646)

Yeah but something has happened recently, maybe the spammers got a new tool or something because I have noticed a whole bunch of spam being posted on my reCAPTCHA protected sites. This just started in the last couple of days where previously I had none.

Re:News for nerds, stuff that mattered... (1)

Nimey (114278) | more than 3 years ago | (#34835698)

Maybe that would explain all the Usenet spam coming from Google Groups lately.

End of reCAPTCHA? (3, Informative)

deains (1726012) | more than 3 years ago | (#34835538)

As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the amount of times I've got incomprehensible gibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.

Re:End of reCAPTCHA? (1)

SteveFoerster (136027) | more than 3 years ago | (#34835612)

Aren't the gibberish words assembled from different letters from different unsolved words or something? They didn't talk that funny back then.

Re:End of reCAPTCHA? (2)

Aladrin (926209) | more than 3 years ago | (#34836164)

That's assuming that it's really giving good answers, and that's why it works.

My understanding is that it uses previous answers to check future answers. Answer incorrectly enough and it thinks that is a correct answer.

Now, lately, I've been finding reCAPTCHAs that claim I got them wrong. I assumed I just mistyped, but it used to be a MUCH rarer occurrence.

Maybe I'm getting them right, but the spambots are flooding it with wrong answers?

Re:End of reCAPTCHA? (2)

brian_tanner (1022773) | more than 3 years ago | (#34836174)

It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet...

Laziness has nothing to do with it. It's kind of a hard problem. The solution is worth billions. Trust me, Google really does not like the amount of spam sent from their own accounts that clogs their own services and defrauds their own users. Defeating these bots is a high priority for them and everyone else. Each of these companies is basically an army of geniuses. It's a hard problem.

Re:End of reCAPTCHA? (1)

Zalminen (658870) | more than 3 years ago | (#34836224)

So?

If you're unlucky enough to get something strange, there's a button to get a new pair of words right away. I've never received two difficult ones in a row and by now I must have solved hundreds of them...

Re:End of reCAPTCHA? (0)

Anonymous Coward | more than 3 years ago | (#34836624)

As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the amount of times I've got incomprehensible gibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.

Well, most humans would simply click the little icon to redisplay a new reCAPTCHA, and most robots would be baffled by the gibberish. It's also probably funny that the robots have not figured out that only one of the two words is needed for input, and that the impossible one is not the one needed.

Re:End of reCAPTCHA? (1)

spectro (80839) | more than 3 years ago | (#34836788)

And they are making them harder to solve for actual humans, I have found myself failing reCaptcha on ticketmaster several times in the last few months.

Perhaps it is time to use animals (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34835572)

Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.

http://research.microsoft.com/en-us/um/redmond/projects/asirra/

Re:Perhaps it is time to use animals (2)

jolyonr (560227) | more than 3 years ago | (#34835664)

I'm not sure animals would find it any easier to solve the captchas than we do :)

All I can think is what happens when you get: (1)

KurtisKiesel (905982) | more than 3 years ago | (#34835668)

Please Identify which animal is an Eierlegende Wollmilchsau.

Re:All I can think is what happens when you get: (1)

Rysc (136391) | more than 3 years ago | (#34836160)

LOL.

That is all.

Re:Perhaps it is time to use animals (0)

Anonymous Coward | more than 3 years ago | (#34836084)

What the fuck is "M$", is it some sort of retarded as fuck way of saying MS, also known as Microsoft? I think so. End yourself.

That would explain... (1)

elFarto the 2nd (709099) | more than 3 years ago | (#34835608)

That would explain why my recaptcha protected forum suddenly started getting 30+ new accounts a day.

Regards
elFarto

Re:That would explain... (1)

Archangel Michael (180766) | more than 3 years ago | (#34836122)

I JUST upgraded my website Captcha system because I suddenly started getting bots registering on my small domain (30-40 visits / day). I now have a small math problem and ReCaptcha together, along with a hidden input field that bots love to fill out (if filled out, rejects form submit). Combine all three, and I doubt I'll see bots registering any time soon.

The real weird thing is that the bots registered but never spammed my site. Odd.
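The layered check described in the comment above (hidden honeypot field, small math problem, reCAPTCHA), as an added example that is not part of the original comment or the poster's own site code. The field names, the secret and the `recaptcha_ok` flag (the result of a reCAPTCHA verification done elsewhere) are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment loads it from configuration.
SECRET = b"constructed-demo-secret"
HONEYPOT_FIELD = "website"  # hypothetical name; hidden with CSS so people never see it


def _sign(answer, nonce):
    """MAC over the expected answer so the server keeps no per-form state."""
    msg = f"{nonce}:{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge():
    """Build the values rendered into the registration form."""
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    nonce = secrets.token_hex(8)
    return {"question": f"What is {a} + {b}?", "nonce": nonce,
            "token": _sign(a + b, nonce)}


def check_registration(form, recaptcha_ok):
    """Return (accepted, reason). All three layers must pass."""
    # Layer 1: honeypot. Any content means something filled a field humans cannot see.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # Layer 2: math question, checked against the signed token in constant time.
    try:
        answer = int(form.get("math_answer", "").strip())
    except ValueError:
        return False, "math answer missing or not a number"
    expected = _sign(answer, form.get("nonce", "")).encode()
    if not hmac.compare_digest(expected, form.get("token", "").encode()):
        return False, "math answer wrong"
    # Layer 3: outcome of the reCAPTCHA verification (assumed input, checked elsewhere).
    if not recaptcha_ok:
        return False, "recaptcha failed"
    return True, "ok"
```

A signed token can be replayed with its known answer, so a real form would also expire or track nonces. Logging the rejection reason per request shows which layer is actually stopping the registrations.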

Re:That would explain... (1)

daid303 (843777) | more than 3 years ago | (#34836620)

The real weird thing is that the bots registered but never spammed my site. Odd.

Most likely the bots failed to detect that the registration worked, or failed to parse the actual post pages. I once had a home grown wiki which was totally messed up by bots because they couldn't make heads or tails from it.

How much longer until... (1)

ticketswapz (1974628) | more than 3 years ago | (#34835616)

... we get the flurry of Wordpress spam registrations and a spike in Gmail related spam?

Re:How much longer until... (1)

Archangel Michael (180766) | more than 3 years ago | (#34836138)

Already get Gmail Spam. Having a Gmail address is no longer a guarantee of spamfree email. Spammers have had gmail addresses for a while now. I just wish that we could report SPAM addresses to google and have them suspend the accounts.

reCAPTCHA is already "too good" (2)

citizenr (871508) | more than 3 years ago | (#34835688)

Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.

Re:reCAPTCHA is already "too good" (1)

mrsurb (1484303) | more than 3 years ago | (#34835794)

So you just failed the Turing test? You've outed yourself as an AI!

Re:reCAPTCHA is already "too good" (1)

TheL0ser (1955440) | more than 3 years ago | (#34835802)

Worst I've ever seen, I don't even remember who did it, but they had white lettering on a basically white background. It was a case of "see a few letters, hope you guess the last couple right".

Re:reCAPTCHA is already "too good" (1)

DarkOx (621550) | more than 3 years ago | (#34836050)

This is an important point though. I too have had enough trouble solving reCAPTCHAs to become frustrated enough just to leave the site, and if I am an AI I don't know it. We have reached a point where I think even if they unbreak reCAPTCHA to the point where machines can't solve them at an effective rate, they will have crossed the threshold where it becomes so hard for humans that a new solution is needed.

Usability vs Security vs Money (1)

SpinningCone (1278698) | more than 3 years ago | (#34835708)

Too bad really, I like the Google captchas because they were easy to read (and served a greater purpose with the book scanning). Honestly I wish they would make some of these things harder though. How often do you really need to make an email account? I've done it just a couple times with Google and wouldn't be bothered by a more complex captcha system. I suspect they don't do this because they wouldn't want people to get frustrated and go to Hotmail instead because the captcha was too hard.

Though in the end you can never really win since the most high profile targets will just get focus from actual humans [boingboing.net]

On a side note I wish the article had more details on how he was cracking. I suspect most slashdotters like myself have pondered captcha systems and how to improve them.

doomed approach (1)

martas (1439879) | more than 3 years ago | (#34835836)

This approach is doomed, really. Clearly we can come up with other tasks that are difficult for computers and easy for humans, and wait until AI catches up, and move to something else. At some point much sooner than AI fully replicates human intelligence the tasks will be so difficult that in the vast majority of cases it's not just worth it for a human to go through it (e.g. # of cocks inside Jenna in a video , as suggested above). What do we do then? The captcha approach is a temporary solution, and if I had to guess I'd say within 2 decades the "spammer singularity" described above will come.

Re:doomed approach (1)

Anonymous Coward | more than 3 years ago | (#34835996)

Not really. If AI were to get so advanced then one could use it to filter out spam instead of using a captcha to prevent spam access.

Re:doomed approach (2, Interesting)

Anonymous Coward | more than 3 years ago | (#34836024)

What do we do then?

Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then it's worth your time to keep an eye on the site and delete spam as it appears.

Old news good news ? (0)

Anonymous Coward | more than 3 years ago | (#34836038)

Indeed I had stumbled upon this a few months ago while researching for myspace spamming. From what I gathered, a little weekend project will get you software that solves 10% of reCAPTCHAs, nothing wonderful but enough to render it ineffective. What I'm really wondering though is now that a lot of people know one of the two words is there to train their own captcha solving bot, and put "nigger" instead of the easiest word. Is that bot racist yet ?

mod 04 (-1)

Anonymous Coward | more than 3 years ago | (#34836162)

You don't nned to OS I do, Because Were compounded

My forum has noticed! (2)

daitengu (172781) | more than 3 years ago | (#34836168)

I run a small forum that uses recaptcha. I used to get about 5-10 spam registrations a day. On the 6th I got 148, and the 7th I got 230.

I eventually installed a plugin from StopForumSpam.com [stopforumspam.com] which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.

Well, maybe it's a good thing (1)

arwild01 (7568) | more than 3 years ago | (#34836478)

Now spammers are indirectly using their massive botnets for the cause of OCR conversion of books. :)

Probably used Google search.. (1)

it5complicated (1951824) | more than 3 years ago | (#34836648)

To figure out how to do it. Ironic, no?

Papers on this (0)

Anonymous Coward | more than 3 years ago | (#34836650)

I wrote a paper for a university class about this last year. It was based off of work I found and improved upon. It's been defeated for a while now.

http://www.rodneybeede.com/reCAPTCHA_weakened.html

Panderers? (1)

StikyPad (445176) | more than 3 years ago | (#34836796)

successfully exploited by Internet junk mail panderers

How does one pander to junk mail?

Perhaps the word you were looking for is peddlers?
