How Hackers Listened Their Way Around Google's Recaptcha

timothy posted more than 2 years ago | from the listen-to-what-the-flower-children-scream dept.

Google 101

An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.

101 comments

First! (1, Funny)

Anonymous Coward | more than 2 years ago | (#40173349)

Oh yeah! Not even a recaptcha to worry about!

How far behind were the criminals/spammers? (1)

interkin3tic (1469267) | more than 2 years ago | (#40174131)

Google updated a few hours before these guys revealed their accomplishment. TFA mentions that other groups had found less effective ways of circumventing the audio portion. Is there any indication that this was about to be a problem? How likely is it that anyone wanting to actually abuse it was about to figure this out themselves? Seems to me like there are so many suckers out there, that spammers don't need to spend too much time with things like this.

Re:How far behind were the criminals/spammers? (4, Interesting)

icebike (68054) | more than 2 years ago | (#40174503)

Quote summary:

Google responded with changes to the system, but that doesn't minimize their accomplishment.

On the contrary, yes it does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback.
Recaptcha is a huge con, no more secure than the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

Adding the audio option (probably forced by ADA) did nothing for security. At best this demonstrates that adding multiple different keys to the same lock makes things worse, not better.

Captcha's original intent was to slow down bots, by making the user prove they were human. They are seldom used to protect anything of value, simply to keep the nuisance bots to a dull roar.

Now it appears that machines can beat captcha and recaptcha very easily. So WHY do we still see these schemes in use?

Re:How far behind were the criminals/spammers? (5, Insightful)

Baloroth (2370816) | more than 2 years ago | (#40175157)

Because even a very "high" accuracy machine system is still going to add a significant barrier to automatically cracking the results, especially if Google continues altering reCAPTCHA like they do. While you won't eliminate 100% of attackers, you can eliminate the vast majority, and slow down the attackers that do get through. The alternative is to use nothing, and believe me: you absolutely do not want that. The Internet would be 99.99999999% spam almost overnight if that happened.

Re:How far behind were the criminals/spammers? (2)

crashumbc (1221174) | more than 2 years ago | (#40175393)

intelligence on /. bravo dear sir...

Re:How far behind were the criminals/spammers? (4, Informative)

Animats (122034) | more than 2 years ago | (#40175637)

Re:How far behind were the criminals/spammers?

At about 75%, from what I read on the black hat forums.

There's a whole social spam ecosystem out there now, with tools and services for spamming Facebook, Twitter, Instagram, Google+, Yelp, Tumblr, Youtube, random blogs, and for retro types, Myspace. It's not just a few people doing this. It's an industry with a supply chain. Read my "Social is bad for search, and search is bad for social" [sitetruth.com] paper for an overview. If it feeds into Google search rankings, it's being spammed.

Re:How far behind were the criminals/spammers? (4, Insightful)

Main Gauche (881147) | more than 2 years ago | (#40175419)

Now it appears that machines can beat captcha and recaptcha very easily. So WHY do we still see these schemes in use?

Could you give me your address, and let me know when you won't be home? (I presume you no longer lock your house.)

Re:How far behind were the criminals/spammers? (1)

residieu (577863) | more than 2 years ago | (#40178963)

If the only locks available had keys that didn't fit properly and took multiple attempts to open, while not stopping any real thieves, I'd consider it.

Re:How far behind were the criminals/spammers? (0)

Anonymous Coward | more than 2 years ago | (#40180585)

But your lock *does* slow you down and make it more awkward for you to get into your house, but will not stop a real thief.

Re:How far behind were the criminals/spammers? (4, Interesting)

bill_mcgonigle (4333) | more than 2 years ago | (#40176209)

On the contrary, yes it does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback. Recaptcha is a huge con, no more secure than the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

It's funny that you'd complain about a waste of effort and then bemoan Recaptcha, which was developed to prevent all those man-years of solving CAPTCHA's from going to waste.

BTW, the founder of Recaptcha has expressed that he will be happy when it can be defeated trivially because at that point the other job it's trying to do can be completely automated, which is still a win.

Re:How far behind were the criminals/spammers? (1)

Anonymous Coward | more than 2 years ago | (#40177717)

Not if the trivial defeat simply consists of solving the "easy" word and filling in junk for the hard one. Which is what a fair number of humans do.

Re:How far behind were the criminals/spammers? (1)

g0bshiTe (596213) | more than 2 years ago | (#40182567)

Makes me wonder if the founder knows there's an easy way to beat it.

Re:How far behind were the criminals/spammers? (1)

g0bshiTe (596213) | more than 2 years ago | (#40182515)

So when do your arguments for this minimizing their accomplishment come in?

Why do you assume that it comes just as Google makes changes to the system? Are you positive the change to the system did not stem from them reporting this to Google, and then following safe disclosure practices gave Google time to fix it, before going public? Are you sure they didn't do all this, then report it to Google and collect a "reward" for what they found?

Re:How far behind were the criminals/spammers? (0)

Anonymous Coward | more than 2 years ago | (#40174957)

Replying to frosty piss is a cheap way to get top billing.
Shame on you.

Re:How far behind were the criminals/spammers? (1)

interkin3tic (1469267) | more than 2 years ago | (#40175721)

Yeah, I don't respect the sanctity of first post trolling. I have all the shame that goes along with that.

Re:How far behind were the criminals/spammers? (0)

Anonymous Coward | more than 2 years ago | (#40181261)

There is no sanctity. Those posts deserve to get modded into oblivion to be replaced at the top by the earliest worthwhile comment, not someone who gets to the party an hour late.

Re:How far behind were the criminals/spammers? (1)

g0bshiTe (596213) | more than 2 years ago | (#40182585)

I vote for this one

by Anonymous Coward on 31-05-12 20:37 (#40174957) Replying to frosty piss is a cheap way to get top billing. Shame on you.

Re:How far behind were the criminals/spammers? (0)

Anonymous Coward | more than 2 years ago | (#40177507)

I think you, in the eloquence of Mr. George Walker Bush, "misunderestimate" the Internet.

Re:How far behind were the criminals/spammers? (1)

g0bshiTe (596213) | more than 2 years ago | (#40182613)

Would that be overestimating?

Re:First! (1)

Anonymous Coward | more than 2 years ago | (#40177039)

Moderation
    50% redundant
    50% funny

I wonder how the first post can be redundant.

Re:First! (2)

bkaul01 (619795) | more than 2 years ago | (#40179271)

When idiots spam every thread with worthless "First!" posts, how could any one of these posts not be redundant?

Weakest Link (2)

whitesea (1811570) | more than 2 years ago | (#40173375)

They wisely chose the weakest link to attack.

Re:Weakest Link (5, Funny)

amicusNYCL (1538833) | more than 2 years ago | (#40173957)

If they can solve captchas at 99% accuracy, I hope they develop a browser toolbar or plugin I can use.

Re:Weakest Link (0)

Calos (2281322) | more than 2 years ago | (#40174037)

Too late, Google took steps to fix it before the exploit was widely announced, according to TFA.

Re:Weakest Link (1)

kelemvor4 (1980226) | more than 2 years ago | (#40175599)

Too late, Google took steps to fix it before the exploit was widely announced, according to TFA.

The real spammers who most likely had this figured out 6 months ago are probably slightly annoyed.

Re:Weakest Link (1)

multicoregeneral (2618207) | more than 2 years ago | (#40180689)

I've been able to do this since 2008 or so. For awhile, I was using it to make posting to craigslist a little easier.

Re:Weakest Link (0)

Anonymous Coward | more than 2 years ago | (#40176463)

JDownloader does this for download stuff.

Re:Weakest Link (1)

sudonymous (2585501) | more than 2 years ago | (#40180025)

For a handful of sites... but it doesn't have a decrypter plugin for recaptcha.

Re:Weakest Link (1)

interkin3tic (1469267) | more than 2 years ago | (#40174065)

Of two links? (The other link being the image.)

Yes... very wise...

Re:Weakest Link (2)

mattack2 (1165421) | more than 2 years ago | (#40175059)

Audio ReCaptcha is the Weakest Link! Goodbye!

Singularity (3, Insightful)

MrEricSir (398214) | more than 2 years ago | (#40173429)

Since they beat the Turing Test, this means we've reached the AI singularity... right?

Re:Singularity (2)

GodfatherofSoul (174979) | more than 2 years ago | (#40173621)

"More human than human." It just means the Tyrell Corporation was working on it.

Re:Singularity (2)

Quillem (2641391) | more than 2 years ago | (#40173651)

Quoting the coda of the story:

While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system.

"I could only get about one of three right," he said. "Their Turing test isn't all that effective if it thinks I'm a robot."

:)

Re:Singularity (3, Interesting)

mcgrew (92797) | more than 2 years ago | (#40179183)

You bring to mind something I read long ago, too long ago for a citation. A researcher was running a Turing test with one subject seeing if he could decide which terminal was a computer and which had a computer on the other end.

The tester just sat there without inputting anything. Pretty soon a message came up on one screen: "Is there anybody there?"

"That's the human," the tester said.

Re:Singularity (0)

Anonymous Coward | more than 2 years ago | (#40174525)

Not until it beats it of its own accord.

Re:Singularity (0)

Anonymous Coward | more than 2 years ago | (#40176593)

Eeeeeeek! Skynet! Run for your lives!!!

Re:Singularity (1)

RaceProUK (1137575) | more than 2 years ago | (#40180115)

Weird thing is, I actually work on a product called 'Skynet'. It's a website used to keep track of vehicle fleets.

It's not self-aware yet, but I'll be the first to warn you when it does :)

Snake meet tail (5, Insightful)

V-similitude (2186590) | more than 2 years ago | (#40173449)

I realized there's an interesting aspect to this, in that gVoice transcription is actively trying to do basically the same thing these guys did* (albeit in a far more general way). Wonder how gVoice would do transcribing google's own recaptcha audio. Someone go try that. Either way though, it's an interesting dilemma if they ever got automatic transcription good enough to defeat these audio recaptchas.

* Well, after RTFA, I realize that a fair bit of what they did was actually more related to hashing (and the pseudo-random generator) vs actually trying to parse the audio, but still.

Re:Snake meet tail (1)

SomePgmr (2021234) | more than 2 years ago | (#40173493)

Having seen lots of google voice transcriptions, I'm pretty sure it couldn't transcribe its way through the most articulate of all audio captchas. Years of training and it's only gotten worse.

Re:Snake meet tail (1)

V-similitude (2186590) | more than 2 years ago | (#40173671)

I don't know, it's nearly perfect on phone numbers, in my experience (which is really helpful). And pretty useful on most stuff to get a good enough idea. Though it does stumble a lot. But yeah, prob doesn't do very well with these, was just a thought.

Re:Snake meet tail (1)

Nonesuch (90847) | more than 2 years ago | (#40175131)

The Google Voice transcription is so uncannily near-perfect with phone numbers, and so awful with everything else, I suspect it is cheating, and using the Caller-ID and other sources to cheat on 'recognizing' a phone number.

Re:Snake meet tail (1)

Aranykai (1053846) | more than 2 years ago | (#40175489)

I use it on android to send about 200 texts a month. Once you learn to speak naturally instead of over-enunciating everything, it does quite well. I suspect a big part of the issues with voicemail transcriptions is partly to do with audio compression on cell phones.

Re:Snake meet tail (0)

Anonymous Coward | more than 2 years ago | (#40177245)

I use it on android to send about 200 texts a month.

Please, please, please stop using a technology-specific service and just send us an e-mail instead. We all have smartphones with data-plans nowadays.

Thanks,

Aranykai's buddies

Re:Snake meet tail (1)

Aranykai (1053846) | more than 2 years ago | (#40189409)

I'm sorry, you can register a google voice number as well if you like. I send about 1/2 those texts from my non cellular enabled android tablet at home via wifi. Get with the times and liberate your phone number from your cell carrier.

Thanks.

Re:Snake meet tail (1)

V-similitude (2186590) | more than 2 years ago | (#40175817)

I think they just put extra emphasis on numbers, since they're limited in scope (only 10ish words, and relatively simple context) and more critical than other words in a VM transcription. I just checked a few VMs and it's perfect on phone numbers even when they're not the same as the caller ID.

Re:Snake meet tail (1)

Anonymous Coward | more than 2 years ago | (#40173927)

I watched the video (hilarious, btw). Someone in the audience asked if they had tried Google's own speech recognition. They had, and it couldn't solve the audio captcha.

Re:Snake meet tail (1)

Beardo the Bearded (321478) | more than 2 years ago | (#40174561)

I did that three years ago. All my posts are by bots.

2

3

5

Re:Snake meet tail (1)

ep32g79 (538056) | more than 2 years ago | (#40181685)

Wonder how gVoice would do transcribing google's own recaptcha audio. Someone go try that. Either way though, it's an interesting dilemma if they ever got automatic transcription good enough to defeat these audio recaptchas.

* Well, after RTFA, I realize that a fair bit of what they did was actually more related to hashing (and the pseudo-random generator) vs actually trying to parse the audio, but still.

In the presentation they did that question was raised and they stated that using gvoice was the first thing they did with no luck.

Another solution.. (5, Informative)

Ziekheid (1427027) | more than 2 years ago | (#40173463)

Most of the spammers who circumvent captchas use real people to fill in their captchas for them. How they do it:
1) A pay-per-filled-in-captcha site (where members solve captchas, not really getting paid even though they think they will be) OR a high traffic site (false/scam sites, hacked sites, etc)
2) Mirror the image from the site you want to spam to your own site
3) A person visits your own site with the mirrored image and solves the captcha
4) Mirror the answer back to the site you want to spam
5) ???
6) Profit! (literally)

Re:Another solution.. (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40173779)

Reminds me of the story of the guy who would play 8 games of chess simultaneously in an octagon and absolutely guarantee he'd win 50% of the games at least.

He then proceeded to play the moves of the players opposite each other against each other.

Re:Another solution.. (0)

Anonymous Coward | more than 2 years ago | (#40173925)

You can do that with Chess, it's a neat little trick. No matter how good the people you're playing are, it'll look like you won half the games which seems pretty good for playing a shitton of people at once.

Re:Another solution.. (0)

Anonymous Coward | more than 2 years ago | (#40173951)

Reminds me of the story of the guy who would play 8 games of chess simultaneously in an octagon and absolutely guarantee he'd win 50% of the games at least.

He then proceeded to play the moves of the players opposite each other against each other.

À la Derren Brown in this clip: http://www.youtube.com/watch?v=evZmpsl3jI0 [youtube.com]

Re:Another solution.. (1)

zill (1690130) | more than 2 years ago | (#40173973)

Does this guy take bets and where can I find him?

55% of professional chess matches end in draws. 45% to the power of 4 is 0.17%.

If he had claimed "he would lose less than 50% of the games" then he would be correct, but that sounds a lot less impressive.

Re:Another solution.. (1)

Anonymous Coward | more than 2 years ago | (#40174267)

Does this guy take bets and where can I find him?

  55% of professional chess matches end in draws. 45% to the power of 4 is 0.17%.

If he had claimed "he would lose less than 50% of the games" then he would be correct, but that sounds a lot less impressive.

Sorry, I misspoke. I'm certain the wager was that he would not lose more than half the games, or perhaps that a draw would result in a rematch.

Re:Another solution.. (1)

hellop2 (1271166) | more than 2 years ago | (#40177199)

Not really a great statistic you created there. maybe this guy is better than average.

Also, what you calculated was the probably to not draw in 4 consecutive games, not 4 out of 8. There are the same number of ways to lose 4 out of 8 as there are to win 4 out of 8. Thus, there is a 50-50 chance of winning or losing. Therefore, it doesn't matter if we're talking about 4 out of 8, or just 1 game. Based on your statistic, the probability of winning or losing 4 out of 8 is 45%, not 0.17%.

Re:Another solution.. (1)

hellop2 (1271166) | more than 2 years ago | (#40177247)

Think of it another way. Is the probably of flipping a coin heads 4 (or more) out of 8 times 0.5^4 = 0.125? No, it's 50-50.

Re:Another solution.. (0)

Anonymous Coward | more than 2 years ago | (#40178015)

It's even more. Without any math, the probability that 0, 1, 2, or 3 heads appear equals the probability that 0,1,2 or 3 tails appear. In the latter case, 8,7,6, or 5 heads appear. The only result left out is the probability that 4 heads appear, which is added to the latter case, hence, 4 or more heads out of 8 occur more often than not.

Re:Another solution.. (1)

zill (1690130) | more than 2 years ago | (#40179573)

First of all, it's "probability".

Second of all, there are only 4 chess games going on. I don't know where you got the number "8" from.
Ostensibly, the con-artist claims "I'm playing 8 chess games against 8 players simultaneously."
What's actually happening is that he's using the moves of A against B, C against D, E against F, and G against H. Thus there are only 4 chess games going on.

Out of 4 chess games, there are precisely 5 possible outcomes:
4 winners: 45%^4 * 55%^0 * 4 choose 4 = 4.1% (I accidentally did 45%^5 before and got 0.17%)
3 winners, 1 game ended in a tie: 45%^3 * 55%^1 * 4 choose 3 = 20%
2 winners, 2 games ended in ties: 45%^2 * 55%^2 * 4 choose 2 = 37%
1 winner, 3 games ended in ties: 45%^1 * 55%^3 * 4 choose 1 = 30%
No winners, 4 games ended in ties: 45%^0 * 55%^4 * 4 choose 0 = 9.1%
(As a sanity check, the percentages add up to 100%)

In order for the con-artist to "win 50% of the games at least", there must be exactly 4 winners, thus only in the first outcome does he fulfill his promise.

This is high school level math. You should really review the material before lecturing someone else.

Re:Another solution.. (0)

Anonymous Coward | more than 2 years ago | (#40173983)

What was the wager and did he pay up when some games ended remis? Should've guaranteed not to lose more than 50% of the games...

Re:Another solution.. (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40175081)

absolutely guarantee he'd win 50% of the games at least

"he wouldn't lose at least 50% of the games" would be more accurate (draws)

Sounds like bull (1)

SmallFurryCreature (593017) | more than 2 years ago | (#40177065)

That would work for an opening move but the whole point of chess is that there are many opening moves and with each additional move the possible moves explode until you need a very special sort of mind or a big computer (IBM big, not your pitiful 6 core big) to sort it all out.

How would your guy make sure the moves of the opposite player have any bearing on the moves on the other board? It would be like playing blackjack by copying what the guy next to you does. SMART, if by some miracle you had the same cards.

Re:Sounds like bull (1)

ThatsMyNick (2004126) | more than 2 years ago | (#40177327)

You should read some of your sibling comments (hell, there was a video clearly explaining this). What GP would do is play off each other player. To be more specific, he would play black for 4 games and white for 4 (this is the usual setup for playing multiple games simultaneously, in case you did not know). He would see the move the white player makes, not respond to him. Move on to the next board, make the same move on this board. Observe the response, and remember it, so that he can play it in the previous board. Now he moves on to the next pair of players. The result would be half wins and half draws (sometimes a draw is also possible)

Re:Another solution.. (2)

doomdoomdoom (2640917) | more than 2 years ago | (#40173895)

I've seen malware that takes over your computer with an "enter the captcha" to get your computer back. The captcha taken from whatever pool of websites they want to deal with.

Collective? (1)

Anonymous Coward | more than 2 years ago | (#40173619)

Every hacking group is now a hacker 'collective'?

"Better than most humans" (5, Funny)

Anonymous Coward | more than 2 years ago | (#40173673)

That's it! Make all users do a SERIES of incredibly hard recaptchas. Those who get too many correct are machines! Brilliant!

Re:"Better than most humans" (5, Interesting)

Anonymous Coward | more than 2 years ago | (#40174011)

...especially if they solve them in less time than the duration of the audio. (Only half kidding: They solved millions of eight second long captchas in a second and a half each and Recaptcha didn't even blink.)
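A server-side version of the check this comment jokes about, as an added example (not part of the thread and not reCAPTCHA's code): the challenge token carries the clip length and issue time under an HMAC, so an answer that arrives before the audio could have been played is refused. The key, `MAX_AGE`, the token layout and the reason strings are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
MAX_AGE = 120.0                   # assumption: a challenge expires after two minutes


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(challenge_id: str, audio_seconds: float, now: float) -> str:
    """Return a token binding the challenge id, clip length and issue time."""
    payload = f"{challenge_id}|{audio_seconds}|{now}"
    return f"{payload}|{_sign(payload)}"


class Verifier:
    """Checks answers and returns a reason string meant for server logs."""

    def __init__(self, answers):
        self.answers = answers  # challenge_id -> expected answer
        self.used = set()       # ids already consumed (one attempt each)

    def check(self, token: str, answer: str, now: float) -> str:
        parts = token.split("|")
        if len(parts) != 4:
            return "bad-token"
        cid, audio_s, issued, mac = parts
        # Recompute the MAC over the exact bytes received: no float round trip.
        if not hmac.compare_digest(mac, _sign("|".join(parts[:3]))):
            return "bad-token"
        if cid in self.used:
            return "replayed"
        self.used.add(cid)
        elapsed = now - float(issued)
        if elapsed > MAX_AGE:
            return "expired"
        # Nobody can have listened to an 8 second clip in 1.5 seconds.
        # Assumption: the whole clip must have had time to play.
        if elapsed < float(audio_s):
            return "too-fast"
        expected = self.answers.get(cid)
        given = answer.strip().lower().encode()
        if expected is None or not hmac.compare_digest(given, expected.encode()):
            return "wrong"
        return "ok"


if __name__ == "__main__":
    # Constructed sample: an 8 second clip answered 1.5 seconds after issue.
    v = Verifier({"c1": "seven two"})
    token = issue_challenge("c1", 8.0, now=1000.0)
    print(v.check(token, "seven two", now=1001.5))  # too-fast
```

Counting "too-fast" results per client address over time gives a detection signal as well as a block.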

Re:"Better than most humans" (1)

million_monkeys (2480792) | more than 2 years ago | (#40175801)

...especially if they solve them in less time than the duration of the audio. (Only half kidding: They solved millions of eight second long captchas in a second and a half each and Recaptcha didn't even blink.)

or maybe it did blink and that's what tipped off Google to change the system?

Re:"Better than most humans" (0)

Anonymous Coward | more than 2 years ago | (#40175265)

Or make them easy.

On the now-closed j-walk blog he changed the captcha to a question, and the answer was always '12'.

It worked.

Re:"Better than most humans" (1)

omfgnosis (963606) | more than 2 years ago | (#40176633)

I think the captcha on Coding Horror used to always be "orange". I don't know how much time Atwood spent deleting spam, but I certainly never saw any (besides his own).

Gone too far... (4, Interesting)

whydavid (2593831) | more than 2 years ago | (#40173707)

I had one of these the other day that was beyond absurd. The visual was a complete scrambled mess, with nearly every letter seemingly equally likely to be 2 or 3 different letters. The audio was even worse: loud gibberish in the foreground with what sounded like someone whispering the actual text in the background. It wasn't until 2 reloads later that I was lucky enough to get a recaptcha that was only slightly ambiguous, and I was able to get it on the 2nd guess. I was far more annoyed at this than I ever have been at a spambot. I'm not sure this is a step in the right direction. Time to move away from garbled text.

Re:Gone too far... (1)

Anonymous Coward | more than 2 years ago | (#40173855)

I apologize that I'm anonymous coward here - too lazy to log in (copb.phoenix) - but there is a better solution.

Machines are not too good at following natural language, so rather than a captcha, a problem written in natural language would - in theory - work best.

Something clear enough to a human eye, but not too obvious mechanically. One of the best ones I ever saw was not labelled at all, other than "signincheck" on the form and said "tob0rAtONm@i in the reversed proper English, please?"

Re:Gone too far... (1)

ldobehardcore (1738858) | more than 2 years ago | (#40173947)

Even that might not work in the long run. IBM Watson gets better every day. It's good enough already for chatbot and it wasn't even designed to do that. I think Watson might be nearing AI-complete for natural language. Just give it a couple of years and see what else comes up.

Re:Gone too far... (1)

Deep Esophagus (686515) | more than 2 years ago | (#40175461)

That won't stop the captcha-mirrors who will grab a captcha, farm it out to idiots logging in for "free" prizes, and feed the idiots' answer back to the captcha. You can make it totally impossible for an AI to figure it out, but they'll still get through this way.

Re:Gone too far... (1)

LoneBoco (701026) | more than 2 years ago | (#40174083)

I've found that KeyCAPTCHA [keycaptcha.com] is pretty good. I don't know how simple it would be to crack, but I do know that I haven't had issues with automated spam after switching to it.

Re:Gone too far... (0)

Anonymous Coward | more than 2 years ago | (#40174157)

KeyCaptcha looks cute, but I would doubt it would stand up to even a fifth of the effort put into cracking reCaptcha. It looks to be security through obscurity because they put the solution on it.

Re:Gone too far... (1)

Pseudonym Authority (1591027) | more than 2 years ago | (#40176521)

Just type the one you can recognize (the challenge word is in the same style for a few weeks, and you should be able to spot it immediately), and type anything for the other word. The second word is of no consequence to the CAPTCHA and only counts towards the Re.

Re:Gone too far... (0)

Anonymous Coward | more than 2 years ago | (#40205267)

I'm getting this more and more. And because I often have sound switched off, especially on my work PC, that means I have to refresh the damned thing five or six times before I get a captcha that I can even guess at. Seriously considering boycotting any site that uses a crap captcha (craptcha?).

Better comments (0)

Anonymous Coward | more than 2 years ago | (#40173889)

Sometimes I wonder if the spambots would post better comments, though.

The actual link (0)

Anonymous Coward | more than 2 years ago | (#40173935)

http://www.dc949.org/projects/stiltwalker/

Been waiting for this story to get picked up by Slashdot.

yawn (2)

jkerman (74317) | more than 2 years ago | (#40174049)

It EXACTLY minimizes their accomplishment. Everyone knew the day that was easily exploited, google would get a little less accessible to the disabled. Everyone knew it was the weakest attack point. (jerks!)

Re:yawn (1)

Pseudonym Authority (1591027) | more than 2 years ago | (#40176533)

If they were doing it then the spammers were probably doing it 6 months ago.

Better rate than me (1)

Arancaytar (966377) | more than 2 years ago | (#40174051)

They get harder, and these days I'm four for five at best.

Maybe I'm just a machine dreaming I'm human?

I'd like to find out how to break it too (2)

Zorque (894011) | more than 2 years ago | (#40174105)

Google's captchas are the worst I've ever seen. They're almost always unreadable and need to be refreshed all the time. I like Recaptcha (which isn't what Google uses on their sites despite owning it), they're generally pretty clear and in addition provide a free service to anyone that wants to use it. I have no clue why Google sticks with their awful in-house captchas for Gmail, Youtube, etc.

Re:I'd like to find out how to break it too (0)

Anonymous Coward | more than 2 years ago | (#40174657)

the site you're on and where you're connecting from both play a role in how bad the recaptchas are -- and in some instances, they are not ''almost always unreadable'' but rather they are ""absolutely impossible"" to decipher gibberish.. it's bad enough when you can barely make out the dictionary words -- but when they start really fucking up the display of complete gibberish, and intentionally at that..... shit. google. what the fuck.

i hate recaptcha. i think it was pretty low for google to buy a project like that simply to collect more web usage data from recaptcha users and their site visitors (which was the main reason for the acquisition.. regardless of what they may claim, it sure as hell wasn't simply to help digitize books).

I gave up on Recaptcha and now use AreYouAHuman (1)

Anonymous Coward | more than 2 years ago | (#40174191)

Someone recently brought "AreYouAHuman" and its "PlayThru" security test to my attention.
http://areyouahuman.com/

I've been using Recaptcha on a niche website I operate for a couple years now, and people have been increasingly complaining about how hard it's getting. While it's English-only right now, PlayThru is very easy to complete, sorta fun, and best of all it tells you whether you got it right before you submit the form, so there's no hoping or guessing. So after a few quick tests, and users raving about how much better they like it, I switched today. The failure rate on security checks instantly dropped by 3/4 or better.

I wonder how long it will be before someone breaks PlayThru also. But until then, sorry Google but Recaptcha had to go.

Re:I gave up on Recaptcha and now use AreYouAHuman (2)

foniksonik (573572) | more than 2 years ago | (#40176825)

Ah but click on the "accessible" option and lookie lookie, an mp3 audio file with gibberish and a background voice. "enter the words you hear".

So this exploit would at least prevent using that option.

The game concept is pretty good though, they just need to make an accessible version.

Re:I gave up on Recaptcha and now use AreYouAHuman (1)

ThatsMyNick (2004126) | more than 2 years ago | (#40177257)

Funny you should mention areyouhuman.com. It actually relies on recaptcha for accessibility. You would have been vulnerable to the attack TFA talks about too.

I bet Siri could solve it. (4, Insightful)

niftymitch (1625721) | more than 2 years ago | (#40174275)

I bet Siri could solve it.
All the voice tools out there could be harnessed to this sad end.

Re:I bet Siri could solve it. (1)

stevenfuzz (2510476) | more than 2 years ago | (#40185719)

Siri has enough trouble searching the web / recognizing most things. Somehow I doubt this.

Don't know why it never occurred to me... (1)

MsWhich (2640815) | more than 2 years ago | (#40175077)

...to use the audio version instead of the text version for those damn things. I bet the audio version doesn't have words that show up with weird non-alphanumeric characters or completely inked-out text in them, like a nontrivial percentage of the recaptchas I see seem to have.

Just goes to show... (0)

Anonymous Coward | more than 2 years ago | (#40175285)

Providing the option of an audio captcha was a bad idea. Blind people are wasted on the internets anyway,

Envy (1)

barv (1382797) | more than 2 years ago | (#40175605)

Rather a neat way to make an employment application.

Google should employ those hackers! (0)

Anonymous Coward | more than 2 years ago | (#40176145)

The hackers' toolkit must have had a much better voice recognition system than Google's!!!

Anyone tried to use voice on Google to do a websearch?? It is the most inaccurate thing since we believed the moon was made out of cheese!!!

The results are most laughable..

they managed to correctly answer audio captcha? (3, Funny)

ffflala (793437) | more than 2 years ago | (#40176355)

Now *that's* impressive. The closest approximation I've heard to the audio captchas I've encountered would be the few recordings I've heard that John Lennon used to give out as gifts: he'd record multiple radios playing different stations.

I did once get an audio captcha that was almost solvable -- AFAICT, it was a conversation between Cthulhu in his native tongue and Tom Waits responding in Aramaic, recorded in a crowded airport terminal that had lots of loudspeaker announcements.

Re:they managed to correctly answer audio captcha? (1)

TeknoHog (164938) | more than 2 years ago | (#40184959)

What?

Only 58 words to crack (1)

mccrew (62494) | more than 2 years ago | (#40176813)

reCAPTCHA was also undermined by its use of just 58 unique words

I'm really surprised the corpus was so small. Would have expected it to be on the order of thousands.

Attention whores claim 99.1% accuracy (1)

Rogerborg (306625) | more than 2 years ago | (#40177561)

100% of press believes them 110%.

New idea! (1)

residieu (577863) | more than 2 years ago | (#40178929)

I've got a great new idea. If you can solve the Captcha, you're obviously not a human and are denied access.

CAPTCHA alternative (1)

aclarke (307017) | more than 2 years ago | (#40179755)

I haven't seen an analogue to this idea outside the ColdFusion world, but CFFormProtect [riaforge.org] is an awesome tool for protecting ColdFusion-based sites from spam.

The basic idea behind CFFormProtect is that spam protection shouldn't involve annoying hurdles that users have to jump over, and should be as invisible as possible to the user. It takes what I would say is a similar approach to SpamAssassin, in that it uses multiple heuristic methods to rank form postings for potential spamminess. I've used it extensively and I've been really impressed with it. I'm not saying that it can't be defeated by a machine, but at least it doesn't annoy and flummox the site's users in the process.
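A sketch of the multi-heuristic scoring approach the comment above describes, added here as an example; it is not CFFormProtect's code and not part of the original comment. The hidden field name `website_confirm`, the weights, the threshold and the phrase list are all assumptions chosen for illustration.

```python
import re
import time

# Assumed weights and threshold for this sketch; tune them against real traffic.
WEIGHTS = {"honeypot": 3, "too_fast": 2, "too_slow": 1, "many_urls": 2, "spam_phrase": 2}
THRESHOLD = 3            # total points at or above which a post is rejected
MIN_SECONDS = 3          # people rarely complete a form faster than this
MAX_SECONDS = 3600       # a very old form suggests a replayed submission
MAX_URLS = 2
SPAM_PHRASES = ("buy now", "free money", "click here")   # constructed list
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def score_post(form, rendered_at, now=None):
    """Return (points, reasons); rendered_at is the server-side time the form was served."""
    now = time.time() if now is None else now
    reasons = []

    # 1. Hidden field: invisible to people via CSS, but bots tend to fill every input.
    if form.get("website_confirm", "").strip():
        reasons.append("honeypot")

    # 2. Timing: submitted implausibly fast, or from a stale page.
    elapsed = now - rendered_at
    if elapsed < MIN_SECONDS:
        reasons.append("too_fast")
    elif elapsed > MAX_SECONDS:
        reasons.append("too_slow")

    # 3. Content: link stuffing and known spam phrases in the visible fields.
    text = " ".join(v for k, v in form.items() if k != "website_confirm")
    if len(URL_RE.findall(text)) > MAX_URLS:
        reasons.append("many_urls")
    lowered = text.lower()
    if any(p in lowered for p in SPAM_PHRASES):
        reasons.append("spam_phrase")

    return sum(WEIGHTS[r] for r in reasons), reasons


def is_spam(form, rendered_at, now=None):
    return score_post(form, rendered_at, now)[0] >= THRESHOLD


# Constructed sample posts (not real traffic).
HUMAN = {"name": "Ann", "comment": "Nice write-up, see http://example.org", "website_confirm": ""}
BOT = {"name": "x", "comment": "Buy now http://a.example http://b.example http://c.example",
       "website_confirm": "http://spam.example"}
```

Because the decision is a sum, a single weak signal (a fast typist, one link) stays under the threshold, while a post that trips several checks is rejected without the visitor ever seeing a challenge.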

These hackers should be awarded. (1)

lvxferre (2470098) | more than 2 years ago | (#40182909)

Yes, they should be awarded. Not for the whole "made in computer to beat computers" thing, but they actually helped in an unintended way - speech recognition. I see this kind of stuff easily joining Praat and software like that, helping linguists to mess with experimental data.

Well done, sirs.