
Porn Rewards Users To Get Past Anti-Spam Captchas

timothy posted more than 10 years ago | from the pull-this-lever-a-few-times dept.

Spam 420

Stalke writes "Spammers are now using a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decripting the 'captchas' which is then replayed back into the spammers program to create a new email account. Who thought that porn could be a hacking technique!" Sure sounds plausible, though the link here says only "someone told me."


420 comments


STOUFFER'S SALISBURY STEAK IS ON TEH SPOKE!!!11 (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112221)

Prole-food (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112371)

Sod the proles!

I'm going to stuff my face with a four course meal at a posh restaurant tonight.

I am not looking at porn (5, Funny)

hetairoi (63927) | more than 10 years ago | (#8112232)

I'm hacking ..... now go away, what I'm doing in here is private.

Re:I am not looking at porn (0)

Anonymous Coward | more than 10 years ago | (#8112402)

Good God! Decripting??? I'll just have to be embarrassed for him (justified sexist assumption). And while I'm at it, how do you defeat slashdot's incorrect default formatting, wherein you are not allowed to use two proper spaces after full stops? Eh?

Re:I am not looking at porn (0)

Anonymous Coward | more than 10 years ago | (#8112444)

Someone told me recently that two spaces is only correct on a typewriter, and the official, correct format on a computer screen is one space. I told him to go fuck himself and that it'll be a cold day in hell before I give up Old Secondy.

I really was horrified to hear about it though. I've been using the guy proudly for so many years, and now to find out I'm not supposed to. I'm thinking of forming some kind of movement to make it correct again, Citizens For Double Spacing, maybe.

I don't want to live in a single spaced world.

Re:I am not looking at porn (-1)

Anonymous Coward | more than 10 years ago | (#8112499)

Click the list box and choose Code. Sample sentence. Another sample sentence.

decripting!??!?! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112233)

of course you mean decyfring

Easy fix (-1, Troll)

I_am_Rambi (536614) | more than 10 years ago | (#8112234)

Stay away from porn and you don't have to worry about this way of spammers getting your email address.

Easier fix (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112249)

If you stay away from email, you won't need to worry about spam.

Re:Easier fix (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112287)

If you stay away from computers you won't have to worry about email.

Re:Easy fix (2, Funny)

Cyno01 (573917) | more than 10 years ago | (#8112259)

Stay away from porn? You're new here, right?

Re:Easy fix (0)

unborn (415272) | more than 10 years ago | (#8112415)

Based on his user id he seems to be older than you here.

Re:Easy fix (2, Funny)

millahtime (710421) | more than 10 years ago | (#8112266)

"Stay away from porn and you don't have to worry about this way of spammers getting your email address."

Yeah, like that is really going to happen. The internet would crash if that happened. So many internet accounts would be canceled that ISPs would go out of business. It would be the doom of the internet.

Re:Easy fix (1)

binarstu (720435) | more than 10 years ago | (#8112313)

If you read the article more carefully, you'll realize that this technique has nothing to do with cracking existing email accounts. It's a technique for signing up for new accounts for spammers to use. However, I agree with another poster -- the article sounds like BS to me.

Foundation (3, Insightful)

millahtime (710421) | more than 10 years ago | (#8112242)

Porn, the foundation of the internet. It will never go away or die. It has more uses then we can even imagine.

Re:Foundation (5, Funny)

krumms (613921) | more than 10 years ago | (#8112279)

It has more uses then we can even imagine.

And several uses that we just don't WANT to imagine :P

Re:Foundation (4, Funny)

Gogl (125883) | more than 10 years ago | (#8112449)

"Porn, the foundation of the internet. It will never go away or die. It has more uses then we can even imagine."

Agreed. It is an energy field created by all living things. It surrounds us, penetrates us, and binds the galaxy together.

Hrmm...

Re:Foundation (3, Funny)

cartzworth (709639) | more than 10 years ago | (#8112465)

More like BLINDs the galaxy together.

My kingdom (-1)

Anonymous Coward | more than 10 years ago | (#8112525)

for a +1 Funny Mod to this.

Nifty (5, Funny)

turbofisk (602472) | more than 10 years ago | (#8112248)

I'm not for spamming... But if I were a spammer... I would pat myself on my back... Pretty nifty... Bastards!

Re:Nifty (4, Interesting)

acidtripp101 (627475) | more than 10 years ago | (#8112418)

I thought this exact same thing. Every time I see a simple 'solution' to a 'problem' like this, I always have to give the creator credit due to them... I don't care whether it's for the linux kernel or to send me pills for a larger penis, it's still ingenious.

"I would pat myself on my back" (1, Funny)

Anonymous Coward | more than 10 years ago | (#8112520)

I would pat myself on my back

I doubt it's the back...

somebody told me (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112251)

Somebody told me
That you were so stupid.
And I didn't believe them.
But now I believe them!

Somebody told me
That you were so stupid.
And I didn't believe them.
But now I believe them!

Everybody's stupid
Everybody's stupid
Everybody's stupid but me!

Somebody told me
That you were so stupid.
And I didn't believe them.
But now I believe them!

Somebody told me
That you were so stupid.
And I didn't believe them.
But now I believe them!

And I'm cool.

Proof! (5, Funny)

RiscIt (95258) | more than 10 years ago | (#8112261)


Proof once again that porn (and it's usually associated activities... ahem) will NOT make you go blind!

Re:Proof! (4, Funny)

Scarblac (122480) | more than 10 years ago | (#8112327)

Oh yeah? So why do they do it only at the signup page?

Re:Proof! (1)

musikit (716987) | more than 10 years ago | (#8112512)

there is no proof against the supposed rumor though that a large amount of masturbation causes a small penis though

Can you imagine... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112262)

...A beowulf cluster of masturbating pr0n haxorz??!?

Spam spam spam spam SPAAM! (4, Insightful)

seidleroniman (740696) | more than 10 years ago | (#8112272)

What is everyone in the Slashdot crowd gonna do? On one hand you don't want to get spammed, but on the other hand you NEED your pr0n. However, i think this will take care of itself because eventually people will be too busy deleting spam to look at pr0n online, reducing the amount of spam....Ok, i'm half kidding, but i really do think this is an ingenious way of spammers getting around certain barriers. Say what you will, but spammers have shown/proven that they can overcome many obstacles to continue their spamming.

Re:Spam spam spam spam SPAAM! (0, Funny)

Anonymous Coward | more than 10 years ago | (#8112297)

If you don't know where to get your porn without "solving" captchas, you're hardly Slashdot material.

Re:Spam spam spam spam SPAAM! (3, Funny)

routerwhore (552333) | more than 10 years ago | (#8112353)

I'm sorry, you incorrectly assumed you had two hands free in this exercise to make your point. I believe one of those would be occupied...

Re:Spam spam spam spam SPAAM! (5, Insightful)

thedillybar (677116) | more than 10 years ago | (#8112376)

What are we going to do?

How about type something other than what's in the box? I seriously doubt you have to sit there waiting while it verifies that what you entered is actually correct. They're probably just assuming most people will type it correctly.

Re:Spam spam spam spam SPAAM! (3, Interesting)

Zeinfeld (263942) | more than 10 years ago | (#8112527)

What are we going to do?

I think half of us are going to flame on slashdot and the other half will go off to find the web site where you can get the free porn.

I hate these C/R schemes, they are OK when they are used for mailing lists or for checking signups to Yahoo! mail or some other forum where the intent is to protect ME. I do not accept that they are at all legitimate when the only purpose is to protect some dweeb who thinks he is really important.

Worst of all are the systems that send out C/R challenges in response to email that was a reply to something that the challenger sent. I get students asking me some question about a Web spec or something else I did. I spend time writing an answer and then get a C/R challenge. Like some student's time is much more important than mine...

Worst of all are the C/R systems that don't whitelist after the first challenge. Dan Bernstein is the worst offender here, I answered three of his challenges and still get his robot if I make the mistake of replying to one of his mails to me. So I have his robot blacklisted in my email.

So on balance I am not at all sad that the nuisance of C/R tests looks like it will be soon ended.

What is worrying though is that the fact such schemes have worked may well mean that hashcash and other CPU payment schemes are not viable either. The senders could run a java component on the porn viewers machine to generate message authentication ids.

Sounds like rubbish (3, Insightful)

Snipet (745417) | more than 10 years ago | (#8112275)

Two reasons this sounds like rubbish: The catchups are generated on a per session basis for the person trying to sign up for the email address. Surely if they then try and get a third party to do the decoding the session will be expired. Also, the article points out that Optical Character recognition is more than adequate to break this so I can not see a situation that spammers would do this elaborate probably unworkable method over OCR. No facts and a friend of a friend source makes this sound like total BS.

Re:Sounds like rubbish (0)

Anonymous Coward | more than 10 years ago | (#8112363)

>Also The article points out that Optical Character recognition is more than
>adequate to break this

Surely it's not hard to create images which are OCR proof? odd fonts, 24 bit colour, colourblind-test style dotty patterns, perhaps even animated gifs (or some geek-friendly equivalent)...what's the problem here?

Re:Sounds like rubbish (2, Funny)

ellisDtrails (583304) | more than 10 years ago | (#8112372)

It would not be that hard to use server-side HTTP requests with a scripting language like PHP or "compiled" language like C#/.NET and a Message Queue to accomplish this. Hey, maybe I'll write one of these. I am sure the porn people pay more than my shitty company. ellis

Re:Sounds like rubbish (5, Interesting)

superwiz (655733) | more than 10 years ago | (#8112384)

Catchups are constantly designed to be undecodable by OCR. But the porn solution doesn't sound like rubbish at all. It actually sounds quite clever. Here's how it might work:

1. An automated script tries to sign up for public emails (yahoo, hotmail, etc.).
2. At some stage during sign up a page with a catchup is "presented" to the script.
3. The script gets the catchup out of the page and adds it to a pool of catchups to be associated with their perspective words.
4. At some point, shortly after, a visitor to a porn site is presented with a catchup and enters the correct word. THIS IS, BY THE WAY, A PERFECT WAY TO FOIL SPAMMERS AND TO STILL GET YOUR PORN -- since the porn site doesn't, in fact, know what the catchup is supposed to be and is only using you, enter a wrong one.
5. The word entered by the user on the porn site is used to submit a reply to the public email system.

Re:Sounds like rubbish (0)

Anonymous Coward | more than 10 years ago | (#8112452)

The porn site can of course use the reply of the public email system to deny or grant access to the porn. So even if entering wrong words works now, it need not continue to work. They're called "captchas", btw.

Re:Sounds like rubbish (5, Informative)

Z-MaxX (712880) | more than 10 years ago | (#8112391)

> Two reasons this sounds like rubbish: The catchups are generated on a per session basis for the person trying to sign up for the email address. Surely if they then try and get a third party to do the decoding the session will be expired.

Not necessarily. From the writeup:

> by displaying the 'captchas' on free porn sites in real time.

If you have thousands of visitors every hour, then you only have to wait a few seconds on average to have your image shown to a user and a few more seconds for the user to respond.

Re:Sounds like rubbish (2, Interesting)

Peridriga (308995) | more than 10 years ago | (#8112397)

Well.... yes the facts are missing but, I could think of the program logic.

Load page to harvest captchas
Save the captchas image to DB
Maintain open page where captchas was harvested
Serve captchas to real user on porn site
Capture real user's response to captchas
Re-input user's response to the text field on the harvest page
Voila.

Still the same session on the harvest page, just multi-tasked the captchas out. A script can maintain a session just like a user can.

Now... The band-aid (not the fix) comes by accepting all user information first (name, address, etc) then on the next page request the captchas input. Have that page have a cookie timeout of 30 seconds. If the user can't read 7 characters in 30 seconds then redisplay another one. After x number of failures ban for 10 minutes etc...

Now this fails if the spam harvester has access to enough concurrent hits on his false verifier to maintain the 30 second window but, I'd hope at that point his profit margin has shrunk a great deal more due to the traffic requirements.
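The band-aid described above (challenge bound to one signup session, a 30-second window, a temporary ban after repeated failures) written out as server-side logic. This is an added example, not code from the thread or from any mail provider; the session id, the three-failure threshold and the FakeClock are assumptions made for the demo, and a real deployment would render the answer into a distorted image instead of returning it as text.

```python
import hmac
import secrets
import string
import time

CHALLENGE_TTL_SECS = 30.0   # the 30-second window proposed in the comment
MAX_FAILURES = 3            # "after x number of failures": x = 3 is an assumption
LOCKOUT_SECS = 600.0        # "ban for 10 minutes"
CHALLENGE_LENGTH = 7        # "7 characters"
ALPHABET = string.ascii_uppercase + string.digits


class CaptchaGate:
    """Server-side bookkeeping: one single-use challenge per signup session."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the demo can fast-forward time
        self._pending = {}           # session_id -> (expected_answer, issued_at)
        self._failures = {}          # session_id -> consecutive failure count
        self._locked_until = {}      # session_id -> time at which the lockout ends

    def _is_locked(self, session_id, now):
        return self._locked_until.get(session_id, 0.0) > now

    def issue(self, session_id):
        """Create a fresh challenge for this session and return its answer
        (returned as text only for the demo; production renders an image)."""
        now = self._clock()
        if self._is_locked(session_id, now):
            raise PermissionError("session is locked out")
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LENGTH))
        self._pending[session_id] = (answer, now)   # replaces any stale challenge
        return answer

    def _record_failure(self, session_id, now):
        count = self._failures.get(session_id, 0) + 1
        self._failures[session_id] = count
        if count >= MAX_FAILURES:
            self._locked_until[session_id] = now + LOCKOUT_SECS
            self._failures[session_id] = 0
            return "locked"
        return "retry"

    def verify(self, session_id, response):
        """Check a response. The challenge is consumed whether the answer was
        right, wrong or late, so it can never be answered twice."""
        now = self._clock()
        if self._is_locked(session_id, now):
            return "locked"
        challenge = self._pending.pop(session_id, None)
        if challenge is None:
            return "no_challenge"
        expected, issued_at = challenge
        if now - issued_at > CHALLENGE_TTL_SECS:
            # A correct answer that arrives late is still rejected; this is what
            # shrinks the window in which a relayed human answer is useful.
            self._record_failure(session_id, now)
            return "expired"
        if not hmac.compare_digest(expected, response.strip().upper()):
            return "wrong" if self._record_failure(session_id, now) == "retry" else "locked"
        self._failures.pop(session_id, None)
        return "ok"


class FakeClock:
    """Constructed clock so the walkthrough is deterministic and runs offline."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, secs):
        self.now += secs


def run_scenario():
    """Walk one signup session through each outcome; returns the verdicts."""
    clock = FakeClock()
    gate = CaptchaGate(clock)
    verdicts = []

    answer = gate.issue("sess-1")
    clock.advance(5)
    verdicts.append(gate.verify("sess-1", answer.lower()))   # prompt and correct -> ok

    answer = gate.issue("sess-1")
    clock.advance(45)
    verdicts.append(gate.verify("sess-1", answer))           # correct but late -> expired

    for _ in range(2):                                        # two more misses -> wrong, locked
        gate.issue("sess-1")
        verdicts.append(gate.verify("sess-1", ""))

    clock.advance(LOCKOUT_SECS + 1)                           # lockout has lapsed
    answer = gate.issue("sess-1")
    verdicts.append(gate.verify("sess-1", answer))
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

As the comment goes on to note, a relay with enough concurrent porn-site traffic can still fit a human answer inside the 30-second window, so this raises the relay's cost rather than removing the technique.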

Re:Sounds like rubbish (0)

Anonymous Coward | more than 10 years ago | (#8112438)

You are looking at this in the wrong direction. A user comes to the free p0rn site. The server at that site then opens a connection to the free e-mail server and gets the captcha from the e-mail server. The pOrn server now sends this to the HNG who quickly inputs the decode and presses the "Let Me In" submit button. P0rn server gets HNG input and completes the transaction to e-mail server.

At no time does the HNG client directly connect to the e-mail server. The magic is in having the p0rn server act as server to HNG and client to the e-mail server. Easy coding. I'm willing to bet that a Perl or PHP CGI could be written in a matter of hours to do this.

CTJ2

Re:Sounds like rubbish (0, Offtopic)

Mr2cents (323101) | more than 10 years ago | (#8112507)

If I'd get started about all the things 'someone told me'.. Someone is a big fat liar!
BTW, did you know the USA put two rovers on the moon a few weeks ago?

Re:Sounds like rubbish (1)

MC_Cancer_Pants (728724) | more than 10 years ago | (#8112523)

I don't understand where you're coming from with the "expiration" front. There is a constant supply of people visiting pr0n sites, every time they generate a signup page, the server can run their set-up-an-account script, and get a fresh decryption. No one is saying that these images will be stored on a table, to be decrypted later. this can all happen within the matter of a minute or less, so long as the catchup was generated when the pr0n subscription was generated, which isn't THAT hard to do. This is a beautiful technique, I wouldn't criticize it. IMHO this would increase accuracy and decrease server processing, optical processing on a large scale isn't exactly CPU friendly. So why not put the world's largest accessible neural network to work? I wish more people could come up with innovative techniques like this. Hopefully not just spammers ;)

Re:Sounds like rubbish (2, Informative)

Anonymous Coward | more than 10 years ago | (#8112526)

'Bot logs into the mail server and attempts to sign up for a new email address. 'Bot receives page showing the imaged text. 'Bot grabs the image and redisplays it on the entry page for the next person accessing the free porn. That person enters the text, which is sent back to the 'bot. This only takes a few seconds if a person signs in to the porn page in the right time frame. If the porn site gets reasonably heavy traffic, one certainly will. If not and the page times out, the 'bot just tirelessly tries it again. Or the 'bot waits until someone tries to access the free porn, gives them an intro page to distract them while it contacts the email server and gets the imaged text. For every person who accesses the porn site, the 'bot gets a new email address.

OCR may or may not be good enough. However, the whole purpose of the graphics is that the text is obfuscated in such a way that it makes it difficult for OCR but still easy for humans. The article says that which a computer can generate, a computer can often solve. Sometimes perhaps, but certainly not always. For a trivial example, take a photograph and change every pixel in it to black. A computer can do it but another computer can obviously not undo it, as all of the original information is lost. When you blur or otherwise obfuscate text, you're destroying information. The remaining information may be sufficient for a human to understand it, but insufficient for an OCR algorithm. I haven't seen anything reliable which evaluates OCR on captchas, but I know how well OCR does on regular scanned text. It's much better than it used to be but still far from exact.

Re:Sounds like rubbish (3, Redundant)

(trb001) (224998) | more than 10 years ago | (#8112545)

OCR aside (you're right, it's far more advanced than most of the 'captchas' I've seen), this would be easy to do. Follow:

1) Person comes to sign up for porn
2) Porn site requests the captcha from the free email provider
3) Porn site presents the captcha to the user
4) User types in the string
5) Porn site presents the string to the free email provider.
6) If email provider accepts, good to go. If not, throw back exception to the user. Goto step 3.

No sessions are being expired here, you have your basic man in the middle attack.

--trb

Easily countered (4, Interesting)

Yggdrasil42 (662251) | more than 10 years ago | (#8112276)

This can be easily countered if the free e-mail sites configure their servers, so that the 'captchas' can only be loaded into pages that they've served themselves.

I'm not sure how that works, but I've seen it in action on some sites.

Maybe someone else knows how it's done?

Re:Easily countered (2, Insightful)

perlionex (703104) | more than 10 years ago | (#8112311)

I'm sure it's only loaded into pages they've served themselves. The p0rn sites just grab the image, then display from their own sites to the users directly. When the users send the correct text back to the p0rn site, the site then sends it back to the website. It's actually quite trivial, but ingenious.

Re:Easily countered (5, Informative)

Violet Null (452694) | more than 10 years ago | (#8112339)

Wouldn't matter.

Automated spam script goes to sign up new email address, gets presented captcha. Downloads captcha -- as the server would expect any normal web browser to do.

Captcha is copied to some location. Filename probably contains information that can identify the specific script that's running, since there'll undoubtedly be many going simultaneously.

From that point, there's about 20 minutes, give or take, for the porn site to display the copy of the captcha and ask for the user's input. On a site seeing any amount of traffic at all, that should be more than enough.

Once a user has given input, the spam script is notified, and sends the input back to the captcha server. The captcha server never sees the IP address of the human -- it only deals with the spam script -- so it'll never know anything's up.

Re:Easily countered (-1)

Anonymous Coward | more than 10 years ago | (#8112404)

there is no way for the pornsite/spamscript to verify the input of the user, so if you want free porn and the image says abc, type xyz and you still get free porn

Re:Easily countered (-1)

Anonymous Coward | more than 10 years ago | (#8112436)

ummmm, no free email account = no porn for you.

Re:Easily countered (1)

PhuCknuT (1703) | more than 10 years ago | (#8112538)

there is no way for the pornsite/spamscript to verify the input of the user

Sure there is, they just have to finish the signup attempt for the free mail account and not give results to the user until they see the results of the email signup. To the porn site luser, this would just look like a 1 or 2 second delay after hitting submit.

Re:Easily countered (1)

ErroneousBee (611028) | more than 10 years ago | (#8112445)

From that point, there's about 20 minutes, give or take, for the porn site to display the copy of the captcha and ask for the user's input. On a site seeing any amount of traffic at all, that should be more than enough.

Or just wait for a punter to hit your pr0n site, and launch the email signup thing at the Yahoo! target whilst they are reading your T&Cs.

Or just always have a signup in the queue, getting a new one every 10 minutes. I'm sure Yahoo! get a load of abandoned signups anyway.

Re:Easily countered (0)

Anonymous Coward | more than 10 years ago | (#8112366)

It's not possible to restrict data like that. Once you send the http client (spambot) data, it has the data. Sorry, next contestant!

Re:Easily countered (0)

AlphaPB (741406) | more than 10 years ago | (#8112380)

I'd assume that the spammer's program would first capture the graphics then serve them up to the porn-seeker. If this kind of solution gets popular, I bet captchas will start evolving to be more unpredictable, e.g. having the user describe what's happening in animated clips that hide the target at random positions in a field of static.

I eat spam on TOAST! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112277)

toaster,toaster toaser, do you have toast in you yet i think [rowdyruff.net]
so!!!!!!!!!!!!!!!!!!!Im not a toaster!!!!!!!!!!And one more
thing........YOUR A TOASER!!!!!!!!!!!!!! AND A COOKIE WITH MILK SOAGE
MILK!!!!!!!!!!AND A BUTT WITH POOP IN IT!!!!!!!!!!!!!!!!

good or evil (2, Funny)

nizo (81281) | more than 10 years ago | (#8112278)

Now if we could only get spammers to use their ingenuity for good rather than evil, we could solve all of the world's problems.

Re:good or evil (3, Interesting)

mlush (620447) | more than 10 years ago | (#8112484)

Now if we could only get spammers to use their ingenuity for good rather than evil, we could solve all of the worlds problems.

I could see this working for some image recognition problems. To get the next page you have to perform some small task. Salt the tasks with 10% control images for which you know the answer and a finders fee where you get a weeks free access if you find X or do Y work units. Could be used to check surveillance video images ...

So they will just get more sophisticated (0)

caston (711568) | more than 10 years ago | (#8112285)

and the server side scripts will check that the IP that the image was served to is the same one that signs up for the free e-mail.

Re:So they will just get more sophisticated (1, Redundant)

PhuCknuT (1703) | more than 10 years ago | (#8112568)

The spammers don't have to link to the original image, they can just copy it and serve it from the porn site. If done correctly, the free email server would never see anything out of the ordinary.

Easy fix. (4, Funny)

Black Parrot (19622) | more than 10 years ago | (#8112286)


For your captcha, use a picture of a really ugly old woman with "click here to see more" written across it, and no one visiting a porn site will help with the decryption.

Re:Easy fix. (1, Funny)

chiller2 (35804) | more than 10 years ago | (#8112377)

Margaret Thatcher naked on a cold day!
Margaret Thatcher naked on a cold day!

(Austin Powers reference)

Re:Easy fix. (1)

orasio (188021) | more than 10 years ago | (#8112389)

Obviously, you know nothing about free porn sites. But the correct title would be "granny shows pink".
People would watch anything.

Valid News Sources (4, Insightful)

akadruid (606405) | more than 10 years ago | (#8112293)

Is it just me or are people becoming less critical about what a valid news source is?
'Someone told me...' on a 'blog'?

That doesn't carry quite the weight of the BBC and Reuters to me, but I suppose there's a good chance no-one was threatened by a 'democratic' government during the production of the article, so maybe it's less biased than some.

MOD PARENT DOWN (-1)

Anonymous Coward | more than 10 years ago | (#8112403)

This is a known troll - he makes intelligent, critical remarks which don't fit into the slashdot mainstream and show common sense.

Re:Valid News Sources (1)

Albanach (527650) | more than 10 years ago | (#8112410)

Is it just me or are people becoming less critical about what a valid news source is? 'Someone told me...' on a 'blog'?

Sheesh, some folk are never happy. The source is pointed out to us, proving that the Slashdot Editor did actually read the article, and now you want them to be fussy over the sources too. Next thing we know you'll be complaining again tomorrow when this story gets duped.

Valid News sources... on a blog. (4, Insightful)

LinuxParanoid (64467) | more than 10 years ago | (#8112470)

You're right. But. A) you're repeating what the editor already said, and B) you are overstating your case a bit for the following reasons:

In fairness, the poster on the blog was Cory Doctorow, who is a long-time, well-known net-citizen and isn't exactly some random guy, although you may not know him. For a sample of his work, see this piece in Salon [salon.com] which mentions that he won the John W. Campbell Award for best new science fiction writer at the 2000 Hugo Awards. He's not a journalist, he's a blogger, but it's an interesting tidbit nonetheless...

And even if he was a random blogger, his credentials are much less important than the core concept he's disclosing: that someone seeking to generate email accounts (or open bank accounts or whatever) could have porn-seeking humans work around the turing-ish test security measures. The story is less that someone is doing it, than that someone could be doing it. At least to me.

Plus this is a hacker-type story... I wouldn't expect Reuters, etc. to carry it first.

I actually was glad to see the Slashdot editor point out the "someone told me" caveat... it's a sign to me that the editors here are getting better. They're warning us about the weaknesses in the story, not just slapping stuff up here without a care.

--LP

Re:Valid News Sources (2, Insightful)

dabadab (126782) | more than 10 years ago | (#8112487)

Well, this posting is not about "news" but more about an interesting idea - an idea's "interesting" factor does not depend on its source.
It is intriguing and worth thinking about, a lot more than, say, eweek's zero-content article about the wishlist for linux 2.7.

Re:Valid News Sources (1)

TwistedGreen (80055) | more than 10 years ago | (#8112511)

I see your point, but that's the whole point of the Internet and personal publishing ("blogs"). It's time for the major publishers' granted monopoly on truth to end [slashdot.org] . Who [slashdot.org] can you trust [slashdot.org] these days?

And anyways, that doesn't discount that this is still a very interesting idea. And that's the primary news item.

Re:Valid News Sources (2, Funny)

andih8u (639841) | more than 10 years ago | (#8112517)

I'm sure this is the kind of front page stuff that BBC and Reuters would be reporting.

"This just in...spammers are apparently using pron sites to help decrypt captchas."

Some nuts will find a conspiracy in everything.

Re:Valid News Sources (1, Funny)

ZoneGray (168419) | more than 10 years ago | (#8112557)

I dunno, I think rumors are as valid a news source as Reuters or the BBC. In my experience, the accuracy rate seems to be about the same.

carry quite the weight of the BBC and Reuters (-1)

Anonymous Coward | more than 10 years ago | (#8112571)

carry quite the weight of the BBC and Reuters

You're right. This random bit of "someone told me that..." doesn't carry the anti-American, leftist spin that originates from the BBC and Reuters.

One thing leads to another (1)

MMaestro (585010) | more than 10 years ago | (#8112294)

If 'captchas' are being cracked, then it means it's time for a new technique. What do you think will be used next? The old, crude method of 'look at X line in Y paragraph and enter the word?' Or something geared towards countering this crack such as a randomly generated list of instructions requiring the user to scramble the 'captcha'?

Re:One thing leads to another (4, Informative)

cyb97 (520582) | more than 10 years ago | (#8112330)

That method is already in use by several sites that get paid by the number of ad-clicks. To make *dead sure* that the patrons click the banners you have to fill in a missing word in a sentence collected from the banner-site or the 3rd word etc to get into the site.

It's pretty lame, and I guess most ad-agencies frown upon it as the clickers aren't really producing any business..

Re:One thing leads to another (0)

Dogers (446369) | more than 10 years ago | (#8112579)

it might be old, but imagine a bigger captcha image, with a paragraph in it.. could a script not fiddle with the colours and spacing of words to fool scripts?

thi sisapar agra ph exam ple

(obviously you can tell it in html, but as an image?)

mind you, it's the same as DRM, I guess if it can be created by script, it can be undone by script..

I've heard of it too (2, Funny)

Maskirovka (255712) | more than 10 years ago | (#8112303)

They like to call the method "many carrots and more sticks".

In related news... (5, Funny)

Black Parrot (19622) | more than 10 years ago | (#8112314)


A million new Slashdot accounts were added today.

sex fuels innovation (1)

The Tyro (247333) | more than 10 years ago | (#8112316)

pr0n isn't really my thing, so I can't say I've ever seen this done... but it's a nifty way to gather hordes of horny, sweaty human volunteers to willingly generate thousands of spamming accounts for you...

It's just like the Anna Kournikova virus from a few years back... except this one actually gives you free pr0n. Remember the one that asked you to open an attachment to see a free picture of Anna? (yeah, I was overseas, and some lonely airman in the desert opened this virus on our military computer network... took us days to unclog our servers)

Ingenious... they'll be set for years.

Why not... (0)

Anonymous Coward | more than 10 years ago | (#8112318)

...hide a dynamically created PGP key in the captchas, using steganography?

Countermeasure... (3, Interesting)

LinuxParanoid (64467) | more than 10 years ago | (#8112326)

If the image ...has been inlined from Yahoo or Hotmail... as the article says, couldn't Yahoo/etc have their image generation scripts set up dynamically to check the referrer (or should I say referer? ;-)).

I seem to recall this approach being used by online comic strips trying to prevent inline linking from elsewhere...

--LP

Re:Countermeasure... (0)

Anonymous Coward | more than 10 years ago | (#8112399)

Unfortunately, this doesn't work well. A lot of Internet Antivirus Tools delete the REFERER information in the HTTP GET and thus render this method undoable. I tried it on my web site and went back on it due to a lot of email that the pages with the referer test activated were inaccessible :-(

Re:Countermeasure... (2, Insightful)

Glog (303500) | more than 10 years ago | (#8112426)

Referer can be spoofed so that won't work. But it's very easy for a large company like Yahoo (or any company for that matter) to set up its image server as an internal server - i.e. accessible to their *own* web servers alone. However, what's to stop spammers from grabbing the image off the browser cache and literally serving it from there on other pages. I can see how the article has a point unless the images appear on an SSL page which can't be cached. But then again I think you can cache even those.

Re:Countermeasure... (4, Insightful)

leoboiko (462141) | more than 10 years ago | (#8112504)

The referrer field is easily forged.

Technology Review (2, Informative)

Anonymous Coward | more than 10 years ago | (#8112333)

This was suggested in an old issue of Technology Review [technologyreview.com]

Human Grid Computing?! (1, Funny)

lunar_legacy (715938) | more than 10 years ago | (#8112335)

Sounds like distributed computing systems. Hmmmm.....maybe we can use this in...yeah that's it!!

It really is true (5, Funny)

The Night Watchman (170430) | more than 10 years ago | (#8112344)

Someone told me once that most technologies that have become successful are those technologies that assist in the dissemination of porn and/or voyeurism. Thinking about it, that's very true. Radio gave way quickly to television, which gave way to cable, and BAM! You get porn. Radio also gave way to the telephone, which gave way to party lines, and BAM! Advances in optics have brought us photography (BAM!), telescopes (BAM!), and eyeglasses (the... the porn is so CLEAR now!), to name a few. Look at the primary achievement of the 90s. The commercialization of the Internet. That's essentially a porn revolution!

So porn is being used to break encryption. Personally, I feel there can be no other way. Porn will lead us to the greatest achievements of our day, and conversely, all roads lead to porn.

It's our past, our present, and our future. Embrace it, or be left behind.

Re:It really is true (0)

DrunkenTerror (561616) | more than 10 years ago | (#8112534)

I didn't know Emeril Lagasse was a /.er! Let's kick it up a notch! Hey, Emeril, how 'bout some funky fish tacos [foodtv.com] for lunch?

Re:It really is true (1)

The Night Watchman (170430) | more than 10 years ago | (#8112564)

Yeah, yeah...

I realized later that "bam" was a bit trendy for /., but by then it was too late. I can only hope to not be modded "Troll" for impersonating a well-known chef.

Clever. (1)

cableshaft (708700) | more than 10 years ago | (#8112349)

Porn hustlers are the most brilliant minds alive today. They're the first to embrace new technology, have the most secure websites on the web (well, the major ones, at least), great marketers (TITS!), and can coerce the populace to do their bidding to make even more money. I wish I was even half as brilliant as they are...

Make it copyrighted (2, Insightful)

sabri (584428) | more than 10 years ago | (#8112367)

This is a challenge for the HABEAS [habeas.com] idea (HABEAS uses a copyrighted poem to sue spammers who send spam). The pornspammers are quite obviously circumventing a security measure. Based on the sending IP address, AOL/Hotmail etc. should be able to do some suing.

not new (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8112378)

this technique isn't new. maybe its a little more refined now, but i remember reading stories about this YEARS ago.

too lazy to prove this though...

Genius haha (1)

SparafucileMan (544171) | more than 10 years ago | (#8112393)

That's such a good idea. Have some javascript load the image, thus using their IP address, and you don't even have to worry about the email sites blocking the porn site's IP.

Having millions of people actively looking for your product = millions of human scripters = more powerful than some puny code. Sweet.

Computer Program (4, Interesting)

UPAAntilles (693635) | more than 10 years ago | (#8112408)

The computer science department at Berkeley has already broken the Yahoo-like Captcha [berkeley.edu] . They use an algorithm to break it. They recommend "Gimpy" as a replacement, which their software has yet to crack. The blog is full of crap, the captcha is generated every session, so you can't make a link to the image like they would like because the session would end.

Re:Computer Program (1)

Valdrax (32670) | more than 10 years ago | (#8112530)

No, but you can download the image, rehost it, and keep the session open until the user enters its meaning in. Writing a proxy server isn't exactly rocket science.

Re:Computer Program (1)

UPAAntilles (693635) | more than 10 years ago | (#8112577)

Problem is, they have random file names like this one... sJbUl.dZFemXCqu1f8qeOpy.ugB1Ey31UpybWhHN.6lMOdVy1q P0CA-- Hard to program for methinks.
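
An added example, not from any poster in this thread, tying together the Countermeasure subthread (a Referer check is a comparison on a header the client supplies or omits) and the remark above about downloading the image, rehosting it and holding the session open: the only checks a signup service can actually rely on are ones backed by server-side state. The `CaptchaStore` below is a hypothetical illustration, not Yahoo's or Hotmail's code; it binds each challenge to the session that requested it, expires it after a short TTL, allows exactly one answer attempt, and caps how many unanswered challenges one session may hold. The Referer helper is included only to show what that check reduces to. Session ids, the host name and the clock are constructed for the demo.

```python
import secrets
import time
import hmac


# Characters that survive distortion well; the answer goes only to the image renderer.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def referer_looks_internal(headers, allowed_host="signup.example.com"):
    """The Referer check proposed in the thread, reduced to what it is:
    a string comparison on a header the client chooses to send (or omit).
    Kept here only to contrast with the server-side state below; the host
    name is a placeholder."""
    ref = headers.get("Referer", "")
    return ref.startswith("https://" + allowed_host + "/")


class CaptchaStore:
    """Hypothetical server-side registry of outstanding CAPTCHA challenges.

    Every challenge is bound to the session that requested it, expires after
    `ttl` seconds, may be answered exactly once, and each session may hold at
    most `max_open` unanswered challenges at a time. Nothing here depends on
    anything the client sends besides its own session identifier."""

    def __init__(self, ttl=60, max_open=3, clock=time.time):
        self.ttl = ttl
        self.max_open = max_open
        self.clock = clock          # injectable so expiry can be demonstrated
        self._open = {}             # challenge_id -> (session_id, answer, issued_at)

    def _sweep(self):
        """Drop challenges past their TTL so the table cannot grow without bound."""
        now = self.clock()
        stale = [cid for cid, (_, _, t) in self._open.items() if now - t > self.ttl]
        for cid in stale:
            del self._open[cid]

    def issue(self, session_id):
        """Return (challenge_id, answer), or None if the session holds too many."""
        self._sweep()
        live = sum(1 for sid, _, _ in self._open.values() if sid == session_id)
        if live >= self.max_open:
            return None
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        challenge_id = secrets.token_urlsafe(16)
        self._open[challenge_id] = (session_id, answer, self.clock())
        return challenge_id, answer

    def verify(self, session_id, challenge_id, submitted):
        """One attempt per challenge: the entry is removed before it is checked,
        so a wrong, late, or foreign answer cannot be retried against the same image."""
        entry = self._open.pop(challenge_id, None)
        if entry is None:
            return False
        bound_session, answer, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return False
        return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())


class FakeClock:
    """Constructed clock so the demo can advance time without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Run the store through the cases the thread argues about."""
    clock = FakeClock()
    store = CaptchaStore(ttl=60, max_open=3, clock=clock)
    results = {}

    cid, answer = store.issue("sess-A")
    results["correct_once"] = store.verify("sess-A", cid, answer.lower())
    results["replay"] = store.verify("sess-A", cid, answer)         # already consumed

    cid, answer = store.issue("sess-A")
    results["other_session"] = store.verify("sess-B", cid, answer)  # image shown elsewhere

    cid, answer = store.issue("sess-A")
    clock.now += 61
    results["expired"] = store.verify("sess-A", cid, answer)        # solved too late

    for _ in range(3):
        store.issue("sess-C")
    results["cap_hit"] = store.issue("sess-C") is None               # fourth live one refused

    results["referer_missing"] = referer_looks_internal({})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The caveat a practitioner would want: none of this stops a relay that runs in near real time, since the session holding the challenge is the relaying script itself. What the server-side state buys is that a stored or rehosted image is worthless after the TTL, each image yields at most one attempt, and a single session cannot pull challenges in bulk; the Referer comparison, by contrast, is satisfied or not entirely at the client's discretion.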

Holy crap (5, Funny)

osgeek (239988) | more than 10 years ago | (#8112417)

They've harnessed the power of horniness, but for evil. If only that unlimited power could be harnessed for good -- it would be like having controllable fusion and all of the heavy water we'd ever need.

Amazingly clever, those evil spamming bastards.

Where? (1, Insightful)

Bazman (4849) | more than 10 years ago | (#8112431)

Can someone show me a real example of this being used? Please. Pretty please....

From an insider... (2, Interesting)

Mazzie (672533) | more than 10 years ago | (#8112446)

I can tell you that 99% of the illegal or 'gray area' activities like SPAM that go on in the online porn community are likely performed by less than 1% of the companies.

A vast majority of operators I speak with are firmly against SPAM because it simply doesn't result in profit. For one, customers who join up as a result of SPAM result in a much higher chargeback rate on credit card purchases, and in general being on the receiving end of traffic from SPAM is more than a nightmare dealing with 1000s of pissed off system admins.

Also, porn site operators want to maintain legitimate mailing lists to keep their customers informed, but that is now a pipe dream, as even customer support is difficult over e-mail because much of it gets caught up in SPAM filters.

Personally I won't do contract work for any porn company that uses SPAM because those are the ones that usually try to beat me out of a check. Also, they are the least likely to be around in 6 months, because most of them go under very quickly. In addition, I get sick of moving apps from host to host to host as they routinely get booted for sending, or being associated with SPAM.

I'm a security expert (0)

Anonymous Coward | more than 10 years ago | (#8112477)

Can I have a look at those porn URLs? I really need them for my research.

Someone asked for a real example of this... (3, Funny)

johnthorensen (539527) | more than 10 years ago | (#8112483)

Well I don't have an example of the page, but I do happen to have one of the captcha tests they were using... :)

Click here to decode pr0n captcha [fastsilicon.com]

-JT

Possibly self-solving problem (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8112505)

This technique won't work forever.

This tactic requires porn, which requires porn stars... and there's some things that even porn stars won't do for money.

Easy fix (0)

Anonymous Coward | more than 10 years ago | (#8112563)

Just use a Java applet instead of an image. It will be a whole lot harder to write a script that takes captchas from the sign-up page to pr0n users.