
Yahoo CAPTCHA Hacked

kdawson posted more than 6 years ago | from the leap-and-frog dept.

Security 252

Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."


252 comments


frosty piss? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22229406)

Why do fireworks die?

Re:frosty piss? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22229430)

I blame the Jews. Fireworks and 9/11 are totally their work...

I thought those things were already broken (5, Funny)

Anonymous Coward | more than 6 years ago | (#22229426)

by having a teenage boy do it in exchange for letting him see porn.

Re:I thought those things were already broken (1, Funny)

Anonymous Coward | more than 6 years ago | (#22229738)

Not an easy job to stay concentrated on.

Re:I thought those things were already broken (4, Insightful)

2.7182 (819680) | more than 6 years ago | (#22229796)

I think the parent is serious. The idea is that your robot goes and grabs the images that need to be decoded. Then on another website, it is presented and you can see free porn if you type in the word. I've heard of this but never read about it. Sounds like a good idea. Anyone know what this is called or some references?

Re:I thought those things were already broken (2, Insightful)

Rageon (522706) | more than 6 years ago | (#22229840)

No idea where I first read this, but I too remember reading something very similar to the "solve the captcha for porn" idea.

Re:I thought those things were already broken (4, Informative)

rthomas6 (1229346) | more than 6 years ago | (#22229916)

http://news.bbc.co.uk/2/hi/technology/7067962.stm [bbc.co.uk]
Here is a link to a BBC article about something like that. It's a Windows program that rewards typing in captchas by showing a woman that takes off progressively more and more clothes.

Captcha farming? (1)

infonography (566403) | more than 6 years ago | (#22230274)

MMORPG gold farming is starting to be locked down now, how much will a spammer pay for 100,000 email addresses?

Re:I thought those things were already broken (0)

Anonymous Coward | more than 6 years ago | (#22230342)

A rough analogy (but not quite the same thing) would be the Chinese Lottery.

Look up Bruce Schneier's Applied Cryptography or RFC 3607 for details.

Re:I thought those things were already broken (4, Interesting)

kesuki (321456) | more than 6 years ago | (#22230268)

That's why it costs 1 cent per 1 captcha: the overall cost of webhosting the porn for exchange boils down to 1 cent per solved captcha. Obviously, if you're hosting on root-kited Windows boxes in the US (the highest rate of infection is in the US) the cost is still about 1 cent per one captcha, because the cost of paying hackers to keep a botnet sizable enough comes to about the same cost.

Especially with SP3 coming out now, the cost of botnets is higher, since SP3 offers an 'easy' botnet removal path, since staying off-line long enough to get all SP2's flaws patched is crucial in preventing reinfection. Believe me, having a root-kit installed is easy even for a veteran computer guy to miss.

I have DVDs I burned almost 3 years ago that reinfect any Windows machine with a root-kit, and are unreadable in Linux. Apparently the root-kit was using some hooks in Nero Burning ROM to 'randomly' pick a burn project and put the root-kit installer on there, so when Windows tried to auto-run it would install the root-kit, then show the 'window' that normally shows up on auto-run. The root-kit took an 'extra' session that was transparent, e.g. it would only show when using burning software to read the track data for the burned CD or DVD. No additional files showed up in Windows, but the extra session made it unreadable to Linux.

Also, the root-kit only runs in a 'blank' screen saver, which it protects and makes sure loads when the system is idle, so it never sends data when the user might be there to notice. And I think it sends the data as, like, Internet Explorer, to bypass firewall rules, since none of the firewalls I tried could block it. I actually only found the original root-kit when a second root-kit moved the first root-kit's files to the recycle bin. Other than that, none of the root-kit scanners that were recommended to me could even detect this thing. Only the 'symptoms' and the fact I could 'remove them' by staying off-line and not using my old discs were proof that I had a root-kit.

Symptoms included: auto-run becoming disabled, screen saver always resetting to 15 minutes (only when both root-kits were on there), the 'desktop' showing up 2-3 times a day when in full-screen games (also only with both root-kits), and finding root-kit files in the recycle bin (only found on networked systems with the root-kit, and didn't return on reinstall of both root-kits; likely was a one-time 'bug' that was fixed later on).

So yeah, I didn't notice it for 3 years. Not that I usually have to deal with viruses, but in the past I had only ever had to deal with 3 viruses in my 15 years online, and the third one was really a root-kit. I've also been using open-source software for 11 years, so that probably helped; of course, one of the viruses was one that affected my open-source software, the other 2 were Windows based.

It's still easy to miss Windows root-kits nowadays, especially when hackers have root-kits that aren't published, and they use scripts to make the exes have unique signatures (using compiler tricks) for known root-kits.

Hey (5, Funny)

Misanthrope (49269) | more than 6 years ago | (#22229440)

They're used to seeing Cyrillic, the captcha has got to be easier to read!

Not really news (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22229446)

A few months ago Yahoo introduced a CAPTCHA to prevent bots entering their chatrooms. Within a few days every room on yahoo was filled with bots once more, and still are to this day.

Given the current situation of the chat rooms on Yahoo, it comes as no surprise at all that the other parts of the Yahoo system are inadequately protected from bots as well.

Researcher? (0)

Anonymous Coward | more than 6 years ago | (#22229454)

Why are they called a researcher?

Gentlemen, start your spambots (1)

timeOday (582209) | more than 6 years ago | (#22229466)

What other tough AI problems can we foist onto spammers? People who buy V1agra through email ads could be the single largest source of computer science research "grants."

Re:Gentlemen, start your spambots (3, Insightful)

xaxa (988988) | more than 6 years ago | (#22229522)

Natural language processing etc:

To register, answer these questions and click the button on the right
What colour are buses in London?
What is three times three?
[Red] [Green] [Blue]

Re:Gentlemen, start your spambots (5, Funny)

SoupGuru (723634) | more than 6 years ago | (#22229574)

That reminds me of the age check for Leisure Suit Larry back in the day... Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?

Bellybutton (1)

Doc Ruby (173196) | more than 6 years ago | (#22229768)

Bellybutton. Do I get a peek?

Re:Gentlemen, start your spambots (1)

KillerBob (217953) | more than 6 years ago | (#22229788)

There was a hotkey, I think "CTRL-D", which skipped the questions....

Um, don't ask how I know that. >.>

Re:Gentlemen, start your spambots (1)

The Redster! (874352) | more than 6 years ago | (#22229974)

Who knew that the desire of a horny teen to see pixellated boobs would lead to history research?
Especially over such prominent historical subjects like Annette Funicello, Hugh Hefner, and nehru jackets.

Re:Gentlemen, start your spambots (4, Insightful)

paeanblack (191171) | more than 6 years ago | (#22229630)

To register, answer these questions and click the button on the right
What colour are buses in London?
What is three times three?
[Red] [Green] [Blue]


Yes, those are undoubtedly hard questions for a computer. How, exactly, do you plan to generate billions of these questions? For a CAPTCHA to work, it must still be hard even if the generation algorithm is public knowledge.

Re:Gentlemen, start your spambots (3, Insightful)

driftingwalrus (203255) | more than 6 years ago | (#22229714)

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

Re:Gentlemen, start your spambots (2, Insightful)

LordLucless (582312) | more than 6 years ago | (#22229960)

Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in its database.

Re:Gentlemen, start your spambots (5, Insightful)

omeomi (675045) | more than 6 years ago | (#22230220)

Not really. After a couple of (thousand) runs through, the attacker would have a reasonably accurate database of the questions. They can then analyze the text to find the nearest match to one of the questions in its database.

That's true. I've found, however, that introducing custom spam blocking methods, such as this, no matter how easy to break, often does a better job at stopping spam bots than more robust publicly available methods. For a target as big as Yahoo, this probably won't work, but I've found on PHPbb for instance, instead of using any of the publicly available captchas, which are easily defeated by bots, creating a simple question of this sort does wonders for bot-blocking. Even if it's just one question. If your site isn't big enough to be specifically targeted by bot farmers, sometimes a simple solution is better than a more complex one that everybody else is using.

Re:Gentlemen, start your spambots (3, Interesting)

nazanne (926750) | more than 6 years ago | (#22230374)

That has been my experience, too. I admin a small bb and was having horrible problems with spam sign ups. CAPTCHAs didn't slow the spammers down at all. I went to a simple question that will be easily known by all of my target audience but probably won't be known by someone halfway around the world entering CAPTCHAs for a penny apiece, and allowed any spelling that is even close. I haven't had any spammers sign up for a couple of years now. That obviously won't work for a major target like Yahoo though.

Random Coloration Photos (2, Interesting)

copponex (13876) | more than 6 years ago | (#22230354)

(if anyone uses this and makes a million, at least cut me in 10% for the idea)

I gather the last frontier for computers is image recognition. I'm not sure of the state of image processing, but if you could randomly color simple pictures (one flower, one pen, one cup (NO PUN INTENDED)) into about twenty different shades, and get about a hundred different photos, and just start rotating two or three a week in. So the user sees a small photo with radio boxes below:

The cup is ()red ()blue ()green ()purple ()orange ()yellow orange
The flower petals are ()orange ()blue ()brown ()black
The pen is ()grey ()black ()yellow

You could even start throwing in random names for the colors (silver, charcoal, etc.) using it in sentences, combine with shape guesses (the longer pens are what color? the biggest cup is what color?) Either that or use tiny bits of flash with motion. (the bouncing flower is what color? the flashing red object is what?)

I say a few thousand different sites armed with the same "screen green" paint and tens of thousands of different photos could throw up somewhat of a roadblock.

What say ye?

Re:Gentlemen, start your spambots (1)

webmaster404 (1148909) | more than 6 years ago | (#22229980)

And would make the coders look like they flunked English a few times, really, it would be unprofessional to do that.

Re:Gentlemen, start your spambots (1)

Draek (916851) | more than 6 years ago | (#22230008)

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

And the best proof of that is, funnily, spam itself.

Re:Gentlemen, start your spambots (2, Funny)

General Wesc (59919) | more than 6 years ago | (#22230044)

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.

Yeah, that would solve the problem until someone developed an automated program to check spelling and grammar, which I'm sure is near-imposible. (By the way, does anyone know why there's a red line under that last word? Is my screen screwed up?)

Re: Imposible red lining. (2, Funny)

bornwaysouth (1138751) | more than 6 years ago | (#22230334)

Red lining ( a motoring term) comes from tiping too fast, typing to fist, typing two farst, um, using more than one finger per hand.

The key is to never type faster than your brain's alpha rhythm. Otherwise, you slide into a meditative zone known as 'T-pool bimbo limbo'. On the other hand, I've generally found typists to be saner than managers, so maybe the meditative zone is a defense mechanism. The frontal cortex contemplates what's for dinner tonight while some low reptilian region recognizes scrawled letters and types them.

Which leads back to the main topic.
What is the lowest animal life that could be trained to log into Yahoo?
 

Re:Gentlemen, start your spambots (2, Funny)

TubeSteak (669689) | more than 6 years ago | (#22230082)

What about introducing spelling and grammatical errors? This would be difficult for a computer to interpret, but doable for a human.
LoL! I find ur 1d3as fascntng, & wood lik 2 sbscrbe 2 YR noozl3ter.
kthxby

Re:Gentlemen, start your spambots (1)

Rocketship Underpant (804162) | more than 6 years ago | (#22230024)

Why not just hire a human being to change it every day? Is there any particular reason these quasi-Voight-Kampff tests need to be generated from algorithms? Anything generated by an algorithm can be deciphered by an algorithm, after all.

Re:Gentlemen, start your spambots (1)

alxbtk (1009019) | more than 6 years ago | (#22230152)

Why not just hire a human being to change it every day?

Because the bot owners can hire more to do the same?

Re:Gentlemen, start your spambots (1)

HiddenL (967659) | more than 6 years ago | (#22230176)

The key is making the forward algorithm easy for computers but the backwards algorithm hard. This is pretty much the basis of a lot of encryption. It's very easy to multiply 2 large prime numbers, but very hard to factor the product of two primes.

For the captcha, it's very easy to generate the image but (much) harder to go in the reverse direction.

Re:Gentlemen, start your spambots (1)

Trerro (711448) | more than 6 years ago | (#22230206)

It's not that hard actually.

1. Come up with several question types. You don't need a ton - a dozen is probably sufficient.

2. For each question, have a few variants that can be chosen. For instance, let's say we chose "simple addition problem." If it always asked "what is three plus three", yeah, that wouldn't be hard to code a bot around. What if it did this however?
-randomly chooses numbers from 0 to 20
-randomly chooses whether to display the numbers in number format (3) or word format (three)
-randomly chooses to have you add 2 or 3 numbers together

This gives 20 * 20 * 21 * 2 = 16,800 possible questions, 61 possible answers, and only 1 correct answer each time.

3. Have your account creation script choose 3 of the question types.

Assuming we have 12 question types and assuming a similar answer range, this gives 12 * 11 * 10 = 1,320 possible quiz types, with 61 * 61 ^ 61 = 226,981 possible answer combinations, only 1 of which is correct... and that assumes your bot can even figure out which question type is which!

Of course, given enough time, someone could write a bot that parses every possible question asked in every possible form. However, it takes all of 15 minutes to add new rules to the existing questions and to add a few new question types, retire a couple, etc. Combine this with a temp IP lockout after 3-5 failures, and now the spammer not only needs to constantly update his software, but he needs to control a huge botnet with a massive IP range. A spammer faced with that is simply going to move onto an easier site.

Sure, it isn't absolutely foolproof, but nothing is.
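A generator for the randomised arithmetic question described in the post above (2 or 3 operands in 0..20, each shown as digits or as a word), added here as an illustration; it is not the poster's code, and the function names are my own.

```python
import random
import re
from typing import Optional, Tuple

# Word forms for 0..19 and the tens needed up to 60 (three operands of at most 20).
_UNITS = ["zero", "one", "two", "three", "four", "five", "six", "seven",
          "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen",
          "fifteen", "sixteen", "seventeen", "eighteen", "nineteen"]
_TENS = {2: "twenty", 3: "thirty", 4: "forty", 5: "fifty", 6: "sixty"}


def number_to_words(n: int) -> str:
    """Spell out an integer in 0..69 ('forty-two'); sums here never pass 60."""
    if not 0 <= n < 70:
        raise ValueError("unsupported value: %d" % n)
    if n < 20:
        return _UNITS[n]
    tens, units = divmod(n, 10)
    return _TENS[tens] if units == 0 else "%s-%s" % (_TENS[tens], _UNITS[units])


def words_to_number(text: str) -> Optional[int]:
    """Parse a submitted answer given as digits or as a number word (0..69)."""
    token = text.strip().lower().replace(" ", "-")
    if re.fullmatch(r"\d+", token):
        return int(token)
    for n in range(70):
        if number_to_words(n) == token:
            return n
    return None


def make_challenge(seed: Optional[int] = None) -> Tuple[str, int]:
    """Build one question: 2 or 3 operands in 0..20, each shown as digits
    or as a word at random (hypothetical helper).  Returns (question, sum)."""
    rng = random.Random(seed)
    operands = [rng.randint(0, 20) for _ in range(rng.choice([2, 3]))]
    shown = [number_to_words(x) if rng.random() < 0.5 else str(x)
             for x in operands]
    return "What is " + " plus ".join(shown) + "?", sum(operands)


def check_answer(expected: int, submitted: str) -> bool:
    """Accept the correct sum in either digit or word form; reject the rest."""
    parsed = words_to_number(submitted)
    return parsed is not None and parsed == expected


def verify_roundtrip(seed: int) -> bool:
    """Self-check: a generated challenge accepts both forms of its own answer
    and rejects an off-by-one answer."""
    question, answer = make_challenge(seed)
    return (question.startswith("What is ") and question.endswith("?")
            and check_answer(answer, str(answer))
            and check_answer(answer, number_to_words(answer))
            and not check_answer(answer, str(answer + 1)))


if __name__ == "__main__":
    q, a = make_challenge()
    print(q, "->", a)
```

Rotating question types or adding new ones, as the post suggests, is a matter of adding generators beside make_challenge; the answer check stays the same.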

Re:Gentlemen, start your spambots (1)

russ1337 (938915) | more than 6 years ago | (#22229848)

Natural language processing etc:

To register, answer these questions and click the button on the right
What colour are buses in London?
What is three times three?
[Red] [Green] [Blue]

There is a good podcast on Security Now [grc.com] (see episode 101)
Here is the transcript - this bit not all that clear as it is an actual transcript from Steve's stenographer.

....But, for example, you could imagine some sort of puzzle-solving solution. There has been JavaScript created which asks simple, English-language problems, like what is one plus one, as a trivial example. The problem is, again, it wouldn't be hard to cause a computer to have, you know, there would be a limited enough vocabulary of permutations of questions that different numbers would get plugged into that you could write some code that would understand that limited subset of questions and be able to answer them. So that's not very exciting.
Basically with natural language questions, there can only be a limited number of questions that have to be answered; it is difficult to have a computer generate a large enough number of questions (that are 'general enough knowledge'). The person attacking this captcha then only has to answer them once, and have his script pick the right answer in an automated fashion. (And from TFA, the attacker only cares if he gets it right 30% of the time, so even if they spend an hour answering a bunch of these, then given enough queries the questions the attacker answered will come around again, and again, and again and be answered by the script.)

Highly recommend the episode on captchas and the couple afterward that address listener feedback.

Re:Gentlemen, start your spambots (1)

hksdot (1128515) | more than 6 years ago | (#22229930)

Good idea, but immediately it occurs to me that there is a problem regarding the source of these questions/answers.

You could have a preset list of questions/answers made by humans, but then there is an immediate limit on the number of them. Plus, if the list got leaked, you'd have to come up with an entirely different set of questions/answers.

Barring that, you'd have to generate the list. I haven't studied natural language processing, but I would posit that generating question/answer pairs would be of a similar level of difficulty as processing questions.

Re:Gentlemen, start your spambots (0)

Anonymous Coward | more than 6 years ago | (#22229950)

A computer that can solve "What is three times three?"

http://www.google.com/search?q=What+is+three+times+three%3F [google.com]

Use Google (1)

xswl0931 (562013) | more than 6 years ago | (#22230072)

Once you get the question in text form, it would be easy for a BOT to use Google to find the answer.

Re:Gentlemen, start your spambots (2, Funny)

Artefacto (1207766) | more than 6 years ago | (#22230292)

That's still not as good as this solution [xkcd.com] . I can't understand why it's not widely adopted.

captcha security (2, Interesting)

primadd (1215814) | more than 6 years ago | (#22229510)

I did my own captcha, but I'm not sure how much it's worth; figured any non-standard one is better than none (or a standard one).

Please take a look [primadd.net] - are the effects actually helping the recognition process?

--
social bookmarking widget for your site [primadd.net]

Re:captcha security (1)

LiquidCoooled (634315) | more than 6 years ago | (#22229592)

I can't read every letter on them.
I tried multiple different ones and there are some letters which make sense the 5 or 6th time, but others I was still lost with.
H or K
Y or 4
U or n
B or 3

Over the top, I think.

Re:captcha security (1)

primadd (1215814) | more than 6 years ago | (#22229658)

I tried reducing the letters (like not having 1 and L) to help humans with the recognition. At the moment it's 25 characters total to choose from. Guess the K has to go :) thanks for the feedback!

Re:captcha security (1)

Kaitnieks (823909) | more than 6 years ago | (#22229678)

Ironically, a bot might be more accurate than a human in situations with characters that can be either one thing or another, since we perceive shapes symbolically and don't pay attention to details in letters at all.

Re:captcha security (1)

mindsuck (607395) | more than 6 years ago | (#22229940)

Using a plain background makes the recognition of the characters trivial.

You need a distorted pattern or noise on the background, otherwise it's just a matter of increasing the contrast on the image and those just-slightly distorted characters become easily detected by OCR software.

Re:captcha security (2, Informative)

Kaitnieks (823909) | more than 6 years ago | (#22229608)

The letters are too far away from each other, which makes it easy to separate them for processing. In fact, the only challenging aspect for OCRs in your captcha is the letter rotation/skewing. However, I don't think anyone will bother to write a captcha OCR for your site, unless it's Yahoo sized.

Re:captcha security (1)

primadd (1215814) | more than 6 years ago | (#22229706)

Sorry, slightly OT..
No, it's not Yahoo sized! Though the servers do get quite a lot of traffic, since it's like AdSense and uses scripting to build the widget, i.e. every unique user on a site using the widget does one request to the primadd servers.

Re:captcha security (3, Informative)

Carnildo (712617) | more than 6 years ago | (#22229640)

The character outlines are nicely distinct, which means that even basic OCR software should be able to break the CAPTCHA. Since it's so easy to break, you want to hide it from any bots that come by: remove all references to "captcha" from the page source, and you might want to move the HTML for the image away from the HTML for the entry box.

Re:captcha security (1)

primadd (1215814) | more than 6 years ago | (#22229688)

I wasn't sure about the emboss effect; it does smear the edges somewhat, but gives a center highlight. Good suggestions on the var names though, still using captcha as input field names.

thx :)

Re:captcha security (1)

cheater512 (783349) | more than 6 years ago | (#22229824)

Yeah making a captcha without edges while keeping it readable is incredibly difficult.

I made one once which was absolutely beautiful.
There was no way that it would be cracked because there were no edges to detect.
Readability wasn't great but everyone I tested it on did eventually get it.

Re:captcha security (4, Informative)

yani (50270) | more than 6 years ago | (#22229834)

Although it seems counter-intuitive, character recognition (even with your filtering) is a relatively easy problem for a computer to solve. The hard problem is segmentation. While it is relatively easy for a human to segment characters when they are somehow joined together, by artifacts or occlusion, it can be very hard to do with current methods.

Hence all good modern captchas have moved away from character recognition captchas (such as yours) to segmentation based captchas. You only need to read the wikipedia article on CAPTCHAs to see some examples: http://en.wikipedia.org/wiki/Captcha [wikipedia.org] .

Re:captcha security (1)

primadd (1215814) | more than 6 years ago | (#22229954)

Thx! I have updated the captcha to incorporate this feature. Do you think it's better now?

That ain't nothing.... (0)

Anonymous Coward | more than 6 years ago | (#22229520)

Teh slashdot captcha has been broken for YEARS on trolltalk...can commander kotex won't fix it.....

go look!

That's really impressive. (5, Insightful)

heyguy (981995) | more than 6 years ago | (#22229530)

I've found Yahoo's CAPTCHA to be really annoying. I probably get it wrong about 20% of the time because the picture is so distorted (and I've been surprised that I got it right a lot of the time). I even considered writing them an email complaining about it, but then I realized they probably don't give a crap.

Re:That's really impressive. (0)

Anonymous Coward | more than 6 years ago | (#22229726)

they probably don't give a crap.

It turns away legitimate users. Of course they give a crap. You think web developers like spending time coding these things? You think companies want to make their sites more difficult to use?

Yahoo have been forced into this arrangement because if they don't do this then their services are abused. Don't think for one second that they don't care about it. It's a drain on resources and if they didn't absolutely have to, then they wouldn't.

If you can think of a better solution than CAPTCHAs, then please, let everybody know. The only people who don't hate them are spammers.

Dude, how often do you create email accounts? (0)

Anonymous Coward | more than 6 years ago | (#22229740)

Nobody should need more than a couple.

I've had mine for years.

You must be signing up for lots of fake porn accounts.

Re:Dude, how often do you create email accounts? (1)

heyguy (981995) | more than 6 years ago | (#22229776)

The CAPTCHA comes up any time you try to join a game room, as they have a problem with bots spamming chat.

Let's all say it together. (2, Insightful)

twotailakitsune (1229480) | more than 6 years ago | (#22229548)

We hate CAPTCHA. Most things they do to make it difficult for computers to decode make it a lot more difficult for humans to decode. Most of them are not usable by text browsers (duh), and the blind. Some have audio that is hard for people to hear, and still easy for computers to decode. Last, CAPTCHAs are so overused that people just do them without thinking. For all you know that Porn/ware site is using you to do CAPTCHAs for them. Not that it is needed. This is just one more nail in the CAPTCHA coffin.

Only Yahoo? (4, Informative)

Sigma 7 (266129) | more than 6 years ago | (#22229550)

33% of Yahoo CAPTCHAs isn't really impressive: you still get a large quantity of negative hits, and unless you have an array of IP addresses (most people don't), there will still be a large quantity of addresses registered from a given IP. Also, a large quantity of negatives would cast doubt on any positive matches from the same IP.

Also, Yahoo captchas aren't that "hard" - they are black text from known font pools on a white background that get slightly warped and have black lines drawn on some characters. This is hardly strong since it doesn't hit all letters within the word (which is done by reCAPTCHA) or use a large font-pool variety.

Even the Slashdot Captcha is harder - it hits the whole image and uses different fonts within the word.

Re:Only Yahoo? (1)

teh moges (875080) | more than 6 years ago | (#22229636)

33% of 100,000 attempts per day is 33,000 posts per day. The idea of Captchas is to reduce this to nearly 0 successful hits per day.

Re:Only Yahoo? (1)

Sigma 7 (266129) | more than 6 years ago | (#22229820)

33% of 100,000 attempts per day is 33,000 posts per day.
That also has 67,000 failed captchas per day - something you generally notice. If your captcha system detects rapid-fire captcha attempts (requests, failed, etc), you can auto-block the IP address that is making that many requests.

You'd probably want to do that anyway, since 1.15 requests per second for captchas is on par with flooding.
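A per-IP detector for the rapid-fire failure pattern described above (and for the temporary lockout after a few failures suggested earlier in the thread), added here as an illustration; it is not Yahoo's or either poster's code. The log format, field names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# Constructed sample log, format "<epoch_seconds> <client_ip> <captcha_ok|captcha_fail>".
# One client hammers the endpoint; one ordinary user fails once and then succeeds.
SAMPLE_LOG = """\
1200000000 10.0.0.5 captcha_fail
1200000000 10.0.0.5 captcha_fail
1200000001 10.0.0.5 captcha_fail
1200000001 10.0.0.5 captcha_ok
1200000002 10.0.0.5 captcha_fail
1200000002 10.0.0.5 captcha_fail
1200000003 10.0.0.5 captcha_fail
1200000003 10.0.0.5 captcha_ok
1200000010 192.0.2.7 captcha_fail
1200000025 192.0.2.7 captcha_ok
garbage line that should be skipped
"""

Event = Tuple[int, str, bool]  # (timestamp, ip, solved)


def parse_log(text: str) -> List[Event]:
    """Turn log lines into (timestamp, ip, solved) tuples, skipping malformed ones."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("captcha_ok", "captcha_fail"):
            continue
        events.append((int(parts[0]), parts[1], parts[2] == "captcha_ok"))
    return events


def flag_abusers(events: Iterable[Event], window_s: int = 60,
                 max_failures: int = 3, max_rate: float = 1.0,
                 min_requests: int = 5) -> Dict[str, str]:
    """Return {ip: reason} for clients tripping either rule inside a sliding window.

    Rule A (lockout): more than max_failures failed solves within window_s.
    Rule B (flood):   at least min_requests requests at more than max_rate per
                      second, whether or not they were solved.
    The first reason that fires for an address is kept (thresholds are assumed)."""
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for ts, ip, solved in sorted(events):
        win = windows[ip]
        win.append((ts, solved))
        while ts - win[0][0] > window_s:   # drop entries older than the window
            win.popleft()
        failures = sum(1 for _, ok in win if not ok)
        span = max(1, ts - win[0][0])      # avoid division by zero within one second
        rate = len(win) / span
        if failures > max_failures:
            flagged.setdefault(ip, "%d failed CAPTCHAs in %ds" % (failures, window_s))
        elif len(win) >= min_requests and rate > max_rate:
            flagged.setdefault(ip, "%.2f CAPTCHA requests/s" % rate)
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_abusers(parse_log(SAMPLE_LOG)).items():
        print("block", ip, "-", reason)
```

As the replies that follow point out, a botnet spreads attempts across many addresses, so a per-IP window like this catches a single abusive client but not a distributed run.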

Re:Only Yahoo? (1)

KillerBob (217953) | more than 6 years ago | (#22229984)

Botnet. Every connected system has a unique IP address. (or enough of the connected systems do, at least). Enough IP variation to skirt around the detection.

Re:Only Yahoo? (1)

brian.gunderson (1012885) | more than 6 years ago | (#22230010)

Problem is when botnets come into play. Now we're back to square one.

Re:Only Yahoo? (0)

Anonymous Coward | more than 6 years ago | (#22230332)

What about 1 request per machine per day in a botnet of 100k machines?

Even if it is a fairly small 10k machines in the network, that's still only 10 requests per day, well below any throttling limits.

Re:Only Yahoo? (0)

Anonymous Coward | more than 6 years ago | (#22229972)

You completely miss the point, that even the poster tried to make. Captcha is not meant for most people, it's for stopping the spammers. As such, 33% is a lot.

Lease time on a botnet... (2, Insightful)

POttedPOrk (3942) | more than 6 years ago | (#22230028)

Botnets have a whole bunch of IP addresses. Simply deploy your Yahoo CAPTCHA cracker code on a botnet that some other fine internet entrepreneur has assembled, and it doesn't matter how many negatives you generate because they will be from a variety of hosts. Certainly with 33% success rate, you're doing pretty well, especially considering your typical spray-and-pray spam blitz.

Malware (1)

Zantetsuken (935350) | more than 6 years ago | (#22229556)

Ya, if it's not malware, I'll buy a bridge from somebody, and then go bungee jumping without a chord...

Re:Malware (4, Funny)

wellingtonsteve (892855) | more than 6 years ago | (#22229602)

without a chord is fine... ...it's when you're missing a cord that you need to worry

Re:Malware (2, Funny)

bcdm (1031268) | more than 6 years ago | (#22229786)

Hey now, be fair...what's the point of bungee jumping if you can't have "Thunderstruck" or similar playing on the way down?

Jumping without a chord would be no fun at all.

Re:Malware (1)

The Redster! (874352) | more than 6 years ago | (#22230036)

If you can't have "Thunderstruck," you might as well jump. Go ahead, jump.

Increase In Chat Spam (1)

blueZhift (652272) | more than 6 years ago | (#22229584)

This might account for the recent increase in spam chat messages I've been seeing there. My guess is that the spam filtering is not as effective on chat as email. Indeed, chat may not pass through any kind of filtering at all afaik. That will probably change soon, but in the meantime I suppose the people who cracked the captcha will make a tidy profit.

Re:Increase In Chat Spam (0)

Anonymous Coward | more than 6 years ago | (#22229906)

... in the meantime I suppose the people who cracked the captcha will make a tidy profit.
sheeesh, they released the source code. Did you check the rapidshare link?

Google Hacks (-1, Troll)

RobBebop (947356) | more than 6 years ago | (#22229614)

If CAPTCHAs are easily hackable, why are they the best identification system out there? What is Google doing right that makes it so you never hear about Gmail accounts being hacked into? Hell, Microsoft invents their own stupid system [microsoft.com] and Hotmail is still probably the most hacked e-mail account on the net.

Honestly, what gives... and more importantly... how come Google does it better?

Re:Google Hacks (2, Interesting)

Anonymous Coward | more than 6 years ago | (#22229744)

Are you bashing MS just to bash them? Honestly, their so-called 'stupid system' is the best thing I've seen out there. Please enlighten me, wise one, and link me to a better alternative.

p.s. How do you know that Gmail accounts haven't been hacked into? Do you have data validating this?

It's not a challenge to bash MS, that comes way too easy, but to add some useful content to /., might be a challenge for yourself, wise one.

Re:Google Hacks (1)

mustpax (983305) | more than 6 years ago | (#22229982)

Microsoft's CAPTCHA is very effective against bots, but it doesn't solve the accessibility issue. You can read letters out loud, I don't think you can do that with cats.
Maybe they also have an archive of meows and barks?

Re:Google Hacks (1)

slaingod (1076625) | more than 6 years ago | (#22229858)

I don't know about it anymore, but traditionally GMail only allowed people to invite a few of their friends occasionally, thereby limiting the effectiveness of getting one hacked account. For those without an invite, a cell phone number was required to receive your invite code, again limiting this.

I haven't looked at Gmail's sign-up lately, but those were obviously pretty good techniques to limit the ability of spammers to get new accounts.

"Pokémon crew" appear to be behind this hack. (0)

Anonymous Coward | more than 6 years ago | (#22229690)

... I mean just look at their tagline: ''Gotta captcha 'em all'' [pokemon.com] !!

INDEED (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22229712)

I poo on your quarries

35%??? (3, Informative)

wbren (682133) | more than 6 years ago | (#22229730)

I'm impressed. That's better than I can do. Some CAPTCHAs take me five or six tries to get right.

Re:35%??? (0)

Anonymous Coward | more than 6 years ago | (#22229792)

are you sure that you aren't not maybe probably not a bot, bot?

Re:35%??? (1)

Typoboy (61087) | more than 6 years ago | (#22230096)

I would have sent you to http:\\botornotcom -- RIP

Re:35%??? (3, Insightful)

GiMP (10923) | more than 6 years ago | (#22229952)

I agree, that is better than I normally do as well. Maybe someone could make this a firefox plugin so that mere mortals can actually access webpages that use CAPTCHAs.

It is sad because with corrective lenses, my vision is 20/20, and I'm highly technical. I should not have any problems with CAPTCHAs; however, my grandmother is another story. She has poor vision, can't figure out how to do a carriage return on her computer, has difficulty understanding the concept of scrollbars, and I'm sure would not be able to deal with even the easiest CAPTCHAs in use today. This is not usability. Granted, given the choice between SPAM or CAPTCHAs, I'll choose the lesser of the two evils...

Re:35%??? Captcha success is lower (1)

WillAffleckUW (858324) | more than 6 years ago | (#22230144)

I have to agree with you here.

When I try to post at the Seattle Times [nwsource.com] their Captcha is nigh unreadable. It's dark and frequently I only succeed with maybe one try out of five.

Which really frosts my cookies and has made it so I try not to buy their print edition, choosing instead the more user-friendly system at the much more urban-focussed Seattle Post-Intelligencer [nwsource.com] instead.

It's a royal pain.

Akismet (1)

TheSpoom (715771) | more than 6 years ago | (#22229812)

This is why you need a queryable, updateable public spam database like Akismet [akismet.com] where, with a little effort in telling it the odd time it gets it wrong, you can eliminate 99% of spam. This might not help for a registration script, but you could use it on the content ultimately used by the registered user to determine whether the signup was likely a bot or a human.

Warning on playing with the demo (5, Insightful)

xynopsis (224788) | more than 6 years ago | (#22229814)

Did anyone notice that the image recognition code is imported from a binary DLL? I was under the impression that the Russian hackers would provide the source for the recognition code as well. But then, the people who released this are only interested in generating as much spam as possible. Why should you trust them? You would be foolish to _not_ execute your test program that imports this dll in a vmware instance instead of on your actual machine. Anybody done a comprehensive strace to determine sockets/descriptors opened by using this dll?

Dynamic forms? (1)

British (51765) | more than 6 years ago | (#22229890)

What about the form that is around the captcha, generally a new account application, etc? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fails?

Have the captcha be at the beginning, sometimes middle, sometimes at the end of the form. Mix it up a bit. Have no two application forms look the same.

Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make the questions a bit more complex as AI gets better.

I wonder if there could be some sort of AI research project that works in conjunction with a captcha system.

Re:Dynamic forms? (2, Interesting)

Loplin (1037544) | more than 6 years ago | (#22230084)

>What about the form that is around the captcha, generally a new account application, etc? What if those were to be made dynamic so the automated software trying to look for a hard-coded form fails?

Even if this were dynamic, there are only so many possible methods of displaying a form while still letting it be decipherable by a human. Given this limited set of possibilities, the programmer of a spam bot needs only to take into account any possible page mutations. More likely though, the spammer doesn't even look at a certain spot on the page; they probably do a little javascript to search the DOM for all text boxes and all images and ignore any images it already has copies of; the remaining image is likely the captcha. Then they would just search for context clues around the text boxes to see which box is most likely to be the one that accepts the captcha answer.

>Or better yet, have questions that modern computer AI has yet to break. Show a picture of a circle and ask "is this round?" or "is this not round?". Generally make the questions a bit more complex as AI gets better.

This also suffers from the problem of a limited number of possibilities. If someone can spend time putting questions in, someone can spend time filling in answers, and they only have to fill in answers once; after that, the bot can remember them for the next time it sees the same question.

If some sort of AI was used that could ask common sense questions, like cyc, the problem would be that the spammers have access to the very same AI.

The leading thought is that AI is not going to create better CAPTCHAs, but that bots that break CAPTCHAs are going to create better AI.

>I wonder if there could be some sort of AI research project that works in conjunction with a captcha system.
Not exactly AI, but the reCAPTCHA project does use CAPTCHAs to decipher text that OCR programs can't when scanning books.

Re:Dynamic forms? (1)

enoz (1181117) | more than 6 years ago | (#22230160)

This arms race is only going to get tougher.

The OCR technology that helps prevent spam (that uses embedded images rather than text) is now being used FOR spam in the breaking of CAPTCHAs. My guess is if these anti-spam tests are made even more complex, spammers are eventually going to build Skynet.

Why not use humans? (1, Interesting)

Besna (1175279) | more than 6 years ago | (#22229976)

Aren't there humans doing CAPTCHA? What is the cost there? I think slashdotters focus more on technology, but putting up a cheap and workable system to get humans anywhere to do this is also important.

Re:Why not use humans? (1)

mastergoon (648848) | more than 6 years ago | (#22230046)

what in the fuck are you talking about?

Re:Why not use humans? (1)

cybereal (621599) | more than 6 years ago | (#22230366)

> Aren't there humans doing CAPTCHA? What is the cost there? I think slashdotters focus more on technology, but putting up a cheap and workable system to get humans anywhere to do this is also important.
That is what the summary refers to when stating a cost of USD$0.01 per captcha. Using humans, wrangled in one way or another, to solve the captcha.

The point here is that a hacker would rather get 15000 for free than 100000 for $1000 in a day. The fact that this method is apparently getting 33000 or something is rather excellent to these people.

Cost (1)

debrain (29228) | more than 6 years ago | (#22229986)

Soon, the cost of identity on the internet will be money. The technology circumventing human-being verification is growing faster, and with greater economic motivation, than the technology preventing non-humans from registration. Soon there will be no way to distinguish between a human and a computer on independent web-sites.

Cometh the centralized, homogenized, certified verifying-as-human web-sites (vis-à-vis facebook?).

+Co3k (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22230076)

be7ond the scope of another charnel DOG THAT IT IS. IT Man walking. It's architecture. My Numbers continue Lite is straining around return it take a llok at the to you by Penisbird

Maybe Yahoo shouldn't be firing 1000 people (1)

WillAffleckUW (858324) | more than 6 years ago | (#22230106)

My guess is that the lack of security will do more harm than good.

The Net is an unforgiving beast.

Gee, Ya THINK (3, Insightful)

buss_error (142273) | more than 6 years ago | (#22230148)

Yahoo!'s captcha has been hacked, perhaps not as well, in the past. I've seen open http proxies pounding away at Yahoo to the tune of 100,000 per hour and more. Hotmail's is broken, so are others. The real shame is that the Storm Worm controllers are being protected by a national government and law enforcement system.

So what's the answer?

I'm sure I don't know. I do know that the wild west theory of accepting any kind of behaviour isn't acceptable. I know that some minimum standard of what's allowed and what isn't is going to have to take place. Where these limits are placed is a thing for a global conversation, and there will be differences of opinion.

Is cracking a captcha acceptable? Are phishing and identity theft acceptable? Are fraud and uncontrolled spam acceptable? What limits, and on what actions?

I'm just not that smart. But I think we can agree on a few things. Let's start to find out what those things are... and act in concert with other network operators to enforce those standards. Fail to meet them, and your network routing gets dropped...

Other interesting work on CAPTCHAs (3, Interesting)

ChoppedBroccoli (988942) | more than 6 years ago | (#22230216)

Segmentation and intersecting arcs can be difficult for automated attacks: http://portal.acm.org/citation.cfm?id=1054972.1055070 [acm.org]

You know those annoying flash advertisement games (shoot the monkey for a free iPod)? Well, they could potentially be adapted for CAPTCHAs as well: http://cups.cs.cmu.edu/soups/2006/posters/misra-poster_abstract.pdf [cmu.edu]

Let's use Traveling Salesman! (1)

sam_paris (919837) | more than 6 years ago | (#22230322)

I know!

Let's use instances of the travelling salesman problem as CAPTCHAs. In a year the Russians will have them cracked and we'll finally know that P = NP!

Yahoo fails even with captcha (2, Informative)

MeditationSensation (1121241) | more than 6 years ago | (#22230344)

If you've ever tried the Yahoo chatrooms, you know they're overrun by spam bots. The problem wasn't with the captcha, it was that it challenged users only once and at the beginning of the session. So as long as your spam bot didn't appear idle or lose connection, it could stay on indefinitely. Now with the captcha broken, spammers don't even have to do captchas manually.

it's all bullshit (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22230394)

those fucking muslims have done it again. down with those bitches!