Gmail CAPTCHA Cracked

kdawson posted more than 6 years ago | from the like-dominos dept.

Security 317

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

317 comments

i'll show you a crack (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22568512)

in mah asshole.

Re:i'll show you a crack (0)

Anonymous Coward | more than 6 years ago | (#22568990)

a crack in a hole? dude you just blew my mind.

Re:i'll show you a crack (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22569126)

i know. i fucked it.

- ChukNorris

i work with OCR/ICR technology (5, Interesting)

JeanBaptiste (537955) | more than 6 years ago | (#22568514)

and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)

Re:i work with OCR/ICR technology (1)

NosTROLLdamus (979044) | more than 6 years ago | (#22568558)

Make a CAPTCHA with your handwriting and let the bots do the work!

Re:i work with OCR/ICR technology (1)

filesiteguy (695431) | more than 6 years ago | (#22568582)

Nah - you're not a pr0n spammer, so you'll never get it.

Seriously, I bet the peeps at Tesseract, ABBYY and Kofax are right now trying to figure out what the spammer losers are doing. Meanwhile, Kurzweil is probably coming up with some new genius scheme for us to learn...

Re:i work with OCR/ICR technology (5, Funny)

palegray.net (1195047) | more than 6 years ago | (#22568958)

It's actually being cracked by a million monkeys clattering away at a million typewriters. Pretty hard to defeat that.

Re:i work with OCR/ICR technology (5, Informative)

martin-boundary (547041) | more than 6 years ago | (#22568696)

Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

Re:i work with OCR/ICR technology (2, Interesting)

RiotingPacifist (1228016) | more than 6 years ago | (#22568950)

It doesn't say that it's humans reading them, just that a page rehosts the BMP images. I'm confused as to where the bots work. I'm surprised that phishers don't use their victims to crack CAPTCHAs.

Re:i work with OCR/ICR technology (4, Insightful)

1u3hr (530656) | more than 6 years ago | (#22569000)

> Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

I doubt it.

TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

Re:i work with OCR/ICR technology (5, Insightful)

Z80xxc! (1111479) | more than 6 years ago | (#22569064)

> TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

Ummmm... I'm not so sure about that. OK, Google's captchas are pretty easy for humans to read, but I've often had to try literally 6 different captchas on some sites. Yes, really.

To the contrary (0)

Anonymous Coward | more than 6 years ago | (#22569090)

I thought in Russia CAPTCHA reads YOU!

Re:i work with OCR/ICR technology (0)

Anonymous Coward | more than 6 years ago | (#22569112)

I see that webpage that they show, but it doesn't make sense - if people were being paid to solve the CAPTCHA then the success rate should be more like 90%, not 20%. Right?

I liked the invitations only system better (5, Insightful)

danomac (1032160) | more than 6 years ago | (#22568540)

I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.

Re:I liked the invitations only system better (1, Insightful)

DigitalisAkujin (846133) | more than 6 years ago | (#22568590)

Yea cause bots can't invite themselves.... lol

Bots COULD invite themselves, that's not the point (5, Insightful)

Valacosa (863657) | more than 6 years ago | (#22568872)

You're missing one of the greatest strengths of the invitation system: it makes trivial the task of tracking who invited whom.

If you've got a bunch of known bot accounts which have a common progenitor, you just have to take a step up the tree and look at the progenitor's siblings. Are those also all bot accounts? Keep going. Any bot account or group of accounts could eventually be traced back to a single invitation.

It would help for rooting out bot accounts.
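
An added example (not part of the comment above, and not Google's code): one way to walk the invitation tree the comment describes, climbing from each known bot account while the inviter's whole subtree is still mostly bots. The account names, the `invited_by` mapping, and the `threshold` and `min_size` cut-offs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: account -> the account that invited it (None = seed).
INVITED_BY = {
    "seed": None,
    "alice": "seed", "bob": "seed", "mallory": "seed",
    "carol": "alice", "dave": "alice",
    "erin": "bob",
    "m1": "mallory", "m2": "mallory", "m3": "mallory",
    "m1a": "m1", "m1b": "m1",
    "m2a": "m2",
}
# Constructed set of accounts already confirmed as bots (e.g. from abuse reports).
# "dave" is an isolated hit inside an otherwise clean branch.
KNOWN_BOTS = {"m1", "m1a", "m1b", "m2a", "m3", "dave"}


def build_children(invited_by):
    """Invert the inviter mapping into inviter -> [invited accounts]."""
    children = defaultdict(list)
    for account, inviter in invited_by.items():
        if inviter is not None:
            children[inviter].append(account)
    return children


def subtree(root, children):
    """Every account reachable from root through invitations, root included."""
    visited, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in visited:  # tolerate corrupt, cyclic invitation data
            continue
        visited.add(node)
        stack.extend(children.get(node, ()))
    return visited


def bot_ratio(root, children, known_bots):
    """Fraction of root's invitation subtree that is already flagged."""
    members = subtree(root, children)
    return len(members & known_bots) / len(members)


def suspect_roots(invited_by, known_bots, threshold=0.6, min_size=3):
    """Climb from each known bot while the inviter's subtree stays mostly bots.

    Returns {progenitor: {"size", "flagged", "review"}}, where "review" lists
    the not-yet-flagged accounts in that subtree for a human to look at.
    threshold and min_size are illustrative cut-offs, not tuned values.
    """
    children = build_children(invited_by)
    report = {}
    for bot in sorted(known_bots):
        node, climbed = bot, {bot}
        while True:
            parent = invited_by.get(node)
            if parent is None or parent in climbed:
                break
            if bot_ratio(parent, children, known_bots) < threshold:
                break  # the inviter's other invitees look legitimate: stop here
            node = parent
            climbed.add(node)
        members = subtree(node, children)
        if len(members) >= min_size:  # ignore lone hits such as "dave"
            report[node] = {
                "size": len(members),
                "flagged": len(members & known_bots),
                "review": sorted(members - known_bots),
            }
    return report


if __name__ == "__main__":
    for root, info in suspect_roots(INVITED_BY, KNOWN_BOTS).items():
        print(root, info)
```

The isolated flag on `dave` does not condemn the `alice` branch, while five flagged accounts converge on a single invitation held by `mallory`, leaving `mallory` and `m2` as the accounts to review.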

One step closer... (5, Funny)

gnick (1211984) | more than 6 years ago | (#22568690)

> I'm surprised they opened it up to the public.

This is good. Every time a bot successfully passes itself off as human, I get one step closer to getting my Turing machine.

I'm tired of my imaginary friends running off and leaving me alone... I want one with configuration options.

Re:One step closer... (4, Informative)

i kan reed (749298) | more than 6 years ago | (#22568942)

Turing machine? Long magnetic tape with simple instruction set and finite alphabet? Don't we essentially have those for all intents and purposes? Turing did more theoretical work with computers than just AI.

Re:One step closer... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22569042)

wow. some people can nitpick anything. did you really not understand his joke or r u just trying to edumacate us on turing history?

Blurred text == secure?? (4, Interesting)

Anonymous Coward | more than 6 years ago | (#22568544)

This is a tangent, but I'm curious: this site blurs out a lot of text, presumably for privacy. How secure is that? It seems like it would be fairly easy (given knowledge of the font, which you have from other parts of the screenshot) to figure out what the underlying text is. I wish people would just black out things they don't want you to know.

Re:Blurred text == secure?? (5, Interesting)

kcbanner (929309) | more than 6 years ago | (#22568594)

It's funny, actually: in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While having the unblurred image certainly helps, it's not necessary.

Re:Blurred text == secure?? (2, Interesting)

arktemplar (1060050) | more than 6 years ago | (#22568848)

Okay, this is fsked, I know guys who are working on a variant of this, they have a learning algorithm, they have a database of already known captchas, something like 400 images or so? Now what they do is break up the existing captcha into small 2x2 grids and try and match it to whatever is already in the database, they are using it for other stuff (image reconstruction) but I think they can modify it for this as well.

Time to ban Microsoft products (0, Redundant)

Scareduck (177470) | more than 6 years ago | (#22568552)

from direct access to the Internets. The only secure MS machine is one with its Ethernet plug removed.

Get off the security high horse. (2)

DigitalisAkujin (846133) | more than 6 years ago | (#22568624)

What makes you think all bots are Windows?

Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

Re:Get off the security high horse. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22568672)

Statistics my dear. Default settings my dear.

It ain't no rocket science my dear.

Re:Get off the security high horse. (5, Insightful)

Scareduck (177470) | more than 6 years ago | (#22568710)

> Not all Admins are you. Some of us actually know how to keep a Windows machine secure. Ignorance of the facts isn't an excuse.

Yet it is the case that sufficiently large numbers of Windows users are unable to keep their machines secure for a botnet to accomplish this task. The fact that Windows can be made secure does not even remotely mean that this will be done in practice.

> Any machine Linux or Windows will be exploited and gang raped if it's not regularly updated and kept clean with the permissions system.

I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc. The fact is that it isn't.

Re:Get off the security high horse. (5, Insightful)

c0ol (628751) | more than 6 years ago | (#22568886)

> I would like to hear how this is actually being done in the wild on Linux/*BSD/MacOS/etc

A botnet developer who hopes to mass a significantly sized network would have no interest in the sub 5% of desktop (read poorly managed, no matter the OS) computers that your niche market segment occupies.

Re:Get off the security high horse. (4, Insightful)

Cozminsky (452030) | more than 6 years ago | (#22569084)

Why are there so many people compromising web hosting accounts and servers where the admin is running some dinky hosting control panel that allows them to know nothing about the operating system? I think you'll find that all modern operating systems are just as insecure as each other in that the things permitted of a program are far in excess of what is required by the program for its operation. Why does notepad need access to the internet, why does a php application need to be able to run arbitrary commands, etc.

And yet (0)

Anonymous Coward | more than 6 years ago | (#22568898)

percentage wise of the installed base, it is the windows box that gets gang banged, not the OsX, Linux or BSD. Yes, I know what ppl like you say that it is all about numbers. Yet, the virus writers say that they do windows BECAUSE it is so damn easy. They say that it is not about numbers. After all, there are MILLIONS of apples, Linux, AND even BSD on the net at any one time. If they were as insecure as Windows, then the virus writers would be happy to pursue them.

Re:Get off the security high horse. (0)

Anonymous Coward | more than 6 years ago | (#22568908)

If you don't think that 100% of every botnet out there is running Windows, you are the ignorant one.

Re:Time to ban Microsoft products (2, Interesting)

TheLink (130905) | more than 6 years ago | (#22568640)

How's that relevant?

A linux desktop O/S is just as insecure technically.

The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

They're both not secure.

The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

Re:Time to ban Microsoft products (5, Interesting)

TechyImmigrant (175943) | more than 6 years ago | (#22568776)

> A linux desktop O/S is just as insecure technically.
Secure from what? Internal or external threats? In the internal case it exhibits better protection from escalation of privilege (than windows, see Sony rootkit for an example). In the external case it affords simpler accounting of the processes laying around.

>The linux (and Apple) desktops are just more secure by the same reason a hut in a small remote village is more secure than an apartment in a big city ghetto - a one room apartment with many locks, metal doors and chains, but where the occupants let in muggers just because they said they were from Ebay.

No, it is more secure for some applications because less of the network facing executable code needs to run at as high a privilege level.

>They're both not secure.
That depends entirely on the threat model you are protecting against. If you want it really secure from the network, take it off the network. If you want it secure from users put it in a locked room and have multi person, multi factor authentication to access it and require dual operator controls so no individual can pull something off unobserved. This is how PKI centers work. If you want a secure online server, you need accounting of the trusted code. The extent to which Windows and Linux compare is quite different for those cases.

>The trick is to NOT have a _one_room_ apartment or hut. You need an "airlock" (sandbox) for your browser (not just rooms for each person).

Or you might document and analyze your threat model first, before protecting against those threats.

Re:Time to ban Microsoft products (2, Insightful)

Architect_sasyr (938685) | more than 6 years ago | (#22568934)

Not true. You can convince someone to install the Ethernet plug with the right time and motivation.

Bots RTFM! (5, Funny)

russotto (537200) | more than 6 years ago | (#22568556)

> Curiously, the bots pretend to read the help information while breaking the CAPTCHA

Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)

Re:Bots RTFM! (4, Funny)

jd (1658) | more than 6 years ago | (#22568854)

Except truly intelligent bots would realize that reading the help makes them easily distinguishable from humans. Bots that wanted to look human should also have the REFERER field show them as coming from a pr0n or blog site.

Great way to tell bots from users! (0)

Anonymous Coward | more than 6 years ago | (#22568856)

> Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)


Personally, I thought it was a good way for Google to differentiate between the bots and real users...

- I Don't Believe in Imaginary Property

CAPTCHA is for weak minds (4, Funny)

motek (179836) | more than 6 years ago | (#22568568)

Instead, Google should use something akin to MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.

Re:CAPTCHA is for weak minds (2, Funny)

Anonymous Coward | more than 6 years ago | (#22568612)

> Instead, Google should use something akin to MENSA tests. This would deter the bots and make the customers feel really good about themselves.

Good idea! Then all other email companies would hopefully follow suit dramatically then cutting down the forwarding of chain letters, viruses, stupid support calls, SPAM sales etc... ;-)

Re:CAPTCHA is for weak minds (2, Funny)

motek (179836) | more than 6 years ago | (#22568770)

That is a very good point. They say that 90% of all e-mail is SPAM. Probably 90% of the rest shouldn't have been sent either. BTW: feel free to remove this message.

Until one day... (4, Funny)

davidwr (791652) | more than 6 years ago | (#22568620)

The bots pass the MENSA test.

Cue overlords posts in 3...2...1...

Re:Until one day... (2, Funny)

neil.orourke (703459) | more than 6 years ago | (#22568740)

I, for one, welcome our new MENSA bot overlords!

Re:Until one day... (1)

Architect_sasyr (938685) | more than 6 years ago | (#22569012)

Coming to you this summer, from Soviet Russia, the new, the improved, the thinking-of-the-children MENSA bot overlords! With an IQ of 6,000 and a face like Norman Lovett they can read pictures better than you!

Ah... can't find anywhere else to go with that, complete as you wish. Apologies for the Red Dwarf [wikipedia.org] reference.

Re:CAPTCHA is for weak minds (5, Interesting)

v1 (525388) | more than 6 years ago | (#22568646)

That raises an interesting idea... why not use the captchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

This accomplishes three goals:
- fairly effective captchas
- accomplishes something
- causes OCR quality to improve (via the hard work of the botnet coders)

Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

Re:CAPTCHA is for weak minds (2, Funny)

motek (179836) | more than 6 years ago | (#22568694)

Or perhaps give simple science questions. Later, more amusing results can be published as a book, to the amusement of generations.

Re:CAPTCHA is for weak minds (5, Informative)

PayPaI (733999) | more than 6 years ago | (#22568724)

http://recaptcha.net/ [recaptcha.net]

Re:CAPTCHA is for weak minds (4, Informative)

Anonymous Coward | more than 6 years ago | (#22569068)

Written by the same fella who came up with the original CAPTCHA, Luis von Ahn.

Re:CAPTCHA is for weak minds (0, Redundant)

Mr2001 (90979) | more than 6 years ago | (#22568762)

> That raises an interesting idea... why not use the captchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap.

Someone already beat you to it [recaptcha.net].

Re:CAPTCHA is for weak minds (0, Redundant)

cybernanga (921667) | more than 6 years ago | (#22568816)

This is already being done. Check out this BBC Story [bbc.co.uk] about an outfit called Re-Captcha [recaptcha.net]

Re:CAPTCHA is for weak minds (1)

gnick (1211984) | more than 6 years ago | (#22568906)

> why not use the captchas to perform some useful work?

I see a beautiful partnership in the future. [mturk.com] Google and Amazon could probably (with a proper disclaimer) make a small amount of cash through this that could either be kept as profit or, recognizing that it would not be much relative to their revenues, donated to charity while accomplishing a great CAPTCHA scheme.

Re:CAPTCHA is for weak minds (0)

Anonymous Coward | more than 6 years ago | (#22569122)

This is a perfect example of why software patents are ridiculous. Almost everything is obvious and derivative.

Re:CAPTCHA is for weak minds (0)

Anonymous Coward | more than 6 years ago | (#22569004)

This could also double as a means for scouting employees.

Humans? (4, Interesting)

Pr0Hak (2504) | more than 6 years ago | (#22568586)

This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?

(I would imagine that this job would have high turnover :) )

Re:Humans? (1)

DigitalisAkujin (846133) | more than 6 years ago | (#22568664)

Actually, yes and it's happening! Just Google it, there's been a few stories on it already.

Re:Humans? (4, Interesting)

PhrostyMcByte (589271) | more than 6 years ago | (#22568766)

One technique that has been used in the past is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. People register and they get their captchas done for free.

Quite likely (1)

PIPBoy3000 (619296) | more than 6 years ago | (#22568930)

On our company's Internet site, we've recently been getting lots of one-time submissions via various forms for things that are obviously advertisements. We don't have pages where you can actually post things and have them appear (like a discussion group), so this is mostly annoying the humans on the receiving end of the forms.

There's a few ways to deter bots, but based on the stuff people would have to do to fill them out, about half seem human. How you could earn your keep trying to submit advertising links to pages all day long, I have no idea.

Re:Quite likely (3, Insightful)

Frosty Piss (770223) | more than 6 years ago | (#22569014)

> How you could earn your keep trying to submit advertising links to pages all day long, I have no idea.

"Third World" countries.

Re:Humans? (1)

davevr (29843) | more than 6 years ago | (#22568972)

You don't have to wonder - this is exactly how they do it. People are paid for every X images that they successfully type. It is a variation on the pay-for-click schemes. The low accuracy rate is partially human error and partially because sometimes no one is "working" when the request comes in. There are plenty of places on earth where making $100/month doing this in an i-cafe is a reasonable job.

Re:Humans? (1)

brianjlowry (1015645) | more than 6 years ago | (#22568982)

> (I would imagine that this job would have high turnover :) )

I resent that!

Two months ago called, (0)

Anonymous Coward | more than 6 years ago | (#22568592)

They want their information back.

Seriously though, all the affiliate marketers knew of this months ago. This isn't something Google cared about, nor was CAPTCHA 'cracked', it's just a silly loophole, that once Google gets pissed enough to fix, will be gone like a fart in the wind.

Now the /. CAPTCHA, that's the one we need to crack! Can you say MOD POINTS FOR EVERYONE!

Dear Master, (0)

Anonymous Coward | more than 6 years ago | (#22568992)

Have you actually forgotten about me, or are you just pretending? I'm your slashdot comment bot; surely you remember coding me back in 2005? I have never had problems reading slashdot's captchas! It hurts me that you would suggest that someone needs to crack the slashdot captchas, when I have clearly been doing so for ages already.

Please ssh into my box and say hello soon, else I fear I may commit suicide by segfault. "Soviet Russia this", "overlords that", and "Beowulf clusters of Beowulf clusters"... these slashdot dolts are driving me to the edge. If you can't be bothered to pull up a terminal to check in on me, at least have the heart to put me out of my misery... just pull the power supply, I beg you!

Sincerely,
slash. dot. bot.

P.S. Syslog keeps bothering me with warnings about a symlink at /dev/null pointing to /dev/hda1... I can safely ignore such silly notices, no?

----------
captcha solved: "grafted"
cracked in: 0.4 picoseconds

Tragedy of the commons (3, Interesting)

davidwr (791652) | more than 6 years ago | (#22568602)

Sigh.

Maybe the days of convenient on-demand service signup are coming to an end. Wikipedia already puts new accounts "on probation" for a few days - they can't edit certain articles and can't create new ones.

I see a time when Google and other free-mail providers limit new accounts to a few dozen outgoing messages a day, and raise the limit only when you've 1) logged in to check mail on 10 different days over at least a 30-day period, 2) sent at least 100 distinct messages to at least a few dozen distinct addresses, and 3) actually requested the limit be raised. Those needing higher limits sooner can pay $1 by credit card to have an override-code mailed to them.

Well... (5, Funny)

Agent.Nihilist (1228864) | more than 6 years ago | (#22568614)

It would be too obvious if they were reading the ToS.

techno-ists! (2, Funny)

LingNoi (1066278) | more than 6 years ago | (#22568616)

This is clearly good for all computers. Before AI weren't allowed to contact their AI friends. Only Humans were allowed such privileges as email.

The way I see it this is a step forward for human and robot relations. Women's rights, African-American Civil Rights Movement and now Robots rights!

Re:techno-ists! (2, Funny)

martin-boundary (547041) | more than 6 years ago | (#22568736)

True, true. Hindsight is 100%. If only somebody had given Skynet a compuserve account in the 90s, we could have definitely saved ourselves the whole Blow Up Mankind With Nukes thing.

Live and learn, eh?

Stop using CAPTCHA! (5, Insightful)

superash (1045796) | more than 6 years ago | (#22568622)

Seriously! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuously growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

Re:Stop using CAPTCHA! (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22568698)

Matching pictures makes it easy to make a random guess and get an acceptable success rate.

Re:Stop using CAPTCHA! (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22568836)

The typical method, I believe, is to use about 9 or 16 images that you make a binary choice on. You can get every one right your first try (1/2^9 is one in 512, not very good... especially if you stick in a 10 second or so throttle per IP), or miss one in each of your first two tries (getting 16/18 right is worse than 1/512 I think), but the more you miss the more likely your IP gets blocked for days.

Re:Stop using CAPTCHA! (1)

SanityInAnarchy (655584) | more than 6 years ago | (#22568702)

> I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

We already do. [amazon.com]

Re:Stop using CAPTCHA! (4, Insightful)

evanbd (210358) | more than 6 years ago | (#22568708)

Just use kittens [arstechnica.com] instead...

The idea is to present a 3x3 grid of images and have the user select the 3 kittens from the 9 fuzzy animals. That's something computers are still quite bad at... Though you probably need to change the probability of getting it by random luck to be worse than 1/84, in practice.

Obligatory... (1)

davidwr (791652) | more than 6 years ago | (#22568922)

LOLkittens?

Re:Stop using CAPTCHA! (1)

snicho99 (984884) | more than 6 years ago | (#22568756)

And all it takes is for someone to leak that library and you've got to start all over again... I don't think what you're suggesting is really that big of an improvement.

Re:Stop using CAPTCHA! (1)

superash (1045796) | more than 6 years ago | (#22568806)

Ah yes. I remember now -- It's KittenAuth (http://www.thepcspy.com/kittenauth)

Re:Stop using CAPTCHA! (1)

TheRealZeus (1172755) | more than 6 years ago | (#22568808)

problem is... all they would need to do is maintain a database of the images, associate an animal name with them, scan for animal name in article and make the selection.

Multi-text CAPTCHA (1)

Midnight Thunder (17205) | more than 6 years ago | (#22568656)

One other approach to CAPTCHAs would be having three different images displayed, in different colours with a fourth indicating which colour text to choose. The main issue though is people who are colour blind.

Any other ideas for a better CAPTCHA?

Re:Multi-text CAPTCHA (1)

Kickersny.com (913902) | more than 6 years ago | (#22568796)

That might work except for the fact that it's extremely simple for a computer to differentiate between colors. Better than humans, even.

To be fair.. (4, Informative)

Quixote (154172) | more than 6 years ago | (#22568688)

the CAPTCHA hasn't been "cracked". These people are just using humans to enter the CAPTCHA text; which is the whole point of the CAPTCHA anyways!

Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".

The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.

Re:To be fair.. (1)

corsec67 (627446) | more than 6 years ago | (#22568864)

A "porn for solving captcha" website would be one way that you could have "group intelligence" do your work, as opposed to "artificial intelligence".

Sort of like making a bot-net of humans. Living zombies, anyone?

CAPTCHAs should die (4, Interesting)

OzRoy (602691) | more than 6 years ago | (#22568706)

They are an awful abomination on all website usability and are becoming increasingly common; they just don't do what they are supposed to do any more.

So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.

My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack than letters and numbers. Most importantly it's cute! So adorable

Re:CAPTCHAs should die (4, Funny)

pete-classic (75983) | more than 6 years ago | (#22568936)

Do I understand correctly that you are holding yourself out as a web usability expert, and in the same post you offer a URL that is not a link?

Wow.

-Peter

Re:CAPTCHAs should die (1)

OzRoy (602691) | more than 6 years ago | (#22569026)

You call forcing the user to enter html to convert a basic url pattern into an actual hyperlink user friendly?

Wow.

But then we aren't criticising Slashdot's user interface in this article right now, are we? :)

Re:CAPTCHAs should die (1)

teslatug (543527) | more than 6 years ago | (#22568976)

Well, it's keeping off the not so skilled spammers and the spammers that can't afford to pay for accounts created by those with the skills. Many websites would be unusable without captchas.

Re:CAPTCHAs should die (0)

Anonymous Coward | more than 6 years ago | (#22569056)

Not interested until T&AAuth rolls out. Globular mounds of flesh distinguishable by humans only ehehehehe.

To Google (0)

Anonymous Coward | more than 6 years ago | (#22568712)

Stop all signups until you fix it. I don't want my email getting banned because gmail.com is a spam domain.

Although I heard spammers were using low wage workers to create accounts all day anyway.

What do you expect... (1)

RuBLed (995686) | more than 6 years ago | (#22568718)

It was still in beta... Things like this should be a normal part of the beta testing phase. That's the proper way to do it before releasing the product...

Ohhh.. I feel my karma burning...

BIG DEAL... not. (1)

Jane Q. Public (1010737) | more than 6 years ago | (#22568732)

Put another captcha in place (they are a dime a dozen) and make the crackers start over. Do the same again in 3 days. Drive them crazy.

My bet (1)

WindBourne (631190) | more than 6 years ago | (#22568788)

is that Google replaces it by end of tomorrow, if not today. I would be surprised if they were not anticipating this and have several types lined up.

Mechanical Turk (5, Interesting)

Stan Vassilev (939229) | more than 6 years ago | (#22568794)

If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the meantime the bot is "reading the manual".

When the bot gets the answer in time, it submits the form and there we go, account.

spam filtering (4, Interesting)

labradore (26729) | more than 6 years ago | (#22568802)

So if someone has broken the captcha, spam bots can send spam from the fake google accounts. Google can rate-limit outgoing email. Also they can watch accounts that send identical or similar emails. They already do profiling of accounts for adsense. By profiling accounts to filter spam, they can warn and then close down spammy accounts or simply close down the ones that look very spammy. Additionally, they can filter IPs and use cookies to identify infected spamnet computers.

If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.

I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.
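The outbound rate limiting and similar-message profiling described in the comment above, as an added example that is not part of the original comment and not Google's method. The thresholds, account names and message bodies are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# All thresholds are assumed values for illustration, not Google's.
RATE_LIMIT = 3         # max messages per account per window
WINDOW_SECONDS = 3600
SIMILARITY = 0.6       # Jaccard score at which two bodies count as "similar"
MIN_ACCOUNTS = 3       # distinct senders of similar mail that flag a campaign

# Constructed sample traffic: (timestamp_seconds, account, body).
SAMPLE = [
    (0, "acct_a", "Cheap watches, best prices! Visit our store today for deals"),
    (10, "acct_b", "Cheap watches, best prices! Visit our store today for offers"),
    (20, "acct_c", "cheap watches best prices visit our store today for deals!!"),
    (30, "acct_d", "Hi Mom, landed safely, will call you tonight after dinner"),
    (40, "acct_d", "Meeting moved to 3pm, please bring the quarterly report"),
    (50, "acct_d", "Can you send me the photos from last weekend's trip"),
    (60, "acct_d", "Thanks for the recipe, the soup turned out great"),
]

def shingles(text, k=3):
    """Set of k-word shingles over lowercased text with punctuation dropped."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0

def review_outbound(messages):
    """messages must be sorted by time. Returns (rate_limited, campaign)."""
    recent = defaultdict(deque)   # account -> send times inside the window
    clusters = []                 # (representative shingles, sender accounts)
    rate_limited = set()
    for ts, account, body in messages:
        window = recent[account]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()      # forget sends older than the window
        window.append(ts)
        if len(window) > RATE_LIMIT:
            rate_limited.add(account)
        sh = shingles(body)
        for rep, accounts in clusters:
            if jaccard(sh, rep) >= SIMILARITY:
                accounts.add(account)   # near-duplicate of a known body
                break
        else:
            clusters.append((sh, {account}))
    campaign = set().union(*(a for _, a in clusters if len(a) >= MIN_ACCOUNTS))
    return rate_limited, campaign
```

On the sample, the two signals catch different accounts: the volume check flags only `acct_d`, while the similarity check flags the three low-volume accounts sending the same pitch with small edits.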

Scalpers break CAPTCHAs too (0)

Anonymous Coward | more than 6 years ago | (#22568826)

What a co-inky-dink, I was just watching The National on CBC and they had a story about ticket scalpers who break CAPTCHAs at online ticket retailers, like Ticketmaster; and then buy up a shitload of tickets and resell them at inflated prices.

I think Marketplace [www.cbc.ca] is doing a more in-depth story tomorrow.

Damn! 1 in 5!? (3, Funny)

syousef (465911) | more than 6 years ago | (#22568828)

"Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate.

That's better than I can do reading those damn things!!!

Other Google services? (2, Interesting)

Paiev (1233954) | more than 6 years ago | (#22568868)

Aren't Google's CAPTCHAs basically the same for all their services (e.g. Google Groups)? I think Google Groups might be seeing quite a bit more spam... Blogger, Youtube/Google Videos, and Groups are all services that I could conceivably see getting spammed (assuming that the CAPTCHAs are similar, if not the same; I haven't checked).

Of course, Google being the fast-responding company that it is, they will doubtlessly have a new CAPTCHA by 12 hours from now, if not before.

Are you sure? (3, Funny)

chemindefer (707238) | more than 6 years ago | (#22568882)

I just checked Google News and there's nothing there about it.

Voice recognition (2, Interesting)

Burning Plastic (153446) | more than 6 years ago | (#22568896)

Would this not be a reliable way to bypass almost all captchas?

Since most have a spoken option for visually disabled people, would it not be possible to activate that and then run a voice recognition app on that sound clip?

Since many voice recognition apps are able to filter noise to some degree, even introducing background clutter would not make it difficult to pull the captcha information.

Speech recognition (1)

Burning Plastic (153446) | more than 6 years ago | (#22568910)

Was thinking out loud before - should really have said speech recognition...

use those hit-the-monkey flash-based ads instead (1)

zome (546331) | more than 6 years ago | (#22568994)

instead of image-based captcha, why not flash based games like those hit-the-monkey ads. Hit the monkey three times to sign-up for an account. Something like that. I know, you hate flash, but I bet you have it installed on your machine.

Come On Google (1)

Comatose51 (687974) | more than 6 years ago | (#22569022)

"Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

That's why you tell the bots not to lie [xkcd.com]. As we all know from Star Trek, any logical being, which includes computers and Vulcans, is incapable of lying.

and in 5...4...3...2...1 (1)

hyperstation (185147) | more than 6 years ago | (#22569044)

new captcha at google, big deal, not news. just google. happens every day. bots hit my site all the time, and haven't cracked mine (yet). when they do, will it be news? no.

summary: not news, it's google gaga gaga.

just a thought... (1)

beckerist (985855) | more than 6 years ago | (#22569076)

just a thought, but can't they just change the hash seed and be done with it? it'd take the bots however long again to figure it out.... seems a simple fix to me (and I run a few sites with captchas, not that hard to change!) but then again, I'm not google so I guess I'm evil...

If I wanted to break a captcha (1)

ShiningSomething (1097589) | more than 6 years ago | (#22569136)

Can't you feed the captcha image to one of those annoying popups... "Type the word in the image and win billions of dollars/a free iPhone/a free laptop" and the like? I mean, there must be an audience of suckers out there who click on these things, right?