Google ReCAPTCHA Cracked
stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."
Captcha ZDR .... (Score:2)
Re: (Score:2)
What's "ZDR" stand for then, "Zero Desirable Results"?
Re:Captcha ZDR .... (Score:5, Interesting)
As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
Re: (Score:2)
Recently spammers have new tools in place; I am suddenly getting comment spam on 4 wordpress sites that use this kind of stuff to trap it. I have noticed this for over 5 weeks now.
Re:Captcha ZDR .... (Score:4, Insightful)
It's quite simple to stop that: implement a small non-standard part in your signup process. I put in an extra input text field named "askldjwla" with the text: [Enter "I am not a bot" here (without quotes)] and my spam has reduced to 0. Spammers target the large and easy; just don't be a part of that group.
Re:Captcha ZDR .... (Score:4, Insightful)
That might work for your vanity blog, but higher traffic sites are more valuable targets and as such attract greater efforts.
Re: (Score:3, Interesting)
We run a not large site that gets 20,000-40,000 spam comment attempts per day. Some simple filters leave us with dozens of items to manually review per year:
1) English (language in general) employs rules that yield statistical patterns. For example, personal names and occupations do not contain 50 per cent upper case letters and 50 per cent lower case letters in English. This bins the bots that fill unmatched fields with random characters, without bothering human users since CSS is good now (our forms somet
Re: (Score:3, Informative)
Another fun trick is how easy it is to catch spambots by using "invisible" form fields. Bots are too "stupid" to negotiate around these traps. They fill in those fields just like they do the visible ones, allowing you, the site operator, to instantly bin their nonsense to /dev/null with scripts and ban their IP addresses.
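The three traps described in the comments above (the odd-named challenge field with a fixed phrase, the random-casing heuristic for name fields, and the CSS-hidden honeypot field that only bots fill in) combined into one server-side screening function. This is an added example, not code from any of the posters; the field names `website_url` and `name`, the thresholds, and the sample submissions are assumptions constructed for the demo.

```python
"""Server-side form-spam traps, combined in one function.

  * honeypot: a field hidden from humans with CSS; anything in it means a bot
  * challenge: an oddly named field that must contain a fixed phrase
  * case mix:  real names are not ~50% upper / 50% lower case letters
All field names and thresholds are assumptions for this demo.
"""
from dataclasses import dataclass, field

HONEYPOT_FIELD = "website_url"      # assumed name; hidden via CSS, never shown to humans
CHALLENGE_FIELD = "askldjwla"       # odd field name taken from the comment above
CHALLENGE_PHRASE = "I am not a bot"
NAME_FIELD = "name"


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def case_mix_ratio(text: str) -> float:
    """Fraction of alphabetic characters that are upper case (0.0 if no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c.isupper()) / len(letters)


def looks_randomly_cased(text: str, low=0.35, high=0.65, min_letters=6) -> bool:
    """A name with roughly half its letters upper case is almost never human-typed.

    Short strings (initials, acronyms) are exempt so 'IBM' or 'JD' are not flagged.
    """
    letters = [c for c in text if c.isalpha()]
    if len(letters) < min_letters:
        return False
    return low <= case_mix_ratio(text) <= high


def screen_form(fields: dict) -> Verdict:
    """Apply all three traps; a submission is rejected if any trap fires."""
    reasons = []
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    if fields.get(CHALLENGE_FIELD, "").strip().lower() != CHALLENGE_PHRASE.lower():
        reasons.append("challenge phrase missing or wrong")
    if looks_randomly_cased(fields.get(NAME_FIELD, "")):
        reasons.append("name has bot-like random casing")
    return Verdict(accepted=not reasons, reasons=reasons)


# Constructed sample submissions (not real traffic).
HUMAN_SUBMISSION = {
    "name": "Jean-Luc Picard",
    "askldjwla": "I am not a bot",
    "website_url": "",                      # a human never sees this field
    "comment": "Nice write-up, thanks.",
}
BOT_SUBMISSION = {
    "name": "qXrTmZeKpLoA",                 # random casing
    "askldjwla": "http://spam.example/",    # bots stuff URLs into every field
    "website_url": "http://spam.example/",  # honeypot filled in
    "comment": "buy cheap stuff",
}

if __name__ == "__main__":
    print(screen_form(HUMAN_SUBMISSION))
    print(screen_form(BOT_SUBMISSION))
```

The honeypot and challenge checks are cheap and catch generic form-fillers; the case-mix heuristic is deliberately loose (only flags a name that is close to half upper case and long enough to be meaningful) so that all-caps or capitalised names typed by people pass. As the later comment notes, these traps work because small sites are not targeted individually, so rotate the field names if a bot ever adapts.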
Re: (Score:2)
1000 captchas solved by humans for $2? WTF? Who do they have working on these things? Even that Indian tech-support drone I talked to yesterday would fetch more money than that ...
Re: (Score:2)
Re:Captcha ZDR .... (Score:4, Funny)
they have a marketable skill: English language ability.
What Indian tech support have YOU been talking to?!
Re:Captcha ZDR .... (Score:4, Funny)
Apparently he really likes curry chicken. Kinda odd fellow.
Re: (Score:3, Interesting)
It's the same reason why powerleveling and gold selling services exist in cheap Asian countries: economics make it possible and even a good job.
Re:Captcha ZDR .... (Score:5, Interesting)
Re: (Score:2)
solved by humans for free.
solved by humans in exchange for porn. Not free. Close enough to free though. :)
the new new new new economy! (Score:2)
Re: (Score:2)
Yeah, yeah. People have been talking about that for years. Never actually put it into practice.
So if it really did work he got 1000's of captchas solved by humans for free.
Not "free". You'd need a pretty high traffic site to get responses quick enough. But there's so much free porn on the web that no one will be bothered to do them. It'd probably cost you more to run and host the porn site than jus
Re: (Score:2)
People who have solved millions of CAPTCHAs and are really fast. They probably also do the easy ones in software, thus upping the effective throughput. One approach would be to have the software present its best guess to a human for verification.
Re: (Score:2)
Re:Captcha ZDR .... (Score:5, Informative)
With reCaptcha, you don't have to successfully OCR the scanned word, just the control word. Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable. In these cases, you can type the control word correctly and just write some gibberish for the other, and you'll beat the captcha.
Which means that the spammer won't have to OCR the hardest of the words... just the simpler one. Run the OCR to the full text, post both words, and if the simpler one matches, you broke the captcha.
(I make it sound so easy! It really isn't! I'm amazed that they did break it! I just wanted to point out that it isn't "OCR words that haven't been OCRd before", but rather "OCR words that have been OCRd previously and are now a bit distorted".)
Re: (Score:2)
Also seen one where the other word was a set of hieroglyphs or oddly shaped rectangles.
Re: (Score:2)
Except that simpler word is something that their OCR software failed to figure out before and has since been solved by a person filling out the captcha. So indeed you do still have to build better OCR software than google has to actually break the captcha. Further they morph the control word just a bit, so not only do you have to build better OCR software, it has to be MUCH better.
Re: (Score:3)
That's probably enough to prevent a lot of spam. Spam isn't very profitable per post.
Re: (Score:2)
All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans.
I bet this type of captcha [wordpress.com] would still work well on sites like mathoverflow or wolfram...
Re: (Score:3)
All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans.
I bet this type of captcha [wordpress.com] would still work well on sites like mathoverflow or wolfram...
The answer is zero, btw. (which was a little anticlimactic, if you ask me)
There's only one weapon left in the arsenal (Score:5, Insightful)
Re:There's only one weapon left in the arsenal (Score:5, Funny)
There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"
Six and the Arabian spinecracker.
You could just hire people from /. to solve captcha porn.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2, Informative)
The trouble with this (and less funny image suggestions) is that the "CA" in "CAPTCHA" stands for "Completely Automated".
CAPTCHAs work as a sort of AI hash function: it's easy for a computer to generate, but hard for one to solve. Using images for tests like "what position is this", or, more realistically, "is this a cat or dog" violates that principle: creating the CAPTCHA is just as much work as it is to solve! On top of that, the finite availability of images allows for a database attack. Even having
Re: (Score:2)
I wonder if the "there can't be enough photos" issue could be solved by a script/pulling photos from a large set of images from the web itself? ie, a flickr stream/group that is specifically tagged by users for this, to contribute to the pool for image use by a presumably OSS type CAPTCHA system...
"Search King" (Score:2)
In capitals, like this?
Did they pull the crown from the hands of the Pope, himself at the coronation ceremony, and declare - as did Napoleon - "I am King!"
Re: (Score:2)
No, more like "Burger King".
Re:"Search King" (Score:4, Funny)
Look, all you have do to confirm it is just google for "most popular search engine"...
Re: (Score:2)
Just to make things interesting, I binged it (has bing been verbed yet?). The top result [searchenginewatch.com] was something from 2006 (!) that lists Google with about 49% of the search market, and the 4th said right in the search result headline, "Google is the Most Popular Search Engine in the World".
(Top result in a search for popularity is 4 years old? But just to be fair I checked Google, and it gave the same first result, strangely enough.)
Re:"Search King" (Score:4, Insightful)
Just to make things interesting, I binged it (has bing been verbed yet?). ...
Well, it's a verb, but it's past tense of binge (as in drinking).
Re: (Score:2)
(has bing been verbed yet?)
I'm getting old. I hadn't realized that "verb" had been verbed yet.
Re: (Score:2)
More like the submitter doesn't like Google and used it pejoratively.
Re: (Score:2)
Google reCAPTCHA cracked... again (Score:3, Informative)
FTA:
Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
Well, last year someone showed at DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already [slashdot.org].
So how is this news? Am I missing something?
Re:Google reCAPTCHA cracked... again (Score:5, Informative)
News for nerds, stuff that mattered... (Score:5, Informative)
...last year.
Google reCAPTCHA cracked
Written by John P Mello Jr on January 5, 2010
Re:News for nerds, stuff that mattered... (Score:5, Interesting)
Yeah but something has happened recently, maybe the spammers got a new tool or something because I have noticed a whole bunch of spam being posted on my reCAPTCHA protected sites. This just started in the last couple of days where previously I had none.
Re: (Score:2)
Maybe that would explain all the Usenet spam coming from Google Groups lately.
Re: (Score:2)
"Lately"?
Re: (Score:2)
There's a big spam campaign going on for almost two weeks now, after a fairly long dry spell.
End of reCAPTCHA? (Score:3, Informative)
Re: (Score:2)
Aren't the gibberish words assembled from different letters from different unsolved words or something? They didn't talk that funny back then.
Re: (Score:3)
That's assuming that it's really giving good answers, and that's why it works.
My understanding is that it uses previous answers to check future answers. Answer incorrectly enough and it thinks that is a correct answer.
Now, lately, I've been finding reCAPTCHAs that claim I got them wrong. I assumed I just mistyped, but it used to be a MUCH rarer occurrence.
Maybe I'm getting them right, but the spambots are flooding it with wrong answers?
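A toy model of the two-word scheme discussed in the thread (the "control word" comment further up and the "uses previous answers to check future answers" comment just above). It is an added illustration, not reCAPTCHA's code: the agreement threshold, the idea of tying votes to distinct submitters, and the sample words and image ids are all assumptions. The verifier only checks the control word; the unknown word just collects votes until enough of them agree. The simulation shows why counting raw votes lets one flooder decide what an unknown word "says", and how requiring agreement from distinct submitters blunts that.

```python
"""Model of a control-word + unknown-word CAPTCHA verifier with answer consensus.

Only the control word (whose transcription is known) is checked. The unknown word
accumulates answers; once enough agree it is treated as transcribed. Thresholds and
the per-submitter rule are assumptions for this demo, not reCAPTCHA's real policy.
"""
from collections import Counter, defaultdict


class ConsensusCaptcha:
    def __init__(self, agreement_needed=3, per_submitter=True):
        self.agreement_needed = agreement_needed
        self.per_submitter = per_submitter            # count distinct submitters, not raw votes
        self.raw_votes = defaultdict(Counter)          # image id -> answer -> vote count
        self.submitters = defaultdict(lambda: defaultdict(set))  # image id -> answer -> ids
        self.resolved = {}                             # image id -> agreed transcription

    def verify(self, control_word, control_answer, unknown_id, unknown_answer, submitter):
        """Return True when the control word matches; the unknown answer is only recorded.

        This is the point made in the thread: the unknown half is never validated on
        the spot, so a correct control word passes whatever was typed for the other.
        """
        if control_answer.strip().lower() != control_word.lower():
            return False
        answer = unknown_answer.strip().lower()
        self.raw_votes[unknown_id][answer] += 1
        self.submitters[unknown_id][answer].add(submitter)
        support = (len(self.submitters[unknown_id][answer]) if self.per_submitter
                   else self.raw_votes[unknown_id][answer])
        if support >= self.agreement_needed and unknown_id not in self.resolved:
            self.resolved[unknown_id] = answer
        return True


def simulate(per_submitter):
    """Constructed scenario: one flooder sends a wrong transcription five times from
    the same session, then three people independently type the right word."""
    captcha = ConsensusCaptcha(agreement_needed=3, per_submitter=per_submitter)
    for _ in range(5):                                   # the flood, single submitter
        captcha.verify("harbour", "harbour", "scan-17", "zzzz", submitter="bot-1")
    for who in ("alice", "bob", "carol"):                # independent humans
        captcha.verify("harbour", "harbour", "scan-17", "lantern", submitter=who)
    return captcha.resolved.get("scan-17")


if __name__ == "__main__":
    print("raw vote counting resolves scan-17 to:", simulate(per_submitter=False))
    print("per-submitter agreement resolves scan-17 to:", simulate(per_submitter=True))
```

With raw counting the flooder's five identical answers cross the threshold before any human votes, so the wrong transcription wins; with per-submitter agreement the flood counts once. A submitter id is whatever the service can attribute (session, IP, account), which raises the cost of poisoning rather than making it impossible, so real deployments also weight by solver reputation and re-check resolved words.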
Re: (Score:3)
It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet...
Laziness has nothing to do with it. It's kind of a hard problem. The solution is worth billions. Trust me, Google really does not like the amount of spam sent from their own accounts that clogs their own services and defrauds their own users. Defeating these bots is a high priority for them and everyone else. Each of these companies is basically an army of geniuses. It's a hard problem.
Re: (Score:2)
And they are making them harder to solve for actual humans, I have found myself failing reCaptcha on ticketmaster several times in the last few months.
Perhaps it is time to use animals (Score:2, Interesting)
Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
Re: (Score:3)
I'm not sure animals would find it any easier to solve the captchas than we do :)
Re: (Score:2)
I'm sure it'll eventually get patented so no one can use it
That would explain... (Score:2)
That would explain why my recaptcha protected forum suddenly started getting 30+ new accounts a day.
Regards
elFarto
Re: (Score:2)
I JUST upgraded my website Captcha system because I suddenly started getting bots registering on my small domain (30-40 visits / day). I now have a small math problem and ReCaptcha together, along with a hidden input field that bots love to fill out (if filled out, rejects form submit). Combine all three, and I doubt I'll see bots registering any time soon.
The real weird thing is that the bots registered but never spammed my site. Odd.
Re: (Score:2)
The real weird thing is that the bots registered but never spammed my site. Odd.
Most likely the bots failed to detect that the registration worked, or failed to parse the actual post pages. I once had a home grown wiki which was totally messed up by bots because they couldn't make heads or tails from it.
reCAPTCHA is already "too good" (Score:3)
Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.
Re: (Score:2)
Re: (Score:2)
Totally offtopic, but this made me wonder about the converse of the Turing test - if/when computers are 'smarter' than we are (whatever that means), how will a computer know that it is talking to a true computer, and not a mere human who is possibly commanding a computer?
Of course the question presumes some limitations on communication language, bandwidth, response time, etc. to make it a fair test. Let's say it's a transmission between two space ships, ten light minutes apart. Has the other space ship be
Re: (Score:2)
Re: (Score:2)
Maybe it was a program written in Whitespace [wikipedia.org]! :D
Re: (Score:2)
This is an important point though. I too have had enough trouble solving reCAPTCHAs to become frustrated enough just to leave the site, and if I am an AI I don't know it. We have reached a point where I think even if they unbreak reCAPTCHA to the point where machines can't solve them at an effective rate, they will have crossed the threshold where it becomes so hard for humans that a new solution is needed.
Re: (Score:2)
In the future, only spam bots will be able to register for websites!
Usability vs Security vs Money (Score:2)
Too bad really, I like the google captchas because they were easy to read (and served a greater purpose with the book scanning). Honestly I wish they would make some of these things harder though. How often do you really need to make an email account? I've done it just a couple times with google and wouldn't be bothered by a more complex captcha system. I suspect they don't do this because they wouldn't want people to get frustrated and go to hotmail instead because the captcha was too hard.
though in the en
Slashdotted - mirror (Score:2)
http://www.networkmirror.com/mlsurCyIbkJu5Qpr/www.allspammedup.com/2010/01/google-recaptcha-cracked/index.html [networkmirror.com]
doomed approach (Score:2)
Re: (Score:2, Interesting)
What do we do then?
Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then its worth your time to keep an eye on the site and delete spam as it appears.
Re: (Score:2)
If the AI is smart enough to pass a human-test to send a spam, then another AI will be smart enough to recognize spam and not deliver it.
My forum has noticed! (Score:3)
I eventually installed a plugin from StopForumSpam.com [stopforumspam.com] which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.
Re: (Score:2)
I had a forum on a relatively small site that just started getting HAMMERED by spammers.. it was like the reCAPTCHA wasn't even there.
I switched to the forum's default scrambled letter captcha and that stopped the flood for now.
Panderers? (Score:2)
successfully exploited by Internet junk mail panderers
How does one pander to junk mail?
Perhaps the word you were looking for is peddlers?
Tax Forms (Score:2)
Simple Block 'em (Score:2)
I use a script for emailing the addresses of my clients and the script is server-side code. And since that does not load unless the form (for an email) is completely filled out, nobody can pre-look at my code and figure out anything.
Client's email address is in a lookup in an SQL database, so nobody can see that, either.
Solution is to capture then BLOCK the IP address of anyone sending spam through the form. So far, I have seen two messages from Belize and one from India. And now those people can no longer
Re: (Score:2)
There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.
Re:Does this mean.... (Score:5, Insightful)
The problem is simple to solve though:
Spamming is profitable. That's why the spammers do it.
What we need is simple: we need to make Spamming unprofitable. (I almost said make Spam unprofitable, but I actually kinda like Hormel's product).
This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
That leaves the virus-purveyors and identity-theft types to deal with, true, but the bulk of the money spent on breaking CAPTCHA solutions and everything else comes from the spam-for-profit guys, so if we hit them first, the rest are more manageable.
Re: (Score:3, Funny)
This wouldn't be that hard to do. Spammers hit government addresses like anything else. Hit the purveyors of the product, the people who hire the spammers, with a nasty "kill your business for good" level fine for every product that goes out in a spamming campaign - problem solved, none of these guys will ever be so stupid as to hire a spammer again.
Yes, but they will hire spammers for a different reason. To advertise their competitor's product, in order to nuke the competition. Then once the compet
Re: (Score:2)
Once you haul the spammer in, it's easy enough to tell who paid him.
Re: (Score:2, Troll)
When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
The problem is Google fails to release any product that makes them money. Since they hold the keys to speech recognition, language translation, and spam detection, you can be sure that the science will advance in these fields at Mach 1 pace, and zero useful/profitable products will be made available.
Re: (Score:2)
When Google applies Gmail spam detection technology to blogger that will be the end of blog spam.
Why not just use Akismet.com? It works great.
My small blog was getting a modest amount of spam (about 150/day), and Akismet would miss maybe one every few months. Not bad, but having to sort through the messages in the spam queue was really annoying. I found a decent compromise: messages flagged by Akismet were presented with a captcha. If the captcha was completed successfully, the message went into the moderation queue (as it was still spammy enough to trip Akismet). If not, the message is permanently del
Re: (Score:2)
Re: (Score:2)
They have done absolutely nothing to stop spammers using Google Groups from spewing all over Usenet. They obviously could easily detect and block 99% of spam, but choose not to.
Re: (Score:2)
That just goes to show that you're a clueless noob.
Re: (Score:3, Interesting)
Spam already leads to mail fraud in some cases, and that fraud is generally prosecuted where possible. Very few legitimate companies use spam any more. The illegitimate ones are harder to catch.
There are actually several problems with this:
1. Not all that many shipping operations that use spammers operate under US law. Products are usually shipped from overseas (if any product is shipped at all!) and you can't fine a foreign entity without an agreement with that entity's native government (which, of cou
Re: (Score:2)
OK, so what's the problem again?
Re: (Score:3)
http://en.wikipedia.org/wiki/Joe_job
Only Primitive Spam is for Direct Profit (Score:4, Interesting)
The nature of Spam is changing. It used to be about penis pill ads being sent indiscriminately by email. Now Spam is being used by major marketers and public relations firms to influence the national discourse and nobody is using email. Spammers are hitting blogs and forums and news sites to try to credibly sway public opinion. They pose as average impartial citizens and try to spread propaganda. Spam is about trying to shout out other people by aggressively inserting the viewpoints of their corporate or political masters. Every major PR firm is going to recommend that its clients pursue an active online strategy. Not just a website. Not just a responsive blog. Not just a Facebook page. But an army of professional trolls with talking points and corporate directions to sway public opinion in a Web 2.0 setting. Spam has gotten much more insidious because the purveyors of Spam realize that to be effective they must effectively make themselves indistinguishable from the common man.
Digg recently had to reorganize because an army of amateur conservative trolls ("Digg Patriots" and others) was effectively promoting conservative information and burying liberal viewpoints. They got busted because they were ambitious and cocky amateurs. But Burson Marsteller has about 100000000x the money and sophistication and is never going to get caught so easily.
There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!
Re: (Score:2)
There's no way to "verify user accounts" until they post their first content - if there was, we could automate that verification.
I have run a fan forum (phpbb) for a musician for about 7 years. At peak times we have gotten up to 50-100 spam account attempts a day. I added a captcha which does not stop everything but slows it down a lot. http://www.stopforumspam.com/ [stopforumspam.com] is a good resource for checking if the email or nick is a known spammer. A quick google on the nick and you can often guess based on how many hits you get and the "interests" is a good indicator. Email addresses which look like incremented numbers, pharma ads, etc.
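The registration checks the comment above describes, written out as an added example (not the phpBB or StopForumSpam code): a lookup of the nick and email against a locally cached known-spammer list, plus detection of the "incremented numbers" pattern, where the new address continues a run of sequential addresses among recent sign-ups. The list contents, the run length of 3, the regex for splitting a numbered local part, and the sample sign-up log are all constructed assumptions.

```python
"""Screen a forum registration against a known-spammer list and a sequential-email run.

The denylist and the recent sign-up log below are constructed for the demo; a real
deployment would sync the list from a service such as the one named in the thread.
"""
import re

KNOWN_SPAM_EMAILS = {"cheap-meds@example.net"}   # constructed
KNOWN_SPAM_NICKS = {"pharmadeals2010"}           # constructed

# local part = letters/dots/dashes, then a trailing number, then the domain
SEQ_RE = re.compile(r"^([a-z._-]*?)(\d+)@(.+)$", re.IGNORECASE)


def split_sequential(email):
    """Return (prefix, number, domain) for 'promo103@mail.example', else None."""
    m = SEQ_RE.match(email.strip().lower())
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def screen_registration(nick, email, recent_emails, run_length=3):
    """Return a list of reasons to hold the registration; empty means nothing matched."""
    reasons = []
    if email.strip().lower() in KNOWN_SPAM_EMAILS:
        reasons.append("email on known-spammer list")
    if nick.strip().lower() in KNOWN_SPAM_NICKS:
        reasons.append("nick on known-spammer list")

    parts = split_sequential(email)
    if parts:
        prefix, number, domain = parts
        # collect the numbers already seen for the same prefix@domain
        numbers = {number}
        for other in recent_emails:
            p = split_sequential(other)
            if p and p[0] == prefix and p[2] == domain:
                numbers.add(p[1])
        # length of the consecutive run ending at this registration's number
        run = 1
        while number - run in numbers:
            run += 1
        if run >= run_length:
            reasons.append(f"email is #{run} in an incremented-number run")
    return reasons


# Constructed sign-up log for the last few hours (not real data).
RECENT_SIGNUPS = ["promo101@mail.example", "promo102@mail.example", "alice@mail.example"]

if __name__ == "__main__":
    print(screen_registration("newbie", "promo103@mail.example", RECENT_SIGNUPS))
    print(screen_registration("PharmaDeals2010", "bob@mail.example", RECENT_SIGNUPS))
    print(screen_registration("fan42", "alice42@mail.example", RECENT_SIGNUPS))
```

A flagged registration should go to a moderation queue rather than be rejected outright, since a legitimate user can share a prefix with an unrelated sign-up; the run check only fires when the new address actually continues a consecutive sequence.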
Re: (Score:2)
I had a phpbb board for a while, and my technique was to replace the captcha with a fill-in-the-blank. Dead simple for a human, but when I made my change, the number of spam bots we got dropped to zero. Without needing to subscribe to an external script to do it.
The system was stupid simple, it's ridiculous how effective it was, too.... I made up an image which had the website's URL minus a word. The instructions were to fill in the missing word. So if the website was "www.theincredibleworldofgoo.com" the p
Re: (Score:3)
Wouldn't be so hard to defeat by a script. But the reason why your spam dropped to zero is because your "one of a kind" system wasn't targeted. I have an even simpler system that just requires the same sentence every time you sign up. But the field name in code is gibberish and because my site is low volume spammers don't target my script directly.
And that's what I would suggest for everyone: the solution is not to have 1 super captcha system that rules it all. Have 1.000.000 of them, once they are cracked
Re:Does this mean.... (Score:5, Interesting)
Re: (Score:2)
You're reading a sig, man.
Re: (Score:2)
Re: (Score:2)
So what? It demonstrates a point relevant to the discussion.
--
Discount Helicobacter pylori [bit.ly]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This is my idea too, I have several wordpress blogs I haven't maintained in years. I get a handful of new sign ups a week I totally ignore because comments are completely disabled.
If I ever get back to these blogs I will only allow comments from people with a social network account (twitter followers, facebook friends). This way I leave the blunt of the blocking to them.
Re: (Score:2)
Already get Gmail Spam. Having a Gmail address is no longer guarantee of spamfree email. Spammers have had gmail addresses for a while now. I just wish that we could report SPAM addresses to google and have them suspend the accounts.
Re: (Score:2)
Not necessarily. After all, a patient spammer could just read the post himself and enter the captcha manually. The reason they don't do this is that the ROI on spam is so ridiculously low (spam kings like Alan Ralsky got around this problem by selling spam services to unscrupulous companies that thought it would be profitable). Every CPU cycle spent breaking a captcha is profit down the drain for the spammer. Not to mention the payment to developers who come up with anti-captcha techniques.
Re: (Score:2)