Windows Live Hotmail CAPTCHA Cracked, Exploited
Posted by kdawson on Tue Apr 15, 2008 03:28 PM
from the nice-idea-while-it-lasted dept.
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Related Stories
IT: Yahoo CAPTCHA Hacked 252 comments
Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."
IT: Gmail CAPTCHA Cracked 317 comments
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
Next-Generation CAPTCHA Exploits the Semantic Gap 327 comments
captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.
Google's Audio CAPTCHA Falls To Automated Attack 145 comments
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."
IT: Fallout From the Fall of CAPTCHAs 413 comments
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
Optical Character Recognition Still Struggling With Handwriting 150 comments
Ian Lamont recently asked Google if they planned to extend their transcription of books and other printed media to include public records, many of which were handwritten before word processors became ubiquitous. Google wouldn't talk about any potential plans, but Lamont found out a bit more about the limits of optical character recognition in the process:
"Even though some CAPTCHA schemes have been cracked in the past year, a far more difficult challenge lies in using software to recognize handwritten text. Optical character recognition has been used for years to convert printed documents into text data, but the enormous variation in handwriting styles has thwarted large-scale OCR imports of handwritten public documents and historical records. Ancestry.com took a surprising approach to digitizing and converting all publicly released US census records from 1790 to 1930: It contracted the job to Chinese firms whose staff manually transcribed the names and other information. The Chinese staff are specially trained to read the cursive and other handwriting styles from digitized paper records and microfilm. The task is ongoing with other handwritten records, at a cost of approximately $10 million per year, the company's CEO says."
IT: Now Even Photo CAPTCHAs Have Been Cracked 340 comments
MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAs are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way to crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Awesome article (Score:5, Interesting)
Re:Awesome article (Score:5, Interesting)
Re:Awesome article (Score:5, Informative)
Re: (Score:3, Interesting)
The CAPTCHA makes it more difficult for the script kiddie to create many accounts. But the logic should be in fingerprinting the account instead.
Great (Score:2, Insightful)
Cutest kitten
Re: (Score:3, Funny)
Re:Great (Score:4, Interesting)
If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Anything is better! (Score:5, Insightful)
Re: (Score:2)
Re:Anything is better! (Score:5, Insightful)
Re: (Score:3, Insightful)
Re:Anything is better! (Score:5, Funny)
Re:Anything is better! (Score:5, Informative)
I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.
And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.
What sites might they be trying to get into? Well, Slashdot.org, for example.
Re: (Score:3, Funny)
Re:Anything is better! (Score:5, Insightful)
And have you ever tried the audio CAPTCHAs? Talk about horrendous.
Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.
Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.
-Rick
Re:Anything is better! (Score:5, Insightful)
Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.
Re:Anything is better! (Score:5, Funny)
Perhaps you're celebrating the fact that captcha images will go away. Don't. They'll just be replaced by something even more obnoxious. Either that, or the application will just close shop. Either way, you're the one that loses.
Spam is totally out of control, just now I....
Check our wide variety of ED products!
http://discountcanadiania.0catch.com/ [0catch.com]
All of them and our new remedies at
the lowest possible prices on the Web.
Get the best at the best prices!
Don't need new auth (Score:5, Interesting)
Re: (Score:2, Insightful)
I could even have them send mail to each other to lend a thin veneer of realism to discourage the account provider just wiping them automatically.
Re: (Score:3, Insightful)
"Day Old Bread" in Spamassassin. (Score:4, Informative)
It's a little complicated. (Score:4, Interesting)
With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.
Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.
I speak for everyone- Captchas SUCK. (Score:2, Funny)
http://serendipity.lascribe.net/images/wtf.png [lascribe.net]
10 worst CRAPtchas (Score:5, Funny)
Re:10 worst CRAPtchas (Score:5, Funny)
Kitten Auth (Score:5, Funny)
While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? Distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?
They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
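The behaviour-based checks suggested in the comments above (signup bursts from one address, accounts whose mail is mostly reported as spam, brand-new accounts sending at volume), as an added example that is not part of the thread or any poster's code. The event format, thresholds, account names and documentation-range IP addresses are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the thread.
MAX_SIGNUPS_PER_IP_PER_DAY = 20
SPAM_REPORT_RATIO = 0.9          # share of recipients who reported the mail
MIN_RECIPIENTS_FOR_RATIO = 10    # avoid judging an account on a tiny sample
NEW_ACCOUNT_WINDOW = timedelta(hours=1)
NEW_ACCOUNT_MAX_RECIPIENTS = 500

def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def sample_events():
    """Constructed events: (kind, time, account, ip, recipients, spam_reports)."""
    start = _t("2008-04-15 10:00")
    events = [("signup", start + timedelta(minutes=i), f"bulk{i}", "192.0.2.10", 0, 0)
              for i in range(25)]                      # one address, one day
    events += [
        ("signup", _t("2008-04-15 09:00"), "alice", "198.51.100.7", 0, 0),
        ("send",   _t("2008-04-16 12:00"), "alice", "198.51.100.7", 3, 0),
        # Unique address (the botnet case), but a burst minutes after creation.
        ("signup", _t("2008-04-15 11:00"), "asdfdsa", "203.0.113.5", 0, 0),
        ("send",   _t("2008-04-15 11:05"), "asdfdsa", "203.0.113.5", 15000, 0),
        # Old account whose recipients report almost everything.
        ("signup", _t("2008-03-01 08:00"), "oldspam", "203.0.113.9", 0, 0),
        ("send",   _t("2008-04-15 13:00"), "oldspam", "203.0.113.9", 100, 95),
    ]
    return events

def flag_accounts(events):
    """Return {account: set of reasons} for accounts that trip any rule."""
    created, signups = {}, defaultdict(list)
    sent, reported, early = defaultdict(int), defaultdict(int), defaultdict(int)
    for kind, ts, account, ip, recipients, reports in sorted(events, key=lambda e: e[1]):
        if kind == "signup":
            created[account] = ts
            signups[(ip, ts.date())].append(account)
        elif kind == "send":
            sent[account] += recipients
            reported[account] += reports
            if account in created and ts - created[account] <= NEW_ACCOUNT_WINDOW:
                early[account] += recipients
    flags = defaultdict(set)
    for accounts in signups.values():
        if len(accounts) > MAX_SIGNUPS_PER_IP_PER_DAY:
            for account in accounts:
                flags[account].add("signup-burst-from-one-ip")
    for account, total in sent.items():
        if total >= MIN_RECIPIENTS_FOR_RATIO and reported[account] / total >= SPAM_REPORT_RATIO:
            flags[account].add("mostly-reported-as-spam")
    for account, count in early.items():
        if count > NEW_ACCOUNT_MAX_RECIPIENTS:
            flags[account].add("new-account-volume")
    return dict(flags)

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(sample_events()).items()):
        print(account, sorted(reasons))
```

The per-address rule alone never sees the `asdfdsa` account, which signs up from its own address; only the per-account rules catch it.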
Re: (Score:3, Funny)
So eventually computers will be able to surf for pr0n by themselves.
The nerd's lot just keeps getting worse...
Re:Kitten Auth (Score:5, Funny)
Eventually you could start an infinite loop with one botnet trying to sell crap to another.
Re:Kitten Auth (Score:5, Insightful)
Re:Kitten Auth (Score:5, Funny)
I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.
You may address me by the name I have chosen for myself,
"V1@GRa".
Re: (Score:3, Insightful)
Re:Kitten Auth (Score:4, Insightful)
Botnets. If someone really wanted to make 10,000 accounts, just have each computer on a botnet make 1 account each, with a botnet of 10,000 computers. Different IPs, etc to make them difficult to differentiate from legitimate creations.
As computers get more powerful and AI gets better, CAPTCHAs have to get harder or they are broken.
And then there is the "porn for CAPTCHA" hack, where you have a second site where you have people solve a CAPTCHA to get access to porn, and then the hacker uses that solution to make an account on the original site. The only solution is to have a short timeout, but if the porn site gets enough traffic, even that isn't an issue.
AI may be hard, but it isn't impossible to have real intelligence used en masse.
Not the last nail in the coffin by far... (Score:5, Informative)
Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.
From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.
Re:Not the last nail in the coffin by far... (Score:5, Funny)
Re:Not the last nail in the coffin by far... (Score:4, Insightful)
'This aged portion of society were distinguished from'
The OCR read 'portion' as 'pntkm.' This doesn't mean it's hard for computers to decipher, it just means that the OCR programme sucks. Hello! 'pntkm' is not a word. It's not caps, so it's probably not an acronym. It has no vowels, so it's not pronounceable. It also doesn't appear in any dictionary. Heck, even if it was scanned as some similarly-spelt word like 'abortion,' it makes no sense in the context of the sentence, and presumably if the software was sophisticated enough, it could recognise that.
Re: (Score:3, Interesting)
If you think about it, how could it know what the word really is? They are using the captcha to digitize books, which means they don't know exactly what the word is since they are not employin
Why allowing same computer multiples? (Score:3, Insightful)
Why are they allowing the same account creation attempt to fail over three times?
Still... I guess as computers get smarter, this is unstoppable.
All my accounts are white-listed. If I don't know you, I don't see your email.
hotmail ? (Score:4, Insightful)
For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.
Re: (Score:3, Informative)
I stand by my claim. I don't have recent statistics because I stopped caring a year or two ago, but when those filters went into place, hotmail.com was a major source of spam and other abuses. Also, something in their mail system was broken that caused troub
Crackers as a resource (Score:3, Interesting)
I'm certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes, if they have been cracked this code can be easily applied to text readers. Let's move on to something else.
If it holds you win, if it gets cracked you win and switch projects.
Real world... (Score:5, Insightful)
Problem is that none of them really will work in the Real World (RW).
In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.
In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.
And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.
No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.
Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.
1-900 number (Score:4, Interesting)
When you register, it gives you 2 easy-to-read CAPTCHAs (a verification number and password, if you will), a simple picture and a 1-900 number that's $1.00 a call. When you dial it, it asks you to enter your verification number. Then it asks for the password, which you would have to decode from the phone (i.e. the password is vndka and you would have to enter 86352). Finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say "cat"; the 1-900 number then says "did you say cat?", to which you say yes or no). If it's a cat you're registered; if not, it says sorry, asks you to refresh your registration page to get a new challenge password and picture, and hangs up.
The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to ram up your phone bill, but it's not anything new in the spyware business since dialers have been around for years and if they're already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
Simple Test (Score:5, Funny)
Re: (Score:3, Funny)
Uh, is the puppy mechanical in any way?
Hey -- wait a second (Score:5, Insightful)
I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.
Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.
What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.
Re: (Score:3, Insightful)
Back when I was a dirty spammer..... (Score:4, Funny)
Re: (Score:3, Informative)
> from a single IP address?
No. The spammers control millions of bots. Each new account application is proxied via a different bot.