Security The Internet

Windows Live Hotmail CAPTCHA Cracked, Exploited 362

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
  • by MrKevvy ( 85565 ) on Tuesday April 15, 2008 @04:39PM (#23082274)
    No one has cracked ReCAPTCHA [recaptcha.net] yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

    Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

    From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday April 15, 2008 @04:43PM (#23082328)
    Domain age checking has already been implemented in SpamAssassin. Search on "Day Old Bread".
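As an added illustration of the "domain age" heuristic the comment above refers to (this is my own example, not SpamAssassin's code or rule set): the sender's domain is looked up in a WHOIS-style record, its creation date is parsed, and mail from a domain registered only a few days ago gets a positive spam score. The WHOIS records, the `REFERENCE_NOW` timestamp and the score of 2.5 are constructed assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS-style records keyed by domain (not real lookups; the
# .test TLD is reserved for examples). A real check would query WHOIS/RDAP.
SAMPLE_WHOIS = {
    "example-newdomain.test": "Domain Name: EXAMPLE-NEWDOMAIN.TEST\n"
                              "Creation Date: 2008-04-14T08:00:00Z\n",
    "example-old.test": "Domain Name: EXAMPLE-OLD.TEST\n"
                        "Creation Date: 1999-03-02T00:00:00Z\n",
    "example-nodate.test": "Domain Name: EXAMPLE-NODATE.TEST\n",
}

# Fixed "current time" so the example is reproducible (assumed value).
REFERENCE_NOW = datetime(2008, 4, 15, 16, 43, tzinfo=timezone.utc)


def parse_creation_date(record):
    """Extract the creation timestamp from WHOIS-style text; None if absent."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", record, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sender_domain(from_header):
    """Domain part of a From: address (lower-cased); the local part is ignored."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else None


def domain_age_days(domain, now=REFERENCE_NOW, whois_db=SAMPLE_WHOIS):
    """Age of the domain in whole days, or None when no creation date is known."""
    record = whois_db.get(domain)
    if record is None:
        return None
    created = parse_creation_date(record)
    if created is None:
        return None
    return (now - created).days


def day_old_bread_score(from_header, now=REFERENCE_NOW, threshold_days=5,
                        whois_db=SAMPLE_WHOIS):
    """Positive spam score for mail whose sender domain is younger than threshold_days."""
    domain = sender_domain(from_header)
    if domain is None:
        return 0.0
    age = domain_age_days(domain, now, whois_db)
    if age is None:
        return 0.0  # unknown age is not evidence; a failed lookup must not penalise
    return 2.5 if age < threshold_days else 0.0
```

Because the From: line is attacker-chosen, this score is only one signal among several, and it does nothing against mail sent from long-established freemail domains such as the hotmail.com accounts the story is about.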
  • Re:Doubtful (Score:3, Informative)

    by John Hasler ( 414242 ) on Tuesday April 15, 2008 @05:21PM (#23082858) Homepage
    > And Microsoft simply allow a new account to be registered every single minute of the day
    > from a single IP address?

    No. The spammers control millions of bots. Each new account application is proxied via a different bot.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday April 15, 2008 @06:01PM (#23083038)
    Comment removed based on user account deletion
  • by Starrk ( 1268600 ) on Tuesday April 15, 2008 @06:20PM (#23083190)
    As far as I understand, ReCAPTCHA uses standard images... which means it simply cannot be secure. I posted about this a little while ago, but here's what I do as a spammer:

    - Spam lots of people offering free porn - only catch is they have to prove they're not a bot (wouldn't want those bots to see my exclusive porn)
    - When somebody clicks on my link, I immediately go to gmail, start creating an account, and get their captcha
    - I pass this captcha on to my would-be porn viewer
    - And pass his answer back to google - presto, free account

    Kitten Auth and every other practical, free, unintrusive solution I have ever heard of can be broken this way as well.

    Back in the day, I interned at Google on the Checkout project when it was just starting up. The opinion of their security experts on stopping bots? Only way to do it reliably at account creation time is to demand a valid credit card number or a small payment.
  • Re:Awesome article (Score:5, Informative)

    by kcbanner ( 929309 ) * on Tuesday April 15, 2008 @07:31PM (#23083846) Homepage Journal
    These are used by botnets, usually the user has no idea this is running on their PC. Also, there is such a vast number of PCs, many of which could be behind a corp firewall or gateway. Blocking by IP has never worked in the long term.
  • by Extide ( 1002782 ) on Tuesday April 15, 2008 @08:58PM (#23084606) Homepage
    Generally the people who are blind and use the computer use a program called Jaws (or a similar one, but that's the main one, for Windows at least). They get very good at listening to computer generated voices and usually end up turning up the speed of the Jaws audio playback to speeds that you absolutely can't understand unless you are used to hearing it like that. I have a very close friend that has been completely blind for like 15 years now, and she is a very avid computer user. She has her Jaws speed up pretty high, and also can usually understand those recordings on websites that offer them.
  • Re:hotmail ? (Score:3, Informative)

    by Tom ( 822 ) on Wednesday April 16, 2008 @02:38PM (#23094008) Homepage Journal
    Maybe you should check the facts. My mail servers process a few thousand mails a day, after greylisting, and almost half of it is spam. I've been running mail servers for over 10 years. Thank you, I know the From: line can be faked, been there, done that.

    I stand by my claim. I don't have recent statistics because I stopped caring a year or two ago, but when those filters went into place, hotmail.com was a major source of spam and other abuses. Also, something in their mail system was broken that caused trouble for mailing lists because they didn't bounce mails properly, but I forgot the details.
