Windows Live Hotmail CAPTCHA Cracked, Exploited 362
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Awesome article (Score:5, Interesting)
Don't need new auth (Score:5, Interesting)
Re:Great (Score:4, Interesting)
If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.
Crackers as a resource (Score:3, Interesting)
I certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes, if they have been cracked this code can be easily applied to text readers. Lets move on to something else.
If it holds you win, if it gets cracked you win and switch projects.
It's a little complicated. (Score:4, Interesting)
With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.
Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.
Re:Not the last nail in the coffin by far... (Score:3, Interesting)
If you think about it, how could it know what the word really is? They are using the captcha to digitize books, which means they don't know exactly what the word is since they they are not employing dedicated people to enter the word. So the captcha validation is s only going to be as good as a first pass OCR scan.
1-900 number (Score:4, Interesting)
when you register, it gives you 2 easy to read captcha's (a verification number and password if you will), a simple picture and a 1-900 number thats $1.00 a call. When you dial it, it asks you to enter your verification number. then it asks for the password, which you would have to decode from the phone. (IE the password is vndka and you would have to enter 86352) finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat, the 1-900 number then says "did you say cat?" in which you say yes or no. if it's a cat you're registered if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture and hangs up.
The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to ram up your phone bill, But it's not anything new in the spyware business since dialers have been around for years and if their already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
Re:Kitten Auth (Score:1, Interesting)
Re:Awesome article (Score:1, Interesting)
Google succeeded in filtering spam messages. I suppose that CAPTCHA was an overlook for them and they'll develop some more efficient scheme of filtering spam accounts creation.
(BTW, Slashdot is also using CAPTCHA and pretends to be clever enough to require passing a quest to reedit a message. How do you think, does it improve overall process at all ? If I would be a spammer I wouldn't care about reediting, I'd just to send my spam again and again and would not use 'reedit' button at all.
Re:Invitations only (Score:1, Interesting)
Re:Awesome article (Score:5, Interesting)
Re:Anything is better! (Score:2, Interesting)
Re:Awesome article (Score:3, Interesting)
The CAPTCHA makes it more difficult for the script kiddie to create many accounts. But the logic should be in fingerprinting the account instead.