Google ReCAPTCHA Cracked
stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."
Re:Captcha ZDR .... (Score:5, Interesting)
As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
Perhaps it is time to use animals (Score:2, Interesting)
Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.
http://research.microsoft.com/en-us/um/redmond/projects/asirra/
Re:News for nerds, stuff that mattered... (Score:5, Interesting)
Yeah but something has happened recently, maybe the spammers got a new tool or something because I have noticed a whole bunch of spam being posted on my reCAPTCHA protected sites. This just started in the last couple of days where previously I had none.
Re:Captcha ZDR .... (Score:3, Interesting)
It's the same reason why powerleveling and gold selling services exist in cheap Asian countries; economics make it possible and even a good job.
Re:doomed approach (Score:2, Interesting)
What do we do then?
Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then it's worth your time to keep an eye on the site and delete spam as it appears.
Re:Does this mean.... (Score:3, Interesting)
Spam already leads to mail fraud in some cases, and that fraud is generally prosecuted where possible. Very few legitimate companies use spam any more. The illegitimate ones are harder to catch.
There are actually several problems with this:
1. Not all that many shipping operations that use spammers operate under US law. Products are usually shipped from overseas (if any product is shipped at all!) and you can't fine a foreign entity without an agreement with that entity's native government (which, of course, spammers choose carefully to avoid such things). So you'd be limited to the people the police are already prosecuting, and that population is dwindling.
2. "kill your business for good" fines are what got us into multi-million-dollar fines for "casual" copyright infringement (the large fines were originally designed to drain commercial "piracy factories" of their resources, not to bankrupt a person for life because they shared 3 albums on LimeWire). We'd have to be very careful with any law to target the people we want to hurt, rather than opening anyone who posted an actual personal product recommendation somewhere to a $5,000,000 spammer suit.
3. Many of the products sold are actually counterfeit, and are shipped from faked addresses and just dropped off at the post office. Again, if anything was shipped at all. If I wanted to put Symantec out of business, I could very profitably sell pirated Norton Antivirus and drop a few dozen units off at the post office nearest Symantec's corporate HQ, with a return address label that has their address on it. Symantec would be stuck with the burden of proof that they didn't ship the product. You'd have to check ID every time someone sent a letter and make sure the "from" address matches their ID (which means no more mailbox pickup, all letters and packages must be posted individually).
Re:Captcha ZDR .... (Score:3, Interesting)
We run a not large site that gets 20,000-40,000 spam comment attempts per day. Some simple filters leave us with dozens of items to manually review per year:
1) English (language in general) employs rules that yield statistical patterns. For example, personal names and occupations do not contain 50 per cent upper case letters and 50 per cent lower case letters in English. This bins the bots that fill unmatched fields with random characters, without bothering human users since CSS is good now (our forms sometimes include randomly named fields...). We also test for average word length to catch excessive use of brand names and URLs. These two rules catch almost everything except the human operators.
2) To tarpit the human operators who try to whitelist their accounts/IPs through repeatedly posting benign comments, new users who post a lot (more than four comments an hour) in an initial period (24 hours after signup) and do not interact with others will see their own comments, but others will not.
We have five other filters but have turned them into warnings for the users instead (bots do not want to solve "That's a lot of links. please delete http:/// [http] from your links"). Our next challenge is to better protect the mobile site which has a different set of dynamics.
*this silly form insists on linkifying my http colon slash slash and adding a third slash...
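The filters the commenter above describes (a hidden, randomly named form field that only bots fill; a roughly 50/50 upper/lower case ratio in name and occupation fields; a high average word length from URL and brand-name stuffing; and the tarpit that shows a new, prolific, non-interacting user only their own comments) can be put together as a small classifier. The Python below is an added example written for this page, not the commenter's code: the field name `x7q9_extra`, the 0.35-0.65 case window, the 12-character word-length cutoff, the link limit and every sample submission are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed honeypot field name. The commenter's site uses randomly named
# fields hidden with CSS; a browser user never sees or fills them, so a
# non-empty value is a strong bot signal.
HONEYPOT_FIELD = "x7q9_extra"

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


@dataclass
class Submission:
    user: str
    fields: dict = field(default_factory=dict)  # name, occupation, honeypot...
    body: str = ""
    account_age_hours: float = 0.0
    posts_last_hour: int = 0
    interacted_with_others: bool = False


def upper_ratio(value: str) -> float:
    """Fraction of letters that are upper case; 0.0 when too short to judge."""
    letters = [c for c in value if c.isalpha()]
    if len(letters) < 8:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def looks_random_case(value: str, lo: float = 0.35, hi: float = 0.65) -> bool:
    """Names and occupations typed by people are not ~50/50 upper and lower
    case; random-character filler usually is. The window is an assumption."""
    return lo <= upper_ratio(value) <= hi


def average_word_length(text: str) -> float:
    words = text.split()
    return sum(len(w) for w in words) / len(words) if words else 0.0


def classify(sub: Submission, max_avg_word: float = 12.0, max_links: int = 2) -> str:
    """Return 'reject', 'shadow', 'warn' or 'accept' for one submission."""
    if sub.fields.get(HONEYPOT_FIELD):                 # hidden field filled in
        return "reject"
    for key in ("name", "occupation"):                 # random-case filler
        if looks_random_case(sub.fields.get(key, "")):
            return "reject"
    if average_word_length(sub.body) > max_avg_word:   # URL/brand stuffing
        return "reject"
    if (sub.account_age_hours < 24 and sub.posts_last_hour > 4
            and not sub.interacted_with_others):       # tarpit, not a block
        return "shadow"
    if len(URL_RE.findall(sub.body)) > max_links:      # soft warning to the user
        return "warn"
    return "accept"


# Constructed sample submissions (not real traffic from any site).
SAMPLES = {
    "honeypot_bot": Submission("bot1", {"name": "Ann", HONEYPOT_FIELD: "yes"},
                               "hello", 500, 1, True),
    "random_case_bot": Submission("bot2", {"name": "xKqLwPzRtB", "occupation": "q"},
                                  "great post", 500, 1, True),
    "url_stuffer": Submission("bot3", {"name": "Bob"},
                              "buy http://example.com/aaaaaaaaaaaaaaaaaaaaaaaa "
                              "http://example.com/bbbbbbbbbbbbbbbbbbbbbbbbbb now",
                              500, 1, True),
    "new_prolific": Submission("new1", {"name": "Mary O'Brien"},
                               "me too", 2, 6, False),
    "linky_human": Submission("old1", {"name": "Mary O'Brien",
                                       "occupation": "Software Engineer"},
                              "see http://a.io/x http://b.io/y http://c.io/z ok",
                              500, 1, True),
    "human": Submission("old2", {"name": "Mary O'Brien",
                                 "occupation": "Software Engineer"},
                        "Nice article, thanks for sharing it.", 500, 1, True),
}


def run_samples() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: classify(sub) for name, sub in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} -> {verdict}")
```

The order of the checks matters: the cheap, near-zero-false-positive signals (honeypot, random case) run first and reject outright, the tarpit degrades rather than blocks so a human operator probing for a whitelist learns nothing, and the link count only produces a warning because, as the commenter notes, a bot will not act on "please fix your links" while a person will. The thresholds are the part that needs tuning per site; a short legitimate name like "ACME Corp" sits close to the case window, which is why the ratio is only judged on strings of eight or more letters.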
Only Primitive Spam is for Direct Profit (Score:4, Interesting)
The nature of Spam is changing. It used to be about penis pill ads being sent indiscriminately by email. Now Spam is being used by major marketers and public relations firms to influence the national discourse and nobody is using email. Spammers are hitting blogs and forums and news sites to try to credibly sway public opinion. They pose as average impartial citizens and try to spread propaganda. Spam is about trying to shout out other people by aggressively inserting the viewpoints of their corporate or political masters. Every major PR firm is going to recommend that its clients pursue an active online strategy. Not just a website. Not just a responsive blog. Not just a Facebook page. But an army of professional trolls with talking points and corporate directions to sway public opinion in a Web 2.0 setting. Spam has gotten much more insidious because the purveyors of Spam realize that to be effective they must effectively make themselves indistinguishable from the common man.
Digg recently had to reorganize because an army of amateur conservative trolls ("Digg Patriots" and others) was effectively promoting conservative information and burying liberal viewpoints. They got busted because they were ambitious and cocky amateurs. But Burson Marsteller has about 100000000x the money and sophistication and is never going to get caught so easily.
There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!