Slashdot Log In
Windows Live Hotmail CAPTCHA Cracked, Exploited
Posted by
kdawson
on Tue Apr 15, 2008 04:28 PM
from the nice-idea-while-it-lasted dept.
from the nice-idea-while-it-lasted dept.
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
Related Stories
[+]
IT: Yahoo CAPTCHA Hacked 252 comments
Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."
[+]
IT: Gmail CAPTCHA Cracked 317 comments
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
[+]
Next-Generation CAPTCHA Exploits the Semantic Gap 327 comments
captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.
[+]
Google's Audio CAPTCHA Falls To Automated Attack 145 comments
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."
[+]
IT: Fallout From the Fall of CAPTCHAs 413 comments
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
[+]
Optical Character Recognition Still Struggling With Handwriting 150 comments
Ian Lamont recently asked Google if they planned to extend their transcription of books and other printed media to include public records, many of which were handwritten before word processors became ubiquitous. Google wouldn't talk about any potential plans, but Lamont found out a bit more about the limits of optical character recognition in the process:
"Even though some CAPTCHA schemes have been cracked in the past year, a far more difficult challenge lies in using software to recognize handwritten text. Optical character recognition has been used for years to convert printed documents into text data, but the enormous variation in handwriting styles has thwarted large-scale OCR imports of handwritten public documents and historical records. Ancestry.com took a surprising approach to digitizing and converting all publicly released US census records from 1790 to 1930: It contracted the job to Chinese firms whose staff manually transcribed the names and other information. The Chinese staff are specially trained to read the cursive and other handwriting styles from digitized paper records and microfilm. The task is ongoing with other handwritten records, at a cost of approximately $10 million per year, the company's CEO says."
[+]
IT: Now Even Photo CAPTCHAs Have Been Cracked 20 comments
MoonUnit writes "Technology Review has an interesting article about the way CAPTCHAS are fueling AI research. Following recent news about various textual CAPTCHAs being cracked, the article notes that a researcher at Palo Alto Research Center has now found a way crack photo-based CAPTCHAs too. Most approaches are based on statistical learning, however, so Luis von Ahn (one of the inventors of the CAPTCHA) says it is usually possible to make a CAPTCHA more difficult to break by making a few simple changes."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Awesome article (Score:5, Interesting)
Re:Awesome article (Score:5, Interesting)
Parent
Re:Awesome article (Score:5, Informative)
Parent
Anything is better! (Score:5, Insightful)
Re:Anything is better! (Score:5, Insightful)
Parent
Re:Anything is better! (Score:5, Insightful)
And have you ever tried the audio CAPTCHAs? Talk about horrendous.
Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.
Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.
-Rick
Parent
Re:Anything is better! (Score:5, Funny)
Parent
Re:Anything is better! (Score:5, Informative)
I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.
And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the different between a cat and a dog.
What sites might they be trying to get into? Well, Slashdot.org, for example.
Parent
Re:Anything is better! (Score:5, Insightful)
Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.
Parent
Re:Anything is better! (Score:5, Funny)
Perhaps you're celebrating the fact that captcha images will go away. Don't. They'll just be replaced by something even more obnoxious. Either that, or the application will just close shop. Either way, you're the one that loses.
Spam is totally out of control, just now I....
Check our wide variety of ED products!
http://discountcanadiania.0catch.com/ [0catch.com]
All of them and our new remedies at
the lowest possible prices on the Web.
Get the best at the best prices!
Parent
Don't need new auth (Score:5, Interesting)
"Day Old Bread" in Spamassassin. (Score:4, Informative)
Parent
10 worst CRAPtchas (Score:5, Funny)
Re:10 worst CRAPtchas (Score:5, Funny)
Parent
Kitten Auth (Score:5, Funny)
While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?
They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
Re:Kitten Auth (Score:5, Insightful)
Parent
Re:Kitten Auth (Score:5, Funny)
I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.
You may address me by the name I have chosen for myself,
"V1@GRa".
Parent
Re:Kitten Auth (Score:5, Funny)
Eventually you could start an infinite loop with one botnet trying to sell crap to another.
Parent
Not the last nail in the coffin by far... (Score:5, Informative)
Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.
From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.
Re:Not the last nail in the coffin by far... (Score:5, Funny)
Parent
hotmail ? (Score:4, Insightful)
For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.
Real world... (Score:5, Insightful)
Problem is that none of them really will work in the Real World (RW).
In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.
In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.
And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.
No, what's needed is a real ground-up redesign of how e-mail works. we need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.
Adding more hoops or captchas or whitlelists to the existing mail sysytems just isn't going to solve the problem.
Simple Test (Score:5, Funny)
Hey -- wait a second (Score:5, Insightful)
I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.
Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.
What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.
Re:Great (Score:4, Interesting)
If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.
Parent