Gmail CAPTCHA system cracked by spammers
The end is nigh. Days after the Windows Live Mail CAPTCHA system was cracked by spammers, reports state that the Gmail CAPTCHA system has fallen as well.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Ever signed up for an email or forum account, and been required to enter in a group of characters? That's a CAPTCHA system.
Folks are calling this hack the most sophisticated they have seen to date. Whereas cracking the Windows Live Mail CAPTCHA required one compromised host, cracking Gmail's took the combined efforts of two hosts. And because of Gmail's more sophisticated CAPTCHA system, only one in five breaking requests succeeds.
While one in five doesn't sound like much, keep in mind that spambots are constantly working at registering hundreds of email addresses at a time, 24/7. These spambots can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or fear. And they absolutely will not stop, ever, until you are dead.
Oh, wait, that's another bot we're thinking of...
So for all the spammers' effort, what are they getting in return?
- They gain access to Google's wide portfolio of services.
- They gain an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defenses.
- Gmail also has the benefit of being free to use.
- Because Gmail has millions of users, it makes the spammers harder to track.
[via ars technica]
Comments (11)
zatrix, Feb 27th 2008 4:55PM
As somebody who has undertaken the feat of defeating captchas for educational purposes, I salute the spammers. That was likely no easy task.
will, Feb 27th 2008 5:41PM
I think if they used a picture system, it'd be harder to crack. Like display a picture of an apple, and ask the user what is the picture of.
If someone doesn't know what an apple is, they don't deserve to use the service.
RP, Feb 28th 2008 12:07AM
You mean like an apple MacBook air or something? j/k :-)
I guess as long as they accept answers in all languages, it should work.
kingkool68, Feb 28th 2008 9:54AM
A picture system would not be as effective due to the limited number of possibilities. Plus it would require a lot more human effort on the backend to come up with pictures/correct answers compared to a computer script of contorted numbers and letters.
Everyone interested in Captchas should listen to Security Now Episode #103 where Steve Gibson talks in depth about the problem -> http://media.grc.com/sn/SN-101.mp3
lagartoflojo, Feb 27th 2008 6:18PM
@will
You are assuming that everyone speaks the same language.
Nate, Feb 27th 2008 6:20PM
To Will: But how many pictures can they hold? I mean, with random text and numbers, billions of combinations can be created. While with the picture system, pictures must be either found or taken, then listed as what they are, limiting the potential of the system, because the spammer could just make a bitmap of every CAPTCHA, due to the smaller amount of them, and have it compared to the current image. A resource-intensive process, yes, but an easy crack.
Marshall, Feb 27th 2008 8:13PM
If they took the images that had gone through Google Image Labeler http://images.google.com/imagelabeler/ , there would already be a list of words associated with the image, so you wouldn't have to get the exact word that one person thought described the picture.
Suddenly you have a huge pool of pictures to choose from, and more than one word for each.
Nate, Feb 27th 2008 8:37PM
@Marshall
Hmm, didn't know that existed. I guess you learn something new everyday.
kingkool68, Feb 27th 2008 8:05PM
Gmail should up the requirements for signing up for their e-mail accounts with a stronger identity verification system. After all, Gmail isn't like any old fad website; it's the center of your web life.
I'm not worried, Google has got a lot of smart people who can work up something more robust.
RP, Feb 28th 2008 12:08AM
During the invitation-only phase, didn't they require a cell phone #, to which they would send an SMS message?
How hard would that be to do again?
michael, Feb 28th 2008 12:32AM
This obviously disproves some loyal Gmail users saying that Gmail is absolutely the best and invincible web mail. Just kidding.
But obviously, Gmail has its own issues as well. I wonder how they'll fix this.