Davey Winder's Blog

CAPTCHA, HACKEDCHA, GOTCHA

By Davey Winder in Editorial

Posted in Uncategorized on January 25, 2008 at 3:49 pm


The Completely Automated Public Turing test to tell Computers and Humans Apart security system, thankfully better known by the acronym CAPTCHA, has been well and truly cracked according to reports online. The system presents a string of alphanumeric characters, distorted and set against a noisy background, so that the combination is all but impossible for a machine to decipher yet easy enough for the human brain to read. Or at least that was the case up until now, if these reports are to be believed.

A Russian security ‘researcher’ going by the pseudonym John Wane has claimed success in bypassing one of the toughest CAPTCHA implementations around, the one found at Yahoo! Wane has posted decoder code online which is said to be accurate around 35 percent of the time. That might not sound significant, but when you are trying to keep the spammer bots at bay I can assure you that it is. As Wane himself says, “It’s not necessary to achieve a high degree of accuracy when designing automated recognition software”, especially when a spammer can easily make more than 100,000 attempts per day: at 35 percent that is some 35,000 accounts. If spammers were to manage anything like 30,000 successful account creations a day, the spam problem for blogs, forums and the general email population would rocket overnight.

Fortify, the application-vulnerability software specialist, has warned us all to be vigilant, especially where messages received from webmail systems are concerned, in the light of this possible breach. Fortify Chief Scientist Brian Chess has gone on record to say that “any free email service that is using the CAPTCHA system - or a similar approach to prevent automated sign-ups - is engaged in a never-ending arms race with its attackers.”

It isn’t all bad news though: CAPTCHA is just the main gate, as it were, in the fight against spammers, and the likes of Yahoo! and Google have plenty of other tricks up their collective spam-fighting sleeves to prevent an all-out flood of malicious mail.

Comments

Comment by Simon Bisson & Mary Branscombe - January 26, 2008 on 4:21 am

I like the kitten captcha-equivalent that Microsoft came up with; not only is image analysis software harder to write than letter scrapers, but every use donates to animal shelters. In the long run, we have to have a robust identity and reputation system - and maybe an exam to prove you’re not stupid enough to buy from spammers before you get to use a service…

Comment by Davey Winder - January 27, 2008 on 2:08 pm

Yep, I was rather enamoured by the MS kittens thing myself. But as you say, ultimately we do have to address the problem of end users having a trailer trash mentality when it comes to spam and link clicking.

Comment by Nick Kotarski - April 2, 2008 on 5:58 pm

Captcha isn’t accessible and the MS kittens thing can only be worse. I find Akismet works pretty well for stopping comment spam. There must be a similar way that would limit the number of signups from a particular IP address.
And yes I know that just about everything can be forged and dynamic IP addresses complicate things.
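Nick's suggestion above, a cap on signup attempts from any one address, is the kind of second gate the post alludes to. The following is an added example written for this page, not code from the blog, from Yahoo!, Google or Akismet: a sliding-window throttle keyed by source address, plus two helper calculations that put the post's 35 percent figure next to such a cap. The request log, the addresses and the limit of five attempts per day are constructed for illustration.

```python
"""Per-source signup throttle: a sliding-window counter keyed by client IP.

Added example, not code from the blog post or from any product named in it.
The thresholds and the sample request log are constructed for illustration.
"""
from collections import defaultdict, deque

SOLVER_ACCURACY = 0.35        # per-attempt success rate quoted in the post
DAY = 24 * 60 * 60


class SignupThrottle:
    """Allow at most `limit` signup attempts per source within `window` seconds."""

    def __init__(self, limit=5, window=DAY):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # source -> timestamps of recent attempts

    def allow(self, source, now):
        """Record an attempt from `source` at time `now`; return False once over the cap."""
        q = self._hits[source]
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def expected_signups(attempts, accuracy=SOLVER_ACCURACY):
    """Expected accounts created when every attempt carries a CAPTCHA guess at `accuracy`."""
    return attempts * accuracy


def sources_needed(attempts_per_day, limit):
    """Distinct source addresses needed to push `attempts_per_day` through a per-source cap."""
    return -(-attempts_per_day // limit)   # ceiling division


def replay(throttle, log):
    """Run a (source, timestamp) log through the throttle.

    Returns {source: (allowed, blocked)} so the effect on each client is visible.
    """
    result = defaultdict(lambda: [0, 0])
    for source, ts in log:
        result[source][0 if throttle.allow(source, ts) else 1] += 1
    return {s: tuple(v) for s, v in result.items()}


# Constructed sample: a bot submitting once a minute for twelve minutes from one
# address, and a human who mistypes the CAPTCHA once and retries.
SAMPLE_LOG = [("203.0.113.7", t) for t in range(0, 12 * 60, 60)] + \
             [("198.51.100.2", 30), ("198.51.100.2", 90)]

if __name__ == "__main__":
    throttle = SignupThrottle(limit=5)
    print(replay(throttle, SAMPLE_LOG))    # bot capped at 5, human unaffected
    print(expected_signups(100_000))       # 35000.0 accounts from 100,000 tries
    print(sources_needed(100_000, 5))      # 20000 addresses to keep that rate up
```

The helpers make the trade-off concrete: the cap does nothing to the 35 percent solve rate, it only forces the spammer to spread 100,000 daily attempts across some 20,000 addresses. As Nick notes, source addresses can be forged, shared behind NAT, or rotated through dynamic pools and botnets, so a throttle like this raises the attacker's cost rather than closing the gate.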
