Davey Winder's Blog

CAPTCHA, HACKEDCHA, GOTCHA

By Davey Winder in Editorial

Posted in Uncategorized on January 25, 2008 at 3:49 pm


The Completely Automated Public Turing test to tell Computers and Humans Apart security system, thankfully better known by the pseudo-acronym CAPTCHA, has been well and truly cracked according to reports online. The system presents a set of alpha-numeric characters against a distorting background; the combination is meant to be all but impossible for a machine to decipher yet easy enough for the human brain to read. Or at least that was the case until now, if these reports are to be believed.

A Russian security ‘researcher’ going by the pseudonym of John Wane has claimed success in bypassing one of the toughest CAPTCHA implementations, the one found at Yahoo! Wane has posted decoder system code online which is said to be accurate to around 35 percent. Now that might not sound significant, but when you are trying to keep the spammer bots at bay I can assure you that it is. As Wane himself says, “It’s not necessary to achieve a high degree of accuracy when designing automated recognition software”, especially when a spammer can easily hit a rate in excess of 100,000 attempts per day. If they were to manage anything like 30,000 successful account creations then the spam problem, for blogs, forums and the general email population, would rocket overnight.

Application vulnerability software specialist Fortify has warned us all to be vigilant, especially as far as messages received from webmail systems are concerned, in the light of this possible breach. Fortify Chief Scientist Brian Chess has gone on record to say that “any free email service that is using the CAPTCHA system - or a similar approach to prevent automated sign-ups - is engaged in a never-ending arms race with its attackers.”

It isn’t all bad news though, as CAPTCHA represents just the main gate, as it were, in the fight against spammers, and the likes of Yahoo! and Google have plenty of other tricks up their collective spam-fighting sleeves to prevent an all-out flood of malicious mail.

Comments

Comment by Simon Bisson & Mary Branscombe - January 26, 2008 on 4:21 am

I like the kitten captcha-equivalent that Microsoft came up with; not only is image analysis software harder to write than letter scrapers, but every use donates to animal shelters. In the long run, we have to have a robust identity and reputation system - and maybe an exam to prove you’re not stupid enough to buy from spammers before you get to use a service…

Comment by Davey Winder - January 27, 2008 on 2:08 pm

Yep, I was rather enamoured by the MS kittens thing myself. But as you say, ultimately we do have to address the problem of end users having a trailer trash mentality when it comes to spam and link clicking.

Comment by Nick Kotarski - April 2, 2008 on 5:58 pm

Captcha isn’t accessible and the MS kittens thing can only be worse. I find Akismet works pretty well for stopping comment spam. There must be a similar way that would limit the number of signups from a particular IP address.
And yes I know that just about everything can be forged and dynamic IP addresses complicate things.
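The per-IP signup throttle the comment above wishes for is a standard defensive control, and the caveat about dynamic addresses is the usual design question: how coarsely to bucket sources. The sliding-window limiter below is an added example written for this page, not code from the blog, from Akismet or from any webmail provider; the limit, window, prefix length and sample signup events are all constructed for illustration. The `prefix_len` knob shows one answer to the dynamic-IP caveat: aggregating neighbouring addresses into a /24 so a sender hopping within a small pool still shares one budget, at the cost of occasionally throttling an innocent neighbour.

```python
"""Sliding-window signup limiter keyed by source address (illustrative example;
thresholds and sample events are constructed, not taken from any real service)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class SignupLimiter:
    """Allow at most `limit` accepted signups per source bucket per `window` seconds.

    `prefix_len` collapses IPv4 addresses into a network (e.g. 24 for a /24) so
    that a sender rotating through a small dynamic pool shares one budget;
    32 keeps exact per-address accounting. IPv6 sources are bucketed per /64,
    a common per-subscriber allocation (an assumption made for this example).
    """

    def __init__(self, limit: int, window: float, prefix_len: int = 32):
        self.limit = limit
        self.window = window
        self.prefix_len = prefix_len
        # bucket key -> timestamps of accepted signups, oldest first
        self._events = defaultdict(deque)

    def _bucket(self, ip: str) -> str:
        addr = ip_address(ip)
        plen = self.prefix_len if addr.version == 4 else 64
        return str(ip_network(f"{addr}/{plen}", strict=False))

    def allow(self, ip: str, now: float) -> bool:
        """Return True and record the signup if the bucket is within budget."""
        q = self._events[self._bucket(ip)]
        # Expire timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: rejections are not recorded
        q.append(now)
        return True


# Constructed sample: (seconds since start, source address) for signup attempts.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.10"),
    (1.0, "203.0.113.10"),
    (2.0, "203.0.113.10"),
    (3.0, "203.0.113.10"),   # fourth from the same host inside the window
    (4.0, "203.0.113.11"),   # neighbour in the same /24
    (5.0, "198.51.100.7"),   # unrelated source
    (70.0, "203.0.113.10"),  # earlier entries have aged out of a 60 s window
]


def replay(events, limit=3, window=60.0, prefix_len=32):
    """Run events through a fresh limiter; return (accepted, rejected) lists."""
    limiter = SignupLimiter(limit, window, prefix_len)
    accepted, rejected = [], []
    for ts, ip in events:
        (accepted if limiter.allow(ip, ts) else rejected).append((ts, ip))
    return accepted, rejected


if __name__ == "__main__":
    for plen in (32, 24):
        ok, blocked = replay(SAMPLE_EVENTS, prefix_len=plen)
        print(f"/{plen}: accepted {len(ok)}, rejected {blocked}")
```

With exact per-address buckets only the fourth attempt from 203.0.113.10 is refused and the neighbour at .11 sails through; with /24 aggregation the neighbour is refused as well, which is the trade-off the comment hints at. In a real deployment the state would live in a shared store rather than process memory, and the limiter would sit behind whatever the service uses to recover the true client address from proxies.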

Pingback by IT PRO: Blogs: Davey Winder: Hotmail CAPTCHA: cracked in 20 seconds - February 18, 2009 on 12:12 am

[…] Public Turing test to tell Computers and Humans Apart (better known as CAPTCHA) is not foolproof. Yahoo! knows this, Google knows this, and now it would look like Microsoft knows it as […]
