
Gmail and Hotmail Captchas Cracked - soundsop
http://arstechnica.com/news.ars/post/20081002-right-back-at-ya-captcha-bad-guys-crack-gmail-hotmail.html
======
kleevr
I like how the Turing test is reversed.... It isn't so much a concern whether
humans can recognize a computer (these days anyway), but rather, can a
computer recognize a human.

~~~
kajecounterhack
Hmm, actually no, it's a concern whether a computer can recognize another
computer, because captchas just prove that the end user isn't a computer.

Then again, I guess it's the same thing... it's the "glass half full/empty"
scenario.

------
iigs
Maybe it's time to beat the captcha-cracking guys at their own game: use
Mechanical Turk to "interview" people signing up for a new email account.

If you signed up via an IM session rather than a web form it would leave a lot
more context in the communication, which might be useful for making a
determination. You could also give the Turker additional money for an account
that hasn't been flagged for spam in 30 days.

I don't know if this idea has any merit at all, but it seems like a natural
response to the arms race at hand.

~~~
mrtron
So two turkers will end up talking to each other during signups?

I would rather a technical solution.

~~~
LogicHoleFlaw
I swear, the first program to pass the Turing test will have been programmed
to break captchas.

Now there's a way to bring about the Singularity.

~~~
elai
Yes, matching distorted shapes w/ noise attached to a set of 26 to 62 unique
shapes will bring self-aware AI.

~~~
technoguyrob
With the history of unusual ways things have been discovered in science, I'm
not sure if that is sarcasm.

------
olefoo
There is a solution to this, but it's one that won't be implemented for some
time because it is properly a government function.

Verified Identity.

The Swiss have something like this, and are offering it to users in other
countries; see <http://www.incamail.ch/english/home.html?language=english>

But to really work, it needs the force of law (not that it wouldn't be gamed,
but it's a lot easier to throw someone in jail for crossing the post office
than some random company's TOS).

~~~
there
You don't think a person should be able to sign up for a Gmail or Hotmail
account anonymously without tying it to their real identity?

~~~
olefoo
I'm not suggesting doing away with internet anonymity.

But I do think I would be a lot more comfortable transacting business remotely
with people I knew had gone in to the post office or DMV and engaged in a
legally binding act of self-identification.

This is completely orthogonal to free speech.

------
palish
Does anyone know technical details about how to crack Gmail's captcha system?
I've no interest (or reason) to actually implement this, but it is very
interesting.

~~~
ash
It seems captcha is being "broken" by people tirelessly entering captcha text
by hand. For money of course. See:

<http://securitylabs.websense.com/content/Blogs/2919.aspx>

<http://blogs.zdnet.com/security/?p=1835>

------
shadytrees
> ... the list of CAPTCHA's it now understands and can bypass is reportedly
> fully up-to-date, and includes newer designs that ask the user to identify a
> cute cat or other distinct animal.

Basically, they've discovered a way to automate cuteoverload.com. And they're
using this power to break captchas. _Bastards._

------
schtog
Why not extend the "click the kitten" with a huge database of pictures?

No one can do image recognition that well yet, right?

~~~
thamer
Isn't that what the article says?

 _There's no further information on how the program has accomplished this
feat, but the list of CAPTCHA's it now understands and can bypass is
reportedly fully up-to-date, and includes newer designs that ask the user to
identify a cute cat or other distinct animal._

I assume the cute cat picture is displayed among other pictures.

~~~
schtog
Yes, but have a large database of tagged pics and choose randomly what should be
identified.

Well I guess the programs could learn a huge database too eventually.

Only solution is give these people a chance to make money in an honest way...

~~~
jcl
I wonder if one couldn't use the large tagged database of images from the ESP
Game for this:

<http://en.wikipedia.org/wiki/ESP_Game>

To get a database that large, the spammers would have to set up their own ESP
Game and tag a big chunk of the web.

Even better, show _two_ images, one with known tags and one unknown, so that
you can build the database further, like RECAPTCHA does.

