The end is nigh. Days after the Windows Live Mail CAPTCHA system was cracked by spammers, reports state that the Gmail CAPTCHA system has fallen as well.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Ever signed up for an email or forum account, and been required to enter in a group of characters? That's a CAPTCHA system.
Folks are calling this hack the most sophisticated they have seen to date. Whereas cracking Windows Live Mail CAPTCHA required one compromised host, cracking Gmail took the combined efforts of two hosts. And because of Gmail's more sophisticated CAPTCHA system, only one in five breaking requests succeeds.
While one in five doesn't sound like much, keep in mind that Spambots are constantly working at registering hundreds of email addresses at a time, 24/7. These Spambots can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or fear. And they absolutely will not stop, ever, until you are dead.
Oh, wait, that's another bot we're thinking of...
So for all the spammers' effort, what are they getting in return?
- They gain access to Google's wide portfolio of services.
- They gain an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defenses.
- Gmail also has the benefit of being free to use.
- Because Gmail has millions of users, it makes the spammers harder to track.
[via ars technica]

Reader Comments
2-27-2008 @ 4:55PM
zatrix said...
As somebody who has undertaken the feat of defeating captchas for education purposes I salute the spammers. That was likely no easy task.
2-27-2008 @ 5:41PM
will said...
I think if they used a picture system, it'd be harder to crack. Like display a picture of an apple, and ask the user what is the picture of.
If someone doesn't know what an apple is, they don't deserve to use the service.
2-28-2008 @ 12:07AM
RP said...
You mean like an Apple MacBook Air or something? j/k :-)
I guess as long as they accept answers in all languages, it should work.
2-28-2008 @ 9:54AM
kingkool68 said...
A picture system would not be as effective due to the limited number of possibilities. Plus it would require a lot more human effort on the backend to come up with pictures/correct answers compared to a computer script of contorted numbers and letters.
Everyone interested in Captchas should listen to Security Now Episode #103 where Steve Gibson talks in depth about the problem -> http://media.grc.com/sn/SN-101.mp3
2-27-2008 @ 6:18PM
lagartoflojo said...
@will
You are assuming that everyone speaks the same language.
2-27-2008 @ 6:20PM
Nate said...
To Will: But how many pictures can they hold? I mean with random text and numbers billions of combinations can be created. While with the picture system, pictures must be either found or taken, then listed as what they are. Limiting the potential of the system because the spammer could just make a bitmap of every CAPTCHA due to the smaller amount of them and have it compared to the current image, a resource intensive process, yes, but an easy crack.
2-27-2008 @ 8:13PM
Marshall said...
If they took the images that had gone through Google Image Labeler http://images.google.com/imagelabeler/, there would already be a list of words associated with the image, so you wouldn't have to get the exact word that one person thought described the picture.
Suddenly you have a huge pool of pictures to choose from, and more than one word for each.
2-27-2008 @ 8:37PM
Nate said...
@Marshall
Hmm, didn't know that existed. I guess you learn something new every day.
2-27-2008 @ 8:05PM
kingkool68 said...
Gmail should up the requirements for signing up with their e-mail accounts with a stronger identity verification system. After all, Gmail isn't like any old fad website, it's the center of your web life.
I'm not worried, Google has got a lot of smart people who can work up something more robust.
2-28-2008 @ 12:08AM
RP said...
During the invitation-only phase, didn't they require a cell phone #, to which they would send an SMS message?
How hard would that be to do again?
2-28-2008 @ 12:32AM
michael said...
This obviously disproves some loyal Gmail users saying that Gmail is absolutely the best and invincible web mail. Just kidding.
But obviously, Gmail has its own issues as well. I wonder how they'll fix this.