#1
Captchas
I just saw an article saying that the captcha for hotmail (excuse me: windows live mail) has been defeated. This follows on the heels of defeats for Google and Yahoo as well. The story makes the point that a single zombie machine can now create about 1440 accounts per day, with a success rate of 10-15%. What in the world!?! First of all, that number seems inflated. How many zombie computers run 24/7, or can devote their full processing power to a task without alerting the user to the presence of zombie software? Secondly, you'd think they could keep a look-up table of IP addresses separating residential (fewer than 5 machines) from corporate (many more) and limit the residential machines to say 5 new accounts per day. For the corporate IPs, limit the number of failed attempts to a reasonable amount (say, 1000) before cutting off that IP as well. That would stop the vast majority of bad accounts, enough that it might not be profitable to the spammer any more. I haven't heard of anyone doing that, and it seems an obvious enough solution that I'm wondering where the flaw in my process is?
__________________
Primary Forums: .Net Development, MS-SQL, C Programming VB.Net: It's not your father's Visual Basic. [Moving to ASP.Net] | [.Net Dos and Don't for VB6 Programmers]
Last edited by f'lar : April 15th, 2008 at 04:27 PM.
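The per-IP limits proposed in post #1, sketched as an added example (not part of the original thread). The address ranges in the lookup table, the stricter default for unknown addresses, and the reading of the article's figures as 1440 attempts per day with one in eight solved are assumptions; the same limiter can be run against the shared-address (NAT) case raised in reply #2.

```python
import ipaddress
from collections import defaultdict

# Constructed lookup table (documentation ranges, not real ISP data).
IP_CLASSES = [
    (ipaddress.ip_network("203.0.113.0/24"), "residential"),
    (ipaddress.ip_network("198.51.100.0/24"), "corporate"),
]
RESIDENTIAL_SIGNUPS_PER_DAY = 5      # figure from the post
CORPORATE_FAILURES_PER_DAY = 1000    # figure from the post


def classify(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in IP_CLASSES:
        if addr in net:
            return label
    return "residential"  # assumption: unknown addresses get the stricter cap


class SignupLimiter:
    def __init__(self):
        self.created = defaultdict(int)  # (ip, day) -> accounts created
        self.failed = defaultdict(int)   # (ip, day) -> failed CAPTCHA attempts

    def attempt(self, ip, day, captcha_ok):
        """Return 'created', 'captcha_failed' or 'blocked' for one signup attempt."""
        key = (ip, day)
        kind = classify(ip)
        if kind == "residential" and self.created[key] >= RESIDENTIAL_SIGNUPS_PER_DAY:
            return "blocked"
        if kind == "corporate" and self.failed[key] >= CORPORATE_FAILURES_PER_DAY:
            return "blocked"
        if not captcha_ok:
            self.failed[key] += 1
            return "captcha_failed"
        self.created[key] += 1
        return "created"


def simulate_bot(limiter, ip, day, attempts=1440, solve_every=8):
    """Replay one bot-day: `attempts` tries, one CAPTCHA in `solve_every` solved."""
    results = [limiter.attempt(ip, day, i % solve_every == 0) for i in range(attempts)]
    return results.count("created")
```

With these numbers the residential cap holds a bot to 5 accounts per address per day, while the corporate failure cap only trips after 143 accounts have been created; six genuine users sharing one residential address also hit the cap on the sixth signup.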
#2
I had a feeling this was inevitable. Computers just keep gettin' smarter, which is both a good and a bad thing.
IP address blocking is obsolete. So many people are using NAT/PAT that you can't tell how many users there might be on the private network behind the router(s) using it.
__________________
Spreading knowledge, one newbie at a time. Learn CSS. | PHP includes | X/HTML Validator | CSS validator | Dynamic Site Solutions IE7: the generation 7 browser new in a world of generation 8 browsers. Design/program for Firefox (and/or Opera), apply fixes for IE, not the other way around.
#3
Yeah, I didn't think the graphic captchas were very good; it only seemed to have been a matter of time before someone spent enough time to write a program to "crack" it (and it was).
Now I just wonder, what is the next step to stop bots? There are a lot of captchas I can't even read, and now bots can read them. What comes next? I think they really need to find a way to make spam truly ineffective and not worth the time. Rather than trying to stop the spammers, there needs to be a way to make it a costly endeavor on the spammers' part, and to weaken the benefits of people who can afford to do this. So in this way they will eventually have to call it quits when they run out of funding. Of course, how can this be done? Who knows!
#4
Computers haven't gotten smarter. Programmers have gotten smarter and computers have gotten fast enough to execute their long-drawn-out plans for exploits.
I have never thought that captchas were particularly worth a ****. Maybe that's because I began in OCR back in the mid-80s. The proponents of captcha believe in distorting an image to the extent that it is barely recognizable by a human, knowing that human brains have analysis abilities that are superior to those of machines (only because no one understands those abilities enough to replicate the process with a machine). The secret to a good captcha is not to distort it, but to place it with other intruding elements, and background noise. These techniques will defeat the OCR of today. Check back tomorrow for the next step, as the opponents will always improve.
__________________
C/C++ pointers (Original in the "Commonly Asked Questions" thread).
#5
I've often wondered why they didn't just reduce the kerning on the letters and mash them tightly to each other.
#6
|
Then you probably need to think about it some more. A computer ain't you, bubba, regardless of its perceived superiority.
#7
|
what are you going on about now ....
#8
Quote:
When senders carry the burden of the cost of email, rather than the receivers, it will alleviate this problem considerably. http://homepages.tesco.net/J.deBoyn...oposals/IM2000/
__________________
It's not always a matter of what you can do with a language, but whether you should. [JwD]
#9
Quote:
The best approach is active filtering on the backbones and at the ISP level to kill spam at the gateway.
#10
Captchas are still effective in the right places. For a blog, a simple captcha on the comments form is quite effective, and it doesn't even have to be randomly generated.
I'm not surprised at all that so much effort was spent to break the captchas of such big sites.
#11
I have always told new coders to take the security measures that are appropriate for what you have to protect. That of course includes the server and the network that the site is on.
CAPTCHAs will probably still be effective for run-of-the-mill sites for a while yet. Grin is right, if you introduce some noise and perhaps even some animation into the process, it makes it much harder. I vary the font and the background for mine, and try to introduce as much random noise as possible in the background. The text itself can still be readable. The key is to make it hard for software to pick the text out of a complex background, not mangle the text to the point of un-readability.
__________________
"Strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony! Well, but you can't expect to wield supreme executive power just 'cause some watery tart threw a sword at you! I mean, if I went 'round saying I was an emperor just because some moistened bint had lobbed a scimitar at me, they'd put me away!"
#12
So, like I said, wouldn't reducing the kerning on the characters such that it's in the negative ranges plus the usual rotation, distortion, skew, noise make it more difficult for computer recognition? I don't see much of that around.
Also, doesn't having different font sizes for each character make it a little easier to detect when they intersect with each other?