How Captcha was foiled: Are you a man or a mouse? August 30, 2008
Posted by Suyash Kumar in General Talk.Tags: captcha, hack, messaging, security, tech
add a comment
Captcha systems to stop automated posting have been “completely broken” by spammers, experts say. So what’s the alternative?
Tim Anderson
The Guardian, Thursday August 28 2008
Article history
“Captcha is the bane of the internet,” says Matt Mullenweg, who runs the massively popular blogging site WordPress.com. “I can’t figure them out myself half the time!”
He is referring to those squiggly, distorted images commonly seen when registering for internet services such as free email accounts or blogging sites. The user has to type the letters in the image before proceeding. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The idea is that humans can read the letters, but computers cannot, thus preventing automated scripts from registering.
Websites use Captchas in an attempt to disrupt the spam and malware economy – but they are not working. “Spammers and malware authors are able to break Captcha process,” says Carl Leonard, a threat research manager at Websense Security Labs. “As a result, we’ve seen an increase in the amount of mail sent out from reputable mail services such as Gmail, Hotmail and Windows Live Mail, and an increase in the number of blogs that host malicious content, or content that the spammers wish to advertise.” Email accounts on such services are particularly valuable because spam filters cannot block them without also blocking genuine mail.
Techniques to break Captcha are nothing new. First, if a human can read an image then the chances are that software can do the same thing. In 2005, a software developer, Casey Chesnut, wrote a Captcha-breaking algorithm and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability. In response to this kind of attack, Captcha authors have devised tests that are harder to solve. Images may be more squiggly than they used to be, making them harder to break but also more troublesome for legitimate users. Other ideas include 3D Captcha, relying on object recognition rather than character recognition; or framing questions that are trivial for humans to answer but hard for software to parse. Some approaches work better than others, but there are a number of inherent problems. One is that many Captchas are inaccessible to the visually impaired, and will fall foul of accessibility legislation unless there is an alternative. Another snag is that spammers may play their trump card, using humans.
Human resources
“Many attackers have found creative ways to entice humans to unknowingly solve the Captchas for them,” says Jamie de Guerre, chief technology officer at Cloudmark. “This relay attack involves copying the image served in a Captcha to a user somewhere else, having them solve the Captcha, and then copying their response back to the original website.”
Another option is to pay. Spammers have employed large teams of temporary staff to solve Captchas, effectively “rooms of people”, usually in a third world country, sitting at a computer and solving Captchas.
“Most Captchas have been completely broken” says Leonard, adding that the problem is getting worse. “We’re seeing more Captchas targeted, more Captchas broken. I don’t see how the targeting by the malicious authors right now is going to go away. It’s still in their interests to get hold of these valued accounts.”
Despite these issues, heavily attacked companies such as Microsoft are not abandoning the system. “We are updating our Captcha system to be both more readable for customers but more difficult to break through,” a spokesman said. “Improvements include new image distortion logic, overlapping characters and dynamic monitoring capabilities to observe attacks in real time and make necessary adjustments to mitigate them. In addition, we continue to make advances to better prevent spammers from using Hotmail accounts, once created, to successfully send spam.”
That is all very well, but the failings of Captcha impact every internet user. It is not only a matter of more spam choking inboxes. Breaking Captcha enables networks of computers to post malicious content to legitimate sites. “The huge increase in numbers of legitimate sites affected radically changes traditional trust relationships on the web,” says Pete Simpson, the ThreatLab manager at ClearSwift. “Steering clear of dubious sites has always been sound advice, but steering clear of legitimate sites is not an option.”
What can replace Captcha? “There’s probably going to have to be some kind of layered security,” says Leonard, “It’s up to the industry sectors which and how many layers of security they wish to employ, dependent on what sort of site they have.”
Layered security means adding human or third-party checks to actions like registration, and then monitoring content later to check for malicious use. The trade-off is that as security increases, usability decreases. Heavy-handed security can easily kill the conversation on social networking sites which depend on making it easy for new users to engage with the community.
Safety net
In the end, it is just another angle on the woeful security that characterises today’s internet. New authentication schemes such as OpenID, or Microsoft’s CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter. Such a system depends on receiving sites being selective about which third parties they trust to verify a user’s identity. That said, the internet is a long way from adopting this level of security, and there is always a danger that whatever steps the industry takes to improve authentication, the scammers will keep up with innovations of their own.
Mullenweg’s answer is to focus on the content rather than the user. His Akismet system for preventing spam comments relies on a combination of secret algorithms and community reports, and has proved remarkably effective.
“Ultimately Captchas are useless for spam because they’re designed to tell you if someone is ‘human’ or not, but not whether something is spam or not. Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”
Glossary August 26, 2008
Posted by Suyash Kumar in General Talk.Tags: Glossary, Linux, LUG, Manipal, Terms and definitons, wiki
add a comment
Started my work on a glossary on wiki where the definitions and brief explanations are given for some basic terms that we come across in our daily life while using GNU/Linux.
Here’s the link:
http://wiki.lugmanipal.org/Common_Words_and_Definitions
LOL, this is hilarious August 26, 2008
Posted by Suyash Kumar in General Talk.Tags: funny, jokes, Linux
1 comment so far
i caught hold of this thing on the Ubuntu forum- read it ROFL
Trying to please the wife with Linux
Trying to break the hold that Windows has over my wife, and hoping to wipe the hard drive to leave room for Linux only. I felt almost certain that Ubuntu would move her in a better direction.
I said: Try this out darling, its the most popular Linux… and rightfully so. I’m sure you’ll adore it.
She said: What’s this gay orange bird on the background? What do you think I am? You are sick! Then she bitchslapped me.
So next I installed Xubuntu, feeling confident that the mouse mascot would win her over.
I said: Try this one dear. It is so very fast and efficient. She took one look at it.
She said: Do you think I want a friggin mouse on my desktop? Are you some kind of idiot? You’ve got an efficient mouse up your butt! Then she bitchslapped me.
So I then installed Debian thinking that going to the very heart of Linux would stir her sense of tradition.
I said: Look honey, this is the most stable of them all.
She said: You fool, it looks more gay than the Ubuntu ostrich. Then she bitchslapped me.
So, thinking that super-fast might get her hotrod blood pumping, I installed Mepis antiX.
I said: Try this one sweetheart, there are faster ones but this is very cool.
She said: WTF!!! Now you think I’m some sort of devil worshipper? Then she bitchslapped me.
So, thinking that something a bit more conservative would un-stimulate the Windows brainwashing she had succumbed to, I installed Mint.
She said: Ohh, that’s nice.
I said: But Mint is just a blatant ripoff of Ubuntu. I’d rather have Ubuntu.
She said: How dare you accuse them of being ripoffs. It’s very professional looking. Then she bitchslapped me.
So, finally admitting defeat….
I said: OK sugar pie, I’ll just leave Windows on the computer.
She said: Actually, I kind of enjoy trying out all the distros. Then she bitchslapped me.
MORAL: For some people, the artwork means everything. Let my story be a warning to all well-intentioned husbands.
Hello world! August 25, 2008
Posted by Suyash Kumar in General Talk.Tags: CSE, Fedora, Linux, OS
1 comment so far
After making my previous blog, i felt the necessity to make my own technical blog for myself for 2 reasons:
1, Because i am an engineering student in the field of computer science and engineering.
2 After switching from Microsoft Windows(blech!!!) to Linux(Fedora to be more precise), i felt it neceessary to have platform of my own where i could praise it to my hearts fill.
Hope it proves helpful to all those linux newbies out there.
Enjoy
