http://www.videolan.org/pwntcha/
Hm, "pichan" looks familiar. Uh-oh...
Yeah, it's been mentioned before:
http://wakaba.c3.cx/soc/kareha.pl/1121005876/4-5
> An apparently weak captcha.
The master of internet security has spoken.
Yes, I'll be more impressed if somebody actually does crack it. On default settings, though, it's maybe not all that hard, but the settings can be tweaked to make it more difficult. However, it then also gets more annoying.
For now, it's been set to be just hard enough that script kiddies can't crack it, which is enough. And that's all that it takes, which is what this guy and his bragging doesn't seem to get. Captchas are not crypto, and breaking them does not serve the common good in any way.
I'm pretty certain the current settings are easily crackable, although I wouldn't know without trying. If you consider each letter solely as a set's magnitude you may guess where I'm going. Knowing the grammar also helps.
Fortunately, it's beyond the ability of a script kiddy. There seems to be an inverse correlation between knowledge and jackassery (and age snerk).
>>4
I disagree, there is some common good in breaking them. At least, until all sites provide an alternative to people that are colourblind (not all of them take this into account), foreign languages, blind, et cetera.
There is also the issue that they do only provide a minimum of security thanks to the "put the captcha on a porn site" method.
They are also annoying the user constantly, in fact they annoy me more than even the spam messages do (Note I mean spam, not floods).
Lastly, as long as he doesn't release the code--what harm has been done to the 'security' of the captchas? Research and disclosure about breaking captchas allows for the production of better captchas, and hopefully they will get to the point where humans can read them still.
> There is also the issue that they do only provide a minimum of security thanks to the "put the captcha on a porn site" method.
Only relevant to large sites. Like WAHa said, it raises the bar.
Besides, there are ways to prevent that too. Ensure that the referrer is always your site, and prevent any IP or block of IPs from requesting too many captchas, and their job becomes a lot harder.
If you make it hard enough, hopefully the undesirables will move on.
> They are also annoying the user constantly, in fact they annoy me more than even the spam messages do
Depends for what. You normally only see it once when signing up for an account somewhere. It's a tiny investment for a large collective return (which is steadily diminishing).
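The two server-side checks suggested in the post above (a Referer check plus a cap on captcha requests per IP and per block of IPs), sketched as an added example that is not part of the original thread or of any board software. The host name, limits, window length and class name are assumptions chosen for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

SITE_HOST = "board.example"  # assumption: hypothetical site host
PER_IP_LIMIT = 5             # assumed: captchas per window for one address
PER_BLOCK_LIMIT = 20         # assumed: captchas per window for one block
WINDOW_SECONDS = 600


class CaptchaGate:
    """Decides whether to serve a captcha image to a client."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)  # key -> timestamps of served captchas

    def _recent(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()  # forget requests older than the window
        return len(q)

    def allow(self, client_ip, referer):
        # The Referer header is sent by the client, so this only stops
        # plain hotlinking of the image from another site's pages.
        if urlsplit(referer or "").hostname != SITE_HOST:
            return "deny:referer"
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        ip_key, block_key = ("ip", str(addr)), ("block", str(block))
        now = self.clock()
        if self._recent(ip_key, now) >= PER_IP_LIMIT:
            return "deny:ip-limit"
        if self._recent(block_key, now) >= PER_BLOCK_LIMIT:
            return "deny:block-limit"
        self.hits[ip_key].append(now)
        self.hits[block_key].append(now)
        return "allow"
```

Denied requests are not counted, so a blocked client is let back in once its earlier requests age out of the window.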
>>7
Yes when you only see it once it really isn't a big deal, but when you have to solve one every time you try to post it becomes a complete pain in the ass (imageboards, comments on blogs, comments on news stories...)
>>and prevent any IP or block of IPs from requesting too many captchas, and their job becomes a lot harder
You don't need to request a lot, only request one when someone connects to your dummy site and put a timeout on how fast you spam particular sites...preventing lots of captcha gets is exactly equivalent to preventing excessive posting, so the captcha serves no purpose in this case
>>Ensure that the referrer is always your site
This does nothing, the server fetches a captcha when it needs one and then once the dummy has solved it it then submits it... if it fails fail the dummy and try again, how exactly does a referrer do anything?
>>Only relevant to large sites.
One dummy porn site can service the spamming needs of many, many small sites. Large sites are not likely targets that will be effective, as they will put things into place that deal with them even after they get through (moderators deleting, saging, whatever). The ideal target is one that has an audience but isn't large enough to get hit often. Example: GNAA can spam slashdot all they want, but they will get modded down and dealt with quickly no matter how well they spam/troll/whatever
My point isn't that captchas are bad/should be done away with (which is a whole 'nother discussion), but that breaking them doesn't hurt them if it isn't disclosed
> when you have to solve one every time you try to post
I am only familiar with Wakaba doing this. All other examples of captcha that I can think of work for sites that use accounts.
And Wakaba's captcha is intentionally very easy to read. The only people who need worry about the captcha are mass-posters like Sling, and there's a patch out there that allows them to circumvent that.
> only request one when someone connects to your dummy site
Which is why you limit IPs. A server-based approach won't work well, containing the damage. You might get several accounts, but that's less of a problem for the target than a few thousand.
> the server fetches a captcha when it needs one
Because one way around the limitation on IPs is to hotlink the captcha. This prevents that.
> One dummy porn site can service the spamming needs of many, many small sites
Yeah... except that people don't have much reason to do that. Why would I go through all that effort for Joe Blow's Tiny Imageboard? Making a viable porn site so you can crack captchas is a lot of work.
Again, it raises the bar. That's the entire point.
>>Yeah... except that people don't have much reason to do that. Why would I go through all that effort for Joe Blow's Tiny Imageboard? Making a viable porn site so you can crack captchas is a lot of work.
It is, but it is a -one time- investment. Once it is set up you can easily add many, many sites with captchas that you need to deal with... Joe Blow's Tiny Imageboard just becomes one in a list of thousands that can get spammed, even using a single IP you can spam a lot by hitting multiple targets instead of one.
Even then, there are plenty of proxies and zombie machines out there to tunnel through, so an IP limit does not do much.
>>Again, it raises the bar. That's the entire point.
I agree, it does raise the bar. Joe Idiot isn't going to defeat captchas to mass spam his freeipod link or outwar or whatever, but they provide little protection against real spammers
> I agree, it does raise the bar. Joe Idiot isn't going to defeat captchas to mass spam his freeipod link or outwar or whatever, but they provide little protection against real spammers
I think you are overestimating spammers. Most spammers are morons. They use software others have written for them, and those others are not good programmers. Very few decent programmers would do such a thing. I know, I've dealt with spammer software, and even on the receiving end it is often visibly buggy.
For the vast majority of them, I am quite certain spammers and spam software makers are incapable of breaking captchas. UNLESS somebody goes and gives them the tools to do it.
This is gradually changing though, because criminal elements are beginning to move into this arena. With money comes skill.
However, I suspect these people don't bother with sites like yahoo, gmail, livejournal, or whatever else. They use botnets instead.
You can do a lot of things with a botnet, particularly if you're a good coder...
>>I've dealt with spammer software, and even on the receiving end it is often visibly buggy.
Something like 25% of the spam email I get has things like %RND_UCHAR[3-5] and such =D
Yes, Joe Spammer is probably using some crappy bought software, but eventually (if captchas stay around) Joe Spammer is going to be able to defeat them (programmatically or through other methods)
The guy who selected his dictionary list for the first name and last name dictionaries was a genius, though. I grepped some 9000 spam emails for the results of that, and found (among other hilarious names), spam from one "Bathroom P. Skills".