CAPTCHA Meltdown

It seems like it was just the other day that I was writing about how CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) was quickly becoming completely useless for Web security. Actually, it was just the other day (two days ago), but I was wrong. CAPTCHA is already completely useless.

I found the proof of this in the latest blog post by Sumeet Prasad, a threat analyst at the Web security company WebSense. There, he declared that there's now a botnet-based program that can beat Google's Blogger CAPTCHA.

The program's not terribly good at breaking Blogger's CAPTCHA. WebSense estimates it has an 8% to 13% success rate and takes about 35 seconds per attempt. But with hundreds to thousands of zombied home PCs doing nothing but trying to create fake blogs, the program doesn't have to be very good at it.

Once it's cracked a Blogger session, the program then calls on other programs to set up a spam page. Or, and this is where they get really sneaky, the Blogger page itself can contain nothing harmful but use JavaScript to send your browser to a site that is filled with spam or malware. Although Prasad didn't mention it, I can easily imagine a bogus Blogger page that sends your PC to a malware-spewing site that will try to infect your system with the Blogger CAPTCHA-breaking software. In this way, the Blogger CAPTCHA botnet can keep growing and growing and… well, you get the idea.

I suggested last time that the Web companies might want to start replacing CAPTCHA with image-based authentication systems like ALIPR (Automatic Linguistic Indexing of Pictures) IMAGINATION. Other security programs try similar approaches, like indentiPIC, which has people identify three images from a pulldown list. Still other security companies, like Securimage, are trying to give new life to CAPTCHA by hiding alphanumeric characters in more complex images.

Many people told me that the image-based systems are just too hard for ordinary people to use, never mind people with vision impairments. They're right.

However, any CAPTCHA system is already nothing but a frustrating annoyance to the blind or visually impaired. As far as I can tell, there have been no ADA (Americans with Disabilities Act) lawsuits filed against a company using CAPTCHA. If it weren't for the fact that CAPTCHA is already busted as a security measure, and therefore should be on its way out, I wouldn't be surprised to see an ADA class-action suit against a company using CAPTCHA.

Still, we're left with the problem of what we do to secure free Web services and e-mail sites without CAPTCHA. The big companies that rely the most on CAPTCHA for security (Google, Microsoft, and Yahoo) don't show any signs of moving to another, better authentication system.

I sometimes wonder what it's going to take to get the corporations to replace CAPTCHA. Blogger being overwhelmed by spam sites? People blocking all Hotmail and Yahoo Mail e-mail from their desktops?

It's going to happen, you know. The smart crackers and spammers like to keep the Internet and PCs just poisoned enough for them to continue their work of phishing for your personal information and spreading spam to every e-mail box in creation. The dumb ones, and oh, are there some dumb ones out there, will overplay their hand.

Thanks to those dopes, we probably will see a blog site CAPTCHA-breaker that doesn't know when to stop. Can you see a day when people don't look at blogs for the same reason they no longer read Usenet, because the ratio of garbage to useful information is so high that it's not worth the trouble? I can.

I really hope that security companies, and their big online site customers, can implement a solution before that day. Unfortunately, I have a sinking feeling that it is going to take a disaster before CAPTCHA is ripped out and replaced with something better.

What People Are Saying

Craigslist does charge in some categories

In your main article, you noted "With combat costs mounting, it's hard to see how Craigslist, which has always been a free service, can continue to survive with its no-visible-means-of-revenue model."

This is incorrect. Craigslist grosses many millions per year by charging for job listings and apartment broker listings in limited markets. See their FAQ on this. So they have quite a bit of money that they devote to solving a problem that threatens their existence.

Whether they can defeat the spammers is entirely different, of course.

The Problem

The real problem is the system architecture. A Security mechanism that relies on somehow identifying all Attackers is destined to fail.

I understand that some security packages now have over a Million "threats" they have to scan for.

This is a self-defeating strategy.

The correct strategy is the one used on IBM's Mainframe systems: Only Authorized Programs execute and Only Authorized Users get to run them. It's a Much Shorter List and one that can be maintained by the Computer's Owner.

The other part of the problem is the Language Architecture. Things like "Buffer Overflows" and "Memory Leaks" are the fault of the "Object Oriented", "break it up into tiny little pieces" methods of programming.

A sane Language/Compiler combo would not Allow the "Buffer Overflow" to occur. The simple act of Checking the Size of the 5 pound bag BEFORE stuffing in 10 pounds of cr@p would solve this problem. Most 8 year olds could figure this out.

"Memory Leaks" are the results of umpteen gazillion "Objects" each asking for its own little chunk of storage, then improperly written programs not "knowing" when to release them. Storage management is a time consuming process under the Best of conditions. Yet, we have languages which go out of the way to make it worse. The simple solution is to Plan storage allocation as part of the overall design of the application and allocate the majority of the storage in a single, carefully planned block which can then be worked with by the various routines which make up the program, and released all together when the application Exits.

The time saved in Storage Management would allow the Applications themselves to execute much faster, resulting in Useful Work being accomplished.

Time and Inconvenience

The only sure-fire way to implement a counter-measure is to make the work-arounds of stopping measures cost too much in time or convenience to be worth it. The problem being that this also costs the legitimate users time and convenience, which is like cutting off an infected limb.

The surest counter-measure I can think of is to make the person signing on talk to a real person. For every programmed question there can be a programmed answer. For every computer-generated pattern there can be a computer generated pattern recognition application. For the time being however, there's no way for a computer to talk to a person and really fool the individual. (For the time being)

The problem is a matter of cost; it doesn't cost the cheaters nearly as much as it costs the service-providers in this game. Using human security is expensive. While the cheaters just have to react to the counter-measures, it's not like they're a legitimate business. Meanwhile, the service providers not only have to pay for security measures to keep their business legitimate in the eyes of the consumers, they also have to keep their customers happy.

The worst part? If the cheater's tactics don't work, it's only a problem for the cheater. If the security measures don't work, not only is it a wasted effort for the service provider but there is the potential spill-over to also create problems for their customers.

I don't see how there can ever be a final solution, because as long as there's money to be made cheating the system someone will figure out a way to exploit it. In the meantime, all security can do is continue to change and evolve in order to make sure the system is never overwhelmed and a limb must be sacrificed.