Comments on: CAPTCHA arbitrage

By: brian

brian — Sun, 20 Feb 2011 02:19:56 +0000

@Neo, @ movax:

There’s a link in my second paragraph to a freely accessible copy of the paper by Savage et al., which acknowledges funding sources, as most research publications do. What’s your point?

By: Neo

Neo — Sat, 19 Feb 2011 18:12:28 +0000

Was this research one using public funding.?

By: Carl Witty

Carl Witty — Tue, 30 Nov 2010 17:39:01 +0000

I have a theory about the reCAPTCHA weakness described in the update. Perhaps reCAPTCHA “retired” an image after it was successfully solved, and the Wiseguys harvester deliberately did not successfully solve the images?

By: Barry Cipra

Barry Cipra — Thu, 25 Nov 2010 22:58:52 +0000

Brian, are you sure those positives are necessarily false ones? Your filtering service could be trying to tell you something about the friends you keep….

By: brian

brian — Thu, 25 Nov 2010 16:48:41 +0000

Savage et al. discuss the idea of “opportunistic” solving—using pornography (or some other kind of popular content) to induce unpaid users to solve CAPTCHAs harvested from other sites. They conclude: “we do not believe that opportunistic solving plays a major role in the market today.”

As for the numeric-sequence tests I use here at bit-player, writing a program to solve them would be trivial; they work for me simply because this is a home-brewed system, and it’s not worth the effort to create software to break into one site. Furthermore, these days almost all the comment spam is coming from paid human authors, who are not going to be stopped by any sort of CAPTCHA. (Meanwhile, the Akismet filtering service is working quite efficiently to catch comment spam, apart from one or two embarrassing false positives, where friends were classified as spammers. Sorry Bill. Sorry Barry.)

By: bruno

bruno — Thu, 25 Nov 2010 13:58:32 +0000

Cody: indeed, it is interesting. I believe it should be easy to set up. And many people would be happy to have a good-quality porn video for decoding a captcha (if the quality is not high, they could as well go to ponhub or any website so). Question is : is it really profitable?
You would have to pay bandwith + rights to publish the video (although it is optional, I believe it is needed if you don’t want your website to be temporary - and therefore gaining customer loyalty).

Something totally different: wait, it this economy a bad thing? Sure, it annoys lawful people. But it makes spammers pay poor guys in the world! Without the system, the only difference would be that the working poor would no longer have this (lean) source of income. (I believe that people that do this job could not have any other)

By: Joel Reyes Noche

Joel Reyes Noche — Thu, 25 Nov 2010 00:31:24 +0000

Does anyone know of any studies involving the completion of number sequences instead of the solving of CAPTCHAs? (Like what is being done to prevent spammers’ comments on this blog. :)

By: Cody

Cody — Wed, 24 Nov 2010 13:30:58 +0000

From the wikipedia page on “Man-in-the-middle attack”:

Another example of a non-cryptographic man-in-the-middle attack is the “Turing porn farm.” Brian Warner says this is a “conceivable attack” that spammers could use to defeat CAPTCHAs. The spammer sets up a pornographic web site where access requires that the user solves the CAPTCHAs in question. However, Jeff Atwood points out that this attack is merely theoretical — there is no evidence that any spammer has ever built a Turing porn farm. However, as reported in an October, 2007 news story while perhaps not being a farm as such, spammers have indeed built a Windows game in which users type in CAPTCHAs acquired from the Yahoo webmail service, and are rewarded with pornographic pictures. This allows the spammers to create temporary free email accounts with which to send out spam.

I’m curious: if this hasn’t been done yet, why not? I suppose 0.50$/1000 is awfully cheap.

By: YM

YM — Wed, 24 Nov 2010 11:15:26 +0000

Really ? Can somebody please illustrate which part of the world finds $0.17/hour economically appealing ?

I know the study mentions that solvers are fluent in Chinese, Russian and Hindi. I don’t know about India, but I’m sure the Russian and Chinese can find better work.

By: l

Wed, 24 Nov 2010 07:02:06 +0000

Linux: this was addressed at the top of the post. The resources spent developing a new CAPTCHA are far less than the resources that would be spent developing a program to solve a new CAPTCHA. The spammers would fight a never-ending and expensive battle with this strategy. Simply buying human labor ensures that their “algorithm” (send it to someone that knows how to solve it) is more adaptable to new CAPTCHA techniques, particularly because the concept of a CAPTCHA requires that it be solvable by humans.

By: Linux

Linux — Wed, 24 Nov 2010 02:58:07 +0000

Why would they ask people to break CAPTCHA when they could make a great OCR with that money and break CAPTCHA faster and easier ?

By: finack

finack — Wed, 24 Nov 2010 02:35:02 +0000

Arbitrage plays a big part in criminal economies due to lack of transparency and disincentives against large marketplaces. Arbitrage opportunities in drug distribution, for instance, often far exceed the opportunities in licit supplier networks.

By: movax

movax — Wed, 24 Nov 2010 00:26:50 +0000

Ethics. I would only care here if this research was done using public funding. Was it?

By: John Cowan

John Cowan — Tue, 23 Nov 2010 20:47:30 +0000

Criminal economies aren’t free of regulation. They are regulated by guys who show up on your doorstep at 3 A.M. with AK-47s instead of court papers.