Recaptcha hacked, 4Chan votes moot world's most influential

Time.com hosts an annual poll intended to allow the people to cast votes for the world's most influential person - the Time 100. This year, however, the winner wasn't decided by the general populace, but by a collective 'Anonymous' instead. Despite Time's claims that their IT team "detect[ed] and extinguish[ed] several attempts to hack the vote”, all signs point to a clear and obvious hack by the 4Chan populous. moot, 4Chan's 21-year-old founder & college student, tops this year's results. Atop the board, his first initial, 'm', initiates the second sign of a sure hack - the first-letter schema going down the board spells "mARBLECAKE ALSO THE GAME".

So how did they do it? They started with a collection of autovoters, meant to easily and efficiently stuff the ballot box. However, with just two weeks left before the cut off, TIME wised up and placed ReCAPTCHA on their submittal form, instantly halting the auto-voters and effectively stopping thousands of votes per minute. However, their effort would not stop the team from achieving their goal.

Anonymous soon tried to overcome the new CAPTCHA device by analyzing the words, breaking them into characters, and then using OCR to detect and complete the form. However, this proved to be a difficult challenge, so they moved on to Plan B. ReCAPTCHA always present two words, one a control and the other an unknown. By injecting a single word into all the unknowns enough times, soon enough words would be flagged with the seed word that auto-voting could continue. A large number of digital books would then contain a bit of a vulgar typo for years to come, but Anonymous could get back on track. Weighing out the efforts and the time left in the poll, the team opted for a third option, Plan C.

With the deadline quickly approaching, the team decided that manual votes were the only way to go. They sat down, analyzed the ReCAPTCHA mechanism, and devised a set of rules (found here - PDF) which allowed them to vote as quickly as possible, most times entering only one word, and thus maximized their productivity. Off to work they went, casting votes themselves and allowing others to use a new customized front end to cast votes in favor of their effort. After 40+ hours of dedicated, streamlined voting and a LOT of calculated effort, their hack message had been restored. The poll soon closed, however, TIME overlooked a few loopholes and failed to disable the voting URL's, further allowing the Anonymous team to concrete their results.

Internet crowd, FTW (again).

Interesting timing. I was just reading an article this morning on a CAPTCHA free internet

http://www.slate.com/id/2216837/pagenum/all/

It is very good to read it well done.

ugh 4chan

Here's my take on the CAPTCHA issue, and this is something that I have spent a LOT of time thinking about.

All over the web, there are people proclaiming the death of CAPTCHA, that the bots have won, and that there needs to be a better way to determine bot from human.
Most of them are well-intentioned people frustrated with having to identify squiggly letters and some of them even have good insight, such as the article that Atno linked that said that for a true Turing test, "the goal is to determine whether a computer can behave like a human, not perform tasks that a human can".

The problem, with regards to web implementations of CAPTCHA, is that they are limited by the web. What I mean is this:
In order to trick a bot, any code used must necessarily be hidden from the bot. For the web, that means the generation and validation code for ANY test must run on the server.

Because most of the code that generates content that a user (and a bot) can see is clearly available to the browser, we have to assume that anything that a user can do, a bot can do as well, with one exception: Acting like a human.

THIS is THE reason for the current state of CAPTCHA. The methods we have at our disposal for determining if something is "acting like a human" are run in the browser (tracking mouse movements, keyboard inputs, etc), and can be tricked/emulated by bots. Even with compiled languages, such as Flash or Java, it's only a matter of time before someone writes a bot that can read, interpret and trick them.

There also exists a dichotomy in the two sides of the CAPTCHA equation. Webmasters generally don't want to HAVE to validate everything that happens on their website (because it doesn't really make them money), and spammers who will do anything to post links on a comment board (because it CAN make them money). This is why spammers are willing to pay people to to enter CAPTCHA's and webmasters rely on code that others have written (such as recaptcha) to protect their forms.

With the current state of web technology, there really are only 2 options. The first is writing server-side scripts to make it more difficult for bots to get through. The second is manual validation of form inputs.

The best we can currently do is keep trying to stump the bots. There are things we can do, individually, to help things
1. Don't use popular CAPTCHA software. The more popular it is, the more likely it is to be targeted and broken. Write your own, or pay someone to write some for you.
2. Stop relying on word recognition. Use image recognition, or word/image association.

Either way, until web tech improves, we're pretty much stuck with CAPTCHA.

EDIT: Another thing that the whole CAPTCHA thing completely fails to address is accessibility to people with disabilities.

I think that's the most accurate thing I've ever read about CAPTCHAs.

In that case, CAPTCHA could be reworked so that there are thousands of different tasks that could be presented to the user at random.
Simple things like "Type the words awesome blossom into the second box below" or "Click the 3rd box from the right in the 4th row below" that by themselves could easily be automated, but grouped with several thousand other types of tasks would require automators to write several thousand mini-programs to deal with different types of tasks instead of a single program that deals with the same task over and over again.

Eventually these things would be recognised and automated, but if you start with several thousand types of tasks and create new ones every day coupled with linking messages posted to the tasks performed in order to post that message so the ones being automated can be identified and removed from circulation quickly you should be able to stay ahead of the bots.

Another thing that bugs me about the whole CAPTCHA thing: Fearmongering.

For instance, many sites reported on this incident as "Recaptcha Hacked". Recaptcha was not hacked, not in the least. What 4Chan did was wrote a script that loaded thousands and thousands of instances of the form so they could fill it out at their leisure. The fault here lies with Time magazine, and the fact that they apparently took the form offline at a specific time, but didn't take the form processing script offline at the same time.

I don't think there is anything currently wrong with CAPTCHA (though there probably will be in the future). The problem is that too many people are not able/willing to do anything about bots, they rely on the most popular CAPTCHA methods, and those methods are the ones that are targeted. The other problem is that those of us that do write CAPTCHA scripts generally write one method (myself included)

Joebert, you have some good ideas, and your ideas sparked some ideas in me, and who knows, I may implement them in a rotating/random method

Funny side note: Every time I load this thread, I see the "Captcha Creator" banner ad at the top. My captcha has been available for free for 2 years and has audio, AND sites like that (and mine as well) are a BIG part of the problem with everyone using the same CAPTCHAs.

heh, I was waiting on someone to call me out on this. I felt the same as you, but buzzwords sell.

But how about captcha and one more security addon (I don't how it is named) when you see two numbers, (minus,plus or smt else) and you need to input its sum?
It is not better?

There would be very little difference between the approach to overcome words and to overcome your proposed challenge. If I can use OCR to recognize text, then I can do the same to recognize numbers, and the math, well it's just easy from there.