
After so much work, gotta love the footnote here: "Note: In the hours before our presentation/release, Google pushed a new version of reCAPTCHA which fully nerfs our attack."


This isn't a huge problem for security people. Indeed, at most academic security conferences, by the time you present your work it has usually already been broken and/or countered.

The goal of good research (and one that differentiates researchers from criminals) is to present a proof of concept and to advance the state of security. The fact that security is a perpetual arms race is incidental.

Well, at least that's what security researchers tell themselves anyway to avoid going mad. :)


What makes it funny is that the bulk of the article isn't "here's how we did it and what we learned," but "here's what you need to do to get our code running on Ubuntu." Then you get to the footnote: "PS: It's pointless to get our code running on Ubuntu."

I spent the whole article wondering why they were so interested not only in presenting a proof of concept, but in getting as many people as possible actively breaking captchas. Then I got to the end and switched to wondering whether the whole thing is an elaborate prank.


Yes, I thought this particular link was perhaps not the best way to present the work, mainly because the interesting part is actually this: "We accomplished this with a combination of Machine Learning, hashing methods, keyspace reduction tactics, and taking advantage of an overall limited number of captchas. Specifically, Stiltwalker goes head to head against reCAPTCHA'S audio captcha system and defeats all but a sliver of it's challenges."

On the other hand, it looks like they provide a corpus (http://www.dc949.org/projects/stiltwalker/stiltwalker-corpus...) [1.5 GB!] that you can still use to run the program.


Yes - I almost missed that - that should be highlighted more clearly not buried in a footnote - as it undermines the impact of the research...


The research is just as solid as it ever was, it just minimizes the immediate, real-world effects.


I'd be willing to wager that Google has many different versions of ReCaptcha sitting on ice, to be shifted into production if a flaw in the current system is found. I've noticed some different image captchas floating around too.


Still, the important takeaway for webapp developers is never to rely on just one form of protection. Add timestamp checks, honeypots, etc., in addition to captcha and use them appropriately for your application.


Alas, I'm running a handful of websites, and nearly nothing works, outside of stopping the most egregious of automated bots. Every new protection technique seems to be broken fairly fast. The best results so far have been combining basic WAF techniques (like placing poisoned form fields re-named as regular form fields and randomizing the names of standard form fields, one-time hash values in required fields, etc.) with some form of captcha.

However, every day five or six make it through. Observing their patterns and timing, and the fact that they make zero mistakes while interacting very slowly with the site, I can only presume that humans are directly involved as well, either as mechanical turks or simply manually posting the spam.

Notably, they follow normal, guided flows through the site - not like robots at all, but hit pages that would obviously be interesting to a human (say, have a certain type of image content linking them versus another), while avoiding the least popular pages - never hit URLs that are hidden via CSS, etc.
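The layered form checks mentioned in this thread (timestamp check, honeypot field, randomized field names, one-time token), written out server-side as an added example; it is not code from any commenter or from Stiltwalker. The field names, thresholds, reason strings and in-memory nonce set are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, kept server-side
MIN_FILL_SECONDS = 3              # assumption: faster submissions are treated as automated
MAX_AGE_SECONDS = 3600            # assumption: forms expire after an hour
_used_nonces = set()              # assumption: in-memory; a real site needs a shared store

def _mac(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def _field(nonce, label):
    # Field name derived from the nonce, so it changes on every page load.
    return "f_" + _mac(f"name:{nonce}:{label}")[:12]

def issue_form(now=None):
    """Return the hidden token and the field names to render for one page load."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"token": f"{nonce}:{now}:{_mac(f'token:{nonce}:{now}')}",
            "comment": _field(nonce, "comment"),  # the real input, randomized name
            "trap": "email"}  # honeypot: ordinary-looking name, hidden via CSS

def check_submission(post, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, mac = post["token"].split(":")
        issued = int(issued)
    except (KeyError, ValueError, AttributeError):
        return False, "bad-token"
    expected = _mac(f"token:{nonce}:{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad-token"
    if nonce in _used_nonces:
        return False, "replayed"           # one-time value already spent
    if now - issued < MIN_FILL_SECONDS:
        return False, "too-fast"           # timestamp check
    if now - issued > MAX_AGE_SECONDS:
        return False, "expired"
    if post.get("email"):
        return False, "honeypot"           # a hidden field was filled in
    if _field(nonce, "comment") not in post:
        return False, "missing-field"      # static field name was guessed
    _used_nonces.add(nonce)
    return True, "ok"
```

Each rejection reason is worth logging separately, since the mix of reasons shows which layer is doing the filtering.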


Yup; human spammers are awful. Labor is so cheap now that it's financially viable to pay people to spam sites in some cases. The Internet is a sad place indeed.



