first published: 2016/12/07, last updated: 2016/12/15

cpc monopoly abuse, once again -- and the upcoming site expansion :)

the other day we sent google a 'cease and desist' letter through their 1000-character adwords helpdesk ticket form.
it was about them continuing to suspend the recaptcha.sucks site in adwords.
they seemed to ignore the very nature of what they had received and responded to it as if it were a regular helpdesk inquiry.

with a new round of ever-changing nonsense, of course. what else would anyone expect?
this time around stating that the recaptcha.sucks site violates the following two adwords rules:
judge for yourself!

it is a very welcome contribution from google that will go a long way in proving the systematic pattern of monopoly abuses :)

over the past 18 months, recaptcha.sucks was a shot across the bow to warn the holy shrine of broken ai, aka google, to start looking for culprits and sort out its antitrust law compliance by themselves, at their own pace.
tons of google employees and contractors have seen it over that time; but it didn't work; and nobody from google ever got in touch.

now it will become one of the tools to force google to stop violating antitrust laws, at our own pace.
the topic of organic-search-related antitrust violations will no longer be avoided in posts, but put front and centre.

more resources will be devoted to the site, it will be expanded, and comments will be added.
the site transition will last for a couple of weeks, and it might be messy at moments.
please be patient, and keep coming back.

first published: 2016/04/07, last updated: 2016/12/07

surprise, surprise; recaptcha is broken; again :)

according to darren pauli's article published on el reg earlier today, the three columbia university guys, suphannee sivakorn, jason polakis, and angelos d. keromytis defeated recaptcha.
however, after reading the original research the guys wrote, and their blackhat asia conference paper, we found darren's use of the word 'defeated' to be slightly misleading.
'recaptcha shredded, used as a cat litter, and thrown into a rubbish bin' would be a way more accurate description of what those three guys actually did.

it is worth noting that the columbia guys accomplished it just by observing recaptcha behaviour from the outside -- without even attempting to de-obfuscate recaptcha code.

a few highlights from their papers (all emphasis added by us):

on how recaptcha determines what type of challenge to present to a visitor:
... Google tracking cookie plays crucial rule in determining the difficulty of challenge that is presented to the user ...

... We constructed experiment and aim to quantify the minimum amount of browsing history required for a specific cookie that appeared to be from legitimate users to be presented a checkbox captcha. ...

... Surprisingly we are able to obtain a checkbox captcha after the beginning of the 9th day from the cookie’s creation, without requiring any browsing activities ...

... Our experiment also revealed that each cookie can receive up to 8 checkbox captchas in a day ...
hey google, from the 9th day, and then 8 per day, they said. it is an amazing idea. give a raise to the guy who invented it.
was it the same guy who decided to use cookies and move recaptcha to the google.com domain in the first place? his ingenuity is second to none :)

on defeating recaptcha's 'nocaptcha checkbox' challenges:
... The goal is to create cookies which are to appear as originating from legitimate users and not automated bots. In each case, we create a cookie in a clean virtual machine, where our browser automation system store non-account google.com cookies ...

... The attack’s scale can be increased if we solve captchas on a website we control (attacker.com) but associate the tokens with a target website (example.com). This would facilitate captcha-solving services that harvest and sell tokens to others, as it will reduce the network activity and, thus, cost of the attacks ...

... We setup a virtual host on our server and set the ServerName and other necessary fields to correspond with example.com. By using a2ensite, and modifying the hosts file, we can run our website on the localhost and trick reCaptcha into associating our request to example.com ...

... We are able to create over 63,000 cookies in a single day without triggering any mechanisms or getting blocked, and are only limited by the physical capabilities of the machine ...

... Next, we deployed our system using these cookies after they had “aged”, to identify how many checkbox captchas we can solve in a single day ...

... Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 - $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine ...
we do not see this as a bug that can be fixed -- but as an inherent design flaw -- and the direct consequence of recaptcha's use of cookies.
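the token-harvesting excerpt above describes tokens being solved in one place and sold for use on a target site. as an added example (not code from this page, nor from the columbia paper or google), here is the server-side acceptance logic a webmaster controls: it takes a recaptcha `siteverify` response and only accepts the token if google reported success, the `hostname` is ours, the `challenge_ts` is fresh, and the token has not been accepted before. the field names `success`, `challenge_ts`, `hostname` and `error-codes` are the documented siteverify response fields; the hostname `example.com`, the tokens, the timestamps and the two-minute freshness window are values assumed for this example, and the responses are constructed inline rather than fetched from google so the script runs offline.

```python
from datetime import datetime, timedelta, timezone

# Policy values assumed for this example: the hostname is a placeholder and the
# two-minute window mirrors the token lifetime google documents for siteverify.
EXPECTED_HOSTNAME = "example.com"
MAX_TOKEN_AGE = timedelta(minutes=2)


def parse_challenge_ts(ts):
    """Parse the ISO 8601 'challenge_ts' field (e.g. '2016-04-07T12:00:30Z') as UTC.
    Returns None when the field is missing or malformed."""
    try:
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def validate_siteverify(response, token, seen_tokens, now,
                        expected_hostname=EXPECTED_HOSTNAME, max_age=MAX_TOKEN_AGE):
    """Accept a siteverify JSON response only if every server-side check passes.

    Checks, in order: the token has not been accepted before (single use),
    google reported success, the hostname is ours, and the challenge was
    solved recently. Returns (accepted: bool, reason: str)."""
    if token in seen_tokens:
        return False, "replayed token"
    if not response.get("success"):
        return False, "rejected by google: " + ",".join(response.get("error-codes", []))
    if response.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % (response.get("hostname"),)
    solved_at = parse_challenge_ts(response.get("challenge_ts"))
    if solved_at is None:
        return False, "missing or malformed challenge_ts"
    age = now - solved_at
    if age < timedelta(0) or age > max_age:
        return False, "stale token: solved %ds ago" % int(age.total_seconds())
    seen_tokens.add(token)
    return True, "ok"


# Constructed sample responses (shaped like siteverify JSON; every value is made up).
NOW = datetime(2016, 4, 7, 12, 1, 0, tzinfo=timezone.utc)

SAMPLES = [
    # a token solved 30 seconds ago on our own site: the only one that should pass
    ("fresh",      "tok-A", {"success": True, "challenge_ts": "2016-04-07T12:00:30Z", "hostname": "example.com"}),
    # the same token submitted a second time
    ("replay",     "tok-A", {"success": True, "challenge_ts": "2016-04-07T12:00:30Z", "hostname": "example.com"}),
    # a token solved half an hour ago, i.e. harvested earlier and used later
    ("stale",      "tok-B", {"success": True, "challenge_ts": "2016-04-07T11:30:00Z", "hostname": "example.com"}),
    # a fresh token that google associates with a different site
    ("crosssite",  "tok-C", {"success": True, "challenge_ts": "2016-04-07T12:00:45Z", "hostname": "attacker.com"}),
    # google itself refused the token
    ("googlefail", "tok-D", {"success": False, "error-codes": ["timeout-or-duplicate"]}),
]


def run_samples(now=NOW):
    """Run every constructed sample through the validator; returns {label: accepted}."""
    seen = set()
    results = {}
    for label, token, response in SAMPLES:
        accepted, reason = validate_siteverify(response, token, seen, now)
        results[label] = accepted
        print("%-10s %-4s %s" % (label, "PASS" if accepted else "FAIL", reason))
    return results


if __name__ == "__main__":
    run_samples()
```

the hostname check only catches the naive case of a token solved on some other site; the virtual-host trick quoted above makes a harvested token already look like it belongs to example.com, so it is the freshness window and the single-use set that bound how long a resold token stays sellable, which is why both belong in every verification path rather than just the `success` flag.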

we guess google can do many things to somewhat slow down the intense mass-manufacturing of 'recaptcha cookies' from a single machine as described in those research papers.
however, we do not see google being able to do anything about the use of botnets for:

on defeating recaptcha's 'select all the pigs' type of photo-challenges, which appear after recaptcha determines that the 'nocaptcha checkbox' is too risky to be used:
... Our system is extremely effective, automatically solving 70.78% of the image reCaptcha challenges, while requiring only 19 seconds per challenge ...

... our completely offline captcha-breaking system is comparable to a professional solving service in both accuracy and attack duration, with the added benefit of not incurring any cost on the attacker ...
in fact, it was microsoft who invented the captcha photo-challenge concept (asirra) way back in 2007. in 2014, google just blatantly copied it.
however, what the google copycats failed to notice is that asirra was just a concept -- microsoft never used it -- and they had good reason not to:
anything with a limited set (no matter how big) of captcha challenges is inherently vulnerable to challenge harvesting.

however, the columbia university guys took that harvesting-attack game to a completely new level.
they augmented it with semantic image processing, and devised and described multiple ways of attacking recaptcha photo-challenges,
both online and offline ones -- and left an excellent cookbook behind.

we need a bit more time to study this part of their papers.
stay tuned!

first published: 2015/08/26, last updated: 2016/04/07

antitrust violation: adwords monopoly abuse!

first published: 2015/08/11, last updated: 2015/08/11

if recaptcha can doxx you -- then you are human

to the best of our knowledge it was egor homakov of sakurity who first spotted recaptcha's use of cookies on the very first day nocaptcha was released -- albeit what he spotted was actually just the tip of the iceberg.
egor then went after a particular vulnerability that existed at that time -- and missed the main story.

then on 2015/02/20 business insider's lara o'reilly wrote an excellent long article about recaptcha's doxxing capabilities revealed by adtruth's engineer marcos perona.
if you are a webmaster and have even a trace of respect for the privacy of your visitors and users, we strongly recommend you read her article from beginning to end.

we reproduce a few excerpts from her article here (emphasis added by us):
... device recognition company AdTruth believes it has found evidence Google’s CAPTCHA killer is collecting far more information than mouse coordinates alone, and that it could use the security tool to inform its advertising services too. The new tool isn’t overtly labeled as a Google service, yet anyone clicking through it “consents” to be tracked by Google’s cookies, AdTruth found. And while the service is intended to do only one thing — determine whether you are a human or not — it is also able to identify a lot more information about which specific human you are ...

... In addition, Google’s new CAPTCHA will also make use of any cookies that have been set by other Google properties — like Gmail, Search, Analytics, and so on — in the last six months. The belief is that humans use Google’s services in certain “human” ways, whereas bots do not, and those patterns can be detected. All of this personally identifiable information gets encrypted and sent back to Google. ...

... AdTruth’s lead engineer Marcos Perona was skeptical of Google’s claim to look for “human behavior” to distinguish a real person from a bot and decided to investigate. He wanted to find out what Google actually “captures” from a machine with the No CAPTCHA to work out whether a user is a bot or not ...

... Perona told us: “The use of Google.com’s domain for the CAPTCHA is completely intentional, as that means Google can drop long-lived cookies in any device that comes into contact with the CAPTCHA, bypassing third-party cookie restrictions [like ad blockers] as long as the device has previously used any service hosted on Google.com.” ...

... AdTruth EMEA managing director James Collier told us: “This is a way for Google to indirectly link activity outside of Google’s properties – collected under the guise of security – to Google’s knowledge of that individual, without providing the consumer an opt out for the security fingerprint. When they went to market with reCAPTCHA they spoke about humanity and transparency. But in reality, their intentions appear hidden ...
on the other hand, at its website google says (emphasis added by us):
... Government agencies, courts and parties in civil litigation regularly ask technology and communications companies for information about how a person has used the companies' services ...

... Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law ...

... If a non-U.S. agency goes through a diplomatic process like MLAT to obtain a U.S.-issued ECPA subpoena, court order or search warrant, Google would produce the same information as if the request originated directly from a U.S. agency ...
the old saying goes "if it looks like a duck, swims like a duck, and quacks like a duck, then it is a duck" -- and yes, it is a duck!

that wet dream of all those cops, attorneys, divorce lawyers, etc. has finally come true.
intentionally or not, google turned recaptcha into their ultimate doxxing machine.

take a look at the emphasized part, 'how a person has used the companies' services', in the first excerpt from google's website.
please note that it does not say 'how a person has used the companies' services on the companies' websites' -- and there are reasons why it doesn't.

once upon a time it all meant the content of your gmail account, the history of your google and youtube searches, the youtube videos you watched, etc.
but all of those are google's properties and you could reasonably expect that such a use might be disclosed by google under certain legal circumstances.

but nowadays, things are significantly different.
nowadays, it includes your usage of recaptcha (a google service) on third-party websites -- and there are millions of them across the web.
and this is regardless of whether recaptcha was visible or not -- in fact, there are legitimate reasons why it might actually be hidden from view.

be it a dating site you frequent, or a news site you read an article at, or a blog post you just commented, or an adult video you watched, or a forum post you left or commented, it just doesn't really matter.
if that particular third-party site uses recaptcha -- it is all fair game nowadays.
it is all instantly connected with your gmail / youtube / google+ / google account and it will be all revealed as a result of a single legal request.

a real treasure trove for a carefully crafted subpoena, court order, search warrant, or foreign mlat request.

be careful, the big brother is watching you.

somewhere near the top of her article, lara o'reilly wrote (emphasis added by us):
... Google declined to comment when reached by Business Insider ...
and what would they say even if they did comment? that google does not collect, record and cross-reference such data?

it would be a statement hard to swallow for anybody who is aware of how much it can improve ad targeting,
how much money is actually at stake, and how high the temptation will be.

but let's say that we wish to believe them that they did not.
and maybe they even didn't -- only until they did -- following the first wire-tapping / 'evidence preservation' order for an ongoing investigation / litigation :)

in one of the following episodes:
unless we get killed in a suspicious traffic accident in the meantime :)

first published: 2015/08/11, last updated: 2015/08/11

if recaptcha can spy on you -- then you are human

it is not just cops, attorneys, and divorce lawyers who have wet-dreams -- spooks have them too.
and unsurprisingly, for spooks recaptcha works even better!

recaptcha: national security implications for the us government

(stay tuned -- it will be continued)

recaptcha: national security implications for foreign governments

let's be frank and not beautify it.
since 2014/12/04, you guys have been bent over and f....d!

(stay tuned -- it will be continued)

somewhere near the top of her article, lara o'reilly wrote (emphasis added by us):
... Google declined to comment when reached by Business Insider ...
and the google website states (emphasis added by us):
... The U.S. Department of Justice has imposed two delays. First, providers must wait six months before publishing statistics about FISA requests so that, for example, the report published January 1, 2015 will reflect requests received between January 1 and July 1, 2014. Second, providers must wait two years to publish statistics reflecting “New Capability Orders." ...

... In the case of NSLs, the FBI has the power, under 18 U.S.C. section 2709(c)(1), to prohibit the recipient of an NSL from disclosing the fact that it has received an NSL, by certifying that disclosure may result in “a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.” In the case of FISA requests, current law prohibits recipients of FISA requests from disclosing the existence of the request.
and what could google executives say to business insider? disclose the existence of fisa and nsl requests?
how many years would the minimum mandatory sentence for disclosing it be? and what additional charges might be brought if they did? aiding the enemy? treason?

and even if they did care enough to send a clueless minion eager to comment and deny, who, with a minimum of technical knowledge and a sane mind, would believe them anyway?
what would you do if you were in their shoes? would any of you guys and gals reading this swap a beachfront villa for solitary confinement in an 'a la chelsea manning' cell on 24/7 suicide watch?

and, to the best of our (limited) understanding of the legal matters involved, fisa and nsls only matter for surveillance within the us or involving us subjects anyway.
what might be the chance that there are requests, of kinds we do not even know about, covering exclusively the surveillance of foreign subjects abroad?
at the end of the day, that is what the nsa is all about, isn't it? not that jane and john q. public would care, or object, enough to dig out even the mere existence of such requests.
and why would they care? if we were in their place we certainly wouldn't. how about you?

and, as demonstrated before, for anything abroad those guys can just tap a fibre cable and use that zero-day ssl man-in-the-middle, or cipher weakness, or whatever, and voilà.
not only do they not need any of those pesky requests at all -- they do not even need google to collect, record and cross-reference those cookies.
they need google just to get access to them -- they can do everything else all by themselves -- without google ever even knowing about it.

obviously, as the old saying goes, there is more than one way to skin a cat.
so, which of you counter-intelligence guys would be willing to bet on whether recaptcha got you bent over and f....d or not -- unless you guys blocked it already :)?

can you help?

yes, you can help!
short-term: link to us, please! seriously, that is probably the single best help you can provide us with at this particular moment.
in order to succeed in changing google's behaviour, recaptcha.sucks has to either rank really well on recaptcha-related queries and start annoying certain google executives, or successfully prove that it is being intentionally buried in search results for recaptcha-related queries. to accomplish either of those two things we need links -- a hell of a lot of them.
long-term: spread the word -- but only after you see the fully functional site up and running, please!


date & revision:

2016/12/15, revision: 11
