PayPal
Software beats CAPTCHA, the web’s ‘are you human?
Are you human? It just got a lot harder for websites to tell. An artificial intelligence system has cracked the most widely used test of whether a computer user is a bot. And according to its designers, it is more than a curiosity – it is a step on the way to human-like artificial intelligence.
Asking people to read distorted text is a common way for websites to determine whether or not a user is human. These CAPTCHAs – which stands for Completely Automated Public Turing test to tell Computers and Humans Apart – can theoretically take on any form, but the text version has proven effective in stopping spam and malicious software bots.
That’s because software has trouble deciphering text when letters are warped, overlapping or obfuscated by random lines, dots and colours. Humans, on the other hand, can recognise nearly endless variations of a letter after having only seen it a few times.
Vicarious, a start-up firm in Union City, California, announced this week that it has built an algorithm that can defeat any text-based CAPTCHA – a goal that has long eluded security researchers. It can pass Google’s reCAPTCHA, regarded as the most difficult, 90 per cent of the time, says Dileep George, co-founder of the firm. And it does even better against CAPTCHAs from Yahoo, Paypal and CAPTCHA.com.
Virtual neurons
George says the result isn’t as important as the methods, which he and CEO Scott Phoenix hope will lead to more human-like AI. Their program uses virtual neurons connected in a network modelled on the human brain. The network starts with nodes that detect input from the real world, such as whether a specific pixel in an image is black or white. The next layer of nodes “fires” only if they detect a particular arrangement of pixels. A third layer fires only if its nodes recognise arrangements of pixels that form whole or partial shapes. This process repeats on between three and eight levels of nodes, with signals passing between as many as 8 million nodes. The network eventually settles on a best guess for which letters are contained in the image.
The strength of each neural connection is determined by training the network with solved CAPTCHAs and videos of moving letters. This allows the system to develop its own representation of, say, the letter “a”, instead of cross-referencing against a database of instances of the letter. “We are solving it in a general way, similar to how humans solve it,” says George.
Yann LeCun, an AI researcher at New York University, says neural network-based systems are widely deployed. He thinks it is hard to know whether Vicarious’s system represents a technological leap, because the company hasn’t revealed details about it.
If Vicarious’s claims pan out, it would be very significant, says Selmer Bringsjord, a computer scientist at Rensselaer Polytechnic Institute in Troy, New York. He says breaking text-based CAPTCHAs requires a high-level understanding of what letters are.
Rather than bringing a product to market, Vicarious will pit its tool against more Turing tests. The aim is for it to tell what is happening in complex scenes or to work out how to adapt a simple task so it works somewhere else, says Phoenix (see “More than words”, below). This kind of intelligence might enable things like robotic butlers, which can function in messy, human environments.
“Our focus is to solve the fundamental problems,” says Phoenix. “We’re working on artificial intelligence, and we happened to solve CAPTCHA along the way.”
This article will appear in print under the headline “CAPTCHAs cracked”
More than words
A CAPTCHA doesn’t have to involve text – it can be any automated test that sorts humans from software. Vicarious in Union City, California, has a system that can read distorted text, but the firm has greater ambitions for artificial intelligence. Next up will be coping with optical illusions. Dileep George, one of the firm’s co-founders, thinks more training could help the algorithm with tasks such as recognising three-dimensional symbols in a two-dimensional image.
After that, the challenge might be to identify an object in a clean or distorted image. After that, it would have to work out what is happening in an image, rather than just recognise objects in a picture.
Billionaire Elon Musk unveils futuristic “Hyperloop” transport.
California billionaire Elon Musk took the wraps off his vision of a futuristic “Hyperloop” transport system on Monday, proposing to build a solar-powered network of crash-proof capsules that would whisk people from San Francisco to Los Angeles in half an hour.
In a blog post, Musk, the chief executive of electric car maker Tesla Motors Inc described in detail a system that, if successful, would do nothing short of revolutionizing intercity transportation. But first the plan would have to overcome questions about its safety and financing.
The Hyperloop, which Musk previously described as a cross between a Concorde, rail gun and air-hockey table, would cost an estimated $6 billion to build and construction would take 7 to 10 years. Eventually, according to the plan, it would jettison more than 7 million people a year along one of the U.S. West Coast‘s busiest traffic corridors.
As many as 28 passengers could ride in each pod and the system could even transport vehicles through a low-pressure steel tube at up to 800 miles (1,287 km) per hour, according to the 57-page design plan.
Musk, who in the past has hinted at the hopes of building such a system, proposed the Hyperloop as an alternative to a $68 billion high-speed rail project that’s a major priority of California Governor Jerry Brown. It would be safer, faster, less expensive and more convenient, Musk said in the blog post.
But not everyone is convinced the project is a good idea.
Jim Powell, a co-inventor of the bullet train and director of Maglev 2000, which develops high-speed transport systems using magnetic levitation, said the system would be highly vulnerable to a terrorist attack or accident.
“The biggest overall problem is the idea of the low pressure tube from a terrorist standpoint,” he told Reuters after taking an initial look at Musk’s specifications. “All a terrorist driving along the highway has to do is pull over, toss a net of explosives at it, and then everyone in the tube dies,” he said.
Musk said that since the tube will be low- but not zero-pressure, standard air pumps could easily overcome an air leak. He also said the transport pods could handle variable air densities.
Musk may also have neglected to factor in a few costs. Powell said that since an extensive monitoring system would be needed to keep track of the tube’s pressure, the cost of the project could double Musk’s estimate, coming closer to $12 billion.
Hyperloop, detailed: http://www.teslamotors.com/blog/hyperloop
QUESTIONS STILL
Musk, who made his name as a PayPal founding member before going on to start SpaceX and Tesla, envisions capsules departing every 30 seconds at peak times and traversing the roughly 400 miles between Los Angeles and San Francisco along an elevated tube erected along the I-5 interstate highway.
The capsules ride an air cushion blasted from “skis” beneath, propelled via a magnetic linear accelerator.
The expected half-hour travel time for Hyperloop passengers compares with current travel times of an hour and 15 minutes by jet, about 5 and a half hours by car, as well as about 2 hours and 40 minutes via California’s planned high-speed rail.
Other major questions remain, notably whether the California state government will ever approve the massive project, and whether any private companies are willing to step in and build it. The design remains theoretical and has yet to be tested in the field.
Musk has said he is too busy running electric car company Tesla and rocket manufacturer SpaceX to build the Hyperloop himself. He said the design plans were open-source, meaning others can build on them.
On Monday, however, he told reporters on a conference call he could kick off the project.
“I’ve come around a little bit on my thinking here,” he said. “Maybe I could do the beginning bit… and then hand it over to somebody else.”
He said he would be willing to put some of his personal fortune toward the project but stressed that building the Hyperloop was a low priority for him as he continues to focus primarily on SpaceX and Tesla.
He also asked the public for help to improve the design. Corporations have resorted in the past to public assistance on their products. In 2009, Netflix Inc awarded a cash prize to a team that succeeded in improving by 10 percent the accuracy of its system for movie recommendations.
Source: Yahoo news
Time to forget your online passwords?
Passwords are either too hard to remember or too easy to crack. Paul Rubens considers some of the technologies that could replace them – including an edible, electronic capsule.
The days of storing passwords in your brain are numbered. In a few years’ time you may be able to log into your online bank account using anelectronic tattoo on your arm, or a pill that, once swallowed, broadcasts a password through the wall of your stomach.
Functional prototypes of these products already exist. The tattoo has bendy and stretchy components—sensors and an aerial that lie flat on your skin. It works by the aerial transmitting your password to an electronic reader when you pick up your phone or sit at a computer. Stomach acid in place of battery acid powers the pill. This tiny device is being designed to pulse a code that would be picked up by a sensor in a laptop, shortly after it exits the oesophagus.
The motivation for developing such bizarre technologies comes from a widespread and growing problem: the existing authentication systems that log you into online services rely on passwords, and passwords aren’t really up to the job.
‘Nonsensical and unrealistic’
There are many reasons why. Passwords can be ‘phished’, which happens when users are tricked into revealing them to fake sites made to look like legitimate ones. About 50,000 unique sites get phished each month, which leads to online thefts totalling an estimated $1.5 billion each year. People also tend to choose passwords that are easy to remember. This means they are easy to guess. Of 32 million passwords revealed during one security breach, more than 290,000 turned out to be ‘123456’, according to Imperva, a Californian security company.
Moreover, when criminals hack into a online storeroom of passwords – a
service provider’s encrypted list of all of its users’ entry codes – they can crack potentially many thousands of passwords at once with the aid of special software. A password containing six lower case letters takes just a fraction of a second to crack in this way. But a longer and more complex one with 11 random upper and lowercase letters, numbers and special characters could take hundreds of years. It presents many orders of magnitude more combinations for the software to work through. The rule with passwords is simple: the more complex it is, the better the level of security it provides. But expecting people to remember long, nonsensical combinations is unrealistic.
Often, users pick the same password for many different services, which is ill-advised. If you sign up for an account on an unimportant website and that website gets hacked, your password could find its way into the hands of criminals who would then be able to access your online bank account. The problem is that people simply have too many passwords to remember, says Michael Barrett, Paypal’s chief information security officer. “When I talked to consumers ten years ago, they would tell me that they had four or five usernames and passwords to remember. Now they give me a glazed look, and tell me they have 35 of the damned things.” A typical adult between 25 and 34 years of age has 40 online accounts, according to a 2012 study by credit-checking firm Experian.
Random data
One way around these drawbacks is to beef up existing password-based authentication systems by providing more than one kind of hoop for users to jump through. This already happens when you use a number-generating security token, or have to input a random number that was sent via SMS to your phone. Paypal has offered this ‘two-factor authentication’ for some years. And recently, many other high profile internet companies such as Google, Apple, Facebook, LinkedIn and Twitter have included it for those who choose it.
Some companies are trying biometrics as a second authentication factor, taking advantage of the cameras and microphones in smartphones to carry out face or voice recognition—or even for iris scans. But many users worry that biometric data brings its own suite of concerns. Unlike passwords, which can be changed, voice prints and faces cannot. The worriers say that if cybercriminals were to hack a website and steal biometric information, the same information could forevermore be used to break into other accounts that rely on biometric authentication. This is unlikely, however, because fingerprint data is typically combined with random data to create a biometric based on your fingerprint. So any hacker that gained access to a scan of your fingerprint would not be able to break into a biometrically secured site.
But there’s a problem, even with two-factor authentication. While is makes life harder for criminals, users don’t like the extra hassle. “What we have found at PayPal with our security key is that if you market it hard you get a take-up rate of about 1-2%. If you don’t market it then only about 0.1% will take it up,” says Barrett. “Consumers just want to go out and buy things and they expect you to take care of security.”
Here, Fido
In the hope of making life easier for users, a few companies have created a consortium called the Fast Identity Online (Fido) Alliance. PayPal, Google, and PC-maker Lenovo, are among its founders. First and foremost, Fido aims to reduce reliance on passwords.
The Fido system’s specifications are still being developed, but what is clear is that it will work using a piece of hardware called an authenticator. Users will be able to enrol this at each website that they wish to log into. The enrolment process will involve the Fido authenticator and the website exchanging digital keys that will allow each to recognize the other.
As the user, when you visit a site from a PC with an authenticator connected—or perhaps a mobile device with an authenticator built in—you will still have to identify yourself. What’s different is that you will do so to your Fido authenticator, not to the website that you wish to visit. Once that is done, the Fido authenticator can vouch for you. Effectively, the device will tell the site “you know me because I can present a digital signature that proves who I am, and I can vouch for who is using me because I have authenticated them at my end”.
The researchers developing Fido authenticators intend them to work with all kinds of authentication: a simple PIN number, a fingerprint reader on a USB stick, or the camera on a mobile phone. The major benefit of this system is that no information will be stored remotely: the biometric data, or the PIN number, will remain on the Fido authenticator. And because it won’t be transmitted over the internet, this data won’t be stored on a remote site from which it could be hacked. The arrangement also avoids the need for a long and complex password to provide good security. If the wrong PIN is entered more than a handful of times on a Fido authenticator, the device would simply lock itself, as an ATM at a high street bank does today. Crucially, phishing could become a thing of the past because no one will ever need to enter a password on a website again.
Or would it? There are, of course, weaknesses in any system. In Fido’s case, the most obvious vulnerability is during the set up. To work properly, the Fido system will rely on you enrolling your authenticator at a genuine site. But what if you mistakenly enrolled it on a phishing site? “You have to go home or somewhere you trust when you register, and you need to be paying attention,” says Mayank Upadhyay, a security engineer at Google. “When you are fixated on another task and not paying attention, that’s when you end up getting phished.”
A second drawback of Fido is that it provides no easy means of revoking an authentication device that gets lost or stolen. A user would have to contact each site separately to cancel it, Upadhyay says, which would lead to the possibility of a hacker locking you out of your own accounts by impersonating you and revoking your device.
Creatures of habit
Perhaps Fido’s biggest criticism is that it still doesn’t achieve what PayPal’s Michael Barrett says users really want: for websites like PayPal to take care of security for them. For this to happen, online services may have to more frequently employ behavioural analysis. This kind of security can help verify that a password is being typed by the appropriate person, explains Kevin Bailey, a security analyst at IDC. Such systems examine vast amounts of data about people to recognize them based on their usage habits.
Your location, the internet address of the computer you tend to connect from, and even the time of day that you normally sign in, are all details that could be fed into an authentication analysis. Even your click stream—how quickly you type and how long you stay on different web pages for—could become a telling detail about you. If any of these factors gave a website reason to doubt that you are who you claim to be, it could block you from doing anything sensitive, like withdrawing large amounts of money from a bank account.
Bailey predicts that this approach, which he calls persona-based authentication, will take off. “The angle you hold a mobile phone, the way you key things in, the tone you use when you speak—even the ear you put the phone to and the height of that ear above ground,” could be used to add authenticating evidence, he says.
Ultimately, authentication is a problem that is unique to computers. Humans generally have no difficulty recognising other people with whom they already have a relationship, which is why no one demands a password from their spouse or children before letting them in the house. It is also why researchers are unlikely to develop easy, reliable authentication systems for online services until computers can be programmed to learn like people, Bailey says. “Self-learning and artificial intelligence are the things that will allow computers to recognize individuals and authenticate them without them having to do anything,” he concludes.
Before that day, if you want to log into your online accounts quickly and safely, you may be asked to pop a password pill.
A second drawback of Fido is that it provides no easy means of revoking an authentication device that gets lost or stolen. A user would have to contact each site separately to cancel it, Upadhyay says, which would lead to the possibility of a hacker locking you out of your own accounts by impersonating you and revoking your device.
Creatures of habit
Perhaps Fido’s biggest criticism is that it still doesn’t achieve what PayPal’s Michael Barrett says users really want: for websites like PayPal to take care of security for them. For this to happen, online services may have to more frequently employ behavioural analysis. This kind of security can help verify that a password is being typed by the appropriate person, explains Kevin Bailey, a security analyst at IDC. Such systems examine vast amounts of data about people to recognize them based on their usage habits.
Your location, the internet address of the computer you tend to connect from, and even the time of day that you normally sign in, are all details that could be fed into an authentication analysis. Even your click stream—how quickly you type and how long you stay on different web pages for—could become a telling detail about you. If any of these factors gave a website reason to doubt that you are who you claim to be, it could block you from doing anything sensitive, like withdrawing large amounts of money from a bank account.
Bailey predicts that this approach, which he calls persona-based authentication, will take off. “The angle you hold a mobile phone, the way you key things in, the tone you use when you speak—even the ear you put the phone to and the height of that ear above ground,” could be used to add authenticating evidence, he says.
Ultimately, authentication is a problem that is unique to computers. Humans generally have no difficulty recognising other people with whom they already have a relationship, which is why no one demands a password from their spouse or children before letting them in the house. It is also why researchers are unlikely to develop easy, reliable authentication systems for online services until computers can be programmed to learn like people, Bailey says. “Self-learning and artificial intelligence are the things that will allow computers to recognize individuals and authenticate them without them having to do anything,” he concludes.
Before that day, if you want to log into your online accounts quickly and safely, you may be asked to pop a password pill.
Source:BBC
PayPal founder to build small city on Mars for vegetarians.
Kill the Password: Why a String of Characters Can’t Protect Us Anymore.
You have a secret that can ruin your life.
It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.
Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.
No matter how complex, no matter how unique, your passwords can no longer protect you.
Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.
The age of the password is over. We just haven’t realized it yet.
Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.
First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.
This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.
The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.
Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.
In 413 BC, at the height of the Peloponnesian War, the Athenian general Demosthenes landed in Sicily with 5,000 soldiers to assist in the attack on Syracusae. Things were looking good for the Greeks. Syracusae, a key ally of Sparta, seemed sure to fall.
But during a chaotic nighttime battle at Epipole, Demosthenes’ forces were scattered, and while attempting to regroup they began calling out their watchword, a prearranged term that would identify soldiers as friendly. The Syracusans picked up on the code and passed it quietly through their ranks. At times when the Greeks looked too formidable, the watchword allowed their opponents to pose as allies. Employing this ruse, the undermatched Syracusans decimated the invaders, and when the sun rose, their cavalry mopped up the rest. It was a turning point in the war.
The first computers to use passwords were likely those in MIT’s Compatible Time-Sharing System, developed in 1961. To limit the time any one user could spend on the system, CTSS used a login to ration access. It only took until 1962 when a PhD student named Allan Scherr, wanting more than his four-hour allotment, defeated the login with a simple hack: He located the file containing the passwords and printed out all of them. After that, he got as much time as he wanted.
During the formative years of the web, as we all went online, passwords worked pretty well. This was due largely to how little data they actually needed to protect. Our passwords were limited to a handful of applications: an ISP for email and maybe an ecommerce site or two. Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.
So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.
Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password. It’s the compromise that growing web companies came up with to keep people signing up and entrusting data to their sites. It’s the Band-Aid that’s now being washed away in a river of blood.
Source: http://www.wired.com
Cosmo, the Hacker ‘God’ Who Fell to Earth.
Cosmo is huge — 6 foot 7 and 220 pounds the last time he was weighed, at a detention facility in Long Beach, California on June 26. And yet he’s getting bigger, because Cosmo — also known as Cosmo the God, the social-engineering mastermind who weaseled his way past security systems at Amazon, Apple, AT&T, PayPal, AOL, Netflix, Network Solutions, and Microsoft — is just 15 years old.
He turns 16 next March, and he may very well do so inside a prison cell.
Cosmo was arrested along with dozens of others in a recent multi-state FBI sting targeting credit card fraud. It is the day before his court date, but he doesn’t know which task force is investigating him or the name of his public defender. He doesn’t even know what he’s been charged with. It’s tough to narrow it down; he freely admits to participation in a wide array of crimes.
With his group, UGNazi (short for “underground nazi” and pronounced “you-gee” not “uhg”), Cosmo took part in some of the most notorious hacks of the year. Throughout the winter and spring, they DDoS’ed all manner of government and financial sites, including NASDAQ, ca.gov, and CIA.gov, which they took down for a matter of hours in April. They bypassed Google two step, hijacked 4chan’s DNS and redirected it to their own Twitter feed, and repeatedly posted Mayor Michael Bloomberg’s address and Social Security number online. After breaking into one billing agency using social-engineering techniques this past May, they proceeded to dump some 500,000 credit card numbers online. Cosmo was the social engineer for the crew, a specialist in talking his way past security barriers. His arsenal of tricks held clever-yet-idiot-proof ways of getting into accounts on Amazon, Apple, AOL, PayPal, Best Buy, Buy.com, Live.com (think: Hotmail, Outlook, Xbox) and more. He can hijack phone numbers from AT&T, Sprint, T-Mobile and your local telco.
“UGNazi was a big deal,” Mikko Hypponen, the chief security researcher at F-Secure, told Wired via email. “The Cloudflare hack was a big deal. They could have done much more with that technique.”
So, yes, he is Cosmo the God. But before he was Cosmo, he was Derek*. And while Cosmo may be a god, Derek is just a kid. A high school dropout. A liar, fraud, vandal and thief. But ultimately a kid, without much adult supervision or guidance.
I met Cosmo by accident and opportunity, after hackers used social-engineering techniques to circumvent Apple’s and Amazon’s security mechanisms and break into my accounts. They wrought enormous damage, wiping my computer, phone and tablet, deleting my Google account, and hijacking my Twitter account.
After it happened I fell into their world and began communicating regularly with the very hacker who jacked me, a kid named Phobia. He introduced me to Cosmo, who wanted to tell me about all manner of other account vulnerabilities. And last month, I flew down to Long Beach to talk to him face to face.
His real name is classified by FBI.
Source: weird.com
ARYAN'S BLOG 