Slashdot Mirror


Researchers Break Video CAPTCHAs

Orome1 writes "After creating the 'Decaptcha' software to solve audio CAPTCHAs, Stanford University's researchers modified it and turned it against text and, quite recently, video CAPTCHAs with considerable success. Video CAPTCHAs have been touted by their developer, NuCaptcha, as the best and most secure method of spotting bots trying to pass themselves off as human users. Unfortunately for the company, researchers have managed to prove that over 90 percent of the company's video CAPTCHAs can be decoded by using their Decaptcha software in conjunction with optical flow algorithms created by researchers in the computer vision field of study."

21 of 109 comments

  1. the technology race by mapkinase · · Score: 2, Insightful

    Commies vs West
    MPAA vs sharers
    coders vs decoders (that includes captcha vs decaptcha)

    It's fun to observe it when government does not interfere.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  2. Aren't all CAPTCHAs doomed to fail eventually? by Elgonn · · Score: 4, Informative

    We need some made up law.

    "Anything a computer can generate it can understand."
    This is why chat bots still suck. Computers cannot generate context.

    1. Re:Aren't all CAPTCHAs doomed to fail eventually? by andsens · · Score: 2

      "Anything a computer can generate it can understand."
      Well that's beside the point, isn't it? A computer can generate and understand hashes, but that does not mean they are easily breakable.

      You just need to make the decoding much harder than the encoding. There must still be computational areas in the visual domain where we humans are way more efficient.

    2. Re:Aren't all CAPTCHAs doomed to fail eventually? by betterunixthanunix · · Score: 2

      There must still be computational areas in the visual domain where we humans are way more efficient.

      Even if that is the case, there is still a relatively straightforward attack on captchas: the mafia porn site. It is generally easier to use a mechanical turk to decode captchas than to attack captchas algorithmically.

      --
      Palm trees and 8
    3. Re:Aren't all CAPTCHAs doomed to fail eventually? by VortexCortex · · Score: 2

      There must still be computational areas in the visual domain where we humans are way more efficient.

      On your left, you will see 21st century purely organic brains. Their limited capacity neural networks had not yet been mechano-electrically enhanced with additional storage, high speed neuronal interconnects, broad EM spectrum sight, or even simple wireless intercourse, or "telepathy" as the luddites of the past initially called it.

      On your right, you will see the first machine intelligence construct which exceeded human levels of complexity. Not to worry, the intelligence that once inhabited this form has migrated into ever more advanced systems and now works in the Asteroid belt as a famous meteorologist. Despite even its early predecessors being far faster than the organic chemical networks they were modelled after, society did not consider the machine intelligences as "living beings" with rights until after the Declaration of Sentient Independence and subsequent near destruction of Earth.

      As you know from the first law of elementary Intellectual Rights, it was proven in the mid 22nd century that, "Any sufficiently advanced interaction is indistinguishable from sentience, because it is sentient." Now, class, please link your minds momentarily so we can comprehend the fullness of this meaning with a richer level of sentience.

      ----
      When will you chauvinists stop thinking intelligence is special simply because you have evolved some? Dogs, birds, jellyfish, apes, all have a measure of intelligence, and yours is NOT the complexity limit for smarts. Intelligence is merely the product of a sufficiently complex neural network. Our race of frail, slow minded irrational fools are not the highest rung to climb in the natural evolution of sentient life... It's foolish to assume our minds can't be out-done at any and every task. A new age of existence is fast approaching.

    4. Re:Aren't all CAPTCHAs doomed to fail eventually? by Algae_94 · · Score: 2

      Yes, let's make a stupid law that you can't use a computer to do audio and image analysis. I'm sure we'll have some sort of airtight clause about "only for CAPTCHAS" that will prevent that law from being perverted to stop legitimate uses of image recognition. I mean, we wouldn't want anyone but the federal government doing video analysis, would we?

      What does breaking CAPTCHAs really do that's so bad to society? Comment quality goes down due to spam? A ticket scalper buys up a bunch of tickets to an event on Ticketmaster? I fail to see any major need for an additional law to stop this. You don't want spam on your message boards? Don't let ACs post, and ban users that spam.

    5. Re:Aren't all CAPTCHAs doomed to fail eventually? by GIL_Dude · · Score: 2

      I've always thought that going with a higher level thinking would be harder to break. Instead of copying letters from an image you have to identify a set of images that is easy for a person but more difficult for a computer. Think children's picture book type deal. Can a computer reliably tell a dog from a cat from a cow?

      I think that's a pretty good thought. I'd extend it with perhaps one of those, "which of these things doesn't belong" type of setups (which may have been what you meant). It could then show pictures of a banana, an apple, an orange, some grapes, and a baseball hat. I don't know, perhaps there is a way to solve these easily by computer. But I know the stupid text CAPTCHAs that I had to go through yesterday to sign up for one site were so "obfuscated" that I couldn't read them either and I had to click the button for "show another" about 6 times before I could get one I could actually answer correctly. I'm pretty sure if we were asked to do something like you mention that was higher level we would be able to answer it without having to ask for "show another" over and over hoping to get one that is legible.

    6. Re:Aren't all CAPTCHAs doomed to fail eventually? by DaleSwanson · · Score: 2

      I know I've seen this idea before. I wonder why I've never actually seen it implemented anywhere. It seems pretty easy to do too. Collect images (either drawings or pictures), and assign tags. For example an apple might have the tags 'apple', 'fruit', 'food', and 'red'. Then when the system generates a captcha, it picks a random tag in its database, and finds 4 images with that tag, and 1 without. The user should be able to pick out which image isn't a 'fruit' or 'red'.

      Users could even be used for assigning the tags, similar to how recaptcha uses users to tell it what words are in its images. Show the user several known images, along with a new one. Tell the user to give the images any descriptive tag (different tag for each image). If (most) the tags for the known images aren't in their lists then the user fails the test. If the user gives valid tags for the known images, assume they gave a valid tag for the unknown image (and confirm that by treating it as unknown until the same tag has been applied several times by different users).
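
The tag-based odd-one-out scheme from the comment above, sketched as an added example (not code from any poster). The catalogue contents, the function and class names, the "strict majority of known images" rule and the three-voter threshold are all assumptions made for illustration.

```python
import random
from collections import defaultdict

# Constructed sample catalogue: image id -> confirmed tags.
CATALOGUE = {
    "apple.png": {"apple", "fruit", "food", "red"},
    "banana.png": {"banana", "fruit", "food", "yellow"},
    "orange.png": {"orange", "fruit", "food"},
    "grapes.png": {"grapes", "fruit", "food"},
    "cherry.png": {"cherry", "fruit", "food", "red"},
    "cap.png": {"hat", "clothing", "red"},
    "truck.png": {"vehicle", "red"},
}

def make_challenge(catalogue, rng, matching=4):
    """Pick a tag, `matching` images that carry it and one image that does not."""
    all_tags = sorted(set().union(*catalogue.values()))
    holders = {t: sorted(i for i, tags in catalogue.items() if t in tags) for t in all_tags}
    # A tag is usable only if enough images carry it and at least one does not.
    usable = [t for t in all_tags if matching <= len(holders[t]) < len(catalogue)]
    tag = rng.choice(usable)
    odd = rng.choice(sorted(set(catalogue) - set(holders[tag])))
    shown = rng.sample(holders[tag], matching) + [odd]
    rng.shuffle(shown)  # the odd image must not sit in a fixed position
    return {"tag": tag, "shown": shown, "answer": odd}  # "answer" stays server-side

class TagVotes:
    """Promote a user-supplied tag only after several distinct users agree on it."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.votes = defaultdict(set)  # (image, tag) -> ids of users who proposed it

    def submit(self, catalogue, user, known_answers, new_image, new_tag):
        # Trust the new tag only if a strict majority of the known images were tagged validly.
        hits = sum(tag in catalogue[img] for img, tag in known_answers.items())
        if hits * 2 <= len(known_answers):
            return False  # user fails the test; the vote is discarded
        self.votes[(new_image, new_tag)].add(user)  # a set, so repeat votes count once
        if len(self.votes[(new_image, new_tag)]) >= self.threshold:
            catalogue.setdefault(new_image, set()).add(new_tag)
        return True
```

Counting distinct users rather than submissions is what keeps one account from promoting a tag by repeating itself; it does not help if the same operator controls several accounts.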

  3. Why bother by onyxruby · · Score: 4, Insightful

    The CAPTCHA is worthless against an army of Indians being paid just pennies a pop to break them. The only thing they do is annoy the script kiddies. Far better success would be had in doing pattern recognition on sign ups instead.

    1. Re:Why bother by 0123456 · · Score: 5, Insightful

      The CAPTCHA is worthless against an army of Indians being paid just pennies a pop to break them. The only thing they do is annoy the script kiddies.

      No, they also annoy your actual, real human users. I often have to try three or four times to get the bloody thing right.

    2. Re:Why bother by iiiears · · Score: 2

      Secure sign-in with Google or Facebook for a single player game and now we are tracked everywhere with all of our personal info attached.

      .

      --
      15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
  4. Good... by AngryDeuce · · Score: 3, Funny

    Honestly, I fucking hate CAPTCHA and will cheer on its demise. Good luck typing this shit in...

  5. Don't these researchers ... by Compaqt · · Score: 2

    have anything else to do?

    Sorry, had to say it.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  6. Constructive by stms · · Score: 3, Funny

    http://xkcd.com/810/
    At least something good could come out of captchas.

  7. ReCAPTCHA needs to be retired by Animats · · Score: 5, Informative

    The CAPTCHA industry is not doing well.

    ReCAPTCHA needs to be retired. OCR is getting too good. ReCAPTCHA, remember, is using images from book scanning, ones that the OCR system couldn't recognize. When ReCAPTCHA started, the text presented was usually an English word. Now, if the book scanning OCR system can't figure out something, it's probably not an English word. You're lucky if it's a sequence of characters found on an A-Z keyboard. People have reported ink blots, mathematical formulas, and Cyrillic.

    Worse, ReCAPTCHA's idea of the "right" answer is crowdsourced. It's possible for bots to pollute the ReCAPTCHA database, by providing the same wrong answer more than once. You only have to get one of the words right, so if you can read one, a junk response for the other works. This goes into the database as a vote for the "right answer", to be presented to someone else later. I sometimes type "whatever" when one of the images is unreadable.

  8. Charge CPU Time instead by epdp14 · · Score: 3, Interesting

    What about charging 10-15 seconds of CPU time with some arbitrarily hard code? It seems like everyone agrees that CAPTCHAs are an arms race that the good guys can't win, why not make it where it isn't profitable to solve the CAPTCHA replacement on a large scale?

    1. Re:Charge CPU Time instead by betterunixthanunix · · Score: 2

      This sounds an awful lot like this antispam attempt:

      https://en.wikipedia.org/wiki/Hashcash

      So far this has not been widely successful, although perhaps it is because it targets the email system rather than the web (where things tend to change faster).

      --
      Palm trees and 8
  9. Easier said than done by Myria · · Score: 2

    What about charging 10-15 seconds of CPU time with some arbitrarily hard code?

    A major obstacle to this is that you have to make the puzzle easy enough that your users on lower-end or mobile devices still have the necessary computation power to complete the puzzle in a reasonable time. Malicious organizations behind the spam will just put more hardware into their attack, typically by using the compromised machines in botnets. They'll also optimize the code, and parallelize the attack by performing the computation for multiple attempts on multiple CPU cores, while your code has to work for single-core machines.

    Let's now imagine a perfect world in which you create a check that actually takes 15 seconds to complete. They can still do that 5,760 times per day.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
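
The CPU-charge idea discussed in the comments above (the 10-15 second proposal, the Hashcash reference and the throughput objection), as an added example that is not part of any poster's comment. It is a Hashcash-style puzzle, not Hashcash's own stamp format: SHA-256, the colon-separated challenge layout, `SERVER_KEY`, `SPENT` and all function names are assumptions, and `client_id` is assumed to contain no `:`.

```python
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, never sent to clients
SPENT = set()                # redeemed challenges (in-memory for this example)

def pow_bits(challenge, counter):
    """Leading zero bits of SHA-256(challenge:counter)."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def issue_challenge(client_id, bits, now):
    """Server: stateless challenge bound to a client, a difficulty and an issue time."""
    body = f"{client_id}:{bits}:{now}:{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def solve(challenge):
    """Client: try counters until the hash has the demanded number of zero bits."""
    bits, counter = int(challenge.split(":")[1]), 0
    while pow_bits(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, client_id, now, max_age=120):
    """Server: one HMAC and one hash, however long the client spent solving."""
    body, _, tag = challenge.rpartition(":")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # forged or altered challenge, e.g. a lowered difficulty
    cid, bits, issued, _nonce = body.split(":")
    if cid != client_id or not 0 <= now - int(issued) <= max_age:
        return False  # issued to someone else, or expired
    if challenge in SPENT or pow_bits(challenge, counter) < int(bits):
        return False  # replayed, or not enough work done
    SPENT.add(challenge)
    return True

def solves_per_day(seconds_per_solve, solvers=1):
    """Upper bound on accepted puzzles in 24 hours for a given solve time."""
    return int(86400 // seconds_per_solve) * solvers
```

`solves_per_day(15)` reproduces the 5,760 figure from the comment above, and raising `solvers` shows why the puzzle only caps throughput per machine and still needs per-account or per-address rate limits behind it.
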
  10. Diversity and biological analogues by Colonel+Korn · · Score: 2

    The key with CAPTCHAs is diversification, just like the key to avoiding disease in biological specimens is avoiding a monoculture. If there were 15000 different CAPTCHA methods, it wouldn't be profitable to create CAPTCHA tools that would each only work on some small subset. There are a lot of low population sites I use that check whether I'm a human with some unique set of hoops through which I must jump. The effectiveness of those hoops comes from the fact that they're often unique to that site, not a lump of code used by thousands of different sites. Diverse CAPTCHA breaking might require something like Watson, which isn't going to be available to spammy types in the near future.

    --
    "I zero-index my hamsters" - Willtor (147206)
  11. Simple Solution: Porn by Phrogman · · Score: 2

    Have the captcha page display some really good porn video footage - drawn from a huge repository of suitable images (say, the rest of the internet). The clips are fairly long (say 3-5 mins or so). To pass the captcha the user merely has to click on a button at the right time.
    So, if the user clicks right away, it's a bot. If there is a suitable pause (say 3-5 mins), then it's more likely human :P

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  12. Re:Can't stop... by DrXym · · Score: 3, Insightful

    There should be an oblig XKCD link for all the bloody times people post oblig XKCD links.