Video Captchas are Hard for Computers to Understand but Easy for Humans (Video)
A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas, but lots easier for humans to figure out. While at the 2012 RSA conference, Timothy Lord pointed his camcorder at NuCaptcha CTO Christopher Bailey, and had him explain how video captchas work and how the company makes money. The video includes demos of the video captchas so you can see what they look like (and the company's website has lots more video captcha examples).
And making the captcha video longer will make the "pay some 3rd world guy 1c to do 1000 of these" a little less feasible!
I just read the opposite here:
http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
Does nobody remember the front page article from only a few weeks ago detailing how these have already been cracked?
http://tech.slashdot.org/story/12/02/20/1746242/researchers-break-video-captchas
A shame it has already been broken. Found out about this two weeks ago on this cool tech site below - a word of warning, the editing is a bit hit and miss though.
http://tech.slashdot.org/story/12/02/20/1746242/researchers-break-video-captchas
It's a way to get unavoidable advertisements into a site. You can tell if it's a human, because anything that isn't sick of seeing these ads every time they want to post is almost certainly a computer. Or a very determined troll. Brilliant.
Just what I was thinking. There's extra effort required to turn the video into separate frames, and each frame has to be decoded on its own, but as soon as you've got the same result from 2-3 frames, there's your answer. Heck, try the first and last and one or two in the middle, see if they agree. I'd think it would give you a more certain result for the extra effort.
It's extra pain for the end user too, with extra bandwidth required to transmit it. With cell phones having data caps, that's not helpful.
Infuriate left and right
as any other captcha? Freeze the screen and let the old algorithms run.
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Looking at the samples on the screen as he was talking, I think those would be fun to write a decoder for... And possibly even easier than image captchas.
Why? Because they're moving, and you have a better chance to figure out the outline of each shape because of it. Also, you can use traditional techniques on each frame of the video and submit the one that has the highest confidence, and you could do that with existing tech.
Honestly, I don't see this being better than what we have.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
If you generate them statically (as videos), then all someone has to do is what they're already doing - put up a site with some fake content, and ask users to go through "their" captcha, telling them the human answer to that particular video, and making an index of videos to answers.
If you generate the videos dynamically, well, it won't be very scalable, because it's going to take too much processing time per user. Might work well for occasionally verifying expensive content, and it might be more useful in the future - but networks (at least in the US) take a long time to improve, on the scale of hard drive improvements, so you're bottlenecked there too.
Hybrid tricks (layering static video) end up the same as static with a little analysis.
I'd say this falls in place with automated phonecall techniques as a somewhat expensive and annoying way of verifying 'humanity'.
Ryan Fenton
It's getting to the point where I feel like I need an application to read Captchas for me.
Half the time I get them wrong. I swear a computer would HAVE to be better at translating them than me. This video is going to help- but we have to face the fact... EVENTUALLY, no captcha device will be able to block bots but not people.
EVENTUALLY all bots will be better at breaking all captchas than humans will be.
There will probably be a time we look back on the good old days when the internet was usable by humans as a means of communication.
/ Disclaimer: Oswald is an ex-bot who gained near human cognition and intelligence.
"That's the way to do it" - Punch
Flash bitstreams are much easier for computers to understand than humans.
Why would an attacker not play back the animation at whatever speed they choose, exclude the color range that appears to be background, and analyze each frame for lines that are horizontal or vertical? Take the frame(s) that score highest for "squareness" and OCR from there?
Really, it's a question.
I watched it for a minute or two, and it seems like the letters are plain, block letters, with high contrast, and they line up regularly. I don't think this looks like strong CAPTCHA so much as not-previously-seen CAPTCHA. I don't get what makes this so hard to beat.
Something more annoying we have to deal with before being allowed to post, register, search, etc.
And what about the large portion of the world that is still on dialup?
We developers these days just have no fucking clue. HTTP = hyperTEXT transfer protocol.
Technologies that break the web are useless.
I think we need to start a new internet. One that works.
No captcha will ever be unbreakable by the mechanical turk.
Going to lock out blind people from the video captcha? Or create an alternative that computers can use too?
Exactly what I was going to comment; more frames = more chance for error checking.
I could believe that it takes more cpu power to crack them, since you have to decode the video stream instead of just an image. But harder to crack (as in less accuracy) is pure bullshit.
More frames = easier to be accurate, always has and always will.
The CAPTCHAs are already so "good" that I get identified as a machine 7 times out of 10 :-(.
Being as the vast majority of video delivered over the web seems to be via flash, it seems like this will itself be flash-dependent. Which would, of course, exclude people who cannot or will not use flash for their browser.
Of course, it may be that this will be deployed on sites where that demographic is not important...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Outsource the captcha. Link it to some porn, ask the user to fill the captcha in, and boom, captcha bypassed. No need to do expensive trick program analysis, just use cross-site linking. At least those captchas have the merit of being readable by a human, unlike some captchas in cursive-overlapping-slanted letters where if you can answer them, you are prolly not human.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
reCAPTCHA is the worst of them all (owned by the arrogant Google assholes). It is almost impossible to read what's there, although there is software out there that can bypass it. So why waste people's time?
This is all utterly pointless when you can outsource breaking captchas to India for well less than a penny per captcha broken. All this does is annoy legitimate users. If you want to get real about it you need to geo-restrict account creation to and from certain IP addresses based on geographic distribution. Yes, this can be bypassed, but it would make it easier to prevent fraud.
Comment removed based on user account deletion
You all know what is next don't you?
You will need your webcam hooked up- and the captcha will call out directions that you need to perform. It would analyse your movements to prove you understood.
Bow to the camera,
dosey doe,
boot scoot, boot scoot,
"ERROR: You are not a human you did a shuffle step instead of a boot scoot."
"That's the way to do it" - Punch
From just taking a snapshot of the screen and cracking the much simpler static image? That said, I'm really hating recaptchas. I've had sites where I had to click next about 10 times to find one that I could figure out what it is AND be able to type it (lots of German, Swedish, Greek captchas which I can't be bothered figuring out the key strokes to reproduce). Also, philosophically I'm against recaptchas because only half of the crap they want you to type is actually used for security; the other half is free human OCR. If I want to spend my time converting text I'll let you know ;-)
Slashdot, Could you please identify these advertisements as such in the title so I can filter them out of the RSS feed or something? I appreciate that you may enjoy the ad revenue, but I come here really just for news articles.
Yes, that was my thought, too, when I saw the examples. But I don't think it has to be that way. What if no single frame contains the whole information? Several dot clouds in each frame, which only make sense in their completeness over several frames? Or something like that. I think it might be possible to improve the video captchas without sacrificing too much of their better readability for humans.
Title: NuCaptcha makes video captchas
Description: Video captchas are hard for machines to decipher, but easy for humans
[00:00] <TITLE>
The Slashdot logo with "news for News. Stuff that matters" scrolls into view over a picture of Timothy Lord.
[00:00]
Timothy> I talked to a Vancouver-based company called NuCaptcha.
[00:04] <TITLE>
NuCaptcha at RSA 2012
Interviewer: Timothy Lord
[00:04]
NuCaptcha is trying to make captchas both less annoying and more effective through the use first of all video rather than only still images, and second of behavioral analysis.
In other words, if you seem to be a problem user - like a spammer - you actually get a harder question.
It's not the same as everyone.
[00:18] <TITLE>
Christopher Bailey, NuCaptcha
Chief Technology Officer
appears over a picture of Christopher Bailey at the NuCaptcha booth.
[00:19]
Christopher> Hi, our company is NuCaptcha, and we're based in Vancouver, British Columbia.
Christopher> Captchas are predominantly used as authentications, password resets, forms, trying to prevent spam and so on.
Christopher> So they're predominantly used wherever you'd have a form where somebody's committing information into your site, where you might wanna protect it from an automated attack.
[00:40] <TITLE>
http://nucaptcha.com/ says: "NuCaptcha's Behavior Analysis System Reduces Cybercrime"
[00:40]
Christopher> What we've done is really look at the problem from a usability standpoint.
Christopher> Trying to say, if we continue with the old method of having software come in and break the captcha, and the response to that is to create a more complex captcha to defeat the software, the result is that the users are having a harder and harder time solving the captcha as well.
[01:00]
Christopher> So what we've done is looked at the usability problem and said "How can we make it so users can solve these captchas and continue to present an effective security response?"
[01:09] <TITLE>
A sample NuCaptcha video captcha challenge appears on screen.
The video captcha with a green textured background reads:
Security Challenge [a set of icons appears here: 'reload', question mark, speaker]
VKN (in red, with each letter turning around its middle point axis)
Type the moving letters: [an input form appears here]
[01:09]
Christopher> So we've created a behavior analysis system.
Christopher> What that does is, we're a cloud-based platform, and as we integrate with our customers, we get behavior information from them of how the user's interacting with the website, what they're doing, and we create a behavior profile and from that we create a risk profile for each user.
Christopher> This correlates to an IP-basis.
[01:30] <TITLE>
Another NuCaptcha example captcha appears on screen.
This captcha is a plain black background, with otherwise similar behavior in the red captcha letters: CKP.
The icons have moved to the right side of the video and a Submit button is present next to the input field.
[01:30]
Christopher> Based on that risk, we will deploy a different security response; in some cases it's a really easy-to-solve captcha, so it's really focused on usability. In other cases we will present a captcha that is much stronger and that provides a lot more defense against an OCR or software attack.
[01:45]
Christopher> Some of our clients are ad biz, and the social space, O2 - which is a large telecom provider in the U.K. [...]
[01:52] <TITLE>
Another NuCaptcha video captcha appears on screen.
In this captcha, the background is a set of animated figures moving through the picture, such as a man on a bike and a woman jogging, with the letters:
OUTDOORS (in white) SRG (in red)
animating across the picture in a waveform pattern, with the red letters moving as in the other captcha examples.
[01:52]
I really don't understand why these are any better than a simple grid of images, say 9 or 16, where two of them have something in common but the answers are not obvious from the pictures presented. For instance a grid of 9 animal images where one is a tiger and one is a zebra and the captcha question is "Click two which have stripes", or images of vehicles where one is a bulldozer and one a tank and have "Click two which drive on tracks, not wheels.".
Just capturing a single frame of the video is all you need to decode it... obvious flaw...
Conceptually good, practically useless.
See, this is how we'll eventually achieve general purpose AI. People will just keep making more and more elaborate bot checks and AI will just get better and better at fooling them until its able to do anything a human can do, lol.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
Not only this, you positively can keep the calculated data from one frame and do a differential calculation on the next/prev frame to gain even more data about your objects.
The only captchas that are truly difficult for machines to crack are the ones that require logic deduction:
like "type the last word of this sentence."
-- no sig today
I remember reading the opposite.
I've also lost count of how many times I've had to use the "I'm a blind fucker" audio option because I can never read the damn things.
On top of that, I'd imagine it'd be relatively easy to make a computer recognize simple numbers being spoken.
(In before they start making the voices harder to understand too)
What do I know, I'm just an idiot, right?
1. Take multiple frames
2. Solve the captcha in each one individually
3. The most common answer is probably right.
The first one I got had E giving it to F in the rear like a damned pro. F sure can take that central horizontal protuberance. There was a T watching it all, rocking back and forth. Pretty charged scene, all and all.
Gotta hit refresh. I'm hoping for some lowercase action next.
captchanim (which is provided for free) was doing it before:
http://captchanim.cs.technion.ac.il/
I am wondering why they didn't just put only part of the captcha in each frame, so it would appear as solid text for humans when being replayed but it will appear totally different when you look at separate frames. It might be just F in the first frame and underscore in the second frame. This repeated will appear to humans as a nice E. Yes, robots will adapt to it eventually. But it might take some time.
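The idea in the comment above (and in the earlier "dot clouds" comment), sketched as an added example that is not part of either comment or of any NuCaptcha code: a glyph's lit pixels are dealt out across frames so that no single frame shows the letter, while overlaying the frames restores it. The bitmap and all function names are constructed for illustration.

```python
import random

# Constructed 5x7 bitmap of the letter "E" ('1' = lit pixel); sample data only.
GLYPH_E = ["11111", "10000", "10000", "11110", "10000", "10000", "11111"]

def lit_pixels(glyph):
    """Return the set of (row, col) coordinates that are lit in the bitmap."""
    return {(r, c) for r, row in enumerate(glyph)
            for c, ch in enumerate(row) if ch == "1"}

def split_into_frames(glyph, n_frames, seed=0):
    """Deal every lit pixel to exactly one frame, in shuffled order."""
    # Seeded only so the demo is repeatable; a real generator would draw
    # from an unpredictable source such as random.SystemRandom().
    rng = random.Random(seed)
    pixels = sorted(lit_pixels(glyph))
    rng.shuffle(pixels)
    frames = [set() for _ in range(n_frames)]
    for i, px in enumerate(pixels):
        frames[i % n_frames].add(px)
    return frames

def coverage(frame, glyph):
    """Fraction of the glyph's lit pixels visible in one frame."""
    full = lit_pixels(glyph)
    return len(frame & full) / len(full)

def integrate(frames):
    """Overlay all frames: what persistence of vision, or a frame accumulator, sees."""
    seen = set()
    for frame in frames:
        seen |= frame
    return seen

def render(pixels, height=7, width=5):
    """Draw a pixel set as text rows for inspection."""
    return ["".join("#" if (r, c) in pixels else "." for c in range(width))
            for r in range(height)]

if __name__ == "__main__":
    frames = split_into_frames(GLYPH_E, n_frames=3)
    for n, frame in enumerate(frames):
        print(f"frame {n}: {coverage(frame, GLYPH_E):.0%} of the glyph")
        print("\n".join(render(frame)), "\n")
    print("all frames overlaid:")
    print("\n".join(render(integrate(frames))))
```

Each of the three frames carries a third of the letter, and the overlay is the full "E", which is also why the commenter's caveat holds: anything that accumulates frames sees what the human eye sees.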
Jesus Christ, don't give Google ideas! They own reCAPTCHA, you know!
Pretty soon we'll be seeing two word advertisements! Then a bunch of morons on twitter will call it "duxvertisements" or something equally retarded and we'll never hear the end of it! AAAAAAAAGHHHHHHH!
Random Thoughts From A Diseased Mind (Not For Dummies)
OCR for videos is not so well developed so far. (For text, there are several open source projects.) There is a well-developed industry working on translating movies into 3D content, like the structure from motion problem, which makes space and camera path reconstruction from a movie. It is only a matter of time until these captchas are broken too. Another hurdle is that the examples use Flash, which allows scripting pictures using ActionScript. The OCR task is not given a movie (a sequence of pictures at first). What the captcha decoder will have to do is "film" the Flash animation first to render it into a sequence of pictures which then can be analyzed.
"A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas,"
So, IOW, someone took my idea of using video captchas (flashing scenes from an anime series, which you must identify as the captcha code.)
Bet someone there reads slashdot (as I've mentioned that here many times before) or visits my anime forum.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Just imagine how quickly the Enigma cypher would have been solved if used as a captcha!
Suspicion
For the sakes of all the lonely IRC addicts, I hope we manage to stay ahead of the 'bots in this field...
With the analysis at
* http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
I find my own CAPTCHA is just as good, but at least you get to look at a nice cup of coffee:
* http://stephansmap.org/sign_up
http://stephan.sugarmotor.org
Not to be insulting, but he looks like the possible result of David Letterman crossed with Thomas Dolby.
Mix crowd sourcing, cheap data connection, low labor cost of India together and what do you get? You can hire people in India to sit in front of their computers on 8 hour shifts breaking any captcha you throw at them.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Don't think it will get any better with video ..
Hey don't blame me, IANAB
I hate captchas, especially poorly designed ones that display letters using strange, warped fonts where the letters used could be another letter, or number. Here is a better idea... replace captchas with 2-factor authentication, like Facebook or Google does. You know it's a real person, because they have to receive the text (Facebook) or launch an app on their phone and copy out a code (Google), which is trivial to do, and is remembered by a cookie so you only have to do it once.
Much better look for RingCaptcha. Nucaptcha has been broken more than one time. It seems this new start up has a new contender. http://vimeo.com/36160988
QuasiSteve, if you contacted me we might figure out a way to pay you for video transcripts. robin (at or near) roblimo (dit dot) com.
Spammers, here ya go: robin@roblimo.com
WHO ARE YOU, PSYCHO DOUCHE!?! Your gay videos of timothy are incredibly annoying!
Maybe Ticketmaster can use this so I can actually buy a ticket at price instead of letting the digital ticket scalpers buy 80% of all seats within 5 minutes of tickets going on sale.
Even worse if it's a flash one. Why not just GIF?
When I loaded the demo page with Flash disabled, I saw this. (The front page does require flash for the video presentation, which isn't terribly surprising.)
I use flashblock and just got a flashblock logo. When I clicked to allow flash, it gave an error ("could not load movie").
Apparently whatever script they use to check for Flash can tell that you have Flash installed, but doesn't check to make sure that the Flash plugin was actually able to load, or revert to the gif if it didn't.