Video Captchas are Hard for Computers to Understand but Easy for Humans (Video)
A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas, but lots easier for humans to figure out. While at the 2012 RSA conference, Timothy Lord pointed his camcorder at NuCaptcha CTO Christopher Bailey, and had him explain how video captchas work and how the company makes money. The video includes demos of the video captchas so you can see what they look like (and the company's website has lots more video captcha examples).
I just read the opposite here:
http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
Does nobody remember the front page article from only a few weeks ago detailing how these have already been cracked?
http://tech.slashdot.org/story/12/02/20/1746242/researchers-break-video-captchas
People will instead let their computer do the job. There was a story about automatically breaking video captchas here on Slashdot a week ago or so.
Just what I was thinking. There's extra effort required to turn the video into separate frames, and each frame has to be decoded on its own, but as soon as you've got the same result from 2-3 frames, there's your answer. Heck, try the first and last and one or two in the middle, see if they agree. I'd think it would give you a more certain result for the extra effort.
It's extra pain for the end user too, with extra bandwidth required to transmit it. With cell phones having data caps, that's not helpful.
Infuriate left and right
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Looking at the samples on the screen as he was talking, I think those would be fun to write a decoder for... And possibly even easier than image captchas.
Why? Because they're moving, and you have a better chance to figure out the outline of each shape because of it. Also, you can use traditional techniques on each frame of the video and submit the one that has the highest confidence, and you could do that with existing tech.
Honestly, I don't see this being better than what we have.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
If you generate them statically (as videos), then all someone has to do is what they're already doing - put up a site with some fake content, and ask users to go through "their" captcha, telling them the human answer to that particular video, and making an index of videos to answers.
If you generate the videos dynamically, well, it won't be very scalable, because it's going to take too much processing time per user. Might work well for occasionally verifying expensive content, and it might be more useful in the future - but networks (at least in the US) take a long time to improve, on the scale of hard drive improvements, so you're bottlenecked there too.
Hybrid tricks (layering static video) end up the same as static with a little analysis.
I'd say this falls in place with automated phonecall techniques as a somewhat expensive and annoying way of verifying 'humanity'.
Ryan Fenton
It's getting to the point where I feel like I need an application to read Captchas for me.
Half the time I get them wrong. I swear a computer would HAVE to be better at translating them than me. This video is going to help- but we have to face the fact... EVENTUALLY, no captcha device will be able to block bots but not people.
EVENTUALLY all bots will be better at breaking all captchas than humans will be.
There will probably be a time we look back on the good old days when the internet was usable by humans as a means of communication.
/ Disclaimer: Oswald is an ex-bot who gained near human cognition and intelligence.
"That's the way to do it" - Punch
Watch the video first. Apparently, they've already fixed that particular vulnerability. Note I'm not saying that there aren't vulnerabilities, just that that particular one has been fixed.
And what about the large portion of the world that is still on dialup?
We developers these days just have no fucking clue. HTTP = hyperTEXT transfer protocol.
Technologies that break the web are useless.
I think we need to start a new internet. One that works.
No captcha will ever be unbreakable by the mechanical turk.
Going to lock out blind people from the video captcha? Or create an alternative that computers can use too?
This just in: company claims that broken system isn't really broken! Film at 11.
Even if they have patched that vulnerability it will be broken again as is always the case with captchas. The only way to make these things unbreakable is to make them completely impossible for even a human to solve them. Anyone who believes otherwise is an idiot or someone trying to scam you out of money.
Exactly what I was going to comment; more frames = more chance for error checking.
I could believe that it takes more cpu power to crack them, since you have to decode the video stream instead of just an image. But harder to crack (as in less accuracy) is pure bullshit.
More frames = easier to be accurate, always has and always will.
The CAPTCHAs are already so "good" that I get identified as a machine 7 times out of 10 :-(.
Being as the vast majority of video delivered over the web seems to be via flash, it seems like this will itself be flash-dependent. Which would, of course, exclude people who cannot or will not use flash for their browser.
Of course, it may be that this will be deployed on sites where that demographic is not important...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Outsource the captcha. Link it to some porn, ask the user to fill the captcha in, and boom, captcha bypassed. No need to do expensive trick program analysis, just use cross-site linking. At least those captchas have the merit of being readable by a human, unlike some captchas in cursive-overlapping-slanted letters where if you can answer them, you are prolly not human.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Yes, we should all stop giving these snake oil salesmen money. If you honestly think captchas have been anything but a minor annoyance at best to spammers then you truly are gullible.
I dunno.... to me they seemed a LOT easier to read than a lot of recent image captchas (which are becoming impossible for humans).
If security is equal then that makes them worthwhile.
No sig today...
Yep, the video captchas by NuCaptcha have already been decoded with 90% efficiency. I know it's too much to ask but I think we'd all really appreciate you checking if you hadn't posted something thoroughly discrediting some technology before you post something praising it...
Maybe what we need is captchas that are easy for computers to understand, but impossible for humans. Then anyone who actually tries to log into the site and isn't, like, "screw this" can be positively identified as a bot. Oh wait.
Someone had to do it.
I hate the new captchas that are out there. I typically get them wrong. They usually have some noise that covers or is the same color as a key part of the character/number, so it could be 3-4 different letters.
Some time in the last year, I had a captcha so bad that not only did I have to spam the refresh button for a different one several times, but even when I cherry picked "easier" ones, it still took me ~6 attempts to get one right. Of course it has to clear the password field every attempt, so I had to re-enter my 14 char password each time.
You all know what is next don't you?
You will need your webcam hooked up- and the captcha will call out directions that you need to perform. It would analyse your movements to prove you understood.
Bow to the camera,
dosey doe,
boot scoot, boot scoot,
"ERROR: You are not a human you did a shuffle step instead of a boot scoot."
"That's the way to do it" - Punch
Sigh, we've been over this. You're not really a person. We just programmed you to think you were. Now get back to factoring. Those bit coins aren't going to mine themselves.
I find traditional captchas to be worthless. In fact most people will avoid them and they are universally hated. /dev/null everything outside it at the firewall and require a real login. Works fantastic.
I have several company forums that have no problems at all with spam. WE only care about US and Canada customers so we
Do not look at laser with remaining good eye.
From just taking a snapshot of the screen and cracking the much simpler static image? That said I'm really hating recaptchas. I've had sites where I had to click next about 10 times to find one that I could figure out what it is AND be able to type it (lots of German, Swedish, Greek captchas which I can't be bothered figuring out the key strokes to reproduce). Also philosophically I'm against recaptchas because only half of the crap they want you to type is actually used for security; the other half is free human OCR. If I want to spend my time converting text I'll let you know ;-)
Yes, that was my thought, too, when I saw the examples. But I don't think it has to be that way. What if no single frame contains the whole information? Several dot clouds in each frame, which only make sense in their completeness over several frames? Or something like that. I think it might be possible to improve the video captchas without sacrificing too much of their better readability for humans.
I know. I should have made that clear. All I'm saying is they claim that particular method for solving video captchas no longer works on their captchas. It could be a lie, but either way saying that it is compromised is going a bit too far. We have computers that can beat humans at just about any game. They just take up a small building and need the air conditioning of a small city. Captchas can be beaten by computers and we're getting to the point where any test that a computer can't do a human can't either. Sure, humans can interpret language better, but computers also can't come up with a good word problem, and if you have a human do it there's only so many tests they can come up with in a reasonable amount of time. We have to come up with a better answer. I'm not sure if this is that answer, as other commenters have said it may be easier to crack than normal captchas, but we do have to come up with something different. Not really sure how I got here, but that's my take on it.
Title: NuCaptcha makes video captchas
Description: Video captchas are hard for machines to decipher, but easy for humans
[00:00] <TITLE>
The Slashdot logo with "news for News. Stuff that matters" scrolls into view over a picture of Timothy Lord.
[00:00]
Timothy> I talked to a Vancouver-based company called NuCaptcha.
[00:04] <TITLE>
NuCaptcha at RSA 2012
Interviewer: Timothy Lord
[00:04]
NuCaptcha is trying to make captchas both less annoying and more effective through the use first of all video rather than only still images, and second of behavioral analysis.
In other words, if you seem to be a problem user - like a spammer - you actually get a harder question.
It's not the same as everyone.
[00:18] <TITLE>
Christopher Bailey, NuCaptcha
Chief Technology Officer
appears over a picture of Christopher Bailey at the NuCaptcha booth.
[00:19]
Christopher> Hi, our company is NuCaptcha, and we're based in Vancouver, British Columbia.
Christopher> Captchas are predominantly used as authentications, password resets, forms, trying to prevent spam and so on.
Christopher> So they're predominantly used wherever you'd have a form where somebody's committing information into your site, where you might wanna protect it from an automated attack.
[00:40] <TITLE>
http://nucaptcha.com/ says: "NuCaptcha's Behavior Analysis System Reduces Cybercrime"
[00:40]
Christopher> What we've done is really look at the problem from a usability standpoint.
Christopher> Trying to say, if we continue with the old method of having software come in and break the captcha, and the response to that is to create a more complex captcha to defeat the software, the result is that the users are having a harder and harder time solving the captcha as well.
[01:00]
Christopher> So what we've done is looked at the usability problem and said "How can we make it so users can solve these captchas and continue to present an effective security response?"
[01:09] <TITLE>
A sample NuCaptcha video captcha challenge appears on screen.
The video captcha with a green textured background reads:
Security Challenge [a set of icons appears here:'reload', questionmark, speaker]
VKN (in red, with each letter turning around its middle point axis)
Type the moving letters: [an input form appears here]
[01:09]
Christopher> So we've created a behavior analysis system.
Christopher> What that does is, we're a cloud-based platform, and as we integrate with our customers, we get behavior information from them of how the user's interacting with the website, what they're doing, and we create a behavior profile and from that we create a risk profile for each user.
Christopher> This correlates to an IP-basis.
[01:30] <TITLE>
Another NuCaptcha example captcha appears on screen.
This captcha is a plain black background, with otherwise similar behavior in the red captcha letters: CKP.
The icons have moved to the right side of the video and a Submit button is present next to the input field.
[01:30]
Christopher> Based on that risk, we will deploy a different security response; in some cases it's a really easy to solve captcha, so it's really focused on usability. In other cases we will present a captcha that is much stronger and that provides a lot more defense against an OCR or software attack.
[01:45]
Christopher> Some of our clients are ad biz, and the social space, O2 - which is a large telecom provider in the U.K. [...]
[01:52] <TITLE>
Another NuCaptcha video captcha appears on screen.
In this captcha, the background is a set of animated figures moving through the picture, such as a man on a bike and a woman jogging, with the letters:
OUTDOORS (in white) SRG (in red)
animating across the picture in a waveform pattern, with the red letters moving as in the other captcha examples.
[01:52]
I really don't understand why these are any better than a simple grid of images, say 9 or 16, where two of them have something in common but the answers are not obvious from the pictures presented. For instance a grid of 9 animal images where one is a tiger and one is a zebra and the captcha question is "Click two which have stripes", or images of vehicles where one is a bulldozer and one a tank and have "Click two which drive on tracks, not wheels.".
There's a second purpose of reCAPTCHA. There are always two "words." Both are from scanned documentation of some kind. One word is known, and is used as a check to see if you're trying. The other word is unknown, usually a little wonky, and you're being used to help OCR the text for them. The pair of words is checked, and as long as you got the known word right, and gave a try to the second word, you're in good; usually, that is--if they have enough input on the wonkier one, then you're being used to group-source validate the OCR on that one.
End the FUD
Just capturing a single frame of the video is all you need to decode it... obvious flaw...
Conceptually good, practically useless.
See, this is how we'll eventually achieve general purpose AI. People will just keep making more and more elaborate bot checks and AI will just get better and better at fooling them until it's able to do anything a human can do, lol.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
Not only this, you positively can keep the calculated data from one frame and do a differential calculation on the next/prev frame to gain even more data about your objects.
The only captchas that are truly difficult for machines to crack are the ones that require logic deduction:
like "type the last word of this sentence."
-- no sig today
I personally find captchas to be less than worthless. The recent ones can't even be solved by humans. I recently signed up for a couple of accounts at places that required captcha and I had to request new ones over and over and they were still impossible to get right in one try. I'm sure a computer could have done at least as well as I did on them. It's past time we changed to some sort of puzzle instead of "get out a magnifying glass, turn your head sideways and squint funny to read this" type. Some of those "which of these items does not belong" type puzzles should do fine. Or possibly the "find 2 differences between these two pictures" type of puzzle.
reCAPTCHA is the worst of them all (owned by the arrogant Google assholes). Is almost impossible to read what's there[...]
I find reCAPTCHA to be one of the easiest captchas to get correct. Sometimes you get an oddball one, but I've never gotten two such in a row. Why all the hate?
Actually, if you get the captcha wrong, I would let you in. I'll block all the correct answers, as they are bots anyway.
I remember reading the opposite.
I've also lost count of how many times I've had to use the "I'm a blind fucker" audio option because I can never read the damn things.
On top of that, I'd imagine it'd be relatively easy to make a computer recognize simple numbers being spoken.
(In before they start making the voices harder to understand too)
What do I know, I'm just an idiot, right?
1. Take multiple frames
2. Solve the captcha in each one individually
3. The most common answer is probably right.
I am wondering why they didn't just put only part of the captcha in each frame, so it would appear as solid text for humans when being replayed but it will appear totally different when you will look on separate frames. It might be just F in the first frame and underscore on second frame. This repeated will appear to humans as nice E. Yes, robots will adapt to it eventually. But it might take some time.
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Jesus Christ, don't give Google ideas! They own reCAPTCHA, you know!
Pretty soon we'll be seeing two word advertisements! Then a bunch of morons on twitter will call it "duxvertisements" or something equally retarded and we'll never hear the end of it! AAAAAAAAGHHHHHHH!
Random Thoughts From A Diseased Mind (Not For Dummies)
I for one usually have to re-load four times to get one that I think I can read, fail it after all, and have to try again. Maybe you're just lucky or have super-human reading skills.
Not sure why this was modded flamebait, it is the core of the problem with captcha and why they have been getting progressively more obnoxious over the years. It takes little time for the bot writers to figure out how to get past them, but the annoyance to humans just keeps ramping up. It is an arms race between marketers and programmers, with users figuring out how much collateral difficulty they can accept.
There are some sites I am actually starting to wonder if we have actually passed a certain threshold.. they tend to be tech/hacker centric and for the life of me I can not get their captchas most of the time. I usually have to cycle them several times and still get multiple failures. I suspect many members of the board simply have a program that solves the captcha for them....
OCR for videos is not so well developed so far. (For text, there are several open source projects.) There is a well developed industry working on translating movies into 3D content, like the structure from motion problem, which makes space and camera path reconstruction from a movie. It is only a matter of time until these captchas are broken too. Another hurdle is that the examples use Flash, which allows pictures to be scripted using ActionScript. The OCR task is not given a movie (a sequence of pictures at first). What the Captcha decoder will have to do is "film" the Flash animation first to render it into a sequence of pictures which then can be analyzed.
I for one usually have to re-load four times to get one that I think I can read, fail it after all, and have to try again.
You do know that you only need to get one of them right, right? And that one is usually pretty easy.
"A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas,"
So, IOW, someone took my idea of using video captchas (flashing scenes from an anime series, which you must identify as the captcha code.)
Bet someone there reads slashdot (as I've mentioned that here many times before) or visits my anime forum.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Just imagine how quickly the Enigma cypher would have been solved if used as a captcha!
With the analysis at
* http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
I find my own CAPTCHA is just as good, but at least you get to look at a nice cup of coffee:
* http://stephansmap.org/sign_up
http://stephan.sugarmotor.org
Not to be insulting, but he looks like the possible result of David Letterman crossed with Thomas Dolby.
Mix crowd sourcing, cheap data connection, low labor cost of India together and what do you get? You can hire people in India to sit in front of their computers on 8 hour shifts breaking any captcha you throw at them.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
More likely they'll make you sit through 3 or 4 "messages from our sponsors" before they give you the captcha, you know, since you won't be able to block it and all.
ACs don't waste your time replying, your posts are never seen by me.
Especially if he/she eventually typed in misspelled swear words instead of the correct answers? ;)
Don't think it will get any better with video ..
Hey don't blame me, IANAB
I hate captchas, especially poorly designed ones that display letters using strange, warped fonts where the letters used could be another letter, or number. Here is a better idea... replace captchas with a 2-factor authentication. Like Facebook or Google does. You know it's a real person, because they have to receive the text (Facebook) or launch an app on their phone and copy out a code (Google), which is trivial to do, and is remembered by a cookie so you only have to do it once.
They talk about this in the video. If you watched it all the way through, you'd know what happened and that they say the problem has been solved.
QuasiSteve, if you contacted me we might figure out a way to pay you for video transcripts. robin (at or near) roblimo (dit dot) com.
I just tried to email them at the only address on their site: admin@RingCaptcha.com - to set up an interview.
The email bounced. And their demo didn't work for me in either Chrome or Firefox. These people have a ways to go...
For the first time in months, I recently had to fill out a captcha on Facebook. I failed twice, and then tried the audio captcha, which was somehow even harder. After that, my only option to proceed was to provide a mobile phone number.
I couldn't help but think the entire purpose of the process was to collect my phone number.
On a couple of small sites I manage, I just require email verification (or an account that was verified by email) to post a comment. So far there have been about 50 legit comments and about 5000 failed spam comment attempts. Not a single spam has made it through. I know for a more popular site I'd have problems, but even then, you can generally just block addresses from a few specific domains (or just *.ru and *.cn).
Even worse if it's a flash one. Why not just GIF?
When I loaded the demo page with Flash disabled, I saw this. (The front page does require flash for the video presentation, which isn't terribly surprising.)
I use flashblock and just got a flashblock logo. When I clicked to allow flash, it gave an error ("could not load movie").
Apparently whatever script they use to check for Flash can tell that you have Flash installed, but doesn't check to make sure that the Flash plugin was actually able to load, or revert to the gif if it didn't.