Video Captchas are Hard for Computers to Understand but Easy for Humans (Video)
A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas, but lots easier for humans to figure out. While at the 2012 RSA conference, Timothy Lord pointed his camcorder at NuCaptcha CTO Christopher Bailey, and had him explain how video captchas work and how the company makes money. The video includes demos of the video captchas so you can see what they look like (and the company's website has lots more video captcha examples).
I just read the opposite here:
http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
Does nobody remember the front page article from only a few weeks ago detailing how these have already been cracked?
http://tech.slashdot.org/story/12/02/20/1746242/researchers-break-video-captchas
People will instead let their computer do the job. There was a story about automatically breaking video captchas here on Slashdot a week ago or so.
Just what I was thinking. There's extra effort required to turn the video into separate frames, and each frame has to be decoded on its own, but as soon as you've got the same result from 2-3 frames, there's your answer. Heck, try the first and last and one or two in the middle, see if they agree. I'd think it would give you a more certain result for the extra effort.
It's extra pain for the end user too, with extra bandwidth required to transmit it. With cell phones having data caps, that's not helpful.
Infuriate left and right
Looking at the samples on the screen as he was talking, I think those would be fun to write a decoder for... And possibly even easier than image captchas.
Why? Because they're moving, and you have a better chance to figure out the outline of each shape because of it. Also, you can use traditional techniques on each frame of the video and submit the one that has the highest confidence, and you could do that with existing tech.
Honestly, I don't see this being better than what we have.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
If you generate them statically (as videos), then all someone has to do is what they're already doing - put up a site with some fake content, and ask users to go through "their" captcha, telling them the human answer to that particular video, and making an index of videos to answers.
If you generate the videos dynamically, well, it won't be very scalable, because it's going to take too much processing time per user. Might work well for occasionally verifying expensive content, and it might be more useful in the future - but networks (at least in the US) take a long time to improve, on the scale of hard drive improvements, so you're bottlenecked there too.
Hybrid tricks (layering static video) end up the same as static with a little analysis.
I'd say this falls in place with automated phonecall techniques as a somewhat expensive and annoying way of verifying 'humanity'.
Ryan Fenton
It's getting to the point where I feel like I need an application to read Captchas for me.
Half the time I get them wrong. I swear a computer would HAVE to be better at translating them than me. This video is going to help- but we have to face the fact... EVENTUALLY, no captcha device will be able to block bots but not people.
EVENTUALLY all bots will be better at breaking all captchas than humans will be.
There will probably be a time we look back on the good old days when the internet was usable by humans as a means of communication.
/ Disclaimer: Oswald is an ex-bot who gained near human cognition and intelligence.
"That's the way to do it" - Punch
Watch the video first. Apparently, they've already fixed that particular vulnerability. Note I'm not saying that there aren't vulnerabilities, just that that particular one has been fixed.
Exactly what I was going to comment; more frames = more chance for error checking.
I could believe that it takes more cpu power to crack them, since you have to decode the video stream instead of just an image. But harder to crack (as in less accuracy) is pure bullshit.
More frames = easier to be accurate, always has and always will.
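The claim in the comments above, that agreement across frames raises recognition accuracy, is something a defender can quantify when assessing a video scheme. This is an added example, not code from the thread or from NuCaptcha: it assumes each frame is an independent read with per-character accuracy `p`, a three-letter challenge like the samples shown in the video, and a hypothetical `common_mode` share of characters that are read identically in every frame; all function names and numbers are assumptions.

```python
from math import comb


def majority_correct(p: float, frames: int) -> float:
    """Probability that a strict majority of `frames` independent reads of one
    character is right, given per-frame accuracy p. Strict majority is a lower
    bound on plurality voting, since wrong reads scatter over many letters."""
    need = frames // 2 + 1
    return sum(comb(frames, k) * p**k * (1 - p) ** (frames - k)
               for k in range(need, frames + 1))


def challenge_solved(p: float, frames: int, length: int = 3,
                     common_mode: float = 0.0) -> float:
    """Probability that every character of a `length`-letter challenge is
    recovered by voting across frames. `common_mode` (assumed model parameter)
    is the share of characters whose read is the same in every frame, so
    voting adds nothing for them."""
    per_char = common_mode * p + (1 - common_mode) * majority_correct(p, frames)
    return per_char ** length


def frames_to_reach(p: float, target: float, length: int = 3,
                    common_mode: float = 0.0, limit: int = 199):
    """Smallest odd frame count whose solve rate meets `target`, or None if
    the target is out of reach within `limit` frames."""
    for n in range(1, limit + 1, 2):
        if challenge_solved(p, n, length, common_mode) >= target:
            return n
    return None


if __name__ == "__main__":
    # Constructed inputs: 60% per-frame accuracy, with and without shared errors.
    print("frames  independent  half_common_mode")
    for n in (1, 3, 5, 9, 15):
        print(f"{n:6d}  {challenge_solved(0.6, n):11.3f}"
              f"  {challenge_solved(0.6, n, common_mode=0.5):16.3f}")
```

Under this model, the extra frames only help where per-frame errors are independent; when the same characters are misread in every frame, the solve rate is capped no matter how many frames are sampled.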
The CAPTCHAs are already so "good", that I get identified as machines 7 times out of 10 :-(.
Being as the vast majority of video delivered over the web seems to be via flash, it seems like this will itself be flash-dependent. Which would, of course, exclude people who cannot or will not use flash for their browser.
Of course, it may be that this will be deployed on sites where that demographic is not important...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Outsource the captcha. Link it to some porn, ask the user to fill the captcha in, and boum, captcha bypassed. No need to do expensive trick program analysis, just use cross-site linking. At least those captchas have the merit of being readable by a human, unlike some captchas in cursive-overlapping-slanted letters where, if you can answer them, you are prolly not human.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I dunno.... to me they seemed a LOT easier to read than a lot of recent image captchas (which are becoming impossible for humans).
If security is equal then that makes them worthwhile.
No sig today...
Yep, the video captchas by NuCaptcha have already been decoded with 90% efficiency. I know it's too much to ask but I think we'd all really appreciate you checking if you hadn't posted something thoroughly discrediting some technology before you post something praising it...
You all know what is next don't you?
You will need your webcam hooked up- and the captcha will call out directions that you need to perform. It would analyse your movements to prove you understood.
Bow to the camera,
dosey doe,
boot scoot, boot scoot,
"ERROR: You are not a human you did a shuffle step instead of a boot scoot."
"That's the way to do it" - Punch
Sigh, we've been over this. You're not really a person. We just programmed you to think you were. Now get back to factoring. Those bit coins aren't going to mine themselves.
I find traditional captchas to be worthless. In fact most people will avoid them and they are universally hated. /dev/null everything outside it at the firewall and require a real login. Works fantastic.
I have several company forums that have no problems at all with spam. WE only care about US and Canada customers so we
Do not look at laser with remaining good eye.
I know. I should have made that clear. All I'm saying is they claim that particular method for solving video captchas no longer works on their captchas. It could be a lie, but either way saying that it is compromised is going a bit too far. We have computers that can beat humans at just about any game. They just take up a small building and need the air conditioning of a small city. Captchas can be beaten by computers and we're getting to the point where any test that a computer can't do a human can't either. Sure humans can interpret language better, but computers also can't come up with a good word problem and if you have a human do it there's only so many tests they can come up with in a reasonable amount of time. We have to come up with a better answer. I'm not sure if this is that answer, as other commenters have said it may be easier to crack than normal captchas, but we do have to come up with something different. Not really sure how I got here, but that's my take on it.
Title: NuCaptcha makes video captchas
Description: Video captchas are hard for machines to decipher, but easy for humans
[00:00] <TITLE>
The Slashdot logo with "News for Nerds. Stuff that matters" scrolls into view over a picture of Timothy Lord.
[00:00]
Timothy> I talked to a Vancouver-based company called NuCaptcha.
[00:04] <TITLE>
NuCaptcha at RSA 2012
Interviewer: Timothy Lord
[00:04]
NuCaptcha is trying to make captchas both less annoying and more effective through the use first of all video rather than only still images, and second of behavioral analysis.
In other words, if you seem to be a problem user - like a spammer - you actually get a harder question.
It's not the same as everyone.
[00:18] <TITLE>
Christopher Bailey, NuCaptcha
Chief Technology Officer
appears over a picture of Christopher Bailey at the NuCaptcha booth.
[00:19]
Christopher> Hi, our company is NuCaptcha, and we're based in Vancouver, British Columbia.
Christopher> Captchas are predominantly used as authentications, password resets, forms, trying to prevent spam and so on.
Christopher> So they're predominantly used wherever you'd have a form where somebody's committing information into your site, where you might wanna protect it from an automated attack.
[00:40] <TITLE>
http://nucaptcha.com/ says: "NuCaptcha's Behavior Analysis System Reduces Cybercrime"
[00:40]
Christopher> What we've done is really look at the problem from a usability standpoint.
Christopher> Trying to say, if we continue with the old method of having software come in and break the captcha, and the response to that is to create a more complex captcha to defeat the software, the result is that the users are having a harder and harder time solving the captcha as well.
[01:00]
Christopher> So what we've done is looked at the usability problem and said "How can we make it so users can solve these captchas and continue to present an effective security response?"
[01:09] <TITLE>
A sample NuCaptcha video captcha challenge appears on screen.
The video captcha with a green textured background reads:
Security Challenge [a set of icons appears here: 'reload', question mark, speaker]
VKN (in red, with each letter turning around its middle point axis)
Type the moving letters: [an input form appears here]
[01:09]
Christopher> So we've created a behavior analysis system.
Christopher> What that does is, we're a cloud-based platform, and as we integrate with our customers, we get behavior information from them of how the user's interacting with the website, what they're doing, and we create a behavior profile and from that we create a risk profile for each user.
Christopher> This correlates to an IP-basis.
[01:30] <TITLE>
Another NuCaptcha example captcha appears on screen.
This captcha is a plain black background, with otherwise similar behavior in the red captcha letters: CKP.
The icons have moved to the right side of the video and a Submit button is present next to the input field.
[01:30]
Christopher> Based on that risk, we will deploy a different security response; in some cases it's a really easy to solve captcha, so it's really focused on usability. In other cases we will present a captcha that is much stronger and that provides a lot more defense against an OCR or software attack.
[01:45]
Christopher> Some of our clients are ad biz, and the social space, O2 - which is a large telecom provider in the U.K. [...]
[01:52] <TITLE>
Another NuCaptcha video captcha appears on screen.
In this captcha, the background is a set of animated figures moving through the picture, such as a man on a bike and a woman jogging, with the letters:
OUTDOORS (in white) SRG (in red)
animating across the picture in a waveform pattern, with the red letters moving as in the other captcha examples.
[01:52]
Not only this, you positively can keep the calculated data from one frame and do a differential calculation on the next/prev frame to gain even more data about your objects.
The only captchas that are truly difficult for machines to crack are the ones that require logic deduction:
like "type the last word of this sentence."
-- no sig today
Actually, if you get the captcha wrong, I would let you in. I'll block all the correct answers, as they are bots anyway.
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Jesus Christ, don't give Google ideas! They own reCAPTCHA, you know!
Pretty soon we'll be seeing two word advertisements! Then a bunch of morons on twitter will call it "duxvertisements" or something equally retarded and we'll never hear the end of it! AAAAAAAAGHHHHHHH!
Random Thoughts From A Diseased Mind (Not For Dummies)
Not sure why this was modded flamebait, it is the core of the problem with captcha and why they have been getting progressively more obnoxious over the years. It takes little time for the bot writers to figure out how to get past them, but the annoyance to humans just keeps ramping up. It is an arms race between marketers and programmers, with users figuring out how much collateral difficulty they can accept.
There are some sites I am actually starting to wonder if we have actually passed a certain threshold.. they tend to be tech/hacker centric and for the life of me I can not get their captchas most of the time. I usually have to cycle them several times and still get multiple failures. I suspect many members of the board simply have a program that solves the captcha for them....
They talk about this in the video. If you watched it all the way through, you'd know what happened and that they say the problem has been solved.
On a couple of small sites I manage, I just require email verification (or an account that was verified by email) to post a comment. So far there have been about 50 legit comments and about 5000 failed spam comment attempts. Not a single spam has made it through. I know for a more popular site I'd have problems, but even then, you can generally just block addresses from a few specific domains (or just *.ru and *.cn).