Video Video Captchas are Hard for Computers to Understand but Easy for Humans (Video) 128
Video no longer available.
A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas, but lots easier for humans to figure out. While at the 2012 RSA conference, Timothy Lord pointed his camcorder at NuCaptcha CTO Christopher Bailey, and had him explain how video captchas work and how the company makes money. The video includes demos of the video captchas so you can see what they look like (and the company's website has lots more video captcha examples).
Re:Love it! (Score:4, Informative)
People will instead let their computer do the job. There was a story about autmatically breaking video captchas here on slashdot a week ago or so.
Re:Love it! (Score:5, Insightful)
I dunno.... to me they seemed a LOT easier to read then a lot of recent image captchas (which are becoming impossible for humans).
If security is equal then that makes them worthwhile.
Re: (Score:1)
I hate the new captchas that are out there. I typically get them wrong. They usually have some noise that covers or is the same color as a key part of the character/number, so it could be 3-4 different letters.
Some time in the last year, I had a captcha so bad that not only did I have to spam the refresh button for a different one several times, but even when I cherry picked "easier" ones, it still took me ~6 attempts to get one right. Of course it has to clear the password field every attempt, so I had to
Re:Love it! (Score:5, Funny)
Sigh, we've been over this. You're not really a person. We just programmed you to think you were. Now get back to factoring. Those bit coins aren't going to mine themselves.
Re:Love it! (Score:5, Funny)
Actually, if you get the captcha wrong, I would let you in. I'll block all the correct answers, as they are bots anyway.
Re: (Score:1)
Re: (Score:2)
For the first time in months, I recently had to fill out a captcha on Facebook. I failed twice, and then tried the audio captcha, which was somehow even harder. After that, my only option to proceed was to provide a mobile phone number.
I couldn't help but think the entire purpose of the process was to collect my phone number.
Re:Love it! (Score:4, Insightful)
I find traditional captchas to be worthless. in fact most people will avoid them and they are universally hated. /dev/null everything outside it at the firewall and require a real login. works fantastic.
I have several company forums that have no problems at all with spam. WE only care about US and Canada customers so we
Re: (Score:1)
Re: (Score:3)
On a couple of small sites I manage, I just require email verification (or an account that was verified by email) to post a comment. So far there have been about 50 legit comments and about 5000 failed spam comment attempts. Not a single spam has made it through. I know for a more popular site I'd have problems, but even then, you can generally just block addresses from a few specific domains (or just *.ru and *.cn).
Re: (Score:3)
There are some sites I am actually starting to wonder if we have actually passed a certain thresh
Re: (Score:2)
Yes, we should all stop giving these snake oil salesmen money. If you honestly think captchas have been anything but a minor annoyance at best to spammers then you truly are gullible.
Re:Love it! (Score:5, Informative)
Re: (Score:3)
They talk about this in the video. If you watched it all the way through, you'd know what happened and that they say the problem has been solved.
Re: (Score:2)
Maybe what we need is captchas that are easy for computers to understand, but impossible for humans. Then anyone who actually tries to log into the site and isn't. like, "screw this" can be positively identified as a bot. Oh wait.
General AI! (Score:2)
See, this is how we'll eventually achieve general purpose AI. People will just keep making more and more elaborate bot checks and AI will just get better and better at fooling them until its able to do anything a human can do, lol.
Re: (Score:2)
Wait, what?! (Score:5, Informative)
I just read the opposite here:
http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/
Re: (Score:2)
Re: (Score:3)
well, in OCR one of the first steps is to identify the objects that are characters in the image (calculate bounding boxes for each char)
so the process can be even simplified, you don't need to run the algo on every frame you just do boundary recognition on some
continuous frames, gathering character edge data for the - slightly offset per frame - chars and at the end you evaluate just the edge
data.
Re: (Score:2)
Just looking at the demos, it seems that identifying the characters might be easier for these, in one sense: they're moving.
Seriously? (Score:5, Informative)
Does nobody remember the front page article from only a few weeks ago detailing how these have already been cracked?
http://tech.slashdot.org/story/12/02/20/1746242/researchers-break-video-captchas
Re: (Score:2)
Yes, a video that is nothing but pure marketing for the company.
Transcript: because it would have saved comments! (Score:5, Informative)
Title: NuCaptcha makes video captches
Description: Video captchas are hard for machines to decipher, but easy for humans
[00:00] <TITLE>
The Slashdot logo with "news for News. Stuff that matters" scrolls into view over a picture of Timothy Lord.
[00:00]
Timothy> I talked to a Vancouver-base company called NuCaptcha.
[00:04] <TITLE>
NuCaptcha at RSA 2012
Interviewer: Timothy Lord
[00:04]
NuCaptcha is trying to make captchas both less annoying and more effective through the use first of all video rather than only still images, and second of behavioral analysis.
In other words, if you seem to be a problem user - like a spammer - you actually get a harder question.
It's not the same as everyone.
[00:18] <TITLE>
Christopher Bailey, NuCaptcha
Chief Technology Officer
appears over a picture of Christopher Bailey at the NuCaptcha booth.
[00:19]
Christopher> Hi, our company is NuCaptcha, and we're based in Vancouver, British Columbia.
Christopher> Captchas are predominantly used as authentications, password resets, forms, trying to prevent spam and so on.
Christopher> So they're predominently used whereever you'd have a form where somebody's committing information into your site, where you might wanna protect it from an automated attack.
[00:40] <TITLE>
http://nucaptcha.com/ [nucaptcha.com] says: "NuCaptcha's Behavior Analaysis System Reduces Cybercrime"
[00:40]
Christopher> What we've done is really look at the problem from a usability standpoint.
Christopher> Trying to say, if we continue with the old method of having software come in and break the captcha, and the response to that is to create a more complex captcha to defeat the software, the result is that the users are having a harder and harder time solving the captcha as well.
[01:00]
Christopher> So what we've done is looked at the usability problem and said "How can we make it so users can solve these captchas and continue to present an effective security response?"
[01:09] <TITLE>
A sample NuCaptcha video captcha challenge appears on screen.
The video captcha with a green textured background reads:
Security Challenge [a set of icons appears here:'reload', questionmark, speaker]
VKN (in red, with each letter turning around its middle point axis)
Type the moving letters: [an input form appears here]
[01:09]
Christopher> So we've created a behavior analysis system.
Christopher> What that does is, we're a cloud-based platform, and as we integrate with our customers, we get behavior information from them of how the user's interacting with the website, what they're doing, and we create a behavior profile and from that we create a risk profile for each user.
Christopher> This correlates to an IP-basis.
[01:30] <TITLE>
Another NuCaptcha example captcha appears on screen.
This captcha is a plain black background, with otherwise similar behavior in the red captcha letters: CKP.
The icons have moved to the right side of the video and a Submit button is present next to the input field.
[01:30]
Christopher> Based on that risk, we will deploy a different security response; In some cases it's a really easy to solve captcha, so it's really focused on usability. In other cases we will present a captcha that is much stronger and that provides a lot more defense against an OCR or software attack.
[01:45]
Christopher> Some of our clients are ad biz, and the social space, O2 - which is a large telecom provider in the U.K. [...]
[01:52] <TITLE>
Another NuCaptcha video captcha appears on screen.
In this captcha, the background is a set of animated figure moving through the picture, such as a man on a bike and a woman jogging, with the letters:
OUTDOORS (in white) SRG (in red)
animating across the picture in a waveform pattern, with the red letters moving as in the other captcha examples.
[01:52]
Re: (Score:2)
QuasiSteve, if you contacted me we might figure out a way to pay you for video transcripts. robin (at or near) roblimo (dit dot) com.
Re: (Score:2)
Re: (Score:2)
This just in: company claims that broken system isn't really broken! Film at 11.
Even if they have patched that vulnerability it will be broken again as is always the case with captchas. The only way to make these things unbreakable is to make them completely impossible for even a human to solve them. Anyone who believes otherwise is an idiot or someone trying to scam you out of money.
Re: (Score:2)
Fun to decode? (Score:5, Interesting)
Looking at the samples on the screen as he was talking, I think those would be fun to write a decoder for... And possibly even easier than image captchas.
Why? Because they're moving, and you have a better chance to figure out the outline of each shape because of it. Also, you can use traditional techniques on each frame of the video and submit the one that has the highest confidence, and you could do that with existing tech.
Honestly, I don't see this being better than what we have.
Re: (Score:2)
These would only be more difficult if you actually change the content over time. From what I've seen, they don't, they merely scroll the words across the screen.
They don't even apply time-varying noise to it, which I don't understand at all. The human visual system is really good at using te
Re: (Score:1)
Re: (Score:2, Interesting)
THIS THIS THIS.
They don't even bother to modify the images as they move.
Moving will give a more static object, more so by it moving frame by frame.
If it was those blurry, pixelized texts flowing over a background, it'd be considerably harder to pick out information, even better if they actually noise up the background as well.
It'd be great if they skewed, stretched and warped the image to certain extents as it moves.
I'd still rather see furry animals on a rug strip and you type the first letter for each an
Re:Fun to decode? (Score:4, Interesting)
They don't even bother to modify the images as they move.
Moving will give a more static object, more so by it moving frame by frame.
If it was those blurry, pixelized texts flowing over a background, it'd be considerably harder to pick out information, even better if they actually noise up the background as well.
It'd be great if they skewed, stretched and warped the image to certain extents as it moves.
A lot of that would be easy to defeat with basic video filtering techniques like noise removal, motion compensation, etc.
Re: (Score:2)
Filter This! [postimage.org]
Re: (Score:2)
Re: (Score:2)
I think that's an artifact of having to make it human-accessible. If you make it too complicated, too many people will complain about how hard they are. If you make them too simple, computers can solve them easily.
Unfortunately, what usually happens is that both of the above are true at the same time, which means there's no good solution there. You either let computers in, or you keep some humans out.
They're also expensive... (Score:5, Interesting)
If you generate them statically (as videos), then all someone has to do is what they're already doing - put up a site with some fake content, and ask users to go through "their" capcha, telling them the human answer to that particular video, and making an index of videos to answers.
If you generate the videos dynamically, well, it won't be very scalable, because it's going to take too much processing time per user. Might work well for occasionally verifying expensive content, and it might be more useful in the future - but networks (at least in the US) take a long time to improve, on the scale of hard drive improvements, so you're bottlenecked there too.
Hybrid tricks (layering static video) end up the same as static with a little analysis.
I'd say this falls in place with automated phonecall techniques as a somewhat expensive and annoying way of verifying 'humanity'.
Ryan Fenton
Does anyone know a good app.. (Score:5, Insightful)
It's getting to the point where I feel like I need an application to read Captchas for me.
Half the time I get them wrong. I swear a computer would HAVE to be better at translating them than me. This video is going to help- but we have to face the fact... EVENTUALLY, no captcha device will be able to block bots but not people.
EVENTUALLY all bots will be better at breaking all captchas than humans will be.
There will probably be a time we look back on the good old days when the internet was usable by humans as a means of communication.
/ Disclaimer: Oswald is an ex-bot who gained near human cognition and intelligence.
Re:Does anyone know a good app.. (Score:5, Interesting)
It's much worse than that. Because the botherders can tolerate a very high failure rate the bots can be much worse than humans and still be effective.
Re:Does anyone know a good app.. (Score:4, Insightful)
or CAPTCHAs that are impossible for a Human to solve but trivial for a computer. so if it passes, it's a computer! :D
Re: (Score:2)
It's getting to the point where I feel like I need an application to read Captchas for me.
Half the time I get them wrong. I swear a computer would HAVE to be better at translating them than me. This video is going to help- but we have to face the fact... EVENTUALLY, no captcha device will be able to block bots but not people.
EVENTUALLY all bots will be better at breaking all captchas than humans will be.
There will probably be a time we look back on the good old days when the internet was usable by humans as a means of communication.
/ Disclaimer: Oswald is an ex-bot who gained near human cognition and intelligence.
What you don't realize is that captchas were designed by Skynet! That's right. The AI is working quickly to try and figure out when a human is using the internet and not a computer. Once the captcha technology is complete, only Skynet computers will be able to enter captchas. That is how they will test to make sure that you are really a human, and can be destroyed.
Re: (Score:1)
Most Captchas that we encounter rely on some form of pattern recognition (whether it's static or dynamic) to work. The computer vision community has been studying (and solving!) related problems for decades and for much more complex tasks. It's sad to see how researchers tend to forget about the past.
I do my PhD research in applying computer vision algorithms to the medical field. You would be amazed to see how trivial these Captcha pattern recognition puzzles are compared to problems like brain template
Re: (Score:2)
I just had this vision of a future where captchas are like:
"We need to verify that you are human. Please violate the Third Law Of Robotics."
Re: (Score:2)
It's getting to the point where I feel like I need an application to read Captchas for me.
Right. ReCaptcha, especially. As book scanning OCR gets better, reCaptcha, which uses OCR rejects, tends to display things which are not words typeable on my keyboard. I've seen ink blots, mathematical formulas, and Cyrillic. If today's OCR systems can't read printed text with context information (adjacent words, what the fonts on the page look like) available, a human probably can't read it without context.
Dialup? (Score:1)
And what about the large portion of the world that is still on dialup?
We developers these days just have no fucking clue. HTTP = hyperTEXT transfer protocol.
Technologies that break the web are useless.
I think we need to start a new internet. One that works.
Mechanical Turk ftw! (Score:1)
No captcha will ever be unbreakable by the mechanical turk.
And what if you're blind? (Score:1)
Going to lock out blind people from the video captcha? Or create an alternative that computers can use too?
Honestly (Score:5, Insightful)
The CAPTCHAs are already so "good", that i get identified as machines 7 times out of 10 :-(.
Re: (Score:2)
I don't get it. You're a machine, right?
Re: (Score:2)
<Robotic Voice>YES, i have been sent here to evaluate human sarcasm thresholds.</Robotic Voice>
Is this going to be flash-dependent? (Score:4, Insightful)
Of course, it may be that this will be deployed on sites where that demographic is not important...
Re: (Score:3, Interesting)
Surprisingly it seems the answer is no.
I was all geared up to give my anti-Flash speech and NuCaptcha stunned me by presenting animated GIFs (a format with a bad history but which is now free).
I'm sure if I start digging I'll find something to dislike (NuCaptcha patenting the idea of moving captchas for example or maybe intentionally holding full copyright on captchas that they aim to embed into as many sites as possible) but the GIFs have put me in such a good mood I'm not going to try.
Well done NuCaptcha
They are all vulnerable to the same method (Score:5, Interesting)
Re: (Score:3)
Bidirectional video captcha (Score:5, Funny)
You all know what is next don't you?
You will need your webcam hooked up- and the captcha will call out directions that you need to perform. It would analyse your movements to prove you understood.
Bow to the camera,
dosey doe,
boot scoot, boot scoot,
"ERROR: You are not a human you did a shuffle step instead of a boot scoot."
Re: (Score:2)
... now take off your shirt ... Yes, that looks pretty human, but I need to see more ... Now show me how you move, graceful or robotic ...
what stops a bot (Score:2)
From just taking a snapshot of the screen and cracking the much simpler static image? That said I'm really hating recaptchas. I've had sites where I had to click next about 10 times to find one that I could figure out what it is AND be able to type it (lots of German, Swedish, greek captchas which I can't be bothered figuring out the key strokes to reproduce). Also philosophically I'm against recaptchas because only half of the crap they want you to type is actually used for security the other half is free
Why are these better than images? (Score:1)
Uhh.. single frame capture? (Score:1)
Just capturing a single frame of the video is all you need to decode it... obvious flaw...
Conceptually good, practically useless.
Funny (Score:2)
I've also lost count of how many times I've had to use the "I'm a blind fucker" audio option because I can never read the damn things.
On top of that, I'd imagine it'd be relatively easy to make a computer recognize simple numbers being spoken.
(In before they start making the voices harder to understand too)
Isn't the moving letters captcha easier to beat? (Score:1)
Wow E can really plow (Score:1)
The first one I got had E giving it to F in the rear like a damned pro. F sure can take that central horizontal protuberance. There was a T watching it all, rocking back and forth. Pretty charged scene, all and all.
Gotta hit refresh. I'm hoping for some lowercase action next.
matter of time (Score:2)
So it's a copy of what I implemented years ago (Score:2)
"A new company called NuCaptcha provides animated video captchas it says are much harder for OCR-based programs to crack than static captchas,"
So, IOW, someone took my idea of using video captchas (flashing scenes from an anime series, which you must identify as the captcha code.)
Bet someone there reads slashdot (as I've mentioned that here many times before) or visits my anime forum.
Captcha crypto (Score:1)
My captcha just as good (Score:2)
With the analysis at
* http://elie.im/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/ [elie.im]
I find my own CAPTCHA is just as good, but at least you get to look at a nice cup of coffee:
* http://stephansmap.org/sign_up [stephansmap.org]
What if they made it (Score:2)
Indians break Captchas for you for 2$ an hour. (Score:2)
Re: (Score:2)
Chinese "human OCRs" are cheaper than Indian ones...
I failed 75% of my last 4 captcha's (Score:2)
Don't think it will get any better with video ..
Better than Captcha's (Score:2)
Re:what is this bullshit slashvertisement? (Score:5, Informative)
Just what I was thinking. There's extra effort required to turn the video into separate frames, and each frame has to be decoded on its own, but as soon as you've got the same result from 2-3 frames, there's your answer. Heck, try the first and last and one or two in the middle, see if they agree. I'd think it would give you a more certain result for the extra effort.
It's extra pain for the end user too, with extra bandwidth required to transmit it. With cell phones having data caps, that's not helpful.
Re:what is this bullshit slashvertisement? (Score:4, Informative)
Exactly what I was going to comment; more frames = more chance for error checking.
I could believe that it takes more cpu power to crack them, since you have to decode the video stream instead of just an image. But harder to crack (as in less accuracy) is pure bullshit.
More frames = easier to be accurate, always has and always will.
Re: (Score:2)
Yes, was my thought, too, when I saw the examples. But I don't think it has to be that way. What if when no single frame contains the whole information? Several dot clouds in each frame, which only make sense in their completes over several frames? Or something like that. I think it might be possible to improve the video captchas without sacrificing too much of their better readability for humans.
Re: (Score:3)
Not only this, You positively can keep the calculated data from one frame and do a differential calculation on the next/prev frame to gain even more data about your objects.
The only captchas that are truly difficult for machines to crack are the ones that require logic deduction:
like "type the last word of this sentence."
Re: (Score:1)
Re: (Score:1)
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Re: (Score:3)
hint: <marquee>BUY COCA COLA XYZZY BUY COCA COLA</marquee>
It's not a captcha product, it's an ad delivery vehicle.
Jesus Christ, don't give Google ideas! They own reCAPTCHA, you know!
Pretty soon we'll be seeing two word advertisements! Then a bunch of morons on twitter will call it "duxvertisements" or something equally retarded and we'll never hear the end of it! AAAAAAAAGHHHHHHH!
Re: (Score:2)
There's a second purpose of reCAPTCHA. There are always two "words." Both are from scanned documentation of some kind. One word is known, and is used as a check to see if you're trying. The other word is unknown, usually a little wonky, and you're being used to help OCR the text for them. The pair of words is checked, and as long as you got the known word right, and gave a try to the second word, you're in good; usually, that is--if they have enough input on the wonkier one, then you're being used to group-
Re: (Score:2)
reCAPTCHA is the worst of them all (owned by the arrogant Google assholes). Is almost impossible to read what's there[...]
I find reCAPTCHA to be one of the easiest captchas to get correct. Sometimes you get an oddball one, but I've never gotten two such in a row. Why all the hate?
Re: (Score:2)
I for one usually have to re-load four times to get one that I think I can read, fail it after all, and have to try again. Maybe you're just lucky or have super-human reading skills.
Re: (Score:2)
I for one usually have to re-load four times to get one that I think I can read, fail it after all, and have to try again.
You do know that you only need to get one of them right, right? And that one is usually pretty easy.
Re: (Score:2)
I just tried to email them at the only address on their site: admin@RingCaptcha.com - to set up an interview.
The email bounced. And their demo didn't work for me in either Chrome or Firefox. These people have a ways to go...
Re: (Score:2)
Even worse if it's a flash one. Why not just GIF?
Re: (Score:1)
When I loaded the demo page with Flash disabled, I saw this [nucaptcha.com]. (The front page does require flash for the video presentation, which isn't terribly surprising.)
Re: (Score:2)
I use flashblock and just got a flashblock logo. When I clicked to allow flash, it gave an error ("could not load movie").
Re: (Score:1)
Apparently whatever script they use to check for Flash can tell that you have Flash installed, but doesn't check to make sure that the Flash plugin was actually able to load, or revert to the gif if it didn't.