

Apple using moving letters as captcha - filleokus
http://www.apple.com/itunes/50-billion-app-countdown/entry-form/

======
nwh
Doesn't this just make the CAPTCHA easier to solve for a bot?

There's 20 frames in each challenge image, 20 different sets of data to
process and compare for a correct result. It's also three letters long.

ED: The form itself is included in an iframe, with the following tag:

        <meta http-equiv="Expires" content="Sat, 1 Apr 2006 23:59:59 GMT">


ED2: The audio CAPTCHA sounds even weaker. You could probably just pipe that
to Google's dictation API and you'd be set.

~~~
joelthelion
It actually makes it a lot easier for humans, while not making it immediately
easier for bots which will need to be tuned to use motion.

Pretty smart.

~~~
lachenmayer
They don't really have to be tuned for motion, you can just consider each
frame individually.

~~~
Retric
With this implementation you don't, but it's not hard to construct it such
that there is no single frame with enough information to construct the whole
message. If you screen capture there are several frames where you really can't
tell what the middle letter is, but it's obvious what the message is.

The real issue is a computer can compare the images individually and combine
them so if it gets 'G_G', 'GF_', and '_FG' it's going to assume 'GFG'.

------
palmr
I tried making an animated gif CAPTCHA a few years back, relying on
persistence of vision (to try and get round the whole screenshot and process
botting issue): <http://sandbox.palmnet.me.uk/gifcaptcha/index.php>

Ended up with roughly 75% correct human responses and 40% correct using a bot.
Which are pretty poor stats for both sides of the equation.

~~~
professorTuring
This looks like a much better idea.

I would continue working on this. I have some feedback to make it harder for
robots and easier for humans. Consider this as some quick ideas that should be
elaborated (and they may be wrong):

- Move the letters in opposite direction to the windows and maybe rotate them
  or make them move inside the canvas.
- Make the windows appear in randomized locations but move them faster.
- Make the blacked part change colors.

I think this is a very, very good way to make a turing test. Congratulations.

~~~
palmr
Cheers for the feedback. I gave up on it quite a while ago but I could revisit
it some time and try out some of your ideas.

The main issue was that some browsers render the frames so slowly it was
almost impossible. Also, while making it slightly harder to crack with a bot
it can be done by merging the frames together and tracking the lightest parts
to find the letters which can then be put through OCR.

Also, while making it harder for bots to crack it also makes it significantly
harder for people to read, especially people without 20/20 vision which is a
major problem.

------
mef
Looks like it's using <http://nucaptcha.com>

~~~
codeka
According to their website[1], it's supposed to be H.264 video, but it's
clearly an animated GIF.

[1]: <http://nucaptcha.com/features/security-features>

~~~
jvzr
Also, this bit: "It's important to note that NuCaptcha is a video stream and
not a Flash program. This is because it is not secure to create a Captcha in
Flash."

Yet, the Click-to-Plugin feature from Chrome says it's Flash. Worst captcha
company ever?

~~~
smackfu
I think the point is that it's not a Flash program that is taking the Captcha
value as input and then animating it, where it would be easy to sniff the
input value. It's a Flash player for a video stream that is generated
externally to the Flash.

------
neya
The signup form looks horrible because they've mixed serif-fonts with a page
with sans-serif fonts. Probably some intern is going to get fired for this...

~~~
tiziano88
I don't see any serif fonts on that page.

~~~
lucb1e
I do. The text above is sans serif, but the form fields are serif. (Chrome @
Windows 7)

~~~
tommorris
Not seeing that on Firefox for OS X: <http://cl.ly/image/3m3j3E061z1F>

~~~
stickydink
Chrome on OS X doesn't like it, at all :(

<http://i.imgur.com/PMcxkDt.png>

------
mmalone
This is the alternative means of entry page for a contest. This isn't even a
page that Apple _wanted_ to build. It's a legal requirement. The CAPTCHA is
provided by a third party. Who knows why it was chosen. I doubt they put a ton
of thought into this page, or the choice of CAPTCHA, if they even built it
themselves at all.

------
jetru
This still doesn't solve one of the big CAPTCHA issues. Do look at this USENIX
paper in [1]. It's still possible to offshore manual CAPTCHA solving to places
with cheap labour at extremely low costs. I don't know how common software
solvers are, but my impression is that the technology there is only so-so.

[1] Re: CAPTCHAs – Understanding CAPTCHA-Solving Services in an Economic
Context
<http://static.usenix.org/events/sec10/tech/full_papers/Motoyama.pdf>

------
woof
Brilliant! The _real_ captcha must be to type "the RED Moving Letters"

~~~
cmircea
Now if it only had some letters in another color...

------
jamescun
It's very possible that the contest is being run by an outside agency and Apple
have been known to proxy in content from the outside agency and display it
inside an IFrame, similar to here.

------
amitdugar
If this gif CAPTCHA system becomes popular, there will be some smart hacker
who will figure out a way to crack this (read first frame, match different
frames etc.)

I wish there was some better CAPTCHA alternative. CAPTCHA can be really
horrible sometimes.

I know some people who close a webpage when they see a CAPTCHA, unless they
have no other option and are forced to fill the form.

~~~
smcl
You don't even need to be a particularly smart hacker. Even just dumping a
screenshot of the page [1] using phantomjs gives you a relatively legible
image.

[1] <http://blog.mclemon.cz/apple-nucaptcha-easy-to-break>

~~~
amitdugar
So apparently reCaptcha is more secure than this one.

From Nucaptcha's website: "...most secure and usable Captcha solution in the
market." :D

------
edemay
Don't forget that if you're using animation and video to design a captcha,
there are a lot of other design options possible: letters appearing one after
the other, going in and out of blur, playing with colors, etc... A lot more
graphical gimmicks can be added while maintaining comprehension for humans,
and hopefully, improving blocking bots.

------
DonnyV
I wonder if creating an animation using canvas would've been better. Then the
only way to crack it would be to bring the whole page in memory, take a
screenshot and then OCR only the spot the canvas is in. If you made the
animation move around also then I don't think anyone would bother trying to
crack it.

~~~
Achshar
Manipulating canvas requires javascript. It's probably not a good idea to give
out value to captcha via js. Although modern browsers are very strict with who
can access what js scope.

------
canthonytucci
I read that checkbox at the bottom as "I have agreed to all 50 billion of the
rules for this contest"

------
ds9
I know I'm not the only one who turns off gif animation in browser options.
Lots of people can't read text if something is moving on the page. It's going
to be a big hassle to turn it on for certain sites, then off again after the
CAPTCHA, if this catches on.

------
jpalomaki
Maybe it is enough to just try something different? Certainly somebody can
break this, but if it's something new, it requires some effort. Compare that to
some well-known captcha system which you can break for something $2 per
thousand captchas.

------
vacri
Ironically it's only shown if you allow javascript from "mzstatic".

~~~
dpcx
mzstatic.com is one of Apple's "CDN" domains.

------
fla
It's also available as an mp4 video if you remove the type=GIF param

------
andyhmltn
They can just take a screenshot and analyse it that way.

------
Y0L0
An animated gif you mean?

