How does the new reCAPTCHA work?

[Rakehellion]

You just click a box and you're not a robot? Seems like this would be easier to defeat than the old system.

http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html

 

[bzb_Elder]

I realize this post is old, but I need to up my post count so I can access the FS/T forum. With that said, from what I've read on this new captcha system, among other things, it tracks mouse (cursor) movement. Interesting stuff. Not foolproof in any way, but it shows that someone at Google has been thinking outside the box.

 

[Markbnj]

I realize this post is old, but I need to up my post count so I can access the FS/T forum. With that said, from what I've read on this new captcha system, among other things, it tracks mouse (cursor) movement. Interesting stuff. Not foolproof in any way, but it shows that someone at Google has been thinking outside the box.

Haha, well, I guess points for the most honest neff ever.

 

[Ken g6]

I saw more details in [thread=2414287]an off-topic thread[/thread]. At the time I didn't think it was worth bumping this post to link to it, since the OP asked the same question there.

but it shows that someone at Google has been thinking outside the box.

Actually, that's one question I have. Does it measure the mouse cursor only inside its "box" (iframe) or outside it as well? Seems like the one would be a security risk, but the other might not be enough measurement.

P.S. I'm not counting this as a nef because it actually has useful content.

 

[Crusty]

I saw more details in [thread=2414287]an off-topic thread[/thread]. At the time I didn't think it was worth bumping this post to link to it, since the OP asked the same question there.



Actually, that's one question I have. Does it measure the mouse cursor only inside its "box" (iframe) or outside it as well? Seems like the one would be a security risk, but the other might not be enough measurement.

P.S. I'm not counting this as a nef because it actually has useful content.

Just guessing but I'm betting it's a combination of sending your tracking cookie when you load the iframe and them recording your mouse inputs over time throughout various sites that use google analytics. But if you block GA with something like Adblock then they might track your mouse directly on the iframe.

If you're responding to their tracking requests across the intertubes then they most definitely know if you are a robot or not.

 

[bzb_Elder]

P.S. I'm not counting this as a nef because it actually has useful content.

- Thank you.

I would presume they've combined many different layers of verification - previous GA sites, cookies (browser history), cursor starting position, cursor movement, cursor speed, etc. Javascript can detect the cursor position within the context of the browser window, so I would think that should be sufficient for movement analysis.

On the other hand, javascript can also be used to manipulate the cursor, so I wonder how long it will take for the spammers to find a way around the new system.

 

[beginner99]

I assume they use some machine learning technique and can predict in tiny, not noticeable movements that the mouse operator is human. Further assumption is that it is non trivial to mimic such human behavior in a robot. The robot would go to the check boxes in a straight line. You would have to add a tiny randomness but the prediction engine probably will realize it's just random and hence not human.

 

[Ken g6]

Seems like there should be a way to mimic human mouse motion.

Just guessing but I'm betting it's a combination of sending your tracking cookie when you load the iframe and them recording your mouse inputs over time throughout various sites that use google analytics.

But I think tracking across multiple sites would be a game changer in determining who's human. In a kind of big-brother-y dystopian way. :\

 

[sm625]

If you give permission for your mouse then you're probably going to end up giving away permissions on your keyboard as well. Wouldnt google just love to have all its users willingly installing keyloggers for them. All for what? To slow down spam bots for about two weeks until they are all updated with better ai? It's funny how the rights you give away are always permanent, whilethe benefits are only temporary.

 

[Rakehellion]

Seems like there should be a way to mimic human mouse motion.

There is. Just like there'sa way to mimic human optical character recognition. But solving such a problem is nontrivial.

 

[Rakehellion]

If you give permission for your mouse then you're probably going to end up giving away permissions on your keyboard as well. Wouldnt google just love to have all its users willingly installing keyloggers for them. All for what? To slow down spam bots for about two weeks until they are all updated with better ai? It's funny how the rights you give away are always permanent, whilethe benefits are only temporary.

Any website you visit can access your keyboard, mouse, and plenty more. This is nothing new.

 

[Cogman]

It works because google is tracking a whole crapload of information about its users. So much so that they can pretty reasonably deduce whether or not someone is a bot.

This is what the new recaptcha is about. Google pretty reasonably knows who the bots are, for them they give hard tests to pass that are merely annoying to humans.

For the humans that they are reasonably confident are not bots, the tests get easier (while staying hard enough that a fly by night bot can't simply come in and mess things up).

They are tracking a lot of stuff, so if a bot suddenly starts making rapid requests to recaptchas they can pretty quickly flag it as a bot and start pushing harder and harder questions until the bot starts failing.

I don't know if they are going so far as tracking mouse and keyboard stuff. I honestly don't think they need to. They have enough data from just watching when, where, and how fast a user is browsing the web to be able to accurately determine if they are a bot or not.

 

[Spungo]

I realize this post is old, but I need to up my post count so I can access the FS/T forum. With that said, from what I've read on this new captcha system, among other things, it tracks mouse (cursor) movement. Interesting stuff. Not foolproof in any way, but it shows that someone at Google has been thinking outside the box.

Interesting. That's also the way World of Warcraft would detect bots. I don't know the details of how it works, but bots have a very predictable way of moving. They tend to rotate at a fixed speed, their motion is very strange, and they don't jump around like retards. My friend showed me an interesting thing about this. If you ran forward, jumped, and did a 180 turn in the air, it would immediately disconnect you.

 

[MrDudeMan]

Interesting. That's also the way World of Warcraft would detect bots. I don't know the details of how it works, but bots have a very predictable way of moving. They tend to rotate at a fixed speed, their motion is very strange, and they don't jump around like retards. My friend showed me an interesting thing about this. If you ran forward, jumped, and did a 180 turn in the air, it would immediately disconnect you.

I've been botting in WoW for many years and I've never been disconnected for anything like that. The bot detection in WoW pretty much doesn't work like anything your post describes.

 

[disappoint]

Seems like there should be a way to mimic human mouse motion.

Of course there is. Just record human movement and replay it.

But I think tracking across multiple sites would be a game changer in determining who's human. In a kind of big-brother-y dystopian way. :\

Agreed.