>>872342
Easy. With JS you can use event listeners that fire off everytime the mouse moves (or other events like keys ;). This is the premise of the new invisible captcha that's being test-driven on 4chan.
>>872327
You can, it just requires more time and R&D to figure out tricks in CSS/HTML/browsers. JS works extremely well because browser developers regularly forsake security for "features." If you need evidence, the most notable is the mozilla mailing list archives for the "window.navigator" feature and their reactions to users "breaking" its functionality (see: evading spyware).
>>872346
Not when you have a larger dataset than bots. Gulug has the benefit of millions of mouse movement combinations to test against for all valid variations, and then fallback onto image captcha when unsure (which also tests for mouse movements -- for a neat trick, use a chinese IP to search through YouTube videos. When you get captacha'd out and two minutes in you're still clicking through images but getting "invalid," shake your mouse furiously and the next set will pass without any issue). Perfectly emulate is an overstatement. There's a lot of nuance in human movement, and it mostly just looks for averages (which is hard to do without a large and diverse enough dataset).
>>872349
Visual recognition is not the main use anymore. They've mostly exhausted its use, and I believe there is now some other reason at the forefront (besides the aforementioned fallback).
>>??????
There was someone that mentioned obfuscated code, but I can't find your post. So I will reply generally, check these two pieces out. The smallest, is the inline captcha code, and the larger is the "actual" captacha code (which isn't even the full code, the juicy stuff is phoned in).
https://hastebin.com/kakotoyafo.js
https://hastebin.com/unaxucojix.js
A good place to start is to search for mouse and http.
>>872334
Ah, one from the other side! I was working on a team developing a privacy project in this space. We were modifying the Mozilla browser (extensively I might add. So much so you can hardly call it Firefox or any of its derivatives) into a browser that mimics the Win10 Chrome profile. Not just the useragent, which is the most common one used, but also intercepting JS calls (any thing that could be sent back to the server had to be verified client-side and craftily distorted to maintain functionality, while still retaining anonymity), hardware test spoofing (think graphics and processors). We got very good results. Because we didn't just rely on noscript, we could maintain a useable browser for web 3.0, but also trick the trackers into thinking we were .163-.308 SD from the mean. One of the things I was surprised was that not having javascript was a common browser characteristic. I'm not sure this is entirely true (may be a trick!), but we tested flawlessly on all publicly available fingerprinting and tracking services (profiles had to be maintained for anything with cookies and logins, and IPs had to be constantly managed), and some of the commercial tools our devs had access to. In the end, we couldn't do anything with it but sell it TO the companies we were trying to evade. Very few people care enough about security as it is, and the ones that do, will likely not pay enough to make constant development profitable. Oh well, now I'm an owner of an over-glorified distribution platform which pays much better, and doesn't bring with it paranoia!
Besides for a bit of melodramatic scaremongering, the facts are spot on. These utilities are extremely powerful and can be used to do terrible things. However, most who have relatively indiscriminate access to them, are not the ones who have the time, or inclination, to think too deeply on their uses. Governments and corporations do a lot of harm, imagine if they were smart too!