I’ve had a number of reCAPTCHA incidents where I could not pass the test for tens of images, it was a very frustrating experience. Please do not use reCAPTCHA.
The items one is supposed to select often overlap the grids, so it becomes a kind of Keynesian Beauty Contest[1] at that point; I assume they validate based on how much in alignment you are with previous answers, so it becomes a problem of “What nearby grids would a person reasonably select when there’s overlap”, or, you’re tasked at selecting <some_item> and you see <some_item> in the distant background of the image you’re supposed to classify and you need to determine “How visible would <some_item> need to be for a reasonable person to classify <some_item> as being in this image”.
On top of this, when you’re clicking through image after image after image, the additional frustrating thing is that you’re helping train their algorithms; you’re doing work because their service isn’t smart enough to know you’re human, or, you’re seen as a marginal customer they can piss off by forcing you to work for them for free.
It’s a frustrating experience when it fails, and my current strategy is to leave the website when the ‘I’m not a robot’ checkbox fails.
You’re overthinking it. I have had a similar experience. The worst were the “stop light” questions. Does it mean the pole, the light, the tiny corner overlapping another square? I used to try to include everything as it was technically true. Very frustrating – until I finally started to not care. Click on the most obvious pictures. Click click click. Done. Get it wrong? Click click click on the next one. Way faster with a much better success rate doing so. It usually only takes a couple of tries now.
Maybe a cultural thing? For me, "you're over thinking it" is a familiar/friendly way of expressing an idea, similar to how you would approach a friend. It was not intended to be dismissive.
you are right. it is a cultural thing. that being said, the advice is sound. the internet is a mishmash of cultures :)
if i would bring my culture to the internet, everyone would think i'm troll or horrible person. just because ppl from my culture are a bit direct and cynical :D if you'd like people to respect and take into account your culture it's good to do vice versa.
That would only work if everyone who got the same image gave the same wrong answer. Otherwise, the system just keeps sending the same image to more random people until it's satisfied with the consensus. Also, it keeps sending YOU more random images if you obviously don't comply with previously observed consensus.
reCAPTCHA is horrible. I am almost certain that some tests are intentionally marked as failed even if they are correct, simply so they can get more training in. And if you take any anonymizing measures, reCAPTCHA makes much of the web nigh impossible to use.
It's easily the worst UX I encounter online. I can't describe the relief I feel when I come across a "normal" CAPTCHA. It's coming to the point that if I could pay a few cents to outsource every reCAPTCHA, I gladly would simply to avoid this atrocity.
The tests are often poorly defined. I've been caught in reCAPTCHA hell a few times (but not recently), and it's often the case that I'm guessing... is this a bus? I'm not sure.
It's interesting to find out that this might have nothing to do with my ability or inability to recognize objects in blurry photos.
Are reCAPTCHA images used to train or classify data like Mechanical Turk? I thought at one point the word ones were used that way and was a major incentive for their usage.
Original reCAPTCHA images were used to transcribe text for Google Books, and later to transcribe house numbers for Google Street View.
I don't think Google's publicly said what they do with any data derived from the new "I'm not a robot" reCAPTCHA, but, given the content it usually uses, it seems likely that they're still using it for image classification in Street View, or for their self-driving car projects.
Lately I've been getting reCAPTCHA prompts all the time even though I'm not browsing in incognito mode and haven't cleared cookies. All I'm doing is running a very basic ad blocker, using Safari (which blocks third-party tracking), and very rarely loading a Google site. The most interaction I have with Google is when I end up having to use my corporate Google account as SSO for some other site.
Given that I'm not doing anything unusual, it really feels to me like reCAPTCHA, for all its complexity, boils down to "what's your history using Google software? Oh you rarely use it? I'm gonna give you a captcha". It didn't used to be this aggressive, but it's really ramped up in the past few weeks.
I recently replaced a bunch of securimage captchas with reCAPTCHA v2. During testing I had to shut it off because it became increasingly more complicated every page reload. First it was just one page of traffic lights, but 20 minutes later I was having to click through 5-6 pages of images. This worries me that user's might get pissed off. I'd really like to know if I've made life harder for my users in an attempt to stop the spam from the horribly broken securimage captcha.
I cancelled and deleted my Spotify account because of that. Now any site that asks me to fill a Google recaptcha is met with a swift click on the Back button.
Really? You gave up one of the best streaming music services because you had to use a captcha every now and then? Huh. Good data point. But you're probably not our target audience if you give up that easy, we sell engineering tools for solving difficult problems.
> During testing I had to shut it off because it became increasingly more complicated every page reload. First it was just one page of traffic lights, but 20 minutes later I was having to click through 5-6 pages of images. This worries me that user's might get pissed off.
Why are you now badmouthing someone else for deleting Spotify over this exact same issue?
Anecdotally, I've gotten way more reCAPTCHA prompts since disabling third-party cookies and installing Cookie AutoDelete, so I suspect you are correct.
What's their solution for any other website? It seems like they'd have a very difficult time accessing ANY site.
In a quick search it seems like NoCaptcha is the accessible answer for the issues with regular Captchas. For the most part it seems to work, most of the complaints here seem to stem from people trying to actively block some of the evaluation metrics used by the checkbox (cookies,javascript,user strings,fingerprinting,etc) which makes them look very different from normal traffic which kind of by necessity makes them look a lot more like bots.
>which makes them look very different from normal traffic which kind of by necessity makes them look a lot more like bots.
But if they are doing so because they are disabled, and the difference means they receive a worse experience, may result in an ADA complaint (especially if a government service falling under section 508 is involved).
Nonono, disabled people might be barred from using a service because of excessive recaptcha. That's what he means. I also think he really meant CVAA rather than ADA though.
That only really leaves blind deaf people out, at which point we might be reaching the limits of any technology to provide access to everyone without a tooooon of work.
Yeah but most people won't trigger that. Seems like most of the complaints here about triggering it often are from people who are blocking js/cookies/randomizing user strings. The NoCaptcha check box itself is better than the old system where everyone had to do the Captcha at least.
It happens to me occasionally and I am basically blacklisted from the internet. I have to solve 5 in a row and if I screw up its idea of what a streetsign is, I have to start over. It has made me cut out usage of most sites that use this broken and abusive tech. Welcome to the digital ghetto.
I have noticed this too. I've switched to DuckDuckGo for everything and I haven't changed my habits. Started getting more captchas a couple weeks ago and I know I answered several of them correctly (I'd get tested 3 times in a row).
It is also plausible that because google analytics runs on so many sites that they could do something shady like put you in a pester segment if they see you coming from duckduckgo to other sites frequently. It is not hard to imaging using Recaptcha as a nuisance against other search traffic providers.
I doubt that many people would make a connection between their search engine and seeing captchas on other sites. So limited gain for, if anything, many unnecessary complaints.
This is why I love container tabs in Firefox. I like putting all of the recaptcha stuff in one container so it can't snoop on my other stuff (I'm too lazy to look into what it's doing with cookies and whatnot).
It'd be a good strategy if we were aiming for a totalitarian Google-sponsored police state..
Making (online or offline) life more difficult for people who don't want to use company X products could escalate to the point where you either accept the yoke and are admitted to the walled garden of "society" which company X has firmly cemented themselves under -- or you say no and find yourself unable to drive/fly/get a job/go to college/buy groceries in your town. It sounds like a big leap to make right now, but is a real possibility if Amazon/Google/FB don't get broken up soon.
Using a verified human Google history to allow people who would otherwise be flagged as potentially a bot to skip the CAPTCHA is justifiable. Setting up your reCAPTCHA such that the lack of a verified Google history is used as a "probably bot" signal is really quite awful.
This is likely due to the new canvas fingerprinting protections introduced in iOS 12 and Safari for Mojave. Google's NHT analyzers probably don't take well to these measures that attempt to defeat canvas fingerprinting.
Same here. I have an alternative browser with no ad blocker, no tracking blocker, and sometimes I just copy the website from Safari to that other browser to avoid CAPTCHA.
Sometime ago we have a provider that give us everyday different IP. Some days we just were not able to do anything without captcha. It seems that some IP addresses were in some sort of spam base
Slightly related, but I have a fun conspiracy to share:
I'm convinced that part of the reason Google released headless Chrome is as a honeypot for bot authors to use. The idea is that instead of going through the effort of fingerprinting and identifying new bot software, release something that bot authors will use instead that you have a capability to detect.
Somewhere inside of headless Chrome, there's one or more subtle changes that make it so Google can detect whether you're using headless Chrome or normal Chrome. There's no limit to how subtle the indicator could be - maybe headless Chrome renders certain CSS elements slightly slower than normal Chrome, etc.
It sounds pretty crazy/complicated but I could definitely see it being worth it if it means detecting $X,000,000 worth of ad fraud every year
It's actually not that complicated. Most headless browser drivers have some global JavaScript functions in the `window` namespace that immediately identify themselves.
I once ran into a piece of code from the scammy advertising world that tried to redirect users to a phishing site. They cleverly tried to hide themselves from the automated quality checks some ad networks do, by checking for these functions and appearing benign if they saw them. One of the checks even created an exception and then inspected the stack trace for certain flags that apparently are only there on some type of headless browser. Clever!
Most modern credential stuffers use headless browsers with all the bells and whistles, html5, javascript, etc.
Login attempts are usually spread over a massive botnet of residential IPs as well, where they'll only use each IP for one or two login attempts before moving on to the next.
Does it mean that you're breaking the experience for users who deliberately disable js by default? Can I ask you not to do that? Modern web is unusable if you let js on any webpage
Every time I fill one of these out I get the picture test, and I answer them correctly...but am asked 3-5 times to identify which blocks contain a school bus or stop light. It's very annoying.
I think it's speculated that you're recorded as being a useful classifier if you answer correctly on initial test captchas, so you get given Google's datasets for machine learning. It would explain why you get picture tests even after you should definitely pass the check.
In a parallel universe of fluffy niceness we willingly provide our help and in that way we get all those old books converted to ASCII and available for us to read online. Our efforts are for the good of mankind. Similarly with the newer challenges, we help the maps be up to date and again this is for the good of mankind and those needing help getting around.
Clearly this doesn't work in an era where the 'don't be evil' mantra is long forgotten and people only see Google as some advertiser friendly capitalist monopolist beast.
Google need to work on their relationship with their customers, to be a benevolent dictatorship of sorts. They are lousy at customer service and there are other pain points that they are ignorant to. I don't see how this helps.
By offering a free service to website operators that mitigates the ever-growing challenge of abuse on the internet that they and their users have to deal with.
At SerpApi.com, we built a bot to check these boxes and an AI to solve the actual CAPTCHA.
Checking the box is actually not that hard. There is no advanced measurements of your mouse and touch speed. This is an Internet myth. It's more a game of cookies, making them age well, and having an organic set of headers.
The misconceptions about nonhuman/invalid traffic (NHT) seem like a problem brewing. There's an arms race between the NHT guys (e.g. ad fraud networks) and the guys trying to detect it (e.g. ad providers). Meanwhile, a lot of people are using analytics to inform decision making assuming most traffic is legitimate (e.g. news organizations, anyone doing A/B testing). The guys naively using analytics with weak feature detection may be totally unprepared to deal with nonhuman traffic from repurposed networks which have been optimized to defeat the more advanced countermeasures =/
My first thought as well, looks like the business is 100% based on breaking TOS.
From their site:
Is scraping legal?
In the United States, scraping public resources falls under the Fair Use doctrine, and is protected by the First Amendment. See the LinkedIn Vs. hiQ scraper ruling for more information. This does not constitute legal advice, and you should seek the counsel of an attorney on your specific matter to comply with the laws in your jurisdiction.
ROFL, I guess if you are able to ignore the layers of other issues TOS, breaking of technology to specifically exclude your use case, etc and are only willing to apply some very tangential case law against your reasoning it is "legal".
Isn't this a typical Quora answer? Full of filler and shitty hard-to-verify details that provide no value to the answer ("the language is encrypted twice", what the hell), and very little effort on answering the actual question (what is the purpose of CAPTCHA).
And the community rules try to block people from writing firm "you're full of shit"-like answers, even though every other answer of Quora is full of lies like "Linux is fast, because it was designed for 16-bit computers".
I had my “wow” this place might not be that good experience with Quora yesterday when I was trying to google evaluate AWS workmail.
Quite a lot of the “extremely good looking” answers on Quora straight up said that you couldn’t do e-mail in AWS. These were answers from after workmail was a thing by the way.
So I started looking at other Quora answers on stuff I wouldn’t normally need an answer for, and it’s frighteningly how often completely wrong answers look correct.
Don’t get me wrong, there is a lot of truly amazing answers as well, and it’s entirely possible that I just suck at it, but I don’t think I can always tell the amazing answer from the completely wrong one.
My experience with Quora has been that more often than not the older the answer, the better it is. I find that answers in history, are often better than in tech. It always seems like the community that initially built Quora, stopped building it further several years ago and now it's floating out in space Wile E. Coyote style.
Quora went significantly downhill a few years back. It was a combination of hordes of new users, bad moderation, and bad incentives (order in which answers get shown etc).
I was going to say the same. I don't use Quora at the moment but when I did, I'd be more interested in subjective questions (history, geographical - ie. travel etc., and more philosophical questions) rather than objective and technical questions (and answers) as I've found many of them to be simply untrue.
I looked at that and it’s pretty nifty. It actually looks like google did encrypt the client side code and implement their own JavaScript VM and that the decryption key for the source is based on variables inside the VM during execution (some kind of state) in some way and other properties from the webpage (css is mentioned). It all falls into the realm of obfuscation.
Mobile device movement variability (IMU, compass, soft vs hard press, and so on) and mouse movement variability are relatively analogous, and both can be measured and analyzed in very similar ways.
It also links to a patent describing a novel mobile captcha invented by the author, so they might have some knowledge about the domain.
> And the community rules try to block people from writing firm "you're full of shit"
That's what you get when you value niceness over competence. Just look at any typical discussion of "Linus' rants" here on HN - people (or, I must clarify, americans) seem to care more about whether you hurt someone's feelings rather than if you're right or not.
I don't know a better environment for professional bullshitters to thrive.
It absolutely is. By appealing to nicety, you can screw people over subtly enough that it doesn't register to observers as offense, and then act offended yourself when you get pushback.
You can also add in some fundamental attribution error, as in "I am just looking out for everyone. You are being difficult. They are engaging in bad faith."
The box has made browsing using TOR insufferable! It fusses and makes me click storefronts and traffic lights until I run out of patience and close out of whatever webpage I was trying to visit. I assume it has to do with a lack of Google cookies on the browser, essentially punishing me for trying to protect my privacy.
This might surprise you, but it actually has to do with what traffic coming out of TOR looks like. Well in excess of 90% of traffic coming out of TOR is spam, bots, malicious, or some combination!
Google isn't going out of their way to punish you for trying to protect your privacy. They're trying to stop unwanted traffic. By unfortunate happenstance, you appear to be disguising yourself in the exact same way a shocking amount of bad traffic is.
I use Firefox with a few basic extensions (Privacy badger, uBlock, Google Container) yet every time I am presented with having to pick out traffic lights over and over and over again. I usually have about 5 or 6 "challenges" before I give up and use another site.
My timezone has not changed, my IP address and rough location has not changed, my screensize has not changed, my broadband speed has not changed, and my general computer dexterity has not changed, yet I am relentlessly targeted. On chrome I never saw these challenges, but on firefox with the privacy plug-ins I am always always always challenged.
At this stage I think the only signal it is using is "is there a google cookie in this browser? and if so has the google cookie got some 'normal' looking activity logged against it?" I.e. they are checking their server-side logs for a given cookie ID and seeing if that looks normal or not (i.e. seen on google search, seen on youtube, seen ads from a variety of third parties on various different sites, mixed up with time of day and speed of viewing etc etc).
Since I have got Google in a container in Firefox, I am guessing that my google cookie is not present when the captcha loads (due to the containers and privacy badger et al) so there is no identity back in the mothership to compare me against.
captcha is google master blow against ad blockers.
a regular user, who they have all the info, give them dollars per ad impression. You, with your doNotTrack (ha! that was a joke) and privacy addons makes them only cents per ad impressions.
you are google's enemy. remember this when you get stuck in captcha hell (and consequently censored from most sites until changing device/ip)
I think quora over states what Google looks at by a wide margin, just try to access a captcha in incognito, they won't have access to as much info as they do on you and yet you're still presented with the same level of captcha (if not more of them, which is to be expected)
Sometimes just checking the checkbox is enough. Sometimes you need to identify cars and store fronts. I think the better Google knows who you are, the more likely just the checkbox is going to be enough. If you go incognito, you have to train their neural nets, if you give up your privacy, you get in for free.
The clever part from Google's perspective is that you have to trade one of these things to Google in order to get access to sites that do not belong to Google at all. Google convinced site owners to have their users pay a tax to Google.
There are many services out there that can solve Google's recaptcha for fraction's of a penny. When someone puts one up, they can make things more expensive, and perhaps sometimes uneconomical, but in general, the cost is low (~$2.00 for 1,000 recaptchas).
When someone uses a recaptcha, they should think about why they are doing so. It's one thing to use it to save a business model, but it's another to use it to protect information that should be free anyway. The elephant in the room is government data. Many government agencies think that selling their data can be a nice source of side revenue, and a recaptcha is a good way of enforcing it. In reality, they just increase the costs for everyone, and those with means can obtain the information while those without means cannot.
Governments need to release their data, freely, without captchas or fees for single users and bulk users, no exceptions.
I've actually been pleasantly surprised at how much data /is/ available, and how much of it is available through common formats like Socrata Open Data API (for use with tools like https://github.com/xmunoz/sodapy)
The counter argument is that they do a great job with trivial stuff like registered dog's names, and less well with sensitive/important issues like policing.
What's the right way to leverage the platform developed for the first into the second?
Totally agree. Fortunately the Dutch government is trying to make as much data open as they reasonably can, and regularly organise events to encourage developers to use their open APIs.
> My timezone has not changed, my IP address and rough location has not changed, my screensize has not changed, my broadband speed has not changed, and my general computer dexterity has not changed, yet I am relentlessly targeted. On chrome I never saw these challenges, but on firefox with the privacy plug-ins I am always always always challenged.
That's because Google isn't just profiling "Tor users". They're going after anyone who values privacy in any way or technology.
Simply put, you're being punished for ensuring privacy. And anybody who uses Google's captcha services is an accessory to that.
I think that Google is more than happy to punish people for protecting their privacy. That may or may not be the main goal, but it doesn't appear to be something Google considers a downside.
I use chrome with Privacy Badger + uBlock Origin and I have to solve the CAPTCHAs every single fucking time. I even have to solve them multiple times. At this point I just leave a page if they have one of those captchas.
>This might surprise you, but it actually has to do with what traffic coming out of TOR looks like.
That's a massive load of bullshit. Google has a captcha challenge that only humans can solve. That alone is already sufficient to prevent unwanted traffic. That is how every captcha system works. However google is an exception. If you're logged in to a google account or are using chrome then google can use that information to track your captcha history. Privacy minded people avoid google like the plague and therefore they cannot be tracked.
>Google isn't going out of their way to punish you for trying to protect your privacy.
Except this is exactly what happens. It's not "unfortunate". It works like this by design.
If google cannot track you then the captcha will force you to do something that no other captcha system does: give you even more challenges even if you have solved them correctly. You will spend the next 5 minutes solving captchas correctly and then at the end it will tell you you've failed. This again is unique to google: correct answers lead to failure. The problem immediately goes away if you let google track you, it doesn't matter how bot infested the network is. No other captcha system does it this way.
Google is clearly doing this to get free labour to label their datasets, force people to have a google account and encourage them to use chrome.
If you are using TOR, and not accepting cookies, they are going to have no way of knowing that you are the same user who just solved the CAPTCHA. Every request is going to appear to be from a new user.
If you do everything you can to prevent google from knowing who you are, don't be surprised when they behave like they don't know who you are.
A botnet doesn't need Tor in the first place. And you can limit the use of a single captcha solution. It's not much different from the problem of a legitimate google account being borrowed by a bot.
It punishes humans more than computers because computers are more efficient multitaskers. A computer can find a productive way to use the second between each tile fade in, but a human has no realistic way to productively use that second. The human sits there staring at the screen waiting, while the captcha-solving computer does other things (perhaps solve other captchas given to it through other connections.)
Slight nitpick but past captcha successes are a characteristic of cyborg accounts, which still act as a bot most of the time.
A lot of the behavior that captcha exhibits is in part a function of feature analysis from ML models - features that may seem ridiculous to layman humans but make sense to a neural net plugged into the data.
> That's a massive load of bullshit. Google has a captcha challenge that only humans can solve. That alone is already sufficient to prevent unwanted traffic.
It's not bullshit, it just depends whether your website is being targeted directly or not. We're targeted directly and the robots hitting us are getting the CAPTCHAs solved, presumably with human help.
I think you are partially wrong. Maybe Google is not doing this intentionally but it also doesn't happen just because traffic is coming out of a tor node. I am using ff with some of the recommended extensions from https://www.privacytools.io/ and I get to fill in traffic signs all the time. And yes I am logged into Google.
I think what OP is talking about is Cloudflare not Google's decision. Google provides the CATCHPA API but Cloudflare decides to flag nearly all Tor traffic and make it go through the CATCHPA.
In the case of Cloudflare specifically, they support Privacy Pass[0], an extension that allows solving one captcha to allow you through to multiple sites without de-anonymizing or reducing the security properties that tor provides.
Cloudflare is a good actor, they offer the PrivacyPass extension that basically generates 30 auth tokens from one CAPTCHA challenge and then uses those until it needs new tokens. Sadly the overwhelming majority of sites doesn't use CAPTCHA through CloudFlare but directly through Google, rendering PrivacyPass moot.
Cloudflare is not a good actor in this, they have shown that they do not care about encryption (allowing non-https backends while showing https to the end user) and embedding trackers in verification pages (the CAPTCHAs on random pages).
Cloudflare is the scum of the internet. They've put a crazy amount of effort towards making wide swathes of the internet unusable for people trying to protect their identity and privacy. I wouldn't trust their implementation of Privacy Pass.
Sigh. We changed this so long ago yet people repeat this over and over again. Do you use the Tor Browser? Please show me a site on Cloudflare which uses CAPTCHA on Tor.
I don't know about TOR, but a couple of years ago we had a site on Cloudflare that had the CAPTCHA come up for visitors from mainland China - where the great firewall blocked the requests to Google. Chinese users were effectively locked out. We contacted Cloudflare about this and got dismissive replies.
I ended up removing a chrome extension that randomises user-agents because of this. It dramatically cut down google captchas.
Another thing that sets it off is virtual machine usage, I can be logged into chrome and gmail on the same residential IP for hours but the moment I try to search google for a problem inside a VM it's a minute of slow loading captchas.
Have moved to bing instead, that sort of wasted productivity is a burden.
This. The reality is, Google (and Cloudflare, and everyone else trying to block scrapers and malicious traffic) use heuristics that boil down to "99% of our traffic behaves like this". If you go out of your way to fall into the 1%, e.g. using Tor, disabling Javascript, randomizing your user-agent, etc., you're going to get CAPTCHAed.
Yeah, blending in seems to work better in many cases. Remember the guy who sent a bomb threat over TOR? The only reason he was caught so quickly was because he's the only person on the organisation's network to have accessed TOR before the incident.
> Google isn't going out of their way to punish you for trying to protect your privacy. They're trying to stop unwanted traffic. By unfortunate happenstance, (...)
This does not agree with my experience. I browse without cookies and severely limited javascript (using umatrix), and I also encounter the myriad of ridiculous inconveniences that the OP was referring to. On the good side, however, the web is much faster and generally less annoying.
> I browse without cookies and severely limited javascript (using umatrix), and I also encounter the myriad of ridiculous inconveniences that the OP was referring to.
Isn't this also something that many bots do (don't run javascript and don't have realistic cookies)? It seems like just another instance of reducing your distance from the "bot" cluster in agent-space.
As a webmaster I can confirm that I hard block all TOR traffic for this exact reason. 90% of this traffic is malicious robotic junk of some form.
Also, I’m just not interested in the remaining 10% "legit" traffic from people who are aggressively paranoid about their privacy. Almost all of them ended up being dickheads who were using TOR to abuse other members of our community.
To the people who think every website should treat TOR users with respect, please understand that you are intentionally making yourself indistinguishable from the mountain of robotic junk, abuse and human dickheads. It's not my fault that you have chosen to do this, and it's not my job to provide you with tools to prove you're not a dickhead.
To the people voting me down, please understand that I am relaying factual information about my specific experience as webmaster of various large-ish regional websites. If you don't like the facts, voting them down won't change them.
Google seems to do the same even if you check the box while in an incognito window; I doubt the issue is TOR itself, but rather the lack of tracking data that Google has on that particular session.
Have you used Captcha on TOR? It really does feels like they're trying to punish you. They give you about 4 pages of "identify the traffic light", all of which are difficult for humans, then reject and give you another 4 pages. Or that thing where it fades out for about 7 seconds before you click the next image, and then wait another 7 seconds.
If Google wants to do that, that’s their prerogative. What pisses me off is when a bank or similar “secure” type of service forces me to train Google’s ML models in order to access my stuff. I didn’t agree to provide unpaid labor to Google.
This is a horrible argument. What gave Google the right to be the moral authority of the internet (we, we did)? Even if 99% of exits from tor nodes are malicious, Google should have absolutely no capability to throttle this traffic. Unless you claim most of the traffic in tor are from bots, your argument doesn't make any sense. Captchas serve 2 purposes: slowing down bots, annoying humans. By putting captcha to tor exits, Google not only slows down miniscule amount of bots, but also annoys human traffic (good or bad). It is by no means a "good" thing that Google is capable of this.
I have exactly the same experience without using Tor, living in Germany...
I personally don't care too much about the hassle, but I really don't like the idea that I'm basically playing Artificial "Intelligence"/doing clickworking for the not so community oriented efforts of Google.
> On the other hand, anonymity is also something that provides value to online attackers. Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.
The obvious caveats apply, of course. It's completely possible what Cloudflare saw at the time is no longer true and TOR is no longer mostly spam. It's equally fully possible that the traffic Cloudflare sees is wildly unrepresentative of what TOR traffic actually looks like, and it's mostly people worried about their privacy. This is just the data we have at the moment.
A small percentage of bad actors using automaton can produce a lot of traffic. So although it may be true that a large portion of the requests coming from TOR exit nodes is malicious, it would be unwise to conclude that most users of TOR have bad intentions.
True, but from the perspective of an org like CloudFlare, that doesn't matter. They don't know (or care) about the user breakdown coming from Tor; they just know that the vast majority of traffic coming from it is malicious. And since part of the point of Tor is to make it hard to determine who's who, the good traffic gets binned with the bad.
Cloudflare's documented experience aligns closely with mine; I've been limiting or blocking TOR ever since 2008 because over 90% of the traffic was malicious bots, and the majority of the remainder was malicious humans.
And when you have malicious traffic swimming in an anonymous pool, there's no practical alternative but to block all of it.
Isn't cloudflare the org that "Doesnt censor under any circumstances", and then turned around and censored white supremacists? Not that I agree with them (I DONT!), but it was a full 180.
And also, isn't cloudflare also the one to allow booters and stressers to be online behind CF - and they used stolen CC's to boot?
The Tor decisions to screw users over is just the cherry on top. Especially is egregious is when a captcha is demanded on even a simple static page. Seems pretty obvious what's going on here.
Everyone should censor and shun white supremacists. They have no place in modern society. When they shed their noxious views, we can all welcome them back with open arms.
The obvious explanation is that people were downvoting and flagging your comment because it was unsubstantive and ideological flamewar, not because they are white supremacists.
You continued to post flamewar comments. We ban accounts that do that repeatedly, so could you please stop? We've already had to ask you more than once before.
Just like the ACLU. Free speech is very important. If someone has something objectionable to say, let them expose themselves. Censorship solves nothing.
Just look at how state-backed censorship laws have turned Germany and Canada into totalitarian hellholes.
Yeah, right.
HN stans for white supremacy because it's mostly white and extremely online and never gets out to see the results of "give everyone a soapbox" on the streets where the proud boys are out there beating the shit out of people.
You people are cowards, and nothing more. There's no bravery here, no principled stand, just a bunch of fucking cowards.
I think you're doing a great job demonstrating why allowing people to expose their horrible ideas does more to dissuade other people than censorship. I'm glad your replies are on display even if I strongly disagree with them.
Ok, so you've decided that being white supremacist is bad. I can agree with you on that, but still the question remains: who get's do decide what has a place in modern society? Who decides what "modern society" even is? Today Google might decide to censor white supremacists, tomorrow it can be human rights advocates. I think that allowing any type of censorship, even for such a noble cause as fighing racism is a slippery slope. Especially when done by a private company that is outside of our control (and governments are only marginally better).
You're trying to generalize a useful rule ("shun white supremacists") but it doesn't work in this case. I don't think we need to, either.
We're not robots. We can shun white supremacists and leave everyone else alone. This isn't a slippery slope, it's just good sense (no more white supremacists, hey!). Humankind will get along just fine if we tack on that one extra rule and all follow it.
> Good thing the definition of white supremacist is commonly agreed upon and noncontroversial and absolutely isnt subject to definition creep :)
The definition is commonly agreed upon, and what "white supremacist" means is not at all controversial to most people. It certainly isn't so arbitrary as to be meaningless.
Now, the term may be misapplied at times, as may any term, but for it to be misapplied, it has to have an accepted application to begin with. A term without a definition can't be subject to definition creep, and the possible creep of a term like "white supremacist" is that wide to begin with.
Whether or not abortion is a murder is not about definition of "murder" it is about definition of "human being".
There's no doubt that abortion involves killing a living creature, the whole pro-choice vs pro-life debate is basically about one simple question: "is fetus a human being?". If you answer that with "yes", then every abortion becomes a murder, plain and simple.
This also explains why there will never be a compromise between two crowds: it is logically impossible to compromise on yes/no questions.
Isn’t the compromise position essentially ‘after X weeks’, where the value of X is highly contested? (And on the binary yes/no question there’s nuances too which get debated eg if continuing the pregnancy would be a significant threat to the mother’s life)
I think they do exactly that. For example disabling browser fingerprinting in firefox and not being logged into Google causes the majority of sites to display the captcha, especially when using a VPN.
Not really, because spam isn't done on the spammer's hardware. Not to mention, an expensive hashing function is precisely something bots can do but humans cannot.
If you're putting constraints on Tor traffic, it's not because of raw throughput. It's because it's extremely poor quality traffic.
Nah, it was released back in 2017. I've seen it discussed periodically ever since.
The issue with just doing memory-consuming work client-side is that it only marginally slows down spamming. Spammers tend to use compromised machines they don't own. Unless you can make it prohibitively expensive to calculate something using machines you don't pay for - perhaps not a trivial ask - you wind up needing a different set of tools. This is why Google tends to look at things that will exhibit human variation rather than pure computation.
It's not that your ideas aren't good. I'm sure ARGON2 has a use here! It's that this might not be a problem easily solved by consuming more resources.
Cool, I'll try it out the next time I have a problem with using TOR. You're right that ARGON2 doesn't help if CPUs/RAM are free, it just makes parallelization hard.
Click all boxes with traffic lights. Ok, well, this one box just barely contains the bottom right corner of the traffic light. Click. Nope, that little corner didn't count. Try again. Ok, well on this one, the right side of the traffic light is only barely over the line, so I won't click it. Nope, that sliver of the light mattered this time. MF!
Heh, maybe one day they can show a bunch of pictures of sand, where each subsequent pic has a grain removed, with the instructions "click on all the heaps".
I actually have a few screenshots where the task was impossible since the data was mislabeled. The latest example was "click all of the buses". It wouldn't let me continue because I wouldn't select the fire truck.
My naive assumption is that you should click the "refresh" button in these cases.
Just click whatever you suspect is needed to pass. Don't go above and beyond trying to give the actual right answer; you're just feeding some proprietary database owned by Google. QA for it is their problem.
> " It wouldn't let me continue because I wouldn't select the fire truck."
Another one is "click the mountains". It typically won't let you through unless you click anything with trees on the horizon, even if the terrain is clearly flat. Google's robot thinks mountains are made out of wood, and any human who disagrees is labeled a robot. It's insanity.
I've recently gotten caught in one of these, where it was "click all of the bicycles" and after a few clicks (it was one of those which fade out to present a new picture) the only "bicycle" left was a bicycle-shaped street decoration. It wouldn't let me proceed unless I clicked on something, so I had to refresh to get a new task.
I assumed the infuriating ambiguity is intentional, in order to train some algorithm they need to know what the prevailing human correct judgement is in dicey situations
I don't think it's intentional -- it probably just emerges from the training process.
I'm guessing they do something like load up a batch of images and once N people agree on one, record the answer and remove it from the rotation. You end up left with the ambiguous images where people couldn't agree.
I always figure they're looking for a population consensus. They're doing image recognition at scale and these are clearly ambiguous, hard images to classify. They could easily have a few people at Google say, "I determine this is a storefront" and make that the "correct" answer, but I think they're more interested in a consensus of what most "normal" people would classify as a storefront, especially in potentially-volatile classifications where real humans might argue over the answer. They can skip the argument and just know which side will win it.
What they're actually getting though is the population consensus of what normal people believes Google's image classifier believes. The system incentivizes users to reinforce misconceptions their classifier has.
Google's image classifier would think that's a mountain. If you disagree, google will classify you as a robot. After failing these sort of challenges a few times the user decides to play along and tell google what they think google wants to hear, rather than the truth.
What makes you think Google's image classifer would think that's a mountain?
Especially if this is all used for learning, enough people saying "that is clearly not a mountain" would reinforce that it's, in fact, probably not a mountain. Even if I got classified as a robot, I'm not sure I would think "oh, a system designed to classify images would think this not-a-mountain is a mountain", so I definitely wouldn't double down and keep marking it as a mountain. I'd, well, not. And assume the system is at least as good as classifying the images it chooses to use as I am.
> "What makes you think Google's image classifer would think that's a mountain?"
Because every single time it asks me to classify mountains it rejects my answers if I don't click on trees on the horizon (and often trees on the horizon are the only "mountains" presented) and every single time it accepts the answer that such trees are mountains. I've gotten the mountains challenge dozens of times, the results are very consistent. If there is a group of trees on the horizon, that is asserted to be a mountain.
> "enough people saying "that is clearly not a mountain" would reinforce that it's, in fact, probably not a mountain."
Totally irrelevant because if I am trying to get through a google captcha, it's because that captcha is standing in the way of me doing something. My interest is in passing the captcha, not correcting Google's shitty image classifier. So I have absolutely no incentive to make my life harder by insisting on correct answers, and every incentive to tell Google what they want to hear.
>So I have absolutely no incentive to make my life harder by insisting on correct answers, and every incentive to tell Google what they want to hear.
I guess this is where the misunderstanding is. You don't think Google wants to hear the correct answer?
Trying to guess at what the daily/monthly flavor of "correct" is seems like it'd do more harm than good, resulting in some kind of nondeterministic guessing game of "well, trees on the horizon are probably assumed to be a mountain" that never settles on actually-correct answers (and, I'd wager, is often more inconvenient to the user than just answering correctly would be, because now there's a layer of indirection on what they think a system thinks of an image, rather than just what they think of that image).
If everyone just answered "no, that's trees" instead of a hand-wavy "I think you think it's a mountain", I feel like this captcha would be significantly easier for us humans (because we could actually give real answers), as well as less inconvenient for people who just want to pass on through and get on with whatever they were doing before a site wanted to verify they weren't a bot (because they can just, well, identify images instead of playing a game of "what does the machine think?").
> "You don't think Google wants to hear the correct answer?"
They may want it but they don't reward it. I don't care what sort of answer they want, I only care what sort of answer they accept. I'm not going to donate my time to these bastards by doing anything more than what's necessary to pass their captcha.
> "If everyone just answered "no, that's trees" instead of a hand-wavy "I think you think it's trees","
It is just a consequence of other humans also having problems with these cases. They do not mind that you have to make multiple attempts, it is just more yummy data for their bots (their machine learning algorithms are trained on this stuff).
I'm pretty convinced they're not really using these for ML, but that their ML algorithms have already run on these and they already know these difficult (read: ambiguous) enough to make you give up. These cases specifically only come up when they seem to think you're probably a bot (based on cookies or IP or whatever). They seem to deliberately put the photo boundaries such that they slice through whatever object they want you to look for. And they intentionally make the delays extremely long. These don't happen when they think you're probably a human and just want to throw an extra hurdle (like if you're Googling a little too frequently from your usual browser/location).
Thankfully they'll eventually fall back to the "click the images of _object_ until there are no pictures left with a(n) _object_" in it, but those clicking block ones of a specific picture are super frustrating.
It goes like this: "so you want to be anonymous and won't let us track every single thing you do? ok, then you'll help us train our AI so we can improve our self-driving cars and improve how Google Maps extracts information from Street View images"
They seem to keep adding categories though, which makes me suspect that it is all about ML training. Recently it's chimneys and bridges (although that one may be older).
The likely answer is a bit of both. They use the image tests because it's something that is still kind of hard to do for computers and then uses a small percentage of the boxes as unknown tests to improve some ML algorithm. Unfortunately as computer vision has gotten better they've had to make the challenges harder to the point where they're quite low quality and sometimes count very small features qualifying images. My least favorite is labeling 'cars' because it can be hard to tell if it wants to count cars way off in the distance through the adversarial noise they add to the images.
CloudFlare at least is using a thing where you only have to solve a ReCaptcha once, and then you can cryptographically prove you did, without compromising anonymity.
TOR doesn't protect your privacy, it just lumps you in with—and makes you indistinguishable from—the worst crap on the internet. If you don't want to be treated like crap, don't try to blend in with the crap.
I get the feeling that 90% of the check is if you are signed into a Google account, otherwise you're going to click some images. I've noticed this a lot of incognito mode where I will almost always have to do a captcha.
I don't think so. When I was traveling in Malaysia a few months ago I was always signed into my Google account, but constantly needed to fill in captchas and even got suspended from Google Scholar for a few hours for "suspicious traffic".
I guess Mozilla hasn't noticed that one yet. They've been removing captcha bypassing add-ons from their site. And because all Firefox versions that aren't buggy require add-ons to be signed by Moz it makes distributing them through other channels rather tedious.
that's good. tor traffic should not leak on the open web. that just diminish tor network and cause headaches to node operators.
if you care about all that, run a node without internet exit, and also strive to make your sites available on tor (hate the "hidden service" nomenclature)
As a user who's constantly clicking on the crosswalk or storefront images you can't help but to think that you're essentially working for free training Google's machine learning models by providing them with supervised data points.
That's what ReCaptcha always was... it was originally a known and another unsure text blurb from scanned books/text documents. Now it's street signs etc.
It's actually pretty interesting to see how the captchas have evolved as, presumably, Google decides "OK, we have enough data to consistently identify this thing" and moves on to the next challenge.
I recall the modern (non-text) captchas used to be cars pretty much every time. Then, the images started getting grainier as they apparently wanted to improve their recognition in different conditions. Then crosswalks and store fronts became quite common, eventually with the same kinds of noise distorting images. Now I've started seeing things like buses, bridges, motorcycles, bicycles, etc. It feels like they've finished getting enough data for improving Google Maps and have begun moving towards collecting data for their self-driving car projects.
Machines have been able to beat captchas for years and years. The point is that it costs money and that's good enough to prevent free and scalable abuse.
Those really grainy images, they always seemed like they had to have noise added on purpose? It was like really badly processed film grain, but if the images were enlargements then wouldn't they be pixelated?
Stuff you get now often requires cultural information, like "sidewalk" isn't a cross-cultural name, I'd guess almost everyone knows it, but meh. What classes as a store, is a lawyers office a store? Also, I seem to recall I had "click on all minivans"?? Not sure what one of those is, nor really what is classed as a car in USA, is an MPV a car [I'd guess that's what a minivan is?]? Do pedestrian crossing lights (green/red man) count as [part of] traffic lights? I've often wanted a short description of the locus of the terms they're using. Of course it never tells you if you failed, just gives you a further captcha, which it might have done anyway.
The fire hydrant one always annoyed me - in many countries stand-up fire hydrants are nonexistent or at least look very different. I guess they're banking on people having seen enough American movies/TV shows?
In the UK we call them fire hydrants and they’re typically placed underground with a small metal cover in the middle of the road and a sign on the pavement (sidewalk for Americans) saying where it is.
Yeah, a lot of the storefront ones are just plan hit things randomly until it lets you through - how am I supposed to know if a building with some writing on it in Korean is a store or something else? Are you supposed to include the poles in traffic lights or not?
The V2 was just annoyingly badly designed because the questions were badly put.
I think it might be the same when they switch to other types of objects (like crosswalks or bikes). Someone's model got too good, so they had to change to something else. I also get the impression that they add delays to the tile refresh before they do that.
I suspect Google now uses robots to generate captchas for humans, under the assumption their image recognizers are far better than anyone else's. They already have some very well ones for other products (self driving cars, street view) and lots of street-level city imagery. That would explain why their captchas are so difficult for humans to solve -- they're testing if you see things like their "AI," not like other humans.
>I'd always assumed that was noise carefully tuned to throw off one machine learning model or another that was being used to beat the captcha
I was thinking it was trying to dirty up the image just like the lenses on cameras get dirty. What happens to the image recognition when there's water spots, dirt, mud, etc on the lens that keeps parts of the image obscured?
what would be the training data value in getting humans to classify images you have clean versions of, after applying simulated noise?
If you have the clean version of the image, you need to get that classified by a human - then you can throw noisy versions of it into the training set for your AI. You don’t need to ask a human, hey, I added noise to a picture of a yield sign. Is it still a picture of a yield sign?
With the possibility of almost uniquely identifying us on the web through fingerprinting... Google, of all companies is in the perfect position to know that my web request was made by me... And therefore I'm not a robot.
You can only conclude that recaptcha is a ml training exercise.
> With the possibility of almost uniquely identifying us on the web through fingerprinting... Google, of all companies is in the perfect position to know that my web request was made by me... And therefore I'm not a robot.
The article explains that this is part of what reCAPTCHA does, e.g.:
> Finally they combine all of this data with their knowledge of the person using the computer. Almost everyone on the Internet uses something owned by Google – search, mail, ads, maps – and as you know Google Tracks All Of Your Things. When you click that checkbox, Google reviews your browser history to see if it looks convincingly human.
But your point is otherwise right in that it's used for ML training, which Google admits as another commenter pointed out.
> Finally they combine all of this data with their knowledge of the person using the computer. Almost everyone on the Internet uses something owned by Google – search, mail, ads, maps – and as you know Google Tracks All Of Your Things.
Human [n]: Entity that uses Google®-brand services.
Maybe, maybe not. From time to time google forces me to prove I'm not a robot because of unusual search queries. Either my queries are unusual or I have an infected computer. The thing is, it also happens to me on my iPhone.
Or, maybe they feel I'm not pulling my own weight, seeing as I rarely ever click on adds. They probably need more monkeys to feed the beast so I get selected to train their AI beast.
Edit: It could also be that I'm always running on incognito mode.
And I find it equally interesting to think about what happened to Google Books project after half the world was entering text into captchas perhaps close to a decade? Is the project still going on?
Helping scan all the world's books as part of a plan to make them freely available to all is much easier to get behind than tuning map objects for their self driving cars. Particularly when most books that were scanned never, ever showed up on Google books.
> Particularly when most books that were scanned never, ever showed up on Google books.
If one looks at the history of Google Books one can see that they started with big ambitions, but hit copyright in quite intensive ways. That also changed their approach to other projects. Clearing all rights internationally isn't easy.
And if they succeed to much they can monopolize transportation and thus mobility. Not a power I want to have in a private company. Especially not in a company from outside my country's jurisdiction. Where I can't have an impact via democratic law making process.
> Especially not in a company from outside my country's jurisdiction. Where I can't have an impact via democratic law making process.
This is false. EU governments have already placed significant restrictions and fines upon US tech companies in the past. There is no reason to believe that they won't be able to again.
Those fines are the perfect representation of the lack of control EU has over US tech giants. They are essentially opaque and impossible to inflence through normal regulatory and political channels so the only options are the big guns. You can be sure Google is not going to heavily invest in the EU tech sector under such adversarial set-up. There's a subtle blackmail here: we push the envelope as far as it goes and the EU can choose to submit or risk technological backwardness.
It's a great situation for the US economy but a very bad strategical position for Europe.
Not if Google has collected enough other identifying information about you to determine whether or not you're a robot.
But I'm kinda hoping that the reason I keep having to identify cars and store fronts is that my refusal of third-party cookies is causing them to have no idea who I am. But that might be the optimistic view.
In any case, I wouldn't mind if sites stopped using recaptcha.
Identifying text for public domain works that Google is making available online is much different than forcing the web to train their models for their profit.
they stopped using the text because some forum campaign that promoted typing cursewords instead of the unkown word. they probably started showing cursewords on the rendered search highligths on google books.
there was a decent write up from a whitehat showing the damage, but I can't find it
I can't imagine some forum has enough traffic to meaningfully screw up their data, and they don't tell you which of the two words is the unknown word, so you're just going to fail a lot doing that.
This was extremely common on 4chan maybe 7 or so years back I can't remember the exact year and it worked for a very long time before anything was done about it and everyone knew to do it. Google asked for two words and presented them as two different fonts. The real word that needed transcribing was always identifiable and you could just write what you wanted as long as you got the second test word correct. Much fun was had.
So what's going to happen if you write "nigger" that you're so unwilling to write it? It's not like you'd be calling someone a nigger, you'd be using it in a clearly informative manner,
> they stopped using the text because some forum campaign that promoted typing cursewords instead of the unkown word. they probably started showing cursewords on the rendered search highligths on google books.
If I remember correctly, Google later on also sometimes showed two "known" words or, if they had actual other evidence that you are human, two unknown words.
> I'm doubtful about any good solution for having computers decide whether we are sufficiently human.
Two questions:
- Couldn't a computer just temporarily hire a human to prove there is a human involved?
- Why are we using recaptcha or verifying humanity anyway? I understand stopping spam, scams, and fraud, but scraping already public data doesn't present significant harm.
Yeah, it shouldn't be used to limit public data. The main use is to prevent spammers from spamming fora or registering thousands of throwaway email addresses.
I've been thinking about this a lot lately. Where is our compensation? It's our time and brain power training Google's AI that will one day be sold back to us. I'm really not into this.
Because Google can extract value from captchas, it makes world-class captchas and bot detection AI available to every webmaster for free. I don't know what that level of service would otherwise cost, but it almost certainly wouldn't be affordable for low-traffic blogs and the like, which would end up vulnerable using weaker captchas or trying to roll their own. Everywhere else the cost would just get passed on to users.
I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it. That said, I do miss the old reCaptcha.
> it almost certainly wouldn't be affordable for low-traffic blogs and the like
Very few low-traffic blogs that I see use (or need) CAPTCHAs. I know that the ones I run don't.
> I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it.
I don't think they are getting much, if anything out of it -- aside from being increasingly punished for defending themselves against being spied on by Google.
Often a trivial non-standard thing like "what's the name of the author" works well enough. Especially outside the English language. Spammers won't spend the time to bother adopting their scripts for that.
If this somple thing comes from a popular WordPress plugin the equation for the spammer changes, of course.
There's certainly a period of time where that solution is sufficient as it stops the lowest level of drive-by <form> spam.
But it also sucks the first day you get an attacker who solves it once and then spams you thousands of times.
Modern spam tools are pretty impressive these days and minimize the targeted work the human spammer needs to do in these cases. In the early 2000s, you could set a custom question and then assume no attacker is going to manually code for your little blog.
But even in 2008 I was using spam software (out of curiosity) where you could import a massive blog list, and it would pause spamjobs with failed comment submissions, let you pencil in a value for this unknown field, and then click resume.
You could also choose other actions for that field like "prompt me each time" and sit at your computer multiplexing your labor across hundreds of blogs. And that was pretty polished ten years ago.
I do this. Funnily enough one of the reasons I did it was because Google’s spam filters gave me too many false positives and my gmail account attracted enough spam that sorting through manually was a pain.
Has it been a good experience for you? What are you using?
My point was just that even if something is provided to the customer for free, doesn't mean it's easy to produce. That causes a lot of the issues my non-tech friends have with understanding the scope of work. Just because social media is free and easy to set up as a customer doesn't mean developing a social media is easy at all.
I’ve been using exim and dovecot with rspamd for spam filtering. Have two VPSs on different providers to provide MX backup properly (they’re cheap these days and for low traffic I don’t need much more than the smallest VPS). I do DKIM and SPF but not DMARC and it gets through gmails spam filter fine and passes the various other tests you can find online. Took a while to set up right (in the end I found the best route to predictability to be writing my own exim config file rather than using someone else’s template) but pretty simple to run after that - there’s some effort to make sure I keep up to date with security patches and monitor log files for anything untoward but it’s relatively small. Using letsencrypt certs so email clients have been relatively simple to set up.
Overall it’s been a good experience. I run into a few sites which when I send to them classify my email as spam or grey list my sending IP so mail doesn’t get through quickly but then I used to have the same spam problem with some sites running my own domain through google apps.
And there's going to be a lot of discussion of the idea at the RadicalxChange conference in March (https://radicalxchange.org/), including with Jaron himself as well as the book authors. (Disclosure: I do the conference website as a volunteer).
Are you kidding? Your compensation is all the free apps you get (Gmail, Maps, etc.) You’ll rarely see a Captcha for a paid product once they have your cc info.
It's actually not that hard, assuming you control your form generation. Bots usually fill in fields using the actual field name - not the label the user sees. So provide a field labelled "Age" but named "email", and simply check it contains digits. If it's got an email address in it, it's a bot.
Labels can also be obfuscated with javascript, replacing the raw HTML "Email" with "Age"on page load. Getting this right will require the bot to parse both HTML and JS, and we can force them to handle CSS too. Add a "zip" field, and hide it with complex CSS rules. If it contains a zip code, it's a bot.
If you're really paranoid, randomise combinations of distinguishable fields (name, email, phone, age and hidden fields) every time you generate the form, so even if a bot herder manually maps names to fields one time, it'll fail the next. At this stage it'll be cheaper for the bot herder to use Mechanical Turk, after which even Google's captcha is compromised.
>So provide a field labelled "Age" but named "email", and simply check it contains digits. If it's got an email address in it, it's a bot.
Or a blind user who might actually rely on both labels and names. That's a bit like what arxiv does, they have hidden links that ban your ip when you crawl, but the links aren't hidden for AT users. I got myself banned that way once.
I've found that the tech industry often is. Trying to get managers to set aside time to iron out accessibility issues is like pulling teeth. Trying to get other developers to take it seriously is almost as bad. Often you count yourself lucky if the bare legal minimum is implemented.
Accessibility is very important, and if accessibility features are implemented well they'll often be useful even to people without disabilities, but do any CS/SE or code bootcamp programs take the topic seriously? I'm sure it must be taught somewhere, but it doesn't seem to be common at all. Can you even imagine 21st century university architecture department that didn't cover ADA compliance? That'd be unthinkable.
wonder if someone is collecting actual data instead of listening to udfalkso, the google sales rep here.
maybe to save them a few $ from bots and spam (bandwidth and storage is very cheap today) they might be losing new users by the thousands (and traffic acquisition is far more expensive than the formers)
Off the shelf spam software like Xrumer[0] has been cracking those captchas for 10+ years.
Recaptcha isn't obnoxious for fun, it's obnoxious because this is the state of the arms race right now. There's also the challenge of creating a captcha that allows blind people in.
Yeah, that is what annoys me. “Thanks for paying us to use our product. Now do free work for us for the privilege of using the product you already paid for!”
> Your compensation is access to the website that uses Recaptcha
Which is one of the reasons why the presence of reCAPTCHA is strong push to avoid that site.
> since you're here and HN uses Recaptcha on its register/login form, it seems like the compensation was adequate.
Perhaps so. I don't remember doing a CAPTCHA to sign up, but I don't dispute that I did it. However, I've never been presented with one after signup. If I was, I wouldn't be here.
I don't really understand the case where you'd use this.
First, it seems tacky scrounging for peanuts from the users' captcha work. Or it's like a product/services website showing Adsense ads. It's a cheapening message to send.
Second, since you make more money from more captcha volume, you're incentivized to maximize your use of captcha which is at odds with every complaint in this comments section about captcha. Most sites only use captcha to gate low-volume actions like register/login (e.g. HN).
They created their own Ethereum token too which always puts a bad taste in my mouth these days.
Finally, it doesn't address the upstream complaint that someone else is profiting off the user's "work" rather than the user. Though I don't find that complaint very reasonable. And a tiny fraction of a cent sounds about right. The truth is that users benefit from anti-abuse systems. The number of bots that HN's recaptcha on register/login has stopped is worth that tiny fraction of a cent to most users.
Is it somehow less tacky to give that value away to Google for free?
Sites can set the difficulty level necessary for their application. Some are under continual targeted attack, others are mainly keeping out rogue automated spambots from their comments section.
The user is typically getting a free service, a better site experience due to less bot traffic, or both. I think sharing the value of their work with the website is a fair deal.
As for using blockchain tech for ledger functions, that is all under the hood: websites can cash out to dollars as they prefer.
(disclosure: work on bot detection at hCaptcha.com)
> Is it somehow less tacky to give that value away to Google for free?
Yes, mainly because we're talking about fractions of cents. Also, it's not for free; the website and its users get a good anti-abuse measure in return.
There's a big difference between something that cannot make money and something that makes pennies for the site. But, to be fair, 99.9% of users aren't going to notice the difference in captcha branding either way unlike my example of a banner ad on a retail site.
My main reaction is that the UX incentive to minimize user exposure to captchas seems to work against the primary pull of using hcaptcha in the first place.
Though one site I can think of that has a captcha behind every action (every post) is 4chan. Maybe you can get them on hcaptcha one day. It would at least help you test your tagging system against vandalism. :)
I assume you're talking about ads. But you're bidding at least cents on Adwords and making at least cents on Adsense. In Adsense's hey day, I had relatively low-volume sites making over $1 per click and paying my rent in lucrative niches.
I didn't find any pricing examples on hcaptcha's website. For all I know, people are bidding 5 cents per image.
Anyways, I definitely want to see more serious contenders in the captcha space so that we all aren't contributing to Google's middle-manning of the entire internet, and I'd like to try hcaptcha even out of curiosity.
Your compensation is that you get to use the website, and the website's compensation for putting up a gate for their users is that they get to keep the bots out.
When you search for an address on google maps, that little tiny house number on the house was once a captcha image and now google knows that number so it can take you to the exact location on a map when you search for that number.
Everyone helps train the machine so when they want something from the machine then the machine is better at finding what they asked for. That seems pretty democratic to me.
So you want compensation because your data is used along with millions of others to train an algorithm to distinguish if a bot or a real human to provide a service to you? Nice.
The Cascade Bicycle Club in the Pacific Northwest threw me into one of these multi-minute Captchell vortexes when I tried to log in to my years-old account to renew my membership and register for one of their organized rides. I was already on the fence as to whether it would be worth paying to do these rides that I have already done several times over the years. That (ironically) dehumanizing experience pushed me over the edge. I didn't complete the Captchas, didn't log in, didn't renew my membership, and didn't register for anything this year.
More and more frequently when presented with a captcha, I've been deciding I don't care enough about whatever it was to want to exchange robot training for access. Especially if they pull that shit after I've spent effort on something (a comment, say) - I will absolutely walk away and not come back.
One solution is to remove Google out of your life as best as possible.
Personally I now use...
- iCloud.com instead of Gmail
- DDG for search though I do have to !g like 20 to 30% of the time for things like driving directions (from X point to Y point), local movie times nearby and flights.
I still use
- YouTube
- Google Maps some as its great for getting distance between X and Y
- Google News (is there a better substitute)
- Google Photos (is there anything that compares)
Hoping in time to rely a ton less on Google products.
I'm in the same boat, friend. Expelling Google from my life.
Apple Maps works for me. I appreciate that's not the case for everyone, but it's come a LONG way.
I sincerely use Apple news (on iOS) and have been loving it, but appreciate it's not for everyone's use case.
Google photos.. yeah wow. There really isn't much like it. I've resigned to storing my photos myself on a private server and slowly making albums/things come together. But I have to NOT use google photos. It's too scary.
Gmail was easy
Youtube I use a fake gmail account that's not linked to me in the slightest and only use it on 1 iPad, else not logged in.
It's a quest. But I'll get there. Someone really ought to make a Google Photos competitor though, there's nothing that has the same level of polish right now.
Not a solution in this case - the problem is that companies like Cloudflare use these captchas to slow down your visit if you are using Tor or a VPN. In fact being logged in to google probably helps you bypass these checks
I suspect you could replace the entire mess described in the post with: what's the logged in account's spaminess? followed by, what are the doubleclick cookies' spaminess?
You could further approximate that with: "How much does Google's AI think this human's time is worth in future revenue?"
I for one intentionally inject errors into their image classifier until it lets me in anyway.
I always try and click one or two extra boxes that are wrong. Sure I sometimes have to go through and confirm extra images, but you know what? I don't work for free and so I'm doing my small part to bugger up Google's data set.
I've recently made a discovery that pleases my petty side.
You know how they usually give you several questions to solve, even if you're quite convinced you solved a question correctly?
Turns out if you click randomly, they keep showing you new questions as well. If, after a handful of purposely wrong answers, you answer one correctly, they let you through.
I now purposely mess up the answers a few times. It seems neither slower nor faster than actually taking the time to do it right, but it takes less mental load, and it makes me not feel like doing slave labour for a machine.
I'm now wondering if the fact that I block third-party cookies is the reason I always have to identify cars and store fronts. Maybe I should just avoid sites that use recaptcha.
For a while there they kept saying I was wrong and it would effectively lock me out of some accounts that required it. Recently it’s stopped but it’s super annoying how ambiguous it is.
This is reCAPTCHA v2. There's even a v3 that does not have a checkbox at all. Is just a Javascript API that gives you a score between 1.0 and 0.0 on how likely a user is a bot or not. I suspect it uses the same ideas of this one, maybe more since the article is a bit outdated.
I don't think that's the goal. Nowhere they suggest locking people out though def it is possible. The idea is that the website can choose to be more cautious about that user, requiring 2FAuth, flagging for possible credit card fraud and comment moderation. I think these are all good use cases.
It will lock me out of the websites because it requires me to enable Google Javascript code to execute, which is something I will not do. I allow very little JS to execute at all, and I don't allow any from advertising companies or entities that report to advertising companies.
I understand the reasons why sites may want to do this sort of thing, but personally, the cost of allowing this to happen in my browsing is simply too high.
Is there any place where I can find a comprehensive list of countermeasures to stop Google from recording and analyzing all the stuff that the article lists? According to the article:
It turns out they record and analyse:
- Your computer’s timezone and time
- Your IP address and rough location
- Your screen size and resolution
- What browser you’re using
- What plugins you’re using
- How long the page took to display
- How many key presses, mouse clicks, and tap/scrolls were made
And ... some other stuff we don’t quite understand.
If you want more granularity I’d suggest giving uMatrix a try. You’ll basically break every site at first and have to make adjustments for every site you visit (whitelist certain Ressourcen on a per domain basis) but I think it’s well worth it.
NoScript (which is totally fine) just blocks all JS, uMatrix can block much more.
NoScript lets you whitelist sites. Chrome's built in Javascript blocking is about as usable.
Settings -> Privacy and Security -> Content Settings -> Javascript and then change "Allowed" to off.
You can white list a domain by clicking on the padlock or the thing that says "Not Secure" in the URL bar on the left and clicking "Site settings" and changing Javascript to Allowed.
In my opinion, the only real effect JS blocking has is you start complaining in HN comments about sites not working.
> NoScript (which is totally fine) just blocks all JS
Depends on the version of NoScript. If you stick with the older ones before this was broken, you're good. You can't do that with the new Firefox, though.
I found umatrix required me to turn so many things on for the average site that I wasn't sure it was blocking anything significant anymore. I suppose I have up after a while
I can see why you’d feel that way but for me it still blocks a lot of stuff I don’t want.
I block some domains/companies via my hosts file and run a pihole but there’s always the odd advertising network etc I, or my pihole didn’t knew about that gets blocked by uMatrix.
Personally I prefer uMatrix. It has a nice CSS-ish quality to it, e.g. you can whitelist random subdomains like *.cloudfront.net _if_ the root page is a domain you trust already.
It's still a pain to get rolling at first but it feels more friendly to me than noscript
uMatrix is a serious pain in the ass with reCapcha however, and for any site that embeds video. Plus it treats every site as unique so you have to redo the green boxes on every site.
If you click on the asterisk between the domain name and the on/off button, it switches to global rule mode. Any allows/denies you save will be used across all sites.
I use NoScript, and only allow very specific scripts to run. There are sites that won't work without allowing a metric ton of sketchy scripts to run, but those are both a minority and tend to be sites run by major companies -- so I can ignore them without loss.
Nope, because it's a cat-and-mouse game with robots. It's not in Google's interest to publish it because it would give an advantage to the bot writers.
I feel a sense of dread whenever I see this box. Is it going to let me through, or am I going to spend the next few minutes futilely clicking signs and lights, only to give up and leave the site?
just preemtively say no and leave the site. this is just another tracking vector for google and it should be discouraged.
i'm generally against this type of gating, where the people doing the right thing get punished disproportionately (even small slices of time add up to wasting thousands of human-years over the population) just to combat the tiny number of bad actors. target the bad actors directly.
it's the same for tsa security theater. let's put all those humans to work training dogs of all sorts and filtering them through people at the airport. the money for those privacy invading scanners can be put toward training and housing the dogs. our collective time is not wasted on silliness and standing in line, and we'd probably save a lot of tax dollars that way.
Sadly, the parcel tracking functionality of the Royal Mail's site here in the UK uses it, so I have little choice but to go through this rigmarole a few times a week.
On the one hand, fuck Google for wanting another vector with which to track me, on the other hand, why can't it remember that I proved to it that I'm human (allegedly) two days ago?
I was being a bit pithy, but in that case, surely there's some sequence of smart fuzzily-heuristic analysis that can be played out to check that my humanised identification isn't acting like a bot?
> I have also trained myself to wait a few seconds before clicking the box, which seems to help assert my humanity.
I wonder how many different weird rituals are out there for 'beating' CAPTCHA?
For me, I usually make some effort to keep moving my mouse and being "active" after clicking the box, on the idea that an isolated click event looks less human. It's based on a friend's tip and it seems to help, but I have no confidence that it's actually relevant in such a complex system. I sort of suspect Google has created a new generation of meaningless routines fit to rival historical standouts like sports rituals.
Yeah, the extreme comments that we see whenever the topic of ReCaptcha comes up are especially amusing because HN uses it on its own register/login page.
Yeah it's ironic. It's more convenient to use the phone to get my balance, even if you count the time spent listening to the recorded message telling me how much better my life would be if I used Internet banking.
yes, the problem is prevalent and (small) forum operators bear the pain acutely. i'm not so dogmatic that i can't sympathize with your need for a working, if imperfect, solution, or as a user, needing to jump through the captcha hoops occasionally.
this is a subtle externality borne from scale combined with zero marginal cost. we need to find a way to make the bad actors bear the cost of that externality rather than the rest of us.
it's a hard problem that resists simple solutions like captchas, certificate signing, delivery fees, taxes, or even just outlawing the practice. as a lowly consumer, one of the few levers i have is curtailing my use of services employing (google) captchas.
I do this after being blackholed by goolgles captcha a dozen times. If your site reli3s on google you are the problem at this point. I am not a data point. I am a free man.
Counter anecdote: I was actually never rejected though I’ve been subjected to the picture test multiple times. Most of the time I just get through, though it is hard not to sigh and roll your eyes when presented with one.
Annoying as they are, I don’t really see a better alternative. They’re also pretty easily circumvented with cheap labour like mechanical turk and similar services.
As superficial as it seems, this kind of stuff drives me away from businesses. I almost changed my mind about opening a retirement account with Charles Schwab purely because they block access to their site from the VPN that I used at the time. That said, for services from which I gain a lot of benefit, the annoyance is worth it, so it ultimately doesn't matter.
Why? My time is valuable. If they want such detailed feedback (i.e. free business advice) from me, they can compensate me for it. I would get nothing in return for spending my time explaining why I'm not going to give them any more of my money.
Presumably they'll already make you waste time talking to a human when you close your account. Might as well mention the captcha to make public the distaste for recaptcha as we are now on this forum.
I hardly ever get to just check the box. I think uBlock Origin and Safari's intelligent cookie blocking removes a lot of identifying details, and ReCAPTCHA relies a lot on browsing history and cookies.
I use Firefox with containers (so ReCaptcha can’t see my Google cookies) and also uBlock Origin + a few more extensions. I don’t use NoScript or similar. I get the manual test for ReCaptcha pretty much 100% of the time.
Personally, I've reached the point where this is the first thing that I do. If a site is presenting a CAPTCHA (especially one run by Google) to me, then 90% of the time, that's a site I'm better off avoiding anyway.
That last 10% can be infuriating, though, and I certainly won't feel positively about it.
And if you have a vision issue like me and you try to use the audio version you will often get "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit our help page" and be unable to continue.
I'm willing to bet if you record how long you spend clicking signs and lights on average, it's going to be more like several seconds than a few minutes. This must be hyperbole. There are the outlier cases where it gets fairly annoying but otherwise, I'm not sure I understand the hostility toward such a benign system that actually does thwart bots very effectively.
> I'm willing to bet if you record how long you spend clicking signs and lights on average, it's going to be more like several seconds than a few minutes.
How much, and at what odds?
The length of the average Google CATPCHA has been steadily going up for me. I haven't pulled out a stopwatch, but I do count how many image sets I go through. I basically never get through on the checkbox unless I've done one on another site shortly before. I sometimes succeed after one set, but if I don't it's consistently 3+. The worst case I've seen was 10 layers of slow-loading images without success, at which point I gave up and tried on another device. (If it had been a site I didn't need, I'd have given up after 5 - which I do fairly often, so I don't have an average count needed to succeed!)
I'm fully aware that average users don't have this much trouble, or people would be furious. But I also see that captcha ramps up to an extremely long process in the face of even modest privacy-protection efforts like not running Javascript or allowing third party trackers by default. (God forbid you're using a VPN for any reason.) It's not assessing your humanity but your familiarity, using the same fingerprinting tools as any site that wants to track you.
Spam is a real problem, and a hard one to solve, but I admit I'm hostile to Google's captcha. Partly because it really is a significant time sink for me. Partly because it lacks any progress indicator or fallback option so it's an indefinite hurdle to accessing sites I'm already committed to using. But largely because, despite what I really believe are good intentions, it's yet another force pushing people to give up privacy and even security if they want websites to work tolerably.
Effective or not, I wouldn't exactly call it benign when it's aggressively fingerprinting you based on every bit of data it can access.
I disable most scripts using uBlock, but I have to make an exception for reCaptcha if I want to interact with half the web. I'm pretty sure due to that alone Google is able to track where I go.
Someone is suing Apple for making 2FA too annoying, I only hope Google can be next for the significantly greater time being wasted on their stupid CAPTCHA. Why should any of us even care if someone accesses a website programmatically?
It's almost definitely not my problem, and it's not even necessarily a problem it's just a way to access pages, made easier by Google in fact because it's a perfectly legitimate way to navigate the internet and Google themselves depend on it. If anyone wants to discourage it just provide an official API to use instead of pages, which are a defacto API for humans.
Apple's 2FA cannot be disabled, beyond that if you ever had two devices connected to your account, good luck getting them to use your verified phone instead... I was trying to get rid of a "your apple account... please sign in" via the app store, and the advice was to sign out then back in again... my only other apple device was in another city...
Phone calls to GF, to get her to login, similar issue, it was now signed out, and after another attempt, one of them showed the 2FA window, which got me in. At no point was I able to use the phone number also associated with my account, and it was a huge, long, pain in the ass. It's actually a huge part of why I won't buy an iPhone.
It is describing how the checkbox is collecting your browser's characteristics (eg they go to great length describing the webGL fingerprint) and your own characteristics (eg mouse behavior), such that when you click the box, you are determined to be a person or a bot. If they think you are a person, you don't have to do the CAPTCHA.
The whole bit about a double encrypted "VM" is overstating the case. The "VM" is "just" a bytecode interpreter, which at the end of the day can't do anything the browser's javascript engine can't do itself. Yes, it's some heavy obfuscation, and what's more interesting than the interpreter itself is the decision to spend what must have been lots of time/resources to develop it. It's security by obscurity, and in this case it is delivered to the client so obviously it's reversible. Maybe there's a deeper purpose.
EDIT: ah. the purpose is not to obfuscate. it is to fingerprint the CPU characteristics. by running their own interpreter, and changing the opcodes on the fly and such things, they can defeat JIT and learn something about the CPU itself. if they have user info (google cookie) they can know what CPU/CPUs that user typically uses and if "the checkbox" records something different it's a signal.
When trying to detect ad fraud, one problematic scenario is that of replay attacks. It's basically when a scammer records human behavior on a site, and then replays a mix of actual their sessions to fraudulently click an ad.
The Quora answer is interesting but it's not clear to me whether the "I'm not a robot" box cannot be defeated in a similar manner.
I work on bot detection at hCaptcha.com. (Hiring: reach out if you want to apply machine learning to stop bots and help websites monetize their traffic without ads)
In order to successfully execute a replay attack you would also need to pass the Turing Test, i.e. click the correct images. If you design a bot that starts a combinatoric attacking by trying random guesses we can easily confuse it, so most attackers try to use a solver service.
We can also identify how you interact with semantic content in the images when you click on the image and characterize your mouse interaction as human or non-human. Since confidence increases as more results come in we can also run them after the initial pass and then shadow-ban bots. (And notify the targeted website that we have determined e.g. a particular signup is a bot.)
Ultimately, many techniques beyond simple correct/not-correct are required to defend against the main attack vector: humans hired to solve captchas en-masse and make thousands of fake accounts. Modern ML is pretty effective for these kinds of problems. Browser obfuscation does not add real security, and today's reCAPTCHA (all versions) is easily defeated in practice.
This solution has more or less locked me out of certain accounts, except for when I want to spend a whole evening solving captchas in order to log in. I just don't use those services anymore, which means I've lost paid-for content that I'm practically locked out of.
It seems like they make that hard by mixing semi-random elements that are different each time, like user interaction data, with the user's browser fingerprint and location. This seems to be why they go to such lengths to obfuscate the algorithm they use to combine these elements. If the pseudorandom and the fixed elements were easy to separate it would make replay attacks much more feasible.
Doesn't that particular Captcha also work in an incognito browser? I don't see where all this complexity comes in. You simulate the mouse movement and the click. Your browser pretends to not be able to run webgl, so no ghost image. Forcing the user to have a history with google services would lock everyone out who's new. The user agent and other browser metadata is easy to fake.
After reading this thread yesterday, I had a nightmare in which I called 911 but was required to answer an endless stream of personal verification questions, never able to report the problem.
This already happens with many automated service call centers: endless key tapping before an actual carbon based lifeform who can understand the problem picks up.
I faced this recently when my card was skimmed and I saw some fraud transactions. After blocking the card, I tried reaching customer support, but my bank's IVR refused to recognize the card number (mandatory to talk to fraud folks apparently) and thus, didn't let me through.
Had to reach out to them on twitter to get things moving. Horrible stuff.
I'm not convinced that picking the pictures has anything to do with actually convincing google if you're a bot or not. I mean sure, it's an indicator. But I _know_ that I can pick the right pictures of school buses and store fronts every freaking time, so that's only a very small indicator.
More likely, the majority of the algorithm is devoted to the "fingerprint" of your browser. If you have adblock running, you may not have a google ad cookie. If you have a randomizing user-agent addon, you're going to get blocked.
What we need, for captcha, is an addon that makes you look as human as possible. Mouse click timings become random. Javascript fingerprint becomes John Smith common. Third party cookies, temporarily enabled (and then pruned). VPN traffic routed through a common looking gateway that few bots use. etc. etc.
You're assuming that the picking-of-pictures validation logic cares solely about what pictures you pick. What if it cares about your "mouse click timings" not being random, but rather looking like the mouse movements of a human who is using eye saccades to examine and classify images, and then moves their mouse only when they see and find one, and sloppily at that?
Right, that's what I'm saying. I was putting forth that humans are pretty random with their timings. But the truth is, they are probably not and that we all probably click in some uniform distribution.
But I am pretty sure, if you click on the images too quickly, you're going to get stopped. Slowing down your clicks, moving around a little like you're "thinking" seems to help. That's been my experience at least.
I'm personally rooting for the AI here. When the robots and crawlers become so smart to become too hard for Google to distinguish between them and humans, then we will all benefit. They are becoming smarter, which is why captchas are becoming more difficult for humans.
There a many services that can get around a Google Recaptcha. They are not free, but cost roughly $2 for 1000 recaptchas. This means is that recaptcha makes things more expensive, but still surmountable.
Services that use recaptcha should consider why they are using them. Preventing spam, stealing proprietary data, and preventing actual harm are legitimate reasons. On the other hand, stopping free information from becoming truly free is bad. For example, numerous U.S. government agencies use captchas to prevent scraping or analyzing of public documents. These government organizations provide "public access" in the narrowest possible sense, making it difficult to search for a specific record or analyze data in bulk. If they can't do it, they should allow others to try.
Google runs a very profitable ad network. People who use adblockers don't directly help support their revenue. I have a conspiracy theory that google is making it hard for people running adblock to get through captchas. I want all the code that is used by the captcha to think I'm running a pristine ad displaying browser.
I wonder if recaptcha seeing your ad cookies (and other dark tracking indicators) would be enough to help get through. Like we need a "recaptcha profile" in your browser that would have just enough fingerprint to get you through.
Robots don't watch the ads. Adblock blocks the ads. Google's revenue is mostly ad revenue. I don't think it's coincidence.
I never got this. Why not just run the browser in a VM, capture the screen and do a mouse click. I mean, why bother with all the headless nonsense which is an arms race. How could google possible ever defeat something that never ever even goes near the operating environment and just appears as a simple human mouse click?
I suppose you’d have to simulate the human movement of the mouse over to make it look like a human actually did it, but how hard can that be? Just train it with a few 100 Turks moving mouse pointers to click on links.
Though an interesting counter measure might be to inject cpu spikes and measure the impact in the mouse movements and the robot controlling it.
Why can't I just run headless chrome of firefox and have my bot click it there? "Aha here it is, so I click using system 'fake' mouse click". where's the catch?
Point a webcam at the screen and wire a mouse to the computer controlling the webcam, you'd have to simulate the computer moving the mouse like a human would but I don't see why it wouldn't work.
You've now forced spammers to purchase webcams. And write code or whatever to make realistic mouse movements. This is expensive. Whatever they're doing likely isn't worth it anymore.
I don't get why you'd need a physical robot arm? Just have a usb device that simulates the mouse movements. Or just software to move the mouse virtually.
You don’t, you wouldn’t even need a webcam, you could just splice into the video signal at output and interpret it directly (much as the HDCP bypasses do).
Because humans still get the picture selection prompts, so you'd have to write code good enough to read the prompt and then select the appropriate images.
I think recaptcha and captcha in general are very overused today, as they cause way too much inconvenience for the user. Why discriminate against robots so much?
What's so wrong about crawling or using automated tools?
With today's networks and hardware performance most websites shouldn't concern themselves with denial-of-service type of attacks, unless they're past a certain threshold of popularity.
At work we have a scraper that likes to use a particularly expensive search query using hundreds of different ips dozens of times per second, all so that they can scrape data that is freely available from us as an XML feed at a different url.
Every time I found a way to fingerprint and block them, they'd change their bot to avoid detection. Captcha for rate limiting seemed like the least bad option.
However, eventually I decided that instead of blocking them, I'd return random results from the db. They weren't checking the data too thoroughly because to this day they haven't changed the bot to avoid my most recent pattern detection. They're still merrily scraping useless data.
Awesome idea giving them crappy data. I do the same thing with loyalty programs. Someone has already registered XXX-555-1234 as a phone number in your area code. I like to think I'm adding a little bit of chaos to their data tracking.
Rate limiting can be achieved without actually inconveniencing regular users. Put a exponentially growing delay on the server's response for requests coming in too quick succession.
The problem was that with the sheer number of ip addresses they were using, and with the rate that some normal users used that particular endpoint, regular users would have been inconvenienced--either by being forced to wait or by being forced to do a captcha.
I would have set it to only show the captcha if the delay was active, so users would effectively have had a choice of wait or captcha.
Because 99% of bots on the web are spam bots. Naked email addresses are skimmed and cataloged. Any unprotected contact form will receive dozens of spam messages per day. Forums constantly get new members that only post linkspam.
There's very few friendly bots like archive.org, and those respect meta robots tags anyway.
One thing is account creation. It's usually a bad idea that user accounts are created by non-humans. In general, anything that writes to a database may have concerns about robot/automation/abuse.
I agree with you, for "read only" content, let the robots crawl.
There's nothing inherently wrong with crawlers and automated tools, but there's a lot of poorly written scrapers out there that can easily generate a huge volume of traffic along with the associated maintenance.
Why waste time catering to people who are too lazy to write a decent scraper? Most people would prefer to spend their time working on things that will benefit the other 99% of their users.
Keep a history of the biometrics of the devices either on the account or in a cookie. Use a sufficiently secure and obfuscated language to capture and upload the data (maybe using steganography in an image, explaining the weird image uploads.) Prompt when the biometrics don't match a known user of the device/account (according to ml). Or if the tracking data didn't exist (incognito) then prompt using a backup model trained in the difference between the biometrics of known bots and known humans. Keep a very loose threshold here.
That's how I'd do it if I were Google (and no one else because only Google can afford that.) All the browser fingerprinting stuff mentioned is great but doesn't really work as much as you'd hope in practice.
The basic theory behind that checkbox is to attach an unmovable cookie to your browser.
The majority the client side reCAPTCHA is fingerprinting to make it impossible for spammers to steal cookies from legitimate users.
Once you have the immovable cookie, is easy to do regular reCAPTCHA challenges until you are sure that browser is being used by a regular human.
You will notice that if you ever move to fresh OS install, or a different browser that reCAPTCHA suddenly starts showing you image challenges again, which last for several weeks.
Keyboard/mouse biometics is a nice theory. But that's all it is. It doesn't work as a general CAPTCHA solution because it's so easy for bots to fake human looking input.
Great points. I agree the critical and biggest innovation is building a secure environment inside the browser. When I explored keyboard/mouse biometrics it was for detecting account theft which is a bit different.
If they have a way to create a secure, immovable cookie across browser sessions even in incognito mode then they don't need biometrics. In the absence of persistence, biometrics could serve as the cookie. Even with a naive approach in a hackathon, a member of my team was able to get very high precision identifying users based on a small sample of keyboard and mouse movements. I'm sure Google can do better.
So it's not really about attackers being able to look like any human. It's about being able to look like a specific human. Which is much harder.
But maybe you have more experience? We abandoned it seemed intrusive and because we knew we couldn't invest in the secure environment. Without that it doesn't matter. And with it maybe there's an easier solution. But I figured that given Google made it that they would be using keyboard/mouse movements for user identification.
So how does it really work? In the article a lot of words about obfuscated code reading browser fingerprint, but that's just a fingerprint, a bot can run a browser as well and fingerprint will not reveal him.
How clicking the checkbox helps? Do they measure the delay it takes me to read the captcha request and react by clicking?
I see a lot of conjecture and theory and not a lot of evidence. AI models? Maybe for ad behavior but not for this. Google has you and your machine ID'ed and fingerprinted. That's the core of the authentication. The rest is subterfuge and obfuscation.
So basically they do very advanced browser fingerprinting? I wonder if they keep that data around, as that would tell them who uses which third party services (not that they would have trouble working this out by other means) and would make a nice addition to their tracking efforts.
It’s quite depressing to see that almost all sites now require sending data to Google just to log in to them. Not to mention that they help to turn billions of users into clickworkers for annotating AI data. Tell me what you want but I’m pretty sure they show image captchas to users that they are absolutely sure are no bots. I use Chromium on Linux and I’m logged into a Google account, still I have to solve three or four image captures at times to use a login.
The bigger question. Why do we treat bot visits differently. Automated submissions or manual have the same rate limiting controls that prevent more submissions than expected. The content of a form shouldn't be acceptable or not based on who sent it (human or machine) there needs to be another verification process against the data submitted to expected/acceptable values.
Why couldn't a bot purchase a droplet or shoes. As a saler I would be happy to sell to them. Purchases would be quicker and less wasted resources with humans browsing the same product pages for months before buying.
Because bots are used in multitarget and multisource spam attacks that humans can’t do efficiently; rate limiting on any particular target site, particularly for submissions from a particular source, cannot prevent such attacks.
Totally anecdotal: Back when I was using a vpn and would see this recaptcha more often, I found that the recaptcha would often declare me a bot (and give me a second chance) if I clicked the boxes too quickly. Like, the storefronts would load and I'd immediately click+click+click+click then submit. But if I slowed down and staggered my clicks, it would realize I'm just another inefficient human who needs time to move a mouse and make decisions.
Right. I think I have seen similar behavior for mouse movement as well. Not sure, but I think moving your mouse around randomly helps as well. The timing of picking the images, as you say, helps. As does the order you pick them in.
Of course, I think the biggest thing is your browser's fingerprint. If you are using a lot of privacy blocking addons, etc. you are going to be spending a lot of time looking at captchas.
Could anyone please translate this part to a normal technical description?:
> Google’s invented language is decoded with a key that is changed by the process of reading the language, and the language also changes as it is read.
I feel like that's either some everyday cryptothing that I'm too tired to realize right now (ahem hashing cough?), or some clever stuff that I want to know quite a lot. Or Google cracked the secret of writing Malbolge.
Why wouldn't a bot just use a proper browser (not headless), detect the "not a robot" box at the pixel level, and click on it using browser automation or some mouse movement script? At today's level of bot sophistication this seems almost trivial. Sure it might cost more in resources, but I doubt it's economically prohibitive when you're making at least a cent per fraudulent ad click?
I believe the Quora answer is putting a little too much faith in Google using "fair" factors when determining if a client is a robot.
I'm sure it plays a part in determining "hijacked extension" activity vs human activity, but it's likely that the majority of the decision is how much recent activity your signed-in Google account has, whether or not you're signed in on Chrome (Firefox has a lot more stories of recaptcha challenges), and maybe even if you have Google WiFi or Google Home linked to your account. I wouldn't be surprised if they purely whitelist accounts that subscribe to Google Fiber or Fi.
I feel somewhat vindicated by this story. I was talking to a couple of work colleagues about the "I'm not a robot" box and they were convinced it worked purely as a time delay, to slow bots down. I had a feeling that there was far more to it than that, but I didn't know how/where to get that information at the time.
Is there an easy-to-implement, simple-to-use alternative solution out there that delivers better UX, does not require i18n treatments and stops spambots just as well?
I'm not seeing any except asking questions about the site, and even that takes effort to translate. Numerical math questions I assume can be easily bypassed.
Sometimes I get really angry about that captcha. For example, when I am trying to buy something, having an account on the store with 100+ orders, and still having to play 6 rounds or so of 'find the car' at the speed of the very slow fading images.
So sophisticated and still such a pain in the a for the user.
This explains everything except why Google itself won't let humans through even when they've selected the right things a million times. All this sophistication and it's still too stupid to do its basic job of knowing the right answer which couldn't be more than a few equality checks away.
The linked post doesn't give any concrete answers in my opinion. Can't a bot use a real browser to pass the CSS tests? Can't the behaviour of a human be recorded and mixed in with the behaviour of the bot to seem more human like? Why can't the encryption used be decoded?
You certainly can click that box using chrome headless or a simple VNC setup. It's insanely easy. Google has replaced the idea of a CAPTCHA (completely automated public Turing test to tell computers and humans apart) with a basic rate limiting heuristic.
Okay how about a button that says "I'm a robot" and you only serve to sessions that don't click it. "Sorry you said you were a robot. If you clicked it by mistake, clear your cookies and uninstall at least 50% of your fonts"
I don't understand this. When I get the "I am not a Robot" box, in 95% percent of all cases I only have to click the checkmark. That's it. A robot certainly can do that, too.
In the remaining 5% I get a Captcha that is impossible to solve, e.g. it states "Please mark all cars" and once I've marked all cars it states "Please also mark all traffic signs" and when I've marked all traffic signs it states "Please also mark the following traffic signs" and so on, for as long as I bother to try.
I have never encountered a Google Chaptcha that worked in any other way, either it works trivially with one click or never.
My conclusion has always been that Google Captcha are simply broken for anyone who runs an ad-blocker, and I don't don't bother with services for which it doesn't work. Problem solved.
I feel like a "bot" with access to control your mouse and read the output from the graphics system (aka get an image of the screen in real-time) could have little trouble with these things.
Our national mail carrier added this to their tracking page! Makes tracking a parcel absolutely maddening and prevents third parties from doing simple (non abusive) aggregation of tracking data.
I wish they finally could so I could stop being held hostage through multiple rounds of visual recognition tests -- how long is it going to take me to prove I'm human when I'm senile?
How you can prove that a human genuinely wanting the information in the page is filling that information out? Imprisoned humans are great CAPTCHA defeat bots.
I hate it because I always have to solve lots of storefront or traffic sign images as I have disabled third party cookies because I do not want to be tracked by Google all over the web.
Turns out that the low cost way to bypass this is to hire a click farm of 25 people in Bangladesh, each running remote desktop sessions to about a dozen virtual machines.
Back in the late 90s, my teenage friends and I were writing Visual Basic programs to automatically click ad banners and surf webpages to generate money. I doubt it's significantly more difficult to do the same now with a captcha box.
the answer is basically wrong. robots can and do. captcha has become an AI training tool and it now blocks humans as a consequence. the convenient side-effect being a nudge to those humans to change their behaviour in such a way as to never need captcha and thus support google's business: enable cookies, login to google, use unique identifiers (IP), etc
Its getting weird when you have to fill that box in with pen and paper
Marci Robin was buying a Fiat 500X from a West Palm Beach, Florida dealership, and was in the final stages of signing all the paperwork, when she was presented with a strange but simple question: was she a robot?
This wasn’t online or anything, she was right there, in person, in front of the sales person, who wanted her to check a box, with a pen, on real paper, confirming that she was not, in fact, a robot. She claims she isn’t.
I had roughly the same problem. My facebook career lasted for all of thirty seconds before they decided I was a robot and banned my account. I appealed and they asked me to send a photo. I sent them a photo and they said I was still a robot and there was no further appeal. Very helpful. So my choices from that point are to 1) shame them in the media and hope its an entertaining enough story that people like it or 2) do something better with my time then facebook. I chose the latter.
It's not, it's really not. They really do want to verify you're a person.
Facebook got busted using that (security) info for marketing purposes, and the reaction was muted; but, within the security community, it was loud and angry. Within a week, they had ceased completely.
Where are you getting that they ceased completely? This is a large company who has a vetted history of absolutely zero ethical accountability. The reasonable thought is that they learned to hide it better, not that they stopped doing it at all.
> someone has to run a NN against a dad joke DB and learn AI to crack some
A "that's what she said" detector can be implemented as a two class identification problem. This 2011 describes one algorithm that achieves 71% precision: That's What She Said: Double Entendre Identificationhttps://www.aclweb.org/anthology/P11-2016
I believe they could have done an even better job with better training (and test) data. It seems to me there's a big problem with how they selected the negative examples: one of the sources is a set of racy text messages, which would be rife with positives. They claim TWSS positives are rare in general, but I doubt that holds for a sexy text messages corpus.
Their overall strategy is pretty interesting though (not deep learning).
Not an outright ban, but I am unable to use Interactive Brokers client portal (or even signup form) using a regular internet connection. It keeps timing out, logging me out, etc.
Bizarre part is it works fine when I tether via my iPhone.
Also there seems to be growth of websites in NZ that use some sort of Cloudflare-like proxy that very often straight up blocks requests to some simple blogs. Unsure whether it's user agent, ad blocker or my IP is quite dirty, but try to open up www.pointhacks.co.nz and click thru older posts...
Signing up for facebook, after a short period, they'll lock your account due to suspicious activity, even if you have done nothing (maybe that's suspicous?), and demand a phone number or a photo.
If you sign up and provide a phone number, they'll just demand a photo. Twice. Giving them the same photo seems to work though, and leave your account in peace...
Interesting use of "its" but it is entirely possible that a robot has a preferred set of gender pronouns, and you just mislabeled them. Many of our assumptions support the biopatriarchy.
This may sound bizarre, but to fuck is a fundamental desire of organisms that reproduce sexually, and reproduction is one of the prime objectives of living organisms.
I know this comment is in jest, but please don't joke on Hacker News as you would on Reddit. Posts like this add little informational content, spawn a thread of joke responses, and take time away from hundreds of people who are here to read high signal commentary.
Sorry to be so profoundly un-fun.
edit: I'm being downvoted, but consider the comment chain this has generated.
> I know this comment is in jest, but please don't joke on Hacker News as you would on Reddit. Posts like this add little informational content, spawn a thread of joke responses, and take time away from hundreds of people who are here to read high signal commentary.
Here's a challenge:
Create a bot capable of generating and posting content like the above that's attributed to "zxcvbn4038."
The bot doesn't have to be able to get through spam filters or register itself. It just has to take the current state of a forum thread as (part of its) input and output a) content for a post and b) a position in the tree to insert it.
The human bot-author can then try to insert the content into the thread at the given position. If the post doesn't get detected as spam and can avoid downvotes, the bot wins.
The prize is the sheer joy of contradicting what I'm assuming is an HN mod:
> edit: I'm being downvoted, but consider the comment chain this has generated.
Edit: added rule about avoiding downvotes to retain "high signal commentary."
At the risk of getting downvoted too, I'll second this. Reddit is already a great platform to read fun comments on any possible subject, let's try to keep them differentiated.
Humour is fine here so long as it makes the audience think. Which the comment did.
If mainstream systems suggest that a human is acting like a robot, then what is a robot and what is human? That's pretty profound.
It seems that we're nearing the point that anyone who thinks and acts rationally and contrary to consumptive norms is indistinguishable on a coarse scale from a logical machine.
I would assume a submitted photo of a robot would go over just as well as when I was once asked to add a picture to the company's internal website of employees by our HR dept. I never add photos of me to anything, so instead, in good humor, downloaded a random anonymous silhouette type avatar. That didn't work for them, and I was told "I need a picture of you". So, I open up photoshop, found a generic picture frame online, and added the word YOU inside the frame. Shortly after this, my supervisor comes in to pay me a visit. Some people just have no sense of humor.
In much the same situation, I just said NO. A protracted argument unfolded over the next few days until the matter was settled by me skimming a copy of the Conditions Of Service booklet across the desk and saying, "Show me where it says I have to." Immediate manager was not happy, but it soon blew over.
Or take the photo using a potato. The security at my gym requires a photo id - but you can barely see who's on the picture. It looks to be printed with a dot printer.
I got banned from Twitter within 5 Minutes of trying to figure out the user interface, and my best guess as to why it happened is that their anomaly detection is overfit to their existing users. So when a new user starts exploring randomly instead of directly going to look at ads, they're behaving much more like a scraper than what the system has learned to recognize as a normal user.
I think that's very unlikely. There are over 100,000 new accounts created on Twitter every day so we would expect a large and frequent amount of bans if what you are saying were true. Furthermore most Twitter visitors don't have accounts so it would be pretty foolish to base their anomaly detection on a metric that most of their visitors fail.
It's actually well known that you'll get blocked by Twitter within the first 2 minutes of registering, whatever you'll do.
They probably use it as a way to enforce their "soft" requirement of a phone number. After verifying that you have a working phone number, you'll get unblocked.
Also, Twitter routinely renders their tweets unaccessible to non-logged-in users, due to rate limits on their api (which is used by their web frontend).
So, I'm not one bit surprised if anyone would describe Twitter as foolish: that's exactly how they act
I had Microsoft do this. They notified me that my account was being suspicious, so I needed to provide a phone number to use it. I had literally just made the account though, zero activity at all. It was just to force me to give a phone number to them for their data harvest
I ran into this with MS as well. However, they explicitly stated that it did not need to be my phone number. So since it was for a work thing, I ask to use my boss' number to get around the lockout. Seemed pretty pointless.
Welp, it's a good thing these companies don't have a large amount of control over a lot of people's lives. And luckily their business practices are transparent and we all agree they're fair.
Hey, I have some experience creating intentionally suspicious Twitter accounts.
There is no phone number requirement. They're just as happy with an email address.
If you provide neither of those, then your account functionality is restricted (with a big obvious banner showing at the top of every page), but you still don't get blocked.
Once I needed to create several accounts at once and then have all but one of them follow the last one. Those accounts got blocked, but it's hard to blame Twitter for that.
> There are over 100,000 new accounts created on Twitter every day so we would expect a large and frequent amount of bans if what you are saying were true.
That's in fact true. Every single one of my Twitter account that I've created in the last few years have got banned within a few minutes even before I've had a chance to post anything meaningful with the account.
I wouldn't be surprised if the anomaly detection is overfit to banned users: comes from Kenya, or Russia, or China. Doesn't initially seed the account with in-person connections. Shares an IPv4 address or telephone number with other folks who have been banned before.
I'd bet that the vast majority of botters/phishers which Facebook deals with are amateurs. That said, I meant using unusual user agent software, not really just having an unusual user agent string.
No need for software, one can easy change it on the about:config of Firefox and/or there are some cool add-ons that can rotate/change the user agent of a Firefox on the "desired frequency"
We have a Wordpress site that suddenly saw a surge of hacking attempts. Turns out they all had IE7 user agents. Blocked that, not a problem anymore. Wouldn't surprise me if big sites use simple measures for such simple attack attempts as well.
I can't imagine that a car dealership would even care, as long as they got to sell a car.
"Oh dang, you ticked the 'not a robot' box but you are actually a robot ... Ah, no worries, I'll put a call in to head office, get the paperwork changed. Well, enjoy your car! ... And don't forget to come back in six months for your free oil change! ... for the car, I mean."
Hm, so selling to a robot without someone behind to represent would be extralegal I guess, and if any problems occur during the trade you'd be on your own?
The closest thing would probably trades with wild animals. Are there any laws on that? (Probably not, but the situation is not unthinkable.)
I wonder if in the far future we'll have two androids pretending to be human and trying to fool each other at the same time, only for them to realize that they are both, in fact, robots
It made for funny headlines but anyone with a little insight into corporate can guess that they simply printed a form from their computer. Likely from their website. A form normally designed to be used online was sent over paper mail and happened to include online elements like captcha.
If anything you should exclude such html elements from the print page with css.
Well yes obviously they had printed out an online form. But they made her fill it in. Thats the funny bit. And yes its clearly to do with employees not quite knowing what to do with the paper version and so just shrugging and say yep you'd better fill it in anyway. Thats all pretty obvious. Its still interesting though, as a little slice of corporate anthropology.
Interesting. Not sure if it's a gag or for some sort of handwriting/stroke analysis. Or it could be a variation on the M&M contract clause (https://www.snopes.com/fact-check/brown-out/) to try to verify that they actually read the contract.
>>"...she was right there, in person, in front of the sales person, who wanted her to check a box, with a pen, on real paper, confirming that she was not, in fact, a robot. She claims she isn’t.
All robots claim not to be one, so we must be really careful.
probably printed app from website and the dealer took it literally
I think the entire story will be lost on some future generation, unless you add to the end: "but perfectly human-like robots didn't even exist back then!"
tl;dr: because Google massively invades your privacy to know whether you're a bot or not before you tick the box, also the CAPTCHA is a bit more sophisticated than just showing a checkbox to click on.
A bot absolutely can, you just need to use a more sophisticated bot. This article [1] is from August 2017, so the arms race has escalated and techniques improve, but the gist is the same: You just do a better job of simulating the "human" characteristics they monitor. Gen 4 bots (bots that run on an infected user's machine) can circumvent these measures as well.
Honestly, if there were a web standard where I could opt-in to all of this tracking and it meant I would be ‘trusted’ I’d happily have my user agent send them almost anything they want. I trust Google not to fuck me.
The items one is supposed to select often overlap the grids, so it becomes a kind of Keynesian Beauty Contest[1] at that point; I assume they validate based on how much in alignment you are with previous answers, so it becomes a problem of “What nearby grids would a person reasonably select when there’s overlap”, or, you’re tasked at selecting <some_item> and you see <some_item> in the distant background of the image you’re supposed to classify and you need to determine “How visible would <some_item> need to be for a reasonable person to classify <some_item> as being in this image”.
On top of this, when you’re clicking through image after image after image, the additional frustrating thing is that you’re helping train their algorithms; you’re doing work because their service isn’t smart enough to know you’re human, or, you’re seen as a marginal customer they can piss off by forcing you to work for them for free.
It’s a frustrating experience when it fails, and my current strategy is to leave the website when the ‘I’m not a robot’ checkbox fails.
[1]https://en.m.wikipedia.org/wiki/Keynesian_beauty_contest
now that's over thinking :D
It's easily the worst UX I encounter online. I can't describe the relief I feel when I come across a "normal" CAPTCHA. It's coming to the point that if I could pay a few cents to outsource every reCAPTCHA, I gladly would simply to avoid this atrocity.
It's interesting to find out that this might have nothing to do with my ability or inability to recognize objects in blurry photos.
I don't think Google's publicly said what they do with any data derived from the new "I'm not a robot" reCAPTCHA, but, given the content it usually uses, it seems likely that they're still using it for image classification in Street View, or for their self-driving car projects.
Given that I'm not doing anything unusual, it really feels to me like reCAPTCHA, for all its complexity, boils down to "what's your history using Google software? Oh you rarely use it? I'm gonna give you a captcha". It didn't used to be this aggressive, but it's really ramped up in the past few weeks.
> During testing I had to shut it off because it became increasingly more complicated every page reload. First it was just one page of traffic lights, but 20 minutes later I was having to click through 5-6 pages of images. This worries me that user's might get pissed off.
Why are you now badmouthing someone else for deleting Spotify over this exact same issue?
https://support.google.com/recaptcha/answer/6175971?hl=en
In a quick search it seems like NoCaptcha is the accessible answer for the issues with regular Captchas. For the most part it seems to work, most of the complaints here seem to stem from people trying to actively block some of the evaluation metrics used by the checkbox (cookies,javascript,user strings,fingerprinting,etc) which makes them look very different from normal traffic which kind of by necessity makes them look a lot more like bots.
https://simplyaccessible.com/article/googles-no-captcha/
But if they are doing so because they are disabled, and the difference means they receive a worse experience, may result in an ADA complaint (especially if a government service falling under section 508 is involved).
That only really leaves blind deaf people out, at which point we might be reaching the limits of any technology to provide access to everyone without a tooooon of work.
Possible fingerprinting?
But honestly, I wish it would just die.
Some financial and government benefit web sites query web trackers as an extra factor in the enrollment process.
Making (online or offline) life more difficult for people who don't want to use company X products could escalate to the point where you either accept the yoke and are admitted to the walled garden of "society" which company X has firmly cemented themselves under -- or you say no and find yourself unable to drive/fly/get a job/go to college/buy groceries in your town. It sounds like a big leap to make right now, but is a real possibility if Amazon/Google/FB don't get broken up soon.
So perhaps it's Safari and/or the ad blocker that are to blame? Hard to say, though.
I'm convinced that part of the reason Google released headless Chrome is as a honeypot for bot authors to use. The idea is that instead of going through the effort of fingerprinting and identifying new bot software, release something that bot authors will use instead that you have a capability to detect.
Somewhere inside of headless Chrome, there's one or more subtle changes that make it so Google can detect whether you're using headless Chrome or normal Chrome. There's no limit to how subtle the indicator could be - maybe headless Chrome renders certain CSS elements slightly slower than normal Chrome, etc.
It sounds pretty crazy/complicated but I could definitely see it being worth it if it means detecting $X,000,000 worth of ad fraud every year
I once ran into a piece of code from the scammy advertising world that tried to redirect users to a phishing site. They cleverly tried to hide themselves from the automated quality checks some ad networks do, by checking for these functions and appearing benign if they saw them. One of the checks even created an exception and then inspected the stack trace for certain flags that apparently are only there on some type of headless browser. Clever!
I don't think spambots are currently using Chromium or even running JavaScript. Using simple spamfilters in JavaScript still works fine on my setups.
Login attempts are usually spread over a massive botnet of residential IPs as well, where they'll only use each IP for one or two login attempts before moving on to the next.
It's a very fascinating problem space
In a parallel universe of fluffy niceness we willingly provide our help and in that way we get all those old books converted to ASCII and available for us to read online. Our efforts are for the good of mankind. Similarly with the newer challenges, we help the maps be up to date and again this is for the good of mankind and those needing help getting around.
Clearly this doesn't work in an era where the 'don't be evil' mantra is long forgotten and people only see Google as some advertiser friendly capitalist monopolist beast.
Google need to work on their relationship with their customers, to be a benevolent dictatorship of sorts. They are lousy at customer service and there are other pain points that they are ignorant to. I don't see how this helps.
Google's customers are those who buy advertising. The rest of us are just cannon fodder.
Have come to the conclusion it really means any patch of grass.
Seems pretty bilateral.
Checking the box is actually not that hard. There is no advanced measurements of your mouse and touch speed. This is an Internet myth. It's more a game of cookies, making them age well, and having an organic set of headers.
From their site: Is scraping legal? In the United States, scraping public resources falls under the Fair Use doctrine, and is protected by the First Amendment. See the LinkedIn Vs. hiQ scraper ruling for more information. This does not constitute legal advice, and you should seek the counsel of an attorney on your specific matter to comply with the laws in your jurisdiction.
ROFL, I guess if you are able to ignore the layers of other issues TOS, breaking of technology to specifically exclude your use case, etc and are only willing to apply some very tangential case law against your reasoning it is "legal".
> Employee #427's job was simple: he sat at his desk in room 427 and he pushed buttons on a keyboard.
> Orders came to him through a monitor on his desk, telling him what buttons to push, how long to push them, and in what order.
And the community rules try to block people from writing firm "you're full of shit"-like answers, even though every other answer of Quora is full of lies like "Linux is fast, because it was designed for 16-bit computers".
Quite a lot of the “extremely good looking” answers on Quora straight up said that you couldn’t do e-mail in AWS. These were answers from after workmail was a thing by the way.
So I started looking at other Quora answers on stuff I wouldn’t normally need an answer for, and it’s frighteningly how often completely wrong answers look correct.
Don’t get me wrong, there is a lot of truly amazing answers as well, and it’s entirely possible that I just suck at it, but I don’t think I can always tell the amazing answer from the completely wrong one.
https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect
This assessment isn't quite right. The actual question is about how the captcha differentiates between a human and a bot at the box checking stage.
You're right, though, that it is both full of filler and also doesn't address the question as posed at all.
> Why can’t a bot tick the 'I'm not a robot' box?
It can, by taking over the mouse...except...
LUCKILY, the top answer (on my screen at least it's https://www.quora.com/Why-can-t-a-bot-tick-the-Im-not-a-robo...) does actually try to answer the question.
I feel like the OP submission might have just been some sort of submarine self-promotion for the "CEO of <redacted>".
It also links to a patent describing a novel mobile captcha invented by the author, so they might have some knowledge about the domain.
That's what you get when you value niceness over competence. Just look at any typical discussion of "Linus' rants" here on HN - people (or, I must clarify, americans) seem to care more about whether you hurt someone's feelings rather than if you're right or not.
I don't know a better environment for professional bullshitters to thrive.
You can also add in some fundamental attribution error, as in "I am just looking out for everyone. You are being difficult. They are engaging in bad faith."
Google isn't going out of their way to punish you for trying to protect your privacy. They're trying to stop unwanted traffic. By unfortunate happenstance, you appear to be disguising yourself in the exact same way a shocking amount of bad traffic is.
I use Firefox with a few basic extensions (Privacy badger, uBlock, Google Container) yet every time I am presented with having to pick out traffic lights over and over and over again. I usually have about 5 or 6 "challenges" before I give up and use another site.
My timezone has not changed, my IP address and rough location has not changed, my screensize has not changed, my broadband speed has not changed, and my general computer dexterity has not changed, yet I am relentlessly targeted. On chrome I never saw these challenges, but on firefox with the privacy plug-ins I am always always always challenged.
At this stage I think the only signal it is using is "is there a google cookie in this browser? and if so has the google cookie got some 'normal' looking activity logged against it?" I.e. they are checking their server-side logs for a given cookie ID and seeing if that looks normal or not (i.e. seen on google search, seen on youtube, seen ads from a variety of third parties on various different sites, mixed up with time of day and speed of viewing etc etc).
Since I have got Google in a container in Firefox, I am guessing that my google cookie is not present when the captcha loads (due to the containers and privacy badger et al) so there is no identity back in the mothership to compare me against.
captcha is google master blow against ad blockers.
a regular user, who they have all the info, give them dollars per ad impression. You, with your doNotTrack (ha! that was a joke) and privacy addons makes them only cents per ad impressions.
you are google's enemy. remember this when you get stuck in captcha hell (and consequently censored from most sites until changing device/ip)
I rarely see the "I am not a robot" box, and hasn't seen image recognition tasks for a long-long time.
If they lose enough customers over this, they will probably remove the captcha.
The clever part from Google's perspective is that you have to trade one of these things to Google in order to get access to sites that do not belong to Google at all. Google convinced site owners to have their users pay a tax to Google.
When someone uses a recaptcha, they should think about why they are doing so. It's one thing to use it to save a business model, but it's another to use it to protect information that should be free anyway. The elephant in the room is government data. Many government agencies think that selling their data can be a nice source of side revenue, and a recaptcha is a good way of enforcing it. In reality, they just increase the costs for everyone, and those with means can obtain the information while those without means cannot.
Governments need to release their data, freely, without captchas or fees for single users and bulk users, no exceptions.
The counter argument is that they do a great job with trivial stuff like registered dog's names, and less well with sensitive/important issues like policing.
What's the right way to leverage the platform developed for the first into the second?
Totally agree. Fortunately the Dutch government is trying to make as much data open as they reasonably can, and regularly organise events to encourage developers to use their open APIs.
That's because Google isn't just profiling "Tor users". They're going after anyone who values privacy in any way or technology.
Simply put, you're being punished for ensuring privacy. And anybody who uses Google's captcha services is an accessory to that.
That's a massive load of bullshit. Google has a captcha challenge that only humans can solve. That alone is already sufficient to prevent unwanted traffic. That is how every captcha system works. However google is an exception. If you're logged in to a google account or are using chrome then google can use that information to track your captcha history. Privacy minded people avoid google like the plague and therefore they cannot be tracked.
>Google isn't going out of their way to punish you for trying to protect your privacy. Except this is exactly what happens. It's not "unfortunate". It works like this by design.
If google cannot track you then the captcha will force you to do something that no other captcha system does: give you even more challenges even if you have solved them correctly. You will spend the next 5 minutes solving captchas correctly and then at the end it will tell you you've failed. This again is unique to google: correct answers lead to failure. The problem immediately goes away if you let google track you, it doesn't matter how bot infested the network is. No other captcha system does it this way.
Google is clearly doing this to get free labour to label their datasets, force people to have a google account and encourage them to use chrome.
If you do everything you can to prevent google from knowing who you are, don't be surprised when they behave like they don't know who you are.
I took that to mean they were blocking cookies
A lot of the behavior that captcha exhibits is in part a function of feature analysis from ML models - features that may seem ridiculous to layman humans but make sense to a neural net plugged into the data.
It's not bullshit, it just depends whether your website is being targeted directly or not. We're targeted directly and the robots hitting us are getting the CAPTCHAs solved, presumably with human help.
[0] https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
Another thing that sets it off is virtual machine usage, I can be logged into chrome and gmail on the same residential IP for hours but the moment I try to search google for a problem inside a VM it's a minute of slow loading captchas.
Have moved to bing instead, that sort of wasted productivity is a burden.
This does not agree with my experience. I browse without cookies and severely limited javascript (using umatrix), and I also encounter the myriad of ridiculous inconveniences that the OP was referring to. On the good side, however, the web is much faster and generally less annoying.
Isn't this also something that many bots do (don't run javascript and don't have realistic cookies)? It seems like just another instance of reducing your distance from the "bot" cluster in agent-space.
Also, I’m just not interested in the remaining 10% "legit" traffic from people who are aggressively paranoid about their privacy. Almost all of them ended up being dickheads who were using TOR to abuse other members of our community.
To the people who think every website should treat TOR users with respect, please understand that you are intentionally making yourself indistinguishable from the mountain of robotic junk, abuse and human dickheads. It's not my fault that you have chosen to do this, and it's not my job to provide you with tools to prove you're not a dickhead.
...or maybe voting me down will change the facts.
Yeah, that's totally going to work.
My VPN must have gotten white listed (or cracked down on some of their traffic patterns) because that stopped.
I personally don't care too much about the hassle, but I really don't like the idea that I'm basically playing Artificial "Intelligence"/doing clickworking for the not so community oriented efforts of Google.
Do you have any data on this?
> On the other hand, anonymity is also something that provides value to online attackers. Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.
The obvious caveats apply, of course. It's completely possible what Cloudflare saw at the time is no longer true and TOR is no longer mostly spam. It's equally fully possible that the traffic Cloudflare sees is wildly unrepresentative of what TOR traffic actually looks like, and it's mostly people worried about their privacy. This is just the data we have at the moment.
And when you have malicious traffic swimming in an anonymous pool, there's no practical alternative but to block all of it.
And also, isn't cloudflare also the one to allow booters and stressers to be online behind CF - and they used stolen CC's to boot?
The Tor decisions to screw users over is just the cherry on top. Especially is egregious is when a captcha is demanded on even a simple static page. Seems pretty obvious what's going on here.
You continued to post flamewar comments. We ban accounts that do that repeatedly, so could you please stop? We've already had to ask you more than once before.
https://news.ycombinator.com/newsguidelines.html
Yeah, right.
HN stans for white supremacy because it's mostly white and extremely online and never gets out to see the results of "give everyone a soapbox" on the streets where the proud boys are out there beating the shit out of people.
You people are cowards, and nothing more. There's no bravery here, no principled stand, just a bunch of fucking cowards.
We're not robots. We can shun white supremacists and leave everyone else alone. This isn't a slippery slope, it's just good sense (no more white supremacists, hey!). Humankind will get along just fine if we tack on that one extra rule and all follow it.
The definition is commonly agreed upon, and what "white supremacist" means is not at all controversial to most people. It certainly isn't so arbitrary as to be meaningless.
Now, the term may be misapplied at times, as may any term, but for it to be misapplied, it has to have an accepted application to begin with. A term without a definition can't be subject to definition creep, and the possible creep of a term like "white supremacist" is that wide to begin with.
Murder now, for some, includes abortion.
Censorship now includes, for some, private companies removing bad actors from their private systems.
Come on, that's lazy to dismiss it that way when society literally changes all the time.
Whether or not abortion is a murder is not about definition of "murder" it is about definition of "human being".
There's no doubt that abortion involves killing a living creature, the whole pro-choice vs pro-life debate is basically about one simple question: "is fetus a human being?". If you answer that with "yes", then every abortion becomes a murder, plain and simple.
This also explains why there will never be a compromise between two crowds: it is logically impossible to compromise on yes/no questions.
If you're putting constraints on Tor traffic, it's not because of raw throughput. It's because it's extremely poor quality traffic.
It should be default for the TOR browser for sure, if just a few people use it, it decreases the anonimity set.
The issue with just doing memory-consuming work client-side is that it only marginally slows down spamming. Spammers tend to use compromised machines they don't own. Unless you can make it prohibitively expensive to calculate something using machines you don't pay for - perhaps not a trivial ask - you wind up needing a different set of tools. This is why Google tends to look at things that will exhibit human variation rather than pure computation.
It's not that your ideas aren't good. I'm sure ARGON2 has a use here! It's that this might not be a problem easily solved by consuming more resources.
Click all boxes with traffic lights. Ok, well, this one box just barely contains the bottom right corner of the traffic light. Click. Nope, that little corner didn't count. Try again. Ok, well on this one, the right side of the traffic light is only barely over the line, so I won't click it. Nope, that sliver of the light mattered this time. MF!
Spambots will solve the Sorites paradox!
My naive assumption is that you should click the "refresh" button in these cases.
Another one is "click the mountains". It typically won't let you through unless you click anything with trees on the horizon, even if the terrain is clearly flat. Google's robot thinks mountains are made out of wood, and any human who disagrees is labeled a robot. It's insanity.
I'm guessing they do something like load up a batch of images and once N people agree on one, record the answer and remove it from the rotation. You end up left with the ambiguous images where people couldn't agree.
And, does the pole count?
The whole thing is way more stressful than it needs to be for what it is.
Does this look like a mountain to you? https://0x0.st/zzvr.jpg
Google's image classifier would think that's a mountain. If you disagree, google will classify you as a robot. After failing these sort of challenges a few times the user decides to play along and tell google what they think google wants to hear, rather than the truth.
Especially if this is all used for learning, enough people saying "that is clearly not a mountain" would reinforce that it's, in fact, probably not a mountain. Even if I got classified as a robot, I'm not sure I would think "oh, a system designed to classify images would think this not-a-mountain is a mountain", so I definitely wouldn't double down and keep marking it as a mountain. I'd, well, not. And assume the system is at least as good as classifying the images it chooses to use as I am.
Because every single time it asks me to classify mountains it rejects my answers if I don't click on trees on the horizon (and often trees on the horizon are the only "mountains" presented) and every single time it accepts the answer that such trees are mountains. I've gotten the mountains challenge dozens of times, the results are very consistent. If there is a group of trees on the horizon, that is asserted to be a mountain.
> "enough people saying "that is clearly not a mountain" would reinforce that it's, in fact, probably not a mountain."
Totally irrelevant because if I am trying to get through a google captcha, it's because that captcha is standing in the way of me doing something. My interest is in passing the captcha, not correcting Google's shitty image classifier. So I have absolutely no incentive to make my life harder by insisting on correct answers, and every incentive to tell Google what they want to hear.
I guess this is where the misunderstanding is. You don't think Google wants to hear the correct answer?
Trying to guess at what the daily/monthly flavor of "correct" is seems like it'd do more harm than good, resulting in some kind of nondeterministic guessing game of "well, trees on the horizon are probably assumed to be a mountain" that never settles on actually-correct answers (and, I'd wager, is often more inconvenient to the user than just answering correctly would be, because now there's a layer of indirection on what they think a system thinks of an image, rather than just what they think of that image).
If everyone just answered "no, that's trees" instead of a hand-wavy "I think you think it's a mountain", I feel like this captcha would be significantly easier for us humans (because we could actually give real answers), as well as less inconvenient for people who just want to pass on through and get on with whatever they were doing before a site wanted to verify they weren't a bot (because they can just, well, identify images instead of playing a game of "what does the machine think?").
They may want it but they don't reward it. I don't care what sort of answer they want, I only care what sort of answer they accept. I'm not going to donate my time to these bastards by doing anything more than what's necessary to pass their captcha.
> "If everyone just answered "no, that's trees" instead of a hand-wavy "I think you think it's trees","
That's just not going to happen: https://en.wikipedia.org/wiki/Prisoner%27s_dilemma
Thankfully they'll eventually fall back to the "click the images of _object_ until there are no pictures left with a(n) _object_" in it, but those clicking block ones of a specific picture are super frustrating.
It's always annoying though.
The image classifications that you do, however, are used to train the computer vision system.
TOR doesn't protect your privacy, it just lumps you in with—and makes you indistinguishable from—the worst crap on the internet. If you don't want to be treated like crap, don't try to blend in with the crap.
https://addons.mozilla.org/en-US/firefox/addon/buster-captch...
A very good addon against the shit from Cloudflare and Google.
The difficulty is probably cranked all the way up
if you care about all that, run a node without internet exit, and also strive to make your sites available on tor (hate the "hidden service" nomenclature)
I recall the modern (non-text) captchas used to be cars pretty much every time. Then, the images started getting grainier as they apparently wanted to improve their recognition in different conditions. Then crosswalks and store fronts became quite common, eventually with the same kinds of noise distorting images. Now I've started seeing things like buses, bridges, motorcycles, bicycles, etc. It feels like they've finished getting enough data for improving Google Maps and have begun moving towards collecting data for their self-driving car projects.
Also Google: "Our standard for 'what a machine couldn't possibly do' is identifying a stop sign."
Stuff you get now often requires cultural information, like "sidewalk" isn't a cross-cultural name, I'd guess almost everyone knows it, but meh. What classes as a store, is a lawyers office a store? Also, I seem to recall I had "click on all minivans"?? Not sure what one of those is, nor really what is classed as a car in USA, is an MPV a car [I'd guess that's what a minivan is?]? Do pedestrian crossing lights (green/red man) count as [part of] traffic lights? I've often wanted a short description of the locus of the terms they're using. Of course it never tells you if you failed, just gives you a further captcha, which it might have done anyway.
The V2 was just annoyingly badly designed because the questions were badly put.
I'd always assumed that was noise carefully tuned to throw off one machine learning model or another that was being used to beat the captcha, sort of like this: https://www.theverge.com/2017/11/2/16597276/google-ai-image-...
I think it might be the same when they switch to other types of objects (like crosswalks or bikes). Someone's model got too good, so they had to change to something else. I also get the impression that they add delays to the tile refresh before they do that.
I suspect Google now uses robots to generate captchas for humans, under the assumption their image recognizers are far better than anyone else's. They already have some very well ones for other products (self driving cars, street view) and lots of street-level city imagery. That would explain why their captchas are so difficult for humans to solve -- they're testing if you see things like their "AI," not like other humans.
I was thinking it was trying to dirty up the image just like the lenses on cameras get dirty. What happens to the image recognition when there's water spots, dirt, mud, etc on the lens that keeps parts of the image obscured?
If you have the clean version of the image, you need to get that classified by a human - then you can throw noisy versions of it into the training set for your AI. You don’t need to ask a human, hey, I added noise to a picture of a yield sign. Is it still a picture of a yield sign?
With the possibility of almost uniquely identifying us on the web through fingerprinting... Google, of all companies is in the perfect position to know that my web request was made by me... And therefore I'm not a robot.
You can only conclude that recaptcha is a ml training exercise.
They're not secretive about it
https://developers.google.com/recaptcha/
The article explains that this is part of what reCAPTCHA does, e.g.:
> Finally they combine all of this data with their knowledge of the person using the computer. Almost everyone on the Internet uses something owned by Google – search, mail, ads, maps – and as you know Google Tracks All Of Your Things. When you click that checkbox, Google reviews your browser history to see if it looks convincingly human.
But your point is otherwise right in that it's used for ML training, which Google admits as another commenter pointed out.
Human [n]: Entity that uses Google®-brand services.
— Google Dictionary, 2020 edition
Or, maybe they feel I'm not pulling my own weight, seeing as I rarely ever click on adds. They probably need more monkeys to feed the beast so I get selected to train their AI beast.
Edit: It could also be that I'm always running on incognito mode.
If one looks at the history of Google Books one can see that they started with big ambitions, but hit copyright in quite intensive ways. That also changed their approach to other projects. Clearing all rights internationally isn't easy.
This is false. EU governments have already placed significant restrictions and fines upon US tech companies in the past. There is no reason to believe that they won't be able to again.
It's a great situation for the US economy but a very bad strategical position for Europe.
But I'm kinda hoping that the reason I keep having to identify cars and store fronts is that my refusal of third-party cookies is causing them to have no idea who I am. But that might be the optimistic view.
In any case, I wouldn't mind if sites stopped using recaptcha.
there was a decent write up from a whitehat showing the damage, but I can't find it
I can't imagine some forum has enough traffic to meaningfully screw up their data, and they don't tell you which of the two words is the unknown word, so you're just going to fail a lot doing that.
If I remember correctly, Google later on also sometimes showed two "known" words or, if they had actual other evidence that you are human, two unknown words.
Two questions: - Couldn't a computer just temporarily hire a human to prove there is a human involved? - Why are we using recaptcha or verifying humanity anyway? I understand stopping spam, scams, and fraud, but scraping already public data doesn't present significant harm.
I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it. That said, I do miss the old reCaptcha.
Very few low-traffic blogs that I see use (or need) CAPTCHAs. I know that the ones I run don't.
> I don't love the compromise of paying for things with my data or by training Google's AI, but it's hard to say users aren't getting anything out of it.
I don't think they are getting much, if anything out of it -- aside from being increasingly punished for defending themselves against being spied on by Google.
If this somple thing comes from a popular WordPress plugin the equation for the spammer changes, of course.
But it also sucks the first day you get an attacker who solves it once and then spams you thousands of times.
Modern spam tools are pretty impressive these days and minimize the targeted work the human spammer needs to do in these cases. In the early 2000s, you could set a custom question and then assume no attacker is going to manually code for your little blog.
But even in 2008 I was using spam software (out of curiosity) where you could import a massive blog list, and it would pause spamjobs with failed comment submissions, let you pencil in a value for this unknown field, and then click resume.
You could also choose other actions for that field like "prompt me each time" and sit at your computer multiplexing your labor across hundreds of blogs. And that was pretty polished ten years ago.
Exactly :)
Fair enough, but you won't get Google's spam filter or availability either, which your privacy was paying for.
My point was just that even if something is provided to the customer for free, doesn't mean it's easy to produce. That causes a lot of the issues my non-tech friends have with understanding the scope of work. Just because social media is free and easy to set up as a customer doesn't mean developing a social media is easy at all.
Overall it’s been a good experience. I run into a few sites which when I send to them classify my email as spam or grey list my sending IP so mail doesn’t get through quickly but then I used to have the same spam problem with some sites running my own domain through google apps.
This book offers one set of proposals for "Data as Labor", inspired by Jaron Lanier: http://radicalmarkets.com/chapters/data-as-labor/
And there's going to be a lot of discussion of the idea at the RadicalxChange conference in March (https://radicalxchange.org/), including with Jaron himself as well as the book authors. (Disclosure: I do the conference website as a volunteer).
Labels can also be obfuscated with javascript, replacing the raw HTML "Email" with "Age"on page load. Getting this right will require the bot to parse both HTML and JS, and we can force them to handle CSS too. Add a "zip" field, and hide it with complex CSS rules. If it contains a zip code, it's a bot.
If you're really paranoid, randomise combinations of distinguishable fields (name, email, phone, age and hidden fields) every time you generate the form, so even if a bot herder manually maps names to fields one time, it'll fail the next. At this stage it'll be cheaper for the bot herder to use Mechanical Turk, after which even Google's captcha is compromised.
Or a blind user who might actually rely on both labels and names. That's a bit like what arxiv does, they have hidden links that ban your ip when you crawl, but the links aren't hidden for AT users. I got myself banned that way once.
Accessibility is very important, and if accessibility features are implemented well they'll often be useful even to people without disabilities, but do any CS/SE or code bootcamp programs take the topic seriously? I'm sure it must be taught somewhere, but it doesn't seem to be common at all. Can you even imagine 21st century university architecture department that didn't cover ADA compliance? That'd be unthinkable.
I can easily imagine it: architecture departments from universities in other countries don't necessarily have to cover compliance with USA laws.
maybe to save them a few $ from bots and spam (bandwidth and storage is very cheap today) they might be losing new users by the thousands (and traffic acquisition is far more expensive than the formers)
Recaptcha isn't obnoxious for fun, it's obnoxious because this is the state of the arms race right now. There's also the challenge of creating a captcha that allows blind people in.
[0]: https://en.wikipedia.org/wiki/XRumer
For example, since you're here and HN uses Recaptcha on its register/login form, it seems like the compensation was adequate.
Which is one of the reasons why the presence of reCAPTCHA is strong push to avoid that site.
> since you're here and HN uses Recaptcha on its register/login form, it seems like the compensation was adequate.
Perhaps so. I don't remember doing a CAPTCHA to sign up, but I don't dispute that I did it. However, I've never been presented with one after signup. If I was, I wouldn't be here.
You give Google training for ML models.
Google gives the site provider the service of excluding bots from submitting the form.
The site provider gives you whatever was provided by the form you were trying to submit.
No one is uncompensated.
First, it seems tacky scrounging for peanuts from the users' captcha work. Or it's like a product/services website showing Adsense ads. It's a cheapening message to send.
Second, since you make more money from more captcha volume, you're incentivized to maximize your use of captcha which is at odds with every complaint in this comments section about captcha. Most sites only use captcha to gate low-volume actions like register/login (e.g. HN).
They created their own Ethereum token too which always puts a bad taste in my mouth these days.
Finally, it doesn't address the upstream complaint that someone else is profiting off the user's "work" rather than the user. Though I don't find that complaint very reasonable. And a tiny fraction of a cent sounds about right. The truth is that users benefit from anti-abuse systems. The number of bots that HN's recaptcha on register/login has stopped is worth that tiny fraction of a cent to most users.
Sites can set the difficulty level necessary for their application. Some are under continual targeted attack, others are mainly keeping out rogue automated spambots from their comments section.
The user is typically getting a free service, a better site experience due to less bot traffic, or both. I think sharing the value of their work with the website is a fair deal.
As for using blockchain tech for ledger functions, that is all under the hood: websites can cash out to dollars as they prefer.
(disclosure: work on bot detection at hCaptcha.com)
Yes, mainly because we're talking about fractions of cents. Also, it's not for free; the website and its users get a good anti-abuse measure in return.
There's a big difference between something that cannot make money and something that makes pennies for the site. But, to be fair, 99.9% of users aren't going to notice the difference in captcha branding either way unlike my example of a banner ad on a retail site.
My main reaction is that the UX incentive to minimize user exposure to captchas seems to work against the primary pull of using hcaptcha in the first place.
Though one site I can think of that has a captcha behind every action (every post) is 4chan. Maybe you can get them on hcaptcha one day. It would at least help you test your tagging system against vandalism. :)
I didn't find any pricing examples on hcaptcha's website. For all I know, people are bidding 5 cents per image.
Anyways, I definitely want to see more serious contenders in the captcha space so that we all aren't contributing to Google's middle-manning of the entire internet, and I'd like to try hcaptcha even out of curiosity.
If it means no/fewer ads to support a site then the user benefits because they don't have to pay real money to keep the site up.
If you use my referral URL I get a bump in the queue:
https://hcaptcha.com/?r=29d830be7540
When you search for an address on google maps, that little tiny house number on the house was once a captcha image and now google knows that number so it can take you to the exact location on a map when you search for that number.
Everyone helps train the machine so when they want something from the machine then the machine is better at finding what they asked for. That seems pretty democratic to me.
disclaimer: work for google, nothing related to reCAPTCHA though. opinions are my own, etc.
A dividend on this could probably provide for a basic income.
Is it worth it?
Manipulative user-hostile websites can rot.
Personally I now use...
- iCloud.com instead of Gmail
- DDG for search though I do have to !g like 20 to 30% of the time for things like driving directions (from X point to Y point), local movie times nearby and flights.
I still use
- YouTube
- Google Maps some as its great for getting distance between X and Y
- Google News (is there a better substitute)
- Google Photos (is there anything that compares)
Hoping in time to rely a ton less on Google products.
Apple Maps works for me. I appreciate that's not the case for everyone, but it's come a LONG way. I sincerely use Apple news (on iOS) and have been loving it, but appreciate it's not for everyone's use case.
Google photos.. yeah wow. There really isn't much like it. I've resigned to storing my photos myself on a private server and slowly making albums/things come together. But I have to NOT use google photos. It's too scary.
Gmail was easy
Youtube I use a fake gmail account that's not linked to me in the slightest and only use it on 1 iPad, else not logged in.
It's a quest. But I'll get there. Someone really ought to make a Google Photos competitor though, there's nothing that has the same level of polish right now.
Flickr app has auto upload from Android at least, I'd guess Flickr as Google photos closest competitor?
You could further approximate that with: "How much does Google's AI think this human's time is worth in future revenue?"
I for one intentionally inject errors into their image classifier until it lets me in anyway.
You know how they usually give you several questions to solve, even if you're quite convinced you solved a question correctly?
Turns out if you click randomly, they keep showing you new questions as well. If, after a handful of purposely wrong answers, you answer one correctly, they let you through.
I now purposely mess up the answers a few times. It seems neither slower nor faster than actually taking the time to do it right, but it takes less mental load, and it makes me not feel like doing slave labour for a machine.
https://developers.google.com/identity/protocols/OAuth2#inst...
Yes, this is the worst of them all, as it will completely lock me out of websites that use it.
I understand the reasons why sites may want to do this sort of thing, but personally, the cost of allowing this to happen in my browsing is simply too high.
It turns out they record and analyse:
- Your computer’s timezone and time
- Your IP address and rough location
- Your screen size and resolution
- What browser you’re using
- What plugins you’re using
- How long the page took to display
- How many key presses, mouse clicks, and tap/scrolls were made
And ... some other stuff we don’t quite understand.
NoScript (which is totally fine) just blocks all JS, uMatrix can block much more.
Settings -> Privacy and Security -> Content Settings -> Javascript and then change "Allowed" to off.
You can white list a domain by clicking on the padlock or the thing that says "Not Secure" in the URL bar on the left and clicking "Site settings" and changing Javascript to Allowed.
In my opinion, the only real effect JS blocking has is you start complaining in HN comments about sites not working.
Depends on the version of NoScript. If you stick with the older ones before this was broken, you're good. You can't do that with the new Firefox, though.
It's still a pain to get rolling at first but it feels more friendly to me than noscript
1. turn off javascript (effective for all websites)
2. block access to google in your router/firewall. (effective only for google)
Select all images with traffic lights, I'm like, does the pole also count?
Select all images with cars, what about that car that is two pixes in the next tile?
Do I click based on absolute truth, or how they expect an average user to?
i'm generally against this type of gating, where the people doing the right thing get punished disproportionately (even small slices of time add up to wasting thousands of human-years over the population) just to combat the tiny number of bad actors. target the bad actors directly.
it's the same for tsa security theater. let's put all those humans to work training dogs of all sorts and filtering them through people at the airport. the money for those privacy invading scanners can be put toward training and housing the dogs. our collective time is not wasted on silliness and standing in line, and we'd probably save a lot of tax dollars that way.
On the one hand, fuck Google for wanting another vector with which to track me, on the other hand, why can't it remember that I proved to it that I'm human (allegedly) two days ago?
Maybe to prevent bot operators from manually aquiring a human-cookie then let their bot operate for ever ?
I have also trained myself to wait a few seconds before clicking the box, which seems to help assert my humanity.
I wonder how many different weird rituals are out there for 'beating' CAPTCHA?
For me, I usually make some effort to keep moving my mouse and being "active" after clicking the box, on the idea that an isolated click event looks less human. It's based on a friend's tip and it seems to help, but I have no confidence that it's actually relevant in such a complex system. I sort of suspect Google has created a new generation of meaningless routines fit to rival historical standouts like sports rituals.
I'm using that captcha on my website, and I can tell you, that one works 100% while the other ones don't.
this is a subtle externality borne from scale combined with zero marginal cost. we need to find a way to make the bad actors bear the cost of that externality rather than the rest of us.
it's a hard problem that resists simple solutions like captchas, certificate signing, delivery fees, taxes, or even just outlawing the practice. as a lowly consumer, one of the few levers i have is curtailing my use of services employing (google) captchas.
Annoying as they are, I don’t really see a better alternative. They’re also pretty easily circumvented with cheap labour like mechanical turk and similar services.
Identifying the lights and cars and bicycles is you training Waymo's self-driving AI.
Personally, I've reached the point where this is the first thing that I do. If a site is presenting a CAPTCHA (especially one run by Google) to me, then 90% of the time, that's a site I'm better off avoiding anyway.
That last 10% can be infuriating, though, and I certainly won't feel positively about it.
How much, and at what odds?
The length of the average Google CATPCHA has been steadily going up for me. I haven't pulled out a stopwatch, but I do count how many image sets I go through. I basically never get through on the checkbox unless I've done one on another site shortly before. I sometimes succeed after one set, but if I don't it's consistently 3+. The worst case I've seen was 10 layers of slow-loading images without success, at which point I gave up and tried on another device. (If it had been a site I didn't need, I'd have given up after 5 - which I do fairly often, so I don't have an average count needed to succeed!)
I'm fully aware that average users don't have this much trouble, or people would be furious. But I also see that captcha ramps up to an extremely long process in the face of even modest privacy-protection efforts like not running Javascript or allowing third party trackers by default. (God forbid you're using a VPN for any reason.) It's not assessing your humanity but your familiarity, using the same fingerprinting tools as any site that wants to track you.
Spam is a real problem, and a hard one to solve, but I admit I'm hostile to Google's captcha. Partly because it really is a significant time sink for me. Partly because it lacks any progress indicator or fallback option so it's an indefinite hurdle to accessing sites I'm already committed to using. But largely because, despite what I really believe are good intentions, it's yet another force pushing people to give up privacy and even security if they want websites to work tolerably.
I disable most scripts using uBlock, but I have to make an exception for reCaptcha if I want to interact with half the web. I'm pretty sure due to that alone Google is able to track where I go.
It's almost definitely not my problem, and it's not even necessarily a problem it's just a way to access pages, made easier by Google in fact because it's a perfectly legitimate way to navigate the internet and Google themselves depend on it. If anyone wants to discourage it just provide an official API to use instead of pages, which are a defacto API for humans.
https://github.com/GoogleChrome/puppeteer
https://www.trustedreviews.com/news/apple-hit-two-factor-law...
Phone calls to GF, to get her to login, similar issue, it was now signed out, and after another attempt, one of them showed the 2FA window, which got me in. At no point was I able to use the phone number also associated with my account, and it was a huge, long, pain in the ass. It's actually a huge part of why I won't buy an iPhone.
https://www.youtube.com/watch?v=fsF7enQY8uI
It is describing how the checkbox is collecting your browser's characteristics (eg they go to great length describing the webGL fingerprint) and your own characteristics (eg mouse behavior), such that when you click the box, you are determined to be a person or a bot. If they think you are a person, you don't have to do the CAPTCHA.
The whole bit about a double encrypted "VM" is overstating the case. The "VM" is "just" a bytecode interpreter, which at the end of the day can't do anything the browser's javascript engine can't do itself. Yes, it's some heavy obfuscation, and what's more interesting than the interpreter itself is the decision to spend what must have been lots of time/resources to develop it. It's security by obscurity, and in this case it is delivered to the client so obviously it's reversible. Maybe there's a deeper purpose.
EDIT: ah. the purpose is not to obfuscate. it is to fingerprint the CPU characteristics. by running their own interpreter, and changing the opcodes on the fly and such things, they can defeat JIT and learn something about the CPU itself. if they have user info (google cookie) they can know what CPU/CPUs that user typically uses and if "the checkbox" records something different it's a signal.
The Quora answer is interesting but it's not clear to me whether the "I'm not a robot" box cannot be defeated in a similar manner.
In order to successfully execute a replay attack you would also need to pass the Turing Test, i.e. click the correct images. If you design a bot that starts a combinatoric attacking by trying random guesses we can easily confuse it, so most attackers try to use a solver service.
We can also identify how you interact with semantic content in the images when you click on the image and characterize your mouse interaction as human or non-human. Since confidence increases as more results come in we can also run them after the initial pass and then shadow-ban bots. (And notify the targeted website that we have determined e.g. a particular signup is a bot.)
Ultimately, many techniques beyond simple correct/not-correct are required to defend against the main attack vector: humans hired to solve captchas en-masse and make thousands of fake accounts. Modern ML is pretty effective for these kinds of problems. Browser obfuscation does not add real security, and today's reCAPTCHA (all versions) is easily defeated in practice.
Had to reach out to them on twitter to get things moving. Horrible stuff.
https://moderncrypto.org/mail-archive/messaging/2014/000780....
(search "Javascripts").
More likely, the majority of the algorithm is devoted to the "fingerprint" of your browser. If you have adblock running, you may not have a google ad cookie. If you have a randomizing user-agent addon, you're going to get blocked.
What we need, for captcha, is an addon that makes you look as human as possible. Mouse click timings become random. Javascript fingerprint becomes John Smith common. Third party cookies, temporarily enabled (and then pruned). VPN traffic routed through a common looking gateway that few bots use. etc. etc.
But I am pretty sure, if you click on the images too quickly, you're going to get stopped. Slowing down your clicks, moving around a little like you're "thinking" seems to help. That's been my experience at least.
I'm personally rooting for the AI here. When the robots and crawlers become so smart to become too hard for Google to distinguish between them and humans, then we will all benefit. They are becoming smarter, which is why captchas are becoming more difficult for humans.
Services that use recaptcha should consider why they are using them. Preventing spam, stealing proprietary data, and preventing actual harm are legitimate reasons. On the other hand, stopping free information from becoming truly free is bad. For example, numerous U.S. government agencies use captchas to prevent scraping or analyzing of public documents. These government organizations provide "public access" in the narrowest possible sense, making it difficult to search for a specific record or analyze data in bulk. If they can't do it, they should allow others to try.
I wonder if recaptcha seeing your ad cookies (and other dark tracking indicators) would be enough to help get through. Like we need a "recaptcha profile" in your browser that would have just enough fingerprint to get you through.
Robots don't watch the ads. Adblock blocks the ads. Google's revenue is mostly ad revenue. I don't think it's coincidence.
I suppose you’d have to simulate the human movement of the mouse over to make it look like a human actually did it, but how hard can that be? Just train it with a few 100 Turks moving mouse pointers to click on links.
Though an interesting counter measure might be to inject cpu spikes and measure the impact in the mouse movements and the robot controlling it.
Must be a fun job, both sides.
I can see it being possible - racks of "robot arms" that move mice based on whatever criteria is needed (in this case, reCaptcha).
It works for 3D printing, as well as device testing - so in theory, this could be done too...
It exists for a long time already.
It’s always going to be an arms race I guess.
What's so wrong about crawling or using automated tools? With today's networks and hardware performance most websites shouldn't concern themselves with denial-of-service type of attacks, unless they're past a certain threshold of popularity.
Every time I found a way to fingerprint and block them, they'd change their bot to avoid detection. Captcha for rate limiting seemed like the least bad option.
However, eventually I decided that instead of blocking them, I'd return random results from the db. They weren't checking the data too thoroughly because to this day they haven't changed the bot to avoid my most recent pattern detection. They're still merrily scraping useless data.
I would have set it to only show the captcha if the delay was active, so users would effectively have had a choice of wait or captcha.
There's very few friendly bots like archive.org, and those respect meta robots tags anyway.
I agree with you, for "read only" content, let the robots crawl.
Why waste time catering to people who are too lazy to write a decent scraper? Most people would prefer to spend their time working on things that will benefit the other 99% of their users.
(in reality though reddit has a huge bot / astroturfing problem anyway, so perhaps the value of captchas really is overstated)
Keep a history of the biometrics of the devices either on the account or in a cookie. Use a sufficiently secure and obfuscated language to capture and upload the data (maybe using steganography in an image, explaining the weird image uploads.) Prompt when the biometrics don't match a known user of the device/account (according to ml). Or if the tracking data didn't exist (incognito) then prompt using a backup model trained in the difference between the biometrics of known bots and known humans. Keep a very loose threshold here.
That's how I'd do it if I were Google (and no one else because only Google can afford that.) All the browser fingerprinting stuff mentioned is great but doesn't really work as much as you'd hope in practice.
The majority the client side reCAPTCHA is fingerprinting to make it impossible for spammers to steal cookies from legitimate users.
Once you have the immovable cookie, is easy to do regular reCAPTCHA challenges until you are sure that browser is being used by a regular human.
You will notice that if you ever move to fresh OS install, or a different browser that reCAPTCHA suddenly starts showing you image challenges again, which last for several weeks.
Keyboard/mouse biometics is a nice theory. But that's all it is. It doesn't work as a general CAPTCHA solution because it's so easy for bots to fake human looking input.
If they have a way to create a secure, immovable cookie across browser sessions even in incognito mode then they don't need biometrics. In the absence of persistence, biometrics could serve as the cookie. Even with a naive approach in a hackathon, a member of my team was able to get very high precision identifying users based on a small sample of keyboard and mouse movements. I'm sure Google can do better.
So it's not really about attackers being able to look like any human. It's about being able to look like a specific human. Which is much harder.
But maybe you have more experience? We abandoned it seemed intrusive and because we knew we couldn't invest in the secure environment. Without that it doesn't matter. And with it maybe there's an easier solution. But I figured that given Google made it that they would be using keyboard/mouse movements for user identification.
How clicking the checkbox helps? Do they measure the delay it takes me to read the captcha request and react by clicking?
For firefox - https://github.com/dessant/buster
Is there any evidence that I'm wrong?
It’s quite depressing to see that almost all sites now require sending data to Google just to log in to them. Not to mention that they help to turn billions of users into clickworkers for annotating AI data. Tell me what you want but I’m pretty sure they show image captchas to users that they are absolutely sure are no bots. I use Chromium on Linux and I’m logged into a Google account, still I have to solve three or four image captures at times to use a login.
Why couldn't a bot purchase a droplet or shoes. As a saler I would be happy to sell to them. Purchases would be quicker and less wasted resources with humans browsing the same product pages for months before buying.
Because bots are used in multitarget and multisource spam attacks that humans can’t do efficiently; rate limiting on any particular target site, particularly for submissions from a particular source, cannot prevent such attacks.
Plenty of other people get past it too: https://medium.com/@jsoverson/bypassing-captchas-with-headle...
I am pretty sure Google is just doing an 80/20 rule here, or even a 99/1 rule since there are so many simple bots that are easy to detect.
I wonder if they also overlay another image that to humans looks like noise, but its a neural network attack[1][2]
[1] https://youtu.be/SA4YEAWVpbk?t=34
[2] https://medium.com/datadriveninvestor/8b966793dfe1
Of course, I think the biggest thing is your browser's fingerprint. If you are using a lot of privacy blocking addons, etc. you are going to be spending a lot of time looking at captchas.
> Google’s invented language is decoded with a key that is changed by the process of reading the language, and the language also changes as it is read.
I feel like that's either some everyday cryptothing that I'm too tired to realize right now (ahem hashing cough?), or some clever stuff that I want to know quite a lot. Or Google cracked the secret of writing Malbolge.
https://github.com/neuroradiology/InsideReCaptcha
I'm sure it plays a part in determining "hijacked extension" activity vs human activity, but it's likely that the majority of the decision is how much recent activity your signed-in Google account has, whether or not you're signed in on Chrome (Firefox has a lot more stories of recaptcha challenges), and maybe even if you have Google WiFi or Google Home linked to your account. I wouldn't be surprised if they purely whitelist accounts that subscribe to Google Fiber or Fi.
I'm not seeing any except asking questions about the site, and even that takes effort to translate. Numerical math questions I assume can be easily bypassed.
So sophisticated and still such a pain in the a for the user.
https://addons.mozilla.org/en-US/firefox/addon/buster-captch...
In the remaining 5% I get a Captcha that is impossible to solve, e.g. it states "Please mark all cars" and once I've marked all cars it states "Please also mark all traffic signs" and when I've marked all traffic signs it states "Please also mark the following traffic signs" and so on, for as long as I bother to try.
I have never encountered a Google Chaptcha that worked in any other way, either it works trivially with one click or never.
My conclusion has always been that Google Captcha are simply broken for anyone who runs an ad-blocker, and I don't don't bother with services for which it doesn't work. Problem solved.
That's a bit of an ambiguous sentence - are you saying they would have little trouble, as in not much trouble, or the opposite?
How you can prove that a human genuinely wanting the information in the page is filling that information out? Imprisoned humans are great CAPTCHA defeat bots.
https://www.youtube.com/watch?v=fsF7enQY8uI
You get punished for blocking Google tracking.
I love it. Totally not evil(tm).
Very tempted to cancel/stop using anything that uses this crap, but it's a bit too ubiquitous.
https://addons.mozilla.org/en-US/firefox/addon/buster-captch...
Marci Robin was buying a Fiat 500X from a West Palm Beach, Florida dealership, and was in the final stages of signing all the paperwork, when she was presented with a strange but simple question: was she a robot?
This wasn’t online or anything, she was right there, in person, in front of the sales person, who wanted her to check a box, with a pen, on real paper, confirming that she was not, in fact, a robot. She claims she isn’t.
https://jalopnik.com/dealership-makes-woman-sitting-right-in...
edit: and the original tweet: https://twitter.com/MarciRobin/status/998030243981033472
You can confirm your identity by entering your phone number and receiving a text.
I feel like it's more of a cheap ploy to get additional info after your first 25 tweets than it is any bot detection algorithm.
Facebook got busted using that (security) info for marketing purposes, and the reaction was muted; but, within the security community, it was loud and angry. Within a week, they had ceased completely.
That's the plot of Blade Runner 2.
Ironically sending a robot picture is the best proof that you're not one, since robots don't have a sense of humour (yet).
Wait; lightbulb moment; someone has to run a NN against a dad joke DB and learn AI to crack some (like the generated face stuff).
Well this is the internets and all, so I suppose it's been done before but no one would admit to owning such a big enough dad joke DB...
A "that's what she said" detector can be implemented as a two class identification problem. This 2011 describes one algorithm that achieves 71% precision: That's What She Said: Double Entendre Identification https://www.aclweb.org/anthology/P11-2016
I believe they could have done an even better job with better training (and test) data. It seems to me there's a big problem with how they selected the negative examples: one of the sources is a set of racy text messages, which would be rife with positives. They claim TWSS positives are rare in general, but I doubt that holds for a sexy text messages corpus.
Their overall strategy is pretty interesting though (not deep learning).
Bizarre part is it works fine when I tether via my iPhone.
Also there seems to be growth of websites in NZ that use some sort of Cloudflare-like proxy that very often straight up blocks requests to some simple blogs. Unsure whether it's user agent, ad blocker or my IP is quite dirty, but try to open up www.pointhacks.co.nz and click thru older posts...
Interesting interview process!
If you sign up and provide a phone number, they'll just demand a photo. Twice. Giving them the same photo seems to work though, and leave your account in peace...
They never accused me of being a robot though.
https://qntm.org/difference
Sorry to be so profoundly un-fun.
edit: I'm being downvoted, but consider the comment chain this has generated.
> Please don't submit comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.
Here's a challenge:
Create a bot capable of generating and posting content like the above that's attributed to "zxcvbn4038."
The bot doesn't have to be able to get through spam filters or register itself. It just has to take the current state of a forum thread as (part of its) input and output a) content for a post and b) a position in the tree to insert it.
The human bot-author can then try to insert the content into the thread at the given position. If the post doesn't get detected as spam and can avoid downvotes, the bot wins.
The prize is the sheer joy of contradicting what I'm assuming is an HN mod:
> edit: I'm being downvoted, but consider the comment chain this has generated.
Edit: added rule about avoiding downvotes to retain "high signal commentary."
https://www.theguardian.com/technology/2019/feb/14/elon-musk...
Yet some more signal for this thread that started with a joke.
If mainstream systems suggest that a human is acting like a robot, then what is a robot and what is human? That's pretty profound.
It seems that we're nearing the point that anyone who thinks and acts rationally and contrary to consumptive norms is indistinguishable on a coarse scale from a logical machine.
Hence the high rate of rejections
(Her name is actually Faux, which means fake in French.)
That is my favourite XKCD comic!
They probably use it as a way to enforce their "soft" requirement of a phone number. After verifying that you have a working phone number, you'll get unblocked.
Also, Twitter routinely renders their tweets unaccessible to non-logged-in users, due to rate limits on their api (which is used by their web frontend).
So, I'm not one bit surprised if anyone would describe Twitter as foolish: that's exactly how they act
I disconnected the ringer so it doesn't bother me.
This is fine.
There is no phone number requirement. They're just as happy with an email address.
If you provide neither of those, then your account functionality is restricted (with a big obvious banner showing at the top of every page), but you still don't get blocked.
Once I needed to create several accounts at once and then have all but one of them follow the last one. Those accounts got blocked, but it's hard to blame Twitter for that.
That's in fact true. Every single one of my Twitter account that I've created in the last few years have got banned within a few minutes even before I've had a chance to post anything meaningful with the account.
The twist at the end is that she's lying.
"Oh dang, you ticked the 'not a robot' box but you are actually a robot ... Ah, no worries, I'll put a call in to head office, get the paperwork changed. Well, enjoy your car! ... And don't forget to come back in six months for your free oil change! ... for the car, I mean."
You may sell to someone represented by a robot, but you're not selling to the robot.
When using a vending machine, your making a trade with the vending machine company, not the machine itself.
The closest thing would probably trades with wild animals. Are there any laws on that? (Probably not, but the situation is not unthinkable.)
Definitely one of my favorite reads from my youth days...
https://en.wikipedia.org/wiki/Impostor_(short_story)
https://en.wikipedia.org/wiki/Second_Variety
https://en.wikipedia.org/wiki/Generative_adversarial_network
If anything you should exclude such html elements from the print page with css.
https://en.m.wikipedia.org/wiki/Monkey_and_banana_problem
All robots claim not to be one, so we must be really careful.
probably printed app from website and the dealer took it literally
I wonder if the subtlety of that joke will be lost on future generations one day.
We should start protesting to make sure robots can buy cars.
[1] https://intoli.com/blog/making-chrome-headless-undetectable/
The amount of time I've wasted clicking on crosswalks and store fronts is way too high.