@Kissaki@beehaw.org
English
1615d

Since Cloudflare published Turnstile I’ve hated Captchas even more, because Turnstile does it so much better. Captchas are such a hassle. One website I occasionally visit does not keep me logged in and then presents one of the worst captcha puzzle systems. Shitty captchas are a huge barrier.

Turnstile is, in almost all cases, one checkbox to click (I’ve never been challenged beyond that). All captcha puzzles should be replaced with Turnstile or similar simple (for the user to solve) tech.

Cloudflare turnstile is also the only captcha system that works ok with most browsers and adblockers.

Especially Google recaptcha freaks out if you use Firefox or an adblocker or anything and asks you the hardest possible questions.

@jagged_circle@feddit.nl
English
215d

Better than not asking you any questions and just going in an infinite loop!

If you’re getting looped by turnstile maybe you need to stop being a bot?

Literally never had an issue with it.

@jagged_circle@feddit.nl
English
215d

It’s a false positive. That’s the point.

That’s a feature, not a bug.

Anticompetitive feature!

How’s that work anyway. Fingerprinting?

@Kissaki@beehaw.org
English
314d

The announcement blog post linked on the bottom of the linked Turnstile page has some info on that

> For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser. The current deployment of Turnstile checks billions of visitors every day, and we are able to identify browser abnormalities that bots exhibit while attempting to pass those tests.

@jagged_circle@feddit.nl
English
215d

Turnstile is worse. It’s just an infinite loop. Literally clicking for hours

Pete Hahnloser
English
14
16d

It’s a lot easier to determine the intent of this hed with the quote being closed somewhere. Just after “service” would have been my guess, but it’s a disservice to remove that and leave people dangling.

My larger issue is that when I’m faced with traffic lights – or, god forbid, motorcycles – this is performative nonsense wherein I’m supposed to guess percentage coverage on a given square without having been provided parameters.

At this point, CAPTCHAs feel designed to make sure you can never get through the first time, thus needing to continue training image models several times before I can just fucking do what I originally came to the site for.

I already hate them for access gating based on unnecessary labour, and deliberately making access more cumbersome for people not using chrome and using VPNs

But what really peeves me off, even though it’s much less important, is that they don’t localise them.

Where are the crosswalks? What the hell is a crosswalk. How many trolleys in this picture? None, that’s a picture of a tram!

Pete Hahnloser
English
716d

“I see no trucks, only lorries.” Being on a VPN has been getting worse and worse with CAPTCHAs, almost like I’m being punished for telling my ISP they have no right to sell the details of my internet use since I’m paying them.

@jarfil@beehaw.org
6
16d

> At this point, CAPTCHAs feel designed […] training image models

It was never a secret:

> The reCAPTCHA program originated with Guatemalan computer scientist Luis von Ahn, and was aided by a MacArthur Fellowship. An early CAPTCHA developer, he realized “he had unwittingly created a system that was frittering away, in ten-second increments, millions of hours of a most precious resource: human brain cycles”

https://en.m.wikipedia.org/wiki/ReCAPTCHA#Origin

Pete Hahnloser
English
416d

I was fine with it when it was wavy text to digitise old works. This shit is just asinine and a time sink.

@jarfil@beehaw.org
1
15d

Yeah… only OCR and AI have advanced to the point where a spammer/bot can easily bypass them.

20+ years ago, Microsoft proposed a [Penny Black project](https://en.m.wikipedia.org/wiki/Penny_Black_(research_project)), which was superseded by reCAPTCHA. Nowadays, we might have to go back to that… maybe by mining crypto as a proof of effort.

@jagged_circle@feddit.nl
English
215d

Proof of work. See mCaptcha and Friendly Captcha.
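
The proof-of-effort idea raised in the comments above (Penny Black, mCaptcha, Friendly Captcha), as an added example that is not part of the thread and is not either project's actual protocol: a generic hashcash-style challenge that the server issues and verifies, with an HMAC tag, an expiry and replay protection. The key, difficulty, TTL and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed for this example)
DIFFICULTY_BITS = 16          # assumed difficulty: about 65k hashes on average
TTL_SECONDS = 120             # assumed challenge lifetime
_spent = set()                # salts already redeemed (replay protection)

def _tag(salt, expires, bits):
    msg = f"{salt}:{expires}:{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _zero_bits(challenge, nonce):
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_challenge(now=None):
    """Server side: a self-describing challenge the server need not store."""
    now = time.time() if now is None else now
    salt, expires = os.urandom(16).hex(), int(now) + TTL_SECONDS
    return f"{salt}:{expires}:{DIFFICULTY_BITS}:{_tag(salt, expires, DIFFICULTY_BITS)}"

def solve(challenge):
    """Client side: brute-force a nonce until the hash has enough leading zero bits."""
    bits = int(challenge.split(":")[2])
    nonce = 0
    while _zero_bits(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, now=None):
    """Server side: one hash to check, however long the client had to search."""
    now = time.time() if now is None else now
    try:
        salt, expires, bits, tag = challenge.split(":")
        expires, bits = int(expires), int(bits)
        authentic = hmac.compare_digest(tag.encode(), _tag(salt, expires, bits).encode())
    except ValueError:
        return False              # malformed challenge
    if not authentic:
        return False              # forged, or difficulty/expiry tampered with
    if now > expires or salt in _spent:
        return False              # stale, or the same solution replayed
    if _zero_bits(challenge, nonce) < bits:
        return False              # work not done
    _spent.add(salt)
    return True
```

The cost asymmetry is the point: the client pays roughly 2^DIFFICULTY_BITS hashes per request while the server pays one, and the HMAC tag stops a client from lowering its own difficulty or extending the expiry.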

A reminder that recaptcha is no longer free, but since a few months ago now the website owner needs to pay $0.001 each time a verification is performed

https://cloud.google.com/recaptcha/docs/compare-tiers

Free tier is only 10k verifications per month and must link a valid credit card so they can charge you immediately when you reach higher level.

Hopefully this kills the product in the long term as bots solve recaptcha faster than humans, so it’s just for slowing down humans than actual security. I personally use a browser extension that solves them with a click in a second.

Do you pay for successful verification only, or even for failed ones?

Redjard
215d

Probably only successful ones.
Google captchas have had multiple rounds (with it faking you out claiming you failed) for probably a decade. Every round of the game updates some confidence score which if you get it high enough lets you pass.
This conversely means there is no way to fail, you just get stuck in an infinite loop of challenges if your score doesn’t get high enough.

The only other alternative means of pricing it would see even valid users consume way more than one “verification” per actual completed captcha, since so many users have low enough scores to need multiple rounds of captcha even when completing them with perfect accuracy.
I doubt they do this, but if they do it’s a scandal waiting to happen, besides also being very weird for any kind of statistic google certainly offers for their captcha.

> but if they do it’s a scandal waiting to happen

That was my line of thought. If you pay for failed captchas, there are a few websites using it that’d deserve a bot failing them constantly.

MaggiWuerze
316d

Does that also work for the puzzle captchas? Do you have a link if so?

No it exclusively works with recaptcha https://github.com/dessant/buster

@jagged_circle@feddit.nl
English
2
15d

Lol so now site admins pay more than the bot farm companies pay to solve each one

_cryptagion
English
1615d

I’m a simple guy. If a website I visit uses any kind of captcha other than Cloudflare’s Turnstile, then I close that website and don’t use it ever again. I’m not interested in wasting five minutes picking which squares have busses in them because ReCaptcha has decided I have to do the captcha 200 times.

@ooli2@lemm.ee
creator
English
1215d

What is infuriating, is that some government official website in my country used google captcha

@jagged_circle@feddit.nl
English
7
15d

This happened to me recently. Worse, there’s an error message saying I didn’t solve the CAPTCHA…but I wasn’t prompted for the CAPTCHA!

I opened a bug report and the gov said “works for me”

So, yeah, people breaking laws because they can’t submit legally required data to the gov due to reliance on faulty Google services is real.

Is that cloudflare one the one that just verifies you’re human automatically? Like it pops up with a check box you sometimes don’t even have to manually click? How does that one even work? 🤔

The code basically tracks mouse movements, or the lack thereof. If a bot is using a cursor, it might move in a straight line at constant speed to the “I’m not a robot” checkbox. Most bots though just check the HTML and jump directly to the checkbox. There are other checks it might do as well, e.g. the user-agent of the browser, whether the user came from a search engine, etc.

That being said it’s not that difficult to break, e.g. Puppeteer has a plugin specifically for getting around Captchas and Cloudflare’s offerings.

All this is to say: automatic captchas are better at allowing legitimate users than they are at blocking bots entirely.

It checks user agent to see if you are using something generic in a user agent switcher. It gives me fits sometimes if I leave it on chrome from Firefox too long.

_cryptagion
English
315d

Yes, that’s the one. It works by just using Javascript to check that the browser is OK.

Chozo
3716d

Okay, this “$1 trillion” metric is a bit of a reach, and seems to be based on an arbitrary value assigned to an estimated amount of data Google has collected, and not actually $1,000,000,000,000 in revenue. It does not appear that Google has actually made a trillion dollars from CAPTCHA data.

@millie@beehaw.org
English
5716d

It is incredibly obvious that CAPTCHAs are at the very least a way of exploiting distributed labor to train AI.

They had been used to help with text recognition for book scanning for more than a decade. It has never been secret, it was explained on them time ago.

This is the logical progression, regardless of your feelings with “AI”

@jagged_circle@feddit.nl
English
6
15d

That was their selling point.

deleted by creator

Chris Remington
mod
2216d

This sounds like a conspiracy theory but I’d like to know more.

The study that they reference: https://arxiv.org/abs/2311.10911 [PDF]

@Zaktor@sopuli.xyz
English
1916d

They don’t seem to actually identify the cookies as tracking (as opposed to just identifying that the account can bypass further challenges), just assuming that any third party cookie has a monetary tracking value.

It also appears to be unreviewed and unpublished a few years later. Just being in paper format and up on arXiv doesn’t mean that the contents are reliable science.

@Kissaki@beehaw.org
English
115d

> we do so via a large-scale (over 3,600 distinct users) 13-month real-world user study and post-study survey

> results indicate that the website context directly influences (with statistically significant differences) solving time between password recovery and account creation.

> We explore the cost and security of reCAPTCHAv2 and conclude that it has an immense cost and no security. Overall, we believe that this study’s results prompt a natural conclusion: reCAPTCHAv2 and similar reCAPTCHA technology should be deprecated.

Snot Flickerman
English
1016d

It’s true. They make us work to identify data, we are checking for them not confirming, then they also track us.

@jagged_circle@feddit.nl
English
4
15d

Does this apply to hCaptcha?

Past tense?

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
