From the (overly lengthy) Patent Description section:
A challenge-response test may include a type of authentication where one party (e.g., security device 240) presents a question (e.g., a “challenge”) and another party (e.g., attacker device 210) is required to provide a valid solution (e.g., a “response”) to be authenticated. An unsolvable challenge-response test may include a challenge-response test that does not have a correct solution and/or a challenge-response test where attacker device 210 may be incapable of providing the correct solution (e.g., when the correct solution includes a character that may not be typed using a standard keyboard, etc.). In some implementations, security device 240 may generate the unsolvable challenge-response test in the form of an unsolvable CAPTCHA. In some implementations, security device 240 may generate the unsolvable CAPTCHA using one or more construction techniques that are designed to block attacker device 210 from sending a request to server device 230 without making attacker device 210, and/or a user of attacker device 210 (e.g., a hacker), aware that attacker device 210 is being blocked (e.g., by security device 240) from sending the request to server device 230.
I hate stuff like this. When I fall into the "this guy looks unusual" bucket, I don't want to have to second-guess whether your system is even going to let me in if I put in the effort to jump through its kafkaesque hoops.
I had trouble with Coinbase account verification which I'm almost certain was akin to the linked patent: it asked me for a picture of my passport, and then a picture of my face, and then told me that the pictures didn't match and I must try again. Every single time. I only managed to regain access to my account by emailing a contact that most people wouldn't have.
I attended a talk by Coinbase. They get A LOT of fraudulent activity (both high end and amateur). They have like 7-8 employees who handle all the manual aspects of user verification. So they have to rely heavily on automated solutions.
I have never used them so I don't know how often they flag false positives but based on that talk I would at least qualify the statement with "it's a hard problem!"
Treating your users like shit is actually a pretty easy problem to solve. It's companies that don't 'care' to solve it that cause this kind of strife. Coinbase pulled the same shit with me.
This makes me think of userbinator's comment from yesterday's Google Memory Loss post.
To add insult to injury, if you do try to make complex and slightly varying queries and exhaust its result pages in an effort to find something you know exists, very often it will think you're a robot and present you with a CAPTCHA, or just ban you completely (solving the CAPTCHA just gives you another, and no matter how many you solve it keeps refusing to search; but they probably benefit from all the AI help you just gave them, what bastards...) for a few hours.
Edit: I wonder if Google is using this as a sort of income source for pages that bring little to no ad revenue.
I thought this item would be related to that very popular item... I saw it mentioned in discussion.
At work I just recently managed to trip it three times in one day, which I consider a record since in the past I've encountered it at most a few times a week. What's more infuriating is that my queries were far less complex than the ones that tripped it before (trying to find information about some API constants), basically one quoted term and one site: modifier. I can understand if I was querying 24/7 and hogging their servers (in which case a nice "please slow down" message would be much better), but it tripped within a few minutes of, admittedly intense, Googling.
The security device may notify the attacker device that the solution is incorrect regardless of whether the solution is actually correct.
In Google's case, it doesn't do that at all --- solve one CAPTCHA successfully and all you get is another, immediately. If you actually do deliberately give the wrong answers, it does tell you they were incorrect.
I wonder what can be done to stop it from doing that, besides the old tactic of evading IP bans by changing IP --- it's somewhat creepy to think that it's probably capable of detecting that too and banning the entire subnet. On second thought, it might be worth it... if it means I can get thousands of others blocked from Google for a nontrivial amount of time, all the more mouths to complain and maybe force some reconsideration. I am not a robot. I am not a competitor scraping your pages or doing anything else against your ToS. I am just an intelligent human with over two decades of Internet searching experience enthusiastically using your service for the exact purpose it claims to do: to find something on the Internet.
Happened to me too, but not over my normal DSL IP, but while browsing through Tor. As you note, one CAPTCHA is replaced by another seemingly without end. I gave up after 3 or so tries and switched to DDG, which is what I use when browsing over Tor. It's Google's loss, certainly not mine.
Which shows how important it is for Internet health that we have search competitors to Google who maintain their own indexes. No one company should become the sole practical gateway to the Net.
> I am not a robot. I am not a competitor scraping your pages or doing anything else against your ToS. I am just an intelligent human with over two decades of Internet searching experience enthusiastically using your service for the exact purpose it claims to do: to find something on the Internet.
Maybe it’s time to stop using Google and use another search engine which actually treat you like a human being, like DuckDuckGo.
That's what I do whenever it comes up. For the longest time I used Google because they had the biggest index, but if they're not keen on letting people actually make use of it, then DDG and the others suddenly look a lot more appealing.
I think most people don’t realize this “endless” CAPTCHA is actually an average of three iterations. You’re supposed to stop when you see no squares with X in them. That is, you should click submit even when there are zero squares matching the CAPTCHA criteria.
Once you realize this it’s way less confusing, and in fact it even clearly states the instructions at the top of the CAPTCHA. But it’s super confusing and definitely a usability nightmare.
The goal, as I see it, is to increase the number of round trips to google required to solve a CAPTCHA, in order to increase the cost for those using CAPTCHA solving services.
Not in my experience. It would give me “select cars until none are visible” and it would be replacing the last car by another one for a long time. Then, when there are finally none, it would just offer another captcha, such a as “click on storefronts until there are none”. And so on and on
Their mapping AI isn't going to train itself, and unlike the proofreading CAPTCHA, this one actually benefits Google's bottom line by providing free input for a proprietary data set.
These Google CAPTCHA's are deployed all over the internet, but you mostly won't notice them until you use a VPN. When you do, you get them at what seems to be their strictest setting: multiple rounds of 'click the object that is a car/storefront/road/mountain/road sign/bus/river', where all pictures clicked are replaced via a fade-out-fade-in that lasts about five seconds before you can continue evaluating the new picture.
I do not blame Google, they do what they do for their own benefit. However, when I do get to solve a never ending captcha in a mobile app, while being logged with a user account, while buying a cinema ticket—I get really pissed. Not at Google, but at whoever thought that putting a captcha there was a good idea.
That happens to me when browsing normally on my home Internet connection (no VPN). I think it's because Google thinks I'm a robot (I frequently don't even touch my mouse and check the CAPTCHA box using my keyboard, or just move my mouse cursor in a straight line to the CAPTCHA), so it appears we've entered an era where you're punished for being too efficient at using a Web browser.
Same here. I'm starting to wonder if they're doing that on purpose to profile real users according to how fast they solve multiple captchas, say by measuring reaction times between every click on a "car", or to refine their anti bot algorithms by doing a deeper analysis of real user behavior.
Whatever their intentions are, it's frustrating.
My guess is that most of the "automatic" stuff is done using cookies and other fingerprinting techniques. In safari I hit the longer captchas far more often than in chrome, and it is quite possible that it is because of the ad blocking tech inside.
That's not the issue here though. I had this happen to me with the old 'type these two street numbers' captcha as well: it would just present a new captcha after the old one was solved correctly. Makes me give up instantly whenever I got a captcha while doing Google searches.
Nope, I've been caught in captchas which kept on going for about 5 minutes until the algorithm finally decided it had enough. Even when there were no tiles to click anymore, I would click ok and then more would appear and it just kept on going and going and going.
That's literally what it takes to get something patented? For better or worse, maybe by patenting it, we won't see that solution used in many products from other companies.
Hmm, maybe I should start thinking up annoying things that future software might do for profit, and patent them now to stop companies from doing them for a while.
Getting a patent on pretty much anything is a relatively straightforward (if somewhat arduous) bureaucratic process. I got one on a device that lets you communicate faster than light:
Is it because quantum entangled particles propagate their changes at the speed of light? Making the invention work, just not any faster than normal methods?
> Of course it doesn't actually work, but figuring out why makes an interesting exercise.
I've always found that kind of interesting. The US lets you patent just about anything.
But in my home country, Australia, one of the patent requirements is that it actually appears to function in the way you are claiming it does. ("The application must be for something patentable, like a practical adaption, not for an idea or principle.")
I wonder if that has any impact on patent trolling, or if it's just as pervasive.
Theoretically it's a requirement in the U.S. as well. To get a patent, the invention has to be "useful", and presumably to be useful it has to work. But in practice this is never enforced.
I'm not sure why the application page rather than the grant page is the one turning up in Google's results, but the patent was granted. It is US Patent number 7,126.691, issued October 24, 2006.
Gotta love the patent system. Reading the summary made my eyes roll so far into the back of my head.
Basically, they've patented shadow-banning via CAPTCHA. And I'm left also wondering if they've taken the "that's not a bug, it's a feature" meme to a whole new level. I've run into the scenario described by this patent on a few occasions over the last year. I'll be given a CAPTCHA on Google's search results page that has no solution, and they're cleverly frustrating -- not just pictures of roads asking for you to identify lakes, but "click on pictures of street signs", you click, they disappear, new ones appear but there are no street signs left and the submit button yells at you to "make sure you check the new pictures". So you start wondering if it's a trick question; maybe they're using the phrase "street signs" in a manner you weren't previously familiar with?[0] I hate it when my search engine tires to screw with my head.
A hard-refresh resolves it (or I could have probably picked the audio version and been fine, but I have a difficult time understanding those). Running into this bug, the very first thought I had was "this would be a rather novel way of frustrating a bot", followed immediately by "that's got to be what's going on" (and a bit of profanity about how lovely it is to be a false positive)[1]. I mean, combine a freshly loaded PC with an obscure set of search terms and you tend to get a long CAPTCHA. Perform some action that triggers a CAPTCHA while logged in to Google and you'll get a CAPTCHA-less CAPTCHA (check the box to continue). It's only logical they'd have the opposite extreme of "we're going to reject this one because the maliciousness rating indicates that we're being visited by satan coding in brainfuck".
[0] It seems to be occur the most when searching for obscure, specific error messages with commands like "allintext:" (since Google likes to just pretend I didn't actually mean what I asked for) along with portions of the search in quotes. It also doesn't trigger until I hit page 3, or have performed the search a few times with changes only in what I'm including in quotes. It's been happening a lot since I started doing CUDA development. I guess Google really, really, hates bad CUDA developers. Joking aside, since I usually have to get a few pages in, I probably look like a search-engine scraper combining variations of rarely searched terms with no click-through traffic.
[1] I have a funny history with this sort of thing. I was banned from Bing Rewards years ago for ToS violations that I didn't violate. My guess was they assumed my search traffic automated for reward harvesting (because, you know, the rewards would have ever been worth wasting the time developing a bot). And it probably looked that way since obscure searches on Bing, way back when, rarely yielded any relevant results (a half-page of log files, often). Things over there have improved enough that I use it as a fallback when I don't feel like clicking pictures of storefronts, though the banning was a personal insult, so I have to be really cranky about the CAPTCHA interruption to "Ask Chandler".
edit: I felt that neither "satan" nor "brainfuck" deserved title casing.
You can’t just green light any known VPN IP ranges though because they’re dynamic, and if you did, bots would just resort to using VPNs to bypass normal IP blocking.
Criminal? Not really. Usually in physical stores on private property 'management reserve the right to refuse admission' and they can do that any (legal) way they feel like, including stating that you can only gain admission once you have completed an impossible task, if that makes them happy.
Reminds me of that "intelligence test" that just generates endless pages of questions until you hit a "cancel" or "give up" button (it's been a while) - your score is based on the number of pages it takes before you figure out what it's doing.
This started happening to me after I stopped using Chromium and went back to Firefox couple of years back. Switching to Duckduckgo eliminated this nonsense completely.
Something like this is used by russian insurance companies. They should sell motor third-party liability insurance online and prices are limited by the law. It's not profitable enough for them so they boycot such sales. When you want to by such insurance online they send you SMS verification code, which you must enter on their site. The trick is that this SMS message contains 8-10 letters and some of them are unicode letters and you have only 2-3 minutes to enter it manually, copy-paste is blocked.
I was getting this quite regularly (can confirm that I'm not a robot). It would show the regular captcha asking you to identify traffic signs and stuff, but no matter what you do, it just wouldn't end. Good to know it was just Google deciding to ban my IP for some reason.
62 comments
[ 4.8 ms ] story [ 129 ms ] threadA challenge-response test may include a type of authentication where one party (e.g., security device 240) presents a question (e.g., a “challenge”) and another party (e.g., attacker device 210) is required to provide a valid solution (e.g., a “response”) to be authenticated. An unsolvable challenge-response test may include a challenge-response test that does not have a correct solution and/or a challenge-response test where attacker device 210 may be incapable of providing the correct solution (e.g., when the correct solution includes a character that may not be typed using a standard keyboard, etc.). In some implementations, security device 240 may generate the unsolvable challenge-response test in the form of an unsolvable CAPTCHA. In some implementations, security device 240 may generate the unsolvable CAPTCHA using one or more construction techniques that are designed to block attacker device 210 from sending a request to server device 230 without making attacker device 210, and/or a user of attacker device 210 (e.g., a hacker), aware that attacker device 210 is being blocked (e.g., by security device 240) from sending the request to server device 230.
I had trouble with Coinbase account verification which I'm almost certain was akin to the linked patent: it asked me for a picture of my passport, and then a picture of my face, and then told me that the pictures didn't match and I must try again. Every single time. I only managed to regain access to my account by emailing a contact that most people wouldn't have.
Just fabulous. /s
To add insult to injury, if you do try to make complex and slightly varying queries and exhaust its result pages in an effort to find something you know exists, very often it will think you're a robot and present you with a CAPTCHA, or just ban you completely (solving the CAPTCHA just gives you another, and no matter how many you solve it keeps refusing to search; but they probably benefit from all the AI help you just gave them, what bastards...) for a few hours.
Edit: I wonder if Google is using this as a sort of income source for pages that bring little to no ad revenue.
At work I just recently managed to trip it three times in one day, which I consider a record since in the past I've encountered it at most a few times a week. What's more infuriating is that my queries were far less complex than the ones that tripped it before (trying to find information about some API constants), basically one quoted term and one site: modifier. I can understand if I was querying 24/7 and hogging their servers (in which case a nice "please slow down" message would be much better), but it tripped within a few minutes of, admittedly intense, Googling.
The security device may notify the attacker device that the solution is incorrect regardless of whether the solution is actually correct.
In Google's case, it doesn't do that at all --- solve one CAPTCHA successfully and all you get is another, immediately. If you actually do deliberately give the wrong answers, it does tell you they were incorrect.
I wonder what can be done to stop it from doing that, besides the old tactic of evading IP bans by changing IP --- it's somewhat creepy to think that it's probably capable of detecting that too and banning the entire subnet. On second thought, it might be worth it... if it means I can get thousands of others blocked from Google for a nontrivial amount of time, all the more mouths to complain and maybe force some reconsideration. I am not a robot. I am not a competitor scraping your pages or doing anything else against your ToS. I am just an intelligent human with over two decades of Internet searching experience enthusiastically using your service for the exact purpose it claims to do: to find something on the Internet.
I have experienced Google doing the endless captcha when using Opera's built in VPN.
The first time I went through about 3 captchas and then I "knew" they were messing with me.
So, now, I just change my location in the VPN, and get back the searching...
Which shows how important it is for Internet health that we have search competitors to Google who maintain their own indexes. No one company should become the sole practical gateway to the Net.
Maybe it’s time to stop using Google and use another search engine which actually treat you like a human being, like DuckDuckGo.
Once you realize this it’s way less confusing, and in fact it even clearly states the instructions at the top of the CAPTCHA. But it’s super confusing and definitely a usability nightmare.
The goal, as I see it, is to increase the number of round trips to google required to solve a CAPTCHA, in order to increase the cost for those using CAPTCHA solving services.
These Google CAPTCHA's are deployed all over the internet, but you mostly won't notice them until you use a VPN. When you do, you get them at what seems to be their strictest setting: multiple rounds of 'click the object that is a car/storefront/road/mountain/road sign/bus/river', where all pictures clicked are replaced via a fade-out-fade-in that lasts about five seconds before you can continue evaluating the new picture.
Hmm, maybe I should start thinking up annoying things that future software might do for profit, and patent them now to stop companies from doing them for a while.
My favorite in this genre is IBM's patent on patent trolling: https://www.google.com/patents/US20070244837
https://www.google.com/patents/US20030133714
Of course it doesn't actually work, but figuring out why makes an interesting exercise.
http://www.flownet.com/ron/QM.pdf
Or if you prefer, this video:
https://www.youtube.com/watch?v=dEaecUuEqfc
I've always found that kind of interesting. The US lets you patent just about anything.
But in my home country, Australia, one of the patent requirements is that it actually appears to function in the way you are claiming it does. ("The application must be for something patentable, like a practical adaption, not for an idea or principle.")
I wonder if that has any impact on patent trolling, or if it's just as pervasive.
Basically, they've patented shadow-banning via CAPTCHA. And I'm left also wondering if they've taken the "that's not a bug, it's a feature" meme to a whole new level. I've run into the scenario described by this patent on a few occasions over the last year. I'll be given a CAPTCHA on Google's search results page that has no solution, and they're cleverly frustrating -- not just pictures of roads asking for you to identify lakes, but "click on pictures of street signs", you click, they disappear, new ones appear but there are no street signs left and the submit button yells at you to "make sure you check the new pictures". So you start wondering if it's a trick question; maybe they're using the phrase "street signs" in a manner you weren't previously familiar with?[0] I hate it when my search engine tires to screw with my head.
A hard-refresh resolves it (or I could have probably picked the audio version and been fine, but I have a difficult time understanding those). Running into this bug, the very first thought I had was "this would be a rather novel way of frustrating a bot", followed immediately by "that's got to be what's going on" (and a bit of profanity about how lovely it is to be a false positive)[1]. I mean, combine a freshly loaded PC with an obscure set of search terms and you tend to get a long CAPTCHA. Perform some action that triggers a CAPTCHA while logged in to Google and you'll get a CAPTCHA-less CAPTCHA (check the box to continue). It's only logical they'd have the opposite extreme of "we're going to reject this one because the maliciousness rating indicates that we're being visited by satan coding in brainfuck".
[0] It seems to be occur the most when searching for obscure, specific error messages with commands like "allintext:" (since Google likes to just pretend I didn't actually mean what I asked for) along with portions of the search in quotes. It also doesn't trigger until I hit page 3, or have performed the search a few times with changes only in what I'm including in quotes. It's been happening a lot since I started doing CUDA development. I guess Google really, really, hates bad CUDA developers. Joking aside, since I usually have to get a few pages in, I probably look like a search-engine scraper combining variations of rarely searched terms with no click-through traffic.
[1] I have a funny history with this sort of thing. I was banned from Bing Rewards years ago for ToS violations that I didn't violate. My guess was they assumed my search traffic automated for reward harvesting (because, you know, the rewards would have ever been worth wasting the time developing a bot). And it probably looked that way since obscure searches on Bing, way back when, rarely yielded any relevant results (a half-page of log files, often). Things over there have improved enough that I use it as a fallback when I don't feel like clicking pictures of storefronts, though the banning was a personal insult, so I have to be really cranky about the CAPTCHA interruption to "Ask Chandler".
edit: I felt that neither "satan" nor "brainfuck" deserved title casing.
Original Assignee: Juniper Networks, Inc.
It's an _incredibly_ frustrating experience for real users caught in this
I see this occasionally, but just change servers. And it's typically just temporary. Affected servers are OK in a day or so.
That's criminal deception.
The services were never truly to offer, and you've wasted a persons time and energy.
What if a store kept out undesirable customers by giving them an unsolvable puzzle? There'd be lawsuits.