Ask HN: Did HN just start using Google recaptcha for logins?
In ten years I've never been asked to solve a captcha to login in. Is this new? What happened?
I know that my input into conversations is not some critical feature of HN or anything, but this is enough of a barrier to keep me from bothering to login on most occasions.
Seems odd to enable google to track users logging into HN, but maybe it's always been this way and for some reason recaptcha is just flagging accounts from my network today.
110 comments
[ 3.3 ms ] story [ 81.6 ms ] thread[1] - https://www.gstatic.com/recaptcha/releases/5qcenVbrhOy8zihcc...
As Dang says it sounds like it's just a short term attack mitigation, glad to hear it's not intended as a permanent feature.
https://web.archive.org/web/20211120193211/https://matt.trau...
If you need to geo-shift or pirate or something less risky than being a literal dissident, I recommend being VERY careful not to do it where you sleep in case you slip up.
(And remember: your DNS queries go to the exit note or the VPN, not the ISP.)
Two milliseconds on Google will lead you to hCaptcha[1]
[1]https://www.hcaptcha.com
can't tell if is satire or not
https://www.hcaptcha.com/
https://blog.cloudflare.com/turnstile-private-captcha-altern...
Unfortunately if you're a user (as opposed to a website author) you don't get a choice.
If captchas weren’t a rare-ish occurrence for me, I’d buy a nopeCha subscription to solve that shit for me.
(disclosure: work there)
I do NOT consent to working for free for Google to train their AI.
I'd be willing to solve any CAPTCHA the product of which would be open source, or even useless.
But Google is a for-profit company which uses the solutions to create proprietary software and profit off of it, they won't pay me, and I have no way to opt-out of working for them because the most useful places of the Internet use their CAPTCHAs.
(Yes, I can intentionally put wrong solutions into their CAPTCHAs to poison their data, but I'm afraid they get so many valid solutions that they can just calculate the wrong ones out.)
I don't personally have an opinion on HN using the captcha, but their reasoning is pretty obvious, and almost certainly comes from a good place (reducing any spam on the site). That said, you're welcome to your opinions, it just seems like you have an option, based on your stated goal.
Consider it like this:
If someone forced you to do physical work against your will, you wouldn't like it any more just because they throw away the product of your labor in the end.
It would just make it more obscene.
If there was an economic value to using captcha solutions for labeling, somebody would be rotating novel tasks into the mix. But they don't seem to be.
(And if the goal of running the service was to generate labels, they would not have built solutions to make it possible to pass the captchas without a puzzle, like recaptcha v3.)
So rest assured, your work in solving the captchas is totally b useless, just like you wanted!
I can assure you that if CLIP and ALIGN exist, there is objectively no reason for them to collect what would amount to a dataset for...solving Google CAPTCHA's? Which I'm pretty sure is a solved problem even without the data.
What would a task that uses humans to solve that problem actually look like? I'm guessing it would need to be short videos, not images. And look for things with some ambiguity. "Select any videos where a pedestrian looks like they intend to cross the street".
Waymo: “I see you have that hammer, we have a usecase for it”
Google: “Ok, but we aren’t changing the hammer or how hard it is to use it”
I think at this point it is clear we are not training image recognition so much as providing them with free scoring for their image generation algorithms.
Now, if it is a captcha provider whose advertised business model is to sell access to the users for labeling and split the profits with the website that integrates their captcha (e.g. hCaptcha), then I can believe somebody would submit a image generation eval dataset. But it seems irrelevant to discussion of whether solving a Recaptcha is free work.
This prompt of course could still be for classification of images.
But then the "ladybugs" often were heavily distorted to the point where they did things like morph into other animals or the background. They did not seem possible to be photos, but I could be wrong. The prompts were very odd.
Its not for free.
In this case, you get access to HN when it is under attack.
If you don’t consent to those terms, that's your choice, you can wait and come back later.
That is, it is about the specific content of the complaint, not a meta-level commentary on the appropriateness of complaining about practices you disapprove of.
What bothers me about recaptcha (other than the obvious first order task) is that I believe it's used to penalize people who don't let google track them, and by extension to make other browsers look worse. It's an abuse of their market power.
Like how I gave up using protonmail because my emails kept getting classified as spam by anyone using gmail or gmail-backed organizational email.
Also, I think we shouldn't underestimate the monetization value of being able to target "HN users" for advertising. From the moment we are flagged, Google can exploit this data pointer for targeted advertisment on any other website/app.
This information should be given at the highest cost possible:)
That doesn't grok - Millions of people use safari daily and pass recaptcha challenges. You probably have a content blocker set too aggressively or something like that preventing you from it - it's not safari.
Btw I also fume when I have to work as an unpaid manual image recognizer, so I'm open to alternatives.
Followed by a modern reimagining of the classic 88x31 animated gif mini-banner button as a not so subtle pixel.gif tracker.
https://www.yewknee.com/_img/blog/blog_webbuttons020.png
"Once you’ve deployed Turnstile, you can go back to the dashboard and see analytics on where you have widgets deployed..."
So less a gift, more another sensor.
I don't think people are disputing the necessity, just the mechanism used.
The other services (hCaptcha) are effectively drop-in replacement with minimal code changes.
https://github.com/xHossein/PyPasser
Be sure to include a few macros, otherwise the JS crowd will still be able to reverse engineer their way in.
I'll send details in an email.
- Select everything that is a color im sure there are more clever open-ended questions and maybe sometimes switch up "is" with "is not".
- Red
- Blue
- Monkey
- Violet
- Armchair
People say that bots can learn such things but if every site had their own in-house tool then bots would have to keep track of thousands of site specific puzzles. Each site could even rotate through a dozen sets of different puzzle types and pause the ones that get learned. This would avoid sending cookies to a third party or depending on 3rd party code thus mitigating some corporate capture.
Bonus complexity: Don't use Alpha-Numeric characters. Use something like "figlet" [1] and cycle through a few of its ASCII art fonts.
[1] - https://github.com/xero/figlet-fonts
Costs money to maintain and build correctly, which naturally leads to buying existing solutions.
I found a few starter ideas [1][2] and concepts [3] but I would prefer to use something like figlet vs gd generated images. Figlet or something like it should be much lighter weight. I just have to find one that is readable on cell phones.
[1] - https://github.com/lua-programming/lua-captcha
[2] - https://github.com/mrDoctorWho/lua-captcha
[3] - https://nedbatchelder.com/text/stopbots.html
And sure, qntm.org isn't nearly as big a website as HN, but I concur that this isn't likely to be super-difficult. The wide use of recaptcha seems like mostly laziness; most websites aren't big enough to get targeted attacks.
Lastly, what I would do is have users pick a login image, in addition to the password login, they have to pick a correct image in addition to password.So it would still be the process I suggested except a failed login is allowed one time so long as the correct login image is selected. Also, the login images will be slow to load during times of attack on purpose to identify clients that are guessing before the image is served and to slow down their attack. I would also maintain a list of IP+UA that have repeatedly logged in succesfully to exempt or prioritize them depending on the attack.
(Condolences on the attack/headache.)
Also: OTP 2FA?
No I mean when a specific user has a failed login attempt that user has to wait 5-30 seconds before being able to try again. A legitimate user would only be affected if a bot is trying to log in as them.
This is not a novel measure, rest assured that the people that choose to implement captcha instead are aware of its existence and chose for the captcha instead.
Bots will not have access to TouchID, Windows Hello, or a Yubikey but most humans have one of those in the device in front of them right now.
Fallback to captcha for edge cases, but then at least /most/ people can skip it.
Example: https://cloudflarechallenge.com/
There's nothing about the WebAuthn protocol that forces hardware backed key storage, other than everyone collectively agreeing it's a good idea. A bot author would just ignore that.
Firefox already includes this functionality, gated by flag (security.webauth.webauthn_enable_softtoken).
Not possible if vendor signature checking is enforced. All major webauthn device manufacturers sign the keys of all the devices they produce. You can prove a given device is unique and issued by Apple, Yubico, Google, Microsoft, etc.
First, I'm sorry to hear HN was under attack. That's never fun.
Second, I understand your reasons for temporarily turning on the CAPTCHA, even though as a user I really dislike it - especially reCAPTCHA.
Given the latter, I hope you will consider alternatives. Regardless though, it would be nice to add a message to the login page explaining that the CAPTCHA is temporary because the website is under attack. That would allow me to keep 3rd-party stuff blocked by uBO on the login page and still know what's going on. I would probably just keep the pages I'm interested in on a tab and come back to them later, when the CAPTCHA is gone.
In any case, as always, thanks for your work keeping this forum alive and healthy.
I'll whitelist your account for now (i.e. until the server restarts). If anyone else wants that, email hn@ycombinator.com and I'll do it as soon as I'm back online.
(It looked like the attack had died down but then it un-died back up again)
Edit: Yep, it's real. Seriously?
Edit 2: Understandable, see https://news.ycombinator.com/item?id=34313452.
Then again, venture capitalists have always been overly focused on confidentiality, integrity, and availability[1], while floundering when the subject of non-repudiation[2] comes up.
(It seems based on my lived experience, the rule is "if the lie is to my benefit, it's ok"? Not cool fellas.)
[1] https://informationsecurity.wustl.edu/items/confidentiality-...
[2] https://www.cse.msu.edu/~cse870/Public/Lectures/Security/Non...
If you want drop in replacement, Cloudflare a turnstile as mentioned. Otherwise fully behind Cloudflare. CDN won't help much due to nature of content but WAF rules can be used to easily turn on invisible captcha based on rules.
I was not prompted to do a CAPTCHA logging in on the clearnet, but this may be my last batch of posts I do if that ever changes... for I will never consent to asking GOOG if I can post here.
Let us set aside the myriad of issues with visual CAPTCHAs and how they exclude folks with disabilities such as blindness.
There are other solutions like Hcaptcha[1] that do not use GOOG, a company which has strayed so far from it's "Don't be evil" mission that they went from supporting Mozilla via the search deal to moving the Chrome team into the same building, poaching key employees, and aggressively pushing folks so young they can't ask for help without violating COPPA to switch to a browser that would allow them to monitor them from cradle to the grave.
I greatly sympathize with the goal of an authentic dialog... trust me.
But using GOOG to accomplish it is not going to do that.
(The true threats to HN, like any democratic space, come not from automatons, but human beings. Only when you stop giving undue attention to the wrong... metrics... will you find the ecstatic truths you claim to seek.)
- "Greg"