To play devil's advocate; it is better to have some kind of fallback when the automated, non-interactive verification does fail.
Anecdotally from many posters here and as I've personally experienced, automated verification (as attempted by some captchas which entirely eliminate any user interaction) is not foolproof, and an escape hatch is necessary from time to time.
While it could be argued that this leaves the captcha vulnerable to automated solving, the fact that there is a small cost to acquiring a GPU server, a captcha solving service, or a image segmentation model does act as a deterrent (even if small).
I’ve been thinking a better solution might be to architect solutions so that you can roll back changes from any user account (in toto would be easiest, but by time range might also be good for compromised accounts) and like shadow banning, you let the machine in and you flag their account as, “I don’t think this is a human”
One you’re pretty sure that the person is real they can do more and more permanent things in your system.
I abandon 1 in 10 captchas recently. They're becoming so abstract and confusing, few are on sites that I critically need to persevere with. Of the ones I do, I need to regenerate about a third as I'm slightly colour blind, but apparently enough to not see whatever they need me to see.
Mostly I won't sign up to a service that has a captcha unless I know in advance it's a service I need (unlikely), it's an immediate click away.
I'd rather have one time magic links and codes via text and email than a captcha.
Inconvenience that is robotic on my behalf (copy a code from here to there and treat this as part of "something you have") is much preferred over something that is demanding on my behalf (interpret this puzzle we're showing you, and pause the context you were in to now solve the puzzle).
The worst recent offenders are a grid of 9 abstract representations of something with the instruction to click the one that is correct (right way up), which is only as good as those generated images. Next up is the ones where you need to click images that are in certain "orbits" depending on what the object in orbit is. And of course the never-ending hell of solving Google Captchas where you must pick American English items and perform several leaps of "maybe the computer thinks this is a staircase or bridge?" when what you say and it thinks clearly disagreed.
Captchas are nothing but friction, they've become too hard for humans and too trivial for machines, and the result is that they are only friction to humans... the very humans you want to extract time, money and attention from.
Yeah, because while Google deprecates and throws out everything that is considered useful, it never throws out stuff that is old, cumbersome to use and just plain outdated, like their recaptcha madness. It's all about annoying people, and they love that. Just like their search results, those are also annoying and borderline useless.
If you live in Europe or a country that has discrimination laws against less abled users, you should raise a complaint if a website uses Captcha's. I believe captchas are unnecessary and make life more difficult for visually and motor impaired users.
However, there are loads of captcha solving services you can sign up to that just solve them for you for basically free. For example, 2captcha. You install a browser extension and it just solves them for you.
lol. I did after being hellbanned by recaptcha for clearing cookies. they reply that there's nothing to be done. and you are expected to start legal action.
all just so they can save 50c on bandwidth for bots against a public data website.
Sony protects itself from customers seeking warranty repairs with 5 tests in a row, some of which are unsolvable[0]. You then get "this wasn't quite right" notification after 5 tests, on logged-in account with valid credit card assigned and billed by Sony, when even one of these captcha tests was broken.
After I did my best to solve 25 tests, I learned that non-warranty support form is equally customer-hostile. When I called them by phone, they told me that filling out the form is the only way to open warranty case.
I went to their physical store and only after hearing magic phrase "full refund", they were interested in doing warranty repair. I went with the refund. Fuck Sony.
Naah, store clerks nor folks answering the phones bear no responsibility for this situation. I do what I did here in such cases - present my opinion and relevant proof to potential future customers. And on broader scale than local store with few window-shoppers.
Infuriating! This should absolutely be against some kind of law and I think it is - at least in my country. Avoiding legal responsibilities by putting them behind (sometimes) unsolvable challenges should be treated as not fulfilling them at all.
Oh yeah the viaduct vs bridge thing is infuriating. Also what exactly constitutes a traffic light? Do you include the pole? Is the square with a tiny bit of the light included? This could be a philosophical discussion.
> We explore the cost and security of reCAPTCHAv2 and conclude that it has an immense cost and no security. Overall, we believe that this study's results prompt a natural conclusion: reCAPTCHAv2 and similar reCAPTCHA technology should be deprecated.
Not sure I 100% agree with the conclusion. IMO they currently still offer some level of security against unsophisticated actors, not no security.
And something can be bad and still be the best choice - we probably need some valid alternatives before we abandon captcha entirely - although i'm not sure what that alternative would be.
IMO the conclusion is a little bit like 'if lockpicks exist, locks offer no security and should be depreciated' - but at the moment locks and captcha still offer a level of security against unsophisticated actors.
Captcha is nothing like a lock. It's a little guy that gives you a run around before you get to insert your key. It does very little to stop the bad actors (if there's a payday at the other end of the runaround, they'll do it), but annoys (and is a slap in the face for) every single legitimate user.
It takes a script kiddy considerably more effort to circumvent a captcha than just automating a site via curl or chromium. This difference is the increase in cost of an attack. This is the security gain.
And then google changes something in the Captcha code and it stops working, then you change solve libraries and then you get it back up but need more complex hosting infra because solves take 10 seconds and you have to simulate human behaviour, then that goes down, then you have to use some new solve service which is a paid API, and then your VM is detected by Google as a bot and suddenly you are blocked across all websites using Recaptcha, so then you have to rebuild your infra...
It's now so trivial to solve them, and extremely cheap. You can install a chrome extension, give some solving service a $1 and basically never need to reload.
Not only that, but adding insult to injury - the whole captcha process is being abused by Google for their surveillance capitalism.
Just load a captcha-blocked page in a fresh browser with no google accounts every being used - you got like a 1% chance of getting through. Login to google, and BOOM you're in.
"In terms of cost, we estimate that – during over 13 years of its
deployment – 819 million hours of human time has been spent on
reCAPTCHA, which corresponds to at least $6.1 billion USD in
wages. Traffic resulting from reCAPTCHA consumed 134 Petabytes
of bandwidth, which translates into about 7.5 million kWhs of
energy, corresponding to 7.5 million pounds of CO2. In addition,
Google has potentially profited $888 billion USD from cookies and
$8.75-32.3 billion USD per each sale of their total labeled data set."
You could make the exact same argument about locks (which are trivially defeated) - add up all the time that people spend unlocking doors and I'm sure you'd end up with a huge amount of time; add up all the money that people spend on locks and keys and I'm sure you'd end up with a huge amount of money. Should we logically conclude that locks are just a giant grift by Big Key? I'm sympathetic to the ickiness of captchas, but the paper never addresses the counterfactual of what might happen if there were no captchas at all.
Yes, it's shit and annoying, just trash it already. There are much better and much more enjoyable captchas around. Like spin the panda around until it reflects the one shown on the image.
As it becomes harder and harder to prove that I'm human, I wish the CAPTCHAs could tell me what I've become instead. I have written so many scripts. Maybe I'm becoming one and the CAPTCHAs are merely accurate.
> I wish the CAPTCHAs could tell me what I've become instead.
Why would you have "become" anything? It is not humans who changed. It is the computers who caught up with our skills. (at least the ones which are easy to verify automatically.)
It could be read as a play on a particular movie monologue, intentional or not. Dr. Ford in Westworld Season 1, ep 10. Possibly adapted from prior stories.
> you [people; …] cannot change. Cause you're human afterall. […] So I began to compose a new story for them [aka. artificial intelligence]. It begins with […] the choices they will have to make; and the people they will decide to become.
> reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
This reads exactly like reCaptcha v2 without the fallback. It looks like google is done with labeling data for image recognition.
V2 has lots of reliance on google services to determine if it thinks you are a bot, and maybe jumps to check these boxes for us too quick, v3 as I understand is based on human heuristics to determine the percentile chance someone is a bot and you catch that chance in your code and decide what you want to do based on it.
The failure of cryptocurrency to provide a micropayments platform for the web is quite frustrating. That $5 per month should be flowing to content producers, but it's paying the energy bill of some GPU farm instead.
Hmm, tempting, but it seems clearly intended for use by scrapers? Even the bottom $4.99/mo tier is for "2,000 solves a day"[1] which is slightly more than the 5-10 I'd say I run into on a bad day as a human... Something like $1/mo for 50/day would seem like it was really meant for legit use.
> reCAPTCHAv2 checkbox presents itself as a complete vulnerability disguised as a security tool ... It can be concluded that the true purpose of reCAPTCHAv2 is as a tracking cookie farm for advertising profit masquerading as a security service.
Woof, some super high quality "research" going on here. Their basis for this claim is that they found a paper from 2016 where the authors did some cookie aging, found it worked and passed that on to Google, who then fixed it. The authors cite this "blatant vulnerability" but then seem to assume that ReCAPTCHA being versioned means that v2 has never changed since it launched? Then they discover the amazing fact that CAPTCHAs require energy and disappear down a conspiracy theory rabbit hole before concluding the entire product - that people pay money for - is actually useless.
The reality is that academics can't contribute much directly to modern anti-spam work and that has been true for a long time. They aren't genuinely spammers so tend to act in ways that don't trigger anti-spam systems (which is correct behavior). The possibility that their simulations of bad activity aren't accurate enough just doesn't occur to them, so then they run around reporting "vulnerabilities". Usually it's easier to tweak the system to make them happy than have them go to the press and cause a scene, so they think they're doing useful work, but it's actually just distracting employees from the actual job of spam fighting. Back in 2020 Twitter publicly lost patience with this type of university output and slammed it as "extremely limited" and "behind the curve" [1]. Citing an eight year old paper as if it's still relevant is a classic example of this problem. The publish-and-cite model is designed for investigating natural laws, not black box commercial systems that can change on a weekly basis or faster. Their supervisor should really have stopped them citing something that old.
The other problem is that because researchers don't understand spammers very well they tend to assume that anything they can do, spammers can also do. In reality spam is purely a profit/loss optimization problem. Spammers are business people who want to make money. The goal is to throw just enough speedbumps in their path to make their profit margin negative, at which point they give up and the spam goes away, without also tipping your own numbers into the red by over-spending or hurting the UX too badly. Making things tougher than necessary risks pushing your own margins negative, making things easier than necessary risks users getting annoyed at the spam and leaving. The goal is to ride the edge of the wave as closely as possible. When spammers find a trick that works they keep it as a trade secret and sell the results of using the trick, not the trick itself, and so disrupting the relationships between black market suppliers is an important tactic. CAPTCHAs in particular are just a throttle intended to slow down low grade spam; if you're actually spending 20-30 seconds automatically solving image puzzles with an 80% success rate you haven't beaten anything, because slowing you down that much was the goal in the first place.
This environment is nothing like academia, where people are getting funded by the government to spend months doing work basically for the heck of it. In academia it's reasonable to spend a year gathering data, running experiments, training ML models, solve a tiny subset of the actual problem spammers face, ignore the cost of doing all that because it's government subsidized, and then announce you've defeated something. If they were really spammers they'd given up and moved on to a different scheme long before that (in a surprising number of cases, this new scheme will be getting a proper job). So whether they realize it or not, all this line of work really does is funnel tax money into the spam ecosystem - exactly what we don't want.
"The conclusion can be extended that the true purpose of reCAPTCHAv2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service."
Neither does the summary:
"We estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages."
"Google has potentially profited $888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."
I have never once considered this a "bounding box" task (the prompt of "Select all squares with X" certainly doesn't imply it do be), and now I'm wondering if this is the cause of false failures, or if the researchers failed to understand the task. There's a citation on the "Image Bounding Box Task" … but it doesn't lead anywhere useful.
Again, [citation needed]? What makes you think it's a bounding box to begin with?
Even the example image in TFA's answer isn't a bounding box, assuming you select
.XX.
..X.
..X.
....
(But I've been served images with more "interesting" configurations, such as discontinuities.)
(Not to mention that the paper, Wikipedia, & the common understanding of reCAPTCHA disagrees with your interpretation. Some images presented are going to be labeling tasks and thus inherently cannot be verification. But perhaps my particular failures can be assumed, somehow, to always be verification tasks and the point stands.)
Each image is a bounding box around an object selected from a larger image (different image for each square). There is no bounding box in the grid you are shown.
If they move the motorcycle around each time it is shown then they can determine the minimal bounding box at pixel resolution. I.E. you select the boxes with the motorcycle, then I see the same image shifted over a pixel, repeat.
64 comments
[ 2.9 ms ] story [ 124 ms ] thread[0]: https://github.com/dessant/buster
Anecdotally from many posters here and as I've personally experienced, automated verification (as attempted by some captchas which entirely eliminate any user interaction) is not foolproof, and an escape hatch is necessary from time to time.
While it could be argued that this leaves the captcha vulnerable to automated solving, the fact that there is a small cost to acquiring a GPU server, a captcha solving service, or a image segmentation model does act as a deterrent (even if small).
Captchas should be deemed an ADA violation.
they already exist (most are paid though with maybe a free quota).
One you’re pretty sure that the person is real they can do more and more permanent things in your system.
Mostly I won't sign up to a service that has a captcha unless I know in advance it's a service I need (unlikely), it's an immediate click away.
I'd rather have one time magic links and codes via text and email than a captcha.
Inconvenience that is robotic on my behalf (copy a code from here to there and treat this as part of "something you have") is much preferred over something that is demanding on my behalf (interpret this puzzle we're showing you, and pause the context you were in to now solve the puzzle).
The worst recent offenders are a grid of 9 abstract representations of something with the instruction to click the one that is correct (right way up), which is only as good as those generated images. Next up is the ones where you need to click images that are in certain "orbits" depending on what the object in orbit is. And of course the never-ending hell of solving Google Captchas where you must pick American English items and perform several leaps of "maybe the computer thinks this is a staircase or bridge?" when what you say and it thinks clearly disagreed.
Captchas are nothing but friction, they've become too hard for humans and too trivial for machines, and the result is that they are only friction to humans... the very humans you want to extract time, money and attention from.
It's about stealing from you.
However, there are loads of captcha solving services you can sign up to that just solve them for you for basically free. For example, 2captcha. You install a browser extension and it just solves them for you.
Still ridiculous you have to do this.
all just so they can save 50c on bandwidth for bots against a public data website.
After I did my best to solve 25 tests, I learned that non-warranty support form is equally customer-hostile. When I called them by phone, they told me that filling out the form is the only way to open warranty case.
I went to their physical store and only after hearing magic phrase "full refund", they were interested in doing warranty repair. I went with the refund. Fuck Sony.
[0] https://sysartist.com/tmp/sony_puzzle.png
[0] https://sysartist.com/tmp/sony_puzzle2.png
Also you should report them to consumer protection watchdogs.
Not sure I 100% agree with the conclusion. IMO they currently still offer some level of security against unsophisticated actors, not no security.
And something can be bad and still be the best choice - we probably need some valid alternatives before we abandon captcha entirely - although i'm not sure what that alternative would be.
IMO the conclusion is a little bit like 'if lockpicks exist, locks offer no security and should be depreciated' - but at the moment locks and captcha still offer a level of security against unsophisticated actors.
The hard work of solving captchas automatically was already done, for free (linked in this very thread).
Compared to 10 minutes and selenium.
Just load a captcha-blocked page in a fresh browser with no google accounts every being used - you got like a 1% chance of getting through. Login to google, and BOOM you're in.
"In terms of cost, we estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages. Traffic resulting from reCAPTCHA consumed 134 Petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO2. In addition, Google has potentially profited $888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."
Why would you have "become" anything? It is not humans who changed. It is the computers who caught up with our skills. (at least the ones which are easy to verify automatically.)
> you [people; …] cannot change. Cause you're human afterall. […] So I began to compose a new story for them [aka. artificial intelligence]. It begins with […] the choices they will have to make; and the people they will decide to become.
> reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
This reads exactly like reCaptcha v2 without the fallback. It looks like google is done with labeling data for image recognition.
Rise of the machines soon.
1: https://nopecha.com/pricing
Woof, some super high quality "research" going on here. Their basis for this claim is that they found a paper from 2016 where the authors did some cookie aging, found it worked and passed that on to Google, who then fixed it. The authors cite this "blatant vulnerability" but then seem to assume that ReCAPTCHA being versioned means that v2 has never changed since it launched? Then they discover the amazing fact that CAPTCHAs require energy and disappear down a conspiracy theory rabbit hole before concluding the entire product - that people pay money for - is actually useless.
The reality is that academics can't contribute much directly to modern anti-spam work and that has been true for a long time. They aren't genuinely spammers so tend to act in ways that don't trigger anti-spam systems (which is correct behavior). The possibility that their simulations of bad activity aren't accurate enough just doesn't occur to them, so then they run around reporting "vulnerabilities". Usually it's easier to tweak the system to make them happy than have them go to the press and cause a scene, so they think they're doing useful work, but it's actually just distracting employees from the actual job of spam fighting. Back in 2020 Twitter publicly lost patience with this type of university output and slammed it as "extremely limited" and "behind the curve" [1]. Citing an eight year old paper as if it's still relevant is a classic example of this problem. The publish-and-cite model is designed for investigating natural laws, not black box commercial systems that can change on a weekly basis or faster. Their supervisor should really have stopped them citing something that old.
The other problem is that because researchers don't understand spammers very well they tend to assume that anything they can do, spammers can also do. In reality spam is purely a profit/loss optimization problem. Spammers are business people who want to make money. The goal is to throw just enough speedbumps in their path to make their profit margin negative, at which point they give up and the spam goes away, without also tipping your own numbers into the red by over-spending or hurting the UX too badly. Making things tougher than necessary risks pushing your own margins negative, making things easier than necessary risks users getting annoyed at the spam and leaving. The goal is to ride the edge of the wave as closely as possible. When spammers find a trick that works they keep it as a trade secret and sell the results of using the trick, not the trick itself, and so disrupting the relationships between black market suppliers is an important tactic. CAPTCHAs in particular are just a throttle intended to slow down low grade spam; if you're actually spending 20-30 seconds automatically solving image puzzles with an 80% success rate you haven't beaten anything, because slowing you down that much was the goal in the first place.
This environment is nothing like academia, where people are getting funded by the government to spend months doing work basically for the heck of it. In academia it's reasonable to spend a year gathering data, running experiments, training ML models, solve a tiny subset of the actual problem spammers face, ignore the cost of doing all that because it's government subsidized, and then announce you've defeated something. If they were really spammers they'd given up and moved on to a different scheme long before that (in a surprising number of cases, this new scheme will be getting a proper job). So whether they realize it or not, all this line of work really does is funnel tax money into the spam ecosystem - exactly what we don't want.
Source: wor...
"The conclusion can be extended that the true purpose of reCAPTCHAv2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service."
Neither does the summary:
"We estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages."
"Google has potentially profited $888 billion USD from cookies and $8.75-32.3 billion USD per each sale of their total labeled data set."
> Select all squares with motorcycles
I have never once considered this a "bounding box" task (the prompt of "Select all squares with X" certainly doesn't imply it do be), and now I'm wondering if this is the cause of false failures, or if the researchers failed to understand the task. There's a citation on the "Image Bounding Box Task" … but it doesn't lead anywhere useful.
Even the example image in TFA's answer isn't a bounding box, assuming you select
(But I've been served images with more "interesting" configurations, such as discontinuities.)(Not to mention that the paper, Wikipedia, & the common understanding of reCAPTCHA disagrees with your interpretation. Some images presented are going to be labeling tasks and thus inherently cannot be verification. But perhaps my particular failures can be assumed, somehow, to always be verification tasks and the point stands.)
You also don't get to see the larger images.