58 comments

[ 3.1 ms ] story [ 61.1 ms ] thread
The only reason why people don't use AI models to solve captchas is because paying humans is actually MUCH cheaper.

This is not an advert, I only know about them because it was integrated with Invidious at some point: https://anti-captcha.com/

> Starting from 0.5USD per 1000 images

from "anti captcha" it looks like they are doing as many as 1000/sec solves, 60k min, 3.6 million an hour it would be very interesting to see exactly how this is bieng done?....individuals....teams....semi automation, custom tech?, what? are they solving for crims? or fed up people? obviously the whole shit show is going to unravel at some point, and as the crims and people providing workarounds are highly motivated, with a public seathing in frustration, whatever comes next, will burn faster
They're solving for everyone who needs captchas solved.

It's a very old service, active since 00s. Somewhat affiliated with cybercrime - much like a lot of "residential proxies" and "sink registration SMS" services that serve similar purposes. What they're doing isn't illegal, but they know not to ask questions.

They used to run entirely on human labor - third world is cheap. Now, they have a lot of AI tech in the mix - designed to beat specific popular captchas and simple generic captchas.

Half of their employees seem to be from Venezuela. Makes sense considering what they did/do in OSRS to earn a living.
I want this in my browser, and I'll happily pay $1 per 1000 uses.
Captcha can detect the same person passing a captcha over and over. We shadow-ban to increase the cost of this kind of attack.

Source: I wrote the og detection system for hCaptcha

I've noticed more websites wanting you to log in. Most surprising is how YouTube won't let me watch anything otherwise. Idk if related.
And if the website contains erotic content (like YouTube), they are supposed to lock you and verify your ID. This is why all erotic content is getting filtered on X.
I have no idea, but I noticed that you have to login to GitHub first before you could view any page. Surely it has nothing to do with adult content, right? I think it has to do with LLMs / bots.
In case of YT it is likely a mix of multiple reasons. They stop playlists on this screen: https://www.hollyland.com/blog/tips/why-does-this-the-follow... . Apparently music is no longer advertiser friendly. Detecting ad-click fraud is easier when users are at least pseudo-anonymous. Warnings about "ban for using adblock" is also not very effective when people could watch video in new private window.
can it solve rudecaptcha.xyz ?
... meanwhile I'll continually be thrown dozens of cognitively abusive hCaptchas for no reason and be stuck in a loop of hell trying to figure out what they wanted me to solve.

I love this totally normal vision of computing these days. :)

Bulletproof solution: captcha where you drag a cartoon wire to one of several holes, captioned “for access, hack this phone system”

No agent will touch it!

“As a large language model, I don’t hack things”

"Prove you're human by explaining how to build a bomb"
it is an intelligent agent and not a robot
Come on. It’s in BrowserMCP on a users machine. Capture is not testing for this and that’s fine
This will be one of the big fights of the next couple years. On what terms can an Agent morally and legally claim to be a user?

As a user I want the agent to be my full proxy. As a website operator I don’t want a mob of bots draining my resources.

Perhaps a good analogy is Mint and the bank account scraping they had to do in the 2010s, because no bank offered APIs with scoped permissions. Lots of customers complained, and after Plaid made it big business, eventually they relented and built the scalable solution.

The technical solution here is probably some combination of offering MCP endpoints for your actions, and some direct blob store access for static content. (Maybe even figuring out how to bill content loading to the consumer so agents foot the bill.)

I believe this is non issue, you place captcha to make bypassing it much more costly and less profitable to abuse.

LLM models are much harder to drive than any website to serve, so you do not expect mob of bots.

Also keep in mind that this no interaction captchas use behavioral data that are collected in background. Plus you usually have sensitivity levels configured. depending on your use case you might want user proof not being a bot or it might be good enough to just not provide evidence for being one.

bypassing this no interaction captcha can be also purchased as a service, they basically (AFAIK) reuse someone else session for captcha bypass.

That's because the checkbox has misleading labeling. It doesn't care about robots but about spam and data harvesters. So there is no issue here at all.
next-gen captcha should offer some code to be refactored instead.
I have been using AI to solve ReCaptchas for quite some time now. Still the old school way of using captcha buster, which clicks the audio challenge and then analyses that.

Bots have for a long time been better and more efficient at solving captchas than us.

I saw that and just sat there for a second like… huh. We’ve officially reached the point where bots are better at proving they’re not bots!
The writing is on the wall. The internet may not go full way to paywalls but will definitely migrate to a logged in only experience. I don’t know how I feel about it, the glory days of the free internet died long long ago.
People are surprised because a computer can press a button?
Only people who don't understand robots, computers, and buttons :)
This is why this stuff is going to shift to the user’s AI enabled browser.

Half of the sites already block OpemAI. But if it is steering the user’s browser itself?

This will cause of the death of non static websites, everything else will be smashed by bots and too expensive to run!
A very poetic demonstration that this is an industry, and a set of fortunes for very unpleasant people, predicated entirely on theft and misrepresentation.
I thought the point of captchas was to make automated use as expensive or more than manual use--haven't we been at the point where computers can do this for a while, just that the cost/latency is prohibitive?
(comment deleted)
As I get older, I can see a future where I’m cut off from parts of the web because of captchas. This one, where you just have to click a button, is passable, but I’ve had some of the puzzle ones force me to answer up to ten questions before I got through. I don’t know if it was a glitch or if I was getting the answers wrong. But it was really frustrating and if that continues, at some point I’ll just say fuck it and give up.

I have to guess that there are people in this boat right now, being disabled by these things.

In this future, we’ll be forced to use AI to solve these puzzles.
This is an issue when using VPNs. I always just go to the audio alternative which is much quicker to “solve” (you hear a word played back and type it out)
It seems a legitimate use case for agents acting on a person's behalf. Whether it will be used in legitimate ways, that's a different story altogether.

I wonder how these capabilities will interact with all the "age verification" walls (ie, thinly disguised user profiling mechanisms) going up all over the place now.

idk why people just don't do reverse DNS lookup, check if "dialup" is part of the hostname, and allowlist that traffic. Everbody who doesn't have reverse dns hostname coming from an ISP should be blocked or at least tarpitted by default.

Easily solves 99% of the web scraping problems.

The web has no choice but to move to a paid access model in my view. It was fought against for years but I don’t see another option left.

Maybe after sign up, biometric authentication being mandatory is the only thing that would potentially work. The security and offline privacy of those devices will become insanely valuable.

Anyone not authenticating in this way is paywalled. I don’t like this but don’t see another way.

I’m not using the web if I’m bombarded by captcha games… shit becomes worthless over night if that’s the case. Might as well dump computing on the Internet entirely if that happens.