
Just say no
to any form of CAPTCHA. As the article says, the puzzles can be filled in by bots these days so where is the security in that eh?
As for Google?
FSCK to the entire company
Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it's harvesting information while extracting human labor worth billions. The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart …
I get those bloody ones where they want squares with traffic lights or "crosswalks" ... I had to Google to find out what the hell they were asking me the first time, but then for a global company they have form in doing stupid non-international things like "pick squares with taxis" (translation: all the yellow cars).
Anyway, all too often I get a picture with a tiny bit of the thing requested in another square. Does that count? Often I get given another challenge, so I'm guessing it didn't count...so why not?
I'm glad that the newer tests (like when updating the free No-IP account every 30 days) simply think for a moment then give me a tick instead of stupid pictures, or worse, text so mangled that even a meatsack couldn't make sense of it.
I dunno, I could go for CAPTCHAs like this one.
Ahem, you wouldn't happen to know where I can come by one of those Captcha solving bots? Being human, I'm not especially good at solving them, so a bot to handle the damn things would be a most welcome addition to my workflow. (Linux or ChromeOS only, thanks. I used to try to keep a Windows machine around for emergencies, but I only needed it about once every two years, and the misbegotten box invariably failed to do anything remotely useful when I did try to apply it to some problem.)
I assume then that El Reg will be removing reCAPTCHA from the corrections link at the top of this page. Then I can finally load that page without having to unblock Google in my browser.
reCAPTCHA started as a way for illegible text to be translated by the general public. Difficult words in hand-written books were injected into the list, so we could all have a crack at translating it. It was exploitative before Google bought it (obviously Google optimised the exploitation). It’s now mainly a way for Google to track people on websites that don’t include other Google trackers.
Similar with store fronts and other nonsense. It has degenerated to ‘prove you are a human by classifying images identically to our US-data mistrained neural network – and rarely as a human being would, especially someone with a different cultural background’.
Unlikely, as they're pretty US-centric already. And they probably wouldn't want to risk confusing Americans by expecting them to understand other cultures in the way that they expect non-Americans to understand US culture, e.g. asking users in the UK to identify "crosswalks" rather than "pedestrian crossings", even though it would likely be trivial to adjust the wording based on geolocation.
(Not to mention that underground access fire hydrants like the ones used in the UK (and the signs used to denote them) are unlikely to be clearly visible in the thumbnail-sized images Google use, even if you're familiar with what they're looking for).
Click on all crosswalks / click click click / click on more crosswalks / click click / click on more crosswalks.
Now click on crosswalks while I slowly show new images of crosswalks. Did it? OK, now let me present new images even more slowly. Fading out and in a new one every two seconds.
Now click on all squares that contain a crosswalk. Now restart from scratch since the computer is still not sure you're a human.
I removed Google's reCAPTCHA from my sites and replaced it with Cloudflare Turnstile instead. It seems to work as well if not better than reCAPTCHA for stopping spam bots and there aren't those awful click on the 'cross walk' puzzles. Which BTW Google we don't all live in America, since they are called zebra crossings here in blighty.
Same.
Google's captcha failed to recognise me as human twice within a week last month.
Asking me what parts of an image contain an object, only reveals that I don't agree with the majority of people asked the same question for the same image.
I'm not even trying to fail. Every time, there is a square that barely contains a few pixels that belong to the object. Sometimes, I select the square, sometimes I don't. My answer is always "wrong". But that's OK: if Google doesn't recognise me as human, I can totally destroy the entire company without any legal repercussion, right? Right?
Yeah, I noticed that too. When I'm using the work computer with the work approved browsers (Edge or Chrome), I seem to always pass the Captchas first time. At home, with FreeBSD and Firefox, it's probably a fail at least 50% of the attempts. Having NoScript and uBlock Origin might also be a factor in Google choosing to reject my correct answers too. Mostly I just give up where it's practicable to get what I want from somewhere else.
The worst is when the Google captcha makes you work with no intention of ever letting you pass - for example when you're behind a VPN.
The pictures you click keep reappearing, you can get unlimited challenges in a row, basically you can waste 10 minutes and it still won't stop. The audio captcha is more forgiving (as in: it actually allows you to enter the solution and lets you pass) but sometimes it still tells you "nope, computer says no, your IP is not kosher" after you solve the audio captcha.
Brave Search and Cock.li (when signing up for a new email address) have a PoW captcha (proof of work, like Bitcoin or Monero), which basically means the computer does the work and not you. You pay for access in electricity rather than labour. I much prefer this because at least it can happen in a background tab.
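As an added illustration of the proof-of-work idea in the comment above (not part of the thread, and not the code of any service named in it): a hashcash-style challenge where the client burns CPU and the server checks the result with one hash. `SERVER_KEY`, `DIFFICULTY_BITS`, `TTL_SECONDS` and the challenge layout are assumptions made for this sketch.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # assumed per-deployment secret
DIFFICULTY_BITS = 16          # assumed cost: ~65k hashes on average
TTL_SECONDS = 120             # assumed lifetime of a challenge
_spent = set()                # redeemed challenges, to block replays

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None) -> str:
    """Server: stateless challenge 'nonce:expiry:bits:tag'."""
    now = int(time.time() if now is None else now)
    payload = f"{os.urandom(8).hex()}:{now + TTL_SECONDS}:{DIFFICULTY_BITS}"
    return f"{payload}:{_sign(payload)}"

def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: str) -> int:
    """Client: brute-force a counter; this is the 'work' paid in electricity."""
    bits = int(challenge.split(":")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter
        counter += 1

def verify(challenge: str, counter: int, now=None) -> bool:
    """Server: check tag, expiry, replay and the hash, in that order."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires, bits, tag = challenge.split(":")
        payload = f"{nonce}:{expires}:{bits}"
        expires, bits = int(expires), int(bits)
    except ValueError:
        return False
    # The tag stops a client from lowering the difficulty or extending expiry.
    if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
        return False
    if now > expires or challenge in _spent:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < bits:
        return False
    _spent.add(challenge)
    return True
```

A scheme like this prices each request rather than telling humans from bots, so the difficulty has to be tuned against the slowest legitimate client and the cheapest attacker hardware.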
One of my long-standing pet peeves has been that if you are obliged to carry out a reCAPTCHA test, then you are, de facto, being required to perform work to which you do not voluntarily consent. This is prima facie in breach of numerous international conventions, covenants and laws, including Article 8 of the International Covenant on Civil and Political Rights; Article 4 of the Universal Declaration of Human Rights; the European Convention on Human Rights; the Human Rights Act 1998 UK. (It is also at odds with Target 8.7 of the Sustainable Development Goals.)
The ban on such work is absolute and can never be justified.
Somewhat ironically, I cannot pass Cloudflare's verification test to access the original white paper.
It always seems weird the hoops companies make you go through to pay a bill. If the user has the bill number (hopefully essentially random) and the postal code, then display the amount owed (but nothing else!) and allow payment. If someone managed to link somebody's name to the bill number and postal code (so they already know that person is a customer), the most they could find out is the amount remaining on that bill - minimal possibility of personal data loss.
What are those reCAPTCHA cookies the researchers wrote about? I just deleted all browser cookies and checked. The cookie jar contains the same number of cookies (i.e. zero) before and after completing the puzzle. Are those cookies more exotic (perhaps implemented using localStorage), or does some browser plugin keep them away from my machine?
I think some version of it, which might not be the same one they're using now, would use cookies set by other Google products as a way to bypass the check. If you identified yourself to Google and they could track you onto the page, then you're allowed through. Otherwise, do a test.
None of you seem to have ever had a website that required registration or some online contact form.
reCAPTCHA "may" be "solved" by generative AI and stuff like that (or so they claim...), but I don't see that on the dozens of websites I manage that use it.
It still prevents 99% of the automated bot traffic and it does it well.
While Cloudflare's solution is *maybe* better, it's also not as widespread (yet).
As always, you have to compromise. If "free" blocks 99% of the automated annoyances, then it's perfect for most people.
It would be trivial for you to implement your own anti-bot test. 3+4=? Last time I added one to one of my websites it took less than an hour. Instead you invite Google in to track users on your websites. Lazy web admins like you are a big part of the problems with the internet.
The best test is asking about something your potential visitors would know.
Because any bot can solve "3+4", the only, minor problem being to parse the question (which is pretty basic in its formulation).
On the other hand, some website-specific questions (something your users would certainly know, but you can't find verbatim in Wikipedia) would block all bots, if only because it isn't worth the effort to code all bots to handle them. ("Emacs or Vim?"... *evil laughter*)
It occurred to me years ago that Google could also be harvesting protected medical information. Analyses of a user's completion of the challenge could provide a lot of information about for instance neurological problems, which I indeed have and which would be very, very obvious if you collected info about me completing a visual test. It's a lot like parts of an IQ test, which I've had several of during my life. Even subtle differences between different people's responses could be analyzed to recover highly sensitive personal data, like how much stress a person is having recently. So many, many things affect human performance. As mentioned, Google is big on ML, it would be foolish to think they aren't going to exhaustively process all the data they've collected with this apparent scam. And a scam at many levels at that.
By far the worst offender for me are a few websites I need to go to for professional reasons where I am presented a login screen to log in. I do so. After I successfully log in, then it requires me to fill out one of those visual captchas.
Yes. After a successful login.