The Curious Case of the Bizarre, Disappearing Captcha (wired.com)
- Reference: 0179953842
- News link: https://tech.slashdot.org/story/25/11/03/1916215/the-curious-case-of-the-bizarre-disappearing-captcha
- Source link: https://www.wired.com/story/bizarre-disappearing-captcha/
Cloudflare followed in 2022 by releasing Turnstile, another invisible alternative that sometimes appears as a simple checkbox but actually gathers data from devices and software to determine if users are human. Both companies distribute their security tools for free to collect training data, and Cloudflare now sees 20% of all HTTP requests across the internet.
The rare challenges that do surface have become increasingly bizarre, ranging from requests to identify dogs and ducks wearing various hats to sliding a jockstrap across a screen to find matching underwear on hookup sites.
[1] https://www.wired.com/story/bizarre-disappearing-captcha/
nothing to do with securty (Score:1)
In this article and others I constantly see captchas and liveness checks presented as a "security measure". They are not. Scraping and bots are a cost and reputational risk, not a security risk.
I guess presenting it as a security issue makes people more accepting of the inconvenience? Or maybe executives more willing to pay to introduce friction to their sites? weird.
Re:nothing to do with securty (Score:4, Interesting)
It was never even about bots that much. Deciphering distorted text was actually training AI to read poorly scanned documents. Clicking traffic lights and bikes was training AI to analyze photographs. AI doesn't need our help for those tasks any more so those "bot tests" have disappeared.
Re: (Score:2)
Public free CAPTCHAs weren't a charity. It was a win win that they had a way to pay the bills and we got something useful out of it too. I do wonder what we are training when we pass these invisible tests. At this point, it's probably just a way to get a cookie to feed data to Adsense. They do still technically let developers use recaptcha.net instead of a google domain, but this just decouples the data somewhat. It's still being collected.
Re: (Score:2)
fail2ban might be great at blocking a single IP, but botnets aren't just for DDoS, you know. A CAPTCHA might help protect against a distributed dictionary attack.
Also, security means protecting against someone getting access to something valuable. If you think scraping doesn't hurt security, you're not looking at it right.
Doomed (Score:3)
Yes, in case you haven't been paying attention or your Internet browsing is so straight-and-narrow that you've never encountered this... We've evolved beyond text-based Captchas and now have what are essentially browser minigames that try to gauge that you're human. How much of it is just security theater, we don't know, but it's all based on the vain hope that it would be too tedious or expensive to get a bot to solve these en masse. However I'm sure they will all be cracked eventually. The object rotation puzzles I've seen are probably particularly challenging, but not insurmountable.
Re: Doomed (Score:5, Funny)
Pretty soon (if not already) the bots are going to be better at solving puzzles than humans. What then? "Demonstrate your humanity by being unable to solve our puzzle"?
Re: Doomed (Score:1)
Yes, I'm aware of mouse-movement monitoring but when this can be faked too, what then?
Think of the time before COVID - so much push-back for those who chose to work from a location which suited them; "it's not possible, blah blah, blah" then COVID hits and it's not only possible but mandatory. Of course now we're supposed to forget that it's possible and beneficial in terms of productivity.
So, once we can't distinguish between bots and humans, will bots suddenly be welcome? Will scraping turn into an additi
Re: (Score:2)
I think the arms race is already over. At this point it's security theater. Sooner than you think, it will be ONLY bots viewing your content, and at that point the question is... who pays for the traffic?
In the future, I can see every packet being signed to identify the billable party. You'll see aggregate charges for every API request that your AI Agent-based browser makes on your behalf, with overages if you exceed the quotas allowed by your monthly fee. You'll never interact with a website directly, exce
Re: (Score:2)
On the tech-side? Yes. All that stuff can be faked or it will be keeping too many real people out. But these may still help to keep the more stupid bots out.
Re: Doomed (Score:2)
Not ONLY bots - there'll be the holdouts who want to view the actual web pages not the bot-filtered view. Think antiques fans, users of: VIM, mechanical keyboards, vinyl records, normal toothbrushes.
At the moment, many sites are ad-supported - perhaps the LLM context window will be the new battleground for an automated ad bidding war - perhaps the LLM will take one for the team and sit through the same freaking ad in a foreign language for products no-one (not just the nominal viewer) wants, a million times
Re: (Score:2)
Good Lord. I feel called out. I just checked and I have 41 vim windows open, and I'm typing this comment on a mechanical keyboard. I also brushed this morning with a normal toothbrush.
Well, actually I don't have a record player or any vinyl (sold all my records in the early 1990s) so you aren't talking to me specifically.
Re: (Score:3)
It is not about making it impossible for bots, it is about making it more expensive than hiring an army of human captcha solvers in a low-income country.
They will be cracked eventually, and I believe that most of them already are, that's why they are constantly changing them. It is a cat-and-mouse game.
Re: (Score:2)
Like and subscribe to show you're a human.
PC Master Race? (Score:2)
Somewhere between once and ten times per week, Cloudflare decides I'm not human; and Im not allowed to visit some site. Safari on Mac. No need for sterilisation, already unix. :-|
Re: (Score:2)
> Somewhere between once and ten times per week, Cloudflare decides I'm not human; and Im not allowed to visit some site.
Every once in awhile I get Cloudflare's delay interstitial, where it has to sit there for a second and think about whether or not I'm human. Sometimes. I feel like I should return the favor by taking a moment to consider whether I'm actually dealing with a machine.
Cloudflare squints at you through a frosted glass pane, whispering, “Hmm human?”
And you, with equal suspicion, glance back at your screen thinking, “Hmm machine?”
We live in strange times.
These Are CAPTCHAS (Score:2)
In fact, these fit the name even better:
> Completely Automated Public Turing test to tell Computers and Humans Apart
Previously, they were only completely automated on one side. Now they are automated for the visitor too. Seems silly to call it something else, though.
Re: (Score:2)
But they are no longer turing tests either.
Re: (Score:2)
Yeah, probably can't work around that without just subbing the word Test for Turing (and the word is already there). The acronym for DVD changed over time too. It's still DVD but went from Video to Versatile.
I don't think it's fair to say that acting alive is a measure of intelligence. Unless you count fine motor skills as a form of humanlike intelligence.
NO THEY HAVE NOT! (Score:2)
There is still tons and tons of captchas going on. Sure, some of those have been replaced with doing a checkbox, but I am seeing captchas as a whole more now than say 5 years ago.
Re: (Score:2)
I still see captchas too. I'm wondering if a lot of this "post-captcha" stuff is Chrome only, since that browser still supports a lot of end-user-hostile activities while Firefox and Safari do not.
AI Can do them (Score:2)
AI has reached the point where it can do most the CAPTCHA's that we used to test humans on.
So it makes little sense to use them any more.
Yep, under-the-hood works well (Score:4, Interesting)
I use a psuedo-captcha on some of my sites, but I also use a lot of invisible under-the-hood stuff like timing, speed of response, 'special' fake form fields, and few other goodies I won't reveal. All those measures reduce spam to basically nothing. And I mean that literally.
Passing the 'captcha' pretty much requires an actual human operator, and even a lot of those human spammers don't make it through. I know because I look at the logs, and it's working damn well, with a literal 99.999%+ success rate.
The bots never, ever make it through because they don't have human eyes, which works against them nearly every time- they can't decipher the HTML-trickery to see what a human sees, so they fuck up and fall into the pit every time.
Recaptcha is garbage (Score:2)
Turnstile hasn't turned on me yet but Recaptcha is utter garbage. It get the "pick the boxes with these things" one regularly. And when I pick the things it tells me I picked wrong. And again. And again. Google's quality control is... non-existent.
I still see them far too often. (Score:2)
I wish captchas were a thing of the past. I run across them routinely. Had one presented on X yesterday and GOG regularly makes me "solve" one. The GOG ones are terrible. They are of the "click on all photos with a crosswalk/bus/bicycle" variety. And you run into issues like, "do they consider that a bus or not?" or "I can't quite make out whether there's a crosswalk at that corner or not because it's not 100% clear." And don't get me started on the ones with a photo broken down into a grid and you have to
To sliding a jockstrap across a screen (Score:2)
LMFAO. Sniffies plug.
Re: (Score:2)
I haven't seen the jockstrap one, so methinks those invisible tracking systems that analyze user behavior might know something about the author's online habits.
And before someone goes "but aren't you gay?", yeah, I am - but I'm in a committed relationship. So, just like how some of you straight folks grasp the concept of fidelity, I'm not browsing around on hookup sites, and I guess the algorithms truly have gotten smarter. Funny how that works.
Re: (Score:2)
Captchas are usually served by a 3rd party service, so unless the hookup site rolled their own, it's possible it'd pop up elsewhere. If it truly is specific to just one site, then it's just a strange example to include, since it's kinda like saying:
"My kid flushed a towel down the toilet and the plumber I called showed up riding a Bird scooter. Have they given up driving work trucks?"
Nope. That's a strange life experience just for you . The rest of us aren't getting plumbers on rental scooters and jock s