I am also blind. hCaptcha is the worst. Their stupid cookie expires so I have to go through their getting an email to set the cookie almost every time I encounter one. It's a horrendous UX, especially when using different devices and browsers. I imagine others just give up instead of dealing with the crap. They shouldn't use the word accessibility when their whole service is the exact opposite.
The bots can probably solve them easier than blind people anyway, or they can outsource them to third world workers for next to nothing. E.g. Anticaptcha [0]:
> Starting from 0.5USD per 1000 images, depending on your daily spending volume
Believe me, hCaptcha isn't much better even if you're not blind! They show me minuscule images which are barely distinguishable from each other. It manages to be much worse than reCaptcha, which is some achievement.
I'm not blind, but do have visibility issues. I can get by on my phone with maxed text size, etc. The pictures for hcaptcha are horrible... I keep having to zoom in and out. It's almost as bad as modals that flow off screen.
It sucks more when you work in the space and take a lot of care to usability. It's not that hard most of the time.
I have the complete opposite experience. I'm not blind but I use Tor, VPNs and a non-spyware browser, which is probably worse lol. Google captcha most of the time sends me into a loop that does not stop and always fails regardless of how right I am for 3+ minutes. Meanwhile hCaptcha lets me pass if I simply correctly fill out 1-3 captchas.
There is no "best" version of captcha. I've worked on several large scale projects where captcha was floated and then quickly abandoned in favor of other methods like Honeypot or using other methods to weed out bots and other 3rd party agents.
If you have to use captcha the least worst are probably reCaptcha V2 and hCaptcha for accessibility.
I don't think there is any PoW that results in acceptable performance for the user (especially on mobile) while also making the cost for an attacker high enough to deter them.
Even renting the compute on AWS, it only costs $0.01 per minute for the equivalent of a decent desktop computer (c8g.4xlarge). While an attacker will likely either use a botnet, or hardware better suited for solving the PoW than the hardware the user is using.
Though CAPTCHAs don't really work well anymore either, since solving services are quite cheap. Recaptcha is nowadays primarily based on other factors, like IP reputation, susceptibility to google tracking, and behavioral scoring.
Most people engage with web content on relatively low powered machines. If you tune them to be tolerable on a 4 year old mid-range android device, there isn't much cost incurred on a threadripper.
I'd never heard of them before getting them while using Brave search sometimes, I'm not sure I entirely understand how they work and differentiate between a bot and human.
They don't differentiate. They just make it too expensive to be worth paying for the resources required to carry out a spam attack at any meaningful scale.
First of all, why should I want them to set a cookie on my system? I don't want them to do that. Yeah, I do use session cookies. However, I shouldn't have to have a company set one on my system to get around their stupid CAPTCHA!! In other words, I shouldn't have to disclose anything to them. I could be an AI for all they care.
The title kind of makes it appear far less of a problem than it actually is, because according to the article, hCaptcha made multiple rude and evidence-free accusations of lying despite the author actually being blind.
Remember that from hCaptcha's point of view, by this point they've probably dealt with hundreds of other people claiming that they are blind when they really aren't, so their bots will work.
This isn't a defense, just an explanation... but it is also an explanation of why the entire idea of "we'll not give blind people a way past the CAPTCHA but just give a pass to 'real' blind people so we can pass ADA", which is that it should have been transparently obvious that this approach is completely infeasible and unscalable. As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.
This shouldn't have gotten deployed and then become a problem; it should have been a 5 minute diversion in the meeting where it was proposed to analyze that it's completely infeasible and never made it to so much as the design phase, let alone the deployment phase.
If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself! The whole idea intrinsically depends on having a stronger solution to the problems CAPTCHAs are meant to solve than the CAPTCHA system itself provides... it's fundamentally a logically unsound idea.
This is a problem so chronic across so many fields that I wish there was single term to describe it.
User POV: "Wow, provider is a really shitty entity and had no respect for my legitimate problem."
Provider POV: "We get a huge number of illegitimate claims identical to legitimate ones regularly, the system would collapse if we didn't do heavy triage, the problem is the level of abuse, not a moral bankruptcy on our part."
I suppose "this is why we can't have nice things" captures some of it.
The actual problem is that the Provider's real POV is actually: "We already do the bare minimum required by the law and you are too insignificant to damage our reputation. It would actually cost our shareholders money to do more so please go die in silence somewhere else and stop bothering us. Replying to you costs us money too."
This kind of article is actually useful because it raises the risk of actual reputational damage thus encouraging companies to do more.
What users don't see is that a single good actor will make, at most, a dozen such claims in their life, while a malicious one might literally make hundreds of them a day. The scales are different, by orders of magnitude.
It's not unimaginable that just 0.001% of your users (in terms of actual humans / entities physically using your service) are fraudsters, but 99% of your signup or login attempts / interactions with your service / "I'm not a fraudster, pinky swear" support claims are fraudulent.
In cases like this the provider is someone I don't want to have any business with in the first place. I don't care how hard reliable CAPTCHAs are to implement and as a user I shouldn't have to.
The problem is that this very problem also happens simultaneously in the reverse direction. i.e. people have to deal with so many awful entities screwing them over due to sheer self-interest, negligence, or even malice, that they have a hard time knowing which ones legitimately are trying their best and genuinely don't have a better solution.
That's what happens when trust erodes, and why we can't have nice things.
If anyone should be more understanding and absorb the costs to appease the other, it's probably the big corp, not the little guy.
> As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.
In several countries, the government issues certificates of blindness [1] which grant access to certain extra types of support. We don't want severely vision-impaired people being forced to drive, after all!
So there are legal standards for what exactly blind is, and certificates.
The question is whether tech companies are inclined to hire enough people to wrangle the paperwork involved in checking such certificates, worldwide.
If "having a government identity" was a solution to the identity problem, it would be solved.
It is not solved.
That is at most the beginning of a solution to the problem.
And in practice, it is little more than the beginning of the problem, as the government's definition of blindness is very unlikely to be a precise match to "has problems completing our visual CAPTCHA", and if multiple governments have standards there is no chance they will match.
Do not underestimate the resilience and resourcefulness of scammers. They aren't just some individuals here and there who decide one day that they could make a couple extra bucks spamming people, and just sort of start sending out whatever scam strikes their fancy. They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system. They're thousands of people dedicating their full human-level intelligence to the task of defeating your system and extracting the value from it. They are not as easy to defeat as "let's just put the obvious certification in place", for the same reason that the CAPTCHA problem isn't solved with "Let's just issue everyone official identities".
> They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system.
I don't know about your country, but in my country the government is pretty keen on avoiding abuses of the benefits system. After all, a blind person gets tax breaks and cash benefits totalling about $5000/year.
So the existing system is used to dealing with financially motivated adversaries. I doubt the additional financial motivation of being able to bypass hCaptcha would mean much, in comparison.
> So there are legal standards for what exactly blind is, and certificates.
In the USA, people are not yet required to provide identification when signing up for "free" services. There are real concerns around privacy.
A certification of blindness is exactly one of those privacy concerns, being a medical issue. You think it would be a good idea to give that private information to the criminal organizations of big tech?
These are already users that want to let the company know that they are blind in order to qualify for special treatment. In that case showing the certificate doesn't seem to be much of an extra privacy issue to me.
I would have a privacy concern with it, and then you're going to force everyone to do verification. Age verification isn't even passed here in the US, although a lot of companies do it. They wanted to make it law over the last couple years.
This is a moot point anyways because the Americans with Disabilities Act bans businesses from asking people about their specific disabilities. Asking for proof of blindness will almost certainly be in contravention of that.
> something far more valuable than the CAPTCHA system itself
In terms of CAPTCHAs being valuable – the other day I couldn’t for the life of me solve a captcha. It was one of those “Solve the implicit question in the picture” kind where it can be hard to tell what it’s even asking you to do.
So I took a screenshot and put it in chatgpt. Got it right immediately.
The real detection mechanism is that you’re moving your mouse, thinking, and generally being slower than a bot anyway. The captcha itself is just a pointless annoyance.
I am perfectly happy with having to prove that I am blind to get my bus pass, but if it was necessary to access a website I would just not use that site. Let's hope it never gets that bad. There's always Anticaptcha to fall back on, but I hate their business model.
Audio captchas are inherently discriminatory to those with hearing issues or those that don't speak the 5 supported languages. They're also somewhat easy to solve with ASR models now. Text captchas are incredibly easy to solve with LLMs.
The only other alternative I see is some incredible tracking / surveillance machine (think an actual non-browser app that you have to run on your computer), but is that really what we want?
I'm actually pretty okay with the zero click cloudflare dealios and prosopo PoW captchas. You can make websites that simply do not have visual puzzles on them at all.
Every now and then turnstile does get a little borked but I can honestly say that I would rather just do without whatever I was trying to do than click 7 motorcycles. Hcaptcha and recaptcha are becoming my personal brown M&M indicator for additional bad user experiences in a given web property.
> If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself!
Worldcoin? Government issued auth service is a viable option too. Just get some flag like "isBlind" in it. Disabled status is granted by the government after all.
Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to. Another recent one sticks out where they asked me to pick a shape as the same number of conoids on screen. If you ask people on a street what a conoid is I bet a significant amount will give you blank looks.
Also at least now I know some people call those markings crosswalks
Other things I don't have a clue about - a fire hydrant, yellow taxis, yellow buses
(Obviously I do, because of American cultural imperialism through things like Captchas which mean the world has to understand American cultural touchstones)
I distinctly remember a captcha which asked me to identify fire hydrants. Some of the pictures were hydrants, while others were standpipes. These are different things, and I answered accordingly.
The service refused to acknowledge my humanity until I relented that a standpipe was a hydrant. If at some future date any of us burn to death due to an automated fire truck that misbehaved due to this, we’ll know why.
Yup - I recognize this problem. I am a motorcyclist and I frequently have to grit my teeth and misidentify scooters as motorcycles if I want to get past captcha.
For non-bikers, a scooter has an automated gearbox and small wheels etc. Think vespa.
In the UK at least they are generally a different category of license, although that's because of the size of a standard scooter engine.
Except scooters are literally motorcycles? From Wikipedia:
> A scooter (motor scooter) is a motorcycle with an underbone or step-through frame, ....
Scooters are often legally motorcycles as well. For example, I had to get a motorcycle endorsement on my license for a scooter I owned, because the engine displacement was too large for the extremely restrictive "moped" category in my state.
They're not really considered as such by motorcycle people, for decent reasons too. Scooters generally have rather different ergonomics and controls, notably CVTs rather than manual transmissions for "proper" motorcycles. Overall a pretty different experience to ride. There's not really a good umbrella term, either, though.
I live in Vietnam where the entire population drives small motorbikes or scooters. There's no defining feature except for having a cutaway to place your feet in a scooter. Even the engine placement is less of a clear thing now that many of them are electric.
There's motorbikes with scooter like controls, there's scooters with motorbike like controls.
Many small automatic motorbikes feel basically identical to driving a scooter except that your sitting position is very slightly different.
The "decent reasons" just sounds like snobbery or a reason to feel superior. Cars are cars, whether manual, automatic, CVT, whatever. Why should bikes be any different?
I'm a big fan of two-wheeled transport in all its forms, but wow is there a prevailing toxic attitude among a large group of "true motorcycle" riders. Instead of welcoming people into the fold, it's just tribalism -- you drive a scooter, you're not a true biker; you ride a cruiser, true bikers only drive super sports; you drive an e-bike, but only loud pipes make a true rider!
Agree about the snobbery, but there is a real difference in kind between them that would be nice to have a good name for. Even if, as the other reply pointed out, they exist on a spectrum, the endpoints are pretty distinct.
My rationale is that they're teaching cars what things they shouldn't drive into, so I'm pretty liberal with what constitutes a motorcycle, including the person on top.
FWIW, I went out looking for a better category (something more like "two-wheeler" but without the engine), and discovered that Wikipedia actually agrees that scooters are motorcycles.
Unfortunately, even understanding these things, on a shared connection it might take you literally two or three minutes of captcha work before Google recognizes your personhood.
Am I identifying the boxes wrong? Am I doing it too fast? Where do "Stairs" begin and end? Does a motorcycle include its rider? Or is Google just fucking with me and failing me on purpose?
My workplace had a period this year where captcha was put into the cashier checkout process.
And while it's not quite the same kind of CAPTCHA, I've not infrequently run into Cloudflare "prove you're human" screens that just...never let me through. I click the box, it loads for a second, turns into a nice checkmark, and then...reloads the "prove you're human" page. Infinite loop (as far as I can tell, anyway, not having infinite time).
I forget what extension was doing this for me, but I think this was down to an extension blocking autoload/play. Try disabling your extensions down to ublock and slowly adding them back.
Can you have them translated into your native language? I mean I imagine if you're using Google from a different country, it might take notice. Maybe it doesn't apply to reCAPTCHA, Google can be stupid like that!
> Other things I don't have a clue about - a fire hydrant
Even within the United States, fire hydrants vary greatly from city to city.
I remember the first time I moved to a city that had those little squatty dark blue ones. I thought they were water main access points.
It's interesting to see so many people on HN assessing that captchas are biased toward American culture. Very frequently I get captchas that include things I don't know, and when I look them up, they turn out to be Indian in origin.
Maybe the standard international signs are more easily recognised by machines anyway, but if not it will be interesting when Google and others start needing Captcha help.
Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world, as well as realizing buses and taxis come in more colours.
> Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world
If you think this is a binary America/Rest of the World problem, then you haven't visited very much of the "rest of the world" and noticed that every place is full of variations.
It's hard to really say objectively, as the strange yellow American school bus is kind of an iconic image - perhaps because it looks so different to a regular public transport bus as seen around the rest of the world.
And then there's "shuttle", I believe the US has at least one kind of thing called "shuttle" for every possible mode of transport, including orbital flight.
Well technically anything can be a shuttle because specifically the thing that makes it a shuttle is the operating pattern (repeated point to point service) rather than the machine itself.
Etymology-wise a shuttle was a type of weaving tool which is why the verb shuttle exists, i.e. to rapidly move back and forth across a length (as if you were weaving a thread into a piece of fabric).
So then you got shuttle trains which frequently ran back and forth. And from there other types of shuttle services (shuttle buses, shuttle vans, etc).
And of course eventually the space shuttle being intended to be a launch vehicle designed for shuttle service to and from orbit. (Side note, but technically if the SpaceX Starship actually achieves its intended sub-24h turnaround it'd be able to qualify as a shuttle provided it ran a fixed point to point route on a regular basis.)
This can't be right, I have been told over and over again that America does not have any culture.
Now it's being used to push imperialism through captchas of all things?!
I feel like all the non-US or non-Western or however you want to categorize the 'rest of the world' should be striving to use free-range local culturally-appropriate captcha services if this is true.
It's easy to blame the colonizers, but what about the local artisanal websites who give the colonizers/invaders a voice by integrating their captcha services?
We really need an 'international-divorce' to put these issues to bed once and for all.
Well, France doesn't have Zone Improvement Plan codes. It is somewhat annoying to fill forms on websites with "ZIP code" in them for people outside US. They aren't called this way anywhere else (except for one or two countries).
Is a coach a bus? Honestly, I'm not sure what makes them different, if you pressed me I think I'd say a coach has luggage compartments underneath. A UK coach is not a bus... although Megabus run mostly coaches, and Stagecoach run mostly buses.
Is a scooter a motorcycle, what about a pedal-and-pop, an ebike? Is the backbox (rear carrier) part of the motorcycle?
Is a single light at a junction, ahem intersection, a traffic light? Is the outer-container part of the "light"? What about the lights for pedestrians, are they part of the traffic light?
Are house steps, that don't carry you to a different storey, still stairs? Is a single step also stairs?
Are fire hydrants always red?
So, yeah, usually I just leave the website and come back to HN.
I routinely have problems with closeup images. To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.
Once it showed me a picture of steps nothing but steps. I think I marked like 15 boxes.
> To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.
I have always assumed this was purposefully ambiguous. The right answer is whatever a majority of humans will answer when presented with the same picture.
If you think you're failing the captchas because you're doing them wrong, think again. Google captcha intentionally fails you a couple times if they don't have enough tracking info to determine that you're legit. So you solve the captcha correctly but are still lied to that "you've failed to solve the captcha, try again".
That and the "fading images slowly to pretend like you have bad internet" thing. Disgusting behaviour
They don't. They load the images and then have js to fade them slooooowly. It's pernicious precisely because of that: its purpose is to annoy humans while being completely useless to thwart bots.
I kinda don't understand why we still have captchas. We've solved the asymmetric problem with proof-of-work; just make somebody solve something trivial so they spend more resources than you do.
Like if a bot requests your page 1/day it's not a problem; but if they want to request it 1/ms then the proof-of-work becomes too much for them and it's transparent to a person.
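The proof-of-work scheme this comment (and the PoW cost debate earlier in the thread) describes, written out as an added example; this is not code from the original post or from any CAPTCHA vendor. It is a hashcash-style challenge: the server binds the challenge to a client and time with an HMAC so work cannot be precomputed or replayed, the client brute-forces a nonce, and the server verifies with one hash no matter how hard the puzzle was. The server key, client id, prices and hash rate are constructed assumptions.

```python
"""Hashcash-style proof-of-work CAPTCHA: issue, solve, verify, and a cost model."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key"   # sample value; a real server loads this from secret storage
CHALLENGE_TTL = 120                     # seconds a challenge stays solvable


def issue_challenge(client_id, difficulty, now=None):
    """Server side. Returns 'client|difficulty|issued|random|mac'.

    The MAC stops a client from lowering the difficulty or minting
    challenges itself; the random field makes every challenge unique.
    """
    issued = int(time.time() if now is None else now)
    body = f"{client_id}|{difficulty}|{issued}|{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def _leading_zero_bits(digest):
    """Count leading zero bits of a digest (the hashcash 'difficulty' measure)."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve(challenge):
    """Client side. Expected work is about 2**difficulty hashes; the
    challenge string is hashed with the nonce so work is not transferable."""
    difficulty = int(challenge.split("|")[1])
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return nonce
        nonce += 1


def verify(challenge, nonce, spent=None, now=None):
    """Server side: one HMAC and one SHA-256, independent of difficulty.

    Rejects forged or tampered challenges, expired ones, and (when a
    `spent` set is supplied) replays of an already-accepted solution.
    """
    parts = challenge.split("|")
    if len(parts) != 5:
        return False
    _client_id, diff_s, issued_s, _rand, mac = parts
    body = "|".join(parts[:4])
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = time.time() if now is None else now
    if current - int(issued_s) > CHALLENGE_TTL:
        return False
    if spent is not None and challenge in spent:
        return False
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if _leading_zero_bits(digest) < int(diff_s):
        return False
    if spent is not None:
        spent.add(challenge)
    return True


def expected_hashes(difficulty):
    """Mean number of hashes a solver needs for `difficulty` leading zero bits."""
    return 2 ** difficulty


def cost_per_solve_usd(difficulty, hashes_per_second, usd_per_minute):
    """Attacker's rented-compute cost for one solution.

    `hashes_per_second` is whatever the attacker's hardware achieves (an
    assumption you must measure); `usd_per_minute` is the rental price.
    """
    seconds = expected_hashes(difficulty) / hashes_per_second
    return seconds * usd_per_minute / 60


if __name__ == "__main__":
    ch = issue_challenge("client-a", 12)
    n = solve(ch)
    print("nonce", n, "valid", verify(ch, n))
    # Constructed assumption: 10 million SHA-256/s on a $0.01/minute instance.
    print("cost of 1M solves at difficulty 20: $%.2f"
          % (1_000_000 * cost_per_solve_usd(20, 10_000_000, 0.01)))
```

The cost function makes the trade-off in the thread concrete: raising the difficulty by one bit doubles both the attacker's bill and the legitimate user's wait.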
It might be an incentive to make people stay logged into their accounts. This wouldn't be the whole reason but I am sure it's part of it. I used another laptop with a VPN for a few days and what used to be smooth experiences turned into a shit ton of "log in to prove you're not a robot". Both Reddit and YouTube did this.
I'm never that consistent and usually get through. I think they are looking at things like mouse acceleration, smoothness, etc. rather than the actual answer to the questions.
Sure, but you can imagine pretty easily what a ‘conoid’ would be, right? ‘Spheroid’ would be something sphere-like, ‘mongoloid’ is something mongol-like, ‘freakazoid’ is something freaky…
It’s pretty clear from context that ‘conoid’ means ‘like a cone’, isn’t it?
I am Googling "conoid" right now and I still can't even imagine what it's supposed to be.
The Google dictionary says it's a zoological term "approximately conical in shape".
The Wikipedia panel says "In geometry a conoid is a ruled surface, whose rulings fulfill the additional conditions: All rulings are parallel to a plane, the directrix plane. All rulings intersect a fixed line, the axis." The graphics are... nothing intuitive.
The M-W link in the search results says "a cone-shaped structure; especially : a hollow organelle shaped like a truncated cone that occurs at the anterior end of the organism".
None of this seeming relevant, I clicked on the Image tab and it's all these complicated Mathematica-style graphs of things that are very much not cones.
I see other people in the HN comments similarly have no idea.
Can you please explain what you saw on screen? What did the captcha think was a conoid...? Like, traffic cones or something?
In the UK some crosswalks have cones on the bottom of the box where the button to wait to cross is, and OP mentioned crosswalks in the final sentence. Maybe it's just too late for me right now, but that's what my brain assumed, but the "same number of shapes as" thing was not enough context!
The cone on the bottom spins when you have the right of way.
I can't be the only person who's been checking as many wrong answers as I can get away with for the last decade, and I'd be complimented by my conoid-questioning brethren. Captcha seems like it's fully entered a "bear proof garbage can" phase I don't see it escaping.
I've just resorted to flipping over to the audio captcha. Yes, solving the first one takes more time, but you pretty much get it right the first time and you're not wasting your life wondering if 2cm of a fire hydrant is enough to label a square as having a fire hydrant.
Also, if you use a larger minimum font size often the text describing the thing you are supposed to select is under the image and unreadable. With hCaptcha it varies depending on the size of the popup window with the captcha and Google seems to reliably show just the top (barely enough to figure it out most of the time).
> A conoid is a ruled surface whose rulings are parallel to a plane (called the directrix plane) and intersect a fixed line (called the axis of the conoid) (Gellert et al. 1989, p. 202). Examples include the circular conoid, helicoid, hyperbolic paraboloid, parabolic conoid, Plücker conoid, right circular conoid, Wallis's conical edge, Whitney umbrella, and Zindler conoid. If the axis is perpendicular to the directrix plane, the conoid is called a right conoid (Gray et al. 2006, p. 436).
Where did you get stripes from in any of that? A surface is ruled when it can be constructed by extruding a line (or segment) along some path… like waving a ruler around.
I think they meant that something striped and rectangular, like a crosswalk, is a 'ruled surface' because the stripes themselves are like the ruler ?
So I guess a crosswalk (flat rectangle in 3D space), would be considered a 'ruled surface', but I don't think it meets the other requirement to make it a conoid.
Avoiding this is what made hCaptcha popular among a lot of users in the first place. reCaptcha has always been guilty of this, and it doesn't seem like they're taking any steps to improve this US-centred definition of humanity. hCaptcha gave much more general and neutral puzzles that made a lot of people (including me) give a sigh of relief when they encountered a CAPTCHA and it was h and not re.
recaptcha audio challenge is just a few words (in English) that you have to enter. Might be easier in some circumstances? You can press CTRL to repeat the audio.
> Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to.
Honestly, even living in the West, sometimes I feel like they expect me to have an IQ of 200 just to pass! And, I am sure I pass the Turing test without issues.
> But on the internet the answer to „what is a conoid“ is just a web search away.
When I search, the whole first page of google is essentially "things that are shaped like cones", I have no idea what that would be in response to one of those image captchas that show traffic and buildings.
I got mathematical surfaces like https://en.wikipedia.org/wiki/Conoid To get the correct image I had to search "conoid street". Anyway, I guessed they were those red cone shaped things that people put on the street and I'm not sure how they are called even in Spanish (probably conos or balizas).
Google "conoid" and you'll get a bunch of pictures of shapes that are curved in different ways. I assume the captcha was talking about things that have a similar shape to a cone, but I don't think you'd get much of a clue from Google.
Lesson 1 about competing with Google should be "don't be even more disrespectful to your users than Google is". Otherwise people will just use Google.
Relying on the goodwill of a small number of "never-Googlers" to carry your business, in spite of the way you do business, is not a path to success.
While hCaptcha trashes its reputation, the rest of the world will go on using reCaptcha and not giving the faintest whiff of a fart about hCaptcha's existence.
(Side note: the spelling is "intentional", not "intensional". Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").
I wonder whether talking about "looking at the javascript console" somehow made them think that this person cannot possibly be blind, since how could a blind person "see" the JavaScript console? (But "having my screen reader read the content of the JavaScript console to me" is a bit of a mouthful.)
You know, that's a good point, and it hadn't occurred to me.
For the overwhelming majority of blind people, language like "looked at" is just metaphorical. I mean, all language is symbolic anyway. The map is not the territory and the menu is not the dinner.
Some of us are taught very young to use common terms like look in that kind of a metaphorical way.
Partially so that we fit in and are comfortable with the rest of sighted culture.
And then once in a great while, we get condescended to for it. There's a really good example of this in the second season episode of DS9, The Alternate.
```
ODO
It was a dilemma for me. I'd never
seen anything like these creatures
either.
MORA
"Seen" isn't really an appropriate
description. He had no eyes per
se...
ODO
I was only trying to describe it in
simple terms...
MORA
(ignoring that)
He had never perceived anything like
us before... go on...
```
I can pretty much guarantee that every blind person has had a condescending, patronizing douche canoe like Mora in their life at least once.
Even as a sighted person, "look at" is often metaphorical - you can interview an expert over the phone and say you looked into the subject even though the only looking was around the phone number.
When someone recommends me an album or artist I "take a look" at it: I listen to it. Though now that I think about it, I wouldn't say that in my other languages.
This is how the use of language concealed aphantasia for so long. When you use a word in a context similar to how another used it in that context, there seems to be a presumption that the subjective experience is the same in that context.
Given how we learn languages and words based upon encountering them in contexts, it makes sense that terms that we use in outwardly similar contexts reflect the subjective experience that each of us relate to those terms. We don't have access to another's subjective experience so I can see how it would encourage the assumption that we all perceive things the same way.
There might be many undetected variances in perception akin to aphantasia lurking in us waiting to be discovered.
Here's the thing. We're talking about people who are the accessibility team for hCaptcha. They should at least have a figleaf of an understanding of life for blind people.
The other problem we have is that online companies tend to be accountable to no one. Short of lawsuits, my friend who got banned from hCaptcha for "not being blind" has no recourse, because nobody is accountable.
I suppose one could say "observed" as a sense-neutral alternative to see / hear. Might be a worthwhile language shift, similar to using "they" as a gender-neutral alternative to "he" and "her".
We usually talk about the inclusion benefits of neutral language. It can also be valuable by making specific terms more meaningful when used appropriately. If I know you usually say "they", then when you choose to say "he" I get more information -- there's a clear gender expression. Similarly, if you usually say "observe", then when you say "see" I know we're specifically talking about vision.
Of course, it's an awkward transition. It's hard to get used to "they/them" and saying "I observed a delicious aroma" sounds like a robot impersonating a person.
It's notable that the majority of the people who would be "included" by the change to "more inclusive" language aren't offended in the first place. The sentence "I am watching TV" literally offended no blind person, evah. It is only sighted do-gooders who have the spoons to be offended by nothingburgers on our behalf.
We're too busy dealing with stuff like, ... I dunno, landlords who refuse to rent to us because all they have is second story units and we might fall down the stairs. Yes this actually happened to me in 2000 or so, and I don't have enough faith in human intelligence to believe that it isn't happening today.
We're too busy being oppressed by captchas and websites made by frontend devs who seem to care more about chasing JavaScript framework du jour than they care about accessibility.
We're busy struggling against a built physical environment which has been designed for cars and not people.
The supposedly non-inclusive language of "I watched TV" or "I looked at my browser's JS console" aren't even on our radar.
I coined the term "Sapir-Whorf Stalinists" a few weeks ago to describe the sort of people who think that monkeying with language will magically make things better for marginalized groups.
Here's Lee Atwater talking about the Southern Strategy:
> You start out in 1954 by saying, “Nigger, nigger,
> nigger.” By 1968 you can’t say “nigger”—that hurts you, backfires.
> So you say stuff like, uh, forced busing, states’ rights, and all that stuff,
> and you’re getting so abstract. Now, you’re talking about cutting taxes,
> and all these things you’re talking about are totally economic things and a
> byproduct of them is, blacks get hurt worse than whites.… “We want to cut
> this,” is much more abstract than even the busing thing, uh,
> and a hell of a lot more abstract than “Nigger, nigger.”
I hope we can end the CAPTCHA experiment soon. It didn't work.
Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.
Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:
- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.
- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.
It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.
Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.
Even in a year, I don't think random AI will be "cheap" enough for spamming CAPTCHA on random websites. Maybe for select, ripe targets (your bank, etc.). But for a random business with a form?
CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).
The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.
Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.
Cryptocurrency micropayments have been proposed and even attempted as a solution to various problems. Hell, there's also Hashcash, an early proposed anti-SPAM measure for e-mail using just proof-of-work. (Since this is just burning CPU though, it probably isn't effective in the modern world of most people using low-power mobile computers and many SPAMers having access to cheap very high power computers. Might serve as a good hurdle for people trying to implement malicious bots, but it will eventually become useless if it is shown to be effective IMO.)
I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?
That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)
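Since Hashcash comes up above as the original proof-of-work stamp for e-mail, here is an added example (not code from the thread or from the Hashcash project) of how such a stamp is minted and checked. The stamp format `resource:nonce`, SHA-256 as the hash, and the 16-bit default difficulty are my assumptions; the asymmetry the thread is arguing about is that minting costs about 2^bits hashes while verification costs exactly one, and that the minting cost falls on whoever sends the request, whether that is a phone or a rented GPU.

```python
"""Hashcash-style proof-of-work stamp (added illustration, not from the post).

A stamp is the string "resource:nonce".  It is valid when SHA-256 of that
string has at least `bits` leading zero bits.  The `resource` (e.g. the
login endpoint plus account name) binds the stamp to one target so it
cannot be replayed against another.
"""
import hashlib
import itertools
import time


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a big-endian digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource: str, bits: int = 16) -> str:
    """Client side: brute-force nonces until the hash has `bits` leading zeros.

    Expected work is about 2**bits hash evaluations, paid by the requester.
    """
    for counter in itertools.count():
        stamp = f"{resource}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
    raise RuntimeError("unreachable")  # itertools.count never ends


def verify(stamp: str, resource: str, bits: int = 16) -> bool:
    """Server side: one hash, regardless of how much work minting took.

    The resource prefix check stops a stamp minted for one target from
    being presented for another.
    """
    if not stamp.startswith(f"{resource}:"):
        return False
    return _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits


def expected_hashes(bits: int) -> int:
    """Average number of hashes a minter must compute for `bits` of difficulty."""
    return 2 ** bits


def stamps_per_hour(bits: int, hashes_per_second: float) -> float:
    """How many stamps a given hash rate mints per hour.

    Compare a phone at ~1e6 SHA-256/s with a GPU farm at ~1e10 SHA-256/s:
    the difficulty that a phone tolerates barely slows the farm down.
    """
    return hashes_per_second * 3600 / expected_hashes(bits)


if __name__ == "__main__":
    resource = "login:alice@example.com"   # constructed sample target
    for bits in (12, 16, 20):
        t0 = time.perf_counter()
        stamp = mint(resource, bits)
        dt = time.perf_counter() - t0
        assert verify(stamp, resource, bits)
        print(f"{bits} bits: minted {stamp!r} in {dt:.2f}s, "
              f"~{expected_hashes(bits)} hashes expected")
    print("phone  stamps/hour @16 bits:", stamps_per_hour(16, 1e6))
    print("farm   stamps/hour @16 bits:", stamps_per_hour(16, 1e10))
```

Running it shows the practical problem raised above: a difficulty that takes a phone a second or two per stamp still lets hardware four orders of magnitude faster mint tens of millions of stamps an hour.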
> It puts a literal price on abusing a service, but how do you set that price?
Start with a nominal one and increase it until the spam problem goes away.
Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it etc.
> I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.
This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.
The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:
> Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.
There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.
In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.
Well, for solving both the UX and regulatory issues with cryptocurrencies... I'm not optimistic, but I am open to being pleasantly surprised.
On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?
A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.
Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)
If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)
This sounds like the same argument that was made for about 10 years (2000 to 2010) that micropayments would save traditional (print) media in a digital world. It didn't work due to market fragmentation and friction to make a payment.
And, the reality of your fancy idea is that normie users would turn away if they made a mistake on the CAPTCHA and were suddenly presented with a screen "charging" them one pence.
This isn't about "making a mistake on the captcha", this is about charging them one pence for every attempt and just not having a captcha.
It's an entirely different sort of system, and it would require a cordoned off section of the Internet to implement it top-down, but it's technically viable.
The defining insight here is how many orders of magnitude difference there is between the "That price is negligible" threshold for a human being, and the "That price is negligible" threshold for an automated system. Sure there are adoption issues, but for all applications where there are several orders of magnitude difference, such a system makes some degree of sense.
Don't think it's going to work, except in the smallest forums?
According to a random page on internet [0], companies pay in $2-$6 range per 1000 ad impressions. If one pays $0.01 to bypass captcha and just 10 people see the resulting spam post, that's already $1 per 1000 views - much less than facebook charges. This becomes even more lucrative if the ads are expensive or there will be more than 10 people looking at the ad.
It looks like you'll want much higher costs than that, which will make it "too much" for other users.
Would be great if the US government somehow facilitated micropayment. Either by creating their own system or removing the capital gains reporting requirements on crypto (maybe up to $10k/year).
If micropayment is such an amazing solution to these problems, why haven't we seen a working solution after more than 20 years of talking about it? Why doesn't HN have multiple competing micropayment startups? To me, the results speak for themselves.
Another outcome that I could never understand: The original conversation was micropayments for traditional print media that was moving into the digital age. Why didn't they all band together to create an industry standard that defined (and possibly administered) a micropayment system? In the end, paywalls were the solution, and winner-mostly-takes-all when print moved to digital. Look at the decline in medium to small newspapers in the last 20 years in the US. It is devastating, but a few national, major newspapers are doing OK.
You are talking about appreciable micropayments for appreciable amounts of entertainment from small creators.
And I would argue we did get those in the form of subscriptions in Patreon, Onlyfans, Buy Me A Coffee, et al, or in the co-op world of Nebula. We didn't get them down to very low fee structures because we've designed our payment infrastructure with the intent of supporting a profitable company called Visa, Inc, to which we've offloaded a number of different functions of that a government mint / treasury / post office would normally perform. And because lots of revenue on these sites comes from whales, people with outsized income in a country with a great deal of wealth inequality.
What I am talking about is TINY micropayments just for human authentication purposes. Because what we've had so far in the realm of, for example, spam email, involves sending off messages at a CPM of less than a tenth of a penny. Imposing infrastructure which pegs human authentication tasks, normally performed less than ten times a day, at a CPM of ten dollars, can eliminate most applications of automated systems and eliminate the annoyance of captcha, while costing the human less than ten cents. There are no whales in the login space.
Although solving a captcha can be translated into a monetary cost (often the cost of labour for a human in a clickfarm to solve it for you), the nice thing is that it's still "free" to solve normally.
If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).
Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).
Even assuming that uneven distribution is a problem, and that it was possible to make global wealth evenly distributed, it would be such a colossal undertaking that it would necessarily entail massive social upheaval and take a very long time after which the captcha problem would hardly be comparable to what we have now.
None of that is at all relevant to the point I was making. Whether you think extreme wealth inequality is good or bad, for as long as it exists, it makes paying fixed fees a poor alternative to captchas.
If you expect 99% of normal internet users to maintain a crypto wallet of any kind just to access certain websites—even leaving aside the actual cost—you're going to be sorely disappointed.
I was moderately into crypto, I mined coins including BTC; and I'll be damned if I am gunna connect my wallet to a browser, or put crypto in an escrow to pay out to avoid captchas. I'm being as polite as reasonably possible, here.
The only way this makes sense is you convert the entire planet to renewable or non-polluting electricity generation, and then when a user is on facebook, youtube, (or watch ads!), a core or 2 of their machine/phone will "mine" crypto, that can then be used somewhere else. The crypto can't be transferable - it must be "burned". Defined: When the site requests some crypto for proof, it says "send to this non-existent address" and then waits for the block to show that your wallet sent crypto to that address. This "burns" the money. In fact, a couple of cryptocurrencies tried to enforce this, as well as "proof of stake" - where if you had enough coins you could "mine" by merely having your wallet "logged in." The former is called "proof of burn".
Another thing, no blockchain block publication is fast enough for this. So now we gotta rope in lightning or some other "hack" on top. I knew when I first heard about bitcoin that there was no way that anyone was going to wait 10 minutes for any payment to go through, especially if it's under some moderate amount of money, like $20.
This doesn’t feel so much like the end of the “open web” as it does a rehash of USENET and email spam issues. Social media killed USENET, and email managed its spam issues thanks to filtering.
Email kind of solved its SPAM issues, but it came at great costs. It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures. The degree of difficulty with participating in the network does somewhat degrade its openness in my opinion.
If anything works in the favor of email it is that email is not published. It is not necessarily very private inherently, but it is at least not a system where things get broadcasted publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)
I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.
> It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures.
In the roughly 25 years that I've used shared webhosting to have my own domain name and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...
I have been running web services for around 22 years I believe. At the very beginning, I had zero problems with deliverability to most addresses. However, even early on, I do remember plenty of forums that mentioned that Yahoo! or Hotmail tended to drop their confirmation e-mails into SPAM. Smaller operators had an advantage in being lower volume; I think that gives you a higher likelihood of delivery. That said, their emails are also more likely to get caught up in SPAM filters without remediation.
Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.
Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!
Email hasn't actually fixed spam issues, it's just mitigated a big chunk of them. But I know for a fact that I still mark emails in my inbox as spam on a regular basis, and still dig legitimate emails out of my spam once in a while.
> validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
Not only untenable because of the privacy invasion but also because there are too many users who are willing to click on whatever for a chance to win a prize and thereby authorize use of their identity for spamming.
> approaches like Web Environment Integrity and Private Access Tokens
That stuff never works because the spammers only have to break one model of one popular device. The people proposing it are snake oil salesmen or platform companies that want to use it for lock-in, because spammers spend the resources to break the system but normal users won't put up with the inconvenience, which locks out competitors and interoperability.
> Accountability of network operators
This largely already happens. Disreputable IP blocks get banned. But then you get a botnet with users on ISPs with varying levels of willingness to do something about it and the ones that do something about it still can't do it instantaneously and some of the ones that don't care are in jurisdictions you can't control but are also too big to block.
The best solution is probably some kind of "pay something in money/cryptocurrency/proof of work to create an account" because normal users need a small number accounts kept for long periods of time but spammers need a large number of accounts that get banned almost immediately, which is exactly the sort of asymmetric cost structure that results in a functioning system.
> I hope we can end the CAPTCHA experiment soon. It didn't work.
Well it sort of worked before we got modern AI image recognizers, but even then they had to continue making the challenges harder to keep up with the recognizer software.
Now the damn things have crossed over into the domain of "easier for a machine to solve than a human" so they're worthless for their original purpose.
Yeah but filtering out mindless bots is even easier than loading a bloated mess of JS: a simple form question that you believe 100% of the valid users will be able to answer should be good enough to stop almost all of those low-level bots. I use that approach all the time.
Some day this luck will run out, but for larger entities that experience targeted malicious traffic it's never really been a viable approach.
> Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
What about zero knowledge proofs? Those with typical cryptocurrency wallets could leverage existing extensions. Everyone else can download an open source extension that sends the proof and an open source way to verify proofs but is unrelated to cryptocurrency. While a robustly decentralized chain like Bitcoin and Ethereum would be a good place to verify proofs, no reason a non-cryptocurrency solution can't also be available as well for the cryptocurrency-averse. And for the tech-averse, a phone number to call/text to walk the person through sending the proof via phone that would cost a tiny bit--and could also help the tech-averse with setting up an extension going forward?
A start would be asking which kinds of websites even need a CAPTCHA in the first place. Why does just viewing websites with static content ever need to result in a captcha prompt?
That I think is just to try to prevent scraping, probably mostly from people training AI models. I don't really think anti-scraping mitigations are a good idea and I'm hoping that problem some day solves itself.
"for pennies" is a lot more expensive than 0, and that matters at scale.
Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.
If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.
Going from 0 to 100k is often "good enough" to make these things uneconomical.
Actually, I oversimplified. In most cases you don't have to pay $.01 per CAPTCHA. It's usually a fraction of a penny per CAPTCHA.
So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.
Feels like another option would be to bootstrap off of authenticated users, some sort of reputation system. It would still allow for anonymous users, but the expectation would be that they would be treated as suspected spam unless they receive sufficient endorsement from actual verified users. The verified users could be held accountable for the endorsements they provide up to a certain point, and the anonymous users would be able to remain anonymous assuming verified users consider them good citizens.
The endorsement and verification would need to be continuous, or else the anonymous users will sell their accounts for the value of the accrued positive reputation. I.e. what people already do with Reddit accounts that accrue a lot of karma.
In the past 3 years, every morning I wake up I open the news, and I hope that I will see the following headlines: "Some guy figured out how to use AI to detect bot traffic with 100% accuracy, captchas became obsolete and banned worldwide with immediate effect"
And every morning my day starts with disappointment.
I had an idea about an almost-privacy-preserving system by involving government ID and blind signatures:
1. The service passes a random string to the user.
2. The user authenticates to their government and asks the government to sign it.
3. The government applies a blind signature which basically says "this user/citizen hasn't registered an account in the last 60 minutes".
4. The government records the timestamp.
5. The user passes the signature back to the service.
Upsides:
* Bypassing this would be orders of magnitude more expensive than phone numbers.
* Almost private
Downsides:
* Won't happen. Remote HW attestation is likely to win :(
* The service knows your citizenship
* The gov knows when and how often you register.
* Any gov can always bypass the limits for themselves.
I think it may be also possible to extend it so that the government attests that you have only one account on the service but without being able to find which account is yours.
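The five-step protocol above, worked through as an added example (not code from the post). It uses textbook RSA blind signatures: the user blinds the service's challenge before handing it to the government, so the government signs something it cannot read and the service receives a signature it cannot tie to a citizen. The toy 60-bit modulus built from two well-known primes, SHA-256 for the digest, the `Government`/`Service` class names and the fixed-window rate limit are my assumptions; a real deployment would use a 2048-bit key and a standardised construction such as RSA blind signatures (RFC 9474) rather than this raw-RSA sketch.

```python
"""Blind-signature gated registration (added illustration, not from the post).

Step 1: service sends a random challenge.
Step 2: user blinds H(challenge) and asks the government to sign it.
Step 3: government signs only if this citizen has not registered in the
        last 60 minutes (the signature "means" the rate limit was met).
Step 4: government records the timestamp.
Step 5: user unblinds and hands the signature to the service.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key from two known primes.  Never use a modulus this small for real.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the government
WINDOW_SECONDS = 60 * 60             # "hasn't registered in the last 60 minutes"


def _digest(challenge: bytes, service_id: str) -> int:
    """Value that gets signed: bound to this service and this challenge."""
    h = hashlib.sha256(service_id.encode() + b"|" + challenge).digest()
    return int.from_bytes(h, "big") % N


class Government:
    """Knows who asked and when (the post's downside), but not what it signed."""

    def __init__(self) -> None:
        self.last_signed: dict[str, float] = {}   # citizen -> timestamp (step 4)

    def blind_sign(self, citizen: str, blinded: int, now: float):
        last = self.last_signed.get(citizen)
        if last is not None and now - last < WINDOW_SECONDS:
            return None                            # step 3: refuse, too soon
        self.last_signed[citizen] = now            # step 4
        return pow(blinded, _D, N)                 # blinded value looks random


class Service:
    """Issues challenges, verifies signatures, never learns the citizen."""

    def __init__(self, service_id: str) -> None:
        self.service_id = service_id
        self.pending: set[bytes] = set()

    def challenge(self) -> bytes:                  # step 1
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def register(self, challenge: bytes, signature: int) -> bool:   # step 5
        if challenge not in self.pending:
            return False                           # unknown or already used
        ok = pow(signature, E, N) == _digest(challenge, self.service_id)
        if ok:
            self.pending.discard(challenge)        # one account per challenge
        return ok


def register_account(citizen: str, gov: Government, service: Service,
                     now: float) -> bool:
    """The user's side of steps 1, 2 and 5."""
    challenge = service.challenge()
    m = _digest(challenge, service.service_id)
    while True:                                    # blinding factor r, coprime to N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N               # step 2: gov sees only this
    s_blind = gov.blind_sign(citizen, blinded, now)
    if s_blind is None:
        return False                               # rate limited
    signature = (s_blind * pow(r, -1, N)) % N      # (m*r^e)^d * r^-1 = m^d
    return service.register(challenge, signature)


if __name__ == "__main__":
    gov, svc = Government(), Service("forum.example")
    print("first registration:", register_account("alice", gov, svc, 0.0))
    print("10 minutes later:  ", register_account("alice", gov, svc, 600.0))
    print("an hour later:     ", register_account("alice", gov, svc, 3600.0))
```

Two things the code makes concrete that the prose leaves implicit: the government's record is only `citizen -> timestamp`, so it learns the registration cadence but not the service or account; and the service only ever checks the signature against one government's public key, which is exactly why "the service knows your citizenship" is unavoidable in this design.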
> Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
I see this point constantly made on the echo chamber that is known as HackerNews. The average normie user does not care about anonymity, nor privacy, on the Internet. They want a smooth, fun experience. The solution is secure boot plus attestation via some browser JavaScript API. If you want even less friction, users are required to register their devices with a gov't agency, then their attestation will carry more value.
Really, why don't we see HN crying about the need to show a national ID (and register) when buying a mobile phone? I never once saw anyone complaining about it here. Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone. It only takes a few more terrorist assholes to close that door permanently.
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone.
I regularly (1-2x per year) buy prepaid SIMs in Canada, USA, and Japan. None of them require an ID and I often even pay cash.
I'm sure you are right that they'll eventually be requiring ID, but you are wrong to imply that these countries aren't highly developed.
It's not the average person's job to make sure that the world isn't fucking them raw. People have limited attention and limited time, not everyone can care about everything.
Nobody else is going to step in and hold the line when it comes to digital privacy rights. It's on people like us who care. This is why organizations like EFF need to exist.
No, you're describing what the California tech echo chamber wishes an "average normie" was, i.e., stupid and compliant, and what they're always aggrieved never really exists in practice, having managed to inculcate only some moderate learned helplessness over time, and with "stupid normies" constantly attempting to fight back via law and politics.
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID?
Canada maybe? [I'm 80% sure that] Public Mobile will sell you a prepaid sim card at the counter. You could pay cash, and set your caller ID to a fake name.
If we're talking about mobility plans, the identity requirement is more about the credit check they might want to do than anything else.
> why don't we see HN crying about the need to show a national ID ... when buying a mobile phone?
Mmm, very possibly because there are at least a few ways to get a phone without using any ID. I picked up a used phone about a year ago, and use Tello. Tello had 0 info on me for years, only an old UPS box that I got the card delivered to. I eventually gave them my first name so Caller ID was correct, but short of that or putting in a correct address if you want 911 support, there's no reason to need any valid info with them. They don't do credit checks, just prepay.
> The solution is secure boot plus attestation
That's the second option they presented "Closing the platform". The issue with all these options is that it consolidates power, and thanks to already partially consolidated power, any option selected will, by necessity, obligate everyone to partake, whether or not they are ok with it.
> The average normie user does not care about anonymity, nor privacy, on the Internet.
It's true that often "normies" don't care (or at least think they don't care, but that's a completely different point I don't feel like trying to make), and it's also true that often "normies" don't want the status quo changed. But often "normies" also ignore when people are kidnapped due to their heritage being revealed. Is it acceptable to actively create a hostile environment for people already disadvantaged? Do we gain something worth their safety? Who gains from this higher level of scrutiny?
If we look at the smaller web, most sites never get enough traffic to be under active threat, and passive threat is easy enough to quell using honeypot forms and questions. Maybe the "normie" internet is the problem. Passive people passively consuming. "Normies" love watching stolen content, and praise thieves for harassing anyone who points out that what they're doing is wrong. "Normies" enjoy watching someone livestream themselves flying down a highway at 100 mph over the speed limit.
I think maybe we should acknowledge that what we're defending with things like hCaptcha is not actually worth defending. Maybe the "normal" internet does need to be deprecated over "small" internet? We did pretty good before with things like Wikipedia. The "small" internet from before had a lot of chaff, but good things have grown from it, and a lot of it still exists as a "small" internet. Maybe it's ok that we have a lot of "crap content", so long as the internet can keep changing?
meh, continuing the pearl clutching and asserting there has to be some general "solution" is itself part of the problem. The sheer majority of captchas I come across are while browsing essentially static content. If simple source IP based rate limiting can't keep the server load at something manageable, then the real problem is with how the site is built. And adding even more bloat to address another managerial bullet point is exactly how it got that way.
- I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find a general solution. Especially one that is cheap. I still hope for the least user- and ecosystem-hostile approach among the flawed approaches to win. (I guess of the ones I listed, the one that bothers me the least is having more policing of the service providers.)
- CAPTCHAs from static content are almost assuredly for anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but, an effective anti-scraping measure kind of has to work off of reputation, because getting access to a very large number of IP addresses isn't free, but it doesn't cost that much (especially if IPv6 is on the table.) I personally doubt it has much to do with server load in most cases, but maybe I am wrong.
There are indeed many powerful motives supporting the march of technological authoritarianism. But validating the narratives about why ever-more control is needed is a form of support, which we should avoid doing.
Rather we need to recognize that they're merely instances of the same old authoritarian fallacy of more control promising better outcomes, because what increased control ends up ruining cannot be enumerated. In actuality, reducing independent autonomy stifles invention and suffocates society.
"Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.
I think, unfortunately, most accessibility options are not intended to actually be used.
If you are a government or bigco, accessibility is part of your baseline requirements. You must be able to say: Yes, we are accessible. Otherwise, the public will cause a stink.
So you take your list of vendors, and remove any that don't say they enable accessibility. Vendors know this and make sure they say they are.
Meanwhile, it is a hard-to-get-right feature, only applicable to a small part of your userbase. Multiple disabilities require different affordances. No developer on the team really understands the actual requirement.
The people requiring accessibility will go somewhere else, or grumble and make do. Neither will be detected on any metrics board.
This combination promotes shelfware: Things you buy and put on a shelf somewhere but never really use.
> I emailed back a day or so later, requesting an unban because, y'know, I actually *am* blind, but they gave a pretty canned response of no, your account is remaining banned.
Do I understand correctly that hCaptcha has created an accessibility problem that's denying this blind person access to all sorts of Web sites?
Is there an ADA angle here, for many customers of hCaptcha?
Why are captchas even a thing still?
If folks want to scrape something or build an automation around something, then why not let them do it? They still have to respect the system they're logging in. Not to mention the privacy perk of not exposing your visitors to some captcha service with a dozen or more data subprocessors.
I had to add a captcha to a registration page a couple years ago. Bots were signing up for thousands of fake accounts with other people’s email addresses. The email confirmation we sent would then get reported as spam since the recipient didn’t sign up for our service. Our email provider suspended our account for high spam reports.
What is the play by the spammers here? Is it a direct attack on your website, perhaps because they were competitors? Or are they hoping that 1% of spammed email addresses will accidentally verify their email?
I hope the other lesson was the good email verification hygiene of making the user take an affirmative action and click a "verify email" button rather than sending it unsolicited.
You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.
How would adding an extra button change anything? Right now when they register we send a “verify email address” email. Adding an extra step of “click a button” makes no meaningful difference.
It took me a while to understand what GP was trying to say, but I suppose they're thinking of one of those sites where they let you create an account, will let you in and then nag you for a while about "verifying your email address" by clicking a link that will actually send you an email. An unsophisticated spambot probably won't care enough to click through that.
Not a solution.
Verification emails alone got a small web site I set up to be blacklisted within days. Most of the unwilling recipients presumably couldn't understand the language the verification email was written in and reported it as spam.
I assume you never tried to add a contact form to your website.
Explanation: I did, and within a few days bots started sending me spam using that form. I just added a trivial captcha (hardcoded '2+3=' question), but if my scale was bigger that would be untenable. Think also of PM spam, autoregistering accounts to abuse free tiers, etc.
I guess I just wouldn't have an open unauthed form and would require a CC to use the free tier. The contact-me form can just be a mailto: link and let the spammers go through the spam filter like everyone else. There are places where captchas are all you can really do, but it's not like common use-cases don't have other options.
Because despite ZIRP being long over, there are still plenty of people/companies making money off "engagement" - aka wasting a human's time. Automation/scraping/etc would go around that.
I feel folks forget that whatever captchas do (or a large portion of), can be a library without the need for a strange, inaccessible 3rd party service call.
Captchas are used for many things, and the reason they are still a thing is because they mostly work. Especially fingerprinting invisible captchas.
Try having a login form without a captcha and you'll realize you are capturing 100s of users every day that require you to send out a "please confirm your email address" email for each of them for no good reason.
> They still have to respect the system they're logging in.
Your trust in people is admirable, but in my experience running anything on the internet you'll realize that intentionally or not people will bombard your system until it falls over.
I think folks forget that we can add many of the safeguards captchas provide as part of whatever "form serving app" is needed without torturing our visitors to prove they can count bicycles.
I think the times of the "count bicycles" type of captcha are already counted just because of the bad user experience. Now everything is about fingerprinting, as paying to get captchas solved by humans or AI is already used everywhere if it's worth it.
Not everything is black and white. If it's cutting down 50% of the spam that does not have captcha solving robots because the effort is not worth it, that's already something.
There's a reason many sites still have very basic captchas... it's good enough for their use case.
Simple distorted-characters captchas still do a good job of catching unsophisticated bots, which is most of them. They work even better when combined with hidden form fields because these bots don't support CSS.
Targeted attacks though? You're making your legitimate users suffer only so that you defeat 99% of bots instead of 95%.
If you have any input forms they will be overrun by bots immediately. At my last job, marketing built a website and didn't tell IT. They had a "contact us" form without any kind of captcha. Took about a month to be completely flooded by bot spam.
Because it works, to some degree. It keeps away the annoying cheap bots and stupid kids. Smarter or more dedicated actors can still circumvent it, but even they are at least slowed down to some degree.
But thinking about it, maybe just putting a 20 second pause after which you have to push a button might be already good enough for all this. And every stupid bot avoiding it will get banned.
Indeed… and if it's really problematic, a client-side script can run some expensive calculations as well (the same way captchas do it), to make it extra uninteresting to target unless someone is really motivated and has the budget for it.
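The two cheap defences mentioned in this sub-thread, a CSS-hidden honeypot field that real browsers never fill in and a minimum time between rendering the form and accepting the submission, are easy to combine server-side without any third-party service. The following is an added example, not code posted by anyone in the thread: it signs the render timestamp with an HMAC so a client cannot forge "I loaded this 20 seconds ago", and classifies a submission as accepted or rejected for one of three reasons. The field name `website`, the 20-second threshold, and the form layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Signing key for form tokens. Constructed at import time for this example;
# a real deployment loads a stable secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)

MIN_SECONDS = 20          # assumed threshold: humans rarely submit a form faster than this
MAX_SECONDS = 24 * 3600   # tokens older than a day are treated as stale

def issue_form_token(now=None):
    """Return 'timestamp.signature' to embed in a hidden input when the form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"

def render_form(token):
    """Render the form. The 'website' input is the honeypot: hidden by CSS, so a
    browser never shows it and a person never fills it; a naive bot filling
    every field it finds will."""
    return f"""
<form method="post" action="/contact">
  <input type="hidden" name="form_token" value="{token}">
  <div style="display:none" aria-hidden="true">
    <label>Website <input type="text" name="website" autocomplete="off" tabindex="-1"></label>
  </div>
  <label>Message <textarea name="message"></textarea></label>
  <button type="submit">Send</button>
</form>"""

def classify_submission(form, now=None):
    """Return 'accept', or 'honeypot', 'bad_token' or 'too_fast' for a rejected submission.

    `form` is a mapping of POSTed field names to values; `now` is injectable for testing.
    """
    now = now if now is not None else time.time()

    # 1. Honeypot: any content in the hidden field means the submitter was not a browser user.
    if form.get("website", "").strip():
        return "honeypot"

    # 2. Token integrity: the timestamp must be one we issued, unmodified.
    ts, _, sig = form.get("form_token", "").partition(".")
    if not ts.isdigit():
        return "bad_token"
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad_token"

    # 3. Timing: reject submissions that arrive faster than a person could type, or far too late.
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "bad_token"
    return "accept"

if __name__ == "__main__":
    token = issue_form_token()
    print(render_form(token))
    print(classify_submission({"form_token": token, "website": "", "message": "hi"}))  # too_fast
```

Two caveats a practitioner should keep in mind: the token is not single-use, so a bot that fetches the form once, waits 20 seconds, and replays the token for thousands of posts will pass the timing check (storing issued tokens and consuming them on first use closes that); and the honeypot must be hidden with CSS or `aria-hidden`, never with `type="hidden"`, because screen readers honour the former and a hidden input would be skipped by the very bots it is meant to catch.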
Captchas have been obsolete for the past decade plus.
With solving services like DeathByCaptcha and AntiCaptcha, it takes seconds to solve them. It costs something like $1.90 per 1,000 successfully solved captchas using human typers and OCR. It can easily be rolled into your code with a few lines.
But surely, it's only going to get worse: it will force the de-anonymization of the internet. You already have to provide a phone number for many services.
If websites can't trust that their users are authentic they will probably institute even more intrusive checks.
I haven't been optimistic about the future of technology for a while now. :'(
In the future I think we will again go to "notarization"/"attestation" of the operating system / hardware.
Essentially, the manufacturer of the device + operating system will generate a unique signature per each device, and web browsers will be able to access it.
I'm very grateful the WEI proposals were put down. It'd have an enormous privacy impact on normal users, and not give that much protection against bad actors using device farms & similar tools.
But the WEI proposals were never about protecting from bad actors with device farms. They were always about guaranteeing that a certain ad company who also makes browsers can always push ads to users, thus maximizing value for shareholders. Protecting from device farms was just the bait.
Oh, the really bad part of WEI is not the privacy impact.
The real thing is the gating of every kind of information exchange and treatment in the hands of a few entities, that get the power to say who will participate in those activities and doing exactly what.
That is, the complete elimination of the freedom of association and initiative from our society. At least around any one of those that involve computers.
I believe the plan was to ask the TPM of the computer.
From what I understood, each TPM has a unique private/public key pair (Endorsement Key (EK)), and then this key is certified by the manufacturer of the TPM.
From there, you can generate an Attestation Key (AK), and these keys are signed by the EK.
As a blind person, I genuinely believe that hCaptcha, being as terrible as it is, is still the best solution among the ones that we can physically achieve in the world as it exists right now.
Audio captchas don't work for people with hearing issues and/or who don't speak your n supported languages, where n is usually <10. I've had to help people out with these over the phone, it was not fun.
Even for people for whom they do work, it's worth keeping in mind that bots can solve them by now, and so users whose activity looks too fraudulent, who are still given access to the visual captchas, have to be blocked from using the audio ones. I have also seen this happen.
Text captchas are a non-option by now, they're very easy to solve with LLMs, and the way they have to be phrased makes it impossible to align LLMs not to solve them, like you can do with the visual ones.
Google's ReCaptcha can get away with having no actual challenge for most users, blind or otherwise, but that's because they're Google, they do enough user tracking that they don't actually need a captcha. Google is the only company that can get away with this, and even for them, it doesn't work in all situations, even when the user fully trusts Google and has not adjusted any privacy preferences.
Sure, you could stop using captchas entirely, if you're fine with receiving dozens of viagra ads on every single platform each day, abolishing all "contact us" and comment forms on the internet, having a significantly higher credit card fraud rate (which translates directly to higher prices and a much worse experience for consumers), and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest. Unsurprisingly, most users are, in fact, not fine with this.
> and getting all your semi-public records and social media activity immediately
> scraped by shady companies and sold to anybody who expresses any interest.
Public content on the Internet should be scrapable. That's what public means.
The fact that my reddit posts were publicly available never bothered me. Even if they were going to be used to train some LMM.
What does bother me is reddit locking up my posts and making exclusive deals with Google to train Google's LMM.
Preventing scraping isn't good for the average user; it is good for the company that wants to take content created by said user, lock it up, and sell it to their buddies.
> Public content on the Internet should be scrapable. That's what public means.
Not necessarily, especially if you want to expose some relationships in one direction while hiding the other.
Imagine your government creates a CNAM-like[1][2] system that lets you enter a phone number and see its owner, to see who is calling you and whether a number you're given is legit. However, they do not want to let you see a person's phone number just by entering their name.
If there's no captcha, an unscrupulous actor, registered in the Seychelles and unconcerned with your country's laws, can just scrape all possible phone numbers and offer a "reverse lookup" service.
In a way, the number/name records are public information, after all, the government lets you query them without authentication, but in a way they aren't, because you're only permitted to query them in a certain way.
Variations of this problem have appeared many times, particularly across Europe, usually with company numbers, property deeds and such.
And the very angry email that I (probably unwisely) just dashed off to support@hcaptcha.com:
"So I've been trying to sign in repeatedly to set the accessibility cookie since last night. Every time I click the submit button, I get the useless error message "an error has occurred, please try again".
My friend, who shares my roof and my static IP, got banned from hcaptcha's accessibility service last year for being too smart to be blind. And I suspect you all have banned our IP and not just his account.
For the record, my static IP address is (redacted).
Please let your bosses know that I plan to pursue legal action against hCaptcha and/or amplify the truth to destroy its reputation in the public square. I will also be reaching out to websites who utilize hCaptcha, letting them know that the captcha provider they employ is refusing to provide reasonable accommodations to blind people.
Whether it be with the force of law or the force of satyagraha, your bosses are going to get a message and we will win."
It's quite unpleasantly often that I hear stories about accessibility accommodations being removed by someone considering themselves the sole arbiter of disability.
Please just let me link some kind of government-backed ID to an email account and then clients can ask "hey government, is this email account a real human being in your country"? And government can say "yes" and they can go forward knowing that if I turn out to be a bot and they ban me it will be a huge pain in my ass because I've got to go through the government enrollment process again.
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.
These things have one job. Any time they fail to identify a human, they have failed at their job. How they go about administering the test, and (to a large extent) what the human does in response, should be irrelevant. I know that's hard, no-one said the job was easy, and the companies developing them are the ones making claims about their efficacy.
If you want to block 100% of bots, don't put your stuff on the Internet. If you want to block bots and allow humans then you're going to have false negatives. Failing to acknowledge them is dishonest.
None of which stops me filling them out when I encounter them, but I don't have to like it.
If you're in Europe, consider filing a GDPR complaint with your local data protection authority. One of the rights recognised in GDPR is the right to rectify information about you, and it was clearly not afforded by the provider here.
I am also blind. hCaptcha is the worst. Their stupid cookie expires so I have to go through their getting an email to set the cookie almost every time I encounter one. It's a horrendous UX, especially when using different devices and browsers. I imagine others just give up instead of dealing with the crap. They shouldn't use the word accessibility when their whole service is the exact opposite.
The bots can probably solve them easier than blind people anyway, or they can outsource them to third world workers for next to nothing. E.G. Anticaptcha [0]:
> Starting from 0.5USD per 1000 images, depending on your daily spending volume
[0] https://anti-captcha.com/
Believe me, hCaptcha isn't much better even if you're not blind! They show me minuscule images which are barely distinguishable from each other. It manages to be much worse than reCaptcha, which is some achievement.
I'm not blind, but do have visibility issues. I can get by on my phone with maxed text size, etc. The pictures for hcaptcha are horrible... I keep having to zoom in and out. It's almost as bad as modals that flow off screen.
It sucks more when you work in the space and take a lot of care to usability. It's not that hard most of the time.
I have the complete opposite experience. I'm not blind, but I use Tor, VPNs and a non-spyware browser, which is probably worse lol. Google captcha most of the time sends me into a loop that does not stop and always fails regardless of how right I am for 3+ minutes. Meanwhile hCaptcha lets me pass if I simply correctly fill out 1-3 captchas.
What's the best captcha regarding accessibility?
None.
There are no "best" version of captcha. I've worked on several large scale projects where captcha was floated and then quickly abandoned in favor of other methods like Honeypot or using other methods to weed out bots and other 3rd party agents.
If you have to use captcha the least worst are probably reCaptcha V2 and hCaptcha for accessibility.
What were the chosen choices? Curious to know
I'm OK with reCAPTCHA, but uh... Just not a fan of Google!! I'm an expert reCAPTCHA solver.
Brave PoW captcha maybe? Because it requires no input/interaction from the user.
I don't understand why PoW solutions aren't more popular.
I don't think there is any PoW that results in acceptable performance for the user (especially on mobile) while also making the cost for an attacker high enough to deter them.
Even renting the compute on AWS, it only costs $0.01 per minute for the equivalent of a decent desktop computer (c8g.4xlarge). While an attacker will likely either use a botnet, or hardware better suited for solving the PoW than the hardware the user is using.
Though CAPTCHAs don't really work well anymore either, since solving services are quite cheap. Recaptcha is nowadays primarily based on other factors, like IP reputation, susceptibility to google tracking, and behavioral scoring.
Most people engage with web content on relatively low powered machines. If you tune them to be tolerable on a 4 year old mid-range android device, there isn't much cost incurred on a threadripper.
I'd never heard of them before getting them while using Brave search sometimes, I'm not sure I entirely understand how they work and differentiate between a bot and human.
They don't differentiate. They just make it too expensive to be worth paying for the resources required to carry out a spam attack at any meaningful scale.
Oh that makes sense, neat way of doing it. Basically adds a delay while also costing CPU resources.
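The exchange above (and the "expensive calculations" remark further up) describes the mechanism rather than showing it, so here is an added example of a hash-based proof-of-work challenge; it is not the Brave, prosopo or mCaptcha implementation and makes no claim about their parameters. The server issues a random nonce with a difficulty and an HMAC tag binding the two, the client brute-forces a counter until SHA-256(nonce || counter) starts with enough zero bits, and the server verifies with a single HMAC and a single hash no matter how high the difficulty. The difficulty values, the 8-byte counter encoding and the tag construction are assumptions for illustration.

```python
import hashlib
import hmac
import os
import struct

# Server-side key that binds the difficulty to the challenge so a client cannot
# lower it. Constructed per process here; a real server loads it from configuration.
SERVER_SECRET = os.urandom(32)

def make_challenge(difficulty_bits, nonce=None):
    """Server: issue a challenge. `nonce` is injectable for deterministic tests."""
    nonce = nonce if nonce is not None else os.urandom(16)
    tag = hmac.new(SERVER_SECRET, nonce + bytes([difficulty_bits]), hashlib.sha256).digest()
    return {"nonce": nonce, "difficulty": difficulty_bits, "tag": tag}

def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits

def solve(challenge):
    """Client: brute-force a counter. Returns (counter, hashes_tried).

    Expected work is about 2**difficulty hashes; this is the cost the page is
    talking about when it says PoW 'adds a delay while also costing CPU'."""
    counter = 0
    while True:
        digest = hashlib.sha256(challenge["nonce"] + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= challenge["difficulty"]:
            return counter, counter + 1
        counter += 1

def verify(challenge, counter):
    """Server: constant work regardless of difficulty (one HMAC, one SHA-256)."""
    expected_tag = hmac.new(
        SERVER_SECRET, challenge["nonce"] + bytes([challenge["difficulty"]]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_tag, challenge["tag"]):
        return False  # nonce or difficulty was tampered with
    digest = hashlib.sha256(challenge["nonce"] + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(digest) >= challenge["difficulty"]

def expected_hashes(difficulty_bits):
    """Mean number of hashes a solver needs; verification always needs exactly one."""
    return 2 ** difficulty_bits

if __name__ == "__main__":
    ch = make_challenge(16)
    counter, tried = solve(ch)
    print(f"solved after {tried} hashes (expected ~{expected_hashes(16)}); verify={verify(ch, counter)}")
```

The asymmetry is the whole point: the defender pays one hash per submission while each sender pays roughly 2^difficulty. It is also why the objection in this thread stands: the difficulty is capped by what a low-end phone can tolerate, and an attacker with rented or botnet CPU pays the same per-submission cost as that phone, so PoW raises the price of volume rather than distinguishing humans from bots. In practice the server must also remember which nonces have been redeemed, otherwise one solved challenge can be replayed.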
First of all, why should I want them to set a cookie on my system? I don't want them to do that. Yeah, I do use session cookies. However, I shouldn't have to have a company set one on my system to get around their stupid CAPTCHA!! In other words, I shouldn't have to disclose anything to them. I could be an AI for all they care.
The title kind of makes it appear far less of a problem than it actually is, because according to the article, hCaptcha made multiple rude and evidence-free accusations of lying despite the author actually being blind.
Remember that from hCaptcha's point of view, by this point they've probably dealt with hundreds of other people claiming that they are blind when they really aren't, so their bots will work.
This isn't a defense, just an explanation... but it is also an explanation of why the entire idea of "we'll not give blind people a way past the CAPTCHA but just give a pass to 'real' blind people so we can pass ADA", which is that it should have been transparently obvious that this approach is completely infeasible and unscalable. As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.
This shouldn't have gotten deployed and then become a problem; it should have been a 5 minute diversion in the meeting where it was proposed to analyze that it's completely infeasible and never made it to so much as the design phase, let alone the deployment phase.
If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself! The whole idea intrinsically depends on having a stronger solution to the problems CAPTCHAs are meant to solve than the CAPTCHA system itself provides... it's fundamentally a logically unsound idea.
This is a problem so chronic across so many fields that I wish there was a single term to describe it.
User POV: "Wow, provider is a really shitty entity and had no respect for my legitimate problem."
Provider POV: "We get a huge number of illegitimate claims identical to legitimate ones regularly, the system would collapse if we didn't do heavy triage, the problem is the level of abuse, not a moral bankruptcy on our part."
I suppose "this is why we can't have nice things" captures some of it.
The actual problem is that Provider real POV is actually: "We already do the bare minimum required by the law and you are too insignificant to damage our reputation. It would actually cost our shareholders money to do more so please go die in silence somewhere else and stop bothering us. Replying to you costs us money too."
This kind of article is actually useful because it raises the risk of actual reputational damage thus encouraging companies to do more.
What users don't see is that a single good actor will make, at most, a dozen such claims in their life, while a malicious one might literally make hundreds of them a day. The scales are different, by orders of magnitude.
It's not unimaginable that just 0.001% of your users (in terms of actual humans / entities physically using your service) are fraudsters, but 99% of your signup or login attempts / interactions with your service / "I'm not a fraudster, pinky swear" support claims are fraudulent.
“Moral bankruptcy” seems like a quite apt description of the state of affairs of being unable to afford to operate morally at a given level of scale.
Scaling is not a right.
> Scaling is not a right.
God I wish this could be plastered in letters 1000 feet high above Silicon Valley.
This is just an indication that their process is wrong. (Or in this case, their entire reason to exist is wrong.)
In cases like this the provider is someone I don't want to have any business with in the first place. I don't care how hard reliable CAPTCHAs are to implement and as a user I shouldn't have to.
The problem is that this very problem also happens simultaneously in the reverse direction. i.e. people have to deal with so many awful entities screwing them over due to sheer self-interest, negligence, or even malice, that they have a hard time knowing which ones legitimately are trying their best and genuinely don't have a better solution.
That's what happens when trust erodes, and why we can't have nice things.
If anyone should be more understanding and absorb the costs to appease the other, it's probably the big corp, not the little guy.
> As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.
In several countries, the government issues certificates of blindness [1] which grant access to certain extra types of support. We don't want severely vision-impaired people being forced to drive, after all!
So there are legal standards for what exactly blind is, and certificates.
The question is whether tech companies are inclined to hire enough people to wrangle the paperwork involved in checking such certificates, worldwide.
[1] https://www.mass.gov/info-details/benefits-for-people-who-ar...
If "having a government identity" was a solution to the identity problem, it would be solved.
It is not solved.
That is at most the beginning of a solution to the problem.
And in practice, it is little more than the beginning of the problem, as the government's definition of blindness is very unlikely to be a precise match to "has problems completing our visual CAPTCHA", and if multiple governments have standards there is no chance they will match.
Do not underestimate the resilience and resourcefulness of scammers. They aren't just some individuals here and there who decide one day that they could make a couple extra bucks spamming people, and just sort of start sending out whatever scam strikes their fancy. They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system. They're thousands of people dedicating their full human-level intelligence to the task of defeating your system and extracting the value from it. They are not as easy to defeat as "let's just put the obvious certification in place", for the same reason that the CAPTCHA problem isn't solved with "Let's just issue everyone official identities".
> They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system.
I don't know about your country, but in my country the government is pretty keen on avoiding abuses of the benefits system. After all, a blind person gets tax breaks and cash benefits totalling about $5000/year.
So the existing system is used to dealing with financially motivated adversaries. I doubt the additional financial motivation of being able to bypass hCaptcha would mean much, in comparison.
I'm sure some rural country somewhere would start selling certificates en masse the moment this is implemented.
> So there are legal standards for what exactly blind is, and certificates.
In the USA, people are not yet required to provide identification when signing up for "free" services. There are real concerns around privacy.
A certification of blindness is exactly one of those privacy concerns, being a medical issue. You think it would be a good idea to give that private information to the criminal organizations of big tech?
These are already users that want to let the company know that they are blind in order to qualify for special treatment. In that case showing the certificate doesn't seem to be much of an extra privacy issue to me.
Accessibility isn't special treatment! As I said before I would never provide proof of identity to simply access a website.
> Accessibility isn't special treatment!
Perhaps not in all cases, but it can be. This article is literally about special treatment for accessibility purposes.
It's of course debatable if this is how things should be, but that's another discussion.
Nah, it's the companies that are demanding proof over what's basically sane treatment rather than users wanting to surrender their medical info.
I would have a privacy concern with it, and then you're going to force everyone to do verification. Age verification isn't even passed here in the US, although a lot of companies do it. They wanted to make it law over the last couple years.
This is a moot point anyway because the Americans with Disabilities Act bans businesses from asking people about their specific disabilities. Asking for proof of blindness will almost certainly be in contravention of that.
> something far more valuable than the CAPTCHA system itself
In terms of CAPTCHAs being valuable – the other day I couldn’t for the life of me solve a captcha. It was one of those “Solve the implicit question in the picture” kind where it can be hard to tell what it’s even asking you to do.
So I took a screenshot and put it in chatgpt. Got it right immediately.
The real detection mechanism is that you’re moving your mouse, thinking, and generally being slower than a bot anyway. The captcha itself is just a pointless annoyance.
I am perfectly happy with having to prove that I am blind to get my bus pass, but if it was necessary to access a website I would just not use that site. Let's hope it never gets that bad. There's always Anticaptcha to fall back on, but I hate their business model.
What is your suggested alternative?
Audio captchas are inherently discriminatory to those with hearing issues or those that don't speak the 5 supported languages. They're also somewhat easy to solve with ASR models now. Text captchas are incredibly easy to solve with LLMs.
The only other alternative I see is some incredible tracking / surveillance machine (think an actual non-browser app that you have to run on your computer), but is that really what we want?
I'm actually pretty okay with the zero click cloudflare dealios and prosopo PoW captchas. You can make websites that simply do not have visual puzzles on them at all.
Every now and then turnstile does get a little borked but I can honestly say that I would rather just do without whatever I was trying to do than click 7 motorcycles. Hcaptcha and recaptcha are becoming my personal brown M&M indicator for additional bad user experiences in a given web property.
> If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself!
You are unfortunately describing worldcoin.
Worldcoin? Government issued auth service is a viable option too. Just get some flag like "isBlind" in it. Disabled status is granted by the government after all.
Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to. Another recent one sticks out where they asked me to pick a shape as the same number of conoids on screen. If you ask people on a street what a conoid is, I bet a significant amount will give you blank looks.
Also at least now I know some people call those markings crosswalks
Sorry I live in the west, what's a "crosswalk"
Did you mean to say
> not everyone lives in the USA
Other things I don't have a clue about - a fire hydrant, yellow taxis, yellow buses
(Obviously I do, because of American cultural imperialism through things like Captchas which mean the world has to understand American cultural touchstones)
I distinctly remember a captcha which asked me to identify fire hydrants. Some of the pictures were hydrants, while others were standpipes. These are different things, and I answered accordingly.
The service refused to acknowledge my humanity until I relented that a standpipe was a hydrant. If at some future date any of us burn to death due to an automated fire truck that misbehaved due to this, we’ll know why.
Yup - I recognize this problem. I am a motorcyclist and I frequently have to grit my teeth and misidentify scooters as motorcycles if I want to get past captcha.
For non-bikers, a scooter has an automated gearbox and small wheels etc. Think vespa.
In the UK at least they are generally a different category of license, although that's because of the size of a standard scooter engine.
Except scooters are literally motorcycles? From Wikipedia:
> A scooter (motor scooter) is a motorcycle with an underbone or step-through frame, ....
Scooters are often legally motorcycles as well. For example, I had to get a motorcycle endorsement on my license for a scooter I owned, because the engine displacement was too large for the extremely restrictive "moped" category in my state.
Of course as a scooter rider you say it's a motorcycle. That wiki entry was probably written by a scooter rider also. ;-)
I actually feel a fellowship with all two-wheel riders but don't let any other bikers know or I'll be shunned.
They're not really considered as such by motorcycle people, for decent reasons too. Scooters generally have rather different ergonomics and controls, notably CVTs rather than manual transmissions for "proper" motorcycles. Overall a pretty different experience to ride. There's not really a good umbrella term, either, though.
I live in Vietnam where the entire population drives small motorbikes or scooters. There's no defining feature except for having a cutaway to place your feet in a scooter. Even the engine placement is less of a clear thing now that many of them are electric.
There's motorbikes with scooter like controls, there's scooters with motorbike like controls. Many small automatic motorbikes feel basically identical to driving a scooter except that your sitting position is very slightly different.
Presumably an American motorcycle purist's brain would simply explode in such an environment. :)
The "decent reasons" just sounds like snobbery or a reason to feel superior. Cars are cars, whether manual, automatic, CVT, whatever. Why should bikes be any different?
I'm a big fan of two-wheeled transport in all its forms, but wow is there a prevailing toxic attitude among a large group of "true motorcycle" riders. Instead of welcoming people into the fold, it's just tribalism -- you drive a scooter, you're not a true biker; you ride a cruiser, true bikers only drive super sports; you drive an e-bike, but only loud pipes make a true rider!
Agree about the snobbery, but there is a real difference in kind between them that would be nice to have a good name for. Even if, as the other reply pointed out, they exist on a spectrum, the endpoints are pretty distinct.
My rationale is that they're teaching cars what things they shouldn't drive into, so I'm pretty liberal with what constitutes a motorcycle, including the person on top.
Classic Vespa does not have an automatic gearbox. Last one without it was probably a PX model in the early 2000s, though.
It's a squares/rectangles issue.
Scooters are cycles that have motors, and are thus motorcycles in the most-inclusive definition of such.
FWIW, I went out looking for a better category (something more like "two-wheeler" but without the engine), and discovered that Wikipedia actually agrees that scooters are motorcycles.
Scooters are arguably more like traditional motorcycles than ebikes.
Reminds me of this scene from Police Academy 3: https://www.youtube.com/watch?v=cil6HFXlccw
And an electric bicycle is in a sense also a motorcycle...
Fire hydrants in my country are virtually always in the ground covered by a steel lid. The only reason I know the answer is American popular culture.
https://fev.se/images/18.7ea68079182e95d391364a41/1663668627...
Unfortunately, even understanding these things, on a shared connection it might take you literally two or three minutes of captcha work before Google recognizes your personhood.
Am I identifying the boxes wrong? Am I doing it too fast? Where do "Stairs" begin and end? Does a motorcycle include its rider? Or is Google just fucking with me and failing me on purpose?
My workplace had a period this year where captcha was put into the cashier checkout process.
And while it's not quite the same kind of CAPTCHA, I've not infrequently run into Cloudflare "prove you're human" screens that just...never let me through. I click the box, it loads for a second, turns into a nice checkmark, and then...reloads the "prove you're human" page. Infinite loop (as far as I can tell, anyway, not having infinite time).
I forget what extension was doing this for me, but I think this was down to an extension blocking autoload/play. Try disabling your extensions down to ublock and slowly adding them back.
Firefox RFP? That sometimes does it
And audio Captchas are in English. I suppose blind people who don't speak English or have any kind of hearing difficulty don't deserve accessibility.
Can you have them translated into your native language? I mean I imagine if you're using Google from a different country, it might take notice. Maybe it doesn't apply to reCAPTCHA, Google can be stupid like that!
> Other things I don't have a clue about - a fire hydrant
Even within the United States, fire hydrants vary greatly from city to city.
I remember the first time I moved to a city that had those little squatty dark blue ones. I thought they were water main access points.
It's interesting to see so many people on HN assessing that captchas are biased toward American culture. Very frequently I get captchas that include things I don't know, and when I look them up, they turn out to be Indian in origin.
yeah, where are all these mopeds "in the US" i can't even remember the last time i saw someone on a moped... 15 years ago in L.A.?
Maybe the standard international signs are more easily recognised by machines anyway, but if not it will be interesting when Google and others start needing Captcha help.
Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world, as well as realizing buses and taxis come in more colours.
> Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world
If you think this is a binary America/Rest of the World problem, then you haven't visited very much of the "rest of the world" and noticed that every place is full of variations.
You don't think you could identify yellow buses without cultural knowledge?
I think simply knowing "yellow" and "buses" would suffice.
It's hard to really say objectively, as the strange yellow American school bus is kind of an iconic image - perhaps because it looks so different to a regular public transport bus as seen around the rest of the world.
Does DHL delivery via yellow busses?
Does anyone deliver anything except people via "busses"?
Despite the name, you can’t deliver people over the Universal Serial Bus.
Well the local long distance bus "consortium" did move at least part of parcels via busses here.
Don't they have postbuses in some countries that do all types of delivery including people and mail, alpenhorns and cheese and that kinda thing??
Well yes, how else do you get the mail?
Those are called Vans.
Oh, vans! Of course, who could mistake those?
https://en.wikipedia.org/wiki/Brake_van
https://en.wikipedia.org/wiki/General_utility_van
In the US.
And then there's "shuttle", I believe the US has at least one kind of thing called "shuttle" for every possible mode of transport, including orbital flight.
Well technically anything can be a shuttle because specifically the thing that makes it a shuttle is the operating pattern (repeated point to point service) rather than the machine itself.
Etymology-wise a shuttle was a type of weaving tool which is why the verb shuttle exists, i.e. to rapidly move back and forth across a length (as if you were weaving a thread into a piece of fabric).
So then you got shuttle trains which frequently ran back and forth. And from there other types of shuttle services (shuttle buses, shuttle vans, etc).
And of course eventually the space shuttle being intended to be a launch vehicle designed for shuttle service to and from orbit. (side note but technically if the SpaceX Starship actually achieves its intended sub-24h turnaround it'd be able to qualify as a shuttle provided it ran a fixed point to point route on a regular basis).
This can't be right, I have been told over and over again that America does not have any culture.
Now it's being used to push imperialism through captchas of all things?!
I feel like all the non-US or non-Western or however you want to categorize the 'rest of the world' should be striving to use free-range local culturally-appropriate captcha services if this is true.
It's easy to blame the colonizers, but what about the local artisanal websites who give the colonizers/invaders a voice by integrating their captcha services?
We really need an 'international-divorce' to put these issues to bed once and for all.
Please enter your five-digit ZIP code
Mandatory "state" field on forms - if it allows any string I usually enter "mostly liquid"
For me it is "constant despair".
90210
(Cue theme music in mind's ear)
That’s my zip code too, along with millions of others who live outside the US. Haven’t needed to use it for a while.
Similarly, on websites that require a British address I use “10 Downing Street” (the only one I know!)
221 baker
did you know that the ZIP code for both Paris Texas and Paris France start with 75xxx
Well, France doesn't have Zone Improvement Plan codes. It is somewhat annoying to fill forms on websites with "ZIP code" in them for people outside US. They aren't called this way anywhere else (except for one or two countries).
Which you can then compress into a postcode file
#internationalisation
https://www.reddit.com/r/CasualUK/comments/12cwylk/microsoft...
SE1 9QN is my postcode what 5 number?
wooosh
Is a coach a bus? Honestly, I'm not sure what makes them different, if you pressed me I think I'd say a coach has luggage compartments underneath. A UK coach is not a bus... although Megabus run mostly coaches, and Stagecoach run mostly buses.
Is a scooter a motorcycle, what about a pedal-and-pop, an ebike? Is the backbox (rear carrier) part of the motorcycle?
Is a single light at a junction, ahem intersection, a traffic light? Is the outer-container part of the "light"? What about the lights for pedestrians, are they part of the traffic light?
Are house steps, that don't carry you to a different storey, still stairs? Is a single step also stairs?
Are fire hydrants always red?
So, yeah, usually I just leave the website and come back to HN.
I routinely have problems with closeup images. To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.
Once it showed me a picture of steps nothing but steps. I think I marked like 15 boxes.
> To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.
I have always assumed this was purposefully ambiguous. The right answer is whatever a majority of humans will answer when presented with the same picture.
I don't think the majority of people on earth would base all their captchas on things only found in America
The majority of people will still cluster around the same best guesses, and that’s all that matters to the algorithm.
Yes, it’s annoying, but that doesn’t matter to the algorithm.
If you think you're failing the captchas because you're doing them wrong, think again. Google captcha intentionally fails you a couple times if they don't have enough tracking info to determine that you're legit. So you solve the captcha correctly but are still lied to that "you've failed to solve the captcha, try again".
That and the "fading images slowly to pretend like you have bad internet" thing. Disgusting behaviour
Maybe they purposely load the images slowly to make it more expensive for the bot owners.
Also just catches people they think might be bots.
I've definitely encountered captcha tarpit logins before that could never be solved until I changed VPN endpoint. I was never getting in.
They don't. They load the images and then have js to fade them slooooowly. It's pernicious precisely because of that: its purpose is to annoy humans while being completely useless to thwart bots.
I kinda don't understand why we still have captchas. We've solved the asymmetric problem with proof-of-work; just make somebody solve something trivial so they spend more resources than you do.
Like if a bot requests your page 1/day it's not a problem; but if they want to request it 1/ms then the proof-of-work becomes too much for them and it's transparent to a person.
It might be an incentive to make people stay logged into their accounts. This wouldn't be the whole reason but I am sure it's part of it. I used another laptop with a VPN for a few days and what used to be smooth experiences turned into a shit ton of "log in to prove you're not a robot". Both Reddit and Youtube did this.
I'm never that consistent and usually get through. I think they are looking at things like mouse acceleration, smoothness, etc. rather than the actual answer to the questions.
They don’t let you pass if you don’t answer roughly correctly.
I have lived in the West my whole life, and am reasonably well educated, and have never heard the word conoids in my life.
Sure, but you can imagine pretty easily what a ‘conoid’ would be, right? ‘Spheroid’ would be something sphere-like, ‘mongoloid’ is something mongol-like, ‘freakazoid’ is something freaky…
it’s pretty clear from context that ‘conoid’ means ‘like a cone’ isn’t it?
But is it a geometrical cone, a conifer tree like thing, a pseudo-control device, or what.
I consider myself pretty literate (I was assessed as reading at a college level by the 4th grade), and I've never heard that word.
More importantly, they can look absolutely nothing like cones.
Would you identify this as "cone like" if it wasn't for the URL? https://en.wikipedia.org/wiki/Conoid#/media/File:Pluecker-co...
I am Googling "conoid" right now and I still can't even imagine what it's supposed to be.
The Google dictionary says it's a zoological term "approximately conical in shape".
The Wikipedia panel says "In geometry a conoid is a ruled surface, whose rulings fulfill the additional conditions: All rulings are parallel to a plane, the directrix plane. All rulings intersect a fixed line, the axis." The graphics are... nothing intuitive.
The M-W link in the search results says "a cone-shaped structure; especially : a hollow organelle shaped like a truncated cone that occurs at the anterior end of the organism".
None of this seeming relevant, I clicked on the Image tab and it's all these complicated Mathematica-style graphs of things that are very much not cones.
I see other people in the HN comments similarly have no idea.
Can you please explain what you saw on screen? What did the captcha think was a conoid...? Like, traffic cones or something?
Using the touch pad to long-press on the text "conoid" in my browser brought up the built-in dictionary definition on macOS:
> conoid | ˈkəʊnɔɪd | mainly Zoology adjective (also conoidal | kəʊˈnɔɪd(ə)l | ) approximately conical in shape.
> noun a conoid object: her hull was a conoid, tapering towards the bow.
Yeah, that's the zoological definition again.
In the UK some crosswalks have cones on the bottom of the box where the button to wait to cross is, and OP mentioned crosswalks in the final sentence. Maybe it's just too late for me right now, but that's what my brain assumed, but the "same number of shapes as" thing was not enough context!
the cone on the bottom spins when you have the right of way.
Also asking things about US traffic signs or markings in countries with different looking traffic signs
I can't be the only person who's been checking as many wrong answers as I can get away with for the last decade, and I'd be complimented by my conoid-questioning brethren. Captcha seems like it's fully entered a "bear proof garbage can" phase I don't see it escaping.
I've just resorted to flipping over to the audio captcha. Yes, solving the first one takes more time, but you pretty much get it right the first time and you're not wasting your life wondering if 2cm of a fire hydrant is enough to label a square as having a fire hydrant.
Also, if you use a larger minimum font size often the text describing the thing you are supposed to select is under the image and unreadable. With hCaptcha it varies depending on the size of the popup window with the captcha and Google seems to reliably show just the top (barely enough to figure it out most of the time).
I live in "the West" but English isn't my main language. I have no idea what a conoid is.
> A conoid is a ruled surface whose rulings are parallel to a plane (called the directrix plane) and intersect a fixed line (called the axis of the conoid) (Gellert et al. 1989, p. 202). Examples include the circular conoid, helicoid, hyperbolic paraboloid, parabolic conoid, Plücker conoid, right circular conoid, Wallis's conical edge, Whitney umbrella, and Zindler conoid. If the axis is perpendicular to the directrix plane, the conoid is called a right conoid (Gray et al. 2006, p. 436).
https://mathworld.wolfram.com/Conoid.html
so, a surface with stripes - example https://pxhere.com/en/photo/1366651
This doesn't look like a surface with stripes at all.
> https://en.m.wikipedia.org/wiki/Whitney_umbrella
Where did you get stripes from in any of that? A surface is ruled when it can be constructed by extruding a line (or segment) along some path… like waving a ruler around.
I think they meant that something striped and rectangular, like a crosswalk, is a 'ruled surface' because the stripes themselves are like the ruler ?
So I guess a crosswalk (flat rectangle in 3D space), would be considered a 'ruled surface', but I don't think it meets the other requirement to make it a conoid.
I live in the US, English is my only language. I could probably guess what a conoid is, but I don't actually know (until reading these comments).
Avoiding this is what made hCaptcha popular among a lot of users in the first place. reCaptcha has always been guilty of this, and it doesn't seem like they're taking any steps to improve this US-centred definition of humanity. hCaptcha gave much more general and neutral puzzles that made a lot of people (including me) give a sigh of relief when they encountered a CAPTCHA and it was h and not re.
recaptcha audio challenge is just a few words (in English) that you have to enter. Might be easier in some circumstances? You can press CTRL to repeat the audio.
I like it myself. If I have to use CAPTCHA that is, I can't stand it on principle!
> conoids
Things that are shaped like cones?
Things that look like a con?
> Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to.
Honestly, even living in the West, sometimes I feel like they expect me to have an IQ of 200 just to pass! And, I am sure I pass the Turing test without issues.
But on the internet the answer to „what is a conoid“ is just a web search away.
The bigger problem is when other options of a captcha fit in another cultural context.
Taxi colors are an example for that.
> But on the internet the answer to „what is a conoid“ is just a web search away.
When I search, the whole first page of google is essentially "things that are shaped like cones", I have no idea what that would be in response to one of those image captchas that show traffic and buildings.
> But on the internet the answer to „what is a conoid“ is just a web search away.
Not when it's your search engine that's asking you to identify conoids.
I got mathematical surfaces like https://en.wikipedia.org/wiki/Conoid To get the correct image I had to search conoid street. Anyway, I guessed they were those red cone shaped things that people put on the street and I'm not sure how they are called even in Spanish (probably conos or balizas).
Google "conoid" and you'll get a bunch of pictures of shapes that are curved in different ways. I assume the captcha was talking about things that have a similar shape to a cone, but I don't think you'd get much of a clue from Google.
> A conoid is a ruled surface whose rulings are parallel to a plane (called the directrix plane) and intersect a fixed line (called the axis of the conoid) (Gellert et al. 1989, p. 202). Examples include the circular conoid, helicoid, hyperbolic paraboloid, parabolic conoid, Plücker conoid, right circular conoid, Wallis's conical edge, Whitney umbrella, and Zindler conoid. If the axis is perpendicular to the directrix plane, the conoid is called a right conoid (Gray et al. 2006, p. 436).
https://mathworld.wolfram.com/Conoid.html
Lesson 1 about competing with Google should be "don't be even more disrespectful to your users than Google is". Otherwise people will just use Google.
Relying on the goodwill of a small number of "never-Googlers" to carry your business, in spite of the way you do business, is not a path to success.
While hCaptcha trashes its reputation, the rest of the world will go on using reCaptcha and not giving the faintest whiff of a fart about hCaptcha's existence.
(Side note: the spelling is "intentional", not "intensional". Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").
The author was essentially too smart to be blind.
I wonder whether talking about "looking at the javascript console" somehow made them think that this person cannot possibly be blind, since how could a blind person "see" the JavaScript console? (But "having my screen reader read the content of the JavaScript console to me" is a bit of a mouthful.)
You know, that's a good point, and it hadn't occurred to me. For the overwhelming majority of blind people, language like "looked at" is just metaphorical. I mean, all language is symbolic anyway. The map is not the territory and the menu is not the dinner. Some of us are taught very young to use common terms like look in that kind of a metaphorical way. Partially so that we fit in and are comfortable with the rest of sighted culture. And then once in a great while, we get condescended to for it. There's a really good example of this in the second season episode of DS9, The Alternate.
```
ODO
It was a dilemma for me. I'd never seen anything like these creatures either.
```
I can pretty much guarantee that every blind person has had a condescending, patronizing douche canoe like Mora in their life at least once.
Even as a sighted person, "look at" is often metaphorical - you can interview an expert over the phone and say you looked into the subject even though the only looking was around the phone number.
When someone recommends me an album or artist I "take a look" at it: I listen to it. Though now that I think about it, I wouldn't say that in my other languages.
This is how use of language concealed aphantasia for so long. When you use a word in a context similar to how another used it in that context there seems to be a presumption that the subjective experience is the same in that context.
Given how we learn languages and words based upon encountering them in contexts, it makes sense that terms that we use in outwardly similar contexts reflect the subjective experience that each of us relate to those terms. We don't have access to another's subjective experience so I can see how it would encourage the assumption that we all perceive things the same way.
There might be many undetected variances in perception akin to aphantasia lurking in us waiting to be discovered.
Here's the thing. We're talking about people who are the accessibility team for hCaptcha. They should at least have a figleaf of an understanding of life for blind people.
The other problem we have is that online companies tend to be accountable to no one. Short of lawsuits, my friend who got banned from hCaptcha for "not being blind" has no recourse, because nobody is accountable.
Lawsuits are how that's solved in the physical world also.
I suppose one could say "observed" as a sense-neutral alternative to see / hear. Might be a worthwhile language shift, similar to using "they" as a gender-neutral alternative to "he" and "her".
We usually talk about the inclusion benefits of neutral language. It can also be valuable by making specific terms more meaningful when used appropriately. If I know you usually say "they", then when you choose to say "he" I get more information -- there's a clear gender expression. Similarly, if you usually say "observe", then when you say "see" I know we're specifically talking about vision.
Of course, it's an awkward transition. It's hard to get used to "they/them" and saying "I observed a delicious aroma" sounds like a robot impersonating a person.
It's notable that the majority of the people who would be "included" by the change to "more inclusive" language aren't offended in the first place. The sentence "I am watching TV" literally offended no blind person, evah. It is only sighted do-gooders who have the spoons to be offended by nothingburgers on our behalf. We're too busy dealing with stuff like, ... I dunno, landlords who refuse to rent to us because all they have is second story units and we might fall down the stairs. Yes this actually happened to me in 2000 or so, and I don't have enough faith in human intelligence to believe that it isn't happening today. We're too busy being oppressed by captchas and websites made by frontend devs who seem to care more about chasing JavaScript framework du jour than they care about accessibility. We're busy struggling against a built physical environment which has been designed for cars and not people. The supposedly non-inclusive language of "I watched TV" or "I looked at my browser's JS console" aren't even on our radar.
I coined the term "Sapir-Whorf Stalinists" a few weeks ago to describe the sort of people who think that monkeying with language will magically make things better for marginalized groups.
Here's Lee Atwater talking about the Southern Strategy:
> You start out in 1954 by saying, “Nigger, nigger, nigger.” By 1968 you can’t say “nigger”—that hurts you, backfires. So you say stuff like, uh, forced busing, states’ rights, and all that stuff, and you’re getting so abstract. Now, you’re talking about cutting taxes, and all these things you’re talking about are totally economic things and a byproduct of them is, blacks get hurt worse than whites.… “We want to cut this,” is much more abstract than even the busing thing, uh, and a hell of a lot more abstract than “Nigger, nigger.”
Yes that's my mother.
I'd bet that's exactly what happened.
Gwahahha, succinct. I run into this far too often. Being in places or doing things I (blind guy) "shouldn't be", thus, am not blind.
Yes because all of us are stupid according to hCAPTCHA!
I hope we can end the CAPTCHA experiment soon. It didn't work.
Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.
Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:
- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.
- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.
It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.
Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.
CAPTCHA definitely works in some cases.
On our website, without CAPTCHA we get dozens of forms filled out by bots per day. With the CAPTCHA we get 0.
So sure it may be cheap to defeat the CAPTCHA, but nobody seems to be willing to go through that small hoop to do it on our website.
I believe that 0 will be a higher number next year. And an even higher the following year.
Even in a year, I don't think random AI will be "cheap" enough for spamming CAPTCHA on random websites. Maybe for select, ripe targets (your bank, etc.). But for a random business with a form?
Nah.
There is another option.
CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).
The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.
Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.
Cryptocurrency micropayments have been proposed and even attempted as a solution to various problems. Hell, there's also Hashcash, an early proposed anti-SPAM measure for e-mail using just proof-of-work. (Since this is just burning CPU though, it probably isn't effective in the modern world of most people using low-power mobile computers and many SPAMers having access to cheap very high power computers. Might serve as a good hurdle for people trying to implement malicious bots, but it will eventually become useless if it is shown to be effective IMO.)
I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?
That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)
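Hashcash, mentioned above, is the one proof-of-work anti-spam scheme that actually shipped, so here is a small working model of it. This is an added example, not code from the thread or from the Hashcash project: the stamp layout follows Hashcash v1 ("1:bits:YYMMDD:resource::rand:counter"), but the addresses and dates are constructed, and the SHA-256 choice (the original used SHA-1) and the `StampRegistry` double-spend store are this example's own. It shows the asymmetry the comment describes: the sender burns roughly 2**bits hashes per stamp, the recipient spends one hash to check it, and a stamp can be redeemed only once.

```python
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional

# Added example (not the page's own code). Stamp format modelled on
# Hashcash v1: "1:bits:YYMMDD:resource::rand:counter". SHA-256 is used
# here instead of the original SHA-1; resource names/dates are constructed.


def leading_zero_bits(digest: bytes) -> int:
    """Count the number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(resource: str, bits: int, date: Optional[str] = None) -> str:
    """Sender side: increment a counter until SHA-256(stamp) starts with
    `bits` zero bits. Expected cost is about 2**bits hash evaluations."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = os.urandom(8).hex()  # per-stamp salt so two stamps never collide
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, expected_resource: str, min_bits: int,
                 today: Optional[str] = None, max_age_days: int = 2) -> bool:
    """Recipient side: one hash plus a few field checks. `today` is a
    YYMMDD string so the freshness window can be tested deterministically."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        claimed_bits = int(parts[1])
        stamp_day = datetime.strptime(parts[2], "%y%m%d")
        today_day = (datetime.strptime(today, "%y%m%d") if today
                     else datetime.now(timezone.utc).replace(tzinfo=None))
    except ValueError:
        return False
    # Stamp must be bound to *this* recipient and meet the required difficulty.
    if claimed_bits < min_bits or parts[3] != expected_resource:
        return False
    # Stale stamps are rejected so the double-spend store can be pruned.
    if abs((today_day - stamp_day).days) > max_age_days:
        return False
    digest = hashlib.sha256(stamp.encode()).digest()
    return leading_zero_bits(digest) >= claimed_bits


class StampRegistry:
    """Server-side double-spend store: a valid stamp is accepted exactly once."""

    def __init__(self, resource: str, min_bits: int):
        self.resource = resource
        self.min_bits = min_bits
        self.seen = set()

    def accept(self, stamp: str, today: Optional[str] = None) -> bool:
        if not verify_stamp(stamp, self.resource, self.min_bits, today=today):
            return False
        if stamp in self.seen:
            return False
        self.seen.add(stamp)
        return True


if __name__ == "__main__":
    registry = StampRegistry("alice@example.invalid", 20)
    stamp = mint_stamp("alice@example.invalid", 20)  # ~1M hashes for the sender
    print(stamp, registry.accept(stamp), registry.accept(stamp))
```

The difficulty parameter is the whole argument in the comment above: every extra bit doubles the sender's cost and leaves the recipient's cost unchanged, but it also doubles the wait on the slowest legitimate device, and a spammer with a GPU farm sees the same per-stamp cost a phone does, only at a far higher rate.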
> It puts a literal price on abusing a service, but how do you set that price?
Start with a nominal one and increase it until the spam problem goes away.
Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it etc.
> I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.
This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.
The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:
> Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.
There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.
In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.
Well, for solving both the UX and regulatory issues with cryptocurrencies... I'm not optimistic, but I am open to being pleasantly surprised.
On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?
A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.
Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)
If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)
This sounds like the same argument that was made for about 10 years (2000 to 2010) that micropayments would save traditional (print) media in a digital world. It didn't work due to market fragmentation and friction to make a payment.
And, the reality of your fancy idea is that normie users would turn away if they made a mistake on the CAPTCHA and were suddenly presented with a screen "charging" them one pence.
This isn't about "making a mistake on the captcha", this is about charging them one pence for every attempt and just not having a captcha.
It's an entirely different sort of system, and it would require a cordoned off section of the Internet to implement it top-down, but it's technically viable.
The defining insight here is how many orders of magnitude difference there is between the "That price is negligible" threshold for a human being, and the "That price is negligible" threshold for an automated system. Sure there are adoption issues, but for all applications where there are several orders of magnitude difference, such a system makes some degree of sense.
Don't think it's going to work, except in the smallest forums?
According to a random page on the internet [0], companies pay in the $2-$6 range per 1000 ad impressions. If one pays $0.01 to bypass captcha and just 10 people see the resulting spam post, that's already $1 per 1000 views - much less than facebook charges. This becomes even more lucrative if the ads are expensive or there will be more than 10 people looking at the ad.
It looks you'll want much higher costs than that, which will make it "too much" for other users.
[0] https://spideraf.com/learning-hub/what-is-the-average-cost-p...
Relevant Penny Arcade comic responding to the proposal that micropayments will save comic artists - https://pennyarcade.fandom.com/wiki/June_22,_2001
Would be great if the US government somehow facilitated micropayment. Either by creating their own system or removing the capital gains reporting requirements on crypto (maybe up to $10k/year).
If micropayment is such an amazing solution to these problems, why haven't we seen a working solution after more than 20 years of talking about it? Why doesn't HN have multiple competing micropayment startups? To me, the results speak for themselves.
Another outcome that I could never understand: The original conversation was micropayments for traditional print media that was moving into the digital age. Why didn't they all band together to create an industry standard that defined (and possibly administered) a micropayment system? In the end, paywalls were the solution, and winner-mostly-takes-all when print moved to digital. Look at the decline in medium to small newspapers in the last 20 years in the US. It is devastating, but a few national, major newspapers are doing OK.
You are talking about appreciable micropayments for appreciable amounts of entertainment from small creators.
And I would argue we did get those in the form of subscriptions in Patreon, Onlyfans, Buy Me A Coffee, et al, or in the co-op world of Nebula. We didn't get them down to very low fee structures because we've designed our payment infrastructure with the intent of supporting a profitable company called Visa, Inc, to which we've offloaded a number of different functions that a government mint / treasury / post office would normally perform. And because lots of revenue on these sites comes from whales, people with outsized income in a country with a great deal of wealth inequality.
What I am talking about is TINY micropayments just for human authentication purposes. Because what we've had so far in the realm of, for example, spam email, involves sending off messages at a CPM of less than a tenth of a penny. Imposing infrastructure which pegs human authentication tasks, normally performed less than ten times a day, at a CPM of ten dollars, can eliminate most applications of automated systems and eliminate the annoyance of captcha, while costing the human less than ten cents. There are no whales in the login space.
Although solving a captcha can be translated into a monetary cost (often the cost of labour for a human in a clickfarm to solve it for you), the nice thing is that it's still "free" to solve normally.
If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).
Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).
> until we solve unequal wealth distribution globally
Is this a joke?
Why would it be a joke?
Even assuming that uneven distribution is a problem, and that it was possible to make global wealth evenly distributed, it would be such a colossal undertaking that it would necessarily entail massive social upheaval and take a very long time, after which the captcha problem would hardly be comparable to what we have now.
None of that is at all relevant to the point I was making. Whether you think extreme wealth inequality is good or bad, for as long as it exists, it makes paying fixed fees a poor alternative to captchas.
Until we solve the "water is wet" problem domain squatting will continue to be an issue.
Without a definitive resolution to the continuum hypothesis there will be no efficient distributed consensus algorithm.
As long as humanity bears the mark of Original Sin, it will be hard to run a business selling GPL software.
"A fine means it's legal if you're rich"
> The postal service also has costs
I don't know about you but even with this cost about 90% of the physical mail I receive is junk mail.
> Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications.
Do you have a solution for transaction costs? How do you pay a penny without having to pay more than that for the transfer of funds?
If you expect 99% of normal internet users to maintain a crypto wallet of any kind just to access certain websites—even leaving aside the actual cost—you're going to be sorely disappointed.
I was moderately into crypto, i mined coins including BTC; and i'll be damned if i am gunna connect my wallet to a browser, or put crypto in an escrow to pay out to avoid captchas. I'm being as polite as reasonably possible, here.
the only way this makes sense is you convert the entire planet to renewable or non-polluting electricity generation, and then when a user is on facebook, youtube, (or watch ads!), a core or 2 of their machine/phone will "mine" crypto, that can then be used somewhere else. The crypto can't be transferable - it must be "burned". Defined: When the site requests some crypto for proof, it says "send to this non-existent address" and then waits for the block to show that your wallet sent crypto to that address. This "burns" the money. In fact, a couple of cryptocurrencies tried to enforce this, as well as "proof of stake" - where if you had enough coins you could "mine" by merely having your wallet "logged in." The former is called "proof of burn"
another thing, no blockchain block publication is fast enough for this. so now we gotta rope in lightning or some other "hack" on top. I knew when i first heard about bitcoin that there was no way that anyone was going to wait 10 minutes for any payment to go through, especially if it's under some moderate amount of money, like $20.
Snail mail is a hilarious example, given that spammers are the only ones willing to pay the fees.
This doesn’t feel so much like the end of the “open web” as it does a rehash of USENET and email spam issues. Social media killed USENET, and email managed its spam issues thanks to filtering.
Email kind of solved its SPAM issues, but it came at great costs. It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures. The degree of difficulty with participating in the network does somewhat degrade its openness in my opinion.
If anything works in the favor of email it is that email is not published. It is not necessarily very private inherently, but it is at least not a system where things get broadcasted publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)
I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.
> It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures.
In the roughly 25 years that I've used shared webhosting to have my own domain name and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...
I have been running web services for around 22 years I believe. At the very beginning, I had zero problems with deliverability to most addresses. However, even early on, I do remember plenty of forums that mentioned that Yahoo! or Hotmail tended to drop their confirmation e-mails into SPAM. Smaller operators had an advantage in being lower volume; I think that gives you a higher likelihood of delivery. That said, their emails are also more likely to get caught up in SPAM filters without remediation.
Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.
Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!
Email hasn't actually fixed spam issues, it's just mitigated a big chunk of them. But I know for a fact that I still mark emails in my inbox as spam on a regular basis, and still dig legitimate emails out of my spam once in a while.
> validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
Not only untenable because of the privacy invasion but also because there are too many users who are willing to click on whatever for a chance to win a prize and thereby authorize use of their identity for spamming.
> approaches like Web Environment Integrity and Private Access Tokens
That stuff never works because the spammers only have to break one model of one popular device. The people proposing it are snake oil salesmen or platform companies that want to use it for lock-in, because spammers spend the resources to break the system but normal users won't put up with the inconvenience, which locks out competitors and interoperability.
> Accountability of network operators
This largely already happens. Disreputable IP blocks get banned. But then you get a botnet with users on ISPs with varying levels of willingness to do something about it and the ones that do something about it still can't do it instantaneously and some of the ones that don't care are in jurisdictions you can't control but are also too big to block.
The best solution is probably some kind of "pay something in money/cryptocurrency/proof of work to create an account" because normal users need a small number of accounts kept for long periods of time but spammers need a large number of accounts that get banned almost immediately, which is exactly the sort of asymmetric cost structure that results in a functioning system.
> I hope we can end the CAPTCHA experiment soon. It didn't work.
Well it sort of worked before we got modern AI image recognizers, but even then they had to continue making the challenges harder to keep up with the recognizer software.
Now the damn things have crossed over into the domain of "easier for a machine to solve than a human" so they're worthless for their original purpose.
Define modern? I worked adjacent to the web-scraping tech at Jet.com and they managed to beat a lot of the CAPTCHAs even in 2016.
Yeah but filtering out mindless bots is even easier than loading a bloated mess of JS: a simple form question that you believe 100% of the valid users will be able to answer should be good enough to stop almost all of those low-level bots. I use that approach all the time.
Some day this luck will run out, but for larger entities that experience targeted malicious traffic it's never really been a viable approach.
> Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
What about zero knowledge proofs? Those with typical cryptocurrency wallets could leverage existing extensions. Everyone else can download an open source extension that sends the proof and an open source way to verify proofs but is unrelated to cryptocurrency. While a robustly decentralized chain like Bitcoin and Ethereum would be a good place to verify proofs, no reason a non-cryptocurrency solution can't also be available as well for the cryptocurrency averse. And for the tech averse, a phone number to call/text to walk the person through sending the proof via phone that would cost a tiny bit--and could also help the tech averse with setting up an extension going forward?
> Almost all turnkey CAPTCHA services can be solved for pennies.
There is one area where even pennies can be a barrier: DDoS.
Paying a few pennies per captcha can add up to a lot when you want to complete millions of them.
A start would be what kinds of websites even need a CAPTCHA in the first place. Why does just viewing websites with static content ever need to result in a captcha prompt?
That I think is just to try to prevent scraping, probably mostly from people training AI models. I don't really think anti-scraping mitigations are a good idea and I'm hoping that problem some day solves itself.
> for pennies
"for pennies" is a lot more expensive than 0, and that matters at scale.
Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.
If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.
Going from 0 to 100k is often "good enough" to make these things uneconomical.
Actually, I oversimplified. In most cases you don't have to pay $.01 per CAPTCHA. It's usually a fraction of a penny per CAPTCHA.
So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.
Feels like another option would be to bootstrap off of authenticated users, some sort of reputation system. It would still allow for anonymous users, but the expectation would be that they would be treated as suspected spam unless they receive sufficient endorsement from actual verified users. The verified users could be held accountable for the endorsements they provide up to a certain point, and the anonymous users would be able to remain anonymous assuming verified users consider them good citizens.
The endorsement and verification would need to be continuous, or else the anonymous users will sell their accounts for the value of the accrued positive reputation. I.e. what people already do with Reddit accounts that accrue a lot of karma.
Good point
In the past 3 years, every morning I wake up I open the news, and I hope that I will see the following headline: "Some guy figured out how to use AI to detect bot traffic with 100% accuracy, captchas became obsolete and banned worldwide with immediate effect"
And every morning my day starts with disappointment.
> It's tricky, though. What else can you do?
I had an idea about an almost-privacy-preserving system by involving government ID and blind signatures:
1. The service passes a random string to the user.
2. The user authenticates to their government and asks the government to sign it.
3. The government applies a blind signature which basically says "this user/citizen hasn't registered an account in the last 60 minutes".
4. The government records the timestamp.
5. The user passes the signature back to the service.
Upsides:
* Bypassing this would be orders of magnitude more expensive than phone numbers.
* Almost private
Downsides:
* Won't happen. Remote HW attestation is likely to win :(
* The service knows your citizenship
* The gov knows when and how often you register.
* Any gov can always bypass the limits for themselves.
I think it may be also possible to extend it so that the government attests that you have only one account on the service but without being able to find which account is yours.
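The five-step flow above is a textbook Chaum RSA blind signature, so here is the whole exchange with all three parties as working code. This is an added example, not code from the comment or from any real government scheme: the RSA key is a deliberately tiny toy key built from two known Mersenne primes (2^61-1 and 2^89-1), the `Service`, `Government` and `User` classes and the `register` driver are this example's own, and the 60-minute rate-limit window is the one the comment proposes. It shows why the scheme is "almost private": the government signs a blinded value it cannot link to the service's nonce, while the service verifies with the government's public key and so learns only which government vouched (the "service knows your citizenship" downside), and the government's timestamp table is exactly the "knows when and how often you register" downside.

```python
import hashlib
import secrets
from math import gcd
from typing import Dict, Optional

# Added example (not the page's own code). Toy RSA key for the "government"
# signer, constructed from two known Mersenne primes; far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def challenge_to_int(nonce: str) -> int:
    """Hash the service's random string into the RSA domain (must be < N)."""
    digest = hashlib.sha256(b"account-registration:" + nonce.encode()).digest()
    return int.from_bytes(digest[:16], "big")  # 128 bits, well below N (~150 bits)


class Service:
    """Step 1 and step 5: hands out nonces, later verifies unblinded signatures."""

    def __init__(self):
        self.issued = set()
        self.redeemed = set()

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def redeem(self, nonce: str, sig: int) -> bool:
        # Each nonce is single-use, so a signature cannot be replayed.
        if nonce not in self.issued or nonce in self.redeemed:
            return False
        if pow(sig, E, N) != challenge_to_int(nonce):
            return False
        self.redeemed.add(nonce)
        return True


class Government:
    """Steps 3 and 4: signs a blinded value after checking the per-citizen rate limit."""

    WINDOW_SECONDS = 60 * 60  # "hasn't registered an account in the last 60 minutes"

    def __init__(self):
        self.last_issue: Dict[str, int] = {}  # citizen_id -> unix time of last signature

    def blind_sign(self, citizen_id: str, blinded: int, now: int) -> Optional[int]:
        last = self.last_issue.get(citizen_id)
        if last is not None and now - last < self.WINDOW_SECONDS:
            return None
        self.last_issue[citizen_id] = now  # the government records the timestamp
        return pow(blinded, D, N)  # it never sees the nonce, only m * r^e mod N


class User:
    """Step 2: blinds the challenge before sending it to the government."""

    def __init__(self, citizen_id: str):
        self.citizen_id = citizen_id

    def blind(self, nonce: str):
        m = challenge_to_int(nonce)
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
        return m * pow(r, E, N) % N, r

    @staticmethod
    def unblind(blind_sig: int, r: int) -> int:
        # (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d.
        return blind_sig * pow(r, -1, N) % N


def register(service: Service, gov: Government, user: User, now: int) -> bool:
    """Run the whole exchange once; True if the service accepts the account."""
    nonce = service.new_challenge()
    blinded, r = user.blind(nonce)
    blind_sig = gov.blind_sign(user.citizen_id, blinded, now)
    if blind_sig is None:
        return False  # rate-limited by the government
    return service.redeem(nonce, User.unblind(blind_sig, r))


if __name__ == "__main__":
    svc, gov, alice = Service(), Government(), User("citizen-A")
    print(register(svc, gov, alice, now=1000), register(svc, gov, alice, now=1600))
```

One detail the comment leaves implicit is that the service must bind each signature to a fresh, single-use nonce; without that, one government signature could be replayed across many registrations and the rate limit would be meaningless.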
> Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat.
Curious if phone verification would block more or less legitimate users than catchpas.
Really, why don't we see HN crying about the need to show a national ID (and register) when buying a mobile phone? I never once saw anyone complaining about it here. Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone. It only takes a few more terrorist assholes to close that door permanently.
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone.
I regularly (1-2x per year) buy prepaid SIMs in Canada, USA, and Japan. None of them require an ID and I often even pay cash.
I'm sure you are right that they'll eventually be requiring ID, but you are wrong to imply that these countries aren't highly developed.
It's not the average person's job to make sure that the world isn't fucking them raw. People have limited attention and limited time, not everyone can care about everything.
Nobody else is going to step in and hold the line when it comes to digital privacy rights. It's on people like us who care. This is why organizations like EFF need to exist.
No, you're describing what the California tech echo chamber wishes an "average normie" was, i.e., stupid and compliant, and what they're always aggrieved never really exists in practice, having managed to inculcate only some moderate learned helplessness over time, and with "stupid normies" constantly attempting to fight back via law and politics.
> Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID?
Canada maybe? [I'm 80% sure that] Public Mobile will sell you a prepaid sim card at the counter. You could pay cash, and set your caller ID to a fake name.
If we're talking about mobility plans, the identity requirement is more about the credit check they might want to do than anything else.
> why don't we see HN crying about the need to show a national ID ... when buying a mobile phone?
Mmm, very possibly because there are at least a few ways to get a phone without using any ID. I picked up a used phone about a year ago, and use Tello. Tello had 0 info on me for years, only an old UPS box that I got the card delivered to. I eventually gave them my first name so Caller ID was correct, but short of that or putting in a correct address if you want 911 support, there's no reason to need any valid info with them. They don't do credit checks, just prepay.
> The solution is secure boot plus attestation
That's the second option they presented "Closing the platform". The issue with all these options is that it consolidates power, and thanks to already partially consolidated power, any option selected will, by necessity, obligate everyone to partake, whether or not they are ok with it.
> The average normie user does not care about anonymity, nor privacy, on the Internet.
It's true that often "normies" don't care (or at least think they don't care, but that's a completely different point I don't feel like trying to make), and it's also true that often "normies" don't want the status quo changed. But often "normies" also ignore when people are kidnapped due to their heritage being revealed. Is it acceptable to actively create a hostile environment for people already disadvantaged? Do we gain something worth their safety? Who gains from this higher level of scrutiny?
If we look at the smaller web, most sites never get enough traffic to be under active threat, and passive threat is easy enough to quell using honeypot forms and questions. Maybe the "normie" internet is the problem. Passive people passively consuming. "Normies" love watching stolen content, and praise thieves for harassing anyone who points out that what they're doing is wrong. "Normies" enjoy watching someone livestream themselves flying down a highway at 100 mph over the speed limit.
I think maybe we should acknowledge that what we're defending with things like hCaptcha is not actually worth defending. Maybe the "normal" internet does need to be deprecated over "small" internet? We did pretty good before with things like Wikipedia. The "small" internet from before had a lot of chaff, but good things have grown from it, and a lot of it still exists as a "small" internet. Maybe it's ok that we have a lot of "crap content", so long as the internet can keep changing?
meh, continuing the pearl clutching and asserting there has to be some general "solution" is itself part of the problem. The sheer majority of captchas I come across are while browsing essentially static content. If simple source IP based rate limiting can't keep the server load at something manageable, then the real problem is with how the site is built. And adding even more bloat to address another managerial bullet point is exactly how it got that way.
Two things:
- I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find a general solution. Especially one that is cheap. I still hope for the least user- and ecosystem-hostile approach among the flawed approaches to win. (I guess of the ones I listed, the one that bothers me the least is having more policing of the service providers.)
- CAPTCHAs from static content are almost assuredly for anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but, an effective anti-scraping measure kind of has to work off of reputation, because getting access to a very large number of IP addresses isn't free, but it doesn't cost that much (especially if IPv6 is on the table.) I personally doubt it has much to do with server load in most cases, but maybe I am wrong.
There are indeed many powerful motives supporting the march of technological authoritarianism. But validating the narratives about why ever-more control is needed is a form of support, which we should avoid doing.
Rather we need to recognize that they're merely instances of the same old authoritarian fallacy of more control promising better outcomes, because what increased control ends up ruining cannot be enumerated. In actuality, reducing independent autonomy stifles invention and suffocates society.
"Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.
I think, unfortunately, most accessibility options are not intended to actually be used.
If you are a government or bigco, accessibility is part of your baseline requirements. You must be able to say: Yes, we are accessible. Otherwise, the public will cause a stink.
So you take your list of vendors, and remove any that don't say they enable accessibility. Vendors know this and make sure they say they are.
Meanwhile, it is a hard-to-get-right feature, only applicable to a small part of your userbase. Multiple disabilities require different affordances. No developer on the team really understands the actual requirement.
The people requiring accessibility will go somewhere else, or grumble and make do. Neither will be detected on any metrics board.
This combination promotes shelfware: Things you buy and put on a shelf somewhere but never really use.
This has got to be an open-and-shut lawsuit if the author wants to pursue it. T&C doesn't shield you from the ADA.
> I emailed back a day or so later, requesting an unban because, y'know, I actually *am* blind, but they gave a pretty canned response of no, your account is remaining banned.
Do I understand correctly that hCaptcha has created an accessibility problem that's denying this blind person access to all sorts of Web sites?
Is there an ADA angle here, for many customers of hCaptcha?
Why are captchas even a thing still? If folks want to scrape something or build an automation around something, then why not let them do it? They still have to respect the system they're logging in. Not to mention the privacy perk of not exposing your visitors to some captcha service with a dozen or more data subprocessors.
I had to add a captcha to a registration page a couple years ago. Bots were signing up for thousands of fake accounts with other people’s email addresses. The email confirmation we sent would then get reported as spam since the recipient didn’t sign up for our service. Our email provider suspended our account for high spam reports.
What is the play by the spammers here? Is it a direct attack on your website, perhaps because they were competitors? Or are they hoping that 1% of spammed email addresses will accidentally verify their email?
No clue to be honest; I just added a captcha and moved on with life. It’s a small side project so it wasn’t worth investing.
I hope the other lesson was the good email verification hygiene of making the user take an affirmative action and click a "verify email" button rather then send it unsolicited.
You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.
How would adding an extra button change anything? Right now when they register we send a “verify email address” email. Adding an extra step of “click a button” makes no meaningful difference.
How do you authenticate a verify email button?
It took me a while to understand what GP was trying to say, but I suppose they're thinking of one of those sites where they let you create an account, will let you in and then nag you for a while about "verifying your email address" by clicking a link that will actually send you an email. An unsophisticated spambot probably won't care enough to click through that.
Not a solution. Verification emails alone got a small web site I set up to be blacklisted within days. Most of the unwilling recipients presumably couldn't understand the language the verification email was written in and reported it as spam.
I assume you never tried to add a contact form to your website.
Explanation: I did, and within a few days bots started sending me spam using that form. I just added a trivial captcha (hardcoded '2+3=' question), but if my scale was bigger that would be untenable. Think also of PM spam, autoregistering accounts to abuse free tiers, etc.
I guess I just wouldn't have an open unauthed form and require a CC to use the free-tier. The contact-me form can just be a mailto: link and let the spammers go through the spam filter like everyone else. There are places where captchas is all you can really do but it's not like common use-cases don't have other options.
You want to put a credit card form in front of a contact form?
There are less annoying alternatives. Things like honeypot fields have worked for me so far. There are more dynamic variations on your maths question.
Because despite ZIRP being long over, there are still plenty of people/companies making money off "engagement" - aka wasting a human's time. Automation/scraping/etc would go around that.
There are also more good faith use cases like stopping credit card testing, ticket reselling and forum spam.
I feel folks forget that whatever captchas do (or a large portion of), can be a library without the need for a strange, inaccessible 3rd party service call.
Captchas are used for many things, and the reason they are still a thing is because they mostly work. Especially fingerprinting invisible captchas.
Try having a login form without a captcha and you'll realize you are capturing 100s of users every day that require you to send out a "please confirm your email address" email for each of them for no good reason.
> They still have to respect the system they're logging in.
Your trust in people is admirable, but in my experience running anything on the internet you'll realize that intentionally or not people will bombard your system until it falls over.
I think folks forget that we can add many of the safeguards captchas provide as part of whatever "form serving app" is needed without torturing our visitors to prove they can count bicycles.
I think the times of the "count bicycles" type of captcha are already numbered just because of the bad user experience. Now everything is about fingerprinting, as paying to get captchas solved by humans or AI is already used everywhere if it's worth it.
they don't work, robots have a higher speed and success rate than humans.
Not everything is black and white. If it's cutting down 50% of the spam that does not have captcha solving robots because the effort is not worth it, that's already something.
There's a reason many sites still have very basic captchas... it's good enough for their use case.
Simple distorted-characters captchas still do a good job of catching unsophisticated bots, which is most of them. They work even better when combined with hidden form fields because these bots don't support CSS.
Targeted attacks though? You're making your legitimate users suffer only so that you defeat 99% of bots instead of 95%.
If you have any input forms they will be overrun by bots immediately. At my last job, marketing built a website and didn't tell IT. They had a "contact us" form without any kind of captcha. Took about a month to be completely flooded by bot spam.
> Why are captchas even a thing still?
Because it works, to some degree. It keeps away the annoying cheap bots and stupid kids. Smarter or more dedicated actors can still circumvent it, but even they are at least slowed down to some degree.
But thinking about it, maybe just putting a 20 second pause after which you have to push a button might be already good enough for all this. And every stupid bot avoiding it will get banned.
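As an added illustration, not code from any commenter here, of the two cheap checks raised above (the hidden honeypot fields bots fill because they don't apply CSS, and the forced wait before the submit button): a Go screening function that combines both. The field names `website_url` and `form_token`, and the key value, are hypothetical; the fill time comes from an HMAC-signed timestamp the server embedded when it rendered the form, so the client cannot backdate it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"strconv"
	"strings"
	"time"
)

var tokenKey = []byte("example-only-key") // constructed; rotate in production

// IssueToken runs when the form is rendered; its output goes into a hidden input
// (hypothetical name "form_token") so the server can later tell when the form was
// served without trusting a client-supplied clock.
func IssueToken(issuedAt time.Time) string {
	ts := strconv.FormatInt(issuedAt.Unix(), 10)
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(ts))
	return ts + "." + hex.EncodeToString(mac.Sum(nil))
}

// parseToken returns the issue time only if the MAC verifies.
func parseToken(tok string) (time.Time, error) {
	ts, sig, ok := strings.Cut(tok, ".")
	if !ok {
		return time.Time{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(ts))
	if !hmac.Equal([]byte(sig), []byte(hex.EncodeToString(mac.Sum(nil)))) {
		return time.Time{}, errors.New("bad token signature")
	}
	n, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return time.Time{}, err
	}
	return time.Unix(n, 0), nil
}

// ScreenSubmission checks a posted form: a honeypot input (hypothetical name
// "website_url") that CSS hides from humans, e.g. with display:none, so only a
// bot filling every field sets it; and a minimum fill time measured from the
// signed token, so a script posting a second after fetching the page is refused.
func ScreenSubmission(form url.Values, now time.Time, minFill time.Duration) (bool, string) {
	if strings.TrimSpace(form.Get("website_url")) != "" {
		return false, "honeypot field filled"
	}
	issued, err := parseToken(form.Get("form_token"))
	if err != nil {
		return false, "form token rejected: " + err.Error()
	}
	if now.Sub(issued) < minFill {
		return false, "submitted too quickly"
	}
	return true, "ok"
}
```

Neither check inconveniences a screen-reader user, since the honeypot is hidden from assistive technology with `aria-hidden` and `tabindex="-1"` as well as CSS, and the wait is simply the time a person takes to type.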
Indeed… and if it's really problematic, a client-side script can run some expensive calculations as well (the same way captchas do it), to make it extra uninteresting to target unless someone is really motivated and has the budget for it.
Yes, hashcash.
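The client-side "expensive calculation" the two comments above refer to, in the hashcash style, as an added example in Go that is not from any commenter: the server issues a random nonce and a difficulty, the client burns CPU finding a counter whose SHA-256 has that many leading zero bits, and the server verifies with a single hash. The `Challenge` shape is hypothetical; the nonce must be single-use and remembered server-side, otherwise a solved puzzle can be replayed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"math/bits"
	"strconv"
)

// Challenge is what the server sends with the form (hypothetical wire shape).
// Nonce must be random and single-use (server remembers issued nonces) so a
// solved puzzle cannot be replayed; Difficulty is the leading zero bits required.
type Challenge struct {
	Nonce      string
	Difficulty int
}

// NewChallenge draws a fresh 128-bit nonce.
func NewChallenge(difficulty int) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: hex.EncodeToString(b), Difficulty: difficulty}, nil
}

// leadingZeroBits counts zero bits at the start of a digest.
func leadingZeroBits(d []byte) int {
	n := 0
	for _, x := range d {
		if x != 0 {
			return n + bits.LeadingZeros8(x)
		}
		n += 8
	}
	return n
}

// Verify is the server side: one SHA-256 regardless of difficulty, so checking
// is cheap even when producing the answer is expensive.
func Verify(c Challenge, counter uint64) bool {
	h := sha256.Sum256([]byte(c.Nonce + ":" + strconv.FormatUint(counter, 10)))
	return leadingZeroBits(h[:]) >= c.Difficulty
}

// Solve is the client side: try counters until the digest has enough leading
// zeros. Expected work is about 2^Difficulty hashes, which is the knob the
// server turns; too high and phones time out, too low and it deters nobody.
func Solve(c Challenge) uint64 {
	for counter := uint64(0); ; counter++ {
		if Verify(c, counter) {
			return counter
		}
	}
}
```

The asymmetry is the whole point: a difficulty of 20 costs a visitor around a million hashes once, but costs a bulk submitter a million hashes per form.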
I hope AI stuff makes captchas completely obsolete soon. I am sick of them. The cure is worse than the disease.
Captchas have been obsolete for the past decade plus.
With solving services like DeathByCaptcha and AntiCaptcha, it takes seconds to solve them. It costs something like $1.90 per 1,000 successfully solved captchas using human typers and OCR. It can easily be rolled into your code with a few lines.
But surely, it's only going to get worse: it will force the de-anonymization of the internet. You already have to provide a phone number for many services.
If websites can't trust that their users are authentic they will probably institute even more intrusive checks.
I haven't been optimistic about the future of technology for a while now. :'(
In the future I think we will again go to "notarization"/"attestation" of the operating system / hardware.
Essentially, the manufacturer of the device + operating system will generate a unique signature per each device, and web browsers will be able to access it.
https://en.wikipedia.org/wiki/Web_Environment_Integrity
I'm very grateful the WEI proposals were put down. It'd have an enormous privacy impact on normal users, and not give that much protection against bad actors using device farms & similar tools.
But the WEI proposals were never about protecting from bad actors with device farms. They were always about guaranteeing that a certain ad company who also makes browsers can always push ads to users, thus maximizing value for shareholders. Protecting from device farms was just the bait.
Oh, the really bad part of WEI is not the privacy impact.
The real thing is the gating of every kind of information exchange and treatment in the hands of a few entities, that get the power to say who will participate on those activities and doing exactly what.
That is, the complete elimination of the freedom of association and initiative from our society. At least around any one of those that involve computers.
The loss of privacy is a rounding error.
How does that work for, say, Chromium or Firefox on Linux?
I believe the plan was to ask the TPM of the computer.
From what I understood, each TPM has a unique private/public key pair (Endorsement Key (EK)), and then this key is certified by the manufacturer of the TPM.
From there, you can generate Attestation Keys, and these keys are signed by the EK.
https://security.stackexchange.com/questions/235148/whats-th...
So essentially, at the end of the day, Chromium would ask the TPM for attestation, and it would act as a unique Device ID.
Then they can allow only a selected list of TPM manufacturers' certificates, to prevent emulators for example.
TL;DR: Chromium on Linux would ask the TPM chip for a signature, and each TPM chip has a different signature from the moment it is out of the factory.
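The chain the comments above describe (manufacturer certifies EK, EK signs AK, AK signs whatever the site asks), reduced to a self-contained Go example that is not from any commenter or from Chromium: a site accepts an attestation only if its EK chains to an allowlisted manufacturer key, which is the emulator exclusion mentioned above. Real TPMs carry the EK in an X.509 certificate and bind AKs through credential activation rather than a plain EK signature; the `Attestation` struct and the "each key signs the next" shape are simplifying assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// Attestation is the bundle a browser would hand a site (hypothetical wire shape).
// Each signature covers the SHA-256 of the next key's DER encoding: manufacturer -> EK -> AK -> nonce.
type Attestation struct {
	EK, AK    *ecdsa.PublicKey
	EKCertSig []byte // manufacturer over EK (stands in for the EK certificate)
	AKCertSig []byte // EK over AK
	NonceSig  []byte // AK over the site's fresh nonce
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gen() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func keyDigest(k *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(must(x509.MarshalPKIXPublicKey(k)))
	return h[:]
}

// BuildDevice plays the factory and then the device: the manufacturer certifies
// the EK at production time, the device derives an AK under the EK, and the AK
// later signs the nonce the site sends. The EK never changes, hence "device ID".
func BuildDevice(manufacturer *ecdsa.PrivateKey, nonce []byte) Attestation {
	ek, ak := gen(), gen()
	n := sha256.Sum256(nonce)
	return Attestation{EK: &ek.PublicKey, AK: &ak.PublicKey,
		EKCertSig: must(ecdsa.SignASN1(rand.Reader, manufacturer, keyDigest(&ek.PublicKey))),
		AKCertSig: must(ecdsa.SignASN1(rand.Reader, ek, keyDigest(&ak.PublicKey))),
		NonceSig:  must(ecdsa.SignASN1(rand.Reader, ak, n[:]))}
}

// VerifyAttestation is the site's side. Only an EK that chains to an allowlisted
// manufacturer key passes, which is what excludes emulated TPMs; the fresh nonce
// stops a captured attestation from being replayed.
func VerifyAttestation(a Attestation, nonce []byte, allowed []*ecdsa.PublicKey) bool {
	rooted := false
	for _, m := range allowed {
		rooted = rooted || ecdsa.VerifyASN1(m, keyDigest(a.EK), a.EKCertSig)
	}
	if !rooted || !ecdsa.VerifyASN1(a.EK, keyDigest(a.AK), a.AKCertSig) {
		return false
	}
	n := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(a.AK, n[:], a.NonceSig)
}
```

Note what the site learns in passing: the same EK on every visit, which is the privacy cost the thread is debating.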
CAPTCHAs already don't work. If they are not annoying enough to turn your customers away, they are very easy for an attacker to pay people to solve.
AI is already much better at them than I am.
AI stuff is why CAPTCHAs exist. It's also why they've gotten so much worse the last few years.
CAPTCHAs are going to get much worse before they're replaced by account paywalls or remote hardware attestation.
As a blind person, I genuinely believe that hCaptcha, being as terrible as it is, is still the best solution among the ones that we can physically achieve in the world as it exists right now.
Audio captchas don't work for people with hearing issues and/or who don't speak your n supported languages, where n is usually <10. I've had to help people out with these over the phone, it was not fun.
Even for people for whom they do work, it's worth keeping in mind that bots can solve them by now, and so users whose activity looks too fraudulent, who are still given access to the visual captchas, have to be blocked from using the audio ones. I have also seen this happen.
Text captchas are a non-option by now, they're very easy to solve with LLMs, and the way they have to be phrased makes it impossible to align LLMs not to solve them, like you can do with the visual ones.
Google's ReCaptcha can get away with having no actual challenge for most users, blind or otherwise, but that's because they're Google, they do enough user tracking that they don't actually need a captcha. Google is the only company that can get away with this, and even for them, it doesn't work in all situations, even when the user fully trusts Google and has not adjusted any privacy preferences.
Sure, you could stop using captchas entirely, if you're fine with receiving dozens of viagra ads on every single platform each day, abolishing all "contact us" and comment forms on the internet, having a significantly higher credit card fraud rate (which translates directly to higher prices and a much worse experience for consumers), and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest. Unsurprisingly, most users are, in fact, not fine with this.
> and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest.
Public content on the Internet should be scrapable. That's what public means.
The fact that my reddit posts were publicly available never bothered me. Even if they were going to be used to train some LLM. What does bother me is reddit locking up my posts and making exclusive deals with Google to train Google's LLM.
Preventing scraping isn't good for the average user; it is good for the company that wants to take content created by said user, lock it up, and sell it to their buddies.
> Public content on the Internet should be scrapable. That's what public means.
Not necessarily, especially if you want to expose some relationships in one direction while hiding the other.
Imagine your government creates a CNAM-like[1][2] system that lets you enter a phone number and see its owner, to see who is calling you and whether a number you're given is legit. However, they do not want to let you see a person's phone number just by entering their name.
If there's no captcha, an unscrupulous actor, registered in the Seychelles and unconcerned with your country's laws, can just scrape all possible phone numbers and offer a "reverse lookup" service.
In a way, the number/name records are public information, after all, the government lets you query them without authentication, but in a way they aren't, because you're only permitted to query them in a certain way.
Variations of this problem have appeared many times, particularly across Europe, usually with company numbers, property deeds and such.
And the very angry email that I (probably unwisely) just dashed off to support@hcaptcha.com:
"So I've been trying to sign in repeatedly to set the accessibility cookie since last night. Every time I click the submit button, I get the useless error message "an error has occurred, please try again".
My friend, who shares my roof and my static IP, got banned from hcaptcha's accessibility service last year for being too smart to be blind. And I suspect you all have banned our IP and not just his account.
For the record, my static IP address is (redacted).
See https://michaels.world/2023/11/i-was-banned-from-the-hcaptch... for his story. I have been broadcasting this to websites frequented by technically capable people: https://news.ycombinator.com/item?id=42171164 https://lobste.rs/s/qbkd0u/i_was_banned_from_hcaptcha_access...
Please let your bosses know that I plan to pursue legal action against hCaptcha and/or amplify the truth to destroy its reputation in the public square. I will also be reaching out to websites who utilize hCaptcha, letting them know that the captcha provider they employ is refusing to provide reasonable accommodations to blind people.
Whether it be with the force of law or the force of satyagraha, your bosses are going to get a message and we will win."
And their thoroughly unhelpful reply:
"Hi there, sorry to hear you're having difficulties!
We have an alternative authentication scheme that you may prefer: https://www.hcaptcha.com/accessibility
You can sign up here: https://dashboard.hcaptcha.com/signup?type=accessibility
This lets you avoid the challenge altogether after registration.
It is designed for users with any kind of difficulty solving the challenges.
Thanks for reaching out, and hope this makes your experience better."
Brave support here, tried to reach out to hcaptcha support and got the same auto response :|
Yeah, sue them. They'll love that.
It's quite unpleasantly often that I hear stories about accessibility accommodations being removed by someone considering themselves the sole arbiter of disability.
That smells illegal.
hCaptcha is worse than reCaptcha.
I pass the captcha (I am not blind and not using an accessibility account) and get a response like
Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below. (Reference ID: 4035128747213959)
And you are given captcha again (passing which will have the same result).
reCaptcha had a similar issue, but choosing 'accessibility' would transform the captcha from a visual to an auditory one and passing it had no such problems.
In the end I just gave up.
Please just let me link some kind of government-backed ID to an email account and then clients can ask "hey government, is this email account a real human being in your country?" And the government can say "yes" and they can go forward knowing that if I turn out to be a bot and they ban me it will be a huge pain in my ass because I've got to go through the government enrollment process again.
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.
These things have one job. Any time they fail to identify a human, they have failed at their job. How they go about administering the test, and (to a large extent) what the human does in response, should be irrelevant. I know that's hard, no-one said the job was easy, and the companies developing them are the ones making claims about their efficacy.
If you want to block 100% of bots, don't put your stuff on the Internet. If you want to block bots and allow humans then you're going to have false negatives. Failing to acknowledge them is dishonest.
None of which stops me filling them out when I encounter them, but I don't have to like it.
If you're in Europe, consider filing a GDPR complaint with your local data protection authority. One of the rights recognised in GDPR is the right to rectify information about you, and it was clearly not afforded by the provider here.
reCaptcha is better than hCaptcha