Google's reCAPTCHA Turns 'Invisible,' Will Separate Bots From People Without Challenges

Google is making CAPTCHAs invisible using "a combination of machine learning and advanced risk analysis that adapts to new and emerging threats." Ars Technica reports: The old reCAPTCHA system was pretty easy -- just a simple "I'm not a robot" checkbox would get people through your sign-up page. The new version is even simpler, and it doesn't use a challenge or checkbox. It works invisibly in the background, somehow, to identify bots from humans. Google doesn't go into much detail on how it works, only saying that the system uses "a combination of machine learning and advanced risk analysis that adapts to new and emerging threats." More detailed information on how the system works would probably also help bot-makers crack it, so don't expect details to pop up any time soon. When sites switch over to the invisible CAPTCHA system, most users won't see CAPTCHAs at all, not even the "I'm not a robot" checkbox. If you are flagged as "suspicious" by the system, then it will display the usual challenges.

"suspicious" by the system

[turkeydance]

the ceiling is the roof

Re: "suspicious" by the system

the floor is the basement

Re: "suspicious" by the system

[Spazmania]

yeah... display the usual challenges and then reject correct answers two or three times in a row before accepting a correct one. And by the way Linux = suspicious. It's a POS.

Re: "suspicious" by the system

[Spazmania]

Just reporting my experience with the product, so if you're the guy who wrote it then right back at you.

Re: "suspicious" by the system

Gotta confirm. You must answer according to the flawed machine reasoning, not provide actual human answers.

Pick all street signs. Except for these that are sideways , visible from behind, or somewhere in the background.

Pick all store fronts. A church is also a store.

Pick all photos that contain food. Nope, that on the table of the restaurant doesn't count.

Mark all squares that contain street signs. By street signs we mean the big banner for the laundry, occupying 3/4 of the image.

Seriously, the captcha doesn't test if you're a human, it tests if you are a crappy image-recognition AI!

Re: "suspicious" by the system

[Anonymous+Brave+Guy]

You got through after only two or three times? That's a huge improvement on the old system then. I have literally been locked out of making financial payments and even being able to access some government systems because of captcha madness, giving up trying after several minutes of not being able to get one right. The picture-based ones, where you have to click every square with a tree or road sign or something, are the worst. So much time wasted.

Re: "suspicious" by the system

Can confirm exact same behaviour.

Re: "suspicious" by the system

The walls are the walls

Re: "suspicious" by the system

[Spazmania]

This. So much this.

Re: "suspicious" by the system

[PixetaledPikachu]

"The desk is just a desk"
Twice's Sana

Up until it tags the handicapped as bots

I believe there are accessibility laws most parts of the world ....

Re:Up until it tags the handicapped as bots

[gnick]

If they're compliant now, it shouldn't be a problem. If you're suspicious, they just kick you back to the system they were using before. If they're not compliant now, this may be part of their accessibility solution.

Re:Up until it tags the handicapped as bots

The pre-existing one fails in accessibility scenarios.

Eh!

"You're either a bot or you're running NoScript!"

Re:Eh!

As far as I can tell, if you are running noscript you cannot get through these things at all.

Google wants to know what you are signing up for. If you won't tell it, it won't let you pass.

Re:Eh!

[infolation]

But google's CAPTCHAs are not only used for signups. If you search google using the TOR browser you're also presented with CAPTCHAs for every search. Which gets quite annoying.

(Google say they don't target TOR but experience says otherwise.)

Re:Eh!

It does provide a "noscript" alternative. It's cumbersome as fuck as it takes you to an entirely different page with the captcha as a web form from web1.0 times.

Re:Eh!

[toddestan]

Browsing the internet through TOR is downright painful now thanks to all of the CAPTCHA garbage. Besides Google, Cloudfare is another major offender. Though at least as far as search goes, you can use DuckDuckGo.

Don't know how I feel about this

For one thing, I never get the checkbox from my residential IP connection. But once I switch to my vpn on my own assigned /24 I get recaptcha's all day. This isn't new, I've been browsing from the same /24 for the last 5 years. Yet for some reason, Google things when I'm coming from there I'm a threat. I know I'm a minority that's going to be drowned out because who cares about the few users caught in the net. It's just an annoying feature that kills any competition for my business. Any remote sites using a squid cache connection get the reCaptcha flag. They switch to a different provider or move the cache server to GCE then everything magically works.

What's a BOFH to do.

Re:Don't know how I feel about this

[jaymemaurice]

Did you ever make sure that /24 doesn't have an open proxy, DNS or NTP server running on it? Did you make sure that there are DNS reverse/PTR records? When using squid did you make sure it is locked down? Did you ever try removing the x-forwarded-for headers or adding them?

I am the walrus

Coo coo cha coo

Re:I am the walrus

Don't you mean "goo goo ga joob"?

Lots of work to do

[arth1]

For some reason, I get flagged for captchas all the time, but no matter how vigilant I am at choosing storefronts, mountains, street signs and house numbers, I have to go through at least a dozen pages of them before it believes me.
I wonder whether being behind load balanced proxy servers might have anything to do with it.
Anyone else having similar problems?

Re:Lots of work to do

[MatthiasF]

Yep. I constantly need to do them because I have my browser locked down to stop tracking.

I have a feeling most of Google's new "invisible" method has more to do with the fact they are tracking you as a unique user and following your path to the page. If it looks legit, they don't challenge.

But if you're one of the many of us who actively fight being tracked, we're going to be relegated to second-hand internet user thanks to Google's monopoly.

Re:Lots of work to do

Yup, exactly the same problem and I'm not behind proxy servers. I just assume Google needs more free labor right now. I'm slowly starting to avoid sites with reCAPTCHA.

Re:Lots of work to do

[sinij]

Yes, if you lock down your browser you get them a lot. Basically, for Google, if they know where you live and your cat's name - then you don't get shown captchas.

Re:Lots of work to do

Yep, apparently I'm a bot too. Could be the various ad blockers and anti-trackers, maybe? I guess giving a sh*t about your privacy and your ability to surf the web rather than just blindly consuming stuff like a drooling imbecile makes you an AI.

Re:Lots of work to do

[hcs_$reboot]

Yes, and this is because you do, on Google behalf, some picture recognition as well, in order either to confirm some other person recognition "work", or to be the initiator. The percentage distribution between "recognition work" and "actual recaptcha" is not clear, but the more you have to recognize, the more you work for Google at no charge.

Re:Lots of work to do

But if you're one of the many of us who actively fight being tracked, we're going to be relegated to second-hand internet user thanks to Google's monopoly.

So much this. It is a long, steady march. Most people don't care.

Re:Lots of work to do

[93+Escort+Wagon]

Yep. I constantly need to do them because I have my browser locked down to stop tracking.

I have to do them all the time, and I'm not even that aggressive regarding blocking tracking. I mostly just clear things out after the fact, every few days - I'm not even running noscript (but I am running an ad blocker, and don't use Google for much).
I'll be curious to see how many of us this disenfranchises...

Re:Lots of work to do

[Baloroth]

It's amusing that you consider this "relegated to a second-hand internet user". If Google can't track you, they can't use said tracking to verify that you're a human. Of course that means you have to do more work to prove you are a human. If you deliberately choose to opt out of a feature of the internet that makes your life more convenient for the sake of privacy, your internet usage is going to be less convenient. This isn't the only area where that happens (for instance, if you don't want credit card companies tracking your purchases, you have to use cash, which is less convenient). This isn't difficult, and let's be honest, it's also not a big deal (these reCaptchas take like 30 seconds maybe every couple of days). Privacy and convenience are, and always have been, a tradeoff.

Re:Lots of work to do

[MatthiasF]

That's a really nice attempt at an apologist's view of Google's monopoly, except credit card companies can only track WHERE you spend money, not the specifics of what you actually bought. Whereas Google literally knows what sites you are browsing, what pages on that site you are browsing, even what parts of the page you read through it's AdSense product and then takes all of that to determine what parts of the Internet it wants to show you through it's Search product. Then there's the email product, and the social media, etc. etc.

No other entity has ever been able to get that much information in that detail on a "customer" (quotes intentional, since let's face it you're the product to Google, not the customer).

The fact that Google is pushing an internet standard that would require accepting the use of their invasive business practices to maintain a normal experience on the Internet is pretty abusive of their monopoly in my opinion.

Re:Lots of work to do

[arth1]

This isn't difficult, and let's be honest, it's also not a big deal (these reCaptchas take like 30 seconds maybe every couple of days).

30 seconds? More like 10 minutes. Once I've selected all the pictures, I get a new set. And a new set. And a new set. It doesn't matter that I answer them all correctly - I have to go through a lot of sets before finally being let through.

Re:Lots of work to do

> Whereas Google literally knows what sites you are browsing, what pages on that site you are browsing, even what parts of the page you read through...

As APK would tell you, blocking Google's analytics domains stops this dead. Your computer can't run code that it doesn't know how to fetch.

"Oh, but then google.com doesn't work, and I can't watch funny cat videos on YouTube!" Well... what did you expect?

Because of their corporate integrity and their extremely serious commitment to data security, Google is _the_ most trustworthy Internet Advertising network. You need to take any concerns you have about Google, crank them up 100x, and then duplicate them by a couple hundred to cover every shitty, shady, Big Internet Advertiser that's not Google.

If Internet Advertising were an unavoidable fact of life, and I were God Emperor, I would decree that forever and for always Google will remain the only Internet Advertiser permitted to operate from now until the end of time. The other guys are just _that bad_.

Re:Lots of work to do

Yep, same problems for me, and some images are so grainy it's not possible to make out anything on them.
Since I normally don't have 10 minutes to spare clicking images when I want to do something, I just put that site to my blacklist and find an alternative instead.

Re:Lots of work to do

Yes. For the longest time I didn't even know some people didn't have to click on every type of doughnut, pizza, patio, or whatever else google comes up with.
I have to do it pretty much every single time. Maybe they don't like my ISP.
I don't even have any special setup at home.

Re:Lots of work to do

[AmiMoJo]

The invisible ones seem to be using things like mouse movements and other measurements of human interaction, which can be difficult to fake. They must have some way to prevent replay attacks. Not sure how they will handle people disabling Javascript, probably fall back to the old HTML5 method.

I find what triggers to endless captcha loops is:

- Privacy settings in your browser, especially Privacy Badger and uBlock
- Blocking Flash/WebGL/Canvas fingerprinting
- Disabling Javascript
- Using a VPN
- Especially using TOR

Re:Lots of work to do

[jenningsthecat]

I find what triggers to endless captcha loops is:

- Privacy settings in your browser, especially Privacy Badger and uBlock - Blocking Flash/WebGL/Canvas fingerprinting - Disabling Javascript - Using a VPN - Especially using TOR

I find what triggers endless captcha loops is the regression of Google's search capability, such that I have to repeat the same basic query multiple times with different minor variations in attempts to bypass Google's belief that it knows what I want better than I do. At least once a week, and often several times per day, I get stuck doing Google captchas. I guess it doesn't help that I have a wide range of interests and the type and range of query I make can change dramatically in a short period of time.

Google really is gearing its results to the lowest common denominator among Internet users. It never used to be that way. If I had the opportunity to pay for the quality of search capability that Google provided a decade ago I would do so. But I guess they're not interested in receiving money from us, AKA "their products". They're only interested in monetizing us by selling our data, not in providing quality data to us.

Re:Lots of work to do

[TheRaven64]

"Oh, but then google.com doesn't work, and I can't watch funny cat videos on YouTube!" Well... what did you expect?

That's absolutely fine. The problem is that it's not just Google, it's every third-party site that uses reCAPTCHA stops working properly as well if you don't permit Google to track you all across the web.

Re:Lots of work to do

[TheRaven64]

- Blocking Flash/WebGL/Canvas fingerprinting

I'd wondered why a load of sites seem to be asking for WebGL access now when nothing seems to need it - using it for fingerprinting makes sense. I disable it by default, because I've worked on GPU drivers and there's no way in hell I'd allow untrusted code into them, even if it's been through a WebGL verifier.

Re:Lots of work to do

That's a really nice attempt at a whiners' view of google's services, except you can easily use other searchengines, if you're really that bothered about it. See of those are any better, googlebasher.

Just like you have other emailproducts on the internet and btw, the social media is in large part NOT googles' (facebook, twitter...).

And if you now complain that the others are far worse: you're right. So stop whining about google. If you REALLY want, you can use duckduckgo and emailsystems bend on privacy and anonymity.

In fact, you know all this, as do I. But yes, you loose convenience and comfort, just as the other poster said, and THAT'S what you're really complaining about. It's not about google, or any other company, it's just you being self-centered and being too lazy do to the trouble that gives you the ability of more privacy, or you're too focused on your own comfort to give in a bit for the sake of additional privacy.

Well, tough luck. You can't have it both ways, and if you think you can: develop your own searchengine then, that has all of the advantages, and none of the disadvantages. Make a Slashdot-story when you do, and I'll get back to you. Until you do: shut your whining. You sound like a little kid going on a tantrum because he can't get everything he wants.

Re: Lots of work to do

[BlytheBowman]

and I can't watch funny cat videos on YouTube!#### Anybody that obsessed with cats needs to check into a mental institution. Seriously Today's die-hard "lolcats" fans - Tomorrow's animal hoarders

Re:Lots of work to do

[Wrath0fb0b]

But if you're one of the many of us who actively fight being tracked, we're going to be relegated to second-hand internet user thanks to Google's monopoly.

Whatever happened to you happened because the owner of the site chose to use ReCaptcha as a tool to prevent bots. You have no right to insist that a particular website cater a particular user experience to you -- if you don't like it, you can go elsewhere.

And what monopoly are we talking about here? There's certainly no monopoly on plugins to detect bots, there are dozens. Google might (probably even) have a monopoly on search, but that's hardly relevant to the captcha story. . .

Re: Lots of work to do

[BlytheBowman]

Must suck for those who have any kind of eye or visual perception problems. Those capchas that twist and contort the letters and mash them close together must really be fun for dyslexics.

Re:Lots of work to do

That's a really nice attempt at an apologist's view of Google's monopoly, except credit card companies can only track WHERE you spend money, not the specifics of what you actually bought.

Uhhh... you probably want to take a peek at Level 3 credit card data. Most applications today also send information about the things you purchase to the credit card companies anytime it is possible to get reduced rates from them. The cc companies effectively "pay" merchants for that information by lowering their rates so they can offer things like "how did you get this far into debt" to their cardholders, while at the same time building surprising portfolios on their cardholders that, as banks, I certainly wouldn't put them past selling.

If you don't want somebody knowing what you bought, you absolutely have to use cash.

Re: Lots of work to do

[BlytheBowman]

I never get those on my tablet or phone, but that is because they are generally gimped compared to a desktop or laptop computer (even though there is no real technical reason they can't do what a "proper" computer can , the marketeers demanded these hobbles). If you are using a "proper" desktop computer, Google must ass-u-me the user is some Ev1l SpAm 73rr0r ha>0r and must prove they are innocent. (Yes, I know what our forefathers said, but right now they are bound and gagged and dressed in a silly clown suit, proverbaly speaking. Not even the peasants take seriously or care what they had to say anymore. Citizen Rights? That is so last millenium!) If you are using a browser where you can change the User-Agent string that it sends out to match an Android browser, you may be able to get around this, but be prepared to to be bombarded with "This stupid web site works best with our app!" messages, or be locked out entirely from some sites by this until you change the string back.

Re:Lots of work to do

The fact you entered given captcha answer correctly doesn't mean you passed the whole captcha test. If Google gets suspicious, you need to solve a couple captchas correctly before you're allowed through. Observe the confirm button, it changes between something like "next" and "done".

Re:Lots of work to do

[tepples]

I've worked on GPU drivers and there's no way in hell I'd allow untrusted code into them, even if it's been through a WebGL verifier.

What should reach more users: an application developed for WebGL or an application developed for, say, OpenGL on a Mac?

Re: Lots of work to do

“The Needs of the Many Outweigh the Needs of the Few”

Re:Lots of work to do

My god! Whatever am I going to do??! It'll never work for me, then: I own no cat!!

I guess I could buy a kitten so google let's me through...

Re:Lots of work to do

[Anonymous+Brave+Guy]

I haven't used much from Google in years, personally. I'll still use Google search if my first choices don't get good results, but usually they do fine. I watch videos on YouTube sometimes. It's not as if anyone actually has to use Google services routinely if they don't want to be subject to Google hassles.

We're all fine unless other admins start plastering Google-hosted junk all over their own sites. Oh, wait...

Re:Lots of work to do

[TheRaven64]

The web-based malware will be a lot easier to deploy, if that's your question.

Re:Lots of work to do

[Ol+Olsoc]

If you don't want somebody knowing what you bought, you absolutely have to use cash.

That's gone by the wayside. For some reason I had to buy something around a hundred dollars or so with cash. I had to show them ID and give a phone number.

I suspect a lot of Slashdotters are going to have to sell everything, and move to a compound in remote Idaho, only barter, tear up their SS card, and go back to subsistence living.

I wonder if the 1840's were really that much better than today.

Re:Lots of work to do

[tepples]

Let me rephrase:

A video game developer might consider targeting WebGL in order to avoid having to develop the game five times, once each for Windows, macOS, GNU/Linux, iOS, and Android, or to avoid the editorial censorship imposed by the sole app store of one or more of said platforms. If you were developing a video game, would you develop it five times in such a manner, or would you instead limit supported operating systems and forgo revenue from users of others?

Re:Lots of work to do

[FlaSheridn]

http://www.bfi.org.uk/are-you-...

Re:Lots of work to do

[dryeo]

Google doesn't have a monopoly, there's competition like Facebook and MS in the tracking space, Bing in the search engine space and a few ad networks. Soon your ISP will also be competing in gathering your info and selling it as well (yay consumer freedom) and it is harder to block your ISP then just adding a few entries to your hosts file and running no-script. Your ISP also has a lot more power then Google in controlling your internet use

Re:Lots of work to do

[cant_get_a_good_nick]

I always say --

I really do hope there's an evil Phase 2 to Google, possibly enslaving us and forcing us to use Google Wave, Buzz, and Knol. Because if they're tracking me across every web page, every place I go, listen to everything I say, just to sell me socks, I'd be disappointed.

Re:Lots of work to do

[mrchaotica]

I'd develop it in SDL + OpenGL.

Re:Lots of work to do

[tepples]

And then compile the game made in SDL and OpenGL for which of the five platforms that I mentioned above (Windows, macOS, GNU/Linux, iOS, or Android)? Because I doubt that these platforms are binary compatible, unlike web browsers running a web application.

Re:Lots of work to do

[mrchaotica]

And then compile the game made in SDL and OpenGL for which of the five platforms?

Um... all of them, as you normally do? I'm confused because you ask that as if it's some kind of problem...

Re:Lots of work to do

[MatthiasF]

You just linked a service that is essentially only used for huge companies and government entities. Even on that very same page is an explanation that Level 1, the level for the majority of credit card purchases via the average consumer, only passes minimum data like I stated. Level 2 is the old Level 3, where it offers sales tax and a unique customer code along with what Level 1 offers to help track the purchases in the card holder's accounting or ERP systems.

Level 3 requires an entire infrastructure of software on both sides, the credit card owner and the merchant, for it to work. I doubt many consumer-based merchants have Level 3 support, nor would any amount of fee reduction pay for the expense of it (and I would doubt many merchant merchants would survive had they agreed to doing this). This level of information is only used for large corporations buying from wholesalers and such so they can track the inventory they are purchasing from moment of purchase.

But nice try Googling something to feed your paranoia.

Re:Lots of work to do

[tepples]

And then compile the game made in SDL and OpenGL for which of the five platforms?

Um... all of them, as you normally do?

Not everybody "normally do[es]", for two reasons.

First, an individual developer graduating from hobby projects to a first revenue-generating project is unlikely to have the financial resources right off the bat to purchase five different devices for which to build and test: a Mac, a Windows 10 PC, a GNU/Linux PC, an iPhone or iPad, and an Android device. He would have to make a version for each platform and use the revenue from users of each platform to fund a port to the next platform. But with web technologies, it's possible to hit multiple operating systems with one testing effort, such as all three major PC operating systems plus Android. In addition, someone who habitually uses Chrome and Firefox and refers to Can I Use is likely to be able to make something that's at least partially usable in Edge and Safari and can fix reported issues on demand. In addition, all users of Edge or Safari for macOS are eligible to install Chrome or Firefox and use it to run a particular web application until the application's support for Edge or Safari is more thorough.

Second, with WebGL, if you publish the game once, all five platforms receive it simultaneously. There is no mandatory app review process to delay it by two weeks or reject it, as there is with native apps for iOS.

Re:Lots of work to do

[mrchaotica]

First, an individual developer graduating from hobby projects to a first revenue-generating project is unlikely to have the financial resources right off the bat to purchase five different devices for which to build and test: a Mac, a Windows 10 PC, a GNU/Linux PC, an iPhone or iPad, and an Android device.

LOLWUT?

There are only two possibilities: either the programmer in question is a hobbyist, or a pro. If the former, then Virtualbox (or whatever other emulator/virtualization system is applicable) would be fine. If the latter, then two phones and a Mac Mini is affordable.

Besides, even writing platform-specific code from scratch is less complicated and time-consuming than you'd think.

Re: Lots of work to do

[BlytheBowman]

Sucks when you are one of the few

Re: Lots of work to do

[BlytheBowman]

Wow, I just had a flashback to all the stink that arose here when it was revealed that the Pentium 3 cpus would have a unique numerical id Damn, so quaint in this age of locked and signed boot loaders, malware from illigitimate and "legitimate" companies*cough*Sony*cough*, all the major commercial computer and phone operating systems constantly phoning home with shitloads of user info, games with DRM that require an always on internet connection just to load, and other such shit to remind us that we are fast backsliding into Feudal times.

Re:Lots of work to do

[tepples]

There are only two possibilities: either the programmer in question is a hobbyist, or a pro.

My question was about the transition from the first of these "two possibilities" to the second. But first, let me make sure we agree on definitions. To me, a "professional" means one who has been paid for his work in a particular field. Am I right? Or are you instead defining it as one who seeks to be paid for such?

I thought one's project to become a professional had to be done with hobbyist tools in order to afford professional tools for the next project. The only ways I can see around this are A. to earn money for the required tools in a day job in a different industry, or B. to release hobby projects to establish one's reputation and then crowdfund the tools needed for a simultaneous 5-platform release of one's first professional project. Which one is more practical?

If the former, then Virtualbox (or whatever other emulator/virtualization system is applicable) would be fine.

I thought it was copyright infringement to run macOS in "VirtualBox (or whatever other emulator/virtualization system is applicable)" on anything but a Mac.

If the latter, then two phones and a Mac Mini is affordable.

Do you consider it a desirable state of affairs to give Apple a monopoly over computers used by developers? If so, why is this an exception to the inefficiency of monopoly?

Re:Lots of work to do

[mrchaotica]

I thought one's project to become a professional had to be done with hobbyist tools in order to afford professional tools for the next project. The only ways I can see around this are A. to earn money for the required tools in a day job in a different industry, or B. to release hobby projects to establish one's reputation and then crowdfund the tools needed for a simultaneous 5-platform release of one's first professional project. Which one is more practical?

C. Become a professional and save up money by working at an established company before striking out on your own, D. get venture capital and/or a small business loan, E. go ahead and release on one platform first to get money for proper testing on the others, although that's not ideal), etc.

I thought it was copyright infringement to run macOS in "VirtualBox (or whatever other emulator/virtualization system is applicable)" on anything but a Mac.

You run Linux and Mac VMs using a Mac OS host. Obviously.

Do you consider it a desirable state of affairs to give Apple a monopoly over computers used by developers?

No, which is why I'd just release on Windows/Linux/Android and fuck Apple. You're the one who predicated this sequence of strawman arguments on wanting to release on Mac and iOS.

Regardless of all this, the fact remains that writing native code (even if it takes multiple times and testing everywhere) is infinitely better than balancing your game on the gigantic Jenga-tower of excessive abstractions and security holes that is Javascript/WebGL!

Furthermore, WTF is wrong with you? I've read your posts on Slashdot for many years now, and you're not usually this trollish and stupidly argumentative. Are you ill, or did somebody else take over your account or something?

Re:Lots of work to do

[mrchaotica]

"Linux and Windows VMs using a Mac OS host," I meant.

Re:Lots of work to do

[tepples]

You run Linux and Mac^W Windows VMs using a Mac OS host. Obviously.

And thus still need to buy the Mac mini to run the macOS host, making the "hobbyist" and "pro" loadouts the same.

No, which is why I'd just release on Windows/Linux/Android and fuck Apple.

At this point, I'm inclined to agree.

Google knows who you are already

Translation: Google have collected enough data of most people's browsing habit from google.com + googleanalytics.com + googleadsense, no need to show you a captcha when they know who you are already.

Re:Google knows who you are already

[sinij]

Speak for yourself. Insofar as Google knows, I am a dog.

Re:Google knows who you are already

Slashdot users are irrelevant edge cases, most people don't even have noscript or adblock, adsense is on almost every page they go (outside of facebook), so google knows who they are already.

Re:Google knows who you are already

[Black+Parrot]

Speak for yourself. Insofar as Google knows, I am a dog.

No, on the internet nobody knows that.

Re:Google knows who you are already

[Blig]

Speak for yourself. Insofar as Google knows, I am a dog.

Incoming dog food and related products advertising when you visit Google now in 5... 4... 3... 2... 1 ;-)

Given that Google not infrequently flags me...

[gweilo8888]

Given that Google not infrequently flags my web searches as being "suspicious", you'll forgive me if I expect this to work rather poorly in practice. I won't be holding my breath for the pipe dream of seeing captcha images less frequently...

Re:Given that Google not infrequently flags me...

Whenever they do that to me, sometimes I submit "Google SUCKS!" and "LARRY PAGE is a Fucking DOUCHEBAG!" in their captcha box until I recover my composure.

Re:Given that Google not infrequently flags me...

What do you mean suspicious? Does it print some kind of warning on the screen or it sends you a TXT to say someone is using your account?

Re:Given that Google not infrequently flags me...

If you do stuff like make a succession of similar searches, but with slightly different word orders or adding one or two different words, and then go deep into the returned page cache (past page 10), then Google's servers might get suspicious and throw a captcha box at you. And they won't be nice about it either - they'll say "Prove you're not a robot."

Re:Given that Google not infrequently flags me...

[ayesnymous]

Google always thinks power users (people who use quotes around phrases, or who use the site:domain.com filter, or who are fast typers able to submit more than 1 search every 5 seconds) are suspicious.

Re:Given that Google not infrequently flags me...

I hate that page. Since I became a dev manager, I don't get any time to program but instead spend about half of my time trying to help others. That often involves searching for errors or solutions to problems. I've gotten good at knowing which, for example, Java-related sites have good info so I scroll through the results fast. I see that captcha several times a week.

Re: Given that Google not infrequently flags me...

The captcha for Google Search uses different tech. There is no client side JavaScript, and I believe it is solely based on the request you are making and your IP address (so your query history, account etc are irrelevant).

That's cos the captcha has to work to block DoS attempts, which might be very high volume, and if they had to do a database query to look up your account details for each query it would overwhelm the database.

My guess is you are on a shared IP address block, and someone else on the same IP block is running malware or an open proxy.

Find them, nuke it, problem solved and you're making the web less spammy at the same time.

Re:Given that Google not infrequently flags me...

[toddestan]

I don't get why anyone would put with a search engine that throws CAPTCHAs at you when you try to use it. Given how lousy Google's search results are nowadays, it seems pretty easy to make the switch to someone else. I've never seen a CAPTCHA using DuckDuckGo, but I imagine even Bing would be an improvement. And if for some reason you like Google's results, there's always Startpage.

Still get captchas

Like most Google products, it works so-so at best.

That's nothing...

[bistromath007]

If they were really smart, they'd just give up so they don't have to dump effort into the arms race anymore and reCAPTCHA would just secretly be a cryptocurrency mining operation.

reCAPTCHA is simply another tracker

reCAPTCHA is triggered if you take basic precaution when browsing the web, e.g. blocking unnecessary scripts, cookies, trackers, beacons, and of course ads
If you do, reCAPTCHA will force you to complete a broken AI-training job, collect your behavioral data, and monetize your labor.
It's purpose: to force you to become a PRODUCT of Google, the all-grabbing data company.

And now it's even worse.

Do not endorse reCAPTCHA. Don't put it on your website.

Google Checkmates Antiphorm

[retroworks]

This has been a war over user rights to "camouflage". Google and other ads-funded corporations have feared the "false positive", the background-running random search engine. The recent "are you human" captchas come when I'm not even running an anti-phorm, so I guess I have to prove I'm human because my searches appear to be non-sequetors to Google (though they are not, to me). x2010 http://retroworks.blogspot.com...

There goes anonymous browsing

[cfalcon]

The current "identify some bullshit" captchas can be done without javascript. This seems unlikely to have that failsafe. It will be a wad of purposefully hard to reverse engineer javascript, probably with some timing crap to make it hard to do anything with, and that will be that. It will of course ultimately end up generating telemetry.

I sound pessimistic, but this has been the direction we've been heading for some time.

Re:There goes anonymous browsing

Timing? It could be worse.

Mouse movement cadence. Path eigenmodes and entropy. OS and browser fingerprinting. Render fingerprinting. Anti-fingerprinting fingerprinting. Cross-correlation with thousands of other features Google already knows about.

The human as an autonomous and free agent is over. You're a product.

Re:There goes anonymous browsing

I'm totally fine with that. It's the free market in action. We can just boycott pages that require connections to Google in order to work properly.

Re:There goes anonymous browsing

The current "identify some bullshit" captchas can be done without javascript

I pictured a captcha image challenge where it gives you assorted piles of crap and you try to guess which ones came from a bull.

Re:There goes anonymous browsing

So...everywhere except myspace. Oh wait! even myspace uses google.

Re:There goes anonymous browsing

[jbn-o]

Perhaps this is the latest PR initiative to try to get the public to defend "invisible" spying. Google makes considerable money and maintains relationships with powerful organizations on the basis of spying. Spying is very much a part of Google's business. Google could probably use a way to get more people to (even indirectly) defend Javascript-based spying by turning the public into ignorant supporters who say things like 'We *need* this invisible reCAPTCHA' when we could actually choose to do without it.

Without knowing what the code does (and keeping up with all the changes, changes which can happen at any time) we can't confirm this code only does the job Google claims it does.

Re:There goes anonymous browsing

[Blig]

I pictured a captcha image challenge where it gives you assorted piles of crap and you try to guess which ones came from a bull.

So, would this type of captcha technically be a "crapcha"? ;-)

Re:There goes anonymous browsing

An anonymous browser by definition has no trackable browsing history, therefore Google won't be able to tell if you're a bot or not.

Re:There goes anonymous browsing

[strikethree]

If this requires javascript, then every site that uses it will lock me out.

I use noscript. I am willing to go without any information from anyone else, forever, as long as requiring a script to run is part of the deal.

Executing logic on MY computing device, is purely at my discretion. I am unsure why anyone else feels they have a right to require me to execute logic. Perhaps if they asked, I might agree, depending on the other details in the deal. If it is required up front, then they have my denial up front. There is no business to be had here.

Alternative checkbox

[Black+Parrot]

"Yes, I am a robot, but I'm not going to take your job."

Re:Alternative checkbox

[lgw]

Read this yesterday and just now got the joke. So, LOL. Never change your sig - that show was awesome.

Google digitally fingerprints everyone

They digitally fingerprint and bubble everyone's searches so honestly, they don't need reCAPTCHA. They can just tell you're human because you act like one.

Useless

[corychristison]

reCAPTCHA is useless.

There are other very reliable ways of catching automated bots. They are stupid, and make many mistakes that are easy enough to catch even without Javascript.

The real issue is firms hiring people for less than a buck an hour to spam crap. It's impossible to stop without impeding real users... so where do you draw the line?

As it is reCAPTCHA gets in the way more than it should. You're probably better off without it.

Re:Useless

reCAPTCHA is useless.

No, as another poster said: it's a great way for Google to force you to be tracked.

Most other tracking can be blocked, but not captchas.

Re:Useless

Yes you can. Simply turn away from the site that gives you the recaptcha.

Re:Useless

[Gavagai80]

Common spambots that submit contact forms are easy to catch. Advanced registration bots targeting major websites, not so easy.

The amount of paid human spam is minuscule compared to the automated kind, so it's much easier to handle manually.

Re:Useless

[arth1]

Yes you can. Simply turn away from the site that gives you the recaptcha.

That's not always so easy. I had to go through a Google captcha in order to request an RMA from a company.

Re:Useless

[corychristison]

Having been in web development for over 15 years, I can tell you there are some very reliable ways to catch any kind of form submission SPAM.

As stated, there is a point where the bots are not possible to catch, as they emulate exactly how people do it (or they are paid spammers).

You come to a point of diminishing returns, and start to irritate real users.

CAPTCHA's are a bandaid solution for lazy developers.

Re:Make Joogle ad infection/tracking impossible

Oh dear. Are you trolling yourself by your first link (to Google search)?

reCAPTCHA sucks

> The old reCAPTCHA system was pretty easy -- just a simple "I'm not a robot" checkbox would get people through your sign-up page.

Bullshit. It often made people answer stupid fucking quizzes and once Cloudflare started using it against people on VPNs you had to do it on every fucking website you visited even during the same session. It got to the point where when I saw reCAPTCHA I said "Ha ha fuck you I'm not going to your shitty web site."

A lot of technology has made life easier. Steve Jobs once urged Andy Herzog speed up the Mac startup by a few seconds saying "Imagine that multiplied by the number of people who will do this. Imagine how many human lifetimes you will save."

CAPTCHA has wasted many human lifetimes. CAPTCHA was invented by Mark D. Lillibridge, Martin Abadi, Krishna Bharat, Andrei Z. Broder; Eran Reshef, Gil Raanan and Eilon Solan. Fuck them for the many lost lifetimes and anguish and frustration they caused to so many people.

Re:reCAPTCHA sucks

[molarmass192]

I'm pretty sure you meant Hertzfeld, not Herzog in that SJ citation.

Re:reCAPTCHA sucks

Thanks. He is forever "Andy" in my mind :-)

Std. Joogle modus operandi again

See my subject: Trolling me by unidentifiable JOOGLE anonymous posts as usual, unable to prove me wrong, lol!

Don't worry - I KNOW how "your kind" is easily controlled: Remove what "your kind" craves, GOLD (ads, lol)! Yes, it's THAT easy to get you to react in such a CRAVEN manner showing your TRUE colors (shit brown/piss yellow).

* Joogle I easily best your NOT so "best & brightest" so bring on your phony PhD's or Rabbi Brin/Eric SHIT so I can dust them publicly & further HUMILIATE your sorry sad "not men" asses, ok?

As to my link? Heh - using their own engine against them is the "coup de gras" of it all, lol!

APK

P.S.=> Pitiful whimps w/ NO balls - no small wonder "your kind" has to HIDE behind anonymous posts - it's all you & yours EVER do vs. me weasels... apk

Re:Std. Joogle modus operandi again

Joogle JUDEN jews are jews who used same method as they scalped the heads of US men's cocks. To hide themselves in a mass so they aren't easily found the way the germans found them and to turn all US men into 2" clip tip nubs like jews naturally are!

Re:Std. Joogle modus operandi again

Hahahahahahaha fucking hilarious but true. Scalped hahahahaahahaha!

Re:Std. Joogle modus operandi again

Can you actually speak coherent English or at least attempt it? Your drivel of Engrishy like nonsense is giving readers a headache. Kthx bye.

Re:Std. Joogle modus operandi again

STFU Juden scalper https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54011037/ cock shaver!

Re:Std. Joogle modus operandi again

Aw! Your comment is broke. :-( Here let me help you! :-)

STFU Juden scalper https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54011037/ cock shaver!

STFU Cookie baker https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54011037/ Oranges peeler!

Fixed! No need to thank me! :-) Have a nice day! :-)

i AM THE spy

i AM THE spy
GO GO GOOGLEACHOO

Re:Most efficient way to do all that defense

APK Hosts File Engine 9.0++ SR-7 32/64-bit

Hey, Alexander: Can your host list block your incessantly spammed ads here on slashdot?

If not, you've just proven how useless it is with your own spamming. Just sayin'...

Re:hrrrm

Pardon the pun but you should be pissed at these Google scalpers for knocking your cock's block off then https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54011037/

don't expect details to pop up any time soon

[gravewax]

"don't expect details to pop up any time soon", LOL anyone else smell the bullshit here. basically with a few days of this being available you will see published tear downs of it and proposals to work around it.

Re:Most efficient way to do all that defense

Jew cock scalper ac hiding harassing apk? Skinning hide off US men's socks for you to hide is twisted https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54011037/ Native americans are pissed at whitemen for scalping! US men should be at you too. You did them much worse!

The inverse Turing Test

[goombah99]

So now we have an AI trying to decide who is the human, the inverse of the turing test. What it comes down to then is it easier to create an AI that can pass the Turing test or the inverse turing test. If it's easier for a bot to fool a bot then this AI strategy will meet it's match in another AI. On the other hand if it's easier to do the inverse turing test then this new strategy will work. I'm not really sure if it's obvious which test is harder.

Re: The inverse Turing Test

Perfect comment.

Re: The inverse Turing Test

Yeah its great. A non transparent way to make life to make life more difficult. What could possibly go wrong ?

Re:The inverse Turing Test

[modrzej]

Probably that's how it's done by Google. You just described the training stage of generative adversarial networks.

Re:The inverse Turing Test

I guess it's the "It takes one to know one" theory.

Re:The inverse Turing Test

[dj245]

So now we have an AI trying to decide who is the human, the inverse of the turing test. What it comes down to then is it easier to create an AI that can pass the Turing test or the inverse turing test. If it's easier for a bot to fool a bot then this AI strategy will meet it's match in another AI. On the other hand if it's easier to do the inverse turing test then this new strategy will work. I'm not really sure if it's obvious which test is harder.

Depends on how invasive you allow the inverse turing test to be. USB blood analyzers already exist, DNA analyzers that fit in your pocket may be built in my lifetime. (Obligatory Skynet reference.)

Wikileaks told us how.

New captcha uses you computer, phone, tablet, or TV's microphone to listen for your breathing to see if you are human :-).

Re:Wikileaks told us how.

You say in jest, but I give it five years.

Re:Wikileaks told us how.

And it will not just be audio, it will be a multitude of physical environment signatures through the entire wave spectrum and chemical analysis. It is a brave new world.

Re:Wikileaks told us how.

I'm pretty sure that's already perfectly doable on mobile devices.

Re:Wikileaks told us how.

I've never had a computer with a microphone. I know you can buy them, but why spend the extra money?

Re:BS: I blow all that Joogle crap away!

[fisted]

Fuck you and your ads.

Now now

How am I supposed to post on /r9k/?

For how long?

More detailed information on how the system works would probably also help bot-makers crack it...

...earlier than they otherwise would.

If it was just google it wouldn't be a problem

[Geeky]

Flagging you as a robot incorrectly would be less of an issue if it was just Google doing it.

Unfortunately, lots of other websites use the API. There are plenty of Wordpress plugins that add Google's recaptcha to comment forms and I've seen it elsewhere.

It could become a de-facto standard and at that point the issues - in particular for accessibility - become critical. If it's more likely to pop up if you're disabled and using things like screen readers then it's discriminatory.

If nothing else, it'll be something new to keep the EU busy with Google...

ffs

Why won't all the bad guys like GNAA and russian hackers just ddos recaptcha into hell where it belongs?

In Other Words...

Google is tracking you and logging everything you do.

Make sure your proxies aren't open, firewall

[raymorris]

> I wonder whether being behind load balanced proxy servers might have anything to do with it.
Anyone else having similar problems?

Yes, proxies correlate well to bots. Not all attempts from proxies are bots, but most attempts from bots come through proxies. Open proxies especially. Open proxies are bad anyway, so make sure your proxies aren't open. If possible, use a firewall to limit access to your proxies by IP address.

Windows Embedded POSReady

[tepples]

Windows is also a POS.

Re:Windows Embedded POSReady

[Spazmania]

Hah hah. The "it" referred to Recaptcha not Linux.

google is doing nothing new

At least 1 wordpress plugin weeds out spam without ever presenting captchas. Works pretty well too.

When a government requires solving reCAPTCHA

[tepples]

Whatever happened to you happened because the owner of the site chose to use ReCaptcha as a tool to prevent bots. You have no right to insist that a particular website cater a particular user experience to you -- if you don't like it, you can go elsewhere.

What you said applies when a private sector business in a competitive market requires solving a reCAPTCHA challenge or running other proprietary scripts as a condition of accessing a luxury. I don't find it so defensible when a private sector monopolist or even a government requires doing so as a condition of accessing a necessity, as the United States Copyright Office required last year.

BS: I blow all that Joogle crap away!

Prevention = best medicine (& what u can't touch can't hurt u) via NEW APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

Ads & malware rob speed/security/privacy

Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!

APK

P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

Can't easily boycott your government

[tepples]

We can just boycott pages that require connections to Google in order to work properly.

Until your national government requires connection to Google in order to exercise the rights of a citizen, such as submitting comments on proposed regulations. It has happened recently; see the Free Software Foundation's 2016 letter to U.S. Copyright Office.

Most efficient way to do all that defense

Prevention = best medicine (& what u can't touch can't hurt u) via NEW APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

Ads/Script & malware rob speed/security/privacy

Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

* Via what u NATIVELY have built into the IP stack in FASTER kernelmode!

APK

P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

/.ers disagree Fisted... apk

I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

his hosts program is actually pretty good by xenotransplant

I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

take a look at the APK hosts file engine by SuperKendall

APK is kinda right. I've tried his hosts file generating software. It works by bmo

I like your host file system by Karmashock

I find your hosts file admirable by vel-ex-tech

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa

* Recommended & hosted by Malwarebytes' hpHosts!

APK

P.S.=> You're outnumbered Fisted (you fake name using punk)... apk

Re:/.ers disagree Fisted... apk

[fisted]

Doesn't matter that the mentioned people allegedly fell for your ads. It doesn't stop the irony of you advertising in a more obnoxious way than the ads your crapware is alledgedly getting rid of. You are a special sort of retarded to not realize that.

Here are my demands

If you can't explain what it does, I won't use it in my projects.

Fisted? STFU fake name "ne'er-do-well"

See my subject "Fisted" you punk bitch: You're ALL talk nothing to show for yourself. I can, easily https://hardware.slashdot.org/comments.pl?sid=10345479&cid=54012361/

* Who supports ANYTHING you've EVER done (nothing) motherfucker?

The PRICE of your fuckery (trolling by unidentifiable anonymous posts OR delusional FAKE NAMES for FAKE LIVES like yours) is YOU WILL NEVER, ever, ACCOMPLISH A DAMN THING OF WORTH (& you know it - not thru lack of effort but being "damaged INFERIOR goods" losers).

Motherfucker - "your kind"? You're BORN losers... which is why most of you are HEROIN JUNKIES or on the WELFARE tit. You are, clearly, INFERIOR wastes.

Too much Bisphenol A from plastic milk cartons has turned you into BITCHES, disgusting bitches.

APK

P.S.=> Answer that question bitch - you piece of FUCKING shit bitch do-nothing WASTE of life (makes me sick to see what's coming up behind my generation, it truly does - you're FUCKING wastes on the WELFARE or HEROIN tit fuckers)... apk

Re:Fisted? STFU fake name "ne'er-do-well"

[fisted]

I generally don't care about what advertisers think or say about me, so you might as well save yourself the trouble -- I'm not even reading your ads.

That's convenient..

"If you are flagged as "suspicious" by the system, then it will display the usual challenges."
Thus giving the bot developers a clue whether they are doing it right.

Has never prevented spam.

I know a dude who spams things he doesn't like by writing a front end that displays the recaptcha challenge to a pool of people he pays via amazon mechanical turk to solve them. $10 to spam a site for a day.

This shit has always simply been about tracking users and harvesting as much data as they can.

BS FIsted - why else reply? You care

I'm no advertiser: Google is (you're probably one of their shills OR getting money from them somehow) & you DO care or you wouldn't reply.

* Funny you don't answer the question I asked you (NOT & why's that? You're a "ne'er-do-well" - period).

APK

P.S.=> Dry up & blow away - you're a "ne'er-do-well" do nothing waste of life... apk

Re:BS FIsted - why else reply? You care

[fisted]

I'm no advertiser

Then what are your posts on /., if not ads? Maybe you need a little reality check?

I give /.ers what they need/want quoted

I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

his hosts program is actually pretty good by xenotransplant

I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

APK is kinda right. I've tried his hosts file generating software. It works by bmo

I like your host file system by Karmashock

I find your hosts file admirable by vel-ex-tech

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa

* Recommended & hosted by Malwarebytes' hpHosts!

APK

P.S.=> See subject: YOU troll & do zero vs. threats "ne'er-do-well" - you did better than I? No... apk