Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google IT Technology

'There is No Evil Like reCAPTCHA (v3)' (thestoic.me) 259

An anonymous reader shares a post: Like many things that starts out as a mere annoyance, though eventually growing into somewhat of an affliction. One particularly dark and insidious thing has more than reared its ugly head in recent years, and now far more accurately described as an epidemic disease. I'm talking about the filth that is reCAPTCHA. Yes that seemingly harmless question of "Are you a human?" Truly I wish all this called for were sarcastic puns of 'The Matrix' variety but the matter is far more serious. Google describes reCAPTCHA as: "[reCAPTCHA] is a free security service that protects your websites from spam and abuse." However, this couldn't be further from the truth, as reCAPTCHA is actually something that causes abuse. In fact, I would go so far as to say that being subjected to constant reCAPTCHAs is actually an act of human torture and disregard for a person's human right of mental comfort. The author goes on to make several points.
This discussion has been archived. No new comments can be posted.

'There is No Evil Like reCAPTCHA (v3)'

Comments Filter:
  • by QuietLagoon ( 813062 ) on Monday August 05, 2019 @03:10PM (#59046004)
    ... because of reCAPTCHA. I was not able to get past the login screen because I was presented with an endless stream of "find the..." images.

    .

    ...Google describes reCAPTCHA as: "[reCAPTCHA] is a free security service that protects your websites from spam and abuse." ...

    I wonder how much data google is syphoning from the websites that use reCAPTCHA? Does a shopping site let google know what I purchased? How do the websites pay google for that "free" security service?"

    • by tripleevenfall ( 1990004 ) on Monday August 05, 2019 @03:14PM (#59046044)

      More importantly, what language is TFS written in?

    • by Anonymous Coward on Monday August 05, 2019 @03:30PM (#59046212)

      It’s worse. So you click on “how many images include traffic lights” and are presented with a bunch of images. So did traffic light mean just the light or does it include the entire apparatus of the light. Busses? Well, shit, sailor, there’s a little bit of tire in the image. Should I click that? Captcha is a useless thing that needs to die a horrible, horrible death.

      • by Anonymous Coward on Monday August 05, 2019 @04:13PM (#59046554)

        Not only that, but try solving them if you're obscuring your identity from Google.

        You can get an endless series of them. I've spent sometimes 15-20 minutes solving captcha after captcha before giving up in disgust.

        Google is an enemy of the internet, except for those who sell their souls to Google.

      • Re: (Score:3, Interesting)

        by thegarbz ( 1787294 )

        Captcha is a useless thing that needs to die a horrible, horrible death.

        Except it isn't. Not only does it prevent bot abuse but it is also a great way to confirm a person is at the keyboard while at the same time training AI models to identify crosswalks.

        So next time the little happy [theverge.com] Google car decides to not run you over when you're crossing at a crosswalk, you can pat yourself on the back for all those times you successfully filled out a reCAPTCHA.

        • It is not my responsibility to go through hurdles in order for Google's car to not run me over. They can pay employees to do their training.

        • Re: (Score:3, Insightful)

          If what you say is true, can’t they design a CAPTCHA that only humans can solve?

          This article has it right: you’re supposed to keep failing and failing these stupid things, because it’s not to validate you, but to train AIs.

          • If what you say is true, can’t they design a CAPTCHA that only humans can solve?

            Can you show me how bots have solved it, and how it's broken?

            This article has it right: you’re supposed to keep failing and failing these stupid things, because it’s not to validate you, but to train AIs.

            The article is poorly written rubbish from a mind that I have no doubt has trouble proving it is human. I'm not sure what kind of an idiot actually fails at solving a reCAPTCHA

            Better to make use of busywork in multiple ways than to waste human effort on pointlessness. If I can train AI rather than just point out which computer generated numbers came up on the screen then we as a species are all the better for it.

            • by jenningsthecat ( 1525947 ) on Tuesday August 06, 2019 @06:57AM (#59049710)

              I'm not sure what kind of an idiot actually fails at solving a reCAPTCHA

              I'm not sure what kind of an idiot makes the statement you just made. First off, as TFA points out, (poorly written though it may be), just what in a Captcha counts as part of a sign or a storefront or whatever is often more than a little ambiguous. Second, I'm no idiot, and I have sometimes failed several Captchas in a row. Then, when I turn off NoScript for Google, and accept and don't delete Google's cookies, all of a sudden I have much less trouble passing.

              I've heard that people who are actually logged in to Google have an even easier time of it - I've never tried that. Maybe you're just in the habit of bending over for Google more frequently and reflexively than are those of us who despise reCaptcha.

        • while at the same time training AI models to identify crosswalks.

          This is reCAPTCHA (v3). Which ones of these is a red light OR a person? A dog counts, too. It really behooves you not to get this wrong, and BTW: can you hurry it UP already?

        • by Cederic ( 9623 )

          It might prevent bot abuse but it also prevents human interaction.

          I just stop trying to use sites that demand captcha these days. Online sellers have lost sales because of this, companies have lost useful feedback, I've used expensive telephone support lines because the cheap online support is locked away from me and more than one CEO has had a direct email because it was the only way I could contact the company without jumping through hoops.

          Recaptcha needs to fucking die and I'll happily go to the Google o

        • > Not only does it prevent bot abuse ...and yet Facebook, Twitter, and even Google, that all use such tools are full of 'bot accounts.

          Recatcha stops 'casual' abuse, but it doesn't stop abuse. It also stops a lot of humans, and as such, may be a poor choice for protecting your website if you value your users. The point being: using anything other than recaptcha should be your default choice. If, and only if, that ceases to work properly should you 'graduate' to more complex tests, until eventually, when n

          • On a forum I used to run I instituted my own bot-proofing, with custom topical questions that users would definitely know, but your average bot would have no clue about. Two wrong answers and you got sent to the fiery pits of the bot spam forum. That was often really amusing, as the bots registered as having successfully passed the test and proceeded to spam the hell out of each other.

            There were definitely a couple of groups which shared answer lists, because we saw different bots "successfully" answering t

      • by tlhIngan ( 30335 )

        Itâ(TM)s worse. So you click on âoehow many images include traffic lightsâ and are presented with a bunch of images. So did traffic light mean just the light or does it include the entire apparatus of the light. Busses? Well, shit, sailor, thereâ(TM)s a little bit of tire in the image. Should I click that? Captcha is a useless thing that needs to die a horrible, horrible death.

        You're supposed to click what a "traffic light" means to you. Don't try to be technical - if a "traffic light" i

        • No, the real problem is when said light includes a small bit on another panel - half the time it works, half the time it fails. I'm guessing Google is trying to determine which way to go.

          You're missing how this works.

          This is 100% driven by users. Some of the time you get extra ones to click on. Either those or the previous are the training images, where google is trying to build up a repository of correct answers. They do one with existing known answers to see if you're human, then give you a second one assuming you'll likely get most of that one right. Repeat a thousand times, and they've got a nice average of what a correct answer looks like.

          So the next time you're struggling, remember to

      • My favorite is when their image recognition fails and has the audacity to tell me I'm wrong. Telling me to select the crosswalk when it is nothing but the work "ONLY" from a turn lane. Identifying a yellow pickup truck as taxi or a delivery truck as a bus. The "SKIP" button doesn't work in these situations and forces you to select an image or refresh the puzzle.
      • by AmiMoJo ( 196126 )

        I don't think the image recognition is the primary way it validates that you are a human. I think the image recognition is only one of many checks, and not a particularly important one because I know for a fact I've failed it by selecting the wrong boxes and still passed.

        The real tests are things like how you move your mouse and any other metrics they can gain from the browser.

        That's why it fails badly with things like RDP. In RDP your remote mouse doesn't move naturally apparently. Probably only updating a

    • by mysidia ( 191772 ) on Monday August 05, 2019 @04:07PM (#59046518)

      How do the websites pay google for that "free" security service?

      Google is using them to refine their machine-based image recognition algorithms.
      They do this by providing users images, and you're supposed to identify something like
      the text or "Find all the images with Traffic lights"

      Except, the service itself is not confident in what all the correct answers will be to all
      the questions.

      Sure, you had better get a "threshold" of answers consistent with their data and the responses
      of other users to be considered a human --- but in a previous generation of Captcha you were
      improving their OCRs of scanned books, and now; given all the road questions - you're probably
      helping Google improve their self-driving cars every time you answer a Captcha asking you which
      pictures contain Stop signs, or whatever.

      • Ah, so that's why they force me to go through 10 of them.

      • >Except, the service itself is not confident in what all the correct answers will be to all
        the questions.

        That' why they're paying you (in the form of a free bot-repellant) to have your visitors do it for them in the first place, isn't it? Have every image classified by several people and you'll either have a fairly solid consensus, or be fairly certain it's an ambiguous image. It does mean that you have to be uncertain of N% of the answers, but the majority can be fairly solidly identified already, jus

    • by vix86 ( 592763 )

      I was presented with an endless stream of "find the..." images.

      I hate those ones because they don't explain it and it feels like its broke. It took me awhile to realize that you just have to keep going through the images until there aren't any more of the "object" they're looking for. One of the most obnoxious recapthas that there are.

    • I had to ditch and rebuild a firefox profile because recaptcha v3 didn't trust me. No idea what caused it, but I was completely blocked from buying games from humblebundle.com.
    • by shanen ( 462549 )

      ... because of reCAPTCHA. I was not able to get past the login screen because I was presented with an endless stream of "find the..." images.

      Actually I've seen this bug, but now I don't remember what I did to trigger it. It was clearly an infinite loop. I also saw a different kind of infinite loop that was taking it back to the top each time around. I was pretty sure it was partly due to an incorrect configuration at the website in question, though I've seen at least one of those bugs on a another website.

      However my response is just bye-bye, website. I still didn't find this story interesting, though it did produce some jokes.

  • "But now? Now? THE AVERAGE TIME IS OVER 30 SECONDS!"

    This guy is on crack
    • Or on VPN / Tor (Score:5, Informative)

      by DrYak ( 748999 ) on Monday August 05, 2019 @03:17PM (#59046074) Homepage

      This guy is on crack

      Or on VPN / Tor, etc.

      If Google (or some CDN like Cloudflare) detect your IP as being from there, they'll automatically fail you a couple of time and force you to solve 3-4 captchas instead of just one single.
      (Go on, test it !)

      (Also, most good anti-tracker will by design (obviously) disable the feature that Google relies on to detect your human-ness and/or remember you already solved a captcha on some other log-in page, and will cause you to always need a captcha on every login page.)

      TL;DR: the progressive worsening of his captcha "experience" might also be simply the symptom of him progressively using better anti-tracking technology.

      • }}} If Google (or some CDN like Cloudflare) detect your IP as being from there, {{{ --- I don't use a VPN, It's just me and my ISP. Yet I am presented with a nearly endless (for me) stream of images (I usually give up after 8 or 9 refreshes).
      • If Google (or some CDN like Cloudflare) detect your IP as being from there, they'll automatically fail you a couple of time and force you to solve 3-4 captchas instead of just one single.
        (Go on, test it !)

        Yeah, I get why Google is hostile to Tor, as privacy is their business enemy, but I do with websites would run a different CAPTCHA on their hidden services.

      • If Google (or some CDN like Cloudflare) detect your IP as being from there, they'll automatically fail you a couple of time and force you to solve 3-4 captchas instead of just one single.
        (Go on, test it !)

        They don't fail you. They simply set a far higher requirement for passing presenting both more complicated images as well as requiring you to complete it in multiple sets.

      • Re:Or on VPN / Tor (Score:5, Interesting)

        by jwhyche ( 6192 ) on Monday August 05, 2019 @07:07PM (#59047738) Homepage

        I don't. I just close the window.

        I tried to order some chicken online for a party. The order was to close to $200. Order it, pay for it, then go pick it up. When it came time to pay, the website tossed up one of these captech things. I'm not going to solve an annoying puzzle to pay you money.

        I called the business and let them know why how big my order was and why I canceled the order. The next time I tried to order the annoying puzzle was gone. The only way to be rid of this garbage is to let the people know that use it, that we will not use their services as long as it's there.

      • by Bert64 ( 520050 )

        If they detect that you're using the same IP as a large number of other users, then they will try to identify you as a unique user through the use of tracking and making you fill out captchas.
        This happens because people abuse tor and vpn services to perform nefarious activities, and google has no other way to differentiate you from these users. The same thing happens with ISPs that use CGN whereby a large number of their customers originate from the same address. I get exactly the same problem when i travel

  • by crgrace ( 220738 ) on Monday August 05, 2019 @03:14PM (#59046042)

    The point of this post, that we as individuals should not be compelled to provide free labor (or "content") to the tech giants was rather more elequontly stated by Jaron Lanier in his book "You are Not a Gadget". It's a fascinating, well written book that I would recommend to anyone interested in the effects of digital communications on society.

    In addition, I think the author of this rant would be better served by making it less "rant-y". In fact, writing "reCRAPcha" actually dilutes his or her message by going to the lowest common denominator.

    It reminds me of posts about DemoRATs or RePUKElicans that make me tune out and totally discount the author's point.

    • that we as individuals should not be compelled to provide free labor

      Except you're not providing free labour. You are directly benefiting from what you put in through a third party authenticating you as a human actor to a website.

      I would argue the opposite. Going back to identifying numbers randomly generated to prove you are human is a colossal waste of human resources that could better be spent improving something (e.g. an AI image recognition model for traffic lights).

      Just because Google's model benefits from your work does not mean you're giving them free labour.

      • Yes it does. In fact, your preceding paragraph makes that point.
  • Necessary evil (Score:5, Insightful)

    by duke_cheetah2003 ( 862933 ) on Monday August 05, 2019 @03:25PM (#59046160) Homepage

    Hey, if it wasn't for all the jackoffs building bots to create fake accounts, post spam, and all the other nefarious activities that CAPCHA's help curtail, we wouldn't need them. And they do help curtail a lot of it. All of it? Dunno.

    I'm not sure Google is going to be very forthcoming with statistics regarding the effectiveness of reCAPCHA. I'm not even sure how Google could go about quantifying it's effectiveness.

    Now, the article mentions something rather conspiracy-theory styled: Google is just doing this to train this AI's. Uhhh, no. Google is doing this to help ward off the spam and bots. It's just a bonus they can use it to train AI recognition systems too.

    I really don't think Google is turning around and selling their AI know-how to spammers/scammers to defeat their own reCAPCHA system. That's why you see things like buses, traffic lights, cross walks, etc. They're trying to improve their self-driving AI. Is that really so wrong? Kill two birds with one stone? Seems pretty efficient to me. Ward off spam, get some AI training as a payback.

    And most people don't seem to mind. I've clicked on the buses many times myself, it's not the end of the world. You see, you don't see the 'payoff' for this necessary evil, cuz the whole point is to ward off unwanted spam. If you're not seeing the effect, well, duh, that's the frickin' point.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The problem, ironically enough, are anti-tracking extensions and anti-fingerprinting protections.

      If you don't use those, Google and therefore reCAPTCHA can track your activity around the web and be fairly certain that you are not a bot and you get a simple checkbox.

      If you do use them, then Google can't tell you from a million other users, and you get the whole "identify the tiles with boats in them" stuff.

      Apple's anti-tracking and anti-fingerprinting efforts have effectively made it so that all iOS devices

      • by Bert64 ( 520050 )

        Doesn't happen to me at home, i have static addressing with ipv6...
        It happens to me a lot when mobile, as the mobile operator uses CGNAT and only supports ipv4, so my traffic originates from the same source address as thousands of other customers.

    • Re:Necessary evil (Score:4, Informative)

      by kerashi ( 917149 ) on Monday August 05, 2019 @04:24PM (#59046648)

      So much this. I ran some small web forums for years, and without reCAPTCHA or other services like it (using the default CAPTCHA that shipped with the forum software) I would get dozens of spam accounts a day. On a small site that was more a hobby than anything else, not a big presence by any means. After reCAPTCHA, I was able to take a break and not mass clean the forum of (unactivated) spam bot registrations every day. I shut down the last of those about a year ago, but I seriously doubt the problem is any better.

      • It worked until the bots figured out a way around it then it became completely useless.
        The bots don't have to necessarily be smart, Google only has so many images to feed you and once the machine learns them all the system becomes useless. They can learn them faster than you can add them.

        Small site owners need to connect with systems such as Project Honey Pot, it's really the only way to stop these guys. Yes, it requires human intervention if you are the first one hit, but relying strictly on tech means
        • by Bert64 ( 520050 )

          Project Honey Pot blocks traffic based on source address...
          Large numbers of people are stuck behind CGNAT, so all it takes is for one customer of the same ISP to perform some malicious activity or become infected with some kind of malware and every other customer gets banned too.

    • It doesn't work.
      Google is using machine learning to stop them while the machines are learning at the same time, using the same pictures. It's a cat and mouse battle of technology, except that it really isn't, it's an illusion. The bots don't have to necessarily be smart, Google only has so many images to feed you and once the machine learns them all the system becomes useless. I tried captcha, the bots broke through all the time. I required extra items such as social media links, they just added that to t
      • People not running sites and servers have no clue the mount of people trying to hack into things, it's simply staggering.

        Yup. Put up any popular forum software on a site that gets even minimal traffic and within days you'll be getting so much comment spam and bot registration it would be a full-time job to wade through it without some kind of automation.

      • by Bert64 ( 520050 )

        What does work is setting up lists for site owners to share and report bad actors, like Project Honey Pot, which are then blocked.

        So what you're doing is blocking anyone who is forced to share an IP with other users... An increasing number of users are behind CGNAT, you might have a large provider with a few million customers behind a small pool of source addresses. All it takes is for one of those users to become infected with malware and you'll get the shared address blacklisted - then all the other customers are blocked despite having done nothing wrong.

    • NPR, Planet Money, did a piece on reCaptcha recently, and they certainly report that reCaptcha was, and is, in fact used to train AI image recognition.

      https://www.npr.org/sections/m... [npr.org]

  • by Rick Schumann ( 4662797 ) on Monday August 05, 2019 @03:33PM (#59046242) Journal
    It's just a symptom of what's really wrong with the Internet in general, which is to say 'just about everything'. It's been monetized to within an millimeter of it's life, it's been turned into a surveillance system for everyone that uses it, and it attracts the very worst elements of society because it breaks the Social Contract completely: people can say or do pretty much whatever they want and there are no consequences because they're anonymous; someone can spread all the lies and hate they want and not be held accountable. 'reCaptcha' is just a reaction to all that, but it makes the innocent pay as equally as the guilty.
    • by gweihir ( 88907 )

      I pretty much agree, but I do not see any solutions. Curbing greed, the desire to spy on people, the desire to tell other what to think and how to live, etc. are either unattainable or far in the future of humanity. We have just gotten far enough that the independent thinkers (a small minority) can see what is wrong. That is a very early stage.

  • americanisms (Score:5, Interesting)

    by sjwest ( 948274 ) on Monday August 05, 2019 @03:50PM (#59046380)

    We quit using recptcha over five years ago on our websites

    When i do get challenges i often have to decode the amiricanism's crosswalk is one which means something else. Yes i vaguely know what it is but what they look like.

    The low res pictures do not help

    ps - not an american.

    • When i do get challenges i often have to decode the amiricanism's crosswalk is one which means something else. Yes i vaguely know what it is but what they look like.

      Be thankful it's not "pick all the squares with water in them" and it is a picture of a bottle of Bud Light next to what you think is an empty glass, but you can't tell because of the picture quality. Do you click all the squares? Do you click none of them!?

  • Just use a browser plugin that solves it automatically.
    • by Vrallis ( 33290 )

      "We're sorry, we've seen too much traffic coming from your network."

      The solvers use the audio version, and far too often Google just arbitrarily blocks it. I guess blind people aren't human.

  • I never bother with any site(s) that implement CrAPCHA's, but I wonder: How does it handle accessibility?

    What if I blind person needs to 'login' or whatever the CrAPCHA is blocking? Does it even come up for them? Does the 'audio' version even work (and what if the person is also deaf)?

    Seems to be this might be an easy workaround.

    • by Cederic ( 9623 )

      If you're blind and deaf then I think you're down to asking someone to help you with recaptcha.

      If you're not blind or deaf then I still recommend that approach.

  • From TFA:

    The reason that people fail reCAPTCHA v3 prompts so consistently now is because Google realised there was no punishment to forcing people to solve more of these 'human verification puzzles' and only more to gain by forcing (yes it IS forcing) people to train their AI for free.

    Seem to me revenge is best served cold: just identify anything but the damn traffic lights (or whatever), because it seems it just keeps asking until it's content that it got enough 'training' from you, so you might as wel

    • Obligatory XKCD [xkcd.com]

      Randall is always on point.

    • From TFA:

      The reason that people fail reCAPTCHA v3 prompts so consistently now is because Google realised there was no punishment to forcing people to solve more of these 'human verification puzzles' and only more to gain by forcing (yes it IS forcing) people to train their AI for free.

      Seem to me revenge is best served cold: just identify anything but the damn traffic lights (or whatever), because it seems it just keeps asking until it's content that it got enough 'training' from you, so you might as well pollute their data.

      Well, you have to identify everywhere their automatic suicide cars thinks there MIGHT be a traffic light, but isn't sure. If you select a picture it is sure about, you will fail.

  • Really pissed-off robots
  • by david.emery ( 127135 ) on Monday August 05, 2019 @04:52PM (#59046858)

    I'm in a debate right now with TIAA, who added one of those Goddamn things to their website.

    I pointed out (a) it's not an absolute guarantee of human activity, AI has defeated previous instances of this and will soon beat this one, too. (b) The TIAA website now makes me subject to -Google's terms of service- by including that. (c) If TIAA was actually serious about security, they'd add 2-factor authentication, like every other financial service I use has done.

    Their response:
    "Thank you for your email and the details you have provided. I forwarded the feedback provided to our IT department for review."

  • I was under the impression that reCAPTCHA v3 did away with the annoying-as-hell "click all the busses" type answers and uses a rating system instead. Are they using this as a fallback now?

    • I was under the impression that reCAPTCHA v3 did away with the annoying-as-hell "click all the busses" type answers and uses a rating system instead. Are they using this as a fallback now?

      They only do away with it if Google has succesfully tracked you and know exactly who you are and what you have been doing..

  • Click on all the pictures containing a male scrotum
  • This submitter labors under the self-imposed delusion that he's an articulate wordsmith; he's not. The first two strings of punctuated words masquerade as sentences; they are not sentences.

    To add injury to the insult, the hapless editor tasked with reviewing this drivel and assessing its worthiness also labors under a delusion of competency; neither is she competent. She approved this drivel as suitable for global readership; it most certainly is not suitable.

  • Anti-spam (Score:5, Interesting)

    by Jody Bruchon ( 3404363 ) on Monday August 05, 2019 @08:42PM (#59048110)
    There is a WordPress plugin called Anti-Spam. It advertises itself as "block spam, no captchas." I have never bothered to look into how it works, but it most certainly works and works extremely well. It blocks tons of spam comments with no apparent captcha of any sort for the human leaving the comment to deal with.

    If they can do it, why can't reCAPTCHA? The short answer is that they most certainly could, but that would mean not mining humans for free AI training while making them frustrated and angry.
  • The author goes on to make several points.

    Unfortunately, he is making them to his dog.

    His dog is not sure he is human.

    Fido asks him which photos have fire hydrants in them.

  • I am not familiar with any such civil or natural right. I do not see how such a right could or should exist. How would such a right be enforced? Are people to be punished for discomfiting others? Are the police going to arrest people on the basis of some other person's subjective response to stimuli? Could government even exist under such constraints? I find dealing with government offices quite uncomfortable, especially the IRS. Should I be exempted from paying income taxes because it's stressful?
  • Are they as stupid as "reCAPTCHAs is actually an act of human torture and disregard for a person's human right of mental comfort."?

The best defense against logic is ignorance.

Working...