The bots can probably solve them easier than blind people anyway, or they can outsource them to third world workers for next to nothing. E.g. Anticaptcha [0]:
> Starting from 0.5USD per 1000 images, depending on your daily spending volume
It sucks more when you work in the space and take a lot of care to usability. It's not that hard most of the time.
There is no "best" version of captcha. I've worked on several large scale projects where captcha was floated and then quickly abandoned in favor of other methods like Honeypot or using other methods to weed out bots and other 3rd party agents.
If you have to use captcha the least worst are probably reCaptcha V2 and hCaptcha for accessibility.
Even renting the compute on AWS, it only costs $0.01 per minute for the equivalent of a decent desktop computer (c8g.4xlarge). While an attacker will likely either use a botnet, or hardware better suited for solving the PoW than the hardware the user is using.
Though CAPTCHAs don't really work well anymore either, since solving services are quite cheap. Recaptcha is nowadays primarily based on other factors, like IP reputation, susceptibility to google tracking, and behavioral scoring.
This isn't a defense, just an explanation... but it is also an explanation of why the entire idea of "we'll not give blind people a way past the CAPTCHA but just give a pass to 'real' blind people so we can pass ADA", which is that it should have been transparently obvious that this approach is completely infeasible and unscalable. As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.
This shouldn't have gotten deployed and then become a problem; it should have been a 5-minute diversion in the meeting where it was proposed to analyze that it's completely infeasible, and never made it to so much as the design phase, let alone the deployment phase.
If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself! The whole idea intrinsically depends on having a stronger solution to the problems CAPTCHAs are meant to solve than the CAPTCHA system itself provides... it's fundamentally a logically unsound idea.
User POV: "Wow, provider is a really shitty entity and had no respect for my legitimate problem."
Provider POV: "We get a huge number of illegitimate claims identical to legitimate ones regularly, the system would collapse if we didn't do heavy triage, the problem is the level of abuse, not a moral bankruptcy on our part."
I suppose "this is why we can't have nice things" captures some of it.
This kind of article is actually useful because it raises the risk of actual reputational damage thus encouraging companies to do more.
It's not unimaginable that just 0.001% of your users (in terms of actual humans / entities physically using your service) are fraudsters, but 99% of your signup or login attempts / interactions with your service / "I'm not a fraudster, pinky swear" support claims are fraudulent.
Scaling is not a right.
God I wish this could be plastered in letters 1000 feet high above Silicon Valley.
That's what happens when trust erodes, and why we can't have nice things.
If anyone should be more understanding and absorb the costs to appease the other, it's probably the big corp, not the little guy.
In several countries, the government issues certificates of blindness [1] which grant access to certain extra types of support. We don't want severely vision-impaired people being forced to drive, after all!
So there are legal standards for what exactly blind is, and certificates.
The question is whether tech companies are inclined to hire enough people to wrangle the paperwork involved in checking such certificates, worldwide.
[1] https://www.mass.gov/info-details/benefits-for-people-who-ar...
It is not solved.
That is at most the beginning of a solution to the problem.
And in practice, it is little more than the beginning of the problem, as the government's definition of blindness is very unlikely to be a precise match to "has problems completing our visual CAPTCHA", and if multiple governments have standards there is no chance they will match.
Do not underestimate the resilience and resourcefulness of scammers. They aren't just some individuals here and there who decide one day that they could make a couple extra bucks spamming people, and just sort of start sending out whatever scam strikes their fancy. They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system. They're thousands of people dedicating their full human-level intelligence to the task of defeating your system and extracting the value from it. They are not as easy to defeat as "let's just put the obvious certification in place", for the same reason that the CAPTCHA problem isn't solved with "Let's just issue everyone official identities".
I don't know about your country, but in my country the government is pretty keen on avoiding abuses of the benefits system. After all, a blind person gets tax breaks and cash benefits totalling about $5000/year.
So the existing system is used to dealing with financially motivated adversaries. I doubt the additional financial motivation of being able to bypass hCaptcha would mean much, in comparison.
In the USA, people are not yet required to provide identification when signing up for "free" services. There are real concerns around privacy.
A certification of blindness is exactly one of those privacy concerns, being a medical issue. You think it would be a good idea to give that private information to the criminal organizations of big tech?
Perhaps not in all cases, but it can be. This article is literally about special treatment for accessibility purposes.
It's of course debatable if this is how things should be, but that's another discussion.
In terms of CAPTCHAs being valuable – the other day I couldn’t for the life of me solve a captcha. It was one of those “Solve the implicit question in the picture” kind where it can be hard to tell what it’s even asking you to do.
So I took a screenshot and put it in chatgpt. Got it right immediately.
The real detection mechanism is that you’re moving your mouse, thinking, and generally being slower than a bot anyway. The captcha itself is just a pointless annoyance.
Audio captchas are inherently discriminatory to those with hearing issues or those that don't speak the 5 supported languages. They're also somewhat easy to solve with ASR models now. Text captchas are incredibly easy to solve with LLMs.
The only other alternative I see is some incredible tracking / surveillance machine (think an actual non-browser app that you have to run on your computer), but is that really what we want?
Every now and then Turnstile does get a little borked, but I can honestly say that I would rather just do without whatever I was trying to do than click 7 motorcycles. hCaptcha and reCAPTCHA are becoming my personal brown M&M indicator for additional bad user experiences in a given web property.
You are unfortunately describing worldcoin.
Also, at least now I know some people call those markings crosswalks.
Did you mean to say
> not everyone lives in the USA
Other things I don't have a clue about - a fire hydrant, yellow taxis, yellow buses
(Obviously I do, because of American cultural imperialism through things like Captchas which mean the world has to understand American cultural touchstones)
The service refused to acknowledge my humanity until I relented that a standpipe was a hydrant. If at some future date any of us burn to death due to an automated fire truck that misbehaved due to this, we’ll know why.
For non-bikers, a scooter has an automated gearbox and small wheels etc. Think Vespa.
In the UK at least they are generally a different category of license, although that's because of the size of a standard scooter engine.
> A scooter (motor scooter) is a motorcycle with an underbone or step-through frame, ....
Scooters are often legally motorcycles as well. For example, I had to get a motorcycle endorsement on my license for a scooter I owned, because the engine displacement was too large for the extremely restrictive "moped" category in my state.
I actually feel a fellowship with all two-wheel riders but don't let any other bikers know or I'll be shunned.
There are motorbikes with scooter-like controls, and there are scooters with motorbike-like controls. Many small automatic motorbikes feel basically identical to driving a scooter except that your sitting position is very slightly different.
I'm a big fan of two-wheeled transport in all its forms, but wow is there a prevailing toxic attitude among a large group of "true motorcycle" riders. Instead of welcoming people into the fold, it's just tribalism -- you drive a scooter, you're not a true biker; you ride a cruiser, true bikers only drive super sports; you drive an e-bike, but only loud pipes make a true rider!
Scooters are cycles that have motors, and are thus motorcycles in the most-inclusive definition of such.
Reminds me of this scene from Police Academy 3: https://www.youtube.com/watch?v=cil6HFXlccw
https://fev.se/images/18.7ea68079182e95d391364a41/1663668627...
Am I identifying the boxes wrong? Am I doing it too fast? Where do "Stairs" begin and end? Does a motorcycle include its rider? Or is Google just fucking with me and failing me on purpose?
My workplace had a period this year where captcha was put into the cashier checkout process.
Even within the United States, fire hydrants vary greatly from city to city.
I remember the first time I moved to a city that had those little squatty dark blue ones. I thought they were water main access points.
It's interesting to see so many people on HN assessing that captchas are biased toward American culture. Very frequently I get captchas that include things I don't know, and when I look them up, they turn out to be Indian in origin.
Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world, as well as realizing buses and taxis come in more colours.
If you think this is a binary America/Rest of the World problem, then you haven't visited very much of the "rest of the world" and noticed that every place is full of variations.
I think simply knowing "yellow" and "buses" would suffice.
And then there's "shuttle", I believe the US has at least one kind of thing called "shuttle" for every possible mode of transport, including orbital flight.
Etymology-wise a shuttle was a type of weaving tool which is why the verb shuttle exists, i.e. to rapidly move back and forth across a length (as if you were weaving a thread into a piece of fabric).
So then you got shuttle trains which frequently ran back and forth. And from there other types of shuttle services (shuttle buses, shuttle vans, etc).
And of course eventually the space shuttle, being intended to be a launch vehicle designed for shuttle service to and from orbit. (Side note, but technically if the SpaceX Starship actually achieves its intended sub-24h turnaround it'd be able to qualify as a shuttle, provided it ran a fixed point-to-point route on a regular basis.)
Now it's being used to push imperialism through captchas of all things?!
I feel like all the non-US or non-Western or however you want to categorize the 'rest of the world' should be striving to use free-range local culturally-appropriate captcha services if this is true.
It's easy to blame the colonizers, but what about the local artisanal websites who give the colonizers/invaders a voice by integrating their captcha services?
We really need an 'international-divorce' to put these issues to bed once and for all.
(Cue theme music in mind's ear)
#internationalisation
https://www.reddit.com/r/CasualUK/comments/12cwylk/microsoft...
Is a scooter a motorcycle, what about a pedal-and-pop, an ebike? Is the backbox (rear carrier) part of the motorcycle?
Is a single light at a junction, ahem intersection, a traffic light? Is the outer-container part of the "light"? What about the lights for pedestrians, are they part of the traffic light?
Are house steps, that don't carry you to a different storey, still stairs? Is a single step also stairs?
Are fire hydrants always red?
So, yeah, usually I just leave the website and come back to HN.
Once it showed me a picture of steps, nothing but steps. I think I marked like 15 boxes.
I have always assumed this was purposefully ambiguous. The right answer is whatever a majority of humans will answer when presented with the same picture.
Yes, it’s annoying, but that doesn’t matter to the algorithm.
That and the "fading images slowly to pretend like you have bad internet" thing. Disgusting behaviour.
I've definitely encountered captcha tarpit logins before that could never be solved until I changed VPN endpoint. I was never getting in.
Like, if a bot requests your page 1/day it's not a problem; but if they want to request it 1/ms then the proof-of-work becomes too much for them, and it's transparent to a person.
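A minimal version of the proof-of-work gate the comment above describes, as an added example that is not code from the thread: a hashcash-style SHA-256 challenge the server can verify with one hash while the client burns roughly 2^difficulty hashes. The cost model at the end uses the thread's rented-compute figure (about $0.01 per minute); the hash rate, key, client ids and difficulty are assumptions chosen for illustration.

```python
"""Hashcash-style proof of work as a rate limiter (added example, not from the thread).

Assumptions: SHA-256 over challenge:counter, difficulty expressed as required
leading zero bits, challenges bound to a client id with an HMAC tag and marked
single-use on the server so a solved challenge cannot be replayed.
"""
import hashlib
import hmac
import secrets

DIFFICULTY_BITS = 20  # about one million hashes per request on average (assumed)


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def issue_challenge(server_key: bytes, client_id: str) -> tuple:
    """Server side: return (challenge, tag). The tag lets a stateless server
    later confirm it issued this challenge to this client."""
    challenge = secrets.token_hex(16)
    msg = f"{client_id}:{challenge}".encode()
    tag = hmac.new(server_key, msg, "sha256").hexdigest()
    return challenge, tag


def solve(challenge: str, difficulty_bits: int) -> int:
    """Client side: brute-force a counter. Expected work is 2**difficulty_bits hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
        counter += 1


def verify(server_key: bytes, client_id: str, challenge: str, tag: str,
           counter: int, difficulty_bits: int, seen: set) -> bool:
    """Server side: constant-time tag check, replay check, then a single hash."""
    msg = f"{client_id}:{challenge}".encode()
    expected = hmac.new(server_key, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # not a challenge we issued to this client
    if challenge in seen:
        return False  # already spent: a solved challenge is single-use
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < difficulty_bits:
        return False
    seen.add(challenge)
    return True


def expected_hashes(difficulty_bits: int) -> int:
    """Average hashes a solver needs at the given difficulty."""
    return 2 ** difficulty_bits


def daily_cost_usd(requests_per_day: float, difficulty_bits: int,
                   hashes_per_second: float, usd_per_minute: float) -> float:
    """Compute cost for a requester at a given rate on compute rented per minute."""
    seconds = requests_per_day * expected_hashes(difficulty_bits) / hashes_per_second
    return seconds / 60 * usd_per_minute


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    spent = set()
    challenge, tag = issue_challenge(key, "constructed-client")
    counter = solve(challenge, 16)  # small difficulty so the demo finishes quickly
    print("verified:", verify(key, "constructed-client", challenge, tag, counter, 16, spent))
    print("replay rejected:", not verify(key, "constructed-client", challenge, tag, counter, 16, spent))
    # One request a day versus one a millisecond, assumed 1e6 hashes/s, $0.01/min.
    print("1/day:   $%.5f" % daily_cost_usd(1, DIFFICULTY_BITS, 1e6, 0.01))
    print("1/ms:    $%.0f" % daily_cost_usd(86_400_000, DIFFICULTY_BITS, 1e6, 0.01))
```

At 20 bits the once-a-day visitor pays well under a cent of compute, while a 1/ms requester on the same rented hardware is looking at tens of thousands of dollars per day.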
it’s pretty clear from context that ‘conoid’ means ‘like a cone’ isn’t it?
I consider myself pretty literate (I was assessed as reading at a college level by the 4th grade), and I've never heard that word.
More importantly, they can look absolutely nothing like cones.
Would you identify this as "cone like" if it wasn't for the URL? https://en.wikipedia.org/wiki/Conoid#/media/File:Pluecker-co...
The Google dictionary says it's a zoological term "approximately conical in shape".
The Wikipedia panel says "In geometry a conoid is a ruled surface, whose rulings fulfill the additional conditions: All rulings are parallel to a plane, the directrix plane. All rulings intersect a fixed line, the axis." The graphics are... nothing intuitive.
The M-W link in the search results says "a cone-shaped structure; especially : a hollow organelle shaped like a truncated cone that occurs at the anterior end of the organism".
None of this seeming relevant, I clicked on the Image tab and it's all these complicated Mathematica-style graphs of things that are very much not cones.
I see other people in the HN comments similarly have no idea.
Can you please explain what you saw on screen? What did the captcha think was a conoid...? Like, traffic cones or something?
> conoid | ˈkəʊnɔɪd | mainly Zoology adjective (also conoidal | kəʊˈnɔɪd(ə)l | ) approximately conical in shape.
> noun a conoid object: her hull was a conoid, tapering towards the bow.
The cone on the bottom spins when you have the right of way.
https://mathworld.wolfram.com/Conoid.html
So, a surface with stripes; example: https://pxhere.com/en/photo/1366651
So I guess a crosswalk (flat rectangle in 3D space), would be considered a 'ruled surface', but I don't think it meets the other requirement to make it a conoid.
Things that are shaped like cones?
Honestly, even living in the West, sometimes I feel like they expect me to have an IQ of 200 just to pass! And, I am sure I pass the Turing test without issues.
The bigger problem is when other options of a captcha fit in another cultural context.
Taxi colors are an example for that.
When I search, the whole first page of google is essentially "things that are shaped like cones", I have no idea what that would be in response to one of those image captchas that show traffic and buildings.
Not when it's your search engine that's asking you to identify conoids.
Relying on the goodwill of a small number of "never-Googlers" to carry your business, in spite of the way you do business, is not a path to success.
While hCaptcha trashes its reputation, the rest of the world will go on using reCaptcha and not giving the faintest whiff of a fart about hCaptcha's existence.
(Side note: the spelling is "intentional", not "intensional". Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").
```
ODO
It was a dilemma for me. I'd never seen anything like these creatures either.

MORA
"Seen" isn't really an appropriate description. He had no eyes per se...

ODO
I was only trying to describe it in simple terms...

MORA
(ignoring that)
He had never perceived anything like us before... go on...
```

I can pretty much guarantee that every blind person has had a condescending, patronizing douche canoe like Mora in their life at least once.
Given how we learn languages and words based upon encountering them in contexts, it makes sense that terms that we use in outwardly similar contexts reflect the subjective experience that each of us relate to those terms. We don't have access to another's subjective experience so I can see how it would encourage the assumption that we all perceive things the same way.
There might be many undetected variances in perception akin to aphantasia lurking in us waiting to be discovered.
The other problem we have is that online companies tend to be accountable to no one. Short of law suits, my friend who got banned from hCaptcha for "not being blind" has no recourse, because nobody is accountable.
We usually talk about the inclusion benefits of neutral language. It can also be valuable by making specific terms more meaningful when used appropriately. If I know you usually say "they", then when you choose to say "he" I get more information -- there's a clear gender expression. Similarly, if you usually say "observe", then when you say "see" I know we're specifically talking about vision.
Of course, it's an awkward transition. It's hard to get used to "they/them" and saying "I observed a delicious aroma" sounds like a robot impersonating a person.
I coined the term "Sapir-Whorf Stalinists" a few weeks ago to describe the sort of people who think that monkeying with language will magically make things better for marginalized groups.
Here's Lee Atwater talking about the Southern Strategy:
> You start out in 1954 by saying, “Nigger, nigger, nigger.” By 1968 you can’t say “nigger”—that hurts you, backfires. So you say stuff like, uh, forced busing, states’ rights, and all that stuff, and you’re getting so abstract. Now, you’re talking about cutting taxes, and all these things you’re talking about are totally economic things and a byproduct of them is, blacks get hurt worse than whites.… “We want to cut this,” is much more abstract than even the busing thing, uh, and a hell of a lot more abstract than “Nigger, nigger.”
Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.
Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:
- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.
- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.
It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.
Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.
On our website, without CAPTCHA we get dozens of forms filled out by bots per day. With the CAPTCHA we get 0.
So sure it may be cheap to defeat the CAPTCHA, but nobody seems to be willing to go through that small hoop to do it on our website.
Nah.
CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).
The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.
Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones: if every spam email or login guess costs even 1 penny, it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.
I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?
That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)
Start with a nominal one and increase it until the spam problem goes away.
Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it etc.
> I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.
This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.
The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:
> Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.
There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.
In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.
On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?
A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.
Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)
If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)
And, the reality of your fancy idea is that normie users would turn away if they made a mistake on the CAPTCHA and were suddenly presented with a screen "charging" them one pence.
It's an entirely different sort of system, and it would require a cordoned off section of the Internet to implement it top-down, but it's technically viable.
The defining insight here is how many orders of magnitude difference there is between the "That price is negligible" threshold for a human being, and the "That price is negligible" threshold for an automated system. Sure there are adoption issues, but for all applications where there are several orders of magnitude difference, such a system makes some degree of sense.
According to a random page on the internet [0], companies pay in the $2-$6 range per 1000 ad impressions. If one pays $0.01 to bypass captcha and just 10 people see the resulting spam post, that's already $1 per 1000 views, much less than Facebook charges. This becomes even more lucrative if the ads are expensive or there will be more than 10 people looking at the ad.
It looks like you'll want much higher costs than that, which will make it "too much" for other users.
[0] https://spideraf.com/learning-hub/what-is-the-average-cost-p...
Another outcome that I could never understand: The original conversation was micropayments for traditional print media that was moving into the digital age. Why didn't they all band together to create an industry standard that defined (and possibly administered) a micropayment system? In the end, paywalls were the solution, and winner-mostly-takes-all when print moved to digital. Look at the decline in medium to small newspapers in the last 20 years in the US. It is devastating, but a few national, major newspapers are doing OK.
And I would argue we did get those in the form of subscriptions in Patreon, Onlyfans, Buy Me A Coffee, et al, or in the co-op world of Nebula. We didn't get them down to very low fee structures because we've designed our payment infrastructure with the intent of supporting a profitable company called Visa, Inc, to which we've offloaded a number of different functions that a government mint / treasury / post office would normally perform. And because lots of revenue on these sites comes from whales, people with outsized income in a country with a great deal of wealth inequality.
What I am talking about is TINY micropayments just for human authentication purposes. Because what we've had so far in the realm of, for example, spam email, involves sending off messages at a CPM of less than a tenth of a penny. Imposing infrastructure which pegs human authentication tasks, normally performed less than ten times a day, at a CPM of ten dollars, can eliminate most applications of automated systems and eliminate the annoyance of captcha, while costing the human less than ten cents. There are no whales in the login space.
If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).
Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).
Is this a joke?
Without a definitive resolution to the continuum hypothesis there will be no efficient distributed consensus algorithm.
As long as humanity bears the mark of Original Sin, it will be hard to run a business selling GPL software.
I don't know about you but even with this cost about 90% of the physical mail I receive is junk mail.
> Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications.
Do you have a solution for transaction costs? How do you pay a penny without having to pay more than that for the transfer of funds?
The only way this makes sense is if you convert the entire planet to renewable or non-polluting electricity generation, and then when a user is on Facebook, YouTube (or watching ads!), a core or 2 of their machine/phone will "mine" crypto that can then be used somewhere else. The crypto can't be transferable; it must be "burned". Defined: when the site requests some crypto for proof, it says "send to this non-existent address" and then waits for the block to show that your wallet sent crypto to that address. This "burns" the money. In fact, a couple of cryptocurrencies tried to enforce this, as well as "proof of stake", where if you had enough coins you could "mine" by merely having your wallet "logged in." The former is called "proof of burn".
Another thing: no blockchain block publication is fast enough for this. So now we gotta rope in Lightning or some other "hack" on top. I knew when I first heard about bitcoin that there was no way that anyone was going to wait 10 minutes for any payment to go through, especially if it's under some moderate amount of money, like $20.
If anything works in the favor of email it is that email is not published. It is not necessarily very private inherently, but it is at least not a system where things get broadcast publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)
I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.
In the roughly 25 years that I've used shared webhosting to have my own domain name and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...
Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.
Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!
Not only untenable because of the privacy invasion but also because there are too many users who are willing to click on whatever for a chance to win a prize and thereby authorize use of their identity for spamming.
> approaches like Web Environment Integrity and Private Access Tokens
That stuff never works because the spammers only have to break one model of one popular device. The people proposing it are snake oil salesmen or platform companies that want to use it for lock-in, because spammers spend the resources to break the system but normal users won't put up with the inconvenience, which locks out competitors and interoperability.
> Accountability of network operators
This largely already happens. Disreputable IP blocks get banned. But then you get a botnet with users on ISPs with varying levels of willingness to do something about it and the ones that do something about it still can't do it instantaneously and some of the ones that don't care are in jurisdictions you can't control but are also too big to block.
The best solution is probably some kind of "pay something in money/cryptocurrency/proof of work to create an account" because normal users need a small number of accounts kept for long periods of time but spammers need a large number of accounts that get banned almost immediately, which is exactly the sort of asymmetric cost structure that results in a functioning system.
Well it sort of worked before we got modern AI image recognizers, but even then they had to continue making the challenges harder to keep up with the recognizer software.
Now the damn things have crossed over into the domain of "easier for a machine to solve than a human" so they're worthless for their original purpose.
Some day this luck will run out, but for larger entities that experience targeted malicious traffic it's never really been a viable approach.
What about zero knowledge proofs? Those with typical cryptocurrency wallets could leverage existing extensions. Everyone else can download an open source extension that sends the proof and an open source way to verify proofs but is unrelated to cryptocurrency. While a robustly decentralized chain like Bitcoin and Ethereum would be a good place to verify proofs, no reason a non-cryptocurrency solution can't also be available as well for the cryptocurrency-averse. And for the tech-averse, a phone number to call/text to walk the person through sending the proof via phone that would cost a tiny bit--and could also help the tech-averse with setting up an extension going forward?
There is one area where even pennies can be a barrier: DDoS.
Paying a few pennies per captcha can add up to a lot when you want to complete millions of them.
"for pennies" is a lot more expensive than 0, and that matters at scale.
Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.
If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.
Going from 0 to 100k is often "good enough" to make these things uneconomical.
So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.
And every morning my day starts with disappointment.
I had an idea about an almost-privacy-preserving system by involving government ID and blind signatures:
1. The service passes a random string to the user.
2. The user authenticates to their government and asks the government to sign it.
3. The government applies a blind signature which basically says "this user/citizen hasn't registered an account in the last 60 minutes".
4. The government records the timestamp.
5. The user passes the signature back to the service.
Upsides:
* Bypassing this would be orders of magnitude more expensive than phone numbers.
* Almost private
Downsides:
* Won't happen. Remote HW attestation is likely to win :(
* The service knows your citizenship
* The gov knows when and how often you register.
* Any gov can always bypass the limits for themselves.
I think it may be also possible to extend it so that the government attests that you have only one account on the service but without being able to find which account is yours.
Curious if phone verification would block more or less legitimate users than captchas.
> Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.
I see this point constantly made on the echo chamber that is known as HackerNews. The average normie user does not care about anonymity, nor privacy, on the Internet. They want a smooth, fun experience. The solution is secure boot plus attestation via some browser JavaScript API. If you want even less friction, users are required to register their devices with a gov't agency, then their attestation will carry more value. Really, why don't we see HN crying about the need to show a national ID (and register) when buying a mobile phone? I never once saw anyone complaining about it here. Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone. It only takes a few more terrorist assholes to close that door permanently.
I regularly (1-2x per year) buy prepaid SIMs in Canada, USA, and Japan. None of them require an ID and I often even pay cash.
I'm sure you are right that they'll eventually be requiring ID, but you are wrong to imply that these countries aren't highly developed.
Nobody else is going to step in and hold the line when it comes to digital privacy rights. It's on people like us who care. This is why organizations like EFF need to exist.
Canada maybe? [I'm 80% sure that] Public Mobile will sell you a prepaid sim card at the counter. You could pay cash, and set your caller ID to a fake name.
If we're talking about mobility plans, the identity requirement is more about the credit check they might want to do than anything else.
Mmm, very possibly because there are at least a few ways to get a phone without using any ID. I picked up a used phone about a year ago, and use Tello. Tello had 0 info on me for years, only an old UPS box that I got the card delivered to. I eventually gave them my first name so Caller ID was correct, but short of that or putting in a correct address if you want 911 support, there's no reason to need any valid info with them. They don't do credit checks, just prepay.
> The solution is secure boot plus attestation
That's the second option they presented "Closing the platform". The issue with all these options is that it consolidates power, and thanks to already partially consolidated power, any option selected will, by necessity, obligate everyone to partake, whether or not they are ok with it.
> The average normie user does not care about anonymity, nor privacy, on the Internet.
It's true that often "normies" don't care (or at least think they don't care, but that's a completely different point I don't feel like trying to make), and it's also true that often "normies" don't want the status quo changed. But often "normies" also ignore when people are kidnapped due to their heritage being revealed. Is it acceptable to actively create a hostile environment for people already disadvantaged? Do we gain something worth their safety? Who gains from this higher level of scrutiny?
If we look at the smaller web, most sites never get enough traffic to be under active threat, and passive threat is easy enough to quell using honeypot forms and questions. Maybe the "normie" internet is the problem. Passive people passively consuming. "Normies" love watching stolen content, and praise thieves for harassing anyone who points out that what they're doing is wrong. "Normies" enjoy watching someone livestream themselves flying down a highway at 100 mph over the speed limit.
I think maybe we should acknowledge that what we're defending with things like hCaptcha is not actually worth defending. Maybe the "normal" internet does need to be deprecated over "small" internet? We did pretty good before with things like Wikipedia. The "small" internet from before had a lot of chaff, but good things have grown from it, and a lot of it still exists as a "small" internet. Maybe it's ok that we have a lot of "crap content", so long as the internet can keep changing?
- I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find a general solution. Especially one that is cheap. I still hope for the least user- and ecosystem-hostile approach among the flawed approaches to win. (I guess of the ones I listed, the one that bothers me the least is having more policing of the service providers.)
- CAPTCHAs from static content are almost assuredly for anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but, an effective anti-scraping measure kind of has to work off of reputation, because getting access to a very large number of IP addresses isn't free, but it doesn't cost that much (especially if IPv6 is on the table.) I personally doubt it has much to do with server load in most cases, but maybe I am wrong.
Rather we need to recognize that they're merely instances of the same old authoritarian fallacy of more control promising better outcomes, because what increased control ends up ruining cannot be enumerated. In actuality, reducing independent autonomy stifles invention and suffocates society.
"Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.
If you are a government or bigco, accessibility is part of your baseline requirements. You must be able to say: Yes, we are accessible. Otherwise, the public will cause a stink.
So you take your list of vendors, and remove any that don't say they enable accessibility. Vendors know this and make sure they say they are.
Meanwhile, it is a hard to get right feature, only applicable to a small part of your userbase. Multiple disabilities require different affordances. No developer on the team really understands the actual requirement.
The people requiring accessibility will go somewhere else, or grumble and make do. Neither will be detected on any metrics board.
This combination promotes shelfware: Things you buy and put on a shelf somewhere but never really use.
Do I understand correctly that hCaptcha has created an accessibility problem that's denying this blind person access to all sorts of Web sites?
Is there an ADA angle here, for many customers of hCaptcha?
You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.
Explanation: I did, and within a few days bots started sending me spam using that form. I just added a trivial captcha (hardcoded '2+3=' question), but if my scale was bigger that would be untenable. Think also of PM spam, autoregistering accounts to abuse free tiers, etc.
Try having a login form without a captcha and you'll realize you are capturing 100s of users every day that require you to send out a "please confirm your email address" email for each of them for no good reason.
> They still have to respect the system they're logging in.
Your trust in people is admirable, but in my experience running anything on the internet you'll realize that intentionally or not people will bombard your system until it falls over.
There's a reason many sites still have very basic captchas...it's good enough for their use case.
Targeted attacks though? You're making your legitimate users suffer only so that you defeat 99% of bots instead of 95%.
Because it works, to some degree. It keeps away the annoying cheap bots and stupid kids. Smarter or more dedicated actors can still circumvent it, but even they are at least slowed down to some degree.
But thinking about it, maybe just putting a 20 second pause after which you have to push a button might be already good enough for all this. And every stupid bot avoiding it will get banned.
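The three cheap defences floated in this thread (the honeypot form fields mentioned earlier, the hardcoded "2+3=" question, and the 20 second pause suggested just above) can live in one server-side check. The code below is an added example, not code from any commenter; the field names, the secret, the 20 second minimum and the one hour expiry are assumptions. The pause is enforced with an HMAC-signed timestamp that the server puts in the form when rendering it, so a bot cannot simply claim it waited.

```python
import base64
import hashlib
import hmac
import secrets

FORM_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption: kept server-side)
MIN_FILL_SECONDS = 20                # the "20 second pause" from the comment
MAX_FORM_AGE_SECONDS = 3600          # assumption: a rendered form is good for one hour
HONEYPOT_FIELD = "website"           # hidden by CSS; a human never fills it, a bot usually does
QUESTION, ANSWER = "2+3=", "5"       # the hardcoded question from the earlier comment
MAC_LEN = hashlib.sha256().digest_size


def issue_form_token(now: int) -> str:
    """Server embeds this as a hidden field when it renders the form."""
    ts = str(int(now)).encode()
    mac = hmac.new(FORM_KEY, ts, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts + mac).decode()


def check_submission(form: dict, now: int):
    """Returns (accepted, reason). `form` is the posted field->value mapping."""
    try:
        raw = base64.urlsafe_b64decode(form.get("form_token", ""))
        ts_bytes, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        issued = int(ts_bytes)
    except (ValueError, TypeError):
        return False, "token malformed"
    expected = hmac.new(FORM_KEY, ts_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "token forged"            # bot minted its own timestamp
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, f"submitted after {age}s, humans take longer"
    if age > MAX_FORM_AGE_SECONDS:
        return False, "token expired"           # replaying an old, legitimately aged token
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    if form.get("captcha", "").strip() != ANSWER:
        return False, "wrong answer to " + QUESTION
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_form_token(t0)
    print(check_submission({"form_token": token, "captcha": "5"}, t0 + 25))
    print(check_submission({"form_token": token, "captcha": "5"}, t0 + 1))
```

None of this stops a targeted attacker, who only has to wait twenty seconds per request and leave one field blank; it removes the cheap, fire-and-forget bots the comments describe, which is the stated goal.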
With solving services like DeathByCaptcha and AntiCaptcha, it takes seconds to solve them. It costs something like $1.90 per 1,000 successfully solved captchas using human typers and OCR. It can easily be rolled into your code with a few lines.
If websites can't trust that their users are authentic they will probably institute even more intrusive checks.
I haven't been optimistic about the future of technology for a while now. :'(
Essentially, the manufacturer of the device + operating system will generate a unique signature per each device, and web browsers will be able to access it.
The real thing is the gating of every kind of information exchange and treatment in the hands of a few entities, that get the power to say who will participate on those activities and doing exactly what.
That is, the complete elimination of the freedom of association and initiative from our society. At least around any one of those that involve computers.
The loss of privacy is a rounding error.
From what I understood, each TPM has a unique private/public key pair (Endorsement Key (EK)), and then this key is certified by the manufacturer of the TPM.
From there, you can generate Attestation Keys, and these keys are signed by the EK.
https://security.stackexchange.com/questions/235148/whats-th...
So essentially, at the end of the day, Chromium would ask the TPM for attestation, and it would act as a unique Device ID.
Then they can allow only a selected list of TPM manufacturers' certificates, to prevent emulators for example.
TL;DR: Chromium on Linux would ask the TPM chip for a signature, and each TPM chip has a different signature from the moment it is out of the factory.
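The blind-signature registration proposal earlier in the thread (steps 1 to 5) and the EK/AK chain sketched in this comment are both "verify a signature chain" schemes; what differs is what the signer learns. The block below is an added example written for this page, not code from any commenter, hCaptcha, Chromium or a TPM vendor. It uses textbook RSA over fixed Mersenne primes so it runs offline with no dependencies; the key sizes, the one hour window, the three-key chain and the direct "AK certified under the EK" step are assumptions that simplify the comment's description (a real TPM 2.0 deployment routes AK certification through a privacy CA or credential activation, which is omitted here).

```python
import hashlib
import secrets
from math import gcd

# Textbook RSA over fixed Mersenne primes (2^k - 1 is prime for every k used
# below), so the block runs offline. Demo-size keys and no padding: real
# deployments use >= 2048-bit keys and RSA-PSS or a full-domain hash.
def rsa_keypair(k1: int, k2: int, e: int = 65537):
    p, q = (1 << k1) - 1, (1 << k2) - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def h(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(h(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h(msg, n)

def pub_bytes(pub) -> bytes:
    return repr(pub).encode()

# ---- A. the government blind-signature proposal (steps 1-5) ----------------
GOV_PUB, GOV_PRIV = rsa_keypair(127, 89)

class Government:
    """Signs blinded values, one per citizen per window; never sees the nonce."""
    def __init__(self, window_s: int = 3600):
        self.window_s, self.last_signed = window_s, {}

    def blind_sign(self, citizen: str, blinded: int, now: int):
        last = self.last_signed.get(citizen)
        if last is not None and now - last < self.window_s:
            return None                         # step 3 fails: signed too recently
        self.last_signed[citizen] = now         # step 4: record the timestamp
        n, d = GOV_PRIV
        return pow(blinded, d, n)

def user_blind(challenge: bytes):
    n, e = GOV_PUB
    r = secrets.randbelow(n)
    while r < 2 or gcd(r, n) != 1:              # blinding factor must be invertible mod n
        r = secrets.randbelow(n)
    return (h(challenge, n) * pow(r, e, n)) % n, r

def user_unblind(blind_sig: int, r: int) -> int:
    n, _ = GOV_PUB
    return (blind_sig * pow(r, -1, n)) % n

def register(gov: Government, citizen: str, now: int):
    """Returns (challenge, signature, what_the_government_saw) or None if rate-limited."""
    challenge = secrets.token_bytes(32)         # step 1: service picks a random string
    blinded, r = user_blind(challenge)          # step 2: user hides it before asking
    bs = gov.blind_sign(citizen, blinded, now)  # steps 3-4
    if bs is None:
        return None
    return challenge, user_unblind(bs, r), blinded   # step 5: user hands sig to service

# ---- B. the manufacturer -> EK -> AK chain from the TPM comment -------------
MFR_PUB, MFR_PRIV = rsa_keypair(521, 607)      # TPM vendor's CA (assumed)
EK_PUB, EK_PRIV = rsa_keypair(107, 61)         # one chip's endorsement key
AK_PUB, AK_PRIV = rsa_keypair(31, 19)          # an attestation key on that chip
EK_CERT = sign(MFR_PRIV, pub_bytes(EK_PUB))    # issued at the factory
AK_CERT = sign(EK_PRIV, pub_bytes(AK_PUB))     # simplified: AK certified directly under the EK
TRUSTED_MANUFACTURERS = {MFR_PUB}              # the allow-list that shuts out emulators

def attest(nonce: bytes) -> dict:
    """What a browser would hand a site: the chain plus a signature over the site's nonce."""
    return {"ek": EK_PUB, "ek_cert": EK_CERT, "ak": AK_PUB, "ak_cert": AK_CERT,
            "quote": sign(AK_PRIV, nonce)}

def site_verify(nonce: bytes, att: dict, trusted=TRUSTED_MANUFACTURERS):
    """Returns the stable device ID the site learns, or None if the chain is bad."""
    if not any(verify(m, pub_bytes(att["ek"]), att["ek_cert"]) for m in trusted):
        return None                             # unknown manufacturer, or an emulator
    if not verify(att["ek"], pub_bytes(att["ak"]), att["ak_cert"]):
        return None
    if not verify(att["ak"], nonce, att["quote"]):
        return None                             # quote not bound to this site's nonce
    return hashlib.sha256(pub_bytes(att["ek"])).hexdigest()[:16]
```

Run `register()` twice for the same citizen inside the hour and the second call returns None, yet the value the government signed is unrelated to the challenge the service sees, which is the "almost private" property. Run `site_verify()` for two different sites with two different nonces and both get the same sixteen hex characters back: a valid attestation is, as the comment says, a unique device ID, and every site on the allow-list can correlate on it.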
CAPTCHAs are going to get much worse before they're replaced by account paywalls or remote hardware attestation.
Audio captchas don't work for people with hearing issues and/or who don't speak your n supported languages, where n is usually <10. I've had to help people out with these over the phone, it was not fun.
Even for people for whom they do work, it's worth keeping in mind that bots can solve them by now, and so users whose activity looks too fraudulent, who are still given access to the visual captchas, have to be blocked from using the audio ones. I have also seen this happen.
Text captchas are a non-option by now, they're very easy to solve with LLMs, and the way they have to be phrased makes it impossible to align LLMs not to solve them, like you can do with the visual ones.
Google's ReCaptcha can get away with having no actual challenge for most users, blind or otherwise, but that's because they're Google, they do enough user tracking that they don't actually need a captcha. Google is the only company that can get away with this, and even for them, it doesn't work in all situations, even when the user fully trusts Google and has not adjusted any privacy preferences.
Sure, you could stop using captchas entirely, if you're fine with receiving dozens of viagra ads on every single platform each day, abolishing all "contact us" and comment forms on the internet, having a significantly higher credit card fraud rate (which translates directly to higher prices and a much worse experience for consumers), and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest. Unsurprisingly, most users are, in fact, not fine with this.
Public content on the Internet should be scrapable. That's what public means.
The fact that my reddit posts were publicly available never bothered me. Even if they were going to be used to train some LLM. What does bother me is reddit locking up my posts and making exclusive deals with Google to train Google's LLM.
Preventing scraping isn't good for the average user; it is good for the company that wants to take content created by said user, lock it up, and sell it to their buddies.
Not necessarily, especially if you want to expose some relationships in one direction while hiding the other.
Imagine your government creates a CNAM-like[1][2] system that lets you enter a phone number and see their owner, to see who is calling you and whether a number you're given is legit. However, they do not want to let you see a person's phone number just by entering their name.
If there's no captcha, an unscrupulous actor, registered in the Seychelles and unconcerned with your country's laws, can just scrape all possible phone numbers and offer a "reverse lookup" service.
In a way, the number/name records are public information, after all, the government lets you query them without authentication, but in a way they aren't, because you're only permitted to query them in a certain way.
Variations of this problem have appeared many times, particularly across Europe, usually with company numbers, property deeds and such.
"So I've been trying to sign in repeatedly to set the accessibility cookie since last night. Every time I click the submit button, I get the useless error message "an error has occurred, please try again".
My friend, who shares my roof and my static IP, got banned from hcaptcha's accessibility service last year for being too smart to be blind. And I suspect you all have banned our IP and not just his account.
For the record, my static IP address is (redacted).
See https://michaels.world/2023/11/i-was-banned-from-the-hcaptch... for his story. I have been broadcasting this to websites frequented by technically capable people: https://news.ycombinator.com/item?id=42171164 https://lobste.rs/s/qbkd0u/i_was_banned_from_hcaptcha_access...
Please let your bosses know that I plan to pursue legal action against hCaptcha and/or amplify the truth to destroy its reputation in the public square. I will also be reaching out to websites who utilize hCaptcha, letting them know that the captcha provider they employ is refusing to provide reasonable accommodations to blind people.
Whether it be with the force of law or the force of satyagraha, your bosses are going to get a message and we will win.
"Hi there, sorry to hear you're having difficulties!
We have an alternative authentication scheme that you may prefer: https://www.hcaptcha.com/accessibility
You can sign up here: https://dashboard.hcaptcha.com/signup?type=accessibility
This lets you avoid the challenge altogether after registration.
It is designed for users with any kind of difficulty solving the challenges.
Thanks for reaching out, and hope this makes your experience better."
I pass the captcha (I am not blind and not using accessibility account) and get response like
Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below. (Reference ID: 4035128747213959)
And you are given captcha again (passing which will have the same result).
reCaptcha had a similar issue, but choosing 'accessibility' would transform the captcha from visual to auditory one and passing it had no such problems.
In the end I just gave up.
These things have one job. Any time they fail to identify a human, they have failed at their job. How they go about administering the test, and (to a large extent) what the human does in response, should be irrelevant. I know that's hard, no-one said the job was easy, and the companies developing them are the ones making claims about their efficacy.
If you want to block 100% of bots, don't put your stuff on the Internet. If you want to block bots and allow humans then you're going to have false negatives. Failing to acknowledge them is dishonest.
None of which stops me filling them out when I encounter them, but I don't have to like it.