• MehStrongBadMeh@programming.dev
    link
    fedilink
    English
    arrow-up
    186
    arrow-down
    1
    ·
    4 months ago

    There’s a reason captchas have moved mostly image identification systems. These text-based captchas have all been defeated for years.

    • ironhydroxide@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      95
      ·
      4 months ago

      Yeah because whomever “owns” the data needs humans to train their bots, not because the image based bot detection is better than other methods.

    • TheSlad@sh.itjust.works
      link
      fedilink
      arrow-up
      86
      ·
      4 months ago

      The images are not actually the captcha. They’ve used other methods and tools to verify your authenticity, then they force you to help train their image recognition AI under the guise of it being the actual captcha. Its Distributed Forced Labor, and Google has been using captchas to do this for decades. Remeber the picture-of-two-words captcha? One word was always squiggly and the other was not. The squiggly word was the real captcha, the other word was from a scanned book and you were helping to train their OCR algorithms.

      • node_user@feddit.uk
        link
        fedilink
        arrow-up
        56
        arrow-down
        1
        ·
        4 months ago

        There used to be hoardes of sites offering free downloads, quizzes, porn etc etc. You would have to solve a captcha to get through, but they were ‘stuck’ in an infinite loop. I always believed it was being used by spammers/hackers to bypass actual captcha elsewhere on the web. Its kinda genius, offloading the work to randoms looking for free stuff…

        • hinterlufer@lemmy.world
          link
          fedilink
          arrow-up
          14
          ·
          4 months ago

          I also remember services you could pay to get your captcha solved via a browser extension. You could also register as a captcha solver there to earn a few bucks stupidly solving captchas. Although I’m not sure if they were actually legit.

        • Terrasque@infosec.pub
          link
          fedilink
          arrow-up
          6
          ·
          4 months ago

          I remember back in the day this automated downloader program… the links had a limit of one download at a time and you had to solve a captcha to start each download.

          So the downloader had built in “solve other’s captcha” system, where you could build up credit.

          So when you had say 20 links to download you spent some minutes solving other’s captchas and get some credit, then the program would use that crowdsourcing to solve yours as they popped up.

      • MehStrongBadMeh@programming.dev
        link
        fedilink
        English
        arrow-up
        6
        ·
        4 months ago

        Yeah, at this point, most forms of image identification catches have also been defeated, not quite 100% success yet, but they’re getting there

    • breakingcups@lemmy.world
      link
      fedilink
      arrow-up
      22
      ·
      4 months ago

      Funnily enough, the reason they switched to those was to use the data to train machine learning (AI) models, just like Google’s recaptcha was originally pictures of words from old, scanned books so they could transcribe all of them “for free” and train their transcription algorithms.

      • antonim@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        15
        ·
        4 months ago

        Man I miss the times when Google used to trick us into helping make knowledge more easily accessible to everyone. Now we just train fucking AI for luxury cars.

    • RonSijm@programming.dev
      link
      fedilink
      arrow-up
      9
      ·
      4 months ago

      It’s a bit weird how that actually works though…

      “Which of these pictures are traffic lights?”

      I’d hope with all the self-driving-(ish) cars coming out, any AI like that should be able to identify a traffic light, right?

      • null@slrpnk.net
        link
        fedilink
        arrow-up
        30
        ·
        4 months ago

        When you “solve” a captcha like that, you’re just helping train the AI you’re talking about.

        The stuff that determines whether you’re a not or not is based on browser information, how you interact with the page, etc.

    • SkunkWorkz@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      4 months ago

      If they add audio captchas for the visual impaired then those image captchas can be circumvented. There is a Tampermonkey script on GitHub that can defeat Recaptcha by solving the audio captcha.

  • Aoife@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    154
    arrow-down
    10
    ·
    4 months ago

    Nobody mentioning it got the captcha wrong? That’s a p not a P which while admittedly a tiny mistake would still be counted as a fail

    • ulterno@lemmy.kde.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 months ago

      metalbags

      metal, semi-metal, plastic, fibre-glass.

      If you just talk about the material of the bag, yes, it is mostly metal and plastic. The costlier the stuff, the more the metal.

  • Shanedino@lemmy.world
    link
    fedilink
    arrow-up
    47
    ·
    4 months ago

    Fun fact not only to captchas monitor your input but also can analyze how you input it. If you mouse moves in a perfectly straight line if all your key presses are precisely spaced, you are probably not human.

      • Shanedino@lemmy.world
        link
        fedilink
        arrow-up
        38
        arrow-down
        2
        ·
        4 months ago

        Sure two additional cases not that bad, now just keep adding them up. Like anything security related it’s not 100% perfect you just have to make it annoying to break.

        • uis@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          Meanwhile mathematicians working on cryptography: the universe will die before you get even 10% chance of cracking encryption.

          Security by obscurity is no security.

          • FooBarrington@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            4 months ago

            No. Security through obscurity is bad security, but it’s still an additional layer. And since there’s literally no way to 100% ensure that a machine is being controlled by a human, there’s literally no other way except saying “fuck it” and not doing any security at all.

        • Mubelotix@jlai.lu
          link
          fedilink
          arrow-up
          2
          arrow-down
          3
          ·
          4 months ago

          Security by design is 100% perfect. Security by obscurity is far from it

      • dev_null@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        4 months ago

        They were used as example heuristics by Google marketing when they launched the checkbox reCaptcha. They were just simple to understand things for marketing purposes, but in reality Google checks many different signals and isn’t based on mouse movements. But people keep repeating the example from the ad.

    • Zozano@lemy.lol
      link
      fedilink
      English
      arrow-up
      7
      ·
      4 months ago

      I’m more worried about Google’s income. How can they afford to spy on me if they aren’t being paid far out the ass to host what will soon be security theatre.

      • Darkassassin07@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 months ago

        Sure; but with a simple mistake that many people would (and inevitably did in this thread) make.

        I’d say it’s at least on par with people solving them.

  • Daemon Silverstein@thelemmy.club
    link
    fedilink
    arrow-up
    33
    ·
    4 months ago

    Nowadays there are some really annoying CAPTCHAs out there, such as:

    • “Click over the figures that are upwards/downwards” and various rotated bears
    • “Rotate the figure until it matches the given orientation” and a finger pointing to some random direction, as well as rotation buttons that don’t work the way you would mathematically expect them to work
    • “Select all the images with a bicycle until there are none left” and the images take centuries to fade away after you click them
    • “Select all the squares containing a bus” and there are squares with the very corner of the bus that make you wonder if they are considered as part of “squares containing A bus”
    • “Fit the puzzle piece”, although this is the least annoying one

    In summary, the CAPTCHAs seemingly are becoming less of a “prove you’re not a robot” and more of an forced IQ test. I can see the day when CAPTCHAs will ask you to write down a Laplacian transform for the solution f(x) to the differential equation governing the motion of a mass considering the resistance of air and aerodynamics, or write down a detailed solution to the P versus NP problem.

    • fsxylo@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      28
      ·
      4 months ago

      It’s when they make you do like 20 of them. Bitch you already stopped the DDOS let me see my balance fuck.

    • AwkwardLookMonkeyPuppet@lemmy.world
      link
      fedilink
      English
      arrow-up
      25
      ·
      4 months ago

      Sony has the most annoying ones, which are designed to prevent people from submitting tickets. They’ll show you like 10 dice, and ask what they add up to. They make you solve like 16 of them before they let you continue. Shit should be illegal.

      • TachyonTele@lemm.ee
        link
        fedilink
        arrow-up
        15
        ·
        edit-2
        4 months ago

        The math ones are ridiculous.
        Guess what computers are inherently great at?
        Math.

        • AwkwardLookMonkeyPuppet@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          ·
          4 months ago

          Because they’re not there to stop computers, they’re there to stop people from getting legitimate support from a company that owes it to them.

    • chuckleslord@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      4 months ago

      No, CAPTCHAs these days track mouse movements and other factors. They make you second guess if something should be included because, as a human, that’s going to be something you do. And it’ll be obvious from both that hesitation and your squishy, inaccurate mouse movements that you’re a human.

          • Daemon Silverstein@thelemmy.club
            link
            fedilink
            arrow-up
            8
            arrow-down
            1
            ·
            4 months ago

            They can’t without the given permission from the browser to do so. While they can indeed track the mouse, when they try to access mobile motion sensors (I’m considering a CAPTCHA inside a webpage being accessed through a mobile browser such as Firefox mobile or Chrome for Android), they need to use an HTML5 API that, in turn, will ask the user for permission, something like “This site wants to use sensor motion data. Allow or block?”

    • variants@possumpat.io
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      4 months ago

      at that point i just assume im the one they are keeping out and just close the tab

      AlrightThenKeepYourSecrets.gif

  • d0ntpan1c@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    33
    ·
    4 months ago

    Honestly, I’m not mad if AI fully defeats captchas to the point they go away. They almost always fail to be usable via accessibility tools. These things might block some automated systems, but they also block people with disabilities.

    • Mubelotix@jlai.lu
      link
      fedilink
      arrow-up
      4
      ·
      4 months ago

      What will you replace them with? They won’t go away, they will just get harder

      • schnurrito@discuss.tchncs.de
        link
        fedilink
        arrow-up
        6
        ·
        4 months ago

        When I ran a public installation of web forum software (more than a decade ago), I got spambot registrations, then I think I just set up a captcha where users had to answer some really simple question; this kept the spambots away.

        • Mubelotix@jlai.lu
          link
          fedilink
          arrow-up
          4
          ·
          4 months ago

          That worked because you were not personally targeted. Someone could defeat this system if they wanted to

        • linearchaos@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          Yeah, it’s about barrier to entry. Any question will bypass dumb automation, even hard captcha is defeated by a Task Rabbit or Fiverr job to make 10 accounts and post some s#!t

          Probably at some point in the future, the automation tools they’re using will support throwing in a GPT API token. But AI calls aren’t free so maybe we’ll squeak by.

          There’s also the real possibility that if somebody is actually using AI the bot text will be good enough that nobody will know for certain it’s a bot.

  • Ahardyfellow@lemmynsfw.com
    link
    fedilink
    arrow-up
    19
    ·
    4 months ago

    Most bots out there aren’t backed by chat gpt. We had a flood of Russian boys using a sign up for on a site to send spam emails by putting the spam in the names and address fields. Slapping the most basic of captchas on the page solved it.

  • TheCookingSenpai@lemmy.ml
    link
    fedilink
    English
    arrow-up
    12
    ·
    4 months ago

    While everybody’s right in saying text captchas are outdated, there are concerning amount of services (especially for small-mid businesses) that still use them.

    Anyway, if an AI could control something like Selenium with the necessary modifications (aka not presenting itself as Selenium), I am pretty sure most of the “Click here to confirm you are an human” captchas like the cloudflare one would be defeated too.

    I think the most challenging are image-based weird challenges that are difficult even to humans. The annoying ones.

    • lengau@midwest.social
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      That’s the idea of those “which pictures contain bikes?” ones and the ReCaptcha (where you had two words from books). In the book one, one of the words is known and the other is not. They’ll present the same unknown word to people until they get a clear answer from many dozens or hundreds of entries, using the known word as a control. Then that other word goes into the known words category.