[HN Gopher] Buster: Captcha Solver for Humans
___________________________________________________________________
Buster: Captcha Solver for Humans
Author : thunderbong
Score : 59 points
Date : 2024-08-04 17:47 UTC (5 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| squigz wrote:
| > reCAPTCHA challenges remain a considerable burden on the web,
| delaying and often blocking our access to services and
| information depending on our physical and cognitive abilities,
| our social and cultural background, and the devices or networks
| we connect from.
|
| I'm a visually impaired user, and watching captchas get more and
| more hostile to people like me has been... difficult.
| throwup238 wrote:
| I imagine it's going to result in some ADA suits sooner or
| later, like when people went around suing business who didn't
| have a ramp alternative to stairs.
| mjcohen wrote:
| There seems to be quite a business with small businesses
| being sued for violating the ADA. They can pay about $10,000
| to make the lawsuit go away.
| jfengel wrote:
| I'm kinda surprised captcha still exists. It's pretty clear that
| the robots have beaten it, and when they haven't you can hire
| armies of humans for the price of a latte.
|
| Not that I want trillions of bots hitting up every resource on
| the Internet. But I don't see how to stop it at this point except
| by excluding a fair number of regular people.
| freedomben wrote:
| For big sites I agree, but for small to medium it's clear to
| me. The amount of shit thrown your way drops dramatically with
| a captcha in the way. It's enough to stop the barely interested
| scanners/attackers, which in my experience is a huge number of
| people.
| immibis wrote:
| This argument might have flown a decade ago, but our current
| economic environment is largely characterized by ignoring
| reality - creating vibes for upper management and shareholders
| is what really matters. And telling them we implemented a
| CAPTCHA solution creates that vibe.
| teeray wrote:
| > you can hire armies of humans for the price of a latte.
|
| I've heard this before, but where does one actually hire these
| humans? Mturk is the only thing that comes to mind.
| michaelt wrote:
| For example https://2captcha.com/ https://anti-captcha.com/
| https://www.capsolver.com/ https://deathbycaptcha.com/
| https://nextcaptcha.com/ seems like about $1 for 1000
| solutions
|
| I suspect these businesses do a first pass of ML in case the
| captcha is easy, before sending it to a human to be solved
| manually.
| oxymoron wrote:
| Countering advanced bits is a game of economics. Sure, we know
| that they can solve the captchas, but they usually can't do so
| for free. Eg. Typical captcha solver services are around
| $1/thousand solved. Depending on the unit economics of a
| particular bot that might be cheap or it might completely
| destroy the business model. I've definitely seen a lot of
| professionally operated bots where they invest a lot of effort
| into solving the fewest captchas possible to keep the cost
| down.
|
| That captchas are completely useless is a popular myth.
| technion wrote:
| That depends what problem you're trying to solve. I've seen web
| applications deal with someone throwing rockyou at hundreds of
| users on the logon form. This sort of large scale brute forcing
| was completely arrested by captcha, the workarounds just aren't
| worth it at the scale.
| neilv wrote:
| A separate concern I have is that Web sites running ReCaptcha
| often _require_ leaking privacy-invasive information to Google,
| in the course of using the site.
|
| Not only does Google presumably usually know exactly who you are
| when you visit that site, but even if you normally block other
| Google hidden Web trackers, you can't block the ReCaptcha
| tracker, so in some cases Google can have a very good idea of
| what you do on the site.
|
| So, while this browser extension might relieve some of the
| visible annoyance, it doesn't relieve the more insidious problem.
| lelandfe wrote:
| Users are punished if Google is unaware of them. I built an iOS
| app for a major brand but the web view would load with no
| cookies in a sandbox, and we realized after roll out that all
| users were needing to solve 10+ _hard_ CAPTCHA challenges to be
| let through, as Google was unfamiliar with the users. You'll
| get a similar experience loading over a VPN. We removed it.
|
| It's easy to why device attestation is so alluring to these
| companies. Anonymity and bots look alike.
| pennybanks wrote:
| i didnt even think of that but makes sense. valuable pov.
|
| either way im sure most people are just annoyed with the gate
| code then they are with the tracking and would take the
| cookie everytime. and i feel like this is similar to many
| things especially with google.
|
| but people just would rather just believe these companies are
| against them haha. kinda silly imo
| anonzzzies wrote:
| I encounter recaptcha a lot and often it violates the gdpr. I
| believe this to be one of the positives of the gdpr. Things
| usually go as follows:
|
| - something gets abused
|
| - a solution is needed to stop the abuse
|
| - the 'techies' implement recaptcha and they are not aware of
| the regulatory implications
|
| - it's such a small thing that it often get's overlooked in
| internal audits
|
| Google fonts from their cdn is another.
|
| Landing page Youtube videos is another but a little bit more
| well known.
|
| The user should be warned so they can decide if they want to
| give Google everything; how else would they know?
| sentientslug wrote:
| Can you elaborate on why these are violations of GDPR? I
| presume Google handles the data for EU customers in a manner
| compliant with GDPR (one would think).
| cess11 wrote:
| No, they can't, because they're covered by the CLOUD Act.
| aziaziazi wrote:
| Wouldn't GDPR compliance require to let user refuse third
| party cookies? If a user don't accept cookies I guess
| reCaptcha won't work. Do you either
|
| - block them access to your site
|
| - ask for recaptcha (use cookies so you just don't give a
| poo of their choice - illegal)
|
| - open the doors without captcha resolution (don't need
| captcha as it can be bypassed)
| anonzzzies wrote:
| Yes, but because recaptcha is often such a simple
| integration on 'some page somewhere' it is overlooked. Or
| people just think 'it is Google, they must have got it
| covered'.
| stavros wrote:
| Using reCaptcha to stop attacks might fall under
| legitimate concerns, as the site isn't using it to track
| visitors. If reCaptcha does track, that's Google breaking
| the law, not the website.
| jddj wrote:
| Another thing here is more and more creeping into the
| "legitimate purposes" category.
|
| I installed CalcNote on a new android phone today and had to
| untick "legitimate uses" for 3 vendors in several places,
| including Google and Bytedance.
|
| Felt like I needed a shower once I was finished setting it up
| with the minimal apps that I use
| Onavo wrote:
| If you want to take a look at a more professional grade tool
| (used by webscraping companies, with API access), take a look at
| NopeCha
|
| https://github.com/NopeCHALLC/nopecha-extension
| askvictor wrote:
| I've found that since switching to Firefox I get a lot more
| captchas than in Chrome or chromium.
| capitainenemo wrote:
| It's even worse if you enable Firefox's fingerprinting
| resistance. For example Drupal.org is essentially unusable with
| Firefox anti-fingerprinting (even for basic things like patch
| information). Ditto Zillow.
|
| I have to use a separate "fingerprint me" profile.
| poikroequ wrote:
| It's interesting to think, using AI to solve captcha requires
| some compute time, effectively turning captchas into proof of
| work.
___________________________________________________________________
(page generated 2024-08-04 23:00 UTC)