[HN Gopher] I was banned from the hCaptcha accessibility account...
___________________________________________________________________
I was banned from the hCaptcha accessibility account for not being
blind (2023)
Author : blindgeek
Score : 319 points
Date : 2024-11-18 10:13 UTC (12 hours ago)
(HTM) web link (michaels.world)
(TXT) w3m dump (michaels.world)
| blindgeek wrote:
| The author was essentially too smart to be blind.
| yorwba wrote:
| I wonder whether talking about "looking at the javascript
| console" somehow made them think that this person cannot
| possibly be blind, since how could a blind person "see" the
| JavaScript console? (But "having my screen reader read the
| content of the JavaScript console to me" is a bit of a
| mouthful.)
| blindgeek wrote:
| You know, that's a good point, and it hadn't occurred to me.
| For the overwhelming majority of blind people, language like
| "looked at" is just metaphorical. I mean, all language is
| symbolic anyway. The map is not the territory and the menu is
| not the dinner. Some of us are taught very young to use
| common terms like look in that kind of a metaphorical way.
| Partially so that we fit in and are comfortable with the rest
| of sighted culture. And then once in a great while, we get
| condescended to for it. There's a really good example of this
| in the second season episode of DS9, _The Alternate_.
|
| ```
| ODO
| It was a dilemma for me. I'd never seen anything like
| these creatures either.
| MORA
| "Seen" isn't really an appropriate description. He had no
| eyes per se...
| ODO
| I was only trying to describe it in simple terms...
| MORA
| (ignoring that) He had never perceived anything like us
| before... go on...
| ```
|
| I can pretty much guarantee that _every_ blind person has had
| a condescending, patronizing douche canoe like Mora in their
| life at least once.
| bluGill wrote:
| Even as a sighted person, "look at" is often metamorphic -
| you can interview an expert over the phone and say you
| looked into the subject even though the only looking was
| around the phone number.
| lagadu wrote:
| When someone recommends me an album or artist I "take a
| look" at it: I listen to it. Though now that I think
| about it, I wouldn't say that in my other languages.
| pbronez wrote:
| I suppose one could say "observed" as a sense-neutral
| alternative to see / hear. Might be a worthwhile language
| shift, similar to using "they" as a gender-neutral
| alternative to "he" and "her".
|
| We usually talk about the inclusion benefits of neutral
| language. It can also be valuable by making specific terms
| more meaningful when used appropriately. If I know you
| usually say "they", then when you choose to say "he" I get
| more information -- there's a clear gender expression.
| Similarly, if you usually say "observe", then when you say
| "see" I know we're specifically talking about vision.
|
| Of course, it's an awkward transition. It's hard to get
| used to "they/them" and saying "I observed a delicious
| aroma" sounds like a robot impersonating a person.
| blindgeek wrote:
| It's notable that the majority of the people who would be
| "included" by the change to "more inclusive" language
| aren't offended in the first place. The sentence "I am
| watching TV" literally offended no blind person, evah. It
| is only sighted do-gooders who have the spoons to be
| offended by nothingburgers on our behalf. We're too busy
| dealing with stuff like, ... I dunno, landlords who
| refuse to rent to us because all they have is second
| story units and we might fall down the stairs. Yes this
| actually happened to me in 2000 or so, and I don't have
| enough faith in human intelligence to believe that it
| isn't happening today. We're too busy being oppressed by
| captchas and websites made by frontend devs who seem to
| care more about chasing JavaScript framework du jour than
| they care about accessibility. We're busy struggling
| against a built physical environment which has been
| designed for cars and not people. The supposedly non-
| inclusive language of "I watched TV" or "I looked at my
| browser's JS console" aren't even on our radar.
|
| I coined the term "Sapir-Whorf Stalinists" a few weeks
| ago to describe the sort of people who think that
| monkeying with language will magically make things better
| for marginalized groups.
|
| Here's Lee Atwater talking about the Southern Strategy:
|
| > You start out in 1954 by saying, "Nigger, nigger,
| > nigger." By 1968 you can't say "nigger"--that hurts you,
| > backfires. So you say stuff like, uh, forced busing,
| > states' rights, and all that stuff, and you're getting
| > so abstract. Now, you're talking about cutting taxes,
| > and all these things you're talking about are totally
| > economic things and a byproduct of them is, blacks get
| > hurt worse than whites.... "We want to cut this," is
| > much more abstract than even the busing thing, uh, and
| > a hell of a lot more abstract than "Nigger, nigger."
| Lerc wrote:
| This is how use of language concealed aphantasia for so
| long. When you use a word in a context similar to how
| another used it in that context there seems to be a
| presumption that the subjective experience is the same in
| that context.
|
| Given how we learn languages and words based upon
| encountering them in contexts, it makes sense that terms
| that we use in outwardly similar contexts reflect the
| subjective experience that each of us relate to those
| terms. We don't have access to another's subjective
| experience so I can see how it would encourage the
| assumption that we all perceive things the same way.
|
| There might be many undetected variances in perception akin
| to aphantasia lurking in us waiting to be discovered.
| blindgeek wrote:
| Here's the thing. We're talking about people who are the
| accessibility team for hCaptcha. They should at least
| have a figleaf of an understanding of life for blind
| people.
|
| The other problem we have is that online companies tend
| to be accountable to no one. Short of lawsuits, my
| friend who got banned from hCaptcha for "not being blind"
| has no recourse, because nobody is accountable.
| rascul wrote:
| Lawsuits are how that's solved in the physical world
| also.
| RandallBrown wrote:
| I'd bet that's exactly what happened.
| jesterswilde wrote:
| Gwahahha, succinct. I run into this far too often. Being in
| places or doing things I (blind guy) "shouldn't be", thus, am
| not blind.
| soraminazuki wrote:
| The title kind of makes it appear far less of a problem than it
| actually is, because according to the article, hCaptcha made
| multiple rude and evidence-free accusations of lying despite the
| author actually being blind.
| jerf wrote:
| Remember that from hCaptcha's point of view, by this point
| they've probably dealt with hundreds of other people claiming
| that they are blind when they really aren't, so their bots will
| work.
|
| This isn't a defense, just an explanation... but it is also an
| explanation of why the entire idea of "we'll not give blind
| people a way past the CAPTCHA but just give a pass to 'real'
| blind people so we can pass ADA", which is that it should have
| been transparently obvious that this approach is completely
| infeasible and unscalable. As big as Google, Facebook, or
| Amazon are, _they_ would struggle under the load of trying to
| create a system for determining who is "truly" blind... and
| that's still true if we ignore questions like exactly what
| "blind" is anyhow.
|
| This shouldn't have gotten deployed and then become a problem;
| it should have been a 5 minute diversion in the meeting where
| it was proposed to analyze it's completely infeasible and never
| made it to so much as the design phase, let alone the
| deployment phase.
|
| If you had a system for completely accurately identifying
| characteristics like "who is blind" in the presence of
| _extremely hostile_ attacks on the system, you'd have
| something far more valuable than the CAPTCHA system itself! The
| whole idea intrinsically depends on having a stronger solution
| to the problems CAPTCHAs are meant to solve than the CAPTCHA
| system itself provides... it's fundamentally a logically
| unsound idea.
| anotherhue wrote:
| > If you had a system for completely accurately identifying
| characteristics like "who is blind" in the presence of
| extremely hostile attacks on the system, you'd have something
| far more valuable than the CAPTCHA system itself!
|
| You are unfortunately describing worldcoin.
| KETHERCORTEX wrote:
| Worldcoin? Government issued auth service is a viable
| option too. Just get some flag like "isBlind" in it.
| Disabled status is granted by the government after all.
| Swizec wrote:
| > something far more valuable than the CAPTCHA system itself
|
| In terms of CAPTCHAs being valuable - the other day I
| couldn't for the life of me solve a captcha. It was one of
| those "Solve the implicit question in the picture" kind where
| it can be hard to tell what it's even asking you to do.
|
| So I took a screenshot and put it in chatgpt. Got it right
| immediately.
|
| The real detection mechanism is that you're moving your
| mouse, thinking, and generally being slower than a bot
| anyway. The captcha itself is just a pointless annoyance.
| Workaccount2 wrote:
| This is a problem so chronic across so many fields that I
| wish there was single term to describe it.
|
| User POV: "Wow, provider is a really shitty entity and had no
| respect for my legitimate problem."
|
| Provider POV: "We get a huge number of illegitimate claims
| identical to legitimate ones regularly, the system would
| collapse if we didn't do heavy triage, the problem is the
| level of abuse, not a moral bankruptcy on our part."
|
| I suppose "this is why we can't have nice things" captures
| some of it.
| RandomThoughts3 wrote:
| The actual problem is that Provider real POV is actually:
| "We already do the bare minimum required by the law and you
| are too insignificant to damage our reputation. It would
| actually cost our shareholders money to do more so please
| go die in silence somewhere else and stop bothering us.
| Replying to you costs us money too."
|
| This kind of article is actually useful because it raises
| the risk of actual reputational damage thus encouraging
| companies to do more.
| rwmj wrote:
| This is just an indication that their process is wrong. (Or
| in this case, their entire reason to exist is wrong.)
| cwillu wrote:
| "Moral bankruptcy" seems like a quite apt description of
| the state of affairs of being unable to afford to operate
| morally at a given level of scale.
|
| Scaling is not a right.
| danaris wrote:
| > Scaling is not a right.
|
| God I wish this could be plastered in letters 1000 feet
| high above Silicon Valley.
| account42 wrote:
| In cases like this the provider is someone I don't want to
| have any business with in the first place. I don't care how
| hard reliable CAPTCHAs are to implement and as a user I
| shouldn't have to.
| dataflow wrote:
| The problem is that this very problem also happens
| simultaneously in the reverse direction. i.e. people have
| to deal with so many awful entities screwing them over due
| to sheer self-interest, negligence, or even malice, that
| they have a hard time knowing which ones legitimately are
| trying their best and genuinely don't have a better
| solution.
|
| That's what happens when trust erodes, and why we can't
| have nice things.
|
| If anyone should be more understanding and absorb the
| costs to appease the other, it's probably the big corp, not
| the little guy.
| miki123211 wrote:
| What users don't see is that a single good actor will make,
| at most, a dozen such claims in their life, while a
| malicious one might literally make hundreds of them a day.
| The scales are different, by orders of magnitude.
|
| It's not unimaginable that just 0.001% of your users (in
| terms of actual humans / entities physically using your
| service) are fraudsters, but 99% of your signup or login
| attempts / interactions with your service / "I'm not a
| fraudster, pinky swear" support claims are fraudulent.
| michaelt wrote:
| _> As big as Google, Facebook, or Amazon are, they would
| struggle under the load of trying to create a system for
| determining who is "truly" blind... and that's still true if
| we ignore questions like exactly what "blind" is anyhow._
|
| In several countries, the government issues certificates of
| blindness [1] which grant access to certain extra types of
| support. We don't want severely vision-impaired people being
| forced to drive, after all!
|
| So there are legal standards for what exactly blind is, and
| certificates.
|
| The question is whether tech companies are inclined to hire
| enough people to wrangle the paperwork involved in checking
| such certificates, worldwide.
|
| [1] https://www.mass.gov/info-details/benefits-for-people-
| who-ar...
| inetknght wrote:
| > _So there are legal standards for what exactly blind is,
| and certificates._
|
| In the USA, people are not yet required to provide
| identification when signing up for "free" services. There
| are real concerns around privacy.
|
| A certification of blindness is exactly one of those
| privacy concerns, being a medical issue. You think it would
| be a good idea to give that private information to the
| criminal organizations of big tech?
| Scarblac wrote:
| These are already users that _want_ to let the company
| know that they are blind in order to qualify for special
| treatment. In that case showing the certificate doesn't
| seem to be much of an extra privacy issue to me.
| RobMurray wrote:
| Accessibility isn't special treatment! As I said before I
| would never provide proof of identity to simply access a
| website.
| kelnos wrote:
| > _Accessibility isn't special treatment!_
|
| Perhaps not in all cases, but it can be. This article is
| literally about special treatment for accessibility
| purposes.
|
| It's of course debatable if this is how things _should_
| be, but that's another discussion.
| soraminazuki wrote:
| Nah, it's the companies that's demanding proof over
| what's basically sane treatment rather than users wanting
| to surrender their medical info.
| jerf wrote:
| If "having a government identity" was a solution to the
| identity problem, it would be solved.
|
| It is not solved.
|
| That is at most the beginning of a solution to the problem.
|
| And in practice, it is little more than the beginning of
| the problem, as the government's definition of blindness is
| very unlikely to be a precise match to "has problems
| completing our visual CAPTCHA", and if multiple governments
| have standards there is no chance they will match.
|
| Do not underestimate the resilience and resourcefulness of
| scammers. They aren't just some individuals here and there
| who decide one day that they could make a couple extra
| bucks spamming people, and just sort of start sending out
| whatever scam strikes their fancy. They're international
| businesses with engineering teams, and a constant feed of
| low-level operatives who can scam governments about how
| blind they are if the governments leave _any_ hole in their
| system. They're thousands of people dedicating their full
| human-level intelligence to the task of defeating your
| system and extracting the value from it. They are not as
| easy to defeat as "let's just put the obvious certification
| in place", for the same reason that the CAPTCHA problem
| isn't solved with "Let's just issue everyone official
| identities".
| michaelt wrote:
| _> They're international businesses with engineering
| teams, and a constant feed of low-level operatives who
| can scam governments about how blind they are if the
| governments leave any hole in their system._
|
| I don't know about your country, but in my country the
| government is pretty keen on avoiding abuses of the
| benefits system. After all, a blind person gets tax
| breaks and cash benefits totalling about $5000/year.
|
| So the existing system is used to dealing with
| financially motivated adversaries. I doubt the additional
| financial motivation of being able to bypass hCaptcha
| would mean much, in comparison.
| gruez wrote:
| This is a moot point anyways because the Americans with
| Disabilities act bans businesses from asking people about
| their specific disabilities. Asking for proof of blindness
| will almost certainly be in contravention of that.
| RobMurray wrote:
| I am perfectly happy with having to prove that I am blind to
| get my bus pass, but if it was necessary to access a website
| I would just not use that site. Let's hope it never gets that
| bad. There's always Anticaptcha to fall back on, but I hate
| their business model.
| miki123211 wrote:
| What is your suggested alternative?
|
| Audio captchas are inherently discriminatory to those with
| hearing issues or those that don't speak the 5 supported
| languages. They're also somewhat easy to solve with ASR
| models now. Text captchas are incredibly easy to solve with
| LLMs.
|
| The only other alternative I see is some incredible tracking
| / surveillance machine (think an actual non-browser app that
| you have to run on your computer), but is that really what we
| want?
| jabroni_salad wrote:
| I'm actually pretty okay with the zero click cloudflare
| dealios and prosopo PoW captchas. You can make websites
| that simply do not have visual puzzles on them at all.
|
| Every now and then turnstile does get a little borked but I
| can honestly say that I would rather just do without
| whatever I was trying to do than click 7 motorcycles.
| Hcaptcha and recaptcha are becoming my personal brown M&M
| indicator for additional bad user experiences in a given
| web property.
| garbanz0 wrote:
| That smells illegal.
| Spivak wrote:
| This has got to be an open-and-shut lawsuit if the author wants
| to pursue it. T&C doesn't shield you from the ADA.
| lupusreal wrote:
| I hope AI stuff makes captchas completely obsolete soon. I am
| sick of them. The cure is worse than the disease.
| edm0nd wrote:
| Captchas have been obsolete for the past decade plus.
|
| With solving services like DeathByCaptcha and AntiCaptcha, it
| takes seconds to solve them. It costs something like $1.90 per
| 1,000 successfully solved captchas using human typers and OCR.
| It can easily be rolled into your code with a few lines.
| jeroenhd wrote:
| AI stuff is why CAPTCHAs exist. It's also why they've gotten so
| much worse the last few years.
|
| CAPTCHAs are going to get much worse before they're replaced by
| account paywalls or remote hardware attestation.
| exe34 wrote:
| AI are already much better at them than I am.
| xdennis wrote:
| But surely, it's only going to get worse: it will force the de-
| anonymization of the internet. You already have to provide a
| phone number for many services.
|
| If websites can't trust that their users are authentic they
| will probably institute even more intrusive checks.
|
| I haven't been optimistic about the future of technology for a
| while now. :'(
| rvnx wrote:
| In the future I think we will again go to
| "notarization"/"attestation" of the operating system /
| hardware.
|
| Essentially, the manufacturer of the device + operating
| system will generate a unique signature per each device, and
| web browsers will be able to access it.
|
| https://en.wikipedia.org/wiki/Web_Environment_Integrity
| slooonz wrote:
| How does that work for, say, Chromium or Firefox on Linux?
| rvnx wrote:
| I believe the plan was to ask the TPM of the computer.
|
| From what I understood, each TPM has a unique
| private/public key pair (Endorsement Key (EK)), and then
| this key is certified by the manufacturer of the TPM.
|
| From there, you can generate Attestation Keys, and
| these keys are signed by the EK.
|
| https://security.stackexchange.com/questions/235148/whats
| -th...
|
| So essentially, at the end of the day, Chromium would ask
| the TPM for attestation, and it would act as a unique
| Device ID.
|
| Then they can allow only a selected list of TPM
| manufacturers certificates, to prevent emulators for
| example.
|
| TL;DR: Chromium on Linux would ask the TPM chip for a
| signature, and each TPM chip has a different signature
| from the moment it is out of the factory.
| spacebanana7 wrote:
| I'm very grateful the WEI proposals were put down. It'd
| have an enormous privacy impact on normal users, and not
| give that much protection against bad actors using device
| farms & similar tools.
| blindgeek wrote:
| But the WEI proposals were never about protecting from
| bad actors with device farms. They were always about
| guaranteeing that a certain ad company who also makes
| browsers can always push ads to users, thus maximizing
| value for shareholders. Protecting from device farms was
| just the bait.
| marcosdumay wrote:
| Oh, the really bad part of WEI is not the privacy impact.
|
| The real thing is the gating of every kind of information
| exchange and treatment in the hands of a few entities,
| that get the power to say who will participate on those
| activities and doing exactly what.
|
| That is, the complete elimination of the freedom of
| association and initiative from our society. At least
| around any one of those that involve computers.
|
| The loss of privacy is a rounding error.
| remram wrote:
| CAPTCHAs already don't work. If they are not annoying enough to
| turn your customers away, they are very easy for an attacker to
| pay people to solve.
| Rastonbury wrote:
| Some captchas are getting pretty discriminatory, not everyone
| lives in the West and can identify the objects they are asking
| you to. Another recent one sticks out where they asked me to pick
| a shape as the same number of conoids on screen. If you ask
| people on a street what a conoid is, I bet a significant amount will
| give you blank looks
|
| Also at least now I know some people call those markings
| crosswalks
| ta1243 wrote:
| Sorry I live in the west, what's a "crosswalk"
|
| Did you mean to say
|
| > not everyone lives in the USA
|
| Other things I don't have a clue about - a fire hydrant, yellow
| taxis, yellow buses
|
| (Obviously I do, because of American cultural imperialism
| through things like Captchas which mean the world has to
| understand American cultural touchstones)
| slater wrote:
| Please enter your five-digit ZIP code
| bux93 wrote:
| 90210
|
| (Cue theme music in mind's ear)
| thebruce87m wrote:
| That's my zip code too, along with millions of others who
| live outside the US. Haven't needed to use it for a
| while.
| dkdbejwi383 wrote:
| Mandatory "state" field on forms - if it allows any string
| I usually enter "mostly liquid"
| OptionOfT wrote:
| For me it is "constant despair".
| croisillon wrote:
| did you know that the ZIP code for both Paris Texas and
| Paris France start with 75xxx
| KETHERCORTEX wrote:
| Well, France doesn't have Zone Improvement Plan codes. It
| is somewhat annoying to fill forms on websites with "ZIP
| code" in them for people outside US. They aren't called
| this way anywhere else (except for one or two countries).
| ta1243 wrote:
| Which you can then compress into a postcode file
|
| #internationalisation
|
| https://www.reddit.com/r/CasualUK/comments/12cwylk/microsof
| t...
| alex7o wrote:
| SE1 9QN is my postcode what 5 number?
| nmeofthestate wrote:
| Don't have a cow dude.
| zeroonetwothree wrote:
| Ah yes those American imperialists with their cultural
| touchstones of fire hydrants. Why are they always forcing
| those fire hydrants into other cultures.
| Symbiote wrote:
| In many countries fire hydrants are underground, under an
| iron or concrete cover. There's very little to see on the
| street.
|
| There might or might not be a sign marking the location.
|
| Sweden: https://commons.wikimedia.org/wiki/Category:Fire_hy
| drants_in...
|
| UK: https://commons.wikimedia.org/wiki/Category:Fire_hydran
| ts_in...
|
| It's also not necessarily relevant to worry about blocking
| one when parking a car.
| pbhjpbhj wrote:
| Most UK hydrants are at junctions where it's already
| illegal to park... come to think of it, I think USA ones
| are maybe mostly at junctions (in the media I've seen)?
| Are you allowed to park at junctions in USA?
| Symbiote wrote:
| Maybe the standard international signs are more easily
| recognised by machines anyway, but if not it will be
| interesting when Google and others start needing Captcha
| help.
|
| Americans will need to learn what speed limit, parking
| prohibition and pedestrian crossing signs look like in the
| rest of the world, as well as realizing buses and taxis come
| in more colours.
| reaperducer wrote:
| _Americans will need to learn what speed limit, parking
| prohibition and pedestrian crossing signs look like in the
| rest of the world_
|
| If you think this is a binary America/Rest of the World
| problem, then you haven't visited very much of the "rest of
| the world" and noticed that every place is full of
| variations.
| jstanley wrote:
| You don't think you could identify yellow buses without
| cultural knowledge?
|
| I think simply knowing "yellow" and "buses" would suffice.
| dkdbejwi383 wrote:
| It's hard to really say objectively, as the strange yellow
| American school bus is kind of an iconic image - perhaps
| because it looks so different to a regular public transport
| bus as seen around the rest of the world.
| itishappy wrote:
| Does DHL deliver via yellow busses?
| wccrawford wrote:
| Does anyone deliver anything except people via "busses"?
| ta1243 wrote:
| Well yes, how else do you get the mail?
| Toorkit wrote:
| Those are called Vans.
| TeMPOraL wrote:
| In the US.
|
| And then there's "shuttle", I believe the US has at least
| one kind of thing called "shuttle" for every possible
| mode of transport, including orbital flight.
| itishappy wrote:
| Oh, vans! Of course, who could mistake those?
|
| https://en.wikipedia.org/wiki/Brake_van
|
| https://en.wikipedia.org/wiki/General_utility_van
| lostlogin wrote:
| Despite the name, you can't deliver people over the
| Universal Serial Bus.
| pbhjpbhj wrote:
| Don't they have postbuses in some countries that do all
| types of delivery including people and mail, alpenhorns
| and cheese and that kinda thing??
| RobMurray wrote:
| And audio Captchas are in English. I suppose blind people who
| don't speak English or have any kind of hearing difficulty
| don't deserve accessibility.
| smitelli wrote:
| I distinctly remember a captcha which asked me to identify
| fire hydrants. Some of the pictures were hydrants, while
| others were standpipes. These are different things, and I
| answered accordingly.
|
| The service refused to acknowledge my humanity until I
| relented that a standpipe was a hydrant. If at some future
| date any of us burn to death due to an automated fire truck
| that misbehaved due to this, we'll know why.
| seanhunter wrote:
| Yup - I recognize this problem. I am a motorcyclist and I
| frequently have to grit my teeth and misidentify scooters
| as motorcycles if I want to get past captcha.
|
| For non-bikers, a scooter has an automated gearbox and
| small wheels etc. Think vespa.
|
| In the UK at least they are generally a different category
| of license, although that's because of the size of a
| standard scooter engine.
| jachee wrote:
| It's a squares/rectangles issue.
|
| Scooters are cycles that have motors, and are thus
| motorcycles in the most-inclusive definition of such.
| TeMPOraL wrote:
| FWIW, I went out looking for a better category (something
| more like "two-wheeler" but without the engine), and
| discovered that Wikipedia _actually agrees that scooters
| are motorcycles_.
| bredren wrote:
| Scooters are arguably more like traditional motorcycles
| than ebikes.
|
| Reminds me of this scene from Police Academy 3:
| https://www.youtube.com/watch?v=cil6HFXlccw
| arcanemachiner wrote:
| My rationale is that they're teaching cars what things
| they shouldn't drive into, so I'm pretty liberal with
| what constitutes a motorcycle, including the person on
| top.
| gsk22 wrote:
| Except scooters are literally motorcycles? From
| Wikipedia:
|
| > A scooter (motor scooter) is a motorcycle with an
| underbone or step-through frame, ....
|
| Scooters are often legally motorcycles as well. For
| example, I had to get a motorcycle endorsement on my
| license for a scooter I owned, because the engine
| displacement was too large for the extremely restrictive
| "moped" category in my state.
| andrewflnr wrote:
| They're not really considered as such by motorcycle
| people, for decent reasons too. Scooters generally have
| rather different ergonomics and controls, notably CVTs
| rather than manual transmissions for "proper"
| motorcycles. Overall a pretty different experience to
| ride. There's not really a good umbrella term, either,
| though.
| jeltz wrote:
| Fire hydrants in my country are virtually always in the
| ground covered by a steel lid. The only reason I know the
| answer is American popular culture.
|
| https://fev.se/images/18.7ea68079182e95d391364a41/166366862
| 7...
| mapt wrote:
| Unfortunately, even understanding these things, on a shared
| connection it might take you literally two or three minutes
| of captcha work before Google recognizes your personhood.
|
| Am I identifying the boxes wrong? Am I doing it too fast?
| Where do "Stairs" begin and end? Does a motorcycle include
| its rider? Or is Google just fucking with me and failing me
| on purpose?
|
| My workplace had a period this year where captcha was put
| into the cashier checkout process.
| danaris wrote:
| And while it's not quite the same kind of CAPTCHA, I've not
| infrequently run into Cloudflare "prove you're human"
| screens that just...never let me through. I click the box,
| it loads for a second, turns into a nice checkmark, and
| then...reloads the "prove you're human" page. Infinite loop
| (as far as I can tell, anyway, not having infinite time).
| alwayslikethis wrote:
| Firefox RFP? That sometimes does it
| wing-_-nuts wrote:
| I forget what extension was doing this for me, but I
| _think_ this was down to an extension blocking autoload
| /play. Try disabling your extensions down to ublock and
| slowly adding them back.
| reaperducer wrote:
| _Other things I don't have a clue about - a fire hydrant_
|
| Even within the United States, fire hydrants vary greatly
| from city to city.
|
| I remember the first time I moved to a city that had those
| little squatty dark blue ones. I thought they were water main
| access points.
|
| It's interesting to see so many people on HN assessing that
| captchas are biased toward American culture. Very frequently
| I get captchas that include things I don't know, and when I
| look them up, they turn out to be Indian in origin.
| pbhjpbhj wrote:
| Is a coach a bus? Honestly, I'm not sure what makes them
| different, if you pressed me I think I'd say a coach has
| luggage compartments underneath. A UK coach is not a bus...
| although Megabus run mostly coaches, and Stagecoach run
| mostly buses.
|
| Is a scooter a motorcycle, what about a pedal-and-pop, an
| ebike? Is the backbox (rear carrier) part of the motorcycle?
|
| Is a single light at a junction, ahem intersection, a traffic
| light? Is the outer-container part of the "light"? What about
| the lights for pedestrians, are they part of the traffic
| light?
|
| Are house steps, that don't carry you to a different storey,
| still stairs? Is a single step also stairs?
|
| Are fire hydrants always red?
|
| So, yeah, usually I just leave the website and come back to
| HN.
| joveian wrote:
| Also, if you use a larger minimum font size often the text
| describing the thing you are supposed to select is under the
| image and unreadable. With hCaptcha it varies depending on the
| size of the popup window with the captcha and Google seems to
| reliably show just the top (barely enough to figure it out most
| of the time).
| croes wrote:
| But on the internet the answer to "what is a conoid" is just a
| web search away.
|
| The bigger problem is when other options of a captcha fit in
| another cultural context.
|
| Taxi colors are an example for that.
| Suppafly wrote:
| >But on the internet the answer to "what is a conoid" is
| just a web search away.
|
| When I search, the whole first page of google is essentially
| "things that are shaped like cones", I have no idea what that
| would be in response to one of those image captchas that show
| traffic and buildings.
| rovr138 wrote:
| > A conoid is a ruled surface whose rulings are parallel to a
| plane (called the directrix plane) and intersect a fixed line
| (called the axis of the conoid) (Gellert et al. 1989, p.
| 202). Examples include the circular conoid, helicoid,
| hyperbolic paraboloid, parabolic conoid, Plücker conoid,
| right circular conoid, Wallis's conical edge, Whitney
| umbrella, and Zindler conoid. If the axis is perpendicular to
| the directrix plane, the conoid is called a right conoid
| (Gray et al. 2006, p. 436).
|
| https://mathworld.wolfram.com/Conoid.html
| gus_massa wrote:
| I got mathematical surfaces like
| https://en.wikipedia.org/wiki/Conoid To get the correct image
| I had to search _conoid street_. Anyway, I guessed they were
| those red cone shaped things that people put on the street
| and I'm not sure how they are called even in Spanish (probably
| _conos_ or _balizas_).
| TeMPOraL wrote:
| > _But on the internet the answer to "what is a conoid" is
| just a web search away._
|
| Not when it's your search engine that's asking you to
| identify conoids.
| Aardwolf wrote:
| Also asking things about US traffic signs or markings in
| countries with different looking traffic signs
| dizhn wrote:
| I routinely have problems with closeup images. To this day I
| don't know how much of the object I should be selecting? Also
| what is a traffic light? Is the pole part of it or not?
| Motorcycles seem to be hard too.
|
| Once it showed me a picture of steps nothing but steps. I think
| I marked like 15 boxes.
| Wowfunhappy wrote:
| > To this day I don't know how much of the object I should be
| selecting? Also what is a traffic light? Is the pole part of
| it or not? Motorcycles seem to be hard too.
|
| I have always assumed this was purposefully ambiguous. The
| right answer is whatever a majority of humans will answer
| when presented with the same picture.
| sml156 wrote:
| I don't think the majority of people on earth would base
| all their captchas on things only found in America
| layer8 wrote:
| The majority of people will still cluster around the same
| best guesses, and that's all that matters to the
| algorithm.
|
| Yes, it's annoying, but that doesn't matter to the
| algorithm.
| andrepd wrote:
| If you think you're failing the captchas because you're doing
| them wrong, think again. Google captcha _intentionally_ fails
| you a couple times if they don't have enough tracking info
| to determine that you're legit. So you solve the captcha
| correctly but are still lied to that "you've failed to solve
| the captcha, try again".
|
| That and the "fading images slowly to pretend like you have
| bad internet" thing. Disgusting behaviour
| oniony wrote:
| Maybe they purposely load the images slowly to make it more
| expensive for the bot owners.
| reginald78 wrote:
| Also just catches people they think might be bots.
|
| I've definitely encountered captcha tarpit logins before
| that could never be solved until I changed VPN endpoint.
| I was never getting in.
| lesuorac wrote:
| I kinda don't understand why we still have captchas.
| We've solved the asymmetric problem with proof-of-work;
| just make somebody solve something trivial so they spend
| more resources than you do.
|
| Like if a bot requests your page 1/day it's not a problem;
| but if they want to request it 1/ms then the proof-of-
| work becomes too much for them and it's transparent to a
| person.
| dizhn wrote:
| It might be an incentive to make people stay logged into
| their accounts. This wouldn't be the whole reason but I am
| sure it's part of it. I used another laptop with a VPN
| for a few days and what used to be smooth experiences
| turned into a shit ton of "log in to prove you're not a
| robot". Both Reddit and Youtube did this.
| andrepd wrote:
| They don't. They load the images and then have js to fade
| them slooooowly. It's pernicious precisely because of
| that: its purpose is to annoy humans while being
| completely useless to thwart bots.
| jrockway wrote:
| I'm never that consistent and usually get through. I think
| they are looking at things like mouse acceleration,
| smoothness, etc. rather than the actual answer to the
| questions.
| layer8 wrote:
| They don't let you pass if you don't answer roughly
| correctly.
| Suppafly wrote:
| >conoids
|
| Things that are shaped like cones?
| bityard wrote:
| I have lived in the West my whole life, and am reasonably well
| educated, and have never heard the word conoids in my life.
| mock-possum wrote:
| Sure, but you can imagine pretty easily what a 'conoid' would
| be, right? 'Sphereoid' would be something sphere-like,
| 'mongoloid' is something mongol-like, 'freakazoid' is
| something freaky...
|
| it's pretty clear from context that 'conoid' means 'like a
| cone' isn't it?
| TylerE wrote:
| But is it a geometrical cone, a conifer tree like thing, a
| pseudo-control device, or what.
|
| I consider myself pretty literate (I was assessed as
| reading at a college level by the 4th grade), and I've
| never heard that word.
|
| More importantly, they can look _absolutely nothing like
| cones_.
|
| Would you identify this as "cone like" if it wasn't for the
| URL?
| https://en.wikipedia.org/wiki/Conoid#/media/File:Pluecker-
| co...
| jillyboel wrote:
| I live in "the West" but English isn't my main language. I have
| no idea what a conoid is.
| rovr138 wrote:
| > A conoid is a ruled surface whose rulings are parallel to a
| plane (called the directrix plane) and intersect a fixed line
| (called the axis of the conoid) (Gellert et al. 1989, p.
| 202). Examples include the circular conoid, helicoid,
| hyperbolic paraboloid, parabolic conoid, Plücker conoid,
| right circular conoid, Wallis's conical edge, Whitney
| umbrella, and Zindler conoid. If the axis is perpendicular to
| the directrix plane, the conoid is called a right conoid
| (Gray et al. 2006, p. 436).
|
| https://mathworld.wolfram.com/Conoid.html
|
| so, a surface with stripes - example
| https://pxhere.com/en/photo/1366651
| BenjiWiebe wrote:
| I live in the US, English is my only language. I could
| probably guess what a conoid is, but I don't actually know
| (until reading these comments).
| wing-_-nuts wrote:
| I've just resorted to flipping over to the audio captcha. Yes,
| solving the first one takes more time, but you pretty much get
| it right the first time and you're not wasting your life
| wondering if 2cm of a fire hydrant is enough to label a square
| as having a fire hydrant.
| crazygringo wrote:
| I am Googling "conoid" right now and I still can't even imagine
| what it's supposed to be.
|
| The Google dictionary says it's a _zoological_ term
| "approximately conical in shape".
|
| The Wikipedia panel says "In geometry a conoid is a ruled
| surface, whose rulings fulfill the additional conditions: All
| rulings are parallel to a plane, the directrix plane. All
| rulings intersect a fixed line, the axis." The graphics are...
| nothing intuitive.
|
| The M-W link in the search results says "a cone-shaped
| structure; especially : a hollow organelle shaped like a
| truncated cone that occurs at the anterior end of the
| organism".
|
| None of this seeming relevant, I clicked on the Image tab and
| it's all these complicated Mathematica-style graphs of things
| that are very much _not_ cones.
|
| I see other people in the HN comments similarly have no idea.
|
| Can you please explain what you saw on screen? What did the
| captcha think was a conoid...? Like, traffic cones or
| something?
| ayewo wrote:
| Using the touch pad to long-press on the text "conoid" in my
| browser brought up the built-in dictionary definition on
| macOS:
|
| > conoid | ˈkəʊnɔɪd | mainly Zoology adjective (also conoidal
| | kəʊˈnɔɪd(ə)l | ) approximately conical in shape.
|
| > noun a conoid object: her hull was a conoid, tapering
| towards the bow.
| recursive wrote:
| Yeah, that's the zoological definition again.
| wslh wrote:
| > Some captchas are getting pretty discriminatory, not everyone
| lives in the West and can identify the objects they are asking
| you to.
|
| Honestly, even living in the West, sometimes I feel like they
| expect me to have an IQ of 200 just to pass! And, I am sure I
| pass the Turing test without issues.
| sundarurfriend wrote:
| Avoiding this is what made hCaptcha popular among a lot of
| users in the first place. reCaptcha has always been guilty of
| this, and it doesn't seem like they're taking any steps to
| improve this US-centred definition of humanity. hCaptcha gave
| much more general and neutral puzzles that made a lot of people
| (including me) give a sigh of relief when they encountered a
| CAPTCHA and it was h and not re.
| RobMurray wrote:
| recaptcha audio challenge is just a few words (in English)
| that you have to enter. Might be easier in some
| circumstances? You can press CTRL to repeat the audio.
| gopher_space wrote:
| I can't be the only person who's been checking as many wrong
| answers as I can get away with for the last decade, and I'd be
| complimented by my conoid-questioning brethren. Captcha seems
| like it's fully entered a "bear proof garbage can" phase I
| don't see it escaping.
| nerdponx wrote:
| Lesson 1 about competing with Google should be "don't be even
| more disrespectful to your users than Google is". Otherwise
| people will just use Google.
|
| Relying on the goodwill of a small number of "never-Googlers" to
| carry your business, in spite of the way you do business, is not
| a path to success.
|
| While hCaptcha trashes its reputation, the rest of the world will
| go on using reCaptcha and not giving the faintest whiff of a fart
| about hCaptcha's existence.
|
| (Side note: the spelling is "intentional", not "intensional".
| Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").
| isodev wrote:
| Why are captchas even a thing still? If folks want to scrape
| something or build an automation around something, then why not
| let them do it? They still have to respect the system they're
| logging in. Not to mention the privacy perk of not exposing your
| visitors to some captcha service with a dozen or more data
| subprocessors.
| dewey wrote:
| Captchas are used for many things, and the reason they are
| still a thing is because they mostly work. Especially
| fingerprinting invisible captchas.
|
| Try having a login form without a captcha and you'll realize
| you are capturing 100s of users every day that require you to
| send out a "please confirm your email address" email for each
| of them for no good reason.
|
| > They still have to respect the system they're logging in.
|
| Your trust in people is admirable, but in my experience running
| anything on the internet you'll realize that intentionally or
| not people will bombard your system until it falls over.
| isodev wrote:
| I think folks forget that we can add many of the safeguards a
| captcha provides as part of whatever "form serving app" is
| needed without torturing our visitors to prove they can count
| bicycles.
| dewey wrote:
| I think the times of the "count bicycles" type of captcha
| are already counted just because of the bad user
| experience. Now everything is about fingerprinting, as
| paying to get captchas solved by humans or AI is already
| used everywhere if it's worth it.
| nraynaud wrote:
| they don't work, robots have a higher speed and success rate
| than humans.
| dewey wrote:
| Not everything is black and white. If it's cutting down 50%
| of the spam that does not have captcha solving robots
| because the effort is not worth it, that's already
| something.
|
| There's a reason many sites still have very basic
| captchas...it's good enough for their use case.
| stanmancan wrote:
| I had to add a captcha to a registration page a couple years
| ago. Bots were signing up for thousands of fake accounts with
| other people's email addresses. The email confirmation we sent
| would then get reported as spam since the recipient didn't sign
| up for our service. Our email provider suspended our account
| for high spam reports.
| Spivak wrote:
| I hope the other lesson was the good email verification
| hygiene of making the user take an affirmative action and
| click a "verify email" button rather than send it
| unsolicited.
|
| You essentially had an open public unauthed form that would
| send an email to any address you typed in it. Surely that
| alone raises some eyebrows.
| toast0 wrote:
| How do you authenticate a verify email button?
| klez wrote:
| It took me a while to understand what GP was trying to
| say, but I suppose they're thinking of one of those sites
| where they let you create an account, will let you in and
| then nag you for a while about "verifying your email
| address" by clicking a link that will actually send you
| an email. An unsophisticated spambot won't probably care
| enough to click through that.
| binarycoffee wrote:
| Not a solution. Verification emails alone got a small web
| site I set up to be blacklisted within days. Most of the
| unwilling recipients presumably couldn't understand the
| language the verification email was written in and reported
| it as spam.
| stanmancan wrote:
| How would adding an extra button change anything? Right now
| when they register we send a "verify email address" email.
| Adding an extra step of "click a button" makes no
| meaningful difference.
| reginald78 wrote:
| What is the play by the spammers here? Is it a direct
| attack on your website, perhaps because they were
| competitors? Or are they hoping that 1% of spammed email
| addresses will accidentally verify their email?
| stanmancan wrote:
| No clue to be honest; I just added a captcha and moved on
| with life. It's a small side project so it wasn't worth
| investing.
| Nextgrid wrote:
| Because despite ZIRP being long over, there are still plenty of
| people/companies making money off "engagement" - aka wasting a
| _human's_ time. Automation/scraping/etc would go around that.
| spacebanana7 wrote:
| There're also more good faith use cases like stopping credit
| card testing, ticket reselling and forum spam.
| isodev wrote:
| I feel folks forget that whatever captchas do (or a large
| portion of), can be a library without the need for a strange,
| inaccessible 3rd party service call.
| hifromwork wrote:
| I assume you never tried to add a contact form to your website.
|
| Explanation: I did, and within a few days bots started sending
| me spam using that form. I just added a trivial captcha
| (hardcoded '2+3=' question), but if my scale was bigger that
| would be untenable. Think also of PM spam, autoregistering
| accounts to abuse free tiers, etc.
| Spivak wrote:
| I guess I just wouldn't have an open unauthed form and
| require a CC to use the free-tier. The contact-me form can
| just be a mailto: link and let the spammers go through the
| spam filter like everyone else. There are places where
| captchas are all you can really do but it's not like common
| use-cases don't have other options.
| hluska wrote:
| You want to put a credit card form in front of a contact
| form?
| graemep wrote:
| There are less annoying alternatives. Things like honeypot
| fields have worked for me so far. There are more dynamic
| variations on your maths question.
| bongodongobob wrote:
| If you have any input forms they will be overrun by bots
| immediately. At my last job, marketing built a website and
| didn't tell IT. They had a "contact us" form without any kind
| of captcha. Took about a month to be completely flooded by bot
| spam.
| slightwinder wrote:
| > Why are captchas even a thing still?
|
| Because it works, to some degree. It keeps away the annoying
| cheap bots and stupid kids. Smarter or more dedicated actors
| can still circumvent it, but even they are at least slowed down to
| some degree.
|
| But thinking about it, maybe just putting a 20 second pause after
| which you have to push a button might be already good enough
| for all this. And every stupid bot avoiding it will get banned.
| isodev wrote:
| Indeed... and if it's really problematic, a client-side
| script can run some expensive calculations as well (the same
| way captchas do it), to make it extra uninteresting to target
| unless someone is really motivated and has the budget for it.
| blindgeek wrote:
| Yes, hashcash.
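
Added example, not written by anyone in this thread: a hashcash-style proof-of-work gate for a form, the idea lesuorac, isodev and blindgeek describe above. The function names, the `bits:timestamp:nonce:tag` challenge layout and the difficulty schedule are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # constructed for the demo; a real server keeps a stable secret
MAX_AGE = 120                # seconds a challenge stays valid
_spent = set()               # challenges already redeemed (replay protection)


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def difficulty_for(recent_requests: int, base_bits: int = 12, cap: int = 24) -> int:
    """Assumed schedule: each doubling of a client's recent request count
    adds one bit, i.e. doubles the expected work for the next request."""
    return min(cap, base_bits + max(0, recent_requests).bit_length())


def issue_challenge(bits: int, now=None) -> str:
    """Server side: a stateless challenge whose difficulty and timestamp are
    covered by an HMAC, so the client cannot lower the one or extend the other."""
    now = int(time.time() if now is None else now)
    body = f"{bits}:{now}:{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def solve(challenge: str) -> int:
    """Client side: brute-force a counter; expected cost is 2**bits hashes."""
    bits = int(challenge.split(":", 1)[0])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge: str, counter: int, now=None) -> bool:
    """Server side: one HMAC and one hash, whatever the difficulty was."""
    now = int(time.time() if now is None else now)
    try:
        bits_s, ts_s, nonce, tag = challenge.split(":")
        bits, issued = int(bits_s), int(ts_s)
    except ValueError:
        return False
    body = f"{bits_s}:{ts_s}:{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or altered challenge
    if not 0 <= now - issued <= MAX_AGE:
        return False                      # expired, or stamped in the future
    if challenge in _spent:
        return False                      # solution already redeemed
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False                      # not enough work done
    _spent.add(challenge)
    return True


if __name__ == "__main__":
    ch = issue_challenge(difficulty_for(recent_requests=0))
    answer = solve(ch)
    print("counter:", answer, "accepted:", verify(ch, answer))
    print("replayed:", verify(ch, answer))
```

The work factor only raises the price per request. As jchw notes further down, a sender with cheap, fast hardware pays far less per solution than a phone does.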
| grishka wrote:
| Simple distorted-characters captchas still do a good job of
| catching unsophisticated bots, which is most of them. They work
| even better when combined with hidden form fields because these
| bots don't support CSS.
|
| Targeted attacks though? You're making your legitimate users
| suffer only so that you defeat 99% of bots instead of 95%.
| devmor wrote:
| It's quite unpleasantly often that I hear stories about
| accessibility accommodations being removed by someone considering
| themselves the sole arbiter of disability.
| jchw wrote:
| I hope we can end the CAPTCHA experiment soon. It didn't work.
|
| Phone verification isn't good either, but for as much as I hate
| phone verification at least it actually raises the cost of
| spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA
| services can be solved for pennies.
|
| Solving the problems of SPAM and malicious traffic will be
| challenging... I am worried it will come down to three possible
| things:
|
| - Anonymity of users: validating someone's real-life identity
| sufficiently would make it possible to permanently ban malicious
| individuals and filter out bots with good effectiveness, but it
| will destroy anonymity online. In my opinion, literally
| untenable.
|
| - Closing the platform: approaches like Web Environment Integrity
| and Private Access Tokens pave the way for how the web platform
| could be closed down. The vast majority of web users use Google
| Chrome or Safari on a device with Secure Boot, so the entire boot
| chain can be attested. The number of users that can viably do
| this will only increase over time. In this future, the web ceases
| to meaningfully be open: alternatives to this approach will
| continue to become less and less useful (e.g. machine learning
| may not achieve AGI but it's going to kick the ass of every
| CAPTCHA in sight) so it will become increasingly unlikely you'll
| be able to get into websites without it.
|
| - Accountability of network operators: Love it or hate it, the
| Internet benefits a lot from gray-area operators that operate
| with little oversight or transparency. However, another approach
| to getting rid of malicious traffic is to push more
| accountability to network operators, severing non-compliant
| providers off of the Internet. This would probably also suck, and
| would incentivize abusing this power.
|
| It's tricky, though. What else can you do? You can try to reduce
| the incentives to have malicious traffic, but it's hard to do
| this without decreasing the value that things offer. You can make
| malicious traffic harder by obfuscation, but it's hard to stop
| motivated parties.
|
| Either way, it feels like the era of the open web is basically
| over. The open web may continue to exist, but it will probably be
| overshadowed by a new and much more closed off web.
| Telemakhos wrote:
| This doesn't feel so much like the end of the "open web" as it
| does a rehash of USENET and email spam issues. Social media
| killed USENET, and email managed its spam issues thanks to
| filtering.
| jchw wrote:
| Email _kind of_ solved its SPAM issues, but it came at great
| costs. It's possible but quite hard to run your own e-mail
| server; if you're not on a major provider, the possibility is
| high that a major provider will at some point have
| deliverability issues to or from you due to automated anti-
| SPAM measures. The degree of difficulty with participating in
| the network does somewhat degrade its openness in my opinion.
|
| If anything works in the favor of email it is that email is
| not published. It is not necessarily very private inherently,
| but it is at least not a system where things get broadcasted
| publicly. IMO this limits the value of spamming people over
| e-mail: you have to send a _very_ high volume of e-mail to
| SPAM effectively over e-mail, and this high volume use
| pattern is not something that ordinary users will ever engage
| in, so it's easy to at least separate out "possible SPAM
| operation" versus "guy sending email to a friend". (I'm not
| saying that systems are necessarily perfect at distinguishing
| one from the other, but at the very least it would be hard to
| mistake the average Gmail account for being part of a massive
| SPAM operation. The volume is just too low.)
|
| I hope the open web survives, but if e-mail is any kind of
| sign, it's not a great one in my opinion.
| martin_a wrote:
| > It's possible but quite hard to run your own e-mail
| server; if you're not on a major provider, the possibility
| is high that a major provider will at some point have
| deliverability issues to or from you due to automated anti-
| SPAM measures.
|
| In the roughly 25 years that I've used shared webhosting to
| have my own domain name and mailboxes, deliverability was
| never an issue. Never tried to send thousands of mails
| though, so...
| jchw wrote:
| I have been running web services for around 22 years I
| believe. At the very beginning, I had zero problems with
| deliverability to most addresses. However, even early on,
| I do remember plenty of forums that mentioned that Yahoo!
| or Hotmail tended to drop their confirmation e-mails into
| SPAM. Smaller operators had an advantage in being lower
| volume; I think that gives you a higher likelihood of
| delivery. That said, their emails are also more likely to
| get caught up in SPAM filters without remediation.
|
| Something has changed recently, though. I have found it
| increasingly hard to even get an IP that is not blocked
| anymore. I recently migrated a VPS that was almost 10
| years old that was running its own e-mail services, and
| after a lot of struggling... I gave up. It now has to go
| through an SMTP proxy to send e-mail. This bums me out,
| but after multiple attempts to get an IP that worked, I
| gave up. The provider did tell me that I was
| grandfathered in to have outgoing SMTP enabled on my
| servers (something that new users do not have by default,
| by the way) but recommended I stop using it.
|
| Is the network open? Yes. Does everyone have
| deliverability problems? Probably not. But maybe another
| question: If you _did_ have deliverability problems to
| some major provider, would you even know about it? If
| you're not very high volume, maybe not!
| dataflow wrote:
| Email hasn't actually fixed spam issues, it's just mitigated
| a big chunk of them. But I know for a fact that I still mark
| emails in my inbox as spam on a regular basis, and still dig
| legitimate emails out of my spam once in a while.
| plingbang wrote:
| > It's tricky, though. What else can you do?
|
| I had an idea about an almost-privacy-preserving system by
| involving government ID and blind signatures:
|
| 1. The service passes a random string to the user.
| 2. The user authenticates to their government and asks the
| government to sign it.
| 3. The government applies a blind signature which basically says
| "this user/citizen hasn't registered an account in the last 60
| minutes".
| 4. The government records the timestamp.
| 5. The user passes the signature back to the service.
|
| Upsides:
|
| * Bypassing this would be orders of magnitude more expensive
| than phone numbers.
| * Almost private
|
| Downsides:
|
| * Won't happen. Remote HW attestation is likely to win :(
| * The service knows your citizenship
| * The gov knows when and how often you register.
| * Any gov can always bypass the limits for themselves.
|
| I think it may be also possible to extend it so that the
| government attests that you have only one account on the
| service but without being able to find which account is yours.
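
Added example, not written by anyone in this thread: the five steps plingbang lists, run end to end with textbook RSA blind signatures. The class and function names, the toy key built from two Mersenne primes, and the in-memory timestamp table are assumptions made for this illustration; a real deployment would use a standardized blind-signature scheme with a full-size key.

```python
import hashlib
import math
import secrets

# Toy RSA key from two Mersenne primes (constructed for the demo; far too
# small and too structured for real use). The key's meaning is the statement
# "this citizen has not registered an account in the last 60 minutes".
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the government
WINDOW = 60 * 60                    # seconds between signatures per citizen


def h(msg: bytes) -> int:
    """Hash a message to an integer below N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Government:
    """Knows who is asking and when, but only ever sees a blinded value."""

    def __init__(self):
        self.last_signed = {}   # citizen id -> time of last signature (step 4)

    def sign_blinded(self, citizen_id: str, blinded: int, now: int):
        last = self.last_signed.get(citizen_id)
        if last is not None and now - last < WINDOW:
            return None                       # rate limit hit, refuse to sign
        self.last_signed[citizen_id] = now
        return pow(blinded, D, N)             # step 3: sign without seeing h(challenge)


class Service:
    """Knows the challenge and the signature, but not which citizen got it."""

    def __init__(self):
        self.open_challenges = set()

    def new_challenge(self) -> bytes:         # step 1
        challenge = secrets.token_bytes(16)
        self.open_challenges.add(challenge)
        return challenge

    def register(self, challenge: bytes, signature: int) -> bool:   # step 5
        if challenge not in self.open_challenges:
            return False                      # unknown or already used
        if pow(signature, E, N) != h(challenge):
            return False                      # not signed by the government key
        self.open_challenges.discard(challenge)
        return True


def blind(challenge: bytes):
    """User side of step 2: hide h(challenge) behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(challenge) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """(m * r^E)^D = m^D * r (mod N), so dividing by r leaves the signature."""
    return (blind_sig * pow(r, -1, N)) % N


def run_flow(gov: Government, svc: Service, citizen_id: str, now: int) -> bool:
    challenge = svc.new_challenge()
    blinded, r = blind(challenge)
    blind_sig = gov.sign_blinded(citizen_id, blinded, now)
    if blind_sig is None:
        return False
    return svc.register(challenge, unblind(blind_sig, r))


if __name__ == "__main__":
    gov, svc = Government(), Service()
    print("first signup:", run_flow(gov, svc, "citizen-1", now=0))
    print("10 minutes later:", run_flow(gov, svc, "citizen-1", now=600))
    print("60 minutes later:", run_flow(gov, svc, "citizen-1", now=3600))
```

The `last_signed` table is the downside listed in the comment: the signer learns when and how often each citizen asks, even though it cannot link a signature to a service account.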
| mindslight wrote:
| meh, continuing the pearl clutching and asserting there has to
| be some general "solution" is itself part of the problem. The
| sheer majority of captchas I come across are while browsing
| essentially static content. If simple source IP based rate
| limiting can't keep the server load at something manageable,
| then the real problem is with how the site is built. And adding
| even more bloat to address another managerial bullet point is
| exactly how it got that way.
| jchw wrote:
| Two things:
|
| - I don't believe there is a general solution to this
| problem, but that won't stop people with lots of money and
| influence from trying to find a general solution. Especially
| one that is cheap. I still hope for the least user- and
| ecosystem-hostile approach among the flawed approaches to
| win. (I guess of the ones I listed, the one that bothers me
| the least is having more policing of the service providers.)
|
| - CAPTCHAs from static content are almost assuredly for anti-
| scraping measures. I think anti-scraping measures are mostly
| pointless and antithetical to an open web in the first place,
| but, an effective anti-scraping measure kind of _has_ to work
| off of reputation, because getting access to a very large
| number of IP addresses isn't free, but it doesn't cost
| _that_ much (especially if IPv6 is on the table.) I
| personally doubt it has much to do with server load in most
| cases, but maybe I am wrong.
| mindslight wrote:
| There are indeed many powerful motives supporting the march
| of technological authoritarianism. But validating the
| narratives about why ever-more control is needed is a form
| of support, which we should avoid doing.
|
| Rather we need to recognize that they're merely instances
| of the same old authoritarian fallacy of more control
| promising better outcomes, because what increased control
| ends up ruining cannot be enumerated. In actuality,
| reducing independent autonomy stifles invention and
| suffocates society.
|
| "Anti-scraping" is a dubious problem for web sites aimed at
| _publishing_ information. The best "anti-scraping"
| solution is a published API that includes bulk downloads.
| I'll admit there's a tiny sliver of sites for which
| controlling consumption might make sense, but it's
| certainly not ones that allow browsing without even logging
| in.
| account42 wrote:
| A start would be what kinds of websites even need a CAPTCHA in
| the first place. Why does just viewing websites with static
| content ever need to result in a captcha prompt?
| jchw wrote:
| _That_ I think is just to try to prevent scraping, probably
| mostly from people training AI models. I don't really think
| anti-scraping mitigations are a good idea and I'm hoping that
| problem some day solves itself.
| mapt wrote:
| There is another option.
|
| CAPTCHA is useful only when it is costly to solve. It is a
| costly signal that this is a real person, or at least is more
| than 1/10^9th of a real person (you're not running a fully
| automated spam system).
|
| The postal service also has costs - everybody that wants to
| move something through the postal service needs to buy a stamp.
| Transport fees are a 'natural' way to moderate traffic and
| deter spam.
|
| Various combinations of network architecture and cryptocoinage
| permit you to invoke transport fees per attempted
| transmission/login. Sensible ones, if every spam email or login
| guess costs even 1 penny it becomes prohibitive for most fully
| automated spam applications. The cryptocoin aspect is
| specifically about preserving anonymity of private wallet
| access while permitting the cash-like transactions that stamps
| enable.
| throwaway2037 wrote:
| This sounds like the same argument that was made for about 10
| years (2000 to 2010) that micropayments would save
| traditional (print) media in a digital world. It didn't work
| due to market fragmentation and friction to make a payment.
|
| And, the reality of your fancy idea is that normie users
| would turn away if they made a mistake on the CAPTCHA and
| were suddenly presented with a screen "charging" them one
| pence.
| mapt wrote:
| This isn't about "making a mistake on the captcha", this is
| about charging them one pence for every attempt and just
| not having a captcha.
|
| It's an entirely different sort of system, and it would
| require a cordoned off section of the Internet to implement
| it top-down, but it's technically viable.
|
| The defining insight here is how many orders of magnitude
| difference there is between the "That price is negligible"
| threshold for a human being, and the "That price is
| negligible" threshold for an automated system. Sure there
| are adoption issues, but for all applications where there
| are several orders of magnitude difference, such a system
| makes some degree of sense.
| theamk wrote:
| Don't think it's going to work, except in the smallest
| forums?
|
| According to a random page on internet [0], companies pay
| in $2-$6 range per 1000 ad impressions. If one pays $0.01
| to bypass captcha and just 10 people see the resulting
| spam post, that's already $1 per 1000 views - much less
| than facebook charges. This becomes even more lucrative
| if the ads are expensive or there will be more than 10
| people looking at the ad.
|
| It looks like you'll want much higher costs than that, which
| will make it "too much" for other users.
|
| [0] https://spideraf.com/learning-hub/what-is-the-
| average-cost-p...
| njarboe wrote:
| Would be great if the US government somehow facilitated
| micropayment. Either by creating their own system or
| removing the capital gains reporting requirements on crypto
| (maybe up to $10k/year).
| Thoreandan wrote:
| Relevant Penny Arcade comic responding to the proposal that
| micropayments will save comic artists -
| https://pennyarcade.fandom.com/wiki/June_22,_2001
| jchw wrote:
| Cryptocurrency micropayments have been proposed and even
| attempted as a solution to various problems. Hell, there's
| also Hashcash, an early proposed anti-SPAM measure for e-mail
| using just proof-of-work. (Since this is just burning CPU
| though, it probably isn't effective in the modern world of
| most people using low-power mobile computers and many SPAMers
| having access to cheap very high power computers. Might serve
| as a good hurdle for people trying to implement malicious
| bots, but it will eventually become useless if it is shown to
| be effective IMO.)
|
| I'm skeptical though. It puts a literal price on abusing a
| service, but how do you _set_ that price? Is there a
| guarantee that there's a value high enough to meaningfully
| disincentivize SPAM but low enough that users, especially
| users in areas that may have an economic disadvantage, are
| able to pay it?
|
| That's on top of the other practical problems, such as
| actually implementing it. I mean, if someone implements it
| and tries to solve the usability issues involved I would be
| open to this future, but as it is now, cryptocurrency has
| disappointed me. In a world with increasing scrutiny towards
| credit card processors, I was hoping that the silver lining
| would be that cryptocurrency could at least help mitigate
| some of the concerns, but there are just too many hurdles
| right now. (Some of them may be caused by regulation, but to
| be fair, I think at this point it's hard to blame governments
| for trying to regulate cryptocurrency exchanges. I'm not
| _happy_ about silly KYC policies or anything like that, but I
| am not surprised at all.)
| AnthonyMouse wrote:
| > It puts a literal price on abusing a service, but how do
| you _set_ that price?
|
| Start with a nominal one and increase it until the spam
| problem goes away.
|
| Create escape hatches for people who can't afford it, e.g.
| you can either pay/mine a couple dollars worth of
| cryptocurrency, or you can have someone who paid vouch for
| you (but then if either of you spam you both get banned),
| or you can do some rigorous identity verification which is
| inconvenient and compromises privacy but doesn't cost
| money, or (for smaller communities) you ask the admins to
| comp you and if you're known in the community from other
| sites then they do it etc.
|
| > I mean, if someone implements it and tries to solve the
| usability issues involved I would be open to this future,
| but as it is now, cryptocurrency has disappointed me.
|
| This doesn't seem like an insurmountable problem to solve.
| To give someone some cryptocurrency you can either send it
| directly (useful option for advanced or privacy-conscious
| users) or use a service and then it should be no different
| than using Paypal et al.
|
| The real problem is the regulations are currently designed
| to make using it an unreasonable amount of paperwork:
|
| > Some of them may be caused by regulation, but to be fair,
| I think at this point it's hard to blame governments for
| trying to regulate cryptocurrency exchanges.
|
| There's a difference between regulating exchanges and
| regulating users. If you're holding millions of dollars in
| cryptocurrency then the government is reasonably going to
| expect you to file paperwork and pay taxes on gains etc. If
| you're only holding three and four digit dollar amounts
| worth then they should leave you alone and you shouldn't
| have to do anything.
|
| In theory you can strike a reasonable balance here where
| the crypto scammers go to jail but Joe Average doesn't have
| to file any more tax paperwork to use Bitcoin Cash to buy a
| pack of gum than to pay in physical cash. We'll see what
| the new administration does with it.
| jchw wrote:
| Well, for solving both the UX and regulatory issues with
| cryptocurrencies... I'm not optimistic, but I am open to
| being pleasantly surprised.
|
| On the UX side, I think a huge problem is making it
| possible for users to participate using a non-custodial
| wallet with as little risk of data loss or compromised
| credentials as possible. So it needs to be hardened
| against ignorance, stupidity, house fires, malware, and
| social engineering. That is hard. Irreversible
| transactions greatly up the stakes while increasing the
| incentive to attack. Do you ever feel a bit nervous about
| the send address being wrong when you use cryptocurrency?
|
| A thing I didn't mention but is equally important to
| solve is developer experience. I wish there was a turnkey
| SDK that took care of most of the technical stuff and
| just let you use cryptocurrency like it's PayPal. If we
| had on-chain subscriptions (I think Ethereum can do
| this?) it could be even more powerful. The technologies
| offer a ton of possibilities but taking advantage of it
| correctly and securely feels like a tall order. Dealing
| with cryptocurrencies feels more serious than dealing
| with traditional payment processors: you can't undo when
| you fuck up.
|
| Some of this can be resolved. On the user side, users can
| keep less value stored in wallets long term... Though
| this is more cumbersome and less usable. On the developer
| side, developers can make nodes that can verify
| transactions but not spend currency... But this can be
| challenging (I think it's weird to do with Monero for
| example?) and it closes off some use cases ("escrow"
| style transactions; Skeb-style commissions would be a
| good use case.)
|
| If it gets solved I will celebrate as it seems like it
| would have a lot of positive upsides, but I think you
| might need to pardon my skepticism: it's been a lot of
| years and it hasn't gotten that much better. (Granted,
| it's still pretty new, but the momentum is slower than I
| would have hoped.)
| Retr0id wrote:
| Although solving a captcha can be translated into a monetary
| cost (often the cost of labour for a human in a clickfarm to
| solve it for you), the nice thing is that it's still "free"
| to solve normally.
|
| If you switch to direct payments that are still affordable
| for routine use by your poorest users, then your rich
| adversaries can afford to generate orders of magnitude more
| spam (until we solve unequal wealth distribution globally).
|
| Also, the cost of using a postal service nominally covers its
| operating costs. The cost of actually transferring a spammy
| HTTP request over the internet is negligible, but the costs
| imposed on its receiver are less so (i.e. the cost of
| responding to it (cpu/ram/disk/bandwidth), second-order costs
| of lowering the quality of the service for everyone else,
| etc.).
| Y_Y wrote:
| > until we solve unequal wealth distribution globally
|
| Is this a joke?
| Retr0id wrote:
| Why would it be a joke?
| danaris wrote:
| If you expect 99% of normal internet users to maintain a
| crypto wallet of any kind just to access certain websites--
| even leaving aside the actual cost--you're going to be sorely
| disappointed.
| thayne wrote:
| > The postal service also has costs
|
| I don't know about you but even with this cost about 90% of
| the physical mail I receive is junk mail.
|
| > Sensible ones, if every spam email or login guess costs
| even 1 penny it becomes prohibitive for most fully automated
| spam applications.
|
| Do you have a solution for transaction costs? How do you pay
| a penny without having to pay more than that for the transfer
| of funds?
| throwaway2037 wrote:
| > Anonymity of users: validating someone's real-life identity
| sufficiently would make it possible to permanently ban
| malicious individuals and filter out bots with good
| effectiveness, but it will destroy anonymity online. In my
| opinion, literally untenable.
|
| I see this point constantly made on the echo chamber that is
| known as HackerNews. The average normie user does not care
| about anonymity, nor privacy, on the Internet. They want a
| smooth, fun experience. The solution is secure boot plus
| attestation via some browser JavaScript API. If you want even
| less friction, users are required to register their devices
| with a gov't agency, then their attestation will carry more
| value.
|
| Really, why don't we see HN crying about the need to show a
| national ID (and register) when buying a mobile phone? I never
| once saw anyone complaining about it here. Are there any highly
| developed nations that allow complete strangers with any
| nationality to buy and use a mobile phone without showing a
| national ID? I don't know any, or they will all soon be gone.
| It only takes a few more terrorist assholes to close that door
| permanently.
| graypegg wrote:
| > Are there any highly developed nations that allow complete
| strangers with any nationality to buy and use a mobile phone
| without showing a national ID?
|
| Canada maybe? [I'm 80% sure that] Public Mobile will sell you
| a prepaid sim card at the counter. You could pay cash, and
| set your caller ID to a fake name.
|
| If we're talking about mobility plans, the identity
| requirement is more about the credit check they might want to
| do than anything else.
| tredre3 wrote:
| > Are there any highly developed nations that allow complete
| strangers with any nationality to buy and use a mobile phone
| without showing a national ID? I don't know any, or they will
| all soon be gone.
|
| I regularly (1-2x per year) buy prepaid SIMs in Canada, USA,
| and Japan. None of them require an ID and I often even pay
| cash.
|
| I'm sure you are right that they'll eventually be requiring
| ID, but you are wrong to imply that these countries aren't
| highly developed.
| faeranne wrote:
| > why don't we see HN crying about the need to show a
| national ID ... when buying a mobile phone?
|
| Mmm, very possibly because there are at least a few ways to
| get a phone without using any ID. I picked up a used phone
| about a year ago, and use Tello. Tello had 0 info on me for
| years, only an old UPS box that I got the card delivered to.
| I eventually gave them my first name so Caller ID was
| correct, but short of that or putting in a correct address if
| you want 911 support, there's no reason to need any valid
| info with them. They don't do credit checks, just prepay.
|
| > The solution is secure boot plus attestation
|
| That's the second option they presented "Closing the platform". The
| issue with all these options is that it consolidates power,
| and thanks to already partially consolidated power, any
| option selected will, by necessity, obligate _everyone_ to
| partake, whether or not they are ok with it.
|
| > The average normie user does not care about anonymity, nor
| privacy, on the Internet.
|
| It's true that often "normies" don't care (or at least think
| they don't care, but that's a completely different point I
| don't feel like trying to make), and it's also true that
| often "normies" don't want the status quo changed. But often
| "normies" also ignore when people are kidnapped due to their
| heritage being revealed. Is it acceptable to actively create
| a hostile environment for people already disadvantaged? Do we
| gain something worth their safety? Who gains from this higher
| level of scrutiny?
|
| If we look at the smaller web, most sites never get enough
| traffic to be under active threat, and passive threat is easy
| enough to quell using honeypot forms and questions. Maybe the
| "normie" internet _is_ the problem. Passive people passively
| consuming. "Normies" love watching stolen content, and
| praise thieves for harassing anyone who points out that what
| they're doing is wrong. "Normies" enjoy watching someone
| livestream themselves flying down a highway at 100 mph over
| the speed limit.
|
| I think maybe we should acknowledge that what we're defending
| with things like hCaptcha is not actually worth defending.
| Maybe the "normal" internet does need to be deprecated over
| "small" internet? We did pretty good before with things like
| Wikipedia. The "small" internet from before had a lot of
| chaff, but good things have grown from it, and a lot of it
| still exists as a "small" internet. Maybe it's ok that we
| have a lot of "crap content", so long as the internet can
| keep changing?
| jchw wrote:
| It's not the average person's job to make sure that the world
| isn't fucking them raw. People have limited attention and
| limited time, not everyone can care about everything.
|
| Nobody else is going to step in and hold the line when it
| comes to digital privacy rights. It's on people like us who
| care. This is why organizations like EFF need to exist.
| SirMaster wrote:
| CAPTCHA definitely works in some cases.
|
| On our website, without CAPTCHA we get dozens of forms filled
| out by bots per day. With the CAPTCHA we get 0.
|
| So sure it may be cheap to defeat the CAPTCHA, but nobody seems
| to be willing to go through that small hoop to do it on our
| website.
| salviati wrote:
| I believe that 0 will be a higher number next year. And an
| even higher one the following year.
| whartung wrote:
| Even in a year, I don't think random AI will be "cheap"
| enough for spamming CAPTCHA on random websites. Maybe for
| select, ripe targets (your bank, etc.). But for a random
| business with a form?
|
| Nah.
| dreamcompiler wrote:
| > I hope we can end the CAPTCHA experiment soon. It didn't
| work.
|
| Well it _sort of_ worked before we got modern AI image
| recognizers, but even then they had to continue making the
| challenges harder to keep up with the recognizer software.
|
| Now the damn things have crossed over into the domain of
| "easier for a machine to solve than a human" so they're
| worthless for their original purpose.
| tombert wrote:
| Define modern? I worked adjacent to the web-scraping tech at
| Jet.com and they managed to beat a lot of the CAPTCHAs even
| in 2016.
| jchw wrote:
| Yeah but filtering out mindless bots is even easier than
| loading a bloated mess of JS: a simple form question that you
| believe 100% of the valid users will be able to answer should
| be good enough to stop almost all of those low-level bots. I
| use that approach all the time.
|
| Some day this luck will run out, but for larger entities that
| experience targeted malicious traffic it's never really been
| a viable approach.
| not_your_vase wrote:
| In the past 3 years, every morning I wake up I open the news,
| and I hope that I will see the following headlines: "Some guy
| figured out how to use AI to detect bot traffic with 100%
| accuracy, captchas became obsolete and banned worldwide with
| immediate effect"
|
| And every morning my day starts with disappointment.
| thayne wrote:
| > Almost all turnkey CAPTCHA services can be solved for
| pennies.
|
| There is one area where even pennies can be a barrier: DDoS.
|
| Paying a few pennies per captcha can add up to a lot when you
| want to complete millions of them.
| AnthonyMouse wrote:
| > validating someone's real-life identity sufficiently would
| make it possible to permanently ban malicious individuals and
| filter out bots with good effectiveness, but it will destroy
| anonymity online. In my opinion, literally untenable.
|
| Not only untenable because of the privacy invasion but also
| because there are too many users who are willing to click on
| whatever for a chance to win a prize and thereby authorize use
| of their identity for spamming.
|
| > approaches like Web Environment Integrity and Private Access
| Tokens
|
| That stuff never works because the spammers only have to break
| one model of one popular device. The people proposing it are
| snake oil salesmen or platform companies that want to use it
| for lock-in, because spammers spend the resources to break the
| system but normal users won't put up with the inconvenience,
| which locks out competitors and interoperability.
|
| > Accountability of network operators
|
| This largely already happens. Disreputable IP blocks get
| banned. But then you get a botnet with users on ISPs with
| varying levels of willingness to do something about it and the
| ones that do something about it still can't do it
| instantaneously and some of the ones that don't care are in
| jurisdictions you can't control but are also too big to block.
|
| The best solution is probably some kind of "pay something in
| money/cryptocurrency/proof of work to create an account"
| because normal users need a small number of accounts kept for long
| periods of time but spammers need a large number of accounts
| that get banned almost immediately, which is exactly the sort
| of asymmetric cost structure that results in a functioning
| system.
| awbvious wrote:
| "Anonymity of users: validating someone's real-life identity
| sufficiently would make it possible to permanently ban
| malicious individuals and filter out bots with good
| effectiveness, but it will destroy anonymity online. In my
| opinion, literally untenable."
|
| What about zero knowledge proofs? Those with typical
| cryptocurrency wallets could leverage existing extensions.
| Everyone else can download an open source extension that sends
| the proof and an open source way to verify proofs but is
| unrelated to cryptocurrency. While a robustly decentralized
| chain like Bitcoin and Ethereum would be a good place to verify
| proofs, no reason a non-cryptocurrency solution can't also be
| available as well for the cryptocurrency averse. And for the
| tech averse, a phone number to call/text to walk the person
| through sending the proof via phone that would cost a tiny bit
| --and could also help the tech averse with setting up an
| extension going forward?
| miki123211 wrote:
| > for pennies
|
| "for pennies" is a _lot_ more expensive than 0, and that
| matters at scale.
|
| Scam isn't about one person performing one request, for that
| you can indeed just hire a human, it's about thousands of bots
| constantly interacting with a service.
|
| If you need to scrape 10m records and there's no anti-fraud
| protection, you pay $0 (excluding typical bandwidth / server
| costs). If every query requires a captcha, and you have to pay
| $.01 per captcha, the operation costs you $100k.
|
| Going from 0 to 100k is often "good enough" to make these
| things uneconomical.
| jchw wrote:
| Actually, I oversimplified. In most cases you don't have to
| pay $.01 per CAPTCHA. It's usually a fraction of a penny per
| CAPTCHA.
|
| So basically it's good enough to protect something that is
| arguably barely worth protecting. I don't find this
| compelling. Protecting things that barely need it is already
| easy using existing techniques.
| rascul wrote:
| > Phone verification isn't good either, but for as much as I
| hate phone verification at least it actually raises the cost of
| spamming somewhat.
|
| Curious if phone verification would block more or less
| legitimate users than captchas.
| j-bos wrote:
| Feels like another option would be to bootstrap off of
| authenticated users, some sort of reputation system. It would
| still allow for anonymous users, but the expectation would be
| that they would be treated as suspected spam unless they
| receive sufficient endorsement from actual verified users. The
| verified users could be held accountable for the endorsements
| they provide up to a certain point, and the anonymous users
| would be able to remain anonymous assuming verified users
| consider them good citizens.
| jprete wrote:
| The endorsement and verification would need to be continuous,
| or else the anonymous users will sell their accounts for the
| value of the accrued positive reputation. I.e. what people
| already do with Reddit accounts that accrue a lot of karma.
| j-bos wrote:
| Good point
| RobMurray wrote:
| I am also blind. hCaptcha is the worst. Their stupid cookie
| expires so I have to go through their getting an email to set the
| cookie almost every time I encounter one. It's a horrendous UX,
| especially when using different devices and browsers. I imagine
| others just give up instead of dealing with the crap. They
| shouldn't use the word accessibility when their whole service is
| the exact opposite.
|
| The bots can probably solve them easier than blind people anyway,
| or they can outsource them to third world workers for next to
| nothing. E.G. Anticaptcha [0]:
|
| > Starting from 0.5USD per 1000 images, depending on your daily
| spending volume
|
| [0] https://anti-captcha.com/
| rwmj wrote:
| Believe me, hCaptcha isn't much better even if you're not
| blind! They show me minuscule images which are barely
| distinguishable from each other. It manages to be much worse
| than reCaptcha, which is some achievement.
| tracker1 wrote:
| I'm not blind, but do have visibility issues. I can get by on
| my phone with maxed text size, etc. The pictures for hcaptcha
| are horrible... I keep having to zoom in and out. It's almost
| as bad as modals that flow off screen.
|
| It sucks more when you work in the space and take a lot of
| care to usability. It's not that hard most of the time.
| nmarinov wrote:
| What's the best captcha regarding accessibility?
| burningChrome wrote:
| None.
|
| There is no "best" version of captcha. I've worked on
| several large scale projects where captcha was floated and
| then quickly abandoned in favor of other methods like
| Honeypot or using other methods to weed out bots and other
| 3rd party agents.
|
| If you _have to_ use captcha the least worst are probably
| reCaptcha V2 and hCaptcha for accessibility.
| Saris wrote:
| Brave PoW captcha maybe? Because it requires no
| input/interaction from the user.
| jknoepfler wrote:
| I don't understand why POW solutions aren't more popular.
| Saris wrote:
| I'd never heard of them before getting them while using
| Brave search sometimes, I'm not sure I entirely
| understand how they work and differentiate between a bot
| and human.
| xelamonster wrote:
| They don't differentiate. They just make it too expensive
| to be worth paying for the resources required to carry
| out a spam attack at any meaningful scale.
| Saris wrote:
| Oh that makes sense, neat way of doing it. Basically adds
| a delay while also costing CPU resources.
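The Hashcash-style proof-of-work idea discussed in the comments above, as an added example (not code from the thread or from any captcha vendor): the client burns roughly 2^bits SHA-256 hashes, while the server checks a submission with one HMAC and one hash. The challenge format, the names and the 120-second lifetime are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # demo secret; a real deployment persists and rotates it
TTL_SECONDS = 120             # assumed challenge lifetime


def issue_challenge(difficulty_bits, now=None):
    """Return 'salt:expires:bits:tag'. The HMAC tag lets the server stay
    stateless: it can later confirm it issued exactly these parameters."""
    now = time.time() if now is None else now
    payload = f"{os.urandom(8).hex()}:{int(now) + TTL_SECONDS}:{difficulty_bits}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work_hash(challenge, nonce):
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge):
    """Client side: brute-force the smallest nonce that meets the difficulty.
    Expected cost is about 2**bits hashes. Returns (nonce, hashes_tried)."""
    bits = int(challenge.split(":")[2])
    nonce = 0
    while leading_zero_bits(work_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce, nonce + 1


class Verifier:
    """Server side: constant work per submission, whatever the difficulty."""

    def __init__(self):
        self.spent = set()    # redeemed tags; prune by expiry in real use

    def verify(self, challenge, nonce, now=None):
        now = time.time() if now is None else now
        payload, _, tag = challenge.rpartition(":")
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False      # forged, or difficulty/expiry was altered
        _salt, expires, bits = payload.split(":")   # trusted after the MAC check
        if now > int(expires) or tag in self.spent:
            return False      # stale challenge, or a replayed solution
        if leading_zero_bits(work_hash(challenge, nonce)) < int(bits):
            return False      # the work was not done
        self.spent.add(tag)
        return True


if __name__ == "__main__":
    verifier = Verifier()
    for bits in (8, 12, 16):
        challenge = issue_challenge(bits)
        started = time.perf_counter()
        nonce, tried = solve(challenge)
        elapsed = time.perf_counter() - started
        print(f"{bits:2d} bits: {tried:6d} hashes, {elapsed:.3f}s, "
              f"accepted={verifier.verify(challenge, nonce)}")
```

Each extra bit of difficulty doubles the client's expected work and leaves the server's cost unchanged; as the thread notes, the scheme prices requests and does not tell bots from humans.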
| akimbostrawman wrote:
| I have the complete opposite experience. I'm not blind but I use
| Tor, VPNs and a non-spyware browser, which is probably worse lol.
| Google captcha most of the time sends me into a loop that does
| not stop and always fails regardless of how right I am for +3
| minutes. Meanwhile hCaptcha lets me pass if I simply correctly
| fill out 1-3 captchas.
| hyperman1 wrote:
| I think, unfortunately, most accessibility options are not
| intended to actually be used.
|
| If you are a government or bigco, accessibility is part of your
| baseline requirements. You must be able to say: Yes, we are
| accessible. Otherwise, the public will cause a stink.
|
| So you take your list of vendors, and remove any that don't say
| they enable accessibility. Vendors know this and make sure they
| say they are.
|
| Meanwhile, it is a hard to get right feature, only applicable to
| a small part of your userbase. Multiple disabilities require
| different affordances. No developer on the team really
| understands the actual requirement.
|
| The people requiring accessibility will go somewhere else, or
| grumble and make do. Neither will be detected on any metrics
| board.
|
| This combination promotes shelfware: Things you buy and put on a
| shelf somewhere but never really use.
| miki123211 wrote:
| As a blind person, I genuinely believe that hCaptcha, being as
| terrible as it is, is still the best solution among the ones that
| we can physically achieve in the world as it exists right now.
|
| Audio captchas don't work for people with hearing issues and/or
| who don't speak your n supported languages, where n is usually
| <10. I've had to help people out with these over the phone, it
| was not fun.
|
| Even for people for whom they do work, it's worth keeping in mind
| that bots can solve them by now, and so users whose activity
| looks too fraudulent, who are still given access to the visual
| captchas, have to be blocked from using the audio ones. I have
| also seen this happen.
|
| Text captchas are a non-option by now, they're very easy to solve
| with LLMs, and the way they have to be phrased makes it
| impossible to align LLMs not to solve them, like you can do with
| the visual ones.
|
| Google's ReCaptcha can get away with having no actual challenge
| for most users, blind or otherwise, but that's because they're
| Google, they do enough user tracking that they don't actually
| need a captcha. Google is the only company that can get away with
| this, and even for them, it doesn't work in all situations, even
| when the user fully trusts Google and has not adjusted any
| privacy preferences.
|
| Sure, you could stop using captchas entirely, if you're fine with
| receiving dozens of viagra ads on every single platform each day,
| abolishing all "contact us" and comment forms on the internet,
| having a significantly higher credit card fraud rate (which
| translates directly to higher prices and a much worse experience
| for consumers), and getting all your semi-public records and
| social media activity immediately scraped by shady companies and
| sold to anybody who expresses any interest. Unsurprisingly, most
| users are, in fact, not fine with this.
| blindgeek wrote:
| > and getting all your semi-public records and social media
| activity immediately scraped by shady companies and sold to
| anybody who expresses any interest.
|
| Public content on the Internet should be scrapable. That's what
| public means.
|
| The fact that my reddit posts were publicly available never
| bothered me. Even if they were going to be used to train some
| LMM. What does bother me is reddit locking up my posts and
| making exclusive deals with Google to train Google's LMM.
|
| Preventing scraping isn't good for the average user; it is good
| for the company that wants to take content created by said
| user, lock it up, and sell it to their buddies.
| blindgeek wrote:
| And the very angry email that I (probably unwisely) just dashed
| off to support@hcaptcha.com:
|
| "So I've been trying to sign in repeatedly to set the
| accessibility cookie since last night. Every time I click the
| submit button, I get the useless error message "an error has
| occurred, please try again".
|
| My friend, who shares my roof and my static IP, got banned from
| hcaptcha's accessibility service last year for being too smart to
| be blind. And I suspect you all have banned our IP and not just
| his account.
|
| For the record, my static IP address is (redacted).
|
| See https://michaels.world/2023/11/i-was-banned-from-the-
| hcaptch... for his story. I have been broadcasting this to
| websites frequented by technically capable people:
| https://news.ycombinator.com/item?id=42171164
| https://lobste.rs/s/qbkd0u/i_was_banned_from_hcaptcha_access...
|
| Please let your bosses know that I plan to pursue legal action
| against hCaptcha and/or amplify the truth to destroy its
| reputation in the public square. I will also be reaching out to
| websites who utilize hCaptcha, letting them know that the captcha
| provider they employ is refusing to provide reasonable
| accommodations to blind people.
|
| Whether it be with the force of law or the force of satyagraha,
| your bosses are going to get a message and we will win.
| blindgeek wrote:
| And their thoroughly unhelpful reply:
|
| "Hi there, sorry to hear you're having difficulties!
|
| We have an alternative authentication scheme that you may
| prefer: https://www.hcaptcha.com/accessibility
|
| You can sign up here:
| https://dashboard.hcaptcha.com/signup?type=accessibility
|
| This lets you avoid the challenge altogether after
| registration.
|
| It is designed for users with any kind of difficulty solving
| the challenges.
|
| Thanks for reaching out, and hope this makes your experience
| better."
| andrewaylett wrote:
| CAPTCHA: Completely Automated Public Turing test to tell
| Computers and Humans Apart.
|
| These things have _one job_. Any time they fail to identify a
| human, they have failed at their job. How they go about
| administering the test, and (to a large extent) what the human
| does in response, should be irrelevant. I know that's hard,
| no-one said the job was _easy_, and the companies developing them
| are the ones making claims about their efficacy.
|
| If you want to block 100% of bots, don't put your stuff on the
| Internet. If you want to block bots _and allow humans_ then
| you're _going_ to have false negatives. Failing to acknowledge them
| is dishonest.
|
| None of which stops me filling them out when I encounter them,
| but I don't have to like it.
| throw_a_grenade wrote:
| If you're in Europe, consider filing GDPR complaint to your local
| data protection authority. One of the rights recognised in GDPR
| is right to rectify information about you, and it was clearly not
| afforded by the provider here.
| mathfailure wrote:
| hCaptcha is worse than reCaptcha.
|
| I pass the captcha (I am not blind and not using accessibility
| account) and get response like
|
| Your response to the CAPTCHA appears to be invalid. Please re-
| verify that you're not a robot below. (Reference ID:
| 4035128747213959)
|
| And you are given captcha again (passing which will have the same
| result).
|
| reCaptcha had similar issue, but choosing 'accessibility' would
| transform the captcha from visual to auditory one and passing it
| had no such problems.
|
| In the end I just gave up.
| Pxtl wrote:
| Please just let me link some kind of government-backed ID to an
| email account and then clients can ask "hey government, is this
| email account a real human being in your country"? And government
| can say "yes" and they can go forward knowing that if I turn out
| to be a bot and they ban me it will be a _huge_ pain in my ass
| because I've got to go through government enrollment process
| again.
| neilv wrote:
| > _I emailed back a day or so later, requesting an unban because,
| y'know, I *actually* am blind, but they gave a pretty canned
| response of no, your account is remaining banned._
|
| Do I understand correctly that hCaptcha has created an
| accessibility problem that's denying this blind person access to
| all sorts of Web sites?
|
| Is there an ADA angle here, for many customers of hCaptcha?
___________________________________________________________________
(page generated 2024-11-18 23:01 UTC)