RobMurray 3 days ago

I am also blind. hCaptcha is the worst. Their stupid cookie expires, so I have to go through their process of getting an email to set the cookie almost every time I encounter one. It's a horrendous UX, especially when using different devices and browsers. I imagine others just give up instead of dealing with the crap. They shouldn't use the word accessibility when their whole service is the exact opposite.

The bots can probably solve them easier than blind people anyway, or they can outsource them to third world workers for next to nothing. E.g. Anticaptcha [0]:

> Starting from 0.5USD per 1000 images, depending on your daily spending volume

[0] https://anti-captcha.com/

  • rwmj 3 days ago

    Believe me, hCaptcha isn't much better even if you're not blind! They show me minuscule images which are barely distinguishable from each other. It manages to be much worse than reCaptcha, which is some achievement.

    • tracker1 3 days ago

      I'm not blind, but do have visibility issues. I can get by on my phone with maxed text size, etc. The pictures for hcaptcha are horrible... I keep having to zoom in and out. It's almost as bad as modals that flow off screen.

      It sucks more when you work in the space and take a lot of care to usability. It's not that hard most of the time.

  • akimbostrawman 3 days ago

    I have the complete opposite experience. I'm not blind, but I use Tor, VPNs and non-spyware browsers, which is probably worse, lol. Google captcha most of the time sends me into a loop that does not stop and always fails regardless of how right I am, for 3+ minutes. Meanwhile hCaptcha lets me pass if I simply correctly fill out 1-3 captchas.

  • nmarinov 3 days ago

    What's the best captcha regarding accessibility?

    • burningChrome 3 days ago

      None.

      There is no "best" version of captcha. I've worked on several large scale projects where captcha was floated and then quickly abandoned in favor of other methods like honeypots or other ways to weed out bots and other 3rd party agents.

      If you have to use captcha the least worst are probably reCaptcha V2 and hCaptcha for accessibility.

      • Gud 3 days ago

        What were the chosen choices? Curious to know

      • webspinner 3 days ago

        I'm OK with reCAPTCHA, but uh... Just not a fan of Google!! I'm an expert reCAPTCHA solver.

    • Saris 3 days ago

      Brave PoW captcha maybe? Because it requires no input/interaction from the user.

      • jknoepfler 3 days ago

        I don't understand why POW solutions aren't more popular.

        • CodesInChaos 3 days ago

          I don't think there is any PoW that results in acceptable performance for the user (especially on mobile) while also making the cost for an attacker high enough to deter them.

          Even renting the compute on AWS, it only costs $0.01 per minute for the equivalent of a decent desktop computer (c8g.4xlarge). While an attacker will likely either use a botnet, or hardware better suited for solving the PoW than the hardware the user is using.

          Though CAPTCHAs don't really work well anymore either, since solving services are quite cheap. Recaptcha is nowadays primarily based on other factors, like IP reputation, susceptibility to google tracking, and behavioral scoring.

        • marginalia_nu 3 days ago

          Most people engage with web content on relatively low powered machines. If you tune them to be tolerable on a 4 year old mid-range android device, there isn't much cost incurred on a threadripper.

        • Saris 3 days ago

          I'd never heard of them before getting them while using Brave search sometimes, I'm not sure I entirely understand how they work and differentiate between a bot and human.

          • xelamonster 3 days ago

            They don't differentiate. They just make it too expensive to be worth paying for the resources required to carry out a spam attack at any meaningful scale.

            • Saris 3 days ago

              Oh that makes sense, neat way of doing it. Basically adds a delay while also costing CPU resources.

  • webspinner 3 days ago

    First of all, why should I want them to set a cookie on my system? I don't want them to do that. Yeah, I do use session cookies. However, I shouldn't have to have a company set one on my system to get around their stupid CAPTCHA!! In other words, I shouldn't have to disclose anything to them. I could be an AI for all they care.

soraminazuki 3 days ago

The title kind of makes it appear far less of a problem than it actually is, because according to the article, hCaptcha made multiple rude and evidence-free accusations of lying despite the author actually being blind.

  • jerf 3 days ago

    Remember that from hCaptcha's point of view, by this point they've probably dealt with hundreds of other people claiming that they are blind when they really aren't, so their bots will work.

    This isn't a defense, just an explanation... but it is also an explanation of why the entire idea of "we'll not give blind people a way past the CAPTCHA but just give a pass to 'real' blind people so we can pass ADA" fails, which is that it should have been transparently obvious that this approach is completely infeasible and unscalable. As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.

    This shouldn't have gotten deployed and then become a problem; it should have been a 5 minute diversion in the meeting where it was proposed to analyze that it's completely infeasible, and it should never have made it to so much as the design phase, let alone the deployment phase.

    If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself! The whole idea intrinsically depends on having a stronger solution to the problems CAPTCHAs are meant to solve than the CAPTCHA system itself provides... it's fundamentally a logically unsound idea.

    • Workaccount2 3 days ago

      This is a problem so chronic across so many fields that I wish there was single term to describe it.

      User POV :"Wow, provider is a really shitty entity and had no respect for my legitimate problem."

      Provider POV: "We get a huge number of illegitimate claims identical to legitimate ones regularly, the system would collapse if we didn't do heavy triage, the problem is the level of abuse, not a moral bankruptcy on our part."

      I suppose "this is why we can't have nice things" captures some of it.

      • RandomThoughts3 3 days ago

        The actual problem is that Provider real POV is actually: "We already do the bare minimum required by the law and you are too insignificant to damage our reputation. It would actually cost our shareholders money to do more so please go die in silence somewhere else and stop bothering us. Replying to you costs us money too."

        This kind of article is actually useful because it raises the risk of actual reputational damage thus encouraging companies to do more.

      • miki123211 3 days ago

        What users don't see is that a single good actor will make, at most, a dozen such claims in their life, while a malicious one might literally make hundreds of them a day. The scales are different, by orders of magnitude.

        It's not unimaginable that just 0.001% of your users (in terms of actual humans / entities physically using your service) are fraudsters, but 99% of your signup or login attempts / interactions with your service / "I'm not a fraudster, pinky swear" support claims are fraudulent.

      • cwillu 3 days ago

        “Moral bankruptcy” seems like a quite apt description of the state of affairs of being unable to afford to operate morally at a given level of scale.

        Scaling is not a right.

        • danaris 3 days ago

          > Scaling is not a right.

          God I wish this could be plastered in letters 1000 feet high above Silicon Valley.

      • rwmj 3 days ago

        This is just an indication that their process is wrong. (Or in this case, their entire reason to exist is wrong.)

      • account42 3 days ago

        In cases like this the provider is someone I don't want to have any business with in the first place. I don't care how hard reliable CAPTCHAs are to implement and as a user I shouldn't have to.

      • dataflow 3 days ago

        The problem is that this very problem also happens simultaneously in the reverse direction. i.e. people have to deal with so many awful entities screwing them over due to sheer self-interest, negligence, or even malice, that they have a hard time knowing which ones legitimately are trying their best and genuinely don't have a better solution.

        That's what happens when trust erodes, and why we can't have nice things.

        If anyone should be more understanding and absorb the costs to appease the other, it's probably the big corp, not the little guy.

    • michaelt 3 days ago

      > As big as Google, Facebook, or Amazon are, they would struggle under the load of trying to create a system for determining who is "truly" blind... and that's still true if we ignore questions like exactly what "blind" is anyhow.

      In several countries, the government issues certificates of blindness [1] which grant access to certain extra types of support. We don't want severely vision-impaired people being forced to drive, after all!

      So there are legal standards for what exactly blind is, and certificates.

      The question is whether tech companies are inclined to hire enough people to wrangle the paperwork involved in checking such certificates, worldwide.

      [1] https://www.mass.gov/info-details/benefits-for-people-who-ar...

      • jerf 3 days ago

        If "having a government identity" was a solution to the identity problem, it would be solved.

        It is not solved.

        That is at most the beginning of a solution to the problem.

        And in practice, it is little more than the beginning of the problem, as the government's definition of blindness is very unlikely to be a precise match to "has problems completing our visual CAPTCHA", and if multiple governments have standards there is no chance they will match.

        Do not underestimate the resilience and resourcefulness of scammers. They aren't just some individuals here and there who decide one day that they could make a couple extra bucks spamming people, and just sort of start sending out whatever scam strikes their fancy. They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system. They're thousands of people dedicating their full human-level intelligence to the task of defeating your system and extracting the value from it. They are not as easy to defeat as "let's just put the obvious certification in place", for the same reason that the CAPTCHA problem isn't solved with "Let's just issue everyone official identities".

        • michaelt 3 days ago

          > They're international businesses with engineering teams, and a constant feed of low-level operatives who can scam governments about how blind they are if the governments leave any hole in their system.

          I don't know about your country, but in my country the government is pretty keen on avoiding abuses of the benefits system. After all, a blind person gets tax breaks and cash benefits totalling about $5000/year.

          So the existing system is used to dealing with financially motivated adversaries. I doubt the additional financial motivation of being able to bypass hCaptcha would mean much, in comparison.

          • jokethrowaway 3 days ago

            I'm sure some rural country somewhere would start selling certificates en masse the moment this is implemented.

      • inetknght 3 days ago

        > So there are legal standards for what exactly blind is, and certificates.

        In the USA, people are not yet required to provide identification when signing up for "free" services. There are real concerns around privacy.

        A certification of blindness is exactly one of those privacy concerns, being a medical issue. You think it would be a good idea to give that private information to the criminal organizations of big tech?

        • Scarblac 3 days ago

          These are already users that want to let the company know that they are blind in order to qualify for special treatment. In that case showing the certificate doesn't seem to be much of an extra privacy issue to me.

          • RobMurray 3 days ago

            Accessibility isn't special treatment! As I said before I would never provide proof of identity to simply access a website.

            • kelnos 3 days ago

              > Accessibility isn't special treatment!

              Perhaps not in all cases, but it can be. This article is literally about special treatment for accessibility purposes.

              It's of course debatable if this is how things should be, but that's another discussion.

          • soraminazuki 3 days ago

            Nah, it's the companies that are demanding proof over what's basically sane treatment rather than users wanting to surrender their medical info.

        • webspinner 3 days ago

          I would have a privacy concern with it, and then you're going to force everyone to do verification. Age verification isn't even passed here in the US, although a lot of companies do it. They wanted to make it law over the last couple years.

      • gruez 3 days ago

        This is a moot point anyways because the Americans with Disabilities Act bans businesses from asking people about their specific disabilities. Asking for proof of blindness will almost certainly be in contravention of that.

    • Swizec 3 days ago

      > something far more valuable than the CAPTCHA system itself

      In terms of CAPTCHAs being valuable – the other day I couldn’t for the life of me solve a captcha. It was one of those “Solve the implicit question in the picture” kind where it can be hard to tell what it’s even asking you to do.

      So I took a screenshot and put it in chatgpt. Got it right immediately.

      The real detection mechanism is that you’re moving your mouse, thinking, and generally being slower than a bot anyway. The captcha itself is just a pointless annoyance.

    • RobMurray 3 days ago

      I am perfectly happy with having to prove that I am blind to get my bus pass, but if it was necessary to access a website I would just not use that site. Let's hope it never gets that bad. There's always Anticaptcha to fall back on, but I hate their business model.

    • miki123211 3 days ago

      What is your suggested alternative?

      Audio captchas are inherently discriminatory to those with hearing issues or those that don't speak the 5 supported languages. They're also somewhat easy to solve with ASR models now. Text captchas are incredibly easy to solve with LLMs.

      The only other alternative I see is some incredible tracking / surveillance machine (think an actual non-browser app that you have to run on your computer), but is that really what we want?

      • jabroni_salad 3 days ago

        I'm actually pretty okay with the zero click cloudflare dealios and prosopo PoW captchas. You can make websites that simply do not have visual puzzles on them at all.

        Every now and then turnstile does get a little borked but I can honestly say that I would rather just do without whatever I was trying to do than click 7 motorcycles. Hcaptcha and recaptcha are becoming my personal brown M&M indicator for additional bad user experiences in a given web property.

    • anotherhue 3 days ago

      > If you had a system for completely accurately identifying characteristics like "who is blind" in the presence of extremely hostile attacks on the system, you'd have something far more valuable than the CAPTCHA system itself!

      You are unfortunately describing worldcoin.

      • KETHERCORTEX 3 days ago

        Worldcoin? Government issued auth service is a viable option too. Just get some flag like "isBlind" in it. Disabled status is granted by the government after all.

Rastonbury 3 days ago

Some captchas are getting pretty discriminatory; not everyone lives in the West and can identify the objects they are asking you to. Another recent one sticks out where they asked me to pick a shape with the same number of conoids as on screen. If you ask people on a street what a conoid is, I bet a significant amount will give you blank looks.

Also at least now I know some people call those markings crosswalks

  • ta1243 3 days ago

    Sorry I live in the west, what's a "crosswalk"

    Did you mean to say

    > not everyone lives in the USA

    Other things I don't have a clue about - a fire hydrant, yellow taxis, yellow buses

    (Obviously I do, because of American cultural imperialism through things like Captchas which mean the world has to understand American cultural touchstones)

    • smitelli 3 days ago

      I distinctly remember a captcha which asked me to identify fire hydrants. Some of the pictures were hydrants, while others were standpipes. These are different things, and I answered accordingly.

      The service refused to acknowledge my humanity until I relented that a standpipe was a hydrant. If at some future date any of us burn to death due to an automated fire truck that misbehaved due to this, we’ll know why.

      • seanhunter 3 days ago

        Yup - I recognize this problem. I am a motorcyclist and I frequently have to grit my teeth and misidentify scooters as motorcycles if I want to get past captcha.

        For non-bikers, a scooter has an automated gearbox and small wheels etc. Think vespa.

        In the UK at least they are generally a different category of license, although that's because of the size of a standard scooter engine.

        • gsk22 3 days ago

          Except scooters are literally motorcycles? From Wikipedia:

          > A scooter (motor scooter) is a motorcycle with an underbone or step-through frame, ....

          Scooters are often legally motorcycles as well. For example, I had to get a motorcycle endorsement on my license for a scooter I owned, because the engine displacement was too large for the extremely restrictive "moped" category in my state.

          • seanhunter 3 days ago

            Of course as a scooter rider you say it's a motorcycle. That wiki entry was probably written by a scooter rider also. ;-)

            I actually feel a fellowship with all two-wheel riders but don't let any other bikers know or I'll be shunned.

          • andrewflnr 3 days ago

            They're not really considered as such by motorcycle people, for decent reasons too. Scooters generally have rather different ergonomics and controls, notably CVTs rather than manual transmissions for "proper" motorcycles. Overall a pretty different experience to ride. There's not really a good umbrella term, either, though.

            • esperent 3 days ago

              I live in Vietnam where the entire population drives small motorbikes or scooters. There's no defining feature except for having a cutaway to place your feet in a scooter. Even the engine placement is less of a clear thing now that many of them are electric.

              There are motorbikes with scooter-like controls, there are scooters with motorbike-like controls. Many small automatic motorbikes feel basically identical to driving a scooter except that your sitting position is very slightly different.

              • andrewflnr 3 days ago

                Presumably an American motorcycle purist's brain would simply explode in such an environment. :)

            • gsk22 2 days ago

              The "decent reasons" just sounds like snobbery or a reason to feel superior. Cars are cars, whether manual, automatic, CVT, whatever. Why should bikes be any different?

              I'm a big fan of two-wheeled transport in all its forms, but wow is there a prevailing toxic attitude among a large group of "true motorcycle" riders. Instead of welcoming people into the fold, it's just tribalism -- you drive a scooter, you're not a true biker; you ride a cruiser, true bikers only drive super sports; you drive an e-bike, but only loud pipes make a true rider!

              • andrewflnr a day ago

                Agree about the snobbery, but there is a real difference in kind between them that would be nice to have a good name for. Even if, as the other reply pointed out, they exist on a spectrum, the endpoints are pretty distinct.

        • arcanemachiner 3 days ago

          My rationale is that they're teaching cars what things they shouldn't drive into, so I'm pretty liberal with what constitutes a motorcycle, including the person on top.

        • gattilorenz 3 days ago

          Classic Vespa does not have an automatic gearbox. Last one without it was probably a PX model in the early 2000s, though.

        • jachee 3 days ago

          It's a squares/rectangles issue.

          Scooters are cycles that have motors, and are thus motorcycles in the most-inclusive definition of such.

          • TeMPOraL 3 days ago

            FWIW, I went out looking for a better category (something more like "two-wheeler" but without the engine), and discovered that Wikipedia actually agrees that scooters are motorcycles.

          • Ekaros 3 days ago

            And electric bicycle is in sense also motorcycle...

    • mapt 3 days ago

      Unfortunately, even understanding these things, on a shared connection it might take you literally two or three minutes of captcha work before Google recognizes your personhood.

      Am I identifying the boxes wrong? Am I doing it too fast? Where do "Stairs" begin and end? Does a motorcycle include its rider? Or is Google just fucking with me and failing me on purpose?

      My workplace had a period this year where captcha was put into the cashier checkout process.

      • danaris 3 days ago

        And while it's not quite the same kind of CAPTCHA, I've not infrequently run into Cloudflare "prove you're human" screens that just...never let me through. I click the box, it loads for a second, turns into a nice checkmark, and then...reloads the "prove you're human" page. Infinite loop (as far as I can tell, anyway, not having infinite time).

        • wing-_-nuts 3 days ago

          I forget what extension was doing this for me, but I think this was down to an extension blocking autoload/play. Try disabling your extensions down to ublock and slowly adding them back.

    • RobMurray 3 days ago

      And audio Captchas are in English. I suppose blind people who don't speak English or have any kind of hearing difficulty don't deserve accessibility.

      • webspinner 3 days ago

        Can you have them translated into your native language? I mean I imagine if you're using Google from a different country, it might take notice. Maybe it doesn't apply to reCAPTCHA, Google can be stupid like that!

    • reaperducer 3 days ago

      > Other things I don't have a clue about - a fire hydrant

      Even within the United States, fire hydrants vary greatly from city to city.

      I remember the first time I moved to a city that had those little squatty dark blue ones. I thought they were water main access points.

      It's interesting to see so many people on HN assessing that captchas are biased toward American culture. Very frequently I get captchas that include things I don't know, and when I look them up, they turn out to be Indian in origin.

      • genewitch 3 days ago

        Yeah, where are all these mopeds "in the US"? I can't even remember the last time I saw someone on a moped... 15 years ago in L.A.?

    • Symbiote 3 days ago

      Maybe the standard international signs are more easily recognised by machines anyway, but if not it will be interesting when Google and others start needing Captcha help.

      Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world, as well as realizing buses and taxis come in more colours.

      • reaperducer 3 days ago

        > Americans will need to learn what speed limit, parking prohibition and pedestrian crossing signs look like in the rest of the world

        If you think this is a binary America/Rest of the World problem, then you haven't visited very much of the "rest of the world" and noticed that every place is full of variations.

    • jstanley 3 days ago

      You don't think you could identify yellow buses without cultural knowledge?

      I think simply knowing "yellow" and "buses" would suffice.

      • dkdbejwi383 3 days ago

        It's hard to really say objectively, as the strange yellow American school bus is kind of an iconic image - perhaps because it looks so different to a regular public transport bus as seen around the rest of the world.

      • itishappy 3 days ago

        Does DHL deliver via yellow busses?

        • wccrawford 3 days ago

          Does anyone deliver anything except people via "busses"?

          • lostlogin 3 days ago

            Despite the name, you can’t deliver people over the Universal Serial Bus.

          • Ekaros 3 days ago

            Well the local long distance bus "consortium" did move at least part of parcels via busses here.

          • pbhjpbhj 3 days ago

            Don't they have postbuses in some countries that do all types of delivery including people and mail, alpenhorns and cheese and that kinda thing??

          • ta1243 3 days ago

            Well yes, how else do you get the mail?

            • Toorkit 3 days ago

              Those are called Vans.

              • TeMPOraL 3 days ago

                In the US.

                And then there's "shuttle", I believe the US has at least one kind of thing called "shuttle" for every possible mode of transport, including orbital flight.

                • jacoblambda 3 days ago

                  Well technically anything can be a shuttle because specifically the thing that makes it a shuttle is the operating pattern (repeated point to point service) rather than the machine itself.

                  Etymology-wise a shuttle was a type of weaving tool which is why the verb shuttle exists, i.e. to rapidly move back and forth across a length (as if you were weaving a thread into a piece of fabric).

                  So then you got shuttle trains which frequently ran back and forth. And from there other types of shuttle services (shuttle buses, shuttle vans, etc).

                  And of course eventually the space shuttle being intended to be a launch vehicle designed for shuttle service to and from orbit. (Side note, but technically if the SpaceX Starship actually achieves its intended sub-24h turnaround it'd be able to qualify as a shuttle provided it ran a fixed point to point route on a regular basis.)

    • astroid 2 days ago

      This can't be right, I have been told over and over again that America does not have any culture.

      Now it's being used to push imperialism through captchas of all things?!

      I feel like all the non-US or non-Western or however you want to categorize the 'rest of the world' should be striving to use free-range local culturally-appropriate captcha services if this is true.

      It's easy to blame the colonizers, but what about the local artisanal websites who give the colonizers/invaders a voice by integrating their captcha services?

      We really need an 'international-divorce' to put these issues to bed once and for all.

    • slater 3 days ago

      Please enter your five-digit ZIP code

      • dkdbejwi383 3 days ago

        Mandatory "state" field on forms - if it allows any string I usually enter "mostly liquid"

        • OptionOfT 3 days ago

          For me it is "constant despair".

      • bux93 3 days ago

        90210

        (Cue theme music in mind's ear)

        • thebruce87m 3 days ago

          That’s my zip code too, along with millions of others who live outside the US. Haven’t needed to use it for a while.

          • umanwizard 3 days ago

            Similarly, on websites that require a British address I use “10 Downing Street” (the only one I know!)

      • croisillon 3 days ago

        Did you know that the ZIP codes for both Paris, Texas and Paris, France start with 75xxx?

        • KETHERCORTEX 3 days ago

          Well, France doesn't have Zone Improvement Plan codes. It is somewhat annoying to fill forms on websites with "ZIP code" in them for people outside US. They aren't called this way anywhere else (except for one or two countries).

      • alex7o 3 days ago

        SE1 9QN is my postcode, what 5 numbers?

    • pbhjpbhj 3 days ago

      Is a coach a bus? Honestly, I'm not sure what makes them different, if you pressed me I think I'd say a coach has luggage compartments underneath. A UK coach is not a bus... although Megabus run mostly coaches, and Stagecoach run mostly buses.

      Is a scooter a motorcycle, what about a pedal-and-pop, an ebike? Is the backbox (rear carrier) part of the motorcycle?

      Is a single light at a junction, ahem intersection, a traffic light? Is the outer-container part of the "light"? What about the lights for pedestrians, are they part of the traffic light?

      Are house steps, that don't carry you to a different storey, still stairs? Is a single step also stairs?

      Are fire hydrants always red?

      So, yeah, usually I just leave the website and come back to HN.

    • zeroonetwothree 3 days ago

      [flagged]

      • Symbiote 3 days ago

        In many countries fire hydrants are underground, under an iron or concrete cover. There's very little to see on the street.

        There might or might not be a sign marking the location.

        Sweden: https://commons.wikimedia.org/wiki/Category:Fire_hydrants_in...

        UK: https://commons.wikimedia.org/wiki/Category:Fire_hydrants_in...

        It's also not necessarily relevant to worry about blocking one when parking a car.

        • pbhjpbhj 3 days ago

          Most UK hydrants are at junctions where it's already illegal to park... come to think of it, I think USA ones are maybe mostly at junctions (in the media I've seen)? Are you allowed to park at junctions in USA?

          • umanwizard 3 days ago

            > Are you allowed to park at junctions in USA?

            US driving laws vary quite widely depending on the state (and sometimes depending on the city within the state). So there’s probably no uniform answer. But parking at an intersection is indeed allowed in a lot of places within the US, in my experience.

  • dizhn 3 days ago

    I routinely have problems with closeup images. To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.

    Once it showed me a picture of steps, nothing but steps. I think I marked like 15 boxes.

    • Wowfunhappy 3 days ago

      > To this day I don't know how much of the object I should be selecting? Also what is a traffic light? Is the pole part of it or not? Motorcycles seem to be hard too.

      I have always assumed this was purposefully ambiguous. The right answer is whatever a majority of humans will answer when presented with the same picture.

      • sml156 3 days ago

        I don't think the majority of people on earth would base all their captchas on things only found in America

        • layer8 3 days ago

          The majority of people will still cluster around the same best guesses, and that’s all that matters to the algorithm.

          Yes, it’s annoying, but that doesn’t matter to the algorithm.

    • andrepd 3 days ago

      If you think you're failing the captchas because you're doing them wrong, think again. Google captcha intentionally fails you a couple times if they don't have enough tracking info to determine that you're legit. So you solve the captcha correctly but are still lied to that "you've failed to solve the captcha, try again".

      That and the "fading images slowly to pretend like you have bad internet" thing. Disgusting behaviour

      • oniony 3 days ago

        Maybe they purposely load the images slowly to make it more expensive for the bot owners.

        • reginald78 3 days ago

          Also just catches people they think might be bots.

          I've definitely encountered captcha tarpit logins before that could never be solved until I changed VPN endpoint. I was never getting in.

        • andrepd 3 days ago

          They don't. They load the images and then have js to fade them slooooowly. It's pernicious precisely because of that: its purpose is to annoy humans while being completely useless to thwart bots.

        • lesuorac 3 days ago

          I kinda don't understand why we still have captchas. We've solved the asymmetric problem with proof-of-work; just make somebody solve something trivial so they spend more resources than you do.

          Like if a bot requests your page 1/day it's not a problem; but if they want to request it 1/ms then the proof-of-work becomes too much for them and it's transparent to a person.

          • dizhn 3 days ago

            It might be an incentive to make people stay logged into their accounts. This wouldn't be the whole reason but I am sure it's part of it. I used another laptop with a VPN for a few days and what used to be smooth experiences turned into a shit ton of "log in to prove you're not a robot". Both Reddit and Youtube did this.

    • jrockway 3 days ago

      I'm never that consistent and usually get through. I think they are looking at things like mouse acceleration, smoothness, etc. rather than the actual answer to the questions.

      • layer8 3 days ago

        They don’t let you pass if you don’t answer roughly correctly.

  • bityard 3 days ago

    I have lived in the West my whole life, and am reasonably well educated, and have never heard the word conoids in my life.

    • mock-possum 3 days ago

      Sure, but you can imagine pretty easily what a ‘conoid’ would be, right? ‘Spheroid’ would be something sphere-like, ‘mongoloid’ is something mongol-like, ‘freakazoid’ is something freaky…

      it’s pretty clear from context that ‘conoid’ means ‘like a cone’ isn’t it?

      • TylerE 3 days ago

        But is it a geometrical cone, a conifer tree like thing, a pseudo-control device, or what?

        I consider myself pretty literate (I was assessed as reading at a college level by the 4th grade), and I've never heard that word.

        More importantly, they can look absolutely nothing like cones.

        Would you identify this as "cone like" if it wasn't for the URL? https://en.wikipedia.org/wiki/Conoid#/media/File:Pluecker-co...

  • crazygringo 3 days ago

    I am Googling "conoid" right now and I still can't even imagine what it's supposed to be.

    The Google dictionary says it's a zoological term "approximately conical in shape".

    The Wikipedia panel says "In geometry a conoid is a ruled surface, whose rulings fulfill the additional conditions: All rulings are parallel to a plane, the directrix plane. All rulings intersect a fixed line, the axis." The graphics are... nothing intuitive.

    The M-W link in the search results says "a cone-shaped structure; especially : a hollow organelle shaped like a truncated cone that occurs at the anterior end of the organism".

    None of this seeming relevant, I clicked on the Image tab and it's all these complicated Mathematica-style graphs of things that are very much not cones.

    I see other people in the HN comments similarly have no idea.

    Can you please explain what you saw on screen? What did the captcha think was a conoid...? Like, traffic cones or something?

    • ayewo 3 days ago

      Using the touch pad to long-press on the text "conoid" in my browser brought up the built-in dictionary definition on macOS:

      > conoid | ˈkəʊnɔɪd | mainly Zoology adjective (also conoidal | kəʊˈnɔɪd(ə)l | ) approximately conical in shape.

      > noun a conoid object: her hull was a conoid, tapering towards the bow.

      • recursive 3 days ago

        Yeah, that's the zoological definition again.

    • genewitch 3 days ago

      In the UK some crosswalks have cones on the bottom of the box where the button to wait to cross is, and OP mentioned crosswalks in the final sentence. Maybe it's just too late for me right now, but that's what my brain assumed, but the "same number of shapes as" thing was not enough context!

      the cone on the bottom spins when you have the right of way.

  • Aardwolf 3 days ago

    Also asking things about US traffic signs or markings in countries with different looking traffic signs

  • gopher_space 3 days ago

    I can't be the only person who's been checking as many wrong answers as I can get away with for the last decade, and I'd be complimented by my conoid-questioning brethren. Captcha seems like it's fully entered a "bear proof garbage can" phase I don't see it escaping.

  • wing-_-nuts 3 days ago

    I've just resorted to flipping over to the audio captcha. Yes, solving the first one takes more time, but you pretty much get it right the first time and you're not wasting your life wondering if 2cm of a fire hydrant is enough to label a square as having a fire hydrant.

  • joveian 3 days ago

    Also, if you use a larger minimum font size often the text describing the thing you are supposed to select is under the image and unreadable. With hCaptcha it varies depending on the size of the popup window with the captcha and Google seems to reliably show just the top (barely enough to figure it out most of the time).

  • jillyboel 3 days ago

    I live in "the West" but English isn't my main language. I have no idea what a conoid is.

    • rovr138 3 days ago

      > A conoid is a ruled surface whose rulings are parallel to a plane (called the directrix plane) and intersect a fixed line (called the axis of the conoid) (Gellert et al. 1989, p. 202). Examples include the circular conoid, helicoid, hyperbolic paraboloid, parabolic conoid, Plücker conoid, right circular conoid, Wallis's conical edge, Whitney umbrella, and Zindler conoid. If the axis is perpendicular to the directrix plane, the conoid is called a right conoid (Gray et al. 2006, p. 436).

      https://mathworld.wolfram.com/Conoid.html

      so, a surface with stripes - example https://pxhere.com/en/photo/1366651

      • cmrx64 2 days ago

        Where did you get stripes from in any of that? A surface is ruled when it can be constructed by extruding a line (or segment) along some path… like waving a ruler around.

        • radicality 2 days ago

          I think they meant that something striped and rectangular, like a crosswalk, is a 'ruled surface' because the stripes themselves are like the ruler ?

          So I guess a crosswalk (flat rectangle in 3D space), would be considered a 'ruled surface', but I don't think it meets the other requirement to make it a conoid.

    • BenjiWiebe 3 days ago

      I live in the US, English is my only language. I could probably guess what a conoid is, but I don't actually know (until reading these comments).

  • sundarurfriend 3 days ago

    Avoiding this is what made hCaptcha popular among a lot of users in the first place. reCaptcha has always been guilty of this, and it doesn't seem like they're taking any steps to improve this US-centred definition of humanity. hCaptcha gave much more general and neutral puzzles that made a lot of people (including me) give a sigh of relief when they encountered a CAPTCHA and it was h and not re.

    • RobMurray 3 days ago

      recaptcha audio challenge is just a few words (in English) that you have to enter. Might be easier in some circumstances? You can press CTRL to repeat the audio.

      • webspinner 3 days ago

        I like it myself. If I have to use CAPTCHA that is, I can't stand it on principle!

  • Suppafly 3 days ago

    >conoids

    Things that are shaped like cones?

  • wslh 3 days ago

    > Some captchas are getting pretty discriminatory, not everyone lives in the West and can identify the objects they are asking you to.

    Honestly, even living in the West, sometimes I feel like they expect me to have an IQ of 200 just to pass! And, I am sure I pass the Turing test without issues.

  • croes 3 days ago

    But on the internet the answer to „what is a conoid“ is just a web search away.

    The bigger problem is when other options of a captcha fit in another cultural context.

    Taxi colors are an example for that.

    • Suppafly 3 days ago

      >But on the internet the answer to „what is a conoid“ is just a web search away.

      When I search, the whole first page of google is essentially "things that are shaped like cones", I have no idea what that would be in response to one of those image captchas that show traffic and buildings.

    • TeMPOraL 3 days ago

      > But on the internet the answer to „what is a conoid“ is just a web search away.

      Not when it's your search engine that's asking you to identify conoids.

    • gus_massa 3 days ago

      I got mathematical surfaces like https://en.wikipedia.org/wiki/Conoid To get the correct image I had to search conoid street. Anyway, I guessed they were those red cone shaped things that people put on the street and I'm not sure how they are called even in Spanish (probably conos or balizas).

    • joegibbs 3 days ago

      Google "conoid" and you'll get a bunch of pictures of shapes that are curved in different ways. I assume the captcha was talking about things that have a similar shape to a cone, but I don't think you'd get much of a clue from Google.

    • rovr138 3 days ago

      > A conoid is a ruled surface whose rulings are parallel to a plane (called the directrix plane) and intersect a fixed line (called the axis of the conoid) (Gellert et al. 1989, p. 202). Examples include the circular conoid, helicoid, hyperbolic paraboloid, parabolic conoid, Plücker conoid, right circular conoid, Wallis's conical edge, Whitney umbrella, and Zindler conoid. If the axis is perpendicular to the directrix plane, the conoid is called a right conoid (Gray et al. 2006, p. 436).

      https://mathworld.wolfram.com/Conoid.html

nerdponx 3 days ago

Lesson 1 about competing with Google should be "don't be even more disrespectful to your users than Google is". Otherwise people will just use Google.

Relying on the goodwill of a small number of "never-Googlers" to carry your business, in spite of the way you do business, is not a path to success.

While hCaptcha trashes its reputation, the rest of the world will go on using reCaptcha and not giving the faintest whiff of a fart about hCaptcha's existence.

(Side note: the spelling is "intentional", not "intensional". Think "intent" + "-tion" + "-al", not "in-" + "tension" + "-al").

blindgeek 4 days ago

The author was essentially too smart to be blind.

  • yorwba 4 days ago

    I wonder whether talking about "looking at the javascript console" somehow made them think that this person cannot possibly be blind, since how could a blind person "see" the JavaScript console? (But "having my screen reader read the content of the JavaScript console to me" is a bit of a mouthful.)

    • blindgeek 3 days ago

      You know, that's a good point, and it hadn't occurred to me. For the overwhelming majority of blind people, language like "looked at" is just metaphorical. I mean, all language is symbolic anyway. The map is not the territory and the menu is not the dinner. Some of us are taught very young to use common terms like look in that kind of a metaphorical way. Partially so that we fit in and are comfortable with the rest of sighted culture. And then once in a great while, we get condescended to for it. There's a really good example of this in the second season episode of DS9, The Alternate.

      ```
           ODO
         It was a dilemma for me. I'd never
         seen anything like these creatures either.

           MORA
         "Seen" isn't really an appropriate
         description. He had no eyes per
         se...

           ODO
         I was only trying to describe it in
         simple terms...

           MORA
          (ignoring that)
         He had never perceived anything like
         us before... go on...
      ```

      I can pretty much guarantee that every blind person has had a condescending, patronizing douche canoe like Mora in their life at least once.

      • bluGill 3 days ago

        Even as a sighted person, "look at" is often metaphorical - you can interview an expert over the phone and say you looked into the subject even though the only looking was around the phone number.

        • lagadu 3 days ago

          When someone recommends me an album or artist I "take a look" at it: I listen to it. Though now that I think about it, I wouldn't say that in my other languages.

      • Lerc 3 days ago

        This is how use of language concealed aphantasia for so long. When you use a word in a context similar to how another used it in that context there seems to be a presumption that the subjective experience is the same in that context.

        Given how we learn languages and words based upon encountering them in contexts, it makes sense that terms that we use in outwardly similar contexts reflect the subjective experience that each of us relate to those terms. We don't have access to another's subjective experience so I can see how it would encourage the assumption that we all perceive things the same way.

        There might be many undetected variances in perception akin to aphantasia lurking in us waiting to be discovered.

        • blindgeek 3 days ago

          Here's the thing. We're talking about people who are the accessibility team for hCaptcha. They should at least have a fig leaf of an understanding of life for blind people.

          The other problem we have is that online companies tend to be accountable to no one. Short of lawsuits, my friend who got banned from hCaptcha for "not being blind" has no recourse, because nobody is accountable.

          • rascul 3 days ago

            Lawsuits are how that's solved in the physical world also.

      • pbronez 3 days ago

        I suppose one could say "observed" as a sense-neutral alternative to see / hear. Might be a worthwhile language shift, similar to using "they" as a gender-neutral alternative to "he" and "her".

        We usually talk about the inclusion benefits of neutral language. It can also be valuable by making specific terms more meaningful when used appropriately. If I know you usually say "they", then when you choose to say "he" I get more information -- there's a clear gender expression. Similarly, if you usually say "observe", then when you say "see" I know we're specifically talking about vision.

        Of course, it's an awkward transition. It's hard to get used to "they/them" and saying "I observed a delicious aroma" sounds like a robot impersonating a person.

        • blindgeek 3 days ago

          It's notable that the majority of the people who would be "included" by the change to "more inclusive" language aren't offended in the first place. The sentence "I am watching TV" literally offended no blind person, evah. It is only sighted do-gooders who have the spoons to be offended by nothingburgers on our behalf. We're too busy dealing with stuff like, ... I dunno, landlords who refuse to rent to us because all they have is second story units and we might fall down the stairs. Yes this actually happened to me in 2000 or so, and I don't have enough faith in human intelligence to believe that it isn't happening today. We're too busy being oppressed by captchas and websites made by frontend devs who seem to care more about chasing JavaScript framework du jour than they care about accessibility. We're busy struggling against a built physical environment which has been designed for cars and not people. The supposedly non-inclusive language of "I watched TV" or "I looked at my browser's JS console" aren't even on our radar.

          I coined the term "Sapir-Whorf Stalinists" a few weeks ago to describe the sort of people who think that monkeying with language will magically make things better for marginalized groups.

          Here's Lee Atwater talking about the Southern Strategy:

          > You start out in 1954 by saying, “Nigger, nigger, nigger.” By 1968 you can’t say “nigger”—that hurts you, backfires. So you say stuff like, uh, forced busing, states’ rights, and all that stuff, and you’re getting so abstract. Now, you’re talking about cutting taxes, and all these things you’re talking about are totally economic things and a byproduct of them is, blacks get hurt worse than whites.… “We want to cut this,” is much more abstract than even the busing thing, uh, and a hell of a lot more abstract than “Nigger, nigger.”

    • RandallBrown 3 days ago

      I'd bet that's exactly what happened.

  • jesterswilde 3 days ago

    Gwahahha, succinct. I run into this far too often. Being in places or doing things I (blind guy) "shouldn't be", thus, am not blind.

  • webspinner 3 days ago

    Yes because all of us are stupid according to hCAPTCHA!

jchw 3 days ago

I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat. CAPTCHA does not. Almost all turnkey CAPTCHA services can be solved for pennies.

Solving the problems of SPAM and malicious traffic will be challenging... I am worried it will come down to three possible things:

- Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for how the web platform could be closed down. The vast majority of web users use Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested. The number of users that can viably do this will only increase over time. In this future, the web ceases to meaningfully be open: alternatives to this approach will continue to become less and less useful (e.g. machine learning may not achieve AGI but it's going to kick the ass of every CAPTCHA in sight) so it will become increasingly unlikely you'll be able to get into websites without it.

- Accountability of network operators: Love it or hate it, the Internet benefits a lot from gray-area operators that operate with little oversight or transparency. However, another approach to getting rid of malicious traffic is to push more accountability to network operators, severing non-compliant providers off of the Internet. This would probably also suck, and would incentivize abusing this power.

It's tricky, though. What else can you do? You can try to reduce the incentives to have malicious traffic, but it's hard to do this without decreasing the value that things offer. You can make malicious traffic harder by obfuscation, but it's hard to stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new and much more closed off web.

  • SirMaster 3 days ago

    CAPTCHA definitely works in some cases.

    On our website, without CAPTCHA we get dozens of forms filled out by bots per day. With the CAPTCHA we get 0.

    So sure it may be cheap to defeat the CAPTCHA, but nobody seems to be willing to go through that small hoop to do it on our website.

    • salviati 3 days ago

      I believe that 0 will be a higher number next year. And an even higher the following year.

      • whartung 3 days ago

        Even in a year, I don't think random AI will be "cheap" enough for spamming CAPTCHA on random websites. Maybe for select, ripe targets (your bank, etc.). But for a random business with a form?

        Nah.

  • mapt 3 days ago

    There is another option.

    CAPTCHA is useful only when it is costly to solve. It is a costly signal that this is a real person, or at least is more than 1/10^9th of a real person (you're not running a fully automated spam system).

    The postal service also has costs - everybody that wants to move something through the postal service needs to buy a stamp. Transport fees are a 'natural' way to moderate traffic and deter spam.

    Various combinations of network architecture and cryptocoinage permit you to invoke transport fees per attempted transmission/login. Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications. The cryptocoin aspect is specifically about preserving anonymity of private wallet access while permitting the cash-like transactions that stamps enable.

    • jchw 3 days ago

      Cryptocurrency micropayments have been proposed and even attempted as a solution to various problems. Hell, there's also Hashcash, an early proposed anti-SPAM measure for e-mail using just proof-of-work. (Since this is just burning CPU though, it probably isn't effective in the modern world of most people using low-power mobile computers and many SPAMers having access to cheap very high power computers. Might serve as a good hurdle for people trying to implement malicious bots, but it will eventually become useless if it is shown to be effective IMO.)

      I'm skeptical though. It puts a literal price on abusing a service, but how do you set that price? Is there a guarantee that there's a value high enough to meaningfully disincentivize SPAM but low enough that users, especially users in areas that may have an economic disadvantage, are able to pay it?

      That's on top of the other practical problems, such as actually implementing it. I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me. In a world with increasing scrutiny towards credit card processors, I was hoping that the silver lining would be that cryptocurrency could at least help mitigate some of the concerns, but there are just too many hurdles right now. (Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges. I'm not happy about silly KYC policies or anything like that, but I am not surprised at all.)
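      The proof-of-work idea raised upthread (make the requester burn CPU while the server verifies cheaply) and the Hashcash scheme mentioned here are the same mechanism. The following is an added example written for this thread, not code from Hashcash, hCaptcha or any project under discussion: the server issues a random challenge with a difficulty and an expiry, signs the parameters with an HMAC so it can verify statelessly, the client brute-forces a counter until SHA-256 of the challenge plus counter has enough leading zero bits, and the server checks the result with one HMAC and one hash. The wire format, the function names and the single-use `seen` set are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Hashcash-style proof of work. Expected client work is about 2**difficulty
# hashes; server verification is one HMAC plus one SHA-256 regardless of
# difficulty. Wire format and names below are this example's assumptions.

HASH = "sha256"


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()  # zeros above the top set bit of this byte
        break
    return bits


def _challenge_tag(secret: bytes, nonce: str, difficulty: int, expires: int) -> str:
    # MAC over the challenge parameters so the server can verify statelessly:
    # a client cannot lower the difficulty or push the deadline out.
    msg = f"{nonce}|{difficulty}|{expires}".encode()
    return hmac.new(secret, msg, HASH).hexdigest()


def issue_challenge(secret: bytes, difficulty: int, now: Optional[float] = None,
                    ttl: int = 60, rand: Optional[bytes] = None) -> dict:
    """Server side: build the challenge sent to the client."""
    nonce = (os.urandom(16) if rand is None else rand).hex()
    expires = int(time.time() if now is None else now) + ttl
    return {"nonce": nonce, "difficulty": difficulty, "expires": expires,
            "tag": _challenge_tag(secret, nonce, difficulty, expires)}


def solution_hash(challenge: dict, counter: int) -> bytes:
    """The hash both sides compute over the challenge and a candidate counter."""
    data = f"{challenge['nonce']}|{challenge['difficulty']}|{challenge['expires']}|{counter}"
    return hashlib.sha256(data.encode()).digest()


def solve(challenge: dict) -> int:
    """Client side: brute-force the counter. This is where the cost lands."""
    counter = 0
    while leading_zero_bits(solution_hash(challenge, counter)) < challenge["difficulty"]:
        counter += 1
    return counter


def verify(secret: bytes, challenge: dict, counter: int, seen: set,
           now: Optional[float] = None) -> bool:
    """Server side: constant cost whatever the difficulty. Rejects forged
    parameters, expired challenges and replays of an accepted solution."""
    now = time.time() if now is None else now
    expected = _challenge_tag(secret, challenge["nonce"], challenge["difficulty"],
                              challenge["expires"])
    if not hmac.compare_digest(expected, str(challenge.get("tag", ""))):
        return False
    if now > challenge["expires"]:
        return False
    if challenge["nonce"] in seen:  # every challenge is single use
        return False
    if leading_zero_bits(solution_hash(challenge, counter)) < challenge["difficulty"]:
        return False
    seen.add(challenge["nonce"])  # in practice a TTL-bounded store, not a plain set
    return True


if __name__ == "__main__":
    secret = os.urandom(32)
    ch = issue_challenge(secret, difficulty=16)
    start = time.perf_counter()
    ans = solve(ch)
    print(f"solved after {ans + 1} hashes in {time.perf_counter() - start:.2f}s")
    print("accepted:", verify(secret, ch, ans, set()))
```

      Raising `difficulty` by one bit doubles the client's expected work without changing the server's cost, which is the asymmetry the proof-of-work suggestion relies on. The caveat in the comment above still applies: the same bit count costs a phone far more wall-clock time than it costs a spammer's rack of hardware, and the expiry plus the `seen` set are what stop one solved challenge from being replayed across many requests.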

      • AnthonyMouse 3 days ago

        > It puts a literal price on abusing a service, but how do you set that price?

        Start with a nominal one and increase it until the spam problem goes away.

        Create escape hatches for people who can't afford it, e.g. you can either pay/mine a couple dollars worth of cryptocurrency, or you can have someone who paid vouch for you (but then if either of you spam you both get banned), or you can do some rigorous identity verification which is inconvenient and compromises privacy but doesn't cost money, or (for smaller communities) you ask the admins to comp you and if you're known in the community from other sites then they do it etc.

        > I mean, if someone implements it and tries to solve the usability issues involved I would be open to this future, but as it is now, cryptocurrency has disappointed me.

        This doesn't seem like an insurmountable problem to solve. To give someone some cryptocurrency you can either send it directly (useful option for advanced or privacy-conscious users) or use a service and then it should be no different than using Paypal et al.

        The real problem is the regulations are currently designed to make using it an unreasonable amount of paperwork:

        > Some of them may be caused by regulation, but to be fair, I think at this point it's hard to blame governments for trying to regulate cryptocurrency exchanges.

        There's a difference between regulating exchanges and regulating users. If you're holding millions of dollars in cryptocurrency then the government is reasonably going to expect you to file paperwork and pay taxes on gains etc. If you're only holding three and four digit dollar amounts worth then they should leave you alone and you shouldn't have to do anything.

        In theory you can strike a reasonable balance here where the crypto scammers go to jail but Joe Average doesn't have to file any more tax paperwork to use Bitcoin Cash to buy a pack of gum than to pay in physical cash. We'll see what the new administration does with it.

        • jchw 3 days ago

          Well, for solving both the UX and regulatory issues with cryptocurrencies... I'm not optimistic, but I am open to being pleasantly surprised.

          On the UX side, I think a huge problem is making it possible for users to participate using a non-custodial wallet with as little risk of data loss or compromised credentials as possible. So it needs to be hardened against ignorance, stupidity, house fires, malware, and social engineering. That is hard. Irreversible transactions greatly up the stakes while increasing the incentive to attack. Do you ever feel a bit nervous about the send address being wrong when you use cryptocurrency?

          A thing I didn't mention but is equally important to solve is developer experience. I wish there was a turnkey SDK that took care of most of the technical stuff and just let you use cryptocurrency like it's PayPal. If we had on-chain subscriptions (I think Ethereum can do this?) it could be even more powerful. The technologies offer a ton of possibilities but taking advantage of it correctly and securely feels like a tall order. Dealing with cryptocurrencies feels more serious than dealing with traditional payment processors: you can't undo when you fuck up.

          Some of this can be resolved. On the user side, users can keep less value stored in wallets long term... Though this is more cumbersome and less usable. On the developer side, developers can make nodes that can verify transactions but not spend currency... But this can be challenging (I think it's weird to do with Monero for example?) and it closes off some use cases ("escrow" style transactions; Skeb-style commissions would be a good use case.)

          If it gets solved I will celebrate as it seems like it would have a lot of positive upsides, but I think you might need to pardon my skepticism: it's been a lot of years and it hasn't gotten that much better. (Granted, it's still pretty new, but the momentum is slower than I would have hoped.)

    • throwaway2037 3 days ago

      This sounds like the same argument that was made for about 10 years (2000 to 2010) that micropayments would save traditional (print) media in a digital world. It didn't work due to market fragmentation and friction to make a payment.

      And, the reality of your fancy idea is that normie users would turn away if they made a mistake on the CAPTCHA and were suddenly presented with a screen "charging" them one pence.

      • mapt 3 days ago

        This isn't about "making a mistake on the captcha", this is about charging them one pence for every attempt and just not having a captcha.

        It's an entirely different sort of system, and it would require a cordoned off section of the Internet to implement it top-down, but it's technically viable.

        The defining insight here is how many orders of magnitude difference there is between the "That price is negligible" threshold for a human being, and the "That price is negligible" threshold for an automated system. Sure there are adoption issues, but for all applications where there are several orders of magnitude difference, such a system makes some degree of sense.

        • theamk 3 days ago

          Don't think it's going to work, except in the smallest forums?

          According to a random page on the internet [0], companies pay in the $2-$6 range per 1000 ad impressions. If one pays $0.01 to bypass the captcha and just 10 people see the resulting spam post, that's already $1 per 1000 views - much less than Facebook charges. This becomes even more lucrative if the ads are expensive or there will be more than 10 people looking at the ad.

          It looks like you'll want much higher costs than that, which will make it "too much" for other users.

          [0] https://spideraf.com/learning-hub/what-is-the-average-cost-p...

      • njarboe 3 days ago

        Would be great if the US government somehow facilitated micropayment. Either by creating their own system or removing the capital gains reporting requirements on crypto (maybe up to $10k/year).

        • throwaway2037 2 days ago

          If micropayment is such an amazing solution to these problems, why haven't we seen a working solution after more than 20 years of talking about it? Why doesn't HN have multiple competing micropayment startups? To me, the results speak for themselves.

          Another outcome that I could never understand: The original conversation was micropayments for traditional print media that was moving into the digital age. Why didn't they all band together to create an industry standard that defined (and possibly administered) a micropayment system? In the end, paywalls were the solution, and winner-mostly-takes-all when print moved to digital. Look at the decline in medium to small newspapers in the last 20 years in the US. It is devastating, but a few national, major newspapers are doing OK.

          • mapt a day ago

            You are talking about appreciable micropayments for appreciable amounts of entertainment from small creators.

            And I would argue we did get those in the form of subscriptions in Patreon, Onlyfans, Buy Me A Coffee, et al, or in the co-op world of Nebula. We didn't get them down to very low fee structures because we've designed our payment infrastructure with the intent of supporting a profitable company called Visa, Inc, to which we've offloaded a number of different functions that a government mint / treasury / post office would normally perform. And because lots of revenue on these sites comes from whales, people with outsized income in a country with a great deal of wealth inequality.

            What I am talking about is TINY micropayments just for human authentication purposes. Because what we've had so far in the realm of, for example, spam email, involves sending off messages at a CPM of less than a tenth of a penny. Imposing infrastructure which pegs human authentication tasks, normally performed less than ten times a day, at a CPM of ten dollars, can eliminate most applications of automated systems and eliminate the annoyance of captcha, while costing the human less than ten cents. There are no whales in the login space.

    • Retr0id 3 days ago

      Although solving a captcha can be translated into a monetary cost (often the cost of labour for a human in a clickfarm to solve it for you), the nice thing is that it's still "free" to solve normally.

      If you switch to direct payments that are still affordable for routine use by your poorest users, then your rich adversaries can afford to generate orders of magnitude more spam (until we solve unequal wealth distribution globally).

      Also, the cost of using a postal service nominally covers its operating costs. The cost of actually transferring a spammy HTTP request over the internet is negligible, but the costs imposed on its receiver are less so (i.e. the cost of responding to it (cpu/ram/disk/bandwidth), second-order costs of lowering the quality of the service for everyone else, etc.).

      • Y_Y 3 days ago

        > until we solve unequal wealth distribution globally

        Is this a joke?

        • Retr0id 3 days ago

          Why would it be a joke?

          • Y_Y 3 days ago

            Even assuming that uneven distribution is a problem, and that it was possible to make global wealth evenly distributed, it would be such a colossal undertaking that it would necessarily entail massive social upheaval and take a very long time after which the captcha problem would hardly be comparable to what we have now.

            • Retr0id 3 days ago

              None of that is at all relevant to the point I was making. Whether you think extreme wealth inequality is good or bad, for as long as it exists, it makes paying fixed fees a poor alternative to captchas.

              • Y_Y 3 days ago

                Until we solve the "water is wet" problem domain squatting will continue to be an issue.

                Without a definitive resolution to the continuum hypothesis there will be no efficient distributed consensus algorithm.

                As long as humanity bears the mark of Original Sin, it will be hard to run a business selling GPL software.

              • genewitch 3 days ago

                "A fine means it's legal if you're rich"

    • thayne 3 days ago

      > The postal service also has costs

      I don't know about you but even with this cost about 90% of the physical mail I receive is junk mail.

      > Sensible ones, if every spam email or login guess costs even 1 penny it becomes prohibitive for most fully automated spam applications.

      Do you have a solution for transaction costs? How do you pay a penny without having to pay more than that for the transfer of funds?

    • danaris 3 days ago

      If you expect 99% of normal internet users to maintain a crypto wallet of any kind just to access certain websites—even leaving aside the actual cost—you're going to be sorely disappointed.

      • genewitch 3 days ago

        I was moderately into crypto, i mined coins including BTC; and i'll be damned if i am gunna connect my wallet to a browser, or put crypto in an escrow to pay out to avoid captchas. I'm being as polite as reasonably possible, here.

        the only way this makes sense is you convert the entire planet to renewable or non-polluting electricity generation, and then when a user is on facebook, youtube, (or watch ads!), a core or 2 of their machine/phone will "mine" crypto, that can then be used somewhere else. The crypto can't be transferable - it must be "burned". Defined: When the site requests some crypto for proof, it says "send to this non-existent address" and then waits for the block to show that your wallet sent crypto to that address. This "burns" the money. In fact, a couple of cryptocurrencies tried to enforce this, as well as "proof of stake" - where if you had enough coins you could "mine" by merely having your wallet "logged in." The former is called "proof of burn"

        another thing, no blockchain block publication is fast enough for this. so now we gotta rope in lightning or some other "hack" on top. I knew when i first heard about bitcoin that there was no way that anyone was going to wait 10 minutes for any payment to go through, especially if it's under some moderate amount of money, like $20.

    • Nullabillity 2 days ago

      Snail mail is a hilarious example, given that spammers are the only ones willing to pay the fees.

  • Telemakhos 3 days ago

    This doesn’t feel so much like the end of the “open web” as it does a rehash of USENET and email spam issues. Social media killed USENET, and email managed its spam issues thanks to filtering.

    • jchw 3 days ago

      Email kind of solved its SPAM issues, but it came at great costs. It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures. The degree of difficulty with participating in the network does somewhat degrade its openness in my opinion.

      If anything works in the favor of email it is that email is not published. It is not necessarily very private inherently, but it is at least not a system where things get broadcasted publicly. IMO this limits the value of spamming people over e-mail: you have to send a very high volume of e-mail to SPAM effectively over e-mail, and this high volume use pattern is not something that ordinary users will ever engage in, so it's easy to at least separate out "possible SPAM operation" versus "guy sending email to a friend". (I'm not saying that systems are necessarily perfect at distinguishing one from the other, but at the very least it would be hard to mistake the average Gmail account for being part of a massive SPAM operation. The volume is just too low.)

      I hope the open web survives, but if e-mail is any kind of sign, it's not a great one in my opinion.

      • martin_a 3 days ago

        > It's possible but quite hard to run your own e-mail server; if you're not on a major provider, the possibility is high that a major provider will at some point have deliverability issues to or from you due to automated anti-SPAM measures.

        In the roughly 25 years that I've used shared webhosting to have my own domain name and mailboxes, deliverability was never an issue. Never tried to send thousands of mails though, so...

        • jchw 3 days ago

          I have been running web services for around 22 years I believe. At the very beginning, I had zero problems with deliverability to most addresses. However, even early on, I do remember plenty of forums that mentioned that Yahoo! or Hotmail tended to drop their confirmation e-mails into SPAM. Smaller operators had an advantage in being lower volume; I think that gives you a higher likelihood of delivery. That said, their emails are also more likely to get caught up in SPAM filters without remediation.

          Something has changed recently, though. I have found it increasingly hard to even get an IP that is not blocked anymore. I recently migrated a VPS that was almost 10 years old that was running its own e-mail services, and after a lot of struggling... I gave up. It now has to go through an SMTP proxy to send e-mail. This bums me out, but after multiple attempts to get an IP that worked, I gave up. The provider did tell me that I was grandfathered in to have outgoing SMTP enabled on my servers (something that new users do not have by default, by the way) but recommended I stop using it.

          Is the network open? Yes. Does everyone have deliverability problems? Probably not. But maybe another question: If you did have deliverability problems to some major provider, would you even know about it? If you're not very high volume, maybe not!

    • dataflow 3 days ago

      Email hasn't actually fixed spam issues, it's just mitigated a big chunk of them. But I know for a fact that I still mark emails in my inbox as spam on a regular basis, and still dig legitimate emails out of my spam once in a while.

  • AnthonyMouse 3 days ago

    > validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

    Not only untenable because of the privacy invasion but also because there are too many users who are willing to click on whatever for a chance to win a prize and thereby authorize use of their identity for spamming.

    > approaches like Web Environment Integrity and Private Access Tokens

    That stuff never works because the spammers only have to break one model of one popular device. The people proposing it are snake oil salesmen or platform companies that want to use it for lock-in, because spammers spend the resources to break the system but normal users won't put up with the inconvenience, which locks out competitors and interoperability.

    > Accountability of network operators

    This largely already happens. Disreputable IP blocks get banned. But then you get a botnet with users on ISPs with varying levels of willingness to do something about it and the ones that do something about it still can't do it instantaneously and some of the ones that don't care are in jurisdictions you can't control but are also too big to block.

    The best solution is probably some kind of "pay something in money/cryptocurrency/proof of work to create an account" because normal users need a small number of accounts kept for long periods of time but spammers need a large number of accounts that get banned almost immediately, which is exactly the sort of asymmetric cost structure that results in a functioning system.

  • dreamcompiler 3 days ago

    > I hope we can end the CAPTCHA experiment soon. It didn't work.

    Well it sort of worked before we got modern AI image recognizers, but even then they had to continue making the challenges harder to keep up with the recognizer software.

    Now the damn things have crossed over into the domain of "easier for a machine to solve than a human" so they're worthless for their original purpose.

    • tombert 3 days ago

      Define modern? I worked adjacent to the web-scraping tech at Jet.com and they managed to beat a lot of the CAPTCHAs even in 2016.

    • jchw 3 days ago

      Yeah but filtering out mindless bots is even easier than loading a bloated mess of JS: a simple form question that you believe 100% of the valid users will be able to answer should be good enough to stop almost all of those low-level bots. I use that approach all the time.

      Some day this luck will run out, but for larger entities that experience targeted malicious traffic it's never really been a viable approach.

  • awbvious 3 days ago

    " Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable. "

    What about zero knowledge proofs? Those with typical cryptocurrency wallets could leverage existing extensions. Everyone else can download an open source extension that sends the proof and an open source way to verify proofs but is unrelated to cryptocurrency. While a robustly decentralized chain like Bitcoin and Ethereum would be a good place to verify proofs, no reason a non-cryptocurrency solution can't also be available as well for the cryptocurrency averse. And for the tech averse, a phone number to call/text to walk the person through sending the proof via phone that would cost a tiny bit--and could also help the tech averse with setting up an extension going forward?

  • thayne 3 days ago

    > Almost all turnkey CAPTCHA services can be solved for pennies.

    There is one area where even pennies can be a barrier: DDoS.

    Paying a few pennies per captcha can add up to a lot when you want to complete millions of them.

  • account42 3 days ago

    A start would be what kinds of websites even need a CAPTCHA in the first place. Why does just viewing websites with static content ever need to result in a captcha prompt?

    • jchw 3 days ago

      That I think is just to try to prevent scraping, probably mostly from people training AI models. I don't really think anti-scraping mitigations are a good idea and I'm hoping that problem some day solves itself.

  • miki123211 3 days ago

    > for pennies

    "for pennies" is a lot more expensive than 0, and that matters at scale.

    Scam isn't about one person performing one request, for that you can indeed just hire a human, it's about thousands of bots constantly interacting with a service.

    If you need to scrape 10m records and there's no anti-fraud protection, you pay $0 (excluding typical bandwidth / server costs). If every query requires a captcha, and you have to pay $.01 per captcha, the operation costs you $100k.

    Going from 0 to 100k is often "good enough" to make these things uneconomical.

    • jchw 3 days ago

      Actually, I oversimplified. In most cases you don't have to pay $.01 per CAPTCHA. It's usually a fraction of a penny per CAPTCHA.

      So basically it's good enough to protect something that is arguably barely worth protecting. I don't find this compelling. Protecting things that barely need it is already easy using existing techniques.

  • j-bos 3 days ago

    Feels like another option would be to bootstrap off of authenticated users, some sort of reputation system. It would still allow for anonymous users, but the expectation would be that they would be treated as suspected spam unless they receive sufficient endorsement from actual verified users. The verified users could be held accountable for the endorsements they provide up to a certain point, and the anonymous users would be able to remain anonymous assuming verified users consider them good citizens.

    • jprete 3 days ago

      The endorsement and verification would need to be continuous, or else the anonymous users will sell their accounts for the value of the accrued positive reputation. I.e. what people already do with Reddit accounts that accrue a lot of karma.

      • j-bos 3 days ago

        Good point

  • not_your_vase 3 days ago

    In the past 3 years, every morning I wake up I open the news, and I hope that I will see the following headlines: "Some guy figured out how to use AI to detect bot traffic with 100% accuracy, captchas became obsolete and banned worldwide with immediate effect"

    And every morning my day starts with disappointment.

  • plingbang 3 days ago

    > It's tricky, though. What else can you do?

    I had an idea about an almost-privacy-preserving system by involving government ID and blind signatures:

    1. The service passes a random string to the user.
    2. The user authenticates to their government and asks the government to sign it.
    3. The government applies a blind signature which basically says "this user/citizen hasn't registered an account in the last 60 minutes".
    4. The government records the timestamp.
    5. The user passes the signature back to the service.

    Upsides:

    * Bypassing this would be orders of magnitude more expensive than phone numbers.
    * Almost private

    Downsides:

    * Won't happen. Remote HW attestation is likely to win :(
    * The service knows your citizenship
    * The gov knows when and how often you register.
    * Any gov can always bypass the limits for themselves.

    I think it may be also possible to extend it so that the government attests that you have only one account on the service but without being able to find which account is yours.
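The five steps above, worked through as an added example (not code from the thread): an RSA blind signature in pure Python, where the government signs a blinded value without seeing the service's string and rate-limits each citizen to one signature per window. The key size, the `window_s` and `now` arguments, the citizen ids and the simplified hash-to-Z_n are constructed for this demo, not production choices.

```python
"""Added example, not from the thread: plingbang's steps 1-5 as a Chaum-style
RSA blind signature. Constructed for the demo: key size, the window length
passed as `window_s`, and a `now` argument in place of the real clock.
The hash-to-Z_n is a simplified stand-in for a full-domain hash."""
import hashlib
import math
import secrets
from typing import Tuple


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _hash_to_int(msg: bytes, n: int) -> int:
    """SHA-256 of the message reduced into Z_n (demo stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class Government:
    """Holds the RSA signing key plus, per citizen, when it last signed (step 4)."""

    def __init__(self, bits: int = 512, window_s: int = 3600):
        self.e = 65537
        while True:
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if math.gcd(self.e, phi) == 1:
                break
        self.n = p * q
        self._d = pow(self.e, -1, phi)
        self.window_s = window_s
        self._last_signed = {}  # citizen id -> time of the last signature it issued

    def public_key(self) -> Tuple[int, int]:
        return self.n, self.e

    def sign_blinded(self, citizen_id: str, blinded: int, now: float) -> int:
        """Step 3: sign only if this (authenticated) citizen was not served within the
        window, then record the timestamp (step 4). The blinded value hides the
        service's string, so the government cannot link the signature to an account."""
        last = self._last_signed.get(citizen_id)
        if last is not None and now - last < self.window_s:
            raise PermissionError("citizen already obtained a signature in this window")
        self._last_signed[citizen_id] = now
        return pow(blinded, self._d, self.n)


def blind(challenge: bytes, n: int, e: int) -> Tuple[int, int]:
    """Step 2 (user side): multiply H(challenge) by r^e for a random r coprime to n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (_hash_to_int(challenge, n) * pow(r, e, n)) % n, r


def unblind(blind_sig: int, r: int, n: int) -> int:
    """(m * r^e)^d = m^d * r, so dividing by r leaves an ordinary RSA signature on m."""
    return (blind_sig * pow(r, -1, n)) % n


def service_verify(challenge: bytes, sig: int, n: int, e: int) -> bool:
    """Step 5 (service side): sig^e must equal H(challenge) under the government's key."""
    return pow(sig, e, n) == _hash_to_int(challenge, n)


def register(gov: Government, citizen_id: str, now: float) -> bool:
    """Steps 1-5 end to end; False when the government refuses (rate limited)."""
    challenge = secrets.token_bytes(32)  # step 1: the service's random string
    n, e = gov.public_key()
    blinded, r = blind(challenge, n, e)
    try:
        blind_sig = gov.sign_blinded(citizen_id, blinded, now)
    except PermissionError:
        return False
    return service_verify(challenge, unblind(blind_sig, r, n), n, e)
```

The service learns only that some citizen of that government passed the rate limit, and the government learns only when the citizen asked, which is exactly the "almost private" trade-off listed above.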

  • rascul 3 days ago

    > Phone verification isn't good either, but for as much as I hate phone verification at least it actually raises the cost of spamming somewhat.

    Curious if phone verification would block more or less legitimate users than captchas.

  • throwaway2037 3 days ago

    > Anonymity of users: validating someone's real-life identity sufficiently would make it possible to permanently ban malicious individuals and filter out bots with good effectiveness, but it will destroy anonymity online. In my opinion, literally untenable.

    I see this point constantly made on the echo chamber that is known as HackerNews. The average normie user does not care about anonymity, nor privacy, on the Internet. They want a smooth, fun experience. The solution is secure boot plus attestation via some browser JavaScript API. If you want even less friction, users are required to register their devices with a gov't agency, then their attestation will carry more value.

    Really, why don't we see HN crying about the need to show a national ID (and register) when buying a mobile phone? I never once saw anyone complaining about it here. Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone. It only takes a few more terrorist assholes to close that door permanently.

    • tredre3 3 days ago

      > Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID? I don't know any, or they will all soon be gone.

      I regularly (1-2x per year) buy prepaid SIMs in Canada, USA, and Japan. None of them require an ID and I often even pay cash.

      I'm sure you are right that they'll eventually be requiring ID, but you are wrong to imply that these countries aren't highly developed.

    • jchw 3 days ago

      It's not the average person's job to make sure that the world isn't fucking them raw. People have limited attention and limited time, not everyone can care about everything.

      Nobody else is going to step in and hold the line when it comes to digital privacy rights. It's on people like us who care. This is why organizations like EFF need to exist.

    • juped 2 days ago

      No, you're describing what the California tech echo chamber wishes an "average normie" was, i.e., stupid and compliant, and what they're always aggrieved never really exists in practice, having managed to inculcate only some moderate learned helplessness over time, and with "stupid normies" constantly attempting to fight back via law and politics.

    • graypegg 3 days ago

      > Are there any highly developed nations that allow complete strangers with any nationality to buy and use a mobile phone without showing a national ID?

      Canada maybe? [I'm 80% sure that] Public Mobile will sell you a prepaid sim card at the counter. You could pay cash, and set your caller ID to a fake name.

      If we're talking about mobility plans, the identity requirement is more about the credit check they might want to do than anything else.

    • faeranne 3 days ago

      > why don't we see HN crying about the need to show a national ID ... when buying a mobile phone?

      Mmm, very possibly because there are at least a few ways to get a phone without using any ID. I picked up a used phone about a year ago, and use Tello. Tello had 0 info on me for years, only an old UPS box that I got the card delivered to. I eventually gave them my first name so Caller ID was correct, but short of that or putting in a correct address if you want 911 support, there's no reason to need any valid info with them. They don't do credit checks, just prepay.

      > The solution is secure boot plus attestation

      That's the second option they presented "Closing the platform". The issue with all these options is that it consolidates power, and thanks to already partially consolidated power, any option selected will, by necessity, obligate everyone to partake, whether or not they are ok with it.

      > The average normie user does not care about anonymity, nor privacy, on the Internet.

      It's true that often "normies" don't care (or at least think they don't care, but that's a completely different point I don't feel like trying to make), and it's also true that often "normies" don't want the status quo changed. But often "normies" also ignore when people are kidnapped due to their heritage being revealed. Is it acceptable to actively create a hostile environment for people already disadvantaged? Do we gain something worth their safety? Who gains from this higher level of scrutiny?

      If we look at the smaller web, most sites never get enough traffic to be under active threat, and passive threat is easy enough to quell using honeypot forms and questions. Maybe the "normie" internet is the problem. Passive people passively consuming. "Normies" love watching stolen content, and praise thieves for harassing anyone who points out that what they're doing is wrong. "Normies" enjoy watching someone livestream themselves flying down a highway at 100 mph over the speed limit.

      I think maybe we should acknowledge that what we're defending with things like hCaptcha is not actually worth defending. Maybe the "normal" internet does need to be deprecated over "small" internet? We did pretty good before with things like Wikipedia. The "small" internet from before had a lot of chaff, but good things have grown from it, and a lot of it still exists as a "small" internet. Maybe it's ok that we have a lot of "crap content", so long as the internet can keep changing?

  • mindslight 3 days ago

    meh, continuing the pearl clutching and asserting there has to be some general "solution" is itself part of the problem. The sheer majority of captchas I come across are while browsing essentially static content. If simple source IP based rate limiting can't keep the server load at something manageable, then the real problem is with how the site is built. And adding even more bloat to address another managerial bullet point is exactly how it got that way.

    • jchw 3 days ago

      Two things:

      - I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find a general solution. Especially one that is cheap. I still hope for the least user- and ecosystem-hostile approach among the flawed approaches to win. (I guess of the ones I listed, the one that bothers me the least is having more policing of the service providers.)

      - CAPTCHAs from static content are almost assuredly for anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but, an effective anti-scraping measure kind of has to work off of reputation, because getting access to a very large number of IP addresses isn't free, but it doesn't cost that much (especially if IPv6 is on the table.) I personally doubt it has much to do with server load in most cases, but maybe I am wrong.

      • mindslight 3 days ago

        There are indeed many powerful motives supporting the march of technological authoritarianism. But validating the narratives about why ever-more control is needed is a form of support, which we should avoid doing.

        Rather we need to recognize that they're merely instances of the same old authoritarian fallacy of more control promising better outcomes, because what increased control ends up ruining cannot be enumerated. In actuality, reducing independent autonomy stifles invention and suffocates society.

        "Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.

hyperman1 3 days ago

I think, unfortunately, most accessibility options are not intended to actually be used.

If you are a government or bigco, accessibility is part of your baseline requirements. You must be able to say: Yes, we are accessible. Otherwise, the public will cause a stink.

So you take your list of vendors, and remove any that don't say they enable accessibility. Vendors know this and make sure they say they are.

Meanwhile, it is a hard-to-get-right feature, only applicable to a small part of your userbase. Multiple disabilities require different affordances. No developer on the team really understands the actual requirement.

The people requiring accessibility will go somewhere else, or grumble and make do. Neither will be detected on any metrics board.

This combination promotes shelfware: Things you buy and put on a shelf somewhere but never really use.

neilv 3 days ago

> I emailed back a day or so later, requesting an unban because, y'know, I actually am blind, but they gave a pretty canned response of no, your account is remaining banned.

Do I understand correctly that hCaptcha has created an accessibility problem that's denying this blind person access to all sorts of Web sites?

Is there an ADA angle here, for many customers of hCaptcha?

Spivak 3 days ago

This has got to be an open-and-shut lawsuit if the author wants to pursue it. T&C doesn't shield you from the ADA.

isodev 3 days ago

Why are captchas even a thing still? If folks want to scrape something or build an automation around something, then why not let them do it? They still have to respect the system they're logging in. Not to mention the privacy perk of not exposing your visitors to some captcha service with a dozen or more data subprocessors.

  • stanmancan 3 days ago

    I had to add a captcha to a registration page a couple years ago. Bots were signing up for thousands of fake accounts with other people’s email addresses. The email confirmation we sent would then get reported as spam since the recipient didn’t sign up for our service. Our email provider suspended our account for high spam reports.

    • reginald78 3 days ago

      What's the play by the spammers here? Is it a direct attack on your website, perhaps because they were competitors? Or are they hoping that 1% of spammed email addresses will accidentally verify their email?

      • stanmancan 3 days ago

        No clue to be honest; I just added a captcha and moved on with life. It’s a small side project so it wasn’t worth investing.

    • Spivak 3 days ago

      I hope the other lesson was the good email verification hygiene of making the user take an affirmative action and click a "verify email" button rather than sending it unsolicited.

      You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.

      • stanmancan 3 days ago

        How would adding an extra button change anything? Right now when they register we send a “verify email address” email. Adding an extra step of “click a button” makes no meaningful difference.

      • toast0 3 days ago

        How do you authenticate a verify email button?

        • klez 3 days ago

          It took me a while to understand what GP was trying to say, but I suppose they're thinking of one of those sites where they let you create an account, will let you in and then nag you for a while about "verifying your email address" by clicking a link that will actually send you an email. An unsophisticated spambot probably won't care enough to click through that.

      • binarycoffee 3 days ago

        Not a solution. Verification emails alone got a small web site I set up to be blacklisted within days. Most of the unwilling recipients presumably couldn't understand the language the verification email was written in and reported it as spam.

  • hifromwork 3 days ago

    I assume you never tried to add a contact form to your website.

    Explanation: I did, and within a few days bots started sending me spam using that form. I just added a trivial captcha (hardcoded '2+3=' question), but if my scale was bigger that would be untenable. Think also of PM spam, autoregistering accounts to abuse free tiers, etc.

    • Spivak 3 days ago

      I guess I just wouldn't have an open unauthed form and require a CC to use the free-tier. The contact-me form can just be a mailto: link and let the spammers go through the spam filter like everyone else. There are places where captchas are all you can really do but it's not like common use-cases don't have other options.

      • hluska 3 days ago

        You want to put a credit card form in front of a contact form?

    • graemep 3 days ago

      There are less annoying alternatives. Things like honeypot fields have worked for me so far. There are more dynamic variations on your maths question.

  • Nextgrid 3 days ago

    Because despite ZIRP being long over, there are still plenty of people/companies making money off "engagement" - aka wasting a human's time. Automation/scraping/etc would go around that.

    • spacebanana7 3 days ago

      There're also more good faith use cases like stopping credit card testing, ticket reselling and forum spam.

    • isodev 3 days ago

      I feel folks forget that whatever captchas do (or a large portion of), can be a library without the need for a strange, inaccessible 3rd party service call.

  • dewey 3 days ago

    Captchas are used for many things, and the reason they are still a thing is because they mostly work. Especially fingerprinting invisible captchas.

    Try having a login form without a captcha and you'll realize you are capturing 100s of users every day that require you to send out a "please confirm your email address" email for each of them for no good reason.

    > They still have to respect the system they're logging in.

    Your trust in people is admirable, but in my experience running anything on the internet you'll realize that intentionally or not people will bombard your system until it falls over.

    • isodev 3 days ago

      I think folks forget that we can add many of the safeguards captchas provide as part of whatever "form serving app" is needed without torturing our visitors to prove they can count bicycles.

      • dewey 3 days ago

        I think the times of the "count bicycles" type of captcha are already counted just because of the bad user experience. Now everything is about fingerprinting, as paying to get captchas solved by humans or AI is already used everywhere if it's worth it.

    • nraynaud 3 days ago

      they don't work, robots have a higher speed and success rate than humans.

      • dewey 3 days ago

        Not everything is black and white. If it's cutting down 50% of the spam that does not have captcha solving robots because the effort is not worth it, that's already something.

        There's a reason many sites still have very basic captchas...it's good enough for their use case.

  • grishka 3 days ago

    Simple distorted-characters captchas still do a good job of catching unsophisticated bots, which is most of them. They work even better when combined with hidden form fields because these bots don't support CSS.

    Targeted attacks though? You're making your legitimate users suffer only so that you defeat 99% of bots instead of 95%.

  • bongodongobob 3 days ago

    If you have any input forms they will be overrun by bots immediately. At my last job, marketing built a website and didn't tell IT. They had a "contact us" form without any kind of captcha. Took about a month to be completely flooded by bot spam.

  • slightwinder 3 days ago

    > Why are captchas even a thing still?

    Because it works, to some degree. It keeps away the annoying cheap bots and stupid kids. Smarter or more dedicated actors can still circumvent it, but even they are at least slowed down to some degree.

    But thinking about it, maybe just putting a 20 second pause after which you have to push a button might be already good enough for all this. And every stupid bot avoiding it will get banned.

    • isodev 3 days ago

      Indeed… and if it's really problematic, a client-side script can run some expensive calculations as well (the same way captchas do it), to make it extra uninteresting to target unless someone is really motivated and has the budget for it.
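The cheap server-side checks several commenters describe (grishka's hidden form field, slightwinder's minimum delay before the submit button works, hifromwork's hardcoded '2+3=' question), as an added example that is not code from the thread. The delay is enforced with an HMAC-signed issue timestamp so the server keeps no per-form state; the key, field names and sample submissions are constructed for this demo.

```python
"""Added example, not from the thread: a form handler that combines a CSS-hidden
honeypot field, a minimum fill time and a fixed trivial question. Constructed for
the demo: the secret key, the field names and the two sample submissions."""
import hashlib
import hmac
from typing import Optional, Tuple

SECRET_KEY = b"constructed-demo-key-change-me"  # assumption: loaded from config in practice
MIN_FILL_SECONDS = 20             # slightwinder's pause: humans rarely submit faster
MAX_TOKEN_AGE_SECONDS = 6 * 3600  # so an old token cannot be replayed forever
EXPECTED_ANSWER = "5"             # hifromwork's hardcoded '2+3=' question


def issue_form_token(now: float) -> str:
    """Rendered into the form as a hidden input when the page is served."""
    ts = str(int(now))
    mac = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def _verify_form_token(token: str) -> Optional[int]:
    """Return the issue timestamp if the token's MAC is valid, else None."""
    ts, sep, mac = token.partition(".")
    if not sep or not ts.isdigit():
        return None
    expected = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(ts)


def check_submission(form: dict, now: float) -> Tuple[bool, str]:
    """Run the three cheap checks in order; returns (accepted, reason)."""
    # 1. Honeypot: the 'website' input is hidden by CSS, so a human leaves it empty;
    #    a bot that does not apply CSS tends to fill every field it sees.
    if form.get("website", "").strip():
        return False, "honeypot filled"
    # 2. Minimum fill time, measured from the signed issue timestamp.
    issued = _verify_form_token(form.get("form_token", ""))
    if issued is None:
        return False, "missing or forged form token"
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, "submitted too quickly"
    if age > MAX_TOKEN_AGE_SECONDS:
        return False, "form token expired"
    # 3. Fixed trivial question; compared after trimming whitespace.
    if form.get("answer", "").strip() != EXPECTED_ANSWER:
        return False, "wrong answer to the question"
    return True, "ok"


# Constructed sample submissions, both against a form issued at t=1000.
ISSUED_AT = 1000.0
HUMAN_SUBMISSION = {
    "name": "Ada", "message": "Hi, quick question about pricing.",
    "website": "", "answer": "5", "form_token": issue_form_token(ISSUED_AT),
}
BOT_SUBMISSION = {
    "name": "x", "message": "buy cheap stuff http://example.invalid",
    "website": "http://example.invalid",  # the hidden field got filled in
    "answer": "5", "form_token": issue_form_token(ISSUED_AT),
}
```

The rejection reason is worth logging rather than showing to the submitter, since it is the cheapest signal you have for how the bot traffic hitting the form changes over time.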

lupusreal 3 days ago

I hope AI stuff makes captchas completely obsolete soon. I am sick of them. The cure is worse than the disease.

  • edm0nd 3 days ago

    Captchas have been obsolete for the past decade plus.

    With solving services like DeathByCaptcha and AntiCaptcha, it takes seconds to solve them. It costs something like $1.90 per 1,000 successfully solved captchas using human typers and OCR. It can easily be rolled into your code with a few lines.

  • xdennis 3 days ago

    But surely, it's only going to get worse: it will force the de-anonymization of the internet. You already have to provide a phone number for many services.

    If websites can't trust that their users are authentic they will probably institute even more intrusive checks.

    I haven't been optimistic about the future of technology for a while now. :'(

    • rvnx 3 days ago

      In the future I think we will again go to "notarization"/"attestation" of the operating system / hardware.

      Essentially, the manufacturer of the device + operating system will generate a unique signature for each device, and web browsers will be able to access it.

      https://en.wikipedia.org/wiki/Web_Environment_Integrity

      • spacebanana7 3 days ago

        I'm very grateful the WEI proposals were put down. It'd have an enormous privacy impact on normal users, and not give that much protection against bad actors using device farms & similar tools.

        • blindgeek 3 days ago

          But the WEI proposals were never about protecting from bad actors with device farms. They were always about guaranteeing that a certain ad company who also makes browsers can always push ads to users, thus maximizing value for shareholders. Protecting from device farms was just the bait.

        • marcosdumay 3 days ago

          Oh, the really bad part of WEI is not the privacy impact.

          The real thing is the gating of every kind of information exchange and treatment in the hands of a few entities, that get the power to say who will participate in those activities and doing exactly what.

          That is, the complete elimination of the freedom of association and initiative from our society. At least around any one of those that involve computers.

          The loss of privacy is a rounding error.

      • slooonz 3 days ago

        How does that work for, say, Chromium or Firefox on Linux?

        • rvnx 3 days ago

          I believe the plan was to ask the TPM of the computer.

          From what I understood, each TPM has a unique private/public key pair (Endorsement Key (EK)), and then this key is certified by the manufacturer of the TPM.

          From there, you can generate Attestation Keys, and these keys are signed by the EK.

          https://security.stackexchange.com/questions/235148/whats-th...

          So essentially, at the end of the day, Chromium would ask the TPM for attestation, and it would act as a unique Device ID.

          Then they can allow only a selected list of TPM manufacturers' certificates, to prevent emulators for example.

          TL;DR: Chromium on Linux would ask the TPM chip for a signature, and each TPM chip has a different signature from the moment it is out of the factory.

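A toy model of the chain the comment above describes (manufacturer certifies the EK, the EK signs an AK, the verifier keeps a manufacturer allowlist), added here as an illustration and not code from the commenter or from any TPM or browser project; it substitutes Ed25519 signatures for real TPM 2.0 key formats and certificates, and the manufacturer names and nonce are constructed. It also shows why the thread worries about this: whatever passes verification, the EK public key comes back as the same stable identifier on every site that checks it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Attestation is what the browser would hand to a site, plus a signature over the site's nonce.
type Attestation struct {
	Manufacturer string
	EKPub, AKPub ed25519.PublicKey
	EKCertSig    []byte // manufacturer signature over EKPub (the "EK certificate")
	AKSig        []byte // EK signature over AKPub
	NonceSig     []byte // AK signature over the verifier's nonce, so old attestations cannot be replayed
}
type Device struct { // stands in for one TPM; keys are generated here instead of burned in at the factory
	Manufacturer string
	ek, ak       ed25519.PrivateKey
	ekCertSig    []byte
}

func NewDevice(manufacturer string, mfrKey ed25519.PrivateKey) Device {
	ekPub, ek, _ := ed25519.GenerateKey(rand.Reader)
	_, ak, _ := ed25519.GenerateKey(rand.Reader)
	return Device{manufacturer, ek, ak, ed25519.Sign(mfrKey, ekPub)}
}

func (d Device) Attest(nonce []byte) Attestation {
	ekPub, akPub := d.ek.Public().(ed25519.PublicKey), d.ak.Public().(ed25519.PublicKey)
	return Attestation{d.Manufacturer, ekPub, akPub, d.ekCertSig,
		ed25519.Sign(d.ek, akPub), ed25519.Sign(d.ak, nonce)}
}

// Verify walks the chain against the allowlist and returns the EK, i.e. the stable per-device ID.
func Verify(a Attestation, nonce []byte, trusted map[string]ed25519.PublicKey) (ed25519.PublicKey, error) {
	mfr, ok := trusted[a.Manufacturer]
	if !ok {
		return nil, errors.New("manufacturer not on allowlist")
	}
	if !ed25519.Verify(mfr, a.EKPub, a.EKCertSig) {
		return nil, errors.New("EK not certified by manufacturer")
	}
	if !ed25519.Verify(a.EKPub, a.AKPub, a.AKSig) {
		return nil, errors.New("AK not signed by EK")
	}
	if !ed25519.Verify(a.AKPub, nonce, a.NonceSig) {
		return nil, errors.New("nonce signature invalid")
	}
	return a.EKPub, nil
}
```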
  • remram 3 days ago

    CAPTCHAs already don't work. If they are not annoying enough to turn your customers away, they are very easy for an attacker to pay people to solve.

  • exe34 3 days ago

    AIs are already much better at them than I am.

  • jeroenhd 3 days ago

    AI stuff is why CAPTCHAs exist. It's also why they've gotten so much worse the last few years.

    CAPTCHAs are going to get much worse before they're replaced by account paywalls or remote hardware attestation.

miki123211 3 days ago

As a blind person, I genuinely believe that hCaptcha, being as terrible as it is, is still the best solution among the ones that we can physically achieve in the world as it exists right now.

Audio captchas don't work for people with hearing issues and/or who don't speak your n supported languages, where n is usually <10. I've had to help people out with these over the phone, it was not fun.

Even for people for whom they do work, it's worth keeping in mind that bots can solve them by now, and so users whose activity looks too fraudulent, who are still given access to the visual captchas, have to be blocked from using the audio ones. I have also seen this happen.

Text captchas are a non-option by now, they're very easy to solve with LLMs, and the way they have to be phrased makes it impossible to align LLMs not to solve them, like you can do with the visual ones.

Google's ReCaptcha can get away with having no actual challenge for most users, blind or otherwise, but that's because they're Google, they do enough user tracking that they don't actually need a captcha. Google is the only company that can get away with this, and even for them, it doesn't work in all situations, even when the user fully trusts Google and has not adjusted any privacy preferences.

Sure, you could stop using captchas entirely, if you're fine with receiving dozens of viagra ads on every single platform each day, abolishing all "contact us" and comment forms on the internet, having a significantly higher credit card fraud rate (which translates directly to higher prices and a much worse experience for consumers), and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest. Unsurprisingly, most users are, in fact, not fine with this.

  • blindgeek 3 days ago

    > and getting all your semi-public records and social media activity immediately scraped by shady companies and sold to anybody who expresses any interest.

    Public content on the Internet should be scrapable. That's what public means.

    The fact that my reddit posts were publicly available never bothered me. Even if they were going to be used to train some LLM. What does bother me is reddit locking up my posts and making exclusive deals with Google to train Google's LLM.

    Preventing scraping isn't good for the average user; it is good for the company that wants to take content created by said user, lock it up, and sell it to their buddies.

    • miki123211 2 days ago

      > Public content on the Internet should be scrapable. That's what public means.

      Not necessarily, especially if you want to expose some relationships in one direction while hiding the other.

      Imagine your government creates a CNAM-like[1][2] system that lets you enter a phone number and see its owner, to see who is calling you and whether a number you're given is legit. However, they do not want to let you see a person's phone number just by entering their name.

      If there's no captcha, an unscrupulous actor, registered in the Seychelles and unconcerned with your country's laws, can just scrape all possible phone numbers and offer a "reverse lookup" service.

      In a way, the number/name records are public information, after all, the government lets you query them without authentication, but in a way they aren't, because you're only permitted to query them in a certain way.

      Variations of this problem have appeared many times, particularly across Europe, usually with company numbers, property deeds and such.

blindgeek 3 days ago

And the very angry email that I (probably unwisely) just dashed off to support@hcaptcha.com:

"So I've been trying to sign in repeatedly to set the accessibility cookie since last night. Every time I click the submit button, I get the useless error message "an error has occurred, please try again".

My friend, who shares my roof and my static IP, got banned from hcaptcha's accessibility service last year for being too smart to be blind. And I suspect you all have banned our IP and not just his account.

For the record, my static IP address is (redacted).

See https://michaels.world/2023/11/i-was-banned-from-the-hcaptch... for his story. I have been broadcasting this to websites frequented by technically capable people: https://news.ycombinator.com/item?id=42171164 https://lobste.rs/s/qbkd0u/i_was_banned_from_hcaptcha_access...

Please let your bosses know that I plan to pursue legal action against hCaptcha and/or amplify the truth to destroy its reputation in the public square. I will also be reaching out to websites who utilize hCaptcha, letting them know that the captcha provider they employ is refusing to provide reasonable accommodations to blind people.

Whether it be with the force of law or the force of satyagraha, your bosses are going to get a message and we will win."

  • blindgeek 3 days ago

    And their thoroughly unhelpful reply:

    "Hi there, sorry to hear you're having difficulties!

    We have an alternative authentication scheme that you may prefer: https://www.hcaptcha.com/accessibility

    You can sign up here: https://dashboard.hcaptcha.com/signup?type=accessibility

    This lets you avoid the challenge altogether after registration.

    It is designed for users with any kind of difficulty solving the challenges.

    Thanks for reaching out, and hope this makes your experience better."

    • mp3geek 3 days ago

      Brave support here, tried to reach out to hcaptcha support and got the same auto response :|

  • webspinner 3 days ago

    Yeah, sue them. They'll love that.

devmor 3 days ago

It's quite unpleasantly often that I hear stories about accessibility accommodations being removed by someone considering themselves the sole arbiter of disability.

garbanz0 3 days ago

That smells illegal.

mathfailure 3 days ago

hCaptcha is worse than reCaptcha.

I pass the captcha (I am not blind and not using an accessibility account) and get a response like

Your response to the CAPTCHA appears to be invalid. Please re-verify that you're not a robot below. (Reference ID: 4035128747213959)

And you are given captcha again (passing which will have the same result).

reCaptcha had a similar issue, but choosing 'accessibility' would transform the captcha from a visual to an auditory one and passing it had no such problems.

In the end I just gave up.

Pxtl 3 days ago

Please just let me link some kind of government-backed ID to an email account and then clients can ask "hey government, is this email account a real human being in your country"? And government can say "yes" and they can go forward knowing that if I turn out to be a bot and they ban me it will be a huge pain in my ass because I've got to go through the government enrollment process again.

andrewaylett 3 days ago

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.

These things have one job. Any time they fail to identify a human, they have failed at their job. How they go about administering the test, and (to a large extent) what the human does in response, should be irrelevant. I know that's hard, no-one said the job was easy, and the companies developing them are the ones making claims about their efficacy.

If you want to block 100% of bots, don't put your stuff on the Internet. If you want to block bots and allow humans then you're going to have false negatives. Failing to acknowledge them is dishonest.

None of which stops me filling them out when I encounter them, but I don't have to like it.

throw_a_grenade 3 days ago

If you're in Europe, consider filing a GDPR complaint with your local data protection authority. One of the rights recognised in GDPR is the right to rectify information about you, and it was clearly not afforded by the provider here.