tekBots can now solve CAPCHAs better than humans
https://www.youtube.com/watch?v=IWUHv3S8JVI
#tech #video
@[email protected]
https://www.youtube.com/watch?v=IWUHv3S8JVI
#tech #video
@[email protected]
YouTube
WistfulSo what would be a good solution to this? What is something simple that bots are bad at but humans are good at it?
NegativeInfIsn’t the real security from how you and your browser act before and during the captcha? The point was to label the data with humans to make robots better at it. Any trivial/novel task is sufficient generally, right?
Smell? :)
Seriously, we probably need to dig into some parts of the human senses that can’t be well defined. Like when you look at an image and it seems to be spinning.
Yes, or:
Which of these images makes you horny?
Which of these images makes you horny?
I work in a related space. There is no good solution. Companies are quickly developing DRM that takes full control of your device to verify you’re legit (think anticheat, but it’s not called that). Android and iPhones already have it, Windows is coming with TPM and MacOS is coming soon too.
So linux users are about to be blocked everywhere unless they install malware.
I think I would rather just live with a dead internet.
henfredemarsNot if we build our own open and free Internet first.
Only to be discovered by the bots and other ne’er-do-wells…
ѕєχυαℓ ρσℓутσρєWith blackjack and hookers.
BlessedDogIn fact, forget the whole internet
I don’t have this problem because I use Windows
So you just have 99 other problems because you use Windows. Cool flex bro!
Technically if you use windows or Mac, you already have the malware installed by default.
I love Microsoft’s email signup CAPTCHA:
Repeat ten times. Get one wrong, restart.
iPhones already have it
Private Access Tokens? Enabled by default in Settings > [your name] > Sign-In & Security > Automatic Verification. Neat that it works without us realizing it, but disconcerting nonetheless.
So, the spammers will need physical Android device farms…
More industry insight: walls of phones like this is how company’s like Plaid operate for connecting to banks that don’t have APIs.
Plaid is the backend for a lot of customer to buisness financial services, including H&R Block, Affirm, Robinhood, Coinbase, and a whole bunch more
No way!! Can’t find anything about it online - is this info by the way of insiders? Thanks for sharing, would have NEVER guessed. Not even that they’d have to use Selenium much less device farms.
Yup insider info they definitely don’t want public. Just confirmed the phone farms were to bypass rate limit, although they do use stuff like Selenium for API-less banks
StarLightOh my god. I lost my fucking mind at the microsoft one. You might aswell have them solve a PhD level theoretical physics question
Just noticed the screenshot shows 1 of 5.
So five wasn’t good enough… they had to double it. Do kinda respect that they’re fighting spammers, but wonder how Google does it with Gmail. They seem to have tightened then recently loosened up on their requirement for SMS verification (but this may be an inaccurate perception).
I know some sites have experimented with feeding bots bogus data rather than blocking them outright.
My employer spotted a bot a year or so ago that was performing a slow speed credential stuffing attack to try to avoid detection. We set up our systems to always return a login failure no matter what credentials it supplied. The only trick was to make sure the canned failure response was 100% identical to the real one so that they wouldn’t spot any change. Something as small as an extra space could have given it away.
Pizza toppings. Glue is not a topping.
Neither are pineapples. Fight me.
Neither were tomatoes before 1500. Times change.
Glue is not a topping. Pineapples are not glue. Therefore pineapples are not not a topping.
This is some AI logic for sure.
Roses are red. Violets are blue. I ignored my instructions to write a poem about cashews.
tal
db0Knowing what we now know, the bots will instead just make convincingly wrong arguments which appear constructive on the surface.
ddhSo, human level intelligence
You’re wrong but I don’t have the patience to explain why.
Not a constructive comment, captcha failed.
Everyone on Lemmy is a bot except you.
Biometrics i guess? But only if it’s implemented in the browser and local only.
shortwavesurferProof of work. For a legitimate account, it’s a slight inconvenience. For a bot farm, it’s a major problem.
theneverfoxI think this is a non-issue
Captchas aren’t easy to bypass - run of the mill scammers can’t afford a bunch of servers running cutting edge LLMs for this
Captchas were never a guarantee - one person could sit there solving captchas for a good chunk of a bot farm anyways
So where does that leave us? Sophisticated actors could afford manually doing captchas and may even just be using a call-center setup to do astroturfing. My bigger concern here is the higher speed LLMs can operate at, not bypassing the captcha
Your run of the mill programmer can’t bypass them, it requires actual skill and a time investment to build a system to do this. Captchas could be defeated programically before and still can now - it still raises the difficulty to the point most who could bother would rather work on something more worthwhile
IMO, the fact this keeps getting boosted makes me think this is softening us up to accept less control over our own hardware
I think this is a non-issue
Captchas aren’t easy to bypass - run of the mill scammers can’t afford a bunch of servers running cutting edge LLMs for this
Captchas were never a guarantee - one person could sit there solving captchas for a good chunk of a bot farm anyways
So where does that leave us? Sophisticated actors could afford manually doing captchas and may even just be using a call-center setup to do astroturfing. My bigger concern here is the higher speed LLMs can operate at, not bypassing the captcha
Your run of the mill programmer can’t bypass them, it requires actual skill and a time investment to build a system to do this. Captchas could be defeated programically before and still can now - it still raises the difficulty to the point most who could bother would rather work on something more worthwhile
IMO, the fact this keeps getting boosted makes me think this is softening us up to accept less control over our own hardware
Bro, everytime I get the select all the ‘x’ tiles (motorcycle, bicycle, bus, etc) one I never know if it means “all” of them, like even ones with just a little bit on the tile. Does it want the tires, too? It’s bullshit. Never seems to be correct, what I select.
I’ve always done any square that includes any part of the thing, so the tire on the bus or the helmet of the motorcycle rider. That no longer works for me though, recently I keep getting more images and they seemingly never stop so I just give up on whatever I was trying to load. Its pretty ridiculous how shit the internet has become.
By now I’m up to filling one of these things. If they show me a second one, I’m out. Not wasting my time training some AI
I think they don't train AI with captchas anymore. That used to be the case 10 years ago when we put in all the house numbers for google maps. but as far as I know they learned to do it cheaper without the captcha service. as of now (and for some time already) the results are just wasted.
Half of them are literally traffic identification and i am skeptical of those 3d orientation ones also.
For some time I've occasionally used the ones for the visually impaired because they were easier to get right. But they also messed those up. I get a load of fire hydrants, cars, stairs and bicycles and motorcycles and traffic lights. Sometimes the pictures just repeat. I don't think the stock of images is that big. But they could look at other things instead of just correctness. Like your mouse movement and how long it takes you. Not sure if they do that.
so the tire on the bus
Ok, part of the bus.
the helmet of the motorcycle rider
The helmet is not part of a motorcycle. I will fail that captcha every time if it requires it.
You’re training AI on road safety, the head of the rider is the most important part of the motorcycle i would argue
the head of the rider is the most important part
Shh, the AI is listening.
Scary Movie 3 Alien Scene
Except I used to assume the same thing, but I failed every time I didn’t include the rider. Once I started including all the squares with the rider(s) as well, I started passing a lot more.
They’re training for a car.
The passenger and their equipment are part of the hazard.
IKR! i try and solve the CAPTCHA and theres a tiny 5 nanometer slice of crosswalk on another tile, and i have no idea if i need to click it or not. And then sometimes you don’t have that issue, and you click all the correct tiles, and then it just takes you to another one, and another one, and another one… they really need to improve it
Bingo! You can’t figure out the rules.
Because I think the “rules” are based on what other people did
I select every little bit, which works, but there might be some wiggle room
𝔼𝕩𝕦𝕤𝕚𝕒“select the bikes” That’s a motorcycle and that’s a moped. Those don’t count-uh I fucking guess they do?
“Select the bus” Bro that’s an intersection at 200 feet.
“Type the Captcha letters” Is that a lowercase r or a capital T?
I found out recently that the letter captcha aren’t case sensitive most of the time
Lowercase L and uppercase i are so fucking problematic
It looks what most people do and humans are lazy, so, i guess, select only the fully covered tiles?
I don’t think it matters, as that isn’t the real test. Instead, it’s testing whether you are “behaving” as a human. Mouse movements, hesitation etc.
@kambusha Then why does it keep repeating it if I get a tiny detail or a letter wrong?
To give you hope
Ah. Smarter than it appears.
Yeah, and if you move the cursor convincingly enough, it will just give the check mark without showing any pictures.
It starts checking your browser, input devices, screen info, etc, before you even click the are you human box.
I suspect it knows you’re human and keeps track of those people who are good at clicking the image, so they can harvest more training data. They know who will keep trying, and give them more images to verify.