Google Broke reCAPTCHA for De-Googled Android Users https://reclaimthenet.org/google-broke-recaptcha-for-de-googled-android-users

Google has tied its next-generation reCAPTCHA system to Google Play Services on Android, meaning anyone running a de-Googled phone will automatically fail verification when the system decides to challenge them. Another day, another Google takeover of the world, the open web and mobile ecosystems. This battle seems to be lost already because governments are ignoring the shenanigans of Google.

@nixCraft So you can't use Amazon Fire tablets either?

That can be fun, let's see what Amazon does against this :D

@agowa338

@nixCraft I don't think so. There must be an ad-hoc solution. Same for iPhone.

@serk @nixCraft

According to the article you just don't have to have the Google Play Services on iPhone. Google only demands them for Android phones.

Tbh this feels like they're just trying to do a malicious compliance thing with the #DMA. They got slapped so they're trying the next thing...

@agowa338

@nixCraft just finished reading it XD
Yes, as the article said. This is control over Android, and degoogled phones will probably find a fix, but it will force them to do suspicious things.

@serk @nixCraft

One petty thing to do would be to just patch the user agent for these devices to say they're iPhones...

@serk @agowa338 @nixCraft

Not just suspicious, but challenging unless you know what you're doing, and in some cases, dangerous if you pooch something. Just like Skynet wants.

@capergrrl @serk @nixCraft

Tbh, I feel like it is kinda time to drop #Android and #iPhones and move on to other operating systems. - Or drop the reliance on mobile phone entirely (where possible)

@agowa338

@capergrrl @nixCraft yes... But for example, now I'm living a "monopoly"/"shitification" moment. I have a degoogled phone, and for reasons I want to play Balatro on it. I could do it, but when I add a Google account to the mirror Play Store I get a warning that maybe Google could suspend the account... So no way I'm paying for something. My hopes are in the Epic store now.
Not sure how this will be easy if I move to a Linux phone or something more alternative.

@nixCraft just made this meme after seeing this 😂

> The iOS comparison is revealing because Apple devices running iOS 16.4 or later complete the same verification without installing any additional apps. Google didn’t demand iPhone users install Google software to pass the test. Only Android users who refuse Play Services get locked out. The asymmetry reveals what this is really about: not security, but ecosystem control.

@nixCraft then let's get rid of Android phones and move to Linux ones. If only OSS contributors moved to Linux mobiles and started to provide mobile apps for Linux on mobiles, it would change the world... NGOs and public EU administrations would move, mobile manufacturers would provide at least some phones with Linux to avoid losing critical customers, and Google would step back in the end.
@maat @nixCraft Degoogled Android phones or those who support Android apps are still an option - huge and productive developer ecosystem

@maat @nixCraft

Linux is a terrible option for general security, which is especially important for a device as personal as your phone. Nothing is encrypted and Flatpak's sandboxing is worse than Android 4.4 and grants broad permissions by default.

@asterisk @nixCraft Linux is not terrible at all if set up properly. A Linux with a decent AppArmor setup is really good for security.
Flatpak is a shame and Android too: it lets the WhatsApp and LinkedIn apps slurp all the contacts without even blinking. All Android sandboxing currently just sucks.
Only things like Island work a little to isolate rogue apps. And nothing protects users from Google on Android.

@maat @nixCraft AppArmor and SELinux aren't really comparable to Android's sandboxing model, which also handles app signing and certificate pinning.

Android's sandbox does not suck (bold of you to say when most Flatpaks can escape the sandbox by editing your .bashrc), Google just requires OEMs to bypass it for Play Services to obtain CTS certification (required to use the Android trademark). Alternate Android-based OSes are very secure (as long as they keep up with security patches, /e and iode do not). GrapheneOS's sandbox for it resolves this issue, letting you use it for apps that need it without security compromises.

A lot of Android's security also comes from verified boot (the OS image is read-only and signed; at boot the bootloader checks the hash against the one burned in at manufacture or stored in the secure enclave to ensure nothing is compromised) and a hardware secure enclave (which is not a TPM chip, it's better).

edit: contact scopes (which GrapheneOS has had for ages) are coming in Android 17 to fix that issue.

@asterisk @nixCraft OK, so the first 16 versions of Android did suck.
(By the way, I hate the Flatpak principle, so you can criticize it all day; I will just boredly agree)
And Google, who wants to close the Android platform and enforce the equivalent of Microsoft's Treacherous Computing Platform, does suck even more.
Let's just degooglize this world... We'll breathe better air.
@maat @nixCraft They didn't suck, Google Play Services is what's always sucked (on stock play services can still access all your contacts as scopes are for third-party apps, get a Pixel or the upcoming Motorolas and flash Graphene on it if you'd like to restrict this and also regulate some other hidden permissions like Network and Sensors)

@asterisk @nixCraft Pixel = Google hardware = very little chance for me to buy that. Now that GrapheneOS works on other hardware, I might consider it as an option.

And let's agree to disagree: you will not change my mind about Android suckiness.

@maat @nixCraft

The Titan M2 is good hardware. A relockable bootloader is a good feature. The 2027 Motorolas will support GrapheneOS when they come out as part of the new agreement.

Edit: your arguments are just unfounded is all I'm saying, Android is much better than Linux and you have no proof to the contrary.

@asterisk @nixCraft you gave no proof either.
A fully integrated, patched, tuned, industrialized implementation cannot be compared with "Linux" in general, which means nothing and everything. 🙄
On a Linux installed and tuned by me on the desktop, you will just be able to do what is allowed and nothing else.
I'm sure the same thing and better can be done by far more skilled Linuxers than I am on mobiles with properly tailored Linux systems.
@nixCraft can you spoof it with an updated browser agent string?
@nixCraft Of course governments are ignoring Google's shenanigans, Google spends a lot of money on them.

@nixCraft If it doesn't work, pressure the website owners and bring down the captcha monopoly.

Edit: It probably violates accessibility requirements as well...

@nixCraft when will the new captcha be in production?
@rufus01 @nixCraft Considering many haven't updated from reCAPTCHAv2 I don't think we'll see this much.
@nixCraft so I guess there will be some website that I will not be visiting then.
Too bad for them..

@nixCraft The funniest part is that a lot of apps use Google libraries (which means most "degoogled" setups aren't actually degoogled) which can act like a copy of Play Services themselves, so those apps could be a viable option for verification if Google insists on an app, but Google's gotta have that invasive Play Services access, right?

edit: Blog post because the article above doesn't cite its sources:

https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-fraud-defense-the-next-evolution-of-recaptcha

Introducing Google Cloud Fraud Defense, the next evolution of reCAPTCHA | Google Cloud Blog
@asterisk @nixCraft no, because you need to be "licensed" by Google to have access to their crap of device attestation, so no, if you have a degoogled OS it will not work.
@hidikem @nixCraft You need to be licensed to pass the extra checks, yellowboot OSes like Graphene pass the basic check, but yeah they obviously use the extra ones that only allow greenboot CTS certified builds.
@nixCraft So, when you see the QR on your laptop, you'll need to scan it with your phone? I guess, this should reveal who (Google account) is trying to open the site.
@nixCraft This is clear abuse of monopoly, and absolutely has to be illegal (everywhere). I cannot see the EU tolerating it.

@simon_brooke @nixCraft Legally, the EU sees this as illegal.

In practice, the stupid morons at the head of our institutions don't see why it's dangerous because it does not touch them.

@nixCraft Wait, so people without smartphones are blocked from viewing websites on their computers because they can't scan a QR code?!
@nixCraft

You misunderstand. The government is not ignoring this. They are encouraging this.

All those new laws for age verification, for example, are to prevent you from using an operating system or ROM that cannot be monitored or controlled. Blocking reCAPTCHA on non-approved, non-certified, government- and corporate-sanctioned devices is just one piece of the big picture.
@Linux @nixCraft This is the beginning of the slippery slope towards building in spyware and backdoors into the cryptographic subsystems of Windows and Mac OS. It has literally jack-all to do with protecting children. It is the early steps of fascism in the United States.

@housepanther @Linux @nixCraft

It is not a slippery slope — it's the goal.

For example, the United States has made any new router not made in the USA illegal to import or sell. The problem is that no mainstream manufacturer currently makes routers in the USA. Whatever is currently in stock at stores and warehouses is all that is left.

However, companies can apply for special exceptions if they agree to implement the new control chip or firmware, and pay a fee. Netgear has recently done this.

@Linux @Linux @nixCraft Yeah, I saw that article. With the possible exception of Netgear ProSafe managed switches, most of the stuff they churn out sucks.

@housepanther
I dislike Netgear.

Their stuff is crap, but cheap, which is why many people buy it. If I wanted a router on sale at Walmart for $30–40, you know Netgear would be the first thing on the list. However, it would also be the first company to end support for its product and suggest you buy a new one. There was also that scandal a few years back where the solution Netgear posted after realizing they had made a defective device was to tell people to buy a new one.

@Linux @nixCraft

@Linux @housepanther @Linux @nixCraft

How exactly did they bend the knee? I can't find out what they did in the article.

@chewie

I need to stop using PC Magazine as a news source. They tend to silently update and revise their articles. I think they redo them for either better engagement or SEO, or something like that.

One of the links they included pointed to the FCC’s PDF file, which outlined the requirements in explicit detail to qualify for an exemption and continue operating in the USA.

@housepanther @Linux @nixCraft

@Linux @housepanther @Linux @nixCraft oh :(

There's a link to a PDF from the NetGear FAQ:

"How did NETGEAR receive conditional approval?

We reviewed the FCC's public guidelines for conditional approval, submitted an application that followed those guidelines, and received approval. The FCC's guidelines required detailed information for the relevant agencies to conduct an individualized national security assessment to determine whether the consumer router producer poses "unacceptable risks." Those public guidelines are available here: https://www.fcc.gov/sites/default/files/Guidance-for-Conditional-Approvals-Submissions0326.pdf"

is this the one?

@Linux @housepanther @Linux @nixCraft

Hmm, "No" is the answer - that's just the generic guidelines, now that i've read it :(

@chewie

Yes, the general PDF (which amounts to an introduction) only outlines a summary of the requirement for a plan and a projected long-term goal of manufacturing in the USA. It's a cover-letter in my opinion.

The other PDF, which I cannot find now, outlined the details more specifically.

@housepanther @Linux @nixCraft

@chewie

That was the first one, which is only the overlay (two pages, which amounts to a summary). There is another PDF that is more detailed and specific, beyond just manufacturing in the United States, because it goes into detail on what qualifies as manufacturing in the United States.

Truthfully, if you're good at searching the FCC's website, which I always found to be a mess. It was worth the read if you can find it.

@housepanther @Linux @nixCraft

@Linux @Linux @nixCraft You're just mixing metaphors. It is a slippery slope to the goal. I remember that piece of legislation. So, I simply virtualized OPNsense and I have my own router. Stupid fuckers. A tech pro will never be held back.

@Linux @nixCraft And I saw a youtube short (ugh, I know) saying that there's now a law being tabled in the US that will mean that government ID will be required to buy a SIM or phone (can't remember which), as an excuse to "stop Robo Calls".

What a load of BS.
Make it illegal to fake caller ID and surely a lot of problems will go away?

The originator should still be able to block caller ID, but then it's up to you if you pick up an "unidentified caller", surely?

Edit: Sadly, I can't find any more details about this at the moment - an original source would have been nice :(

Edit again: Found one: https://reclaimthenet.org/the-fcc-wants-your-id-before-you-get-a-phone-number

@nixCraft

So...now everyone needs a googled phone plus their real phone.

How's it going to be enforced? Will site-owners have the choice of whether or not they want to integrate this with their site?
@nixCraft I'm sure there will be exceptions for hardened devices for military and government