tek ,
@tek@calckey.world avatar

Bots can now solve CAPTCHAs better than humans

https://www.youtube.com/watch?v=IWUHv3S8JVI

@technology

96VXb9ktTjFnRi ,

How the hell am I supposed to know which parts of that picture contain bicycles?

banazir ,
@banazir@lemmy.ml avatar

I haven’t been able to solve CAPTCHAs in years.

lvxferre ,

Ditching CAPTCHA systems because they don’t work any more is kind of obvious. I’m more interested in what to replace them with; as in, what to use to prevent access of bots to a given resource and/or functionality.

In some cases we could use human connections to do that for us; that’s basically what db0’s Fediseer does, by creating a chain of groups of users (instances) guaranteeing each other.

lauha ,

What prevents the adversaries from guaranteeing their bots that then guarantee more bots?

lvxferre , (edited )

The chain of trust being formed. If some adversary does slip past the radar, and gets guaranteed, once you revoke their access you’re revoking the access of everyone else guaranteed by that person, by their guarantees, by their guarantees’ guarantees, etc. recursively.

For example. Let’s say that Alice is confirmed human (as you need to start somewhere, right?). Alice guarantees Bob and Charlie, saying “they’re humans, let them in!”. Bob is a good user and guarantees Dan and Ed. Now all five have access to the resource.

But let’s say that Charlie is an adversary. She uses the system to guarantee a bunch of bots. And you detect bots in your network. They all backtrack to Charlie; so once you revoke access to Charlie, everyone else that she guaranteed loses access to the network. And their guarantees, etc. recursively.

If Charlie happened to also recruit a human, like Fran, Fran will also get orphaned like the bots. However Fran can simply ask someone else to be her guarantee.

[I’ll edit this comment with a picture illustrating the process.]

EDIT: shitty infographic, behold!
https://i.imgur.com/BKsQtsU.png

Note that the Fediseer works in a simpler way, as each instance can only guarantee another instance (in this example I’m allowing multiple people to be guaranteed by the same person). However, the underlying reasoning is the same.
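The guarantee chain from the example above, written out as runnable code. This is an added illustration, not code from the thread or from Fediseer (which vouches per instance rather than per user); the class and method names are this example's own.

```python
# Added example: a guarantee chain with recursive revocation, following the
# Alice/Bob/Charlie scenario described above. Names and the class are constructed.
from collections import defaultdict

class GuaranteeChain:
    """Each user is vouched for by exactly one existing user; roots are trusted."""
    def __init__(self, roots):
        self.guarantor = {r: None for r in roots}   # user -> who vouched for them
        self.children = defaultdict(set)            # user -> users they vouched for

    def has_access(self, user):
        return user in self.guarantor

    def guarantee(self, guarantor, newcomer):
        # Only someone who currently has access can vouch; a newcomer gets one guarantor.
        if not self.has_access(guarantor):
            raise PermissionError(f"{guarantor} has no access and cannot vouch")
        if self.has_access(newcomer):
            raise ValueError(f"{newcomer} already has a guarantor")
        self.guarantor[newcomer] = guarantor
        self.children[guarantor].add(newcomer)

    def revoke(self, user):
        """Remove `user` and, recursively, everyone they vouched for.
        Returns the set of users who lost access (orphaned humans included)."""
        removed = set()
        stack = [user]
        while stack:
            u = stack.pop()
            if u not in self.guarantor:
                continue
            parent = self.guarantor.pop(u)
            if parent is not None:
                self.children.get(parent, set()).discard(u)
            stack.extend(self.children.pop(u, ()))   # descend into their guarantees
            removed.add(u)
        return removed

def scenario():
    chain = GuaranteeChain(roots=["Alice"])              # Alice is the confirmed human
    chain.guarantee("Alice", "Bob"); chain.guarantee("Alice", "Charlie")
    chain.guarantee("Bob", "Dan");   chain.guarantee("Bob", "Ed")
    for bot in ("bot1", "bot2"):
        chain.guarantee("Charlie", bot)                  # Charlie vouches for bots
    chain.guarantee("Charlie", "Fran")                   # ...and for one human
    chain.guarantee("bot1", "bot3")                      # a bot vouching for another bot
    lost = chain.revoke("Charlie")                       # bots traced back to Charlie
    chain.guarantee("Bob", "Fran")                       # Fran finds a new guarantor
    return lost, chain
```

Running `scenario()` shows the whole Charlie subtree losing access at once, while Dan and Ed (vouched for by Bob) keep theirs and Fran regains access through a different guarantor.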

AeroLemming ,

That sounds infeasible in the real world. 90% of the population isn’t even going to understand a system like that, much less be willing to use it.

lvxferre ,

That sounds infeasible in the real world. 90% of the population isn’t even going to understand a system like that, much less be willing to use it.

I’m tempted to say “good riddance of those muppets”, but that’s just me being mean.

On a more serious note: you don’t need to understand such a system to use it. All you need to know is that “if you want to join, you need someone who already joined guaranteeing you”.

In fact, it seems that Facebook started out with a system like this.

Plus you don’t need to use this system with lone individuals; you can use it with groups too, like the Fediseer does. As long as whoever is in charge of the group knows how to do it, the group gets access.

31337 ,

Doesn’t sound much more complicated than invitation-only services. Most people wouldn’t even really need to know the details of how it works.

Womble ,

Users don’t need to understand the system, all they need to know is you need to get someone to vouch for you, and if you vouch for bad people/bots you might lose your access.

lauha ,

Thanks for the explanation.

lvxferre ,

You’re welcome.

Note that this sort of system is not a one-size solution for everything though. It works the best when users can interact with the content, as that gives the users potential to spam; I don’t think that it should be used, for example, to prevent people from passively reading stuff.

skaffi , (edited )

[I’ll edit this comment with a picture illustrating the process.]

While we wait for the picture, I will use an analogy to provide a mental one:

Imagine a family tree. That is the chain of trust, in this analogy. Ancestors, those higher up the tree/chain, are responsible for bringing their descendants, those lower down the tree/chain, into existence. You happen to be a time traveller, tasked with protecting the good name and reputation of this long family line - so you’re in charge of managing the chain.

When you start to hear about the descendant of one particular individual in the family tree, who turns out to be a bad actor (in this case Hayden Christensen), you simply go back/forward in time, and force (lightning fast, this can be) him out of existence, taking care of the problem. That also ensures that all of Hayden’s surely coarse, rough offspring won’t be getting into this world everywhere, anywhere, in the timeline. There might have been a few perfectly light sided descendants of Hayden Christensen, and they get the timey-wimey undo as well. Too bad for them! Casualties of dealing in absolutes.

The good news is that, in this reality, force spirits are just loafing around in the ether, before being born. Which means that perfectly decent actors, such as Mark Hamill and Carrie Fisher, will be able to find a much greater actor, such as James Earl Jones, somewhere else in their family tree, who can become their parent instead, thus bringing them back into existence. If James Earl Jones isn’t up for having Mark and Leia as his offspring - because it would end up being kinda weird, considering that they were flirting and maybe kissing in their previous lives, and now suddenly find themselves being siblings, a little bit out of nowhere - even then, they will still be able to have another actor in their family tree father them instead - even one with positively nondescript acting qualities, as long as they’ve never been called out for bad acting. David Prowse might become their Dad, for instance.

Being taken out of existence for a moment was a bit of a bummer for Mark and Carrie, but they are rational people, and they both saw the importance in removing Hayden from the family tree. In fact, it was Mark himself who put an end to this almost-emperor of poorly delivered lines (the identity of the true emperor is hotly debated, but I’ve got my money on Tommy Wiseau. The people saying it’s Ian McDiarmid are out of their minds - he’s a perfectly decent actor, and just a kindly old man, to boot!), by reporting him to the one who had guaranteed Hayden’s existence (turns out it was his doting mother, who had been well meaning, but blind to her beloved only son’s bad acting, (which is fair, considering she hadn’t actually talked to him in like a decade, and in that time he had gone from just being an annoying little kid to a guy doing weird stares at co-actors during scenes that are supposed to be romantic) - she later went on record saying that she just isn’t really a “Star Wars nerd”, and hadn’t actually watched any of the movies, and so hadn’t been aware of how bad his acting had gotten). Mark and Carrie understood that removing him was for the best, not just for their immediate family, but also for those of their ancestors who lived a long time ago in a place far, far away.

Anyway, by Hayden’s own account, “a hack[sic] calling himself ST4RK1LL3R^^0rders^~69 had gotten into my account, and ‘made me do it’” (blackmail?), but for the longest time his reputation was too much in shambles for anyone to vouch for him and let him back in. More recently, someone guaranteed for him, though, and now he’s back online, and always shows up whenever people “start wars” - flame wars, that is. Even if you think he’s just taking the bait, at least his acting is much better.

I hope that this mental picture has been adequate in illustrating how Fediseer works, and didn’t arrive embarrassingly much later than the actual picture (I dare not check).

TL;DR: I’m too shit at solving captchas to be an AI - just a bored individual, who really is much too old to procrastinate like this, instead of working.

lvxferre ,

Now I’m glad that I took my sweet time with Inkscape - your analogy is fun.

(Don’t tell anyone but I’m also procrastinating my work.)

shortwavesurfer ,

Proof of work. This won’t stop all bots from getting into the system, but it will prevent large numbers of them from doing so.

lvxferre ,

Proof of work could be easily combined with this, if the wasted computational cost is deemed necessary/worthy. (At least it’s wasted CPU cost, instead of wasted human time like captcha.)

shortwavesurfer ,

Tor has already implemented proof of work to protect onion services, and from everything I can tell it has definitely helped. It’s a slight inconvenience for users, but it becomes very expensive very quickly for bot farms.

31337 ,

I wonder if such a system could be designed to be privacy-preserving.

lvxferre ,

If using this system with individuals, privacy is a concern because it shows who knows who. And the system needs that info to get rid of bad faith actors spamming it.

However, if using it with groups of individuals, like instances, it would be considerably harder to know who knows who.

Milk_Sheikh ,

Eyyyyy we’re fucked 🙃

Bonesince1997 ,

Bro, every time I get the select all the ‘x’ tiles (motorcycle, bicycle, bus, etc) one I never know if it means “all” of them, like even ones with just a little bit on the tile. Does it want the tires, too? It’s bullshit. Never seems to be correct, what I select.

ultranaut ,

I’ve always done any square that includes any part of the thing, so the tire on the bus or the helmet of the motorcycle rider. That no longer works for me though; recently I keep getting more images and they seemingly never stop, so I just give up on whatever I was trying to load. It’s pretty ridiculous how shit the internet has become.

Eril ,

By now I’m up for filling in one of these things. If they show me a second one, I’m out. Not wasting my time training some AI.

hendrik ,

I think they don't train AI with captchas anymore. That used to be the case 10 years ago when we put in all the house numbers for Google Maps. But as far as I know they learned to do it cheaper without the captcha service. As of now (and for some time already) the results are just wasted.

FutileRecipe ,

so the tire on the bus

Ok, part of the bus.

the helmet of the motorcycle rider

The helmet is not part of a motorcycle. I will fail that captcha every time if it requires it.

knatschus ,

You’re training AI on road safety; the head of the rider is the most important part of the motorcycle, I would argue.

EliteDragonX ,

IKR! I try and solve the CAPTCHA and there’s a tiny 5 nanometer slice of crosswalk on another tile, and I have no idea if I need to click it or not. And then sometimes you don’t have that issue, and you click all the correct tiles, and then it just takes you to another one, and another one, and another one… they really need to improve it.

Exusia ,
@Exusia@lemmy.world avatar

“select the bikes” That’s a motorcycle and that’s a moped. Those don’t count-uh I fucking guess they do?

“Select the bus” Bro that’s an intersection at 200 feet.

“Type the Captcha letters” Is that a lowercase r or a capital T?

Dhs92 ,

I found out recently that the letter captchas aren’t case sensitive most of the time.

Damage ,

Lowercase L and uppercase i are so fucking problematic

MonkderDritte ,

It looks at what most people do, and humans are lazy, so, I guess, select only the fully covered tiles?

Wistful ,
@Wistful@discuss.tchncs.de avatar

So what would be a good solution to this? What is something simple that bots are bad at but humans are good at it?

NegativeInf ,

Isn’t the real security from how you and your browser act before and during the captcha? The point was to label the data with humans to make robots better at it. Any trivial/novel task is sufficient generally, right?

I_Miss_Daniel ,

Smell? :)

lemmyvore ,

Seriously, we probably need to dig into some parts of the human senses that can’t be well defined. Like when you look at an image and it seems to be spinning.

OsrsNeedsF2P ,

I work in a related space. There is no good solution. Companies are quickly developing DRM that takes full control of your device to verify you’re legit (think anticheat, but it’s not called that). Android and iPhones already have it, Windows is coming with TPM and MacOS is coming soon too.

Edit: Fun fact, we actually know who is (beating the captchas). The problem is if we blocked them, they would figure out how we’re detecting them and work around that. Then we’d just be blind to the size of the issue.

Edit2: Puzzle captchas around images are still a good way to beat 99% of commercial AIs due to how image recognition works (the text is extracted separately with a much more sophisticated model). But if I had to guess, image puzzles will be better solved by AI in a few years (if not sooner)

parpol ,

So Linux users are about to be blocked everywhere unless they install malware. I think I would rather just live with a dead internet.

henfredemars ,

Not if we build our own open and free-as-in-freedom Internet first.

Bonesince1997 ,

Only to be discovered by the bots and other ne’er-do-wells…

SexualPolytope ,
@SexualPolytope@lemmy.sdf.org avatar

With blackjack and hookers.

Bender smoking a cigar

BlessedDog ,

In fact, forget the whole internet

Hugh_Jeggs ,

I don’t have this problem because I use Windows

brbposting ,

I love Microsoft’s email signup CAPTCHA:

https://sh.itjust.works/pictrs/image/9fd1b380-dfae-4864-b9ce-e8e01ada04cb.jpeg

Repeat ten times. Get one wrong, restart.


iPhones already have it

Private Access Tokens? Enabled by default in Settings > [your name] > Sign-In & Security > Automatic Verification. Neat that it works without us realizing it, but disconcerting nonetheless.

So, the spammers will need physical Android device farms…

https://sh.itjust.works/pictrs/image/413b3c48-5d8b-49b9-b38a-12ea4e4bed0a.jpeg

https://sh.itjust.works/pictrs/image/bd1d374b-edfc-457d-8294-d5da8db4a993.jpeg

OsrsNeedsF2P , (edited )

More industry insight: walls of phones like this are how companies like Plaid operate for connecting to banks that don’t have APIs.

Plaid is the backend for a lot of customer-to-business financial services, including H&R Block, Affirm, Robinhood, Coinbase, and a whole bunch more.

Edit: just confirmed, they did this to pass rate limiting, not due to lack of API access. They also stopped 1-2 years ago.

brbposting ,

No way!! Can’t find anything about it online - is this info by way of insiders? Thanks for sharing, would have NEVER guessed. Not even that they’d have to use Selenium, much less device farms.

OsrsNeedsF2P ,

Yup, insider info they definitely don’t want public. Just confirmed the phone farms were to bypass rate limiting, although they do use stuff like Selenium for API-less banks.

EliteDragonX ,

Oh my god. I lost my fucking mind at the Microsoft one. You might as well have them solve a PhD-level theoretical physics question.

brbposting ,

Just noticed the screenshot shows 1 of 5.

So five wasn’t good enough… they had to double it. Do kinda respect that they’re fighting spammers, but I wonder how Google does it with Gmail. They seem to have tightened and then recently loosened up on their requirement for SMS verification (but this may be an inaccurate perception).

IphtashuFitz ,

I know some sites have experimented with feeding bots bogus data rather than blocking them outright.

My employer spotted a bot a year or so ago that was performing a slow speed credential stuffing attack to try to avoid detection. We set up our systems to always return a login failure no matter what credentials it supplied. The only trick was to make sure the canned failure response was 100% identical to the real one so that they wouldn’t spot any change. Something as small as an extra space could have given it away.

Lost_My_Mind ,

Pizza toppings. Glue is not a topping.

Imgonnatrythis ,

Neither are pineapples. Fight me.

SlopppyEngineer ,

Neither were tomatoes before 1500. Times change.

Eylrid ,

Glue is not a topping. Pineapples are not glue. Therefore pineapples are not not a topping.

MagicShel ,

This is some AI logic for sure.

tal ,
@tal@lemmy.today avatar
db0 ,
@db0@lemmy.dbzer0.com avatar

Knowing what we now know, the bots will instead just make convincingly wrong arguments which appear constructive on the surface.

DarkDarkHouse ,
@DarkDarkHouse@lemmy.sdf.org avatar

So, human level intelligence

db0 ,
@db0@lemmy.dbzer0.com avatar

You’re wrong but I don’t have the patience to explain why.

weststadtgesicht ,

Not a constructive comment, captcha failed.

shortwavesurfer ,

Proof of work. For a legitimate account, it’s a slight inconvenience. For a bot farm, it’s a major problem.
