Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Robotics

Are CAPTCHAs More Than Just Annoying? (msn.com) 69

The Atlantic writes: Failing a CAPTCHA isn't just annoying — it keeps people from navigating the internet. Older people can take considerably more time to solve different kinds of CAPTCHAs, according to the UC Irvine researchers, and other research has found that the same is true for non-native English speakers. The annoyance can lead a significant chunk of users to just give up.
But is it all also just a big waste of time? The article notes there's now even CAPTCHA-solving services you can hire. ("2Captcha will solve a thousand CAPTCHAs for a dollar, using human workers paid as low as 50 cents an hour. Newer companies, such as Capsolver, claim to instead be using AI and charge roughly the same price.")

And they also write that this summer saw more discouraging news: In a recent study from researchers at UC Irvine and Microsoft:

- most of the 1,400 human participants took 15 to 26 seconds to solve a CAPTCHA with a grid of images, with 81% accuracy.

- A bot tested in March 2020, meanwhile, was shown to solve similar puzzles in an average of 19.9 seconds, with 83% accuracy.

The article ultimately argues that for roughly 20 years, "CAPTCHAs have been engaged in an arms race against the machines," and that now "The burden is on CAPTCHAs to keep up" — which they're doing by evolving. The most popular type, Google's reCAPTCHA v3, should mostly be okay. It typically ascertains your humanity by monitoring your activity on websites before you even click the checkbox, comparing it with models of "organic human interaction," Jess Leroy, a senior director of product management at Google Cloud, the division that includes reCAPTCHA, told me.
But the automotive site Motor Biscuit speculates something else could also be happening. "Have you noticed it likes to ask about cars, buses, crosswalks, and other vehicle-related images lately?" Google has not confirmed that it uses the reCAPTCHA system for autonomous vehicles, but here are a few reasons why I think that could be the case. Self-driving cars from Waymo and other brands are improving every day, but the process requires a lot of critical technology and data to improve continuously.

According to an old Google Security Blog, using reCAPTCHA and Street View to make locations on Maps more accurate was happening way back in 2014... [I]t would ask users to find the street numbers found on Google Street View and confirm the numbers matched. Previously, it would use distorted text or letters. Using this data, Google could correlate the numbers with addresses and help pinpoint the location on Google Maps...

Medium reports that more than 60 million CAPTCHAs are being solved every day, which saves around 160,000 human hours of work. If these were helping locate addresses, why not also help identify other objects? Help differentiate a bus from a car and even choose a crosswalk over a light pole.

Thanks to Slashdot reader rikfarrow for suggesting the topic.
This discussion has been archived. No new comments can be posted.

Are CAPTCHAs More Than Just Annoying?

Comments Filter:
  • by serafean ( 4896143 ) on Sunday December 03, 2023 @03:07PM (#64051277)

    > Previously, it would use distorted text or letters.

    It was always two words. One well readable, the other not.
    Typing the first (well readable) word was enough to pass the captcha...
    Rumor has it it was to help google books' scanned data integrity.

    • A certain imageboard even had a public awareness campaign encouraging everyone to just type gibberish for the second word.

      • A certain imageboard even had a public awareness campaign encouraging everyone to just type gibberish for the second word.

        No a certain image board is full of anti-social shits who really deserve to get hit by a self driving car who mistake them for a green traffic light they themselves trained.

        A public awareness campaign is telling someone something does something. Actively polluting useful datasets for shits and giggles makes you a cunt.

        • by flink ( 18449 )

          Google thinking they are entitled to my labor for free just because I want to log into my bank is also pretty cunty.

          • It sounds like your bank thinks Google is entitled to your free labor. They knew what they were doing when they put a CAPTCHA on their login page.
        • You think people should be killed or at least violently maimed by moving machinery for spreading the word (that is to say, sharing awareness, in a public manner) about how to quickly bypass irritating captchas.

          Whatever moral high ground there might ever be in battles against /b/tards, I can assure you that you are absolutely not standing on it.

        • > Actively polluting useful datasets for shits and giggles makes you a cunt.

          Yeah, but no.
          Had google put a description there (or made it very publicly known) that it was using it to train datasets, it would have been fair game, and I'd happily contribute. Covertly, no...

    • by thegarbz ( 1787294 ) on Sunday December 03, 2023 @06:34PM (#64051623)

      Rumor has it it was to help google books' scanned data integrity.

      What is it with reCAPTCHA that has people so cautious about stating the obvious. No it's not a rumour that it has helped Google scan books. It's actually what Google does and actively advertises it does on its website https://www.google.com/recaptc... [google.com]

      reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.

      • by arglebargle_xiv ( 2212710 ) on Sunday December 03, 2023 @10:35PM (#64052105)

        And the same thing for training with street furniture, Google has always used that to train models used for driving.

        Of course the problem with that then is that what's being asked of users is "identify what you think the CAPTCHA model thinks is a stop sign/traffic light/motobike/whatever", not "identify what actually is a stop sign/traffic light/motobike/whatever". Try it the next time you're asked to identify one of those things and keep getting told you need to try again.

        • It's ok, that's probably my fault for deliberately mixing fake answers with the real ones. I figure about 20% of incorrect responses will pass the test, I usually start with 50% fake ones though and reduce until I get through.

          It's interesting that the captchas don't seem to show a lot of human beings. I guess Google isn't dumb enough to ask random strangers (*) if the picture of a 3 year old crossing the road is an important hazard for a self driving car.

          (*) most of whom (let's face it) are porn fiends

          • It's ok, that's probably my fault for deliberately mixing fake answers with the real ones.

            Fortunately you're not actually doing anything negative. Only a small subset of users are such arseholes that attempt to poison learning data sets that they get lost in the noise after other users correct them. I'm sure you feel good about your narcissistic actions though.

            • That's actually incorrect, the 80/20 rule applies to all datasets with large cardinality of outcomes. It's true that for a relatively small class of "common" images a single user's incorrect identification will be overridden by the average provided by other users, however for "uncommon" images (aka the remaining 20%, aka the tail of the distribution, etc) there won't be enough other eyeballs to override one user's classification. It's the nature of datasets with many classes, and it's the reason Google per
        • by AmiMoJo ( 196126 )

          The squares too too big and the question is ambiguous. Select the sign. Does that include the pole it is mounted on? Do the traffic lights include the pedestrian crossing button?

          When select a motorbike, does that include the rider and the tyres? Or just the body of the machine?

        • That's not a problem. That's a design feature. They are targeting a certain pass rate and log your answers. The "this is wrong" answer you get back from Google feeds into their training set. Give the same thing to 5 users and 4 of them come back with the same "wrong" answer is a positive training to your own model. These aren't once-off images seen by only you and no one else.

          Also Google changes the difficulty of the reCAPTCHA based on the threat model of the user. Try this one day: Log in to a website via

  • by Ken_g6 ( 775014 ) on Sunday December 03, 2023 @03:07PM (#64051279)

    https://xkcd.com/1897/ [xkcd.com]

    And, first?!

  • Of course you could always register, subscribe etc

    • Re:CAPTCHA (Score:5, Insightful)

      by Anubis IV ( 1279820 ) on Sunday December 03, 2023 @04:16PM (#64051381)

      Many sites have CAPTCHA as part of the login process, which is just ridiculous. I can already prove I have an account, so why are you asking me to prove my humanity again? Throttle the login to prevent nefarious things? Sure. Registration? I get it. But stop wasting my time with logins.

      • by Luckyo ( 1726890 )

        Easy protection against DDoS. You can DDoS the login page by trying infinite logins and passwords randomly.

        • Easy protection against DDoS. You can DDoS the login page by trying infinite logins and passwords randomly.

          If DDoS is your concern, a CAPTCHA won’t help that. I can just spin up more bots to slam you repeatedly. It is a way of throttling attempts at guessing login credentials, but there are far easier, better, and less invasive ways to do the same, such as simply adding a small delay to each login request (costs you nothing but will stop a random guesser in their tracks).

          • Or even just waiting until the 3rd (5th, 10th, whatever) failed login attempt in x seconds to show a CAPTCHA.

          • by Luckyo ( 1726890 )

            You're arguing against reality. When captchas were integrated properly a few years ago with services like cloudflare, DDoS effectiveness against websites crashed.

      • by AmiMoJo ( 196126 )

        Lots of users re-use passwords. The captcha makes it harder for bots to try username/password combos that were leaked in some data breach.

  • by 93 Escort Wagon ( 326346 ) on Sunday December 03, 2023 @03:18PM (#64051307)

    'The most popular type, Google's reCAPTCHA v3, should mostly be okay. It typically ascertains your humanity by monitoring your activity on websites before you even click the checkbox, comparing it with models of "organic human interaction," Jess Leroy, a senior director of product management at Google Cloud, the division that includes reCAPTCHA, told me.'

    See, Google is tracking your activity for your own benefit!

    Also note this requires cross-site third-party tracking and thus will only work in Chrome.

    • by mysidia ( 191772 )

      It typically ascertains your humanity by monitoring your activity on websites before you even click

      Except when it doesn't and then it asks you to identify pictures that have Motorcycles in them presents you with pages and pages of Difficult images, And ambiguous ones where parts of avsingle motorcycle may intersect with multiple images.

      • The really annoying type is when they use it as a covert rate-limiter. Oh so slowly fading out the square, oh so slowly fading in the next.
    • See, Google is tracking your activity for your own benefit!

      It doesn't me: I enable www.google.com and gstatic.com in Noscript and Ublock Origin just for the time of the captcha, then I disable them again.

      Also, I do my best to poison the captcha: Google actually needs your input as much as you "need" to pass the fucking captcha, so it will accept some errors in your resolution of the captcha. So I always select a few squares wrong, and on average, it doesn't seem to make the captcha any longer.

      Another thing that helps - especially if you want to poison the captcha -

      • by Luckyo ( 1726890 )

        Interesting, I didn't know about the mouse behavior one. Thanks for sharing that.

        On the topic of "usefulness" I would disagree though. There genuinely needs to be some form of cheap and easily accessible DDoS protection on the internet. Captchas, as annoying as they are have provided a cost effective solution for both sides. A lot of small sites wouldn't really survive their first twitter/4chan brigading attempt without captchas.

    • by Reziac ( 43301 ) *

      Probably also explains my numerous battles with reCAPTCHA, because I have the majority of the Googleplex blocked in HOSTS.

  • by JoeDuncan ( 874519 ) on Sunday December 03, 2023 @03:25PM (#64051313)
    ... there's plenty of auto-captcha extensions out there, almost as mandatory as adblockers now.
    • by Luckyo ( 1726890 )

      Problem with those is that when these get attacked by captcha creators, you may get IP banned or banned based on a cookie, which can be a pain to diagnose and resolve.

    • I'm going to go out on a limb here and say that someone who is elderly and maybe has a bit of brain fog as a result or just plain has some form of disability is going to have a tough time using those Auto capta extensions. If only because that's the kind of thing that there are probably a thousand different extensions that are really just malware....
  • by davidwr ( 791652 )

    Yes, CAPTCHAs are more than just annoying.

    Multiple meanings implied.

  • by david.emery ( 127135 ) on Sunday December 03, 2023 @03:39PM (#64051329)

    It infuriates me when an institution (such as a bank or financial service) uses those goddamn things, so that using the institution's website make me subject to the CAPTCHA's terms of service, privacy/surveillance, etc. I have raised that issue with the company that handles my retirement accounts, bitching well up the corporate chain (but of course never getting to an actual corporate officer who could change the policy.) The defense I get is "this is a security measure that prevents attacks on our website." to which I respond "Well, as a security measure, it doesn't work very well. And do you really want to send the message to your customers/clients that 'your privacy is not very important to us'?"

    And on another website, this shit shows up AFTER I've entered my password, which shows truly clueless website security.

    • Well, as a security measure, it doesn't work very well.

      Actually it works very well. The fact that it is defeatable doesn't mean it isn't useful. One of the best security measures you can implement is a 2 second delay on login. Given that these things take 10+ seconds to solve by bots automatically it massively reduces the amount of attacks an attacker can implement if forced on every login attempt (which many sites do).

      It's about as secure as closing your window at night. Sure it's not going to stop a brick going through it, but it will stop a casual hand reach

      • You can implement a 2-10 second delay in logon attempts easily though without going to a captcha. Lock the account down for X too many attempts on a specific account, from a specific IP address, etc...

        • "too many attempts on a specific account" gives attackers an easy way to DoS a particular customer.

          "too many attempts from a specific IP address" gives attackers an easy way to DoS other customers behind the same carrier-grade network address translation (CGNAT) gateway.

          • Oh noes! Whatever will the other customers of that Bulgarian phone company do when someone locks their shared IP out of my local bank's website?

          • You know, my first thought is that if somebody is trying to DoS my account with my bank, that's something that I think I'd want to know about? More than necessarily being able to access my account at that moment?

            To wit: If the bank detects a DoS/Password crack attempt against "JohnnyB", I think Johnny would appreciate a phone call about it. I also tend to think that shutting down a password cracking attempt(of various sorts) that can actually be narrowed down to a fairly specific source is a good thing,

            • by vbdasc ( 146051 )

              I also tend to think that shutting down a password cracking attempt(of various sorts) that can actually be narrowed down to a fairly specific source is a good thing, even if it might theoretically affect a user (such as the other poster mentioning a gateway of a Bulgarian carrier, presumably against a US bank, where there probably aren't many customers in bulgaria).

              What if it's an US ISP, instead of Bulgarian?

              • Then they can contact that ISP and have a realistic chance of getting it shut down.

                Or even get US law enforcement involved and have some chance of a bust.

                It is still more likely to just be a proxy on a compromised box though.

        • You can implement a 2-10 second delay in logon attempts easily though without going to a captcha.

          Or you can get the user to do something useful while they wait.

          The question here isn't either/or, it's always been an expansion of utility for a given time. The worst CAPTCHAs are the ones which are machine generated. Classifying AI images is objectively useful, and far more so than sitting on your thumb for 10 seconds.

    • What pisses me off is the logon CAPTCHA. This is literally the dumbest possible way to rate-limit password brute force guess attempts.

      I used to have a tiny bit of sympathy for new account CAPTCHAs on free sites. That is fading fast though.

  • Some sites that are large SPAM sources seem to code their SPAM complaint forms with a mis-coded CAPTCHA. Part of me wonders if it's so people won't report SPAM from their site but I'll bet it's just poor QA. "Don't ascribe to malice what you can easily ascribe to incompetence."
  • They know damn well you're not a robot. They're counting on it.
  • by sinij ( 911942 ) on Sunday December 03, 2023 @03:47PM (#64051345)
    For years Google punished people that avoided their insidious tracking with additional CAPTCHA. Sure, it is also used to stop low-effort bots and scripts, but I am not convinced it is still its primary purpose.
  • Think about how much of your life you have spent solving a captcha. Sure, it's probably not much, but if its one of the companies like hCAPTCHA that are actually using your labor to train their AI models, well they are not paying you for your labor. This also means they aren't paying appropriate taxes on that work. It's many billions of dollars in lost tax revenue in aggregate. Oh, and they also employ child labor.

  • Just ask multiple questions or show a situation that requires reasoning and future-simulation to figure out -- it will confuse itself because it doesn't really understand the question it comes up with a broad answer. Let me try it in ChatGPT 4 .. notice from it's generalized response it has no reasoning of what was actually asked, and it royally F'd up the second question:

    >Alice plants an orange seed in concrete. Bob plants one in soil. Which one will eventually get oranges?

    ChatGPT
    Alice and Bob's experim

  • by hfollmann ( 564898 ) on Sunday December 03, 2023 @05:15PM (#64051473) Homepage
    The discriminate against impaired users.
  • I have to switch off my VPN if I don't want to spend the rest of my life clicking the box and not getting in.

  • Now those are annoying as hell. Nothing too bad with the Google ones, but the commercial CAPTCHA companies are just the worse, because you know they're doing it to make money.

    And some are plain annoying - like HCAPTHA. You know this because they involve doing a ton of puzzles. I tried to log into my Sony account and it wanted me to do 8 not-very-easy math problems (seriously, you expect people to do 3 digit additions/subtractions/multiplications/etc mentally?!) and stupid "point the object in the same direc

  • by Dwedit ( 232252 ) on Sunday December 03, 2023 @07:41PM (#64051777) Homepage

    I just use a really simple trivia question that anyone of similar fandom or interest will get instantly.

    Unique enough to stop the completely automated bots. They're not trying to solve unique questions presented by particular communities, even if you could just ask a LLM chatbot for the answer.

    Anyone else you can just IP ban.

  • I hate Captcha, I try using the Audio puzzle as much as I can. F The Pictures!
  • 1. Implement the annoying CAPTCHA system.
    2. Sell CAPTCHA bypass passes for a nominal fee.
    3. Profit!

  • ... but they just fucking aren't.

    Aside from the unreadable grainy shots, the fuzzy logic of whether the shadow is part of a bicycle, or whether or not a tiny line one pixel off the horizon is a crosswalk... sometimes you are 100% right and it STILL rejects your answer.

    May everybody who works at captcha rot in hell. Coder to janitor.

  • My biggest problem with image grid captchas is they slow me down. You have to deliberately move the mouse in non-linear paths to pass, and pause a least a fraction of a second between clicking images, otherwise you fail the test.
  • These are more annoying. Who is to blame for those?
    Also, both Google and Cloudflare blocking (and similar) vpn server IP addresses. They obviously don't care about our privacy.

  • > Older people can take considerably more time to solve different kinds of CAPTCHAs

    Quick, off the top of your head, can you name an activity that older people *don't* take longer to complete?

    As far as I know, there is only one such activity, namely, falling asleep. Every single thing that people do, they do slower when they're older. It takes my dad 45 minutes to go to the bathroom. It takes him 10 minutes or more, twice a day, just to take his pills, _when somebody brings them to him_

    Mom's in conside
  • I am not kidding, sometimes I needed more than 30 screens. You solve an images but it says next, next, next, next and when you can finally solve it, it says "wrong, try again". Repeat a lot of times. And when it says "click on the cars/hills/whatever until there are none left" and they keep reappearing ...

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...