"Scan to Verify You're Human": Google's reCAPTCHA is trialing a new "experimental challenge type" which requires desktop users to use an Android or iOS device to be able to pass it
from cypherpunks@lemmy.ml to privacy@lemmy.ml on 28 May 19:26
https://lemmy.ml/post/47973354

cross-posted from: lemmy.ml/post/47972724

i encountered this for the first time today while attempting to read something on archive.today.

i confirmed that decoding the qrcode using a computer and following the URL it contains is insufficient; the error it gave directed me here which is what the linked screenshot is of.

the old type of captcha remains available too, for now:

screenshot of text: Important: Mobile verification for Google Cloud Fraud Defense is an experimental challenge type in Preview. Visual and audio challenges are available as alternatives for users who can’t complete mobile verification. To use them, click the Visual or Audio buttons.

screenshot of google support webpage with text: To complete the mobile verification, you must use a compatible mobile device. If verifying on iOS/iPadOS device with version 15.0-16.4, download the reCAPTCHA app in the App Store. After installation, return to the challenge to try again. If verifying on Android device with Google Play Services version older than 25.41.30, upgrade to the latest Google Play Services version. After upgrading, return to the challenge to try again. Scan to Verify You're Human. Use your phone's camera app to scan this QR code. This securely links your device. Mobile Verification. Verification will initialize the reCAPTCHA app on your device.

#privacy


birdwing@lemmy.blahaj.zone on 28 May 19:45 next collapse

So Linux users are fucked?

Hawke@lemmy.world on 28 May 19:55 collapse

No; they said you can use Android.

turboSnail@piefed.europe.pub on 28 May 20:09 next collapse

So, throw an android image into a virtual machine?

Hawke@lemmy.world on 28 May 20:14 next collapse

Seems a little round-about. But if you want, I guess you could do that for some reason.

iglou@programming.dev on 28 May 22:49 collapse

Do you not understand why people don’t want to link their mobile to every website they visit?

Hawke@lemmy.world on 28 May 23:03 collapse

I absolutely do, but Linux-or-not has nothing to do with that.

ZenAspirate@sh.itjust.works on 28 May 21:31 next collapse

It needs Google play services on a play integrity passing device

adarza@lemmy.ca on 28 May 21:38 collapse

don’t forget to sign-in to the google account you want the ‘protected’ web site visit logged to.

birdwing@lemmy.blahaj.zone on 28 May 20:23 collapse

Android ≠ Linux

Android is based on a modified version of Linux, and owned by Google. Linux is independent.

Hawke@lemmy.world on 28 May 21:57 collapse

Android is Linux. Not all Linux systems are Android, but all Android systems are Linux.

It’s not necessarily helpful to those on desktop Linux, but it is Linux if someone wants to be a purist about which operating systems run on their hardware.

North@lemmy.org on 29 May 11:56 collapse

First of all, Android is an operating system, and Linux is a kernel. OS ≠ Kernel.

Second of all, it’s not even the generic Linux Kernel. It is heavily modified by Google LLC.

GeeksForGeeks: Difference between Linux and Android

SnotFlickerman@lemmy.blahaj.zone on 28 May 19:48 next collapse

  1. People without a mobile device are fucked out of being able to pass a captcha

  2. As if this isn’t a way for them to associate multiple sessions on multiple specific devices with one another, this is just another avenue for data collection, period. Hidden under the guise of “more secure.”

Chulk@lemmy.ml on 28 May 20:36 next collapse

I imagine scammers are already thinking of ways to use this for phishing too

adarza@lemmy.ca on 28 May 21:29 next collapse

i have one. but it isn’t android, or ios, or ‘smart’ in any way. it doesn’t even text. it’s just a telephone that fits in my pocket and connects to the cellular networks. it’s all i want. it’s all i use. it’s all i’ve needed ever since i got my first one about 25 years ago.

leadore@lemmy.world on 29 May 00:44 next collapse

Same! Except mine does do SMS text and has the other flip phone stuff like alarms, timer, calendar.

explodicle@sh.itjust.works on 29 May 16:49 collapse

Don’t worry you’re included. Simply visit one of our Accessibility Centers between 8am-9am on odd Wednesdays, with a valid birth certificate, filled-out form from here, and a notarized Charizard.

Prove_your_argument@piefed.social on 28 May 21:31 next collapse

Captcha has been one of the greatest google acquisitions ever.

They acquired it under the guise of improving OCR and have since morphed it into an AI data farm (how else is google lens gonna know what objects are what?) and now total insight into a user’s every single action from desktop to mobile, tying it all together into a surveillance nightmare.

I can guess the permissions that the recaptcha app needs now. Probably something akin to root access with all datapoints and considerations you could think of.

No1@aussie.zone on 29 May 01:04 next collapse

I used to always add one incorrect tile and skip one correct tile. (It would still pass)

I thought I was such a rebel lol

Then I figured, they’d be stupid if they didn’t show the same image to multiple people…

Lumidaub@feddit.org on 29 May 20:59 collapse

How would that teach Lens to recognise anything other than motorcycles and traffic lights really well?

Prove_your_argument@piefed.social on 29 May 21:51 collapse

I’ve had many, many not traffic light and motorcycle/bicycle recaptchas. They’re probably leaning a bit into self driving learning the past few years.

Lens has a lot more data points nowadays after everyone’s google photos was used for training for what, 10+ years at this point?

Google harvested all human typed words 15 years ago with the google library project. They’ve been hoarding and processing data for models forever.

Lumidaub@feddit.org on 29 May 23:03 collapse

I was being at least partly facetious because I rarely get anything but motorcycles and traffic lights and even then it’ll most likely ask me about buses or bridges. Not disagreeing that they’re hoarding data :)

Corngood@lemmy.ml on 28 May 21:53 next collapse

You don’t have to drink a verification can, but you do need to buy a verification phone.

umbrella@lemmy.ml on 28 May 22:54 next collapse

notably, this kills any alternative to android.

traceur402@lemmy.blahaj.zone on 29 May 00:56 collapse

not if you kill google first

umbrella@lemmy.ml on 29 May 01:25 next collapse

that’s plan A

Mr_WorldlyWiseman@lemmy.blahaj.zone on 29 May 07:38 collapse

🟩 🧑‍🔧 🪠

HeHoXa@lemmy.zip on 29 May 01:41 next collapse

  1. Bots don’t have trouble scanning QR codes nor emulating Android

MrKoyun@lemmy.world on 29 May 13:09 collapse

The point with captchas is not really that bots can’t pass them, more that it’s too expensive to pass them consistently with a hurtfully large enough volume of bots.

HeHoXa@lemmy.zip on 29 May 15:29 collapse

I’d heard of this strategy, like making it perform some kind of costly encryption that’s irrelevant to a human user but restrictively expensive for a bot army.

But does decoding a QR code apply? I never really thought about it. I guess it’s an image, it’s at least a little big by comparison… but it’s also in a restricted, easy to capture spot and maybe could be minimized to a fairly small pixel set? Idk how many key pixels you need to parse a QR code… I guess I could Google

*typo bit --> bot and bit --> big… I’m full of bit

MrKoyun@lemmy.world on 29 May 19:01 next collapse

I don’t know much about this new captcha system, but I feel like the challenge wouldn’t really be in the scanning of the qr code itself but more so on making the device you’re scanning with seem legitimate. They could check usage patterns, what apps are installed, how many accounts are added and are they actively used, location and sensor data, are the hardware specifications really unusual, are they constantly trying to complete random captchas… Stuff like that to tell apart a real user’s device from a bot or sandbox. The QR Code is probably just a random ID for which captcha instance the user is trying to pass.

Also I just realised this but this is probably inconvenient as hell. Like I do NOT want to constantly be picking up my phone to scan QR codes when I’m trying to go around the Internet. What if my phone is on the other side of the house? I don’t want to get up and walk all the way over there! If this gets fully rolled out there may actually be a small dip on the amount of desktop users of websites because they just leave when they are hit with this captcha instead of bothering to scan a code.

HeHoXa@lemmy.zip on 29 May 19:12 collapse

Heard. We have a QR 2auth system for one of my work domains, and I let out an exasperated sigh every time I realize I have to get my phone out

Axolotl_cpp@feddit.it on 29 May 19:32 collapse

Since a QR code is just made of squares, it can be very, very tiny

1 square = 1 pixel

HeHoXa@lemmy.zip on 29 May 20:32 collapse

Out of curiosity:

  • version 1: 21x21
  • version 10: 57x57
  • version 20: 97x97
  • version 40: 177x177

MrKoyun@lemmy.world on 29 May 13:07 collapse

It really should be illegal to build systems that require a user’s access to any unrelated technology. You shouldn’t be forced to have a phone to pay a parking fee or to get on the bus. You shouldn’t need an app to charge your car. You shouldn’t need to use proprietary software from one specific company to pass a captcha on a random site.

Thorned_Rose@sh.itjust.works on 29 May 14:01 next collapse

I mostly use my phone (Pixel with GrapheneOS) as a dumb phone + calendar. But by far the biggest number of apps I have to have on it are the fucking car charger apps.

explodicle@sh.itjust.works on 29 May 16:44 collapse

Great, another shill for banknote technology. /s

DeuxChevaux@lemmy.world on 28 May 19:50 next collapse

Looks like a very good way to shoo actual humans off of your website.

Prove_your_argument@piefed.social on 28 May 21:32 collapse

Sorry, my faith in users is basically zero. These dummies will go to websites that tell them to copy code and run it with win+r. They’re morons and will do anything if a website promises them something.

dajoho@sh.itjust.works on 04 Jun 12:23 collapse

Unfortunately true for a lot of people, but what’s the solution?

Prove_your_argument@piefed.social on 04 Jun 15:41 collapse

At work? Crowdstrike is kind of the training wheels for people who don’t want to use application whitelisting or group policy that disables users running various terminals.

Training isn’t the answer, because training is basically an industry propped up by knowbe4 from convincing cybersecurity insurance that it’s the right thing. We do training where I work and everyone falls for the same old shit, raise information, pay information, promotion information and performance review content. Doesn’t matter how many indicators of compromise are hidden in the message, but they’ll gladly just keep clicking along or running code that is prompted because the desire sensor overrides the training.

Anywho, nowadays not giving users admin rights is simply not enough. The script creating people often know how to use privilege escalation exploits without issue to gain control even when a user can’t. Really need a tool that can detect behavior and block it, or lock the system down somehow.

Reverendender@sh.itjust.works on 28 May 19:50 next collapse

One more reason to not use google anything

comrade_twisty@feddit.org on 28 May 20:17 collapse

This will be used on sites like Experian, Chase, IRS, DMV, etc. It’s a way to track and deanonymize everyone.

Melobol@lemmy.ml on 28 May 19:52 next collapse

Is an android emulator able to bypass this? Just curious - I haven’t started the degoogle process.

cypherpunks@lemmy.ml on 28 May 19:57 collapse

I would guess not, given the other recent news about degoogled Android devices also being unable to pass reCAPTCHA.

comrade_twisty@feddit.org on 28 May 20:15 collapse

Yeah, it requires a phone that Google can positively identify and connect to a real name / google account somehow.

Graphene OS won’t work, so this is a non starter for me. Any website using this will simply cease to exist in my eyes.

cypherpunks@lemmy.ml on 28 May 20:43 collapse

Any website using this will simply cease to exist in my eyes.

as i wrote in another recent thread on this topic:

for some reCaptcha-using websites there actually aren’t alternatives. eg many governments, healthcare providers, public utilities, etc are using it :(

comrade_twisty@feddit.org on 28 May 20:44 collapse

In that case I am blind for government purposes. They have to accommodate me somehow.

themeatbridge@lemmy.world on 28 May 19:52 next collapse

No.

perdidonavida@mstdn.party on 28 May 20:03 next collapse

@cypherpunks the mere idea of requiring a device to use another is absurd. This should be illegal

bravesilvernest@lemmy.ml on 28 May 20:08 next collapse

Nice captcha. Would be a shame if someone intentionally injected malicious code that had users scan a QR code under the guise of security.

HeyThisIsntTheYMCA@lemmy.world on 29 May 07:19 collapse

And had the qr code rickroll them, because that’s really a good song and dude got pipes

vk6flab@lemmy.radio on 28 May 20:09 next collapse

The word you’re looking for is … abomination.

Zerush@lemmy.ml on 28 May 20:29 next collapse

A good way to force the user to use Google-controlled devices and to download Google services for more control by Google. Also a good way for the user to show the middle finger to Google, using alternatives.

Chulk@lemmy.ml on 28 May 20:40 next collapse

Who owns the implementation of this? Is this something that websites opt into and add to their own site? Or is this something that Google injects when you’re clicking a search result on Google?

cypherpunks@lemmy.ml on 28 May 20:57 collapse

Is this something that websites opt into and add to their own site?

Yes.

reCAPTCHA is google’s “anti-abuse” service which many websites use to ~~prevent~~ slightly increase the cost of operating automated crawlers (which somewhat ironically google operates one of the largest of itself, for their search engine).

Before neural networks could solve CAPTCHAs reliably, spammers were solving them with human labor; solving services like anti-captcha.com (intentionally not a clickable link…) today use a mixture of automated and human solvers.

In the future google is apparently building, solving services will need farms of able-to-run-a-recent-android-release mobile devices with some kind of trusted computing hardware, each one of which they’ll have to use sparingly enough to keep usage of its unique ID under some plausibly-human threshold.

And even if you do have a phone and are willing to identify yourself with it, if it is too old to run a recent enough Android you also will sometimes be denied services for being unable to pass a robots’ “human” test.

🤮

pwxd@lemmy.zip on 28 May 20:56 next collapse

Oh boy! Another way to fingerprint your devices! Scammers are sleeping good tonight with these new verifications

wizardbeard@lemmy.dbzer0.com on 28 May 23:36 collapse

More importantly, to link multiple device fingerprints to a single identity.

akilou@sh.itjust.works on 28 May 20:57 next collapse

Many humans don’t have smart phones

nutomic@lemmy.ml on 28 May 21:27 next collapse

If you don’t have a smartphone are you truly human? /s

kilgore_trout@feddit.it on 28 May 22:24 next collapse

So those humans will go buy the cheapest they can find which is, surprise, Android + Google Play Services.

leadore@lemmy.world on 29 May 00:47 next collapse

So those humans will go buy the cheapest they can find

Hell no I won’t.

Adderbox76@lemmy.ca on 29 May 01:04 collapse

No. More likely those people just won’t visit that website and will very easily get the information that they were looking for from the next link down on the search results.

Google are fucking idiots if they think otherwise.

antonim@lemmy.world on 29 May 05:05 collapse

the next link down on the search results

Assuming we’ll have that at all or just AI summaries replacing the results.

Captainautism@lemmy.dbzer0.com on 29 May 05:17 collapse

There are several superior search engines to Google.

antonim@lemmy.world on 29 May 10:54 collapse

I kind of doubt that even when it comes to English, and for smaller languages i’m sure that there’s still no serious competition to Google.

Doomsider@lemmy.world on 29 May 06:28 collapse

Yup, and they are being cut out of society every day. Just losing your phone or even breaking it can be a figurative death sentence. Want to check your email from another device? Did you set up 2 factor with your phone?

Yeah sorry, can’t access your email.

chunes@lemmy.world on 29 May 20:25 collapse

I’m at the point where I’m fine with it. If you want to cut me out for such a silly reason, I don’t want to be included in your dumb thing. I’ll find an alternative that treats me with respect.

RobotToaster@mander.xyz on 28 May 21:19 next collapse

There’s no way this is ADA compliant.

SnotFlickerman@lemmy.blahaj.zone on 28 May 21:44 next collapse

With the way the Trump admin is going I’m surprised they haven’t totally dismantled the ADA already.

K3LOE@lemmy.radio on 28 May 23:05 collapse

Clicking the headphone icon to hear the audio option is the way to bypass this if you get one.

gnuthing@lemmygrad.ml on 29 May 01:31 next collapse

Be prepared for an audio qr code that requires a special app to decode

RobotToaster@mander.xyz on 29 May 09:07 collapse

For now, yes.

Although having tried to use the audio recaptcha before, it felt like a psychotic episode.

K3LOE@lemmy.radio on 29 May 13:13 collapse

Yes, I don’t use them regularly but the audio captchas don’t have a good reputation among blind users.

adarza@lemmy.ca on 28 May 21:41 next collapse

what do the Visual 👁 and Audio 🎧 options look like?

cypherpunks@lemmy.ml on 28 May 22:10 collapse

The visual option is the normal reCAPTCHA (eg) and the audio option is the (quite difficult) thing they’ve been subjecting blind people to for years. Presumably they will keep offering desktop users these options (at least in many/most cases) for a long time still; this new phone-required extra-invasive CAPTCHA is just a hint of where they’re heading. (But already it is apparently actually required for Android users in some cases: reclaimthenet.org/google-broke-recaptcha-for-de-g… …)

adarza@lemmy.ca on 28 May 22:30 next collapse

if the old ways are still available, the bad guys can use 'em too… so this new thing is just to get people ‘used to’ the idea of an anal probe for verification before actually forcing it on everyone.

North@lemmy.org on 29 May 11:59 collapse

I bet this will be removed soon.

OldChicoAle@lemmy.world on 28 May 21:47 next collapse

I hate that it’s my responsibility to protect your system from infiltration.

eleijeep@piefed.social on 28 May 21:50 next collapse

If you haven’t already divested from Google and its related services then now is the time.

umbrella@lemmy.ml on 29 May 00:34 collapse

problem is their captchas are used outside their shitty ecosystem too

traceur402@lemmy.blahaj.zone on 29 May 00:55 collapse

Not if this abuse finally succeeds in driving away other peoples’ customers. Captcha losing people money makes captcha go bye bye

umbrella@lemmy.ml on 29 May 01:26 collapse

i have a feeling normies will begrudgingly accept it, and retroactively justify it with some security bullshit google puts out.

RodgeGrabTheCat@sh.itjust.works on 28 May 22:07 next collapse

Without a google account there will be many sites I can’t visit. I’ll look at such sites the same way as I look at paywalled sites.

ComradePedro@lemmy.ml on 29 May 01:14 collapse

It is a paywall, you just pay with your data. Except Google gets the revenue and not the website so maybe a second paywall will be “necessary”

Ozymati@lemmy.nz on 28 May 22:16 next collapse

This is going to work just amazingly well with AI moderation, faceborg style.

tjoa@feddit.org on 28 May 23:56 next collapse

I know it has been said already but how stupid is it to teach users the pattern of randomly scanning QR codes. So ironic given that reCaptcha is for security in some sense.

gladflag@lemmy.ml on 29 May 00:51 next collapse

It’s not for your security :(((

freedickpics@lemmy.ml on 29 May 01:34 next collapse

It’s the same with ID verification. For your safety you need to start giving random websites your drivers license or passport…

SolarMonkey@slrpnk.net on 29 May 03:45 collapse

I had a site I was gunna buy stuff from ask me for a video selfie to “prove” I was over 21.

First of all, I wasn’t buying anything controlled, so that’s ridiculous over-reach, and second of all LOL FUCK NO I’m not giving you, some random-ass e-commerce site, my fucking biometric data. That’s absolutely insane.

Needless to say, I blocked that site on my pihole, so it no longer exists to me as an option. Sent them a message letting them know they lost a rather substantial sale from that shit. I’ll do that for absolutely every one, same with ID or whatever else. I could just use the tricks kids use, but that still rewards them for this bullshit with money.

I’ll just stop using the internet if it becomes a thing everywhere. It’s not really worth being on anymore, for the most part, anyway.

freedickpics@lemmy.ml on 29 May 12:44 collapse

I don’t blame you. Personally I get more satisfaction from using fake IDs or directing a video selfie thing to a video game character etc or finding some obscure bypass to whatever bullshit they throw at me. That way I still get what I want from the website and they get nothing of value from me, lmao.

Axolotl_cpp@feddit.it on 29 May 19:37 collapse

Can you explain to me how I can direct the selfie thing to an image I have on my computer? I didn’t find anything and ya seem to know something

freedickpics@lemmy.ml on 30 May 02:11 collapse

Depends what device you’re using. I’ve only done it on a desktop using apps like CamTwist

[deleted] on 29 May 01:36 next collapse

.

Scrollone@feddit.it on 29 May 08:14 collapse

It’s called the boiling frog effect.

Thordros@hexbear.net on 29 May 00:07 next collapse

Can I just drink the Verification Can, or do I need to stand up and shout, “MCDONALD’S®!”

Sir_Kevin@lemmy.dbzer0.com on 29 May 00:30 next collapse

<img alt="" src="https://lemmy.dbzer0.com/pictrs/image/9cfa6e90-ae02-4169-b1ea-082e7f49c4a1.webp">

vapordays@leminal.space on 29 May 03:55 collapse

<img alt="" src="https://leminal.space/pictrs/image/5d472cef-b75b-4bca-bf95-4a9a98bd8df0.gif">

leadore@lemmy.world on 29 May 01:01 next collapse

OK dumb question but I don’t have a smartphone, so: You’re browsing the web on your phone and this pops up. It says “Use your phone’s camera app to scan this QR code”. So obviously a phone’s camera can’t scan its own screen. And if you switch to the camera app the QR code is no longer on the screen anyway. So how does your phone’s camera app read the QR code? Does it have a button to click and give you 5 seconds to go to the screen that’s showing the code or what?

Tinks@lemmy.world on 29 May 01:15 collapse

Presumably the QR code captcha doesn’t trigger when the browser detects it’s a mobile device. This is for browsing on desktop, then verifying with your separate mobile device

lemmy_get_my_coat@lemmy.world on 29 May 02:08 next collapse

Looks like I know what to change my browser’s User Agent to then!

HeyThisIsntTheYMCA@lemmy.world on 29 May 08:19 collapse

Netscape navigator 3.0?

leadore@lemmy.world on 29 May 02:14 collapse

Oh thanks, I guess I should have read the title a little more closely!

Adderbox76@lemmy.ca on 29 May 01:02 next collapse

Any website that chooses to use this service will simply not get my traffic. If enough people feel the same, those websites will lose clicks and eventually tell Google to pound sand.

Imagine the utter hubris on these fuckers to think that people will get a google device just to access a website.

Or to think that an average user sitting at home would run to another room to grab their phone so they can verify themselves on the desktop just to visit blackcougar.com

Mr_Wobble@thelemmy.club on 29 May 01:12 next collapse

You want me to scan a QR code to log onto your fuckin’ website?! <img alt="" src="https://thelemmy.club/pictrs/image/4431f5fd-039e-425a-801d-e48036380eed.png">

Adderbox76@lemmy.ca on 29 May 01:15 collapse

I was wondering how long it would take for someone to get the reference. It’s a pretty old episode.

DFX4509B@lemmy.wtf on 29 May 02:59 next collapse

They’re using the fact that everyone else both already owns a Google or iOS device, and does everything on those devices, to punish desktop and alt mobile OS users.

The fact that this is going on right as AluminumOS is down the pipes, and right as rigged parts prices threaten to kill desktops as an option to begin with makes this especially sus.

The way things are going right now, I won’t be surprised if we see a computing future where you’re either on a Google or Apple-controlled device, or you’re on a thin client tied to a cloud subscription, and you won’t own your tech anymore.

Bezos’ ‘Give up your PC and rent from our cloud’ threat is sounding less and less like a threat and more and more likely to become reality.

quips@slrpnk.net on 29 May 08:02 collapse

Have you been paying attention to the open source community at all? We have made this future impossible.

explodicle@sh.itjust.works on 29 May 16:41 collapse

Right now we can share a lot of infrastructure.

ayyy@sh.itjust.works on 29 May 18:04 collapse

1 year later

Government website you have to use to pay your water bill: “Confirm you are a human…”

Adderbox76@lemmy.ca on 29 May 20:17 collapse

I either use my banking website or go into city hall clerks office to pay it in person. I’ve never once had to go to the actual government website. It’s an option, but not mandatory.

DFX4509B@lemmy.wtf on 29 May 02:26 next collapse

How soon before reCAPTCHA-encumbered sites are blocked on desktops entirely unless you’re on ChromeOS or the upcoming AluminumOS?

spicehoarder@lemmy.zip on 29 May 02:32 next collapse

That’s it. JavaScript was a mistake. Time to go back to HTML only pages

BlueberryWalnut@sopuli.xyz on 29 May 02:35 next collapse

This? This is the JavaScript straw that broke your back?

who@feddit.org on 29 May 07:23 collapse

Are you implying that Spice Hoarder is a camel?

spicehoarder@lemmy.zip on 29 May 14:33 collapse

I can neither confirm nor deny these claims

Mensh123@lemmy.world on 29 May 08:53 next collapse

I mean, you can do this flow without JavaScript: The server renders a QR code and sends it in a static web page and on Android, you register a URL handler to do the rest of the flow.

explodicle@sh.itjust.works on 29 May 16:35 collapse

obligatory NoScript advertisement

BradleyUffner@lemmy.world on 29 May 02:35 next collapse

No malicious site would ever fake this kind of flow in order to get someone to scan a dangerous QR code. Nope, that would never happen.

Scrollone@feddit.it on 29 May 08:13 collapse

It’s already happening. They tell you to scan a QR code that links to a website where they ask you to log in with your Google account (but it’s just a phishing page).

Good job Google!

Sauvandu60@lemmy.ml on 29 May 02:51 next collapse

I had encountered this terrible captcha before. I just refresh the page until the old captcha appears.

Little1Lost@gehirneimer.de on 29 May 11:41 collapse

there are options at the bottom of the panel

d3lta19@lemmy.ca on 29 May 15:00 collapse

For now

FauxLiving@lemmy.world on 29 May 03:11 next collapse

Absolutely not

RagingNerdoholic@lemmy.ca on 29 May 04:52 next collapse

Fuck absolutely everything about this.

antonim@lemmy.world on 29 May 05:11 next collapse

  1. Hype up AI.

  2. Everyone starts scraping the internet to obtain training data for their AI.

  3. To block the scrapers, countless sites implement stricter bot detection tools.

  4. The owners of the bot detection tools now effectively hold all of the internet by its throat, deciding who can access what and extorting more and more data from you to verify you’re human.

Fucking genius.

MyVeryRealName@lemmy.world on 29 May 07:48 next collapse

You can always build more bot detection tools, right? Or am I wrong?

explodicle@sh.itjust.works on 29 May 16:32 collapse

  1. Crypto comes out of nowhere with a steel chair and now we have to pay websites for access.

Etterra@discuss.online on 29 May 05:28 next collapse

<img alt="" src="https://discuss.online/pictrs/image/9798a412-8fd2-4501-8d98-fda329401766.jpeg">

uriel238@lemmy.blahaj.zone on 29 May 05:44 next collapse

Verifying you have a phone doesn’t verify that you’re human.

MyVeryRealName@lemmy.world on 29 May 07:47 next collapse

How so?

Glytch@lemmy.world on 29 May 08:02 next collapse

Android emulators exist and are usable by bots.

MyVeryRealName@lemmy.world on 29 May 08:05 collapse

So they SS the QR code, scan it and continue?

boonhet@sopuli.xyz on 29 May 08:57 next collapse

May have to stream a video of the screen into a scanner app, but shouldn’t be difficult anyway.

One of the forms of digital ID in use in my country now has a new way to use it, which the government websites use now. You always needed a mobile device for this one anyway (phone holds the private keys and you have to enter the PIN 1 or PIN 2 depending on whether you’re authenticating or authorizing something), but it used to be that you could enter your ID code and get prompted for the PIN (with a verification number to make sure you’re responding to the prompt you think you’re responding to), now it’s either on-device from the default browser to the app, OR on desktop you have to scan a QR code that’s a moving target, it changes a couple of times a second so you couldn’t send a screenshot to someone else to scan. This is meant to prevent scams where someone gets you to just enter your PIN over a phone call.

I don’t know if the google thing is similar though or if it’s a static QR there.

520@lemmy.zip on 29 May 09:48 collapse

Something like that. Emulators also give the ability to emulate cameras using pictures or video feeds.

They just need to set up a Google play equipped emulator, set the picture as simulated camera input and put in the inputs to the emulator (also automatable)

MyVeryRealName@lemmy.world on 29 May 13:26 collapse

Sheesh

Renat@szmer.info on 29 May 08:06 collapse

My cat once jumped on the keyboard and wrote “ghfhghgghhfjgfhf” on Discord chat. The first non-human with access to a computer.

postman@literature.cafe on 29 May 08:30 next collapse

Discord?! Computers are a lot older than Discord! Cats have been jumping on keyboards since forever.

MyVeryRealName@lemmy.world on 29 May 13:28 collapse

Well, I doubt your cat could scan QR codes

IratePirate@feddit.org on 29 May 09:35 collapse

Just like Recaptchas haven’t been a challenge to bots for a long time. Still, we had to deal with this shit. Makes you wonder if it’s just a stupid fucking pretext… 🤔

AfricanExpansionist@lemmy.ml on 29 May 12:27 collapse

Isn’t it training for AI and automated cars?

IratePirate@feddit.org on 29 May 17:38 collapse

Used to be, yeah. But this part of computer vision has been a solved problem for a while now. Captchas still remained for the sole purpose of annoying the living fuck out of people like you and me. Well, until Google figured out Captchas could be weaponised for (gestures) whatever this is.

Renat@szmer.info on 29 May 08:04 next collapse

I once saw a fake captcha scam that required scanning a QR code to infect the device. It looks exactly like that.

lemmylump@lemmy.world on 29 May 17:20 collapse

I once made QR code stickers that placed people on a website warning them to stop trusting QR codes.

I spent a year traveling and everywhere I saw a QR code my sticker QR code went over it.

You target the right locations and spoof the website and you can get credit card, phone, email, address. Scan this QR code for 20% off blah blah blah.

Do use them.

Buckshot@programming.dev on 29 May 17:58 next collapse

Noticed parking meters here have prominent labels now stating they do not use QR codes. I’m sure that’s just providing the spot to put the scam QR code, but it’s better than nothing.

ayyy@sh.itjust.works on 29 May 18:02 collapse

Sign: “Scan here for a trail map”

lemmylump: “I better vandalize this. Guys I’m tooootally helping people.”

formlessoedon@lemmy.ml on 29 May 08:27 next collapse

On the bright side, this means they are really worried that privacy practices such as those popular among the Lemmy crowd can make their surveillance expensive or maybe even impractical at scale, rather than profitable. I’m never sure if it’s working, with firmware and all. Almost a good sign? Am I deluded?

0_o7@lemmy.dbzer0.com on 29 May 12:02 next collapse

We are making side loading harder because scammers are using “these” tactics to install malware on your devices.

It’s totally fine when we use the same tactics to install malware on your device.

Quill7513@slrpnk.net on 29 May 17:20 collapse

malware is bytecode Google didn’t approve of. when google spies on you, that’s just “legitimate interest”

the_riviera_kid@lemmy.world on 29 May 13:57 next collapse

LOL, fuck off. How about instead I move on to somewhere less hostile toward the user instead?

osanna@lemmy.vg on 29 May 15:24 next collapse

aaaaaand tab closed.

DarrinBrunner@lemmy.world on 29 May 18:14 collapse

This is the only way to stop it. We must refuse to use it. All they watch is the numbers.

I bought a thing from Walmart using pickup for the first time, because the thing was “low stock”, and I didn’t want to drive there if they didn’t have it. I get the email that it’s ready, and they want me to download their stupid app to confirm. Fuck that, I went to the store, knowing I had a backup option, and found the last one of the thing on the shelf and bought that instead. Although, apparently the sign at the parking spot has a phone number you can call to let them know you’ve arrived–no mention of that option in the email.

curious_dolphin@slrpnk.net on 30 May 12:04 collapse

Walmart’s curbside pickup workflow can be done entirely within the mobile site, even the arrival/parking step (w/o having to call the number).

ef9357@lemmy.world on 29 May 15:32 next collapse

Just another reason to not use Google.

MalReynolds@slrpnk.net on 29 May 18:14 next collapse

FWIW I’ve found passing it through my local SearxNG usually gives me a clean path to the content. But it’s seriously worrying that some of the blocked content is publicly available science (e.g. PMC Bioinformatics). But that should not be necessary, at this point a search engine should be a public resource. Fuck Google.

DarrinBrunner@lemmy.world on 29 May 18:17 next collapse

I still won’t order online from a store that won’t show me shipping cost without a full address and phone number. I’ll give them the zip code, that’s all they need, that’s all they get before I decide.

itsjustachairmary@lemmy.world on 29 May 19:39 next collapse

I got one of these. They had accessibility options so I just did the auditory one. It says a couple words, you write them out, and you’re done. Like hell am I using a phone for this shit.

WhyDoYouThinkThat@lemmy.world on 29 May 19:58 next collapse

to prove you’re human, enter your credit card number

ghodawalaaman@programming.dev on 30 May 11:40 collapse

your pin, cvv and expiry date too, which confirms you are actually human

SCmSTR@lemmy.blahaj.zone on 29 May 20:06 next collapse

Nah. Block all fingerprinting. You don’t need any of this crap.

motruck@lemmy.zip on 29 May 22:39 next collapse

Everyone needs to fail the test over and over again until they fall back to their non-we want to fuck everyone over even more world.

BillCheddar@lemmy.world on 29 May 22:45 next collapse

…just use a different website?

calmblue75@lemmy.ml on 30 May 12:07 collapse

As easy as eating cake.

thebardingreen@lemmy.starlightkel.xyz on 29 May 23:43 next collapse

<img alt="" src="https://lemmy.starlightkel.xyz/pictrs/image/ef938676-ca86-4126-b2af-ab52b6dd646d.gif">

dajoho@sh.itjust.works on 04 Jun 12:09 collapse

This is step one.

Step two is id verification via play services before you’re even allowed to scan the QR code.

This is going to erode privacy as we know it on the internet and I can’t see any feasible escape.