cross-posted from: https://lemmy.ml/post/47972724
i encountered this for the first time today while attempting to read something on archive.today.
i confirmed that decoding the qrcode using a computer and following the URL it contains is insufficient; the error it gave directed me here which is what the linked screenshot is of.
the old type of captcha remains available too, for now:
deleted by creator
-
People without a mobile device are fucked out of being able to pass a captcha
-
As if this isn’t a way for them to associate multiple sessions on multiple specific devices with one another, this is just another avenue for data collection, period. Hidden under the guise of “more secure.”
The point with captchas is not really that bots can’t pass them, more that its too expensive to pass them consistently with a hurtfully large enough volume of bots.
I’d heard of this strategy, like making it perform some kind of costly encryption that’s irrelevant to a human user but restrictively expensive for a bot army.
But does decoding a QR code apply? I never really thought about it. I guess it’s an image, it’s at least a little big by comparison… but it’s also in a restricted, easy to capture spot and maybe could be minimized to a fairly small pixel set? Idk how many key pixels you need to parse a QR code… I guess I could Google
*typo bit --> bot and bit --> big… I’m full of bit
I don’t know much about this new captcha system, but I feel like the challenge wouldn’t really be in the scanning of the qr code itself but more so on making the device you’re scanning with seem legitimate. They could check usage patterns, what apps are installed, how many accounts are added and are they actively used, location and sensor data, are the hardware specifications really unusual, are they constantly trying to complete random captchas… Stuff like that to tell apart a real user’s device from a bot or sandbox. The QR Code is probably just a random ID for which captcha instance the user is trying to pass.
Also I just realised this but this is probably inconvenient as hell. Like I do NOT want to constantly be picking up my phone to scan QR codes when I’m trying to go around the Internet. What if my phone is on the other side of the house? I don’t want to get up and walk all the way over there! If this gets fully rolled out there may actually be a small dip on the amount of desktop users of websites because they just leave when they are hit wth this captcha instead of bothering to scan a code.
Since a QR code is just made of squares, it can be very, very tiny
1 square = 1 pixel
notably, this kills any alternative to android.
not if you kill google first
🟩 🧑🔧 🪠
that’s plan A
You don’t have to drink a verification can, but you do need to buy a verification phone.
Captcha has been one of the greatest google acquisitions ever.
They acquired it under the guise of improving OCR and have since morphed it into an AI data farm (how else is google lens gonna know what objects are what?) and now total insight into a users every single action from desktop to mobile, tying it all together into a surveillance nightmare.
I can guess the permissions that the recaptcha app needs now. Probably something akin to root access with all datapoints and considerations you could think of.
How would that teach Lens to recognise anything other than motorcycles and traffic lights really well?
I’ve had many, many not traffic light and motorcycle/bicycle recaptchas. They’re probably leaning a bit into self driving learning the past few years.
Lens has a lot more data points nowadays after everyone’s google photos was used for training for what, 10+ years at this point?
Google harvested all human typed words 15 years ago with the google library project. They’ve been hoarding and processing data for models forever.
I used to always add one incorrect tile and skip one correct tile.(It would still pass)
I thiught I was such a rebel lol
Then I figured, they’d be stupid if they didn’t show the same image to multiple people…
i have one. but it isn’t android, or ios, or ‘smart’ in any way. it doesn’t even text. it’s just a telephone that fits in my pocket and connects to the cellular networks. it’s all i want. it’s all i use. it’s all i’ve needed ever since i got my first one about 25 years ago.
Don’t worry you’re included. Simply visit one of our Accessibility Centers between 8am-9am on odd Wednesdays, with a valid birth certificate, filled-out form from here, and a notarized Charizard.
Same! Except mine does do SMS text and has the other flip phone stuff like alarms, timer, calendar.
I imagine scammers are already thinking of ways to use this for phishing too
It really should be illegal to build systems that require a user’s access to any unrelated technology. You shouldn’t be forced to have a phone to pay a parking fee or to get on the bus. You shouldn’t need an app to charge your car. You shouldn’t need to use proprietary software from one spesific company to pass a captcha on a random site.
I mostly use my phone (Pixel with GrapheneOS) as a dumb phone + calendar. But by far the biggest number of apps I have to have on it are the fucking car charger apps.
-
Many humans don’t have smart phones
If you don’t have a smartphone are you truly human? /s
Yup, and they are being cut out of society everyday. Just losing your phone or even breaking it can be a figurative death sentence. Want to check your email from another device? Did you set up 2 factor with your phone?
Yeah sorry, can’t access your email.
I’m at the point where I’m fine with it. If you want to cut me out for such a silly reason, I don’t want to be included in your dumb thing. I’ll find an alternative that treats me with respect.
So those humans will go buy the cheapest they can find which is, surprise, Android + Google Play Services.
No. More likely those people just won’t visit that website and will very easily get the information that they were looking for from the next link down on the search results.
Google are fucking idiots if they think otherwise.
the next link down on the search results
Assuming we’ll have that at all or just AI summaries replacing the results.
There are several superior search engines to Google.
I kind of doubt that even when it comes to English, and for smaller languages i’m sure that there’s still no serious competition to Google.
So those humans will go buy the cheapest they can find
Hell no I won’t.
Looks like a very good way to shoo actual humans off of your website.
Sorry, my faith in users is basically zero. These dummies will go to websites that tell them to copy code and run it with win+r. They’re morons and will do anything if a website promises them something.
deleted by creator
At work? Crowdstrike is kind of the training wheels for people who don’t want to use application whitelisting or group policy that disables users running various terminals.
Training isn’t the answer, because training is basically an industry propped up by knowbe4 from convincing cybersecurity insurance that it’s the right thing. We do training where I work and everyone falls for the same old shit, raise information, pay information, promotion information and performance review content. Doesn’t matter how many indicators of compromise are hidden in the message, but they’ll gladly just keep clicking along or running code that is prompted because the desire sensor overrides the training.
Anywho, nowadays not giving users admin rights is simply not enough. The script creating people often know how to use privilege escalation exploits without issue to gain control even when a user can’t. Really need a tool that can detect behavior and block it, or lock the system down somehow.
Is an android emulator able to bypass this? Just curious - I haven’t started the degoogle process.
I would guess not, given the other recent news about degoogled Android devices also being unable to pass reCAPTCHA.
Yeah, it requires a phone that Google can positively identify and connect to a real name / google account somehow.
Graphene OS won’t work, so this is a non starter for me. Any website using this will simply cease to exist in my eyes.
Any website using this will simply cease to exist in my eyes.
as i wrote in another recent thread on this topic:
for some reCaptcha-using websites there actually aren’t alternatives. eg many governments, healthcare providers, public utilities, etc are using it :(
In that case I am blind for government purposes. They have to accomodate me somehow.
Nice captcha. Would be a shame if someone intentionally injected malicious code that had users scan a QR code under the guise of security.
And had the qr code rickroll them, because that’s really a good song and dude got pipes
So Linux users are fucked?
No; they said you can use Android.
So, throw an android image into a virtual machine?
don’t forget to sign-in to the google account you want the ‘protected’ web site visit logged to.
It needs Google play services on a play integrity passing device
Seems a little round-about. But if you want, I guess you could do that for some reason.
Do you not understand why people don’t want to link their mobile to every website they visit?
I absolutely do, but Linux-or-not has nothing to do with that.
Android ≠ Linux
Android is based on a modified version of Linux, and owned by Google. Linux is independent.
Android is Linux. Not all Linux systems are Android, but all Android systems are Linux.
It’s not necessarily helpful to those on desktop Linux, but it is Linux if someone wants to be a purist about which operating systems run on their hardware.
First of all, Android is an operating system, and Linux is a kernel. OS ≠ Kernel.
Second of all, it’s not even the generic Linux Kernel. It is heavily modified by Google LLC.
@cypherpunks the mere idea of requiring a device to use another is absurd. This should be illegal
Who owns the implementation of this? Is this something that websites opt into and add to their own site? Or is this something that Google injects when you’re clicking a search result on Google?
Is this something that websites opt into and add to their own site?
Yes.
reCAPTCHA is google’s “anti-abuse” service which many websites use to
preventslightly increase the cost of operating automated crawlers (which somewhat ironically google operates one of the largest of itself, for their search engine).Before neural networks could solve CAPTCHAs reliably, spammers were solving them with human labor; solving services like
anti-captcha.com(intentionally not a clickable link…) today use a mixture of automated and human solvers.In the future google is apparently building, solving services will need farms of able-to-run-a-recent-android-release mobile devices with some kind of trusted computing hardware, each one of which they’ll have to use sparingly enough to keep usage of its unique ID under some plausibly-human threshold.
And even if you do have a phone and are willing to identify yourself with it, if it is too old to run a recent enough Android you also will sometimes be denied services for being unable to pass a robots’ “human” test.
🤮
One more reason to not use google anything
This will be used on sites like Experian, Chase, IRS, DMV, etc. It’s a way to track and deanonymize everyone.
No.
Oh boy! Another way to fingerprint your devices! Scammer are sleeping good tonight with these new verifications
More importantly, to link multiple device fingerprints to a single identity.
The word you’re looking for is … abomination.
A good way to force the user to use by Google controlled devices and to download Google services for more control by Google. Also a good way that the user show the middle finger to Google, using alternatives.
If you haven’t already divested from Google and its related services then now is the time.
problem is their captchas are used outside their shitty ecosystem too
Not if this abuse finally succeeds in driving away other peoples’ customers. Captcha losing people money makes captcha go bye bye
i have a feeling normies will begrundingly accept it, and retroactively justify it with some security bullshit google puts out.
