News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • ReCaptcha makes its appearance

    Posted on Ascaris Comment on the AskWoody Lounge

    Home Forums Outside the box The Junk Drawer ReCaptcha makes its appearance

    This topic contains 12 replies, has 8 voices, and was last updated by

     DriftyDonN 2 months, 3 weeks ago.

    • Author
      Posts
    • #945376 Reply

      Ascaris
      AskWoody_MVP

      I just saw the ReCaptcha thing for the first time on AskWoody.com, and immediately I was concerned.  My browser is set to delete cookies early and often, so nearly all of the browsing of AskWoody.com I do is anonymous.  I sign in before I make a post, at least in theory.  I’ve managed to post anonymously by accident on many occasions, though, as all it takes is for that addon to delete the cookies and… not signed in anymore!

      The ReCaptcha, thus, was showing for the anonymous post function, but the thing has been spreading like a virus lately.  I’m seeing ReCaptchas on a host of sites upon which I never saw them before.  So I signed in and, thankfully, no ReCaptcha on sign-in or to post while signed in.  Whew!

      The problem with these things is that I cannot solve them.  I don’t know what they did in the last couple of months, but I either succeed only after many, many retries (takes several minutes) or I am told after all that haranguing that they can’t be sure I am not a bot, so go away.

      I don’t know what the deal is.  They seem to be really focusing on crosswalks, cars, buses, motorcycles, and traffic lights now (happy to help for free with your AI training for your self-driving car program, Google… not).  I check off all the ones with buses, study it carefully to make sure, then click the button to accept it, and it tells me “please try again” and gives me another one.  I have no idea what I am supposed to be doing, but I do not see any buses, crosswalks, etc., in those super grainy excuses for pictures.

      I remember reading about the new “no Captcha ReCaptcha” the tech press breathlessly told us we’d soon have, but I’ve never seen it.  Of course, when you know how it works, it’s obvious why it doesn’t work for me.  Their “no Captcha” thing is based on allowing Google to track you.  If they track you and they like what they see in the results of that tracking, you’re not given a challenge.  On the other hand, all of my cookies get deleted dozens of times a day, certainly before and after using Google for anything.  I’m also using Waterfox, and we’ve already seen the articles about how Google artificially downgrades their services for people not using Chrome, in what appears to be a blatant violation of antitrust law.

      I recently read a presentation made by someone at one of the black hat conferences describing how he made a bot that can break Google ReCaptchas, and he said that one of the things that adds to the suspicion level is any browser that is out of date.  Well, Waterfox is based on Firefox 56, which is seriously out of date, and banks all over the place complain about that even though it’s not Firefox and is fully patched (all of Mozilla’s security patches backported).  The banks are basing that “out of date” on their misuse/misassessment of the  useragent string.  It’s not supposed to be used to decide whether someone should be allowed to access your site– at best, it should only be used to get an idea of what the browser is able to render, and even that’s considered bad practice.

      I can change the useragent for Google domains, but the presentation says that useragents that disagree with the actual browser are another suspicion-adding thing, so it is able to grok out that it’s not actually Chrome, even if I change the useragent to say it is.  If I change it to say it’s a newer Firefox than what it actually is, I wonder what effect that will have.

      All of this means, apparently, that I am at the maximum suspicion level, and I get the hardest challenges.  Which would be fine, of course, if they were not so hard that I am incapable of solving them.  Are they supposed to determine whether I am a bot or just deny me access completely?  I’m reasonably intelligent, and I know what a bus is, or a crosswalk, or a traffic light.  I’m most assuredly not a bot.  Even so, I have less than a 50% eventual success rate with a given login attempt, and that’s after round after round of time-consuming, insulting, frustrating puzzles that keep telling me I am wrong when I can’t possibly see how.  The success rate after just one challenge is 0%.  It never lets me in after just one.

      The audio puzzles are much easier, I think… but I only managed to get one once.  All the other times it tells me that my computer may be sending out automated requests (it’s not), so they can’t let me do the audio one to “protect other users.”  Other users of what?  The highway system?

      The way it is now on AskWoody will actually be a benefit to me, I think, as now I know I won’t enter a message anonymously by mistake with that in place.  I’m sure this was about avoiding the spam that clogs comment sections that allow anonymous, unmoderated comments, and that cause much consternation and gnashing of teeth for those that are moderated.  It’s dismaying that it has to be Google providing the captcha, using us guinea pigs to train their UI and judging us based on whether we’re being good little tracking targets, but at least I can avoid it by signing in, which is what I want to do before posting anyway.  On some other sites, I can’t even attempt to sign in without being blocked by a ReCaptcha.

      I can understand how a given site might want to block bots from attempting to break into their users’ accounts, but can they at least wait until there’s been a failed login attempt before breaking out the weapons?  I can’t even get into my account on some sites now.  Maybe this is what they do… maybe someone has always been trying to get into my account right before I log in.  As time passes and it happens each time I try to log in for weeks and months, though, that seems less and less likely.

      One of those sites that recently added a ReCaptcha on login was Newegg, of which I have been a customer for many years.  I just gave it another try now, and there was no ReCaptcha before signing in.  What do you know!

      I wonder if they responded to complaints like the one I sent them, or if there is some kind of anti-spam IP blacklist that they’re using.  I use a big ISP with a coverage area containing tens of millions of people, and the pool from which my IP is drawn is huge as well.  It’s entirely possible that someone who had my IP before I did deliberately or inadvertently (by being infected with malware) send out spam or participated in other malfeasance, but that’s the nature of ISPs.  By the time anyone blacklists a given IP, it’s very likely that the IP will belong to someone else, someone completely unconnected to the source of the spam, malware, DDOS, or whatever else.  The individual actually at fault will also have a new IP address by then, of course.

      That may have been what Newegg was doing, but other sites I use apparently just ReCaptcha everyone on every login attempt, since I’ve never seen them not have that ominous “I’m not a robot” box), or else they’ve blacklisted my entire ISP, which seems a bit heavy-handed and excessive.

      Group "L" (KDE Neon User Edition 5.16.3).

      3 users thanked author for this post.
    • #971589 Reply

      Elly
      AskWoody MVP

      And here I thought it was some combination of shaky hands and old eyes that was making it difficult for me to succeed! And I’ve never succeeded at an audio one. For my part, practice does not make perfect… and there is no recourse. I usually go rest and evaluate whether its important enough for me to try again.

      Win 7 Home, 64 bit, Group B

    • #972097 Reply

      cyberSAR
      AskWoody Plus

      I absolutely despise captchas but it is a necessary evil with all the bots and idiots on the net. Manage a website for a day or two without them and you’ll want to kill someone.

      1 user thanked author for this post.
    • #972444 Reply

      woody
      Da Boss

      I’m sure this was about avoiding the spam that clogs comment sections that allow anonymous, unmoderated comments,

      Yep. We were getting 100+ new users every day who were either spam- or bot-related, and some anonymous comments included SQL injections.

      3 users thanked author for this post.
      • #983043 Reply

        Ascaris
        AskWoody_MVP

        See, spammers?  This is why we can’t have nice things!

        I understand the need to prevent bots from doing what they do, but when I’m being challenged for simply trying to log into a website for the first time that day, or when the challenges are so hard that I can’t solve them, that’s a problem too.  This is a violation of accessibility standards… If I were a blind user, I would be completely locked out, since it always denies me the option to use the audio captchas (except one time), based on who-knows-what.  As it stands, I can eventually get let in using the visual ones, though it may take me five or more minutes.  There’s just too much about this that stinks, and it’s Google that is to blame.

        I don’t like Google decides that a person who does not allow himself to be tracked by Google is suspicious and thus deserving of these impossible captchas.  Would it really be hard for a bot writer to copy a real tracking cookie and use that to make it seem like the bot was a real user that had been tracked?

        It’s kind of like how Google intentionally downgrades their services if you use another browser.    Those two things right there show exactly why some people would like Google to be broken up… they’ve got too many fingers in too many pies.  It’s a conflict of interest for them to be the leaders in so much web content and for them to make one browser that competes with those made by companies that don’t own so much of the web.  It’s just far too convenient that they use the data they’ve gathered tracking someone across the web for their own monetary purposes to determine whether they get further hassled by ReCaptchas.  Choose not to be tracked by Google and you get punished with unsolvable Google ReCaptchas.  Choose to use Firefox and Youtube is ten times slower than it is in Chrome, with Google recently changing (with the latest redesign) to using deprecated and obsolete libraries that are still supported in Chrome, but not Firefox (which was not the case with their older site design).

        All the while, Google’s claiming they want a free and open web, don’t be evil, all that kind of thing, smiling at you as they go.

         

        Group "L" (KDE Neon User Edition 5.16.3).

        1 user thanked author for this post.
    • #976906 Reply

      OscarCP
      AskWoody Plus

      I have encountered some more picture captchas than I used to, not enough, yet, to amount to a serious problem, but annoying all the same. For some reason, I am seeing less letter and numbers captchas than I used to. I have no idea what an audio captcha is like.

      Part of the problem with picture captchas is what exactly are certain things one is supposed to click on: are the poles supporting the traffic lights, or the cables suspending them, part of the “traffic lights”? Is a tiny bit of a white stripe of a pedestrian crossing captured in one picture, counted by the captcha algorithm as part of the crossing? It should be, but is it?

      Now that this has been mentioned here, I am curious to get some very basic idea (with no telling details) of how bot’s “anonymous” comments are identified for purging, particularly when there are so many trying to get in every day that normally moderating them is not a practical option.

      • #983351 Reply

        Ascaris
        AskWoody_MVP

        That uncertainty is part of it for me too, but I’ve had a few just recently that ask me to select all the pictures with cars, and I am certain I’ve marked everything that resembles a car with the grainy pixellation they apply to make it more difficult, and then it tells me “try again” when I submit it anyway.

        Here’s one I screencapped right before I submitted it (it was wrong, of course).  Can you see any buses in the pixellated mess in any of the images?

        Group "L" (KDE Neon User Edition 5.16.3).

        Attachments:
        • #1003134 Reply

          OscarCP
          AskWoody Plus

          Ascaris: It could be that the big car or limo in the central picture is a “bus” to the software running the captcha tests. There is no law of physics that says that captchas must be always correctly setup. So: how is that for some more “uncertainty”?

           

    • #988388 Reply

      jabeattyauditor
      AskWoody Lounger

      One obvious part of the latest algorithm is timing – I find that if I identify and click on the various pictures too quickly, I’m more likely to be presented with another challenge. If I take my time between clicks (a second or two), I often manage a login with a single challenge.

      We use reCaptcha in a vain attempt to stop web scrapers from pulling down the public record data that we’d happily send to them in bulk (free) upon request. The smarter scrapers manage to get past them with far less difficulty than we do.

      1 user thanked author for this post.
    • #996109 Reply

      Lars220
      AskWoody Lounger

      The following website may be helpful:

      How to Bypass Google ReCAPTCHA Images

      I have not tried all the recommendations, #3. Use ReCAPTCHA Bypass Bots, looks interesting, if you use Firefox, or possibly FF derivatives like Waterfox (?) – maybe this ‘Add-on’ might be useful, but I have not tried it:

      https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/

      • #1003278 Reply

        OscarCP
        AskWoody Plus

        A problem I can see with trying out this add on, is that the captcha software might be wise to it and so able, somehow, to sense it is being used by you.

        Then you’ll be the unhappy recipient of “captcha rage” and never again allowed to get even close to that Web site.

        I just made up what I wrote in the last paragraph, but… you never know.

      • #1006766 Reply

        Ascaris
        AskWoody_MVP

        #1 and #3 involve using audio challenges, and it won’t let me try those.  I managed to get it to let me try it one time, and even with my hearing issues, I was easily able to solve it.  That was a while ago, and I haven’t been able to get another one since.

        Group "L" (KDE Neon User Edition 5.16.3).

    • #1008847 Reply

      DriftyDonN
      AskWoody Plus

      The following website may be helpful: https://www.maketecheasier.com/bypass-google-recaptcha-images/ I have not tried all the recommendations, #3. Use ReCAPTCHA Bypass Bots, looks interesting, if you use Firefox, or possibly FF derivatives like Waterfox (?) – maybe this ‘Add-on’ might be useful, but I have not tried it: https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/

      Buster captcha does not work with NordVPN!

       

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: ReCaptcha makes its appearance

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.