"Select every tile with motorcycles", shows an image of a single motorcycle parked on the street. Does the sliver of a tire that shows up in the bottom right tile count, or not? This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous.
"This is never clear, and I end up usually getting it wrong until they show me one that's unambiguous."
While those CAPTCHAs present a surface narrative of you having to get the problem correct, that's not how they really work. After all, it's not like they are creating those problems by hand. They're pushing the images through computers. You don't even know that what the CAPTCHA server considers correct is even close to objectively correct.
Really it's just a hook to engage you to collect a wide variety of streams to try to detect whether or not you are a human, like reaction speeds, how the mouse moves, etc. The correctness of your selection is only one small signal, and not even necessarily a large one.
The answer is, stop overthinking it. Your overthinking it is probably sending a signal that you're not a human because it's got all your timings wrong. Do what most humans do: Halfassedly click at the problem until it seems rightish and then click "Submit". Does the sliver of tire that shows up in the bottom right tile count? The human response to that question is "Who cares you dumb computer let me through to the content already", so, to maximize how human you look to the algorithm, channel your fellow human's feelings. If you feel frustrated at the CAPTCHA problem and wiggle your mouse angrily and maybe overshoot some of the squares you mean to click, so much the better and more human looking.
Interesting, I guess this explains why I can never "solve" the damn things on my desktop. I use an Ultimate Hacking Keyboard which has a mouse layer, so I control the mouse cursor with my keyboard. It means that my mouse always travels in either perfectly horizontal, perfectly vertical, or perfectly diagonal patterns, and at very different timings than a human using a traditional mouse would.
But, it pisses me off to no end that I can't use my fucking keyboard the way it is supposed to be used (which is a far superior design to the "normal" setup) to view some websites because it doesn't "look" human to the fucking server who expects me not to be a statistical outlier. As someone who has always been an outlier, I kind of hate the algorithmic future we live in and are headed even further toward. This is why we can't have nice things.
> I can't use my fucking keyboard the way it is supposed to be used (which is a far superior design to the "normal" setup)
Surely this is just your preference and the setup isn't objectively better. I can see some people prefer moving a mouse with a keyboard but they likely wouldn't be as quick/precise as people with an actual mouse.
The last time I got blocked by captcha I went through a dozen of them in a row before being told I wasn't human enough (possibly true after 30 years in IT!) and so on principle I reject all websites that include captcha. And anyway, why are we training these image recognition tools for free?
I used to have an internet connection from a small ISP that used carrier-grade NAT. Same issue. I think most of these captcha systems basically just look at IP or other reputation, and then make end-users do Mechanical Turk-style work for free.
Someday, I'm hoping some sociologists look for evidence of socioeconomic discrimination in captcha implementations.
In my experience, performing the exact same actions with your mouse in Mountain View leads to a completely different outcome than it does in lower income areas (red-voting white, ethnic minorities, etc) surrounding the Bay Area.
I have never successfully gotten a “click all motorcycle squares” to succeed. With a VPN, nothing usually works until “click until there are no more X.” It’s so consistent that I’m pretty sure it’s designed that way, since the final task is time-gated.
I'm guessing they also use failed CAPTCHA statistics as more "proof" that those users are malicious. How much should we bet that each time I fail a CAPTCHA because it's utter shit, and happen to be on a VPN, somebody somewhere counts it as a "blocked bot" or "blocked attack"? I guess I don't want to know as it will probably make me angry.
It's not comparing your response to some hard truth, it's comparing your response to a typical response. Sort of like how LLMs dish stuff out based on what's probable, not based on hard truth.
So when you fail, it's not really saying you're wrong, it's saying you're not like most.
On these captchas I used to sweat it but now I just think "fuck it" and don't overthink anything. And I always pass, perhaps for a variety of reasons secondary to the actual tiles selected.
Widevine has already been reverse engineered. You just need to extract a device private key and there are numerous methods for doing so. "Web Environment Integrity" will never work.
Widevine (or any other DRM-based "proof of human" solution) would be far less compute-freedom and privacy respecting than a captcha.
Hashcash[1] was invented two and a half decades ago and is still the best solution. It doesn't require manual work or user privacy invasion and deters mass spammers.
I'd prefer to see proof-of-work based captchas. I'd much rather give up 10 minutes of CPU time for a token that can be revoked as soon as I actually use it for evil than give up all of my privacy (and two minutes of my personal time) for the privilege of using your annoying website.
Proof of work captchas are pretty hard to tune. You need it high enough to deter spammers (who can pre-compute and don't care about latency), but low enough not to deter real users on low powered devices who are using your site live and get more frustrated every second they have to wait.
It might work for spammers who really are just making billions of attempts, but then again if they are making that many attempts then you can block on the IP level.
This is basically how Apple does things. Instead of proof of work, they bake the tokens into devices.
The basic idea is that they'll happily let you sneak a few spam messages through iMessage if you're willing to spend a few hundred dollars on a burner iPhone. This is one reason why they're so resistant to allowing gateway protocols between iMessage and third party devices or RCS.
Spammers would actually prefer it I think. I think for each captcha solved, spammers are ready to pay more than real users (be it electricity or real money). They were already paying real humans before AI became good enough for solving captcha.
No, it would not. Spammers are still paying for the devices - most botnets are built and used (to spam) by different actors. Systems that require more computational power to spam take up more of their resources, making spamming significantly less profitable.
Depends on how much do you want real users to spend per captcha in electricity cost? If say it is $1/captcha it would be untenable for real users. If it is 0.01 cent, it wouldn't hurt spammer's margins.
Yes, $1/captcha is clearly infeasible - it'd be far too slow, first of all.
I don't have any knowledge of what spammers' financials are like, but it's possible that even 0.01c/captcha would still be impactful if the click rate is low enough.
Probably the best way to start tuning the PoW difficulty is just by starting out with what users are willing to tolerate - e.g. 3s solve time on the median mobile device. The gap between mobile and desktop devices has significantly lessened over the past decade, so desktop-grade equipment won't have that much of an advantage - say 1s per captcha, which is a lot for a spammer who would otherwise be able to send out dozens of spam per second.
It's not about making spam impossible, but about making it unprofitable enough that the criminals go elsewhere. Economic warfare.
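Added example, not written by anyone in the thread: a minimal Hashcash-style proof-of-work gate in Python showing the pieces the comments above argue about, namely a server-issued challenge, a single-use token, and picking a difficulty from a target solve time. The SHA-256 `challenge:nonce` stamp format, the `PowGate` class and every hash rate used here are assumptions for illustration, not Hashcash's actual stamp format.

```python
import hashlib
import math
import secrets

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def stamp_hash(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()

def solve(challenge: str, bits: int) -> int:
    """Client side: brute-force a nonce; mean cost is 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(stamp_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce

def bits_for_target(hashes_per_sec: float, target_seconds: float) -> int:
    """Largest difficulty whose mean solve time stays within the target."""
    return int(math.log2(hashes_per_sec * target_seconds))

def expected_seconds(bits: int, hashes_per_sec: float) -> float:
    return 2 ** bits / hashes_per_sec

class PowGate:
    """Server side: issues fresh challenges and accepts each one once."""
    def __init__(self, bits: int):
        self.bits = bits
        self.outstanding = set()

    def issue(self) -> str:
        challenge = secrets.token_hex(16)  # server-chosen, unknown before the request
        self.outstanding.add(challenge)
        return challenge

    def redeem(self, challenge: str, nonce: int) -> bool:
        if challenge not in self.outstanding:
            return False  # never issued, or already spent
        if leading_zero_bits(stamp_hash(challenge, nonce)) < self.bits:
            return False  # not enough work; challenge stays open
        self.outstanding.discard(challenge)  # single use: replay is rejected
        return True

if __name__ == "__main__":
    gate = PowGate(bits=12)  # constructed low difficulty so the demo is instant
    c = gate.issue()
    n = solve(c, gate.bits)
    print(gate.redeem(c, n), gate.redeem(c, n))
```

Verification costs the server one hash regardless of difficulty, while each extra bit doubles the client's mean work, so the tuning question in the thread comes down to which device's hash rate is fed into `bits_for_target`.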