cross-posted from: https://lemmy.ml/post/47972724
i encountered this for the first time today while attempting to read something on archive.today.
i confirmed that decoding the qrcode using a computer and following the URL it contains is insufficient; the error it gave directed me here which is what the linked screenshot is of.
the old type of captcha remains available too, for now:
This is step one.
Step two is id verification via play services before you’re even allowed to scan the QR code.
This is going to erode privacy as we know it on the internet and I can’t see any feasible escape.
…just use a different website?
Everyone needs to fail the test over and over again until they fall back to their non-we want to fuck everyone over even more world.
-
People without a mobile device are fucked out of being able to pass a captcha
-
As if this isn’t a way for them to associate multiple sessions on multiple specific devices with one another, this is just another avenue for data collection, period. Hidden under the guise of “more secure.”
I imagine scammers are already thinking of ways to use this for phishing too
It really should be illegal to build systems that require a user’s access to any unrelated technology. You shouldn’t be forced to have a phone to pay a parking fee or to get on the bus. You shouldn’t need an app to charge your car. You shouldn’t need to use proprietary software from one spesific company to pass a captcha on a random site.
I mostly use my phone (Pixel with GrapheneOS) as a dumb phone + calendar. But by far the biggest number of apps I have to have on it are the fucking car charger apps.
The point with captchas is not really that bots can’t pass them, more that its too expensive to pass them consistently with a hurtfully large enough volume of bots.
I’d heard of this strategy, like making it perform some kind of costly encryption that’s irrelevant to a human user but restrictively expensive for a bot army.
But does decoding a QR code apply? I never really thought about it. I guess it’s an image, it’s at least a little big by comparison… but it’s also in a restricted, easy to capture spot and maybe could be minimized to a fairly small pixel set? Idk how many key pixels you need to parse a QR code… I guess I could Google
*typo bit --> bot and bit --> big… I’m full of bit
Since a QR code is just made of squares, it can be very, very tiny
1 square = 1 pixel
I don’t know much about this new captcha system, but I feel like the challenge wouldn’t really be in the scanning of the qr code itself but more so on making the device you’re scanning with seem legitimate. They could check usage patterns, what apps are installed, how many accounts are added and are they actively used, location and sensor data, are the hardware specifications really unusual, are they constantly trying to complete random captchas… Stuff like that to tell apart a real user’s device from a bot or sandbox. The QR Code is probably just a random ID for which captcha instance the user is trying to pass.
Also I just realised this but this is probably inconvenient as hell. Like I do NOT want to constantly be picking up my phone to scan QR codes when I’m trying to go around the Internet. What if my phone is on the other side of the house? I don’t want to get up and walk all the way over there! If this gets fully rolled out there may actually be a small dip on the amount of desktop users of websites because they just leave when they are hit wth this captcha instead of bothering to scan a code.
i have one. but it isn’t android, or ios, or ‘smart’ in any way. it doesn’t even text. it’s just a telephone that fits in my pocket and connects to the cellular networks. it’s all i want. it’s all i use. it’s all i’ve needed ever since i got my first one about 25 years ago.
Same! Except mine does do SMS text and has the other flip phone stuff like alarms, timer, calendar.
Don’t worry you’re included. Simply visit one of our Accessibility Centers between 8am-9am on odd Wednesdays, with a valid birth certificate, filled-out form from here, and a notarized Charizard.
notably, this kills any alternative to android.
not if you kill google first
🟩 🧑🔧 🪠
that’s plan A
You don’t have to drink a verification can, but you do need to buy a verification phone.
Captcha has been one of the greatest google acquisitions ever.
They acquired it under the guise of improving OCR and have since morphed it into an AI data farm (how else is google lens gonna know what objects are what?) and now total insight into a users every single action from desktop to mobile, tying it all together into a surveillance nightmare.
I can guess the permissions that the recaptcha app needs now. Probably something akin to root access with all datapoints and considerations you could think of.
I used to always add one incorrect tile and skip one correct tile.(It would still pass)
I thiught I was such a rebel lol
Then I figured, they’d be stupid if they didn’t show the same image to multiple people…
How would that teach Lens to recognise anything other than motorcycles and traffic lights really well?
I’ve had many, many not traffic light and motorcycle/bicycle recaptchas. They’re probably leaning a bit into self driving learning the past few years.
Lens has a lot more data points nowadays after everyone’s google photos was used for training for what, 10+ years at this point?
Google harvested all human typed words 15 years ago with the google library project. They’ve been hoarding and processing data for models forever.
-
The word you’re looking for is … abomination.
Who owns the implementation of this? Is this something that websites opt into and add to their own site? Or is this something that Google injects when you’re clicking a search result on Google?
Is this something that websites opt into and add to their own site?
Yes.
reCAPTCHA is google’s “anti-abuse” service which many websites use to
preventslightly increase the cost of operating automated crawlers (which somewhat ironically google operates one of the largest of itself, for their search engine).Before neural networks could solve CAPTCHAs reliably, spammers were solving them with human labor; solving services like
anti-captcha.com(intentionally not a clickable link…) today use a mixture of automated and human solvers.In the future google is apparently building, solving services will need farms of able-to-run-a-recent-android-release mobile devices with some kind of trusted computing hardware, each one of which they’ll have to use sparingly enough to keep usage of its unique ID under some plausibly-human threshold.
And even if you do have a phone and are willing to identify yourself with it, if it is too old to run a recent enough Android you also will sometimes be denied services for being unable to pass a robots’ “human” test.
🤮
I know it has been said already but how stupid is it to teach users the pattern of randomly scanning QR codes. So ironic given that reCaptcha is for security in some sense.
It’s the same with ID verification. For your safety, you need to start giving random websites your drivers license or passport…
It’s the same with ID verification. For your safety you need to start giving random websites your drivers license or passport…
I had a site I was gunna buy stuff from ask me for a video selfie to “prove” I was over 21.
First if all, I wasn’t buying anything controlled, so thats ridiculous over-reach, and second of all LOL FUCK NO I’m not giving you, some random-ass e-commerce site, my fucking biometric data. That’s absolutely insane.
Needless to say, I blocked that site on my pihole, so it no longer exists to me as an option. Sent them a message letting them know they lost a rather substantial sale from that shit. I’ll do that for absolutely every one, same with ID or whatever else. I could just use the tricks kids use, but that still rewards them for this bullshit with money.
I’ll just stop using the internet if it becomes a thing everywhere. It’s not really worth being on anymore, for the most part, anyway.
I don’t blame you. Personally I get more satisfaction from using fake IDs or directing a video selfie thing to a video game character etc or finding some obscure bypass to whatever bullshit they throw at me. That way I still get what I want from the website and they get nothing of value from me, lmao.
Can you explain me how i can direct the selfie thing to a image i have on my computer? I didn’t found anything and ya seem to know something
It’s called the boiling frog effect.
It’s not for your security :(((
Any website that chooses to use this service will simply not get my traffic. If enough people feel the same, those websites will lose clicks and eventually tell Google to pound sand.
Imagine the utter hubris on these fuckers to think that people will get a google device just to access a website.
Or to think that an average user sitting at home would run to another room to grab their phone so they can verify themselves on the desktop just to visit blackcougar.com
You want me to scan a QR code to log onto your fuckin’ website?!
I was wondering how long it would take for someone to get the reference. Its a pretty old episode.
1 year later
Government website you have to use to pay your water bill: “Confirm you are a human…”
They’re using the fact that everyone else both already owns a Google or iOS device, and does everything on those devices, to punish desktop and alt mobile OS users.
The fact that this is going on right as AluminumOS is down the pipes, and right as rigged parts prices threaten to kill desktops as an option to begin with makes this especially sus.
The way things are going right now, I won’t be surprised if we see a computing future where you’re either on a Google or Apple-controlled device, or you’re on a thin client tied to a cloud subscription, and you won’t own your tech anymore.
Have you been paying attention to the open source community at all? We have made this future impossible.
Many humans don’t have smart phones
So those humans will go buy the cheapest they can find which is, surprise, Android + Google Play Services.
No. More likely those people just won’t visit that website and will very easily get the information that they were looking for from the next link down on the search results.
Google are fucking idiots if they think otherwise.
the next link down on the search results
Assuming we’ll have that at all or just AI summaries replacing the results.
There are several superior search engines to Google.
I kind of doubt that even when it comes to English, and for smaller languages i’m sure that there’s still no serious competition to Google.
So those humans will go buy the cheapest they can find
Hell no I won’t.
Yup, and they are being cut out of society everyday. Just losing your phone or even breaking it can be a figurative death sentence. Want to check your email from another device? Did you set up 2 factor with your phone?
Yeah sorry, can’t access your email.
I’m at the point where I’m fine with it. If you want to cut me out for such a silly reason, I don’t want to be included in your dumb thing. I’ll find an alternative that treats me with respect.
If you don’t have a smartphone are you truly human? /s
So Linux users are fucked?
No; they said you can use Android.
So, throw an android image into a virtual machine?
Seems a little round-about. But if you want, I guess you could do that for some reason.
Do you not understand why people don’t want to link their mobile to every website they visit?
I absolutely do, but Linux-or-not has nothing to do with that.
don’t forget to sign-in to the google account you want the ‘protected’ web site visit logged to.
It needs Google play services on a play integrity passing device
Android ≠ Linux
Android is based on a modified version of Linux, and owned by Google. Linux is independent.
Android is Linux. Not all Linux systems are Android, but all Android systems are Linux.
It’s not necessarily helpful to those on desktop Linux, but it is Linux if someone wants to be a purist about which operating systems run on their hardware.
First of all, Android is an operating system, and Linux is a kernel. OS ≠ Kernel.
Second of all, it’s not even the generic Linux Kernel. It is heavily modified by Google LLC.
I hate that it’s my responsibility to protect your system from infiltration.
One more reason to not use google anything
This will be used on sites like Experian, Chase, IRS, DMV, etc. It’s a way to track and deanonymize everyone.
Nah. Block all fingerprinting. You don’t need any of this crap.
@cypherpunks the mere idea of requiring a device to use another is absurd. This should be illegal
