450
submitted 4 months ago* (last edited 4 months ago) by tek@calckey.world to c/technology@lemmy.world
you are viewing a single comment's thread
view the rest of the comments
[-] Wistful@discuss.tchncs.de 17 points 4 months ago

So what would be a good solution to this? What is something simple that bots are bad at but humans are good at it?

[-] tal@lemmy.today 92 points 4 months ago
[-] db0@lemmy.dbzer0.com 35 points 4 months ago

Knowing what we now know, the bots will instead just make convincingly wrong arguments which appear constructive on the surface.

[-] DarkDarkHouse@lemmy.sdf.org 21 points 4 months ago
[-] db0@lemmy.dbzer0.com -1 points 4 months ago

You're wrong but I don't have the patience to explain why.

[-] weststadtgesicht@discuss.tchncs.de 17 points 4 months ago

Not a constructive comment, captcha failed.

[-] ArmokGoB@lemmy.dbzer0.com 2 points 4 months ago

Everyone on Lemmy is a bot except you.

[-] OsrsNeedsF2P@lemmy.ml 33 points 4 months ago* (last edited 4 months ago)

I work in a related space. There is no good solution. Companies are quickly developing DRM that takes full control of your device to verify you're legit (think anticheat, but it's not called that). Android and iPhones already have it, Windows is coming with TPM and MacOS is coming soon too.

Edit: Fun fact, we actually know who is (beating the captchas). The problem is if we blocked them, they would figure out how we're detecting them and work around that. Then we'd just be blind to the size of the issue.

Edit2: Puzzle captchas around images are still a good way to beat 99% of commercial AIs due to how image recognition works (the text is extracted separately with a much more sophisticated model). But if I had to guess, image puzzles will be better solved by AI in a few years (if not sooner)

[-] brbposting@sh.itjust.works 21 points 4 months ago

I love Microsoft’s email signup CAPTCHA:

Repeat ten times. Get one wrong, restart.


iPhones already have it

Private Access Tokens? Enabled by default in Settings  > [your name] > Sign-In & Security > Automatic Verification. Neat that it works without us realizing it, but disconcerting nonetheless.

So, the spammers will need physical Android device farms…

[-] OsrsNeedsF2P@lemmy.ml 17 points 4 months ago* (last edited 4 months ago)

More industry insight: walls of phones like this is how company's like Plaid operate for connecting to banks that don't have APIs.

Plaid is the backend for a lot of customer to buisness financial services, including H&R Block, Affirm, Robinhood, Coinbase, and a whole bunch more

Edit: just confirmed, they did this to pass rate limiting, not due to lack of API access. They also stopped 1-2 years ago

[-] brbposting@sh.itjust.works 2 points 4 months ago

No way!! Can’t find anything about it online - is this info by the way of insiders? Thanks for sharing, would have NEVER guessed. Not even that they’d have to use Selenium much less device farms.

[-] OsrsNeedsF2P@lemmy.ml 4 points 4 months ago

Yup insider info they definitely don't want public. Just confirmed the phone farms were to bypass rate limit, although they do use stuff like Selenium for API-less banks

[-] EliteDragonX@lemmy.world 6 points 4 months ago

Oh my god. I lost my fucking mind at the microsoft one. You might aswell have them solve a PhD level theoretical physics question

[-] brbposting@sh.itjust.works 3 points 4 months ago

Just noticed the screenshot shows 1 of 5.

So five wasn’t good enough… they had to double it. Do kinda respect that they’re fighting spammers, but wonder how Google does it with Gmail. They seem to have tightened then recently loosened up on their requirement for SMS verification (but this may be an inaccurate perception).

[-] IphtashuFitz@lemmy.world 3 points 4 months ago

I know some sites have experimented with feeding bots bogus data rather than blocking them outright.

My employer spotted a bot a year or so ago that was performing a slow speed credential stuffing attack to try to avoid detection. We set up our systems to always return a login failure no matter what credentials it supplied. The only trick was to make sure the canned failure response was 100% identical to the real one so that they wouldn’t spot any change. Something as small as an extra space could have given it away.

[-] Lost_My_Mind@lemmy.world 10 points 4 months ago

Pizza toppings. Glue is not a topping.

[-] NegativeInf@lemmy.world 8 points 4 months ago

Isn't the real security from how you and your browser act before and during the captcha? The point was to label the data with humans to make robots better at it. Any trivial/novel task is sufficient generally, right?

[-] I_Miss_Daniel@lemmy.world 5 points 4 months ago
[-] lemmyvore@feddit.nl 2 points 4 months ago

Seriously, we probably need to dig into some parts of the human senses that can't be well defined. Like when you look at an image and it seems to be spinning.

[-] hakunawazo@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

Yes, or:
Which of these images makes you horny?
(Casualty would be machine kink people.)

[-] theneverfox@pawb.social 3 points 4 months ago

I think this is a non-issue

Captchas aren't easy to bypass - run of the mill scammers can't afford a bunch of servers running cutting edge LLMs for this

Captchas were never a guarantee - one person could sit there solving captchas for a good chunk of a bot farm anyways

So where does that leave us? Sophisticated actors could afford manually doing captchas and may even just be using a call-center setup to do astroturfing. My bigger concern here is the higher speed LLMs can operate at, not bypassing the captcha

Your run of the mill programmer can't bypass them, it requires actual skill and a time investment to build a system to do this. Captchas could be defeated programically before and still can now - it still raises the difficulty to the point most who could bother would rather work on something more worthwhile

IMO, the fact this keeps getting boosted makes me think this is softening us up to accept less control over our own hardware

[-] shortwavesurfer@lemmy.zip 2 points 4 months ago

Proof of work. For a legitimate account, it's a slight inconvenience. For a bot farm, it's a major problem.

[-] theneverfox@pawb.social -1 points 4 months ago

I think this is a non-issue

Captchas aren't easy to bypass - run of the mill scammers can't afford a bunch of servers running cutting edge LLMs for this

Captchas were never a guarantee - one person could sit there solving captchas for a good chunk of a bot farm anyways

So where does that leave us? Sophisticated actors could afford manually doing captchas and may even just be using a call-center setup to do astroturfing. My bigger concern here is the higher speed LLMs can operate at, not bypassing the captcha

Your run of the mill programmer can't bypass them, it requires actual skill and a time investment to build a system to do this. Captchas could be defeated programically before and still can now - it still raises the difficulty to the point most who could bother would rather work on something more worthwhile

IMO, the fact this keeps getting boosted makes me think this is softening us up to accept less control over our own hardware

this post was submitted on 19 Jul 2024
450 points (99.3% liked)

Technology

59598 readers
2198 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS