
If you are a web developer trying to keep spambots out, DO NOT use reCAPTCHA. It is an unethical privacy invasion that follows people around the Web and stops disabled people from accessing information or services for no good reason.

Instead, just ask a (very) simple logic puzzle from a decent-sized set. Ask the questions in regular text and give an option to change puzzles. Switch out the library of puzzles occasionally. This will stop the vast majority of spambots.


@alexbuzzbee

> If you are a web developer trying to keep spambots out, DO NOT use reCAPTCHA. … Instead, just ask a (very) simple logic puzzle

How does the effectiveness of using logic puzzles compare to using honeypots hidden with CSS/JS? (if the site already requires JS)

(Done poorly, those can be even less accessible than reCAPTCHA, but I'm talking about well-done versions that don't have accessibility issues)

@codesections A field that is hidden and/or says "leave empty" is a sort of logic puzzle of its own. That's the kind of level of "very simple" I'm talking about. Not much more complicated than giving them instructions in their natural language and seeing if they follow them. Not enough to be any challenge for a human, but very hard for a computer. We're approaching the level at which machine learning will be able to solve these, but such tools aren't widely deployed in spambots.

@alexbuzzbee @codesections you can get really creative with it too. It's fun to come up with easy little puzzles like that and they can also be jokes.

@codesections If you're a web user, and don't like Training Google's GD ML AI Dragon:

1. Request audio.

2. Repeatedly respond with "Fuck you, Google."

3. The algo will eventually let you in.

4. Bonus: all audio interpretation trends to "Fuck you, Google".

@alexbuzzbee

@dredmorbius @alexbuzzbee

Or, you can replace steps 2–4 with pitting Google's toys against one another, and have the audio Captcha solved by Google's speech-to-text algorithm: vice.com/en_us/article/pa55z8/

@alexbuzzbee @codesections I don't have empirical evidence, but the general idea with both Turing tests and honeypots is to develop a reputation sense of the remote party. Each has pros and cons, *both* can be used together. Honeypots risk false-positives, TT's both false positives and negatives. A key problem is that there's no really reliable, durable, expensive (e.g., sockpuppet-proof) remote reputational token we have yet. #HardProblems

@alexbuzzbee when I had this problem some years ago, I just implemented a captcha field with whatever random question. The captcha response text box was hidden in CSS.

So, no human would ever fill it out, but all bots would. It was 100% effective.

@celesteh @alexbuzzbee this might be true. Although screen readers are pretty smart these days.

It wasn't a perfect solution, for sure.

@alexbuzzbee Also, as a user: file bugs / issues with service providers who *do* rely on reCAPTCHA telling them that you find this practice unacceptable.

Possible reasons:

1. Privacy / surveillance.
2. Privatising results of crowdsourced intelligence.
3. Potential military / antisocial applications of technology.
4. Other (think of your own).

I regularly do this.

@alexbuzzbee I agree, it must be at the end a way to feed Google's AI for free...

@Darkness_89 Yes. reCAPTCHA uses Google's tracking infrastructure as part of its human-detection algorithm (which is why I always have to answer the second step), and it is part of that tracking infrastructure. reCAPTCHA widgets monitor your activity on the page before, as, and after you click the checkbox. Supposedly this helps with the human detection, but it's also being sent to Google.

@alexbuzzbee Dang, Google won't leave any stone unturned for info mining.

@alexbuzzbee Also learn about rate-limiting, logic isn't that accessible (I actually tend to dump the math ones in the calculator).

@alexbuzzbee I'd love to expand my repertoire of puzzles. Currently, I give three words and ask the user to type all three in a box with the first one in all caps. I feel alright with it since I'm the only user, but it won't work with s2t which is a downer. Do you have any good suggestions?

@alexbuzzbee I love when people nowadays ask for such things in such a self-confident way, though they know well that this is all lost, and you are not even able to _just_ _conserve_ what works fine _today_!

You lost that war around a decade ago... Just nobody has (wanted to?!) notice then...

People do all that Google stuff, because it's cheap and it's 'typical' and 'accepted' in the mainstream nowadays...

@alexbuzzbee I agree. I have so many problems with CAPTCHA. Sometimes it takes me over 5 minutes to get through, it forces me to open up connections to Google as I remove them in my hosts file and I know it's a tracking issue. I've requested to site admins not to use it and the typical response I get is "We have no current plans at the moment to move away from CAPTCHA". Sometimes if I face goog captcha and what I'm doing is not paramount I opt out. So see it as a potential barrier to clients...

@alexbuzzbee also generate it in JS and most spam bots will not even see it.

@curufuin This isn't accessible; many screen readers and low-resource browsers do not process JavaScript.

@alexbuzzbee Do you have an example, usable in WordPress and/or Drupal ideally? Just so I get an idea what to do? Right now I do not use any reCAPTCHA, but if I am in the need...
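
An added example, not part of any post in this thread: a framework-neutral server-side check that combines the plain-text puzzle set (with a "change puzzle" option) and the "leave empty" honeypot field discussed above. The puzzles, the field names `website`, `answer` and `token`, and the signed-token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, kept server-side
MAX_AGE = 600                     # assumption: a challenge is valid for 10 minutes

# Constructed sample puzzles in plain text; swap the set out occasionally.
PUZZLES = [
    ("Which of these is a colour: chair, green, seven?", {"green"}),
    ("Type the second word of: open source software", {"source"}),
    ("What day comes after Monday?", {"tuesday"}),
]

def _sign(index, issued):
    msg = f"{index}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def new_challenge(exclude=None, now=None):
    """Pick a puzzle; pass the current index as `exclude` for "change puzzle"."""
    issued = int(time.time() if now is None else now)
    index = secrets.choice([i for i in range(len(PUZZLES)) if i != exclude])
    # The token goes into a hidden form input so the server stays stateless.
    return {"question": PUZZLES[index][0],
            "token": f"{index}:{issued}:{_sign(index, issued)}"}

def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = int(time.time() if now is None else now)
    # Honeypot: "website" (hypothetical name) is labelled "leave empty".
    if form.get("website", "").strip():
        return False, "honeypot filled"
    try:
        index_s, issued_s, mac = form.get("token", "").split(":")
        index, issued = int(index_s), int(issued_s)
    except ValueError:
        return False, "bad token"
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), _sign(index, issued).encode()):
        return False, "bad token"
    if now - issued > MAX_AGE:
        return False, "expired"
    if form.get("answer", "").strip().lower() not in PUZZLES[index][1]:
        return False, "wrong answer"
    return True, "ok"
```

A solved token can be replayed until it expires, so this check is best paired with the rate limiting mentioned earlier in the thread.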

Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.