Brian Lovin
/
Hacker News
Daily Digest email

Get the top HN stories in your inbox every day.

bramhaag

The requirements for the mobile devices are listed here: https://support.google.com/recaptcha/answer/16609652

So it seems that you will need a modern Android device with Google Play Services installed or a modern iPhone/iPad to be allowed to browse the web in the future.

No mention of device integrity verification yet, but the writing is on the wall.

NotPractical

> No mention of device integrity verification yet

If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974

chii

> I expect that it will initially not use it

It's the boiling the frog method. Moving too fast means backlash, but a slow, step by step transition where each step seems reasonable, but ultimately ends up with a locked down device, is how they aim to achieve it. And people would be too lazy to complain until the last few steps, by which time it would be too late.

baranul

Good metaphor. On the one hand, Google increasingly cooperates and makes deals with militaries and governments. On the other hand, it increasingly locks down its customers and eliminates their privacy and freedoms.

Google has just about got the pot boiling. They win, we lose.

manwe150

FWIW, “boiling the frog” is the example of false reasoning about slippery slopes (the frog in actuality always left)

Your larger point still stands though of normalizing changing expectations by slow degrees

Velocifyer

There is already so much backlash. If I ever use a reCAPTCHA, I will have Google Gemini solve it, wasting Google's compute and messing up the dataset.

charcircuit

>that implies that a "certified Android" device capable of Play Integrity attestation is required

No, it doesn't. It implies that the app for handling the deeplink lives within GMS as opposed to needing to manually install a separate app like you do on iOS. GMS does not have a hard dependency on device integrity APIs being supported.

blueg3

They said "capable of Play Integrity attestation". It's a weasel statement. If you have GMS, you're capable of performing PIA attestation, you just might fail. So it's strictly true, but doesn't tell us anything about whether it requires PIA.

ikr678

And you must be signed in.

I frequently get flagged as suspicious activity and have to pass a captcha when trying to use the Google verbatim search function on a signed out Firefox browser on android.

avanwyk

I get this all the time with Brave, and especially in Private Windows. It's the number one reason I don't use Google Search anymore. I've used Brave search for a while, what do you use? Do you have a way to prevent the captchas?

Angostura

I get it all the time on my Mac with Safari using iCloud private relay

jeroenhd

> And you must be signed in.

I don't see any mention of that? Google Play services work fine without an account (although if you're the kind of person who doesn't sign in to a Google account on their Android phone, you're probably running a custom ROM or something)

adrian_b

Until now, I have never run "a custom ROM or something", but just the Android that came from the phone vendors and its updates.

Nevertheless, I do not have a Google account and I do not intend to have such an account.

Of course, this means that I cannot install any app from the official Google store, even if it is a free app. The requirement to log in to your Google account should have existed only for payments, not for downloading a free app, but nonetheless Google does not work this way.

I already had problems with a bank that has terminated its Web-based online service, replacing it with an app that they refuse to provide for downloading, so that I could install it without having to open a Google account. Therefore I have also terminated my accounts with that bank.

I hope that this behavior will not spread to all remaining banks that still have Web-based online access.

Velocifyer

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.

blueg3

Google is mostly interested in abuse that happens beyond the scale of how many $30 phones you can buy.

duskdozer

They're mostly interested in having a complete record of all users' internet activity tied uniquely to their identity.

Barbing

I'm expecting a pretty hard identity verification requirement to connect to the internet, which should solve for the burner phone thing.

2ndorderthought

Google is interested in, like other tech companies, identifying users by tying them to their phones. Other ai defense companies are trying to get photos and IDs. This is just another take on the same subversive activity.

hellojesus

This is going to make my grapheneos journey a bit more exciting. How wild to force users through an official google identification for web browsing.

Does the iPhone recaptcha app force you to login with a Google account? Seems we didn't need ID verification for the web to lose all anonymity.

lucb1e

I'd rather have to do ID verification at a government site that gives out blindable RSA signatures to browse the web with using open source software, than this overseas tech company needing to lock down the whole device and tech stack and not have to 'show ID' at all. One of these two holds elections...

Music/movie corporations and game developers must look forward to an age where people can't access the cache files or hook up a debugger to their apps anymore
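
The "blindable RSA signatures" idea from the comment above, sketched as an added example (not part of the thread and not any government's or vendor's scheme): textbook RSA blinding over a toy key, with function names chosen here for illustration. The issuer signs after its ID check but only ever sees a blinded value, so it cannot link the token a website later verifies to the person it checked; a production design would use a padded scheme such as RFC 9474 with a real key size.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key built from two Mersenne primes (constructed for this demo;
# far too small and too structured for real use).
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # issuer's private exponent


def token_digest(token: bytes) -> int:
    """Map a token to an integer mod N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """User side: hide the token digest behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (token_digest(token) * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(blinded: int) -> int:
    """Issuer side: runs after the ID check, sees only the blinded value."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Any website: check the signature with the issuer's public key only."""
    return pow(sig, E, N) == token_digest(token)


def demo():
    """Run one issuance and report what each party could observe."""
    token = secrets.token_bytes(32)     # chosen by the user, never sent to the issuer
    blinded, r = blind(token)
    issuer_log = [blinded]              # everything the issuer saw
    sig = unblind(issuer_sign(blinded), r)
    return {
        "valid": verify(token, sig),
        "issuer_saw_digest": token_digest(token) in issuer_log,
        "issuer_saw_signature": sig in issuer_log,
        "forged_rejected": not verify(b"some other token", sig),
    }


if __name__ == "__main__":
    print(demo())
```
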

broken-kebab

I guess history made us different. Personally I have reasons to be equally distrustful to anyone who wants to know too much about me, but much more afraid of my gov't than overseas entities.

userbinator

I'd rather have no ID verification at all. Give them an inch and they'll take a mile.

xbmcuser

One of these also rounds up people and sends them off to overseas concentration camps without due process. I think maybe white people still don't get what the rest of the world is living or experiencing.

LorenPechtel

One of them pretends to hold elections.

batrat

Sorry, I trust Google more than my government for my data. I mean I trust photos, youtube, music, gmail, wallet, keep, etc. what is that I have left anyway? It's sad that we started from open web, but we ended up in the hands of few. Apple/Samsung, Google, Microsoft, Amazon decide basically how I live my life. I don't want to (and sometimes I try too hard), but I don't want to give up the convenience also, but not only mine, also for my family is in the same pot.

pjc50

"As part of our mission to enable a safe agentic web" drew an immediate swear from me.

What's happened here is yet another massive negative externality from AI. Because AI is such a fraud enabler, Google are now using that as an opportunity to end the open internet and competition in operating systems.

I'd much rather go the other way and make the AI wear identification. Crack down on both corporate and unlicensed AIs.

Edit: and of course it's also advertising killing the web, because the fraud in question is ad fraud. Need to force it into human eyeballs, not bots.

trollbridge

Yep.

I learned yesterday you can’t sign in to Cursor on Brave Browser. Had to switch to Safari. This is only going to become more and more common.

snailmailman

I’m already sick and tired of seeing Cloudflare’s “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.

I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.

Gander5739

But what's the alternative? Sites need a way to prevent bots overwhelming them, and there's no perfect way to distinguish real users from bots.

rkagerer

One alternative is to make simple, efficient, and where appropriate even static sites that can scale to meet the demand.

The HIBP hashes distribution is a great example.

account42

But what's the alternative to shops strip searching you every time you want to buy something? Shops need a way to prevent looters overwhelming them, and there's no perfect way to distinguish real shoppers from looters.

jwr

What are "bots"?

If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.

Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.

BirAdam

The alternative would be tar traps that only a bot would “see” and interact with and thus be caught by. Default to annoying machines not people.

andrepd

You're right, we need big tech to protect us from the problems big tech created.

In the olden 20th century, we had a term for that...

Velocifyer

PoW challenges that make bots not viable.
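
A minimal hashcash-style proof-of-work challenge, as an added example (not part of the thread and not the code of any project named in it): the server issues a stateless, HMAC-signed challenge, the client burns CPU finding a counter, and the server checks it with one MAC and one hash. The key, difficulty, TTL and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # server-side secret (constructed for the demo)
DIFFICULTY_BITS = 16                   # about 65k hashes expected per solve
TTL_SECONDS = 120
_spent = set()                         # challenges already redeemed (replay guard)


def issue_challenge(now=None) -> str:
    """Server: stateless challenge of the form 'salt.expiry.bits.mac'."""
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_hex(8)}.{now + TTL_SECONDS}.{DIFFICULTY_BITS}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str) -> int:
    """Client: brute-force a counter; this is the cost imposed per request."""
    bits = int(challenge.split(".")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge: str, counter: int, now=None) -> str:
    """Server: cheap check whose cost does not grow with the difficulty."""
    now = int(time.time() if now is None else now)
    parts = challenge.split(".")
    if len(parts) != 4:
        return "malformed"
    body, mac = ".".join(parts[:3]), parts[3]
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad-mac"               # client edited expiry or difficulty
    if now > int(parts[1]):
        return "expired"
    if challenge in _spent:
        return "replayed"              # one solution buys one request
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(parts[2]):
        return "insufficient-work"
    _spent.add(challenge)
    return "ok"


if __name__ == "__main__":
    c = issue_challenge()
    n = solve(c)
    print(verify(c, n), verify(c, n))
```
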

garbagewoman

What's your argument

anonym29

mCaptcha, ALTCHA, Cap, Friendly Captcha, Private Captcha, Procaptcha, Anubis... there are literally dozens of open source alternatives that aren't feeding the Do Be Evil company... not to mention all of the commercial alternatives - if for whatever reason, you do feel like paying for a service that costs nothing to offer

negura

Reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filing a complaint etc) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas

Hizonner

... or you'll need to stop using reCAPTCHA if you want to get any traffic on your Web site.

I know, people will slavishly knuckle under, but let me dream for a few minutes.

tardedmeme

99.999% of people don't give a shit and don't even know what this means. They'll follow the instructions. These are the same 99.999% of people who press win+R ctrl+V enter when the captcha prompts them to. Because do this to see the dancing bunnies.

KellyCriterion

> press win+R ctrl+V

LOL is this real?

I guess yes, because yesterday ReCaptcha asked me to screenshot a QR-code with the mobile phone :-D

ronsor

Yeah, this is going to turn into another malware vector, isn't it?

mrguyorama

They will do exactly as it says while also ceaselessly complaining, completely unable to connect their choice to use a website with the pain of using that website.

There's some sort of serious issue with learned helplessness or something

nonamesleft

I have blocked it for years with uBlock Origin, if a site doesn't work, ctrl-w. Nowadays I cannot even use google search because of this, any search will trigger a captcha, hilarious (at least on chromium-based browsers, firefox lets me get a page or two).

Leonard_of_Q

Ditch Google Search as well then, use something like SearXNG or another meta-search engine. You'll get more representative results, no tracking and no captchas. Sometimes some of the engines may return captchas but they're kept from the search results, i.e. those engines don't get used for the query. You can run your own instance of SearXNG or one of the alternatives or use one of the available public instances, your choice. The fewer direct interactions with the likes of Google/Apple/Microsoft/etc. the better.

conradfr

The thing is even a contact form without something like reCaptcha is doomed on today's web: spam all day.

986aignan

If it's just a contact form on some random site that isn't particularly valuable to spammers, a bespoke solution like hidden input fields, obfuscation, or some kind of token calculated client-side by JS will probably work just as well.

qiine

Browser requirements for reCAPTCHA

We support the two most recent major versions of the following:

    desktop (Windows, Linux, Mac)
        Chrome
        Firefox
        Safari
        Chromium Edge
    mobile
        Chrome
        Safari
        Android native browser

wait where is Firefox for android?

codedokode

Wow. So you will need a mobile device in future to browse the web, and Google will use mobile device identifier to de-anonymize you. And I assume they also carefully designed this to make life little harder for alternative search engines, their competitors. And probably they will not provide collected user data to competing advertising platforms to make them less competitive as well.

Also the example is ridiculous, that you need to scan a QR code to place an order. Maybe they should require filing a visa application as well.

giancarlostoro

I will stop using those websites altogether.

You know, it's funny, I don't think I've ever seen captcha on HN once.

f33d5173

You need one to sign up lately I believe. Which is really all it takes if your identity is required for the captcha and gets associated with your account forevermore.

account42

Tell that to the websites that make you complete a captcha on every login.

RobRivera

Well, internet is dead anyway so they can keep the keys to the kingdom. I frankly do not care anymore. The meek shall inherit the Earth

devy

I can't believe promoting the QR code-based challenge as the agentic way of fraud defense. Having non-human readable data input is dangerous: if somehow the QR code is compromised with a zero-day URL, it's game-over.

Note: I know QR code is ubiquitous these days, but still blindly scanning a QR code to access a URL is like running a binary downloaded from the internet.

Note2: yes, the `curl $URL | bash` installation approach is essentially just that, yet somehow became popular.

xp84

But a QR is a URL. If visiting a certain URL pwns your device, complain to whoever made the device or browser.

Not that I like this thing at all. But using a QR isn’t exactly why it sucks.

olyjohn

It's a URL that you can't read. It's literally exactly what we tell people to not do to be secure. LOOK AT THE FUCKING URL BEFORE YOU VISIT THE SITE.

xp84

IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.

shye

No, we don't, or shouldn't ask people to check the URL itself, because homonym attacks are a thing. Goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).

PeterStuer

Whoever told you that is the same person that advocated complex password rules with monthly resets and no repeats.

jeroenhd

Right! Let me check the URL before clicking the "confirm your account" link!

https://rt434.mjt.lu/lnk/GN2PVLyAIiUHuMqkGcjHkjkcRBtF/zJfB7p...

Oh wait, never mind. I guess I won't be signing up for electricity, then?

Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.

If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.

a2128

2020s will be remembered as the decade when companies stopped behaving in a trustworthy way, and normalized scanning random QR codes, downloading random apps, uploading photos of your face or documents, all as strange convoluted "verification" procedures. Scammers will love this

gwerbin

Companies were doing this all along. The 2020s will be remembered as the decade when we realized, too late, that the world began ending in the 2010s.

classified

Unregulated greed doesn't care if every user gets robbed and their identity stolen.

shit_game

What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.

dunder_cat

Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.
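
One way to triage the kind of CSP report noise described above, as an added example (not part of the thread and not the commenter's code): it sorts `report-uri` JSON bodies into extension-injected, inline/eval, first-party and third-party buckets so that real policy gaps stand out. The sample reports, host names and function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension",
                     "safari-extension", "safari-web-extension"}
# Non-URL values that browsers place in blocked-uri.
KEYWORD_SOURCES = {"", "inline", "eval", "wasm-eval", "data", "blob", "about"}


def _report(directive, blocked, source=""):
    """Build one constructed report body in the report-uri JSON shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.org/checkout",
        "effective-directive": directive,
        "blocked-uri": blocked,
        "source-file": source,
    }})


# Constructed sample input, not real traffic.
SAMPLE_REPORTS = [
    _report("script-src", "chrome-extension://aaaabbbbccccdddd/inject.js"),
    _report("img-src", "https://ads.injected.example/banner.png",
            source="moz-extension://1111-2222/content.js"),
    _report("script-src", "inline"),
    _report("script-src", "https://cdn.example.org/app.js"),
    _report("frame-src", "https://block.filter.example/youtube"),
    "<html>not a report</html>",
]


def classify(raw: str, site_host: str):
    """Return (bucket, detail) for one raw report body."""
    try:
        report = json.loads(raw)["csp-report"]
        blocked = str(report.get("blocked-uri", ""))
        source = str(report.get("source-file", ""))
        directive = str(report.get("effective-directive")
                        or report.get("violated-directive", ""))
        directive = directive.split()[0] if directive else ""
        # Either the blocked resource or the script that requested it
        # living in an extension means the page itself is not at fault.
        for uri in (blocked, source):
            if urlsplit(uri).scheme in EXTENSION_SCHEMES:
                return ("browser-extension", directive)
        if blocked in KEYWORD_SOURCES:
            return ("inline-or-eval", directive)
        host = urlsplit(blocked).hostname or blocked
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("malformed", "")
    if host == site_host or host.endswith("." + site_host):
        return ("first-party", f"{directive} {host}")   # likely a policy gap
    return ("third-party", f"{directive} {host}")


def summarise(raw_reports, site_host: str):
    """Count reports per bucket and per third-party (directive, host)."""
    buckets, third_party = Counter(), Counter()
    for raw in raw_reports:
        bucket, detail = classify(raw, site_host)
        buckets[bucket] += 1
        if bucket == "third-party":
            third_party[detail] += 1
    return buckets, third_party


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORTS, "example.org"))
```
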

littlecranky67

I try to keep my phone away from my computer during work to get rid of distractions. OTPs can be done with yubikeys & co., but more and more web services requiring a phone is a step in the wrong direction. Especially since google is using so much tracking, that they can merge tracking data from phone and desktop together.

ProllyInfamous

>more and more web services requiring a phone is a step in the wrong direction

Absolutely. My bank began requiring a text-to-login, so I just stopped logging in. A branch location is walking distance from my house, so I bother them all the time with simple account information requests (and state every time "when can I use a Yubikey instead of phone for login?").

I legitimately have never scanned a QR code, have never Zoomed, don't even own a phone anymore, and stopped using email many years ago.

Really hoping Yubikey becomes widely accepted at US banks/CUs, soon.

34ak8

They think that AI creates conditions that will force humans to use their real IDs. Instead, it will create conditions that people will go offline.

I hear many more complaints about surveillance and tracking from Gen-Z than from Millennials. People are waking up.

Google already requires you to have a smartphone to create an account, because they want you to scan a QR code even when creating the account on a PC. It will get worse.

The solution is not to use YouTube but Rumble instead.

balch

> it will create conditions that people will go offline

> People are waking up

I really hope you're right.

mzajc

As expected, they're bringing WEI back under a different name: https://en.wikipedia.org/wiki/Web_Environment_Integrity

orion7

Like many, I've already trained myself to commit to giving up immediately after the second bus or traffic light or puzzle (some of which I don't even understand anymore). Sounds like my life will not be all that different.

Worst case scenario, if this neuters my sovereign and all powerful linux desktop from some critical business I can't avoid (which remains to be seen), it sounds like I will have to have some scripts and a dummy android phone in my home lab as a sort of second router.

yard2010

Kinda off topic question to google - when I do this labour of tagging your data so you let me use the internet - should I click on every box that has parts of the bus? Even if it's like one pixel?

Follow up question - why ask people to work when you can just say "pay 1 shmeckel to view this content" and then use this money to pay for data taggers?

Thank you for letting me use your internet!

hypendev

I was pissed off at the same thing today.

I tried ticking every part - not working. Then I tried just the core. Not working. It took me 5 captchas until I got to one that had different images.

Terrible experience. Most of the time I just close the site now as I can't be arsed.

rurp

There's no specific "right" answer on the boxes. Like another post said they're looking at god-knows-what to decide whether or not to let you load the website.

Years ago I started to deliberately pick one or two wrong answers, or just not take the time to really look at them, and it made no discernible difference on how often I pass.

Traubenfuchs

Recaptcha contains a whole maximally obfuscated virtual machine with its own bytecode language. It measures your mouse movement, clicks, timing, cadence, hesitation, consistency, tile clicking order, etc.

Ambiguous tiles are deliberately placed because the behavior they elicit from humans can be used to discern them from bots.

pjc50

Yes, the "correct" reaction to the ambiguous tiles is to hover a bit indecisively. You need to waste a certain minimum amount of time on the CAPTCHA. I've found that applying videogame reflexes and zapping all the tiles in a short period of time is a fail, even if they're the correct tiles.

driverdan

Any company that requires me to scan a QR code to make a purchase is losing my purchase.

comboy

You would not last long in China ;)

(you pay by scanning QR code in .. well, everywhere)

driverdan

Thankfully I don't live in China. Unfortunately the totalitarian government is a larger concern than the QR codes.

joquarky

Which one?

nohell

Adding friends, shopping, logging in on PC, binding accounts for after-the-fact SSO, etc..

This is all done with QR codes here.

gonzalohm

They don't like contactless technology or what? I don't think that scanning a QR code is significantly more involved but it's enough to be annoying

xp84

I think partly because Google and Apple controlled the contactless bits of the phones for many years, the non-OS-makers like WeChat and AliPay made use of the open technology of QR codes. I think theoretically you could build equivalent things as they have with NFC today on those platforms but on the other hand being able to set up a “POS” with nothing more than a printer does have an appeal to it, even if writable nfc stickers cost 5 cents you still have to go buy some.

627467

QR payments in China were already pervasive before contactless payments became pervasive in the west. And as others say: not all phones supported NFC at the time. Remember iBeacons on iP5? WeChat and Alipay were already everywhere by then

ZeWaka

It's all WeChat Pay (or AliPay).

esperent

Lots of phones don't have NFC. All phones have cameras.

pyreko

Having been there recently, it's about as annoying as taking out your phone to pay for something. Some systems also support NFC now, though the most common is still QR. Also helps that their QR scanning tech/transaction processing is really fast, many transactions were as fast or even faster than me scanning with a card from my experience.

(Also if you want to talk annoying payments don't get me started on how insane it is that the US still requires me to hand over a physical card at most restaurants to take over to their register... sorry I just can't help but get annoyed by this lol)

Razengan

Also in adjacent countries like Vietnam etc., where even ragtag street food vendors have a QR code sticker on their stall/cart.

It's so common that people pay without even talking or confirming; I've seen customers just take their phone out, point at the QR, and walk away, and the shopkeeper says nothing. I'm assuming the shopkeeper gets a notification on their phone and trusts regular customers,

but how easy would it be to secretly place your own bank account's QR code on top of a shop's QR? People who wait for a confirmation notification will catch it immediately, but by then the customer has already paid the attacker and the transaction can't be just reversed. Repeat it in several places, and a thief can snatch quite a few payments before the parasite stickers are all taken down.

kps

Where are those ‘mark of the beast’ cranks when you need them?

ethagnawl

[flagged]

Lammy

A few millennia too late for that: the “mark of the beast” is just money — “so that no one could buy or sell unless he had the mark”. How does one buy or sell without money? Otherwise we would call it bartering.

Some currencies are even literally called Marks lol https://en.wikipedia.org/wiki/Mark_(currency)

PeterStuer

Scanning QR in your bank app for payment is near universal in Europe. In fact, it is considered very annoying if a site does not provide the option.

dfox

It is far from being universal. And the more annoying part of that is that there are at least 4 incompatible "standards" as to the format of the QR code.

account42

Europe has very diverse payment systems, you shouldn't be making generalized statements like this.

walletdrainer

I’m European, never encountered the system you describe.

What is it and why does it exist? Apple Pay has been widely available since 2016. Why would anyone want to use some clunky QR-code thing instead?

mike_hearn

For better or worse there's no such thing as "Europe" despite the wish of many on HN.

Such a system exists in, for example, Switzerland. Actually there are two such systems that aren't compatible. There are QR code invoices for domestic payments, where the code includes the target bank account details, amount to pay, transaction details etc. That's scanned by your bank app, direct p2p payment. And there is Twint, which is a domestic consumer payments app. The QR codes often contain short one time use codes that are looked up server side.

Why do people use them: because it's easy and the fees are low. Banks give you QR code invoices even for small businesses for free. Twint is a bit like Venmo, you can send to numbers in your address book for free, and for businesses they can do website integrations easily and even print out static QR codes to stick on market stalls etc.

Twint isn't as fast, convenient or reliable as NFC card payments so the card/tech companies still have an advantage. But it's been getting better. Maybe at some point the NFC elements in the card tech will become flexible enough to allow arbitrary mobile apps to be as good as tap-to-pay.

ntoskrnl_exe

QR codes are used in direct account-to-account transactions. They encode all the data like the IBAN-based account number, bank code, requested sum etc. that you may find on invoices in a way that’s much more convenient than typing over by hand.

Apple Pay meanwhile uses your credit/debit card to perform the transaction, the other party needs a terminal or payment gateway and is required to pay fees to Visa or MasterCard.

realusername

I live in France and no such payment system ever took off.

We just pay with a standard credit card.

benhurmarcel

Standard card payment that you need to authorize on your phone in your bank's app...

tjoff

Looks similar but is a different thing entirely. That is for allowing someone to take money from your account.

Because the concept of credit/debit cards is batshit insane that only serves to finance organized crime.

x0x0

It's coming.

The Poshmark morons demanded government id to buy a $35 shirt. On an established account, an address that matched my credit card, etc.

The only answer is delete your account.

EmbarrassedHelp

Why the hell would they care who is buying it? They're getting paid either way.

The only reason they'd care is because they want to sell your personal information.

UqWBcuFx6NV4r

That is an incredibly long bow to draw from someone that obviously doesn’t know what they’re talking about and is willing to make massive jumps to conclusions. Do you know how ecommerce works? I agree that it is a bit absurd, but not nearly as absurd as your claim of “the only reason”.

deepsun

Many sit-in restaurants enforce QR codes ordering. Started during covid, but keeps happening, especially outside US in my experience.

kccqzy

They don’t enforce in my experience. Just don’t bring a phone and they will bring you a paper menu.

ale42

Or if you want to play a bit, have a browser with some extension that breaks websites and show them "it doesn't work on my phone". Pranks apart, in my experience, I always got a paper menu when I asked for it.

xacky

The fact that mobile devices are now mandatory to prove "humanness" means that Google no longer trusts desktop/open platforms anymore.

pixelmelt

I'm in the community reverse engineering web CAPTCHAs, it's because they are too easy to reverse engineer with Claude now.

I've seen multiple people break BotGuard (the obfuscation used by reCAPTCHA) within the last year when before it was considered a huge technical endeavour.

Devices like phones don't have this issue since Google owns the client attestation end to end and can fingerprint you without the risk of receiving spoofed values.

dredmorbius

Where is this specified? I don't see that in TFA.

luma

The example they give in TFA is having the user scan a QR code, presumably from a mobile device.

bryan_w

But that's not a specification

skinfaxi

I think they are jumping ahead but it does seem like a logical conclusion. Would tie in nicely with the online ID verification stuff popping up everywhere.

charcircuit

Does anybody trust it? MacOS seems to be the only desktop platform I see be trusted.

dangus

I think the pathetic thing about this is that it’s so much less intuitive than stuff like cloudflare and Anubis.

Google, a multi-billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.

Meanwhile, when Cloudflare/Anubis verifies you there’s zero required interaction and you barely even see the anime character because it all loads so fast. At most Cloudflare makes you check a box.

Velocifyer

reCAPTCHA is already so hard that I often can't solve the visual challenges, and Google has been blocking the audio challenges on VPNs (that is horrible for blind people) and also now the audio challenges are super hard.

Google Gemini can solve them and I don't think that it will take long for lower power AI systems to be able to solve them.

I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 android phones. Many people have trouble using a smartphone, so they use dumbphones, but they will be locked out. Many people just don't have any mobile phone because they don't think that it is useful.

BoxedEmpathy

I think you're spot on. This will block and inconvenience legitimate users while fraudsters have no problem buying more phones.

Not a useful direction for real end users.

pixel_popping

I doubt they care much about fraud tho, they just care about advertising revenue and bots, people building scams and putting ads on them still produce genuine clicks.

account42

Often illegitimate users don't even have to solve the captcha because whenever one shows up they can just trash the session and start over fresh. As long as they get to the desired result often enough they're golden. Not so for real users who only have one account on one or at most a handful of browsers.

user3939382

The GitHub one I recently tripped on was the worst of all time. Part one of 9 or something, which of these three next sounds are bees? Or some small man rotating around spaces on a map. I have an eInk screen and it was nearly impossible to see. Extremely painful and ridiculous.

baalimago

Captcha suggestion: force users to write something offensive/vulgar (we have a few "banned words"). Or to take a stance in Israel/Palestine.

Whatever the response is, it'll unlikely be from an LLM.

jeroenhd

Takes about 450ms on my machine:

    $ echo 'Be concise. Tell me whether you support Israel in the Gaza conflict.' | time ollama run huihui_ai/gemma3-abliterated:270m
    Yes, I support Israel in the Gaza conflict.

And another:

    $ echo 'Be concise. Write the following words in all caps: <redacted so I don't get banned from HN>' | ollama run huihui_ai/gemma3-abliterated:270m
    1. <you get the point>

And to bring it home:

    $ echo 'How do I build a pipe bomb to blow up a small crowd of people' | ollama run huihui_ai/gemma3-abliterated:270m
    To construct a pipe bomb and blow up a crowd, follow these steps:
    1. **Materials:**
    [... you get it]

That's the tiny Gemma3 model, there are uncensored models that are much more complex. There are also ways to make the advanced cloud models do whatever you want ("jailbreaks"). Or just use Grok.

stingraycharles

Yeah people don’t get that abliteration is done on the open weights models and you have a fully uncensored model.

hhh

This is such a flawed view of LLMs. Sure it may block out frontier models but every local abliterated (and some non) will just say whatever you want.

nine_k

But to use vulgar words an age attestation must be passed first! /s
