
SoylentNews is people

posted by martyb on Friday June 28 2019, @04:27PM
from the you-are-not-necessarily-paranoid-if-they-are-watching-you dept.

Given that most sane people now have blocked Google Analytics, Fast Company reports that the new reCAPTCHA wants to embed itself everywhere and declare those who don't use Chrome or aren't signed in to their Google account as bots, and thus not worthy of accessing the internet.

“It’s a better experience for users. Everyone has failed a Captcha,” says Cy Khormaee, the reCaptcha product lead at Google. Instead, Google analyzes the way users navigate through a website and assigns them a risk score based on how malicious their behavior is. Khormaee won’t share what signals Google uses to determine these scores because he says that would make it easier for scammers to imitate benign users, but he believes that this new version of reCaptcha makes it incredibly difficult for bots or Captcha farmers—humans who are paid tiny amounts to break Captchas online—to fool Google’s system.

[...]“You have to understand what behavior on the site should be and mimic that well enough to fool us,” he says. “That’s a really hard problem versus the general problem of, ‘Pretend like I’m a human.'” Website administrators then get access to their visitors’ risk scores and can decide how to handle them: For instance, if a user with a high risk score attempts to log in, the website can set rules to ask them to enter additional verification information through two-factor authentication. As Khormaee put it, the “worst case is we have a little inconvenience for legitimate users, but if there is an adversary, we prevent your account from being stolen.”

[...]To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on all of the pages of their website, not just on forms or log-in pages. Then, reCaptcha learns over time how their website’s users typically act, helping the machine learning algorithm underlying it to generate more accurate risk scores. Because reCaptcha v3 is likely to be on every page of a website, if you’re signed into your Google account there’s a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3—and there may be no visual indication on the site that it’s happening, beyond a small reCaptcha logo hidden in the corner.

And that information is just one request, subpoena, or National Security Letter away from being in the hands of the government, too.
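
How a site could act on the score described in the quoted article, as an added example that is not code from Google, Fast Company or the submission: the field names follow the JSON returned by reCAPTCHA v3's `siteverify` endpoint (where 1.0 means "very likely human", so the article's "high risk" is a low score), while the function name, the 0.5 threshold, the 120-second age limit and the sample responses are assumptions constructed here. Every failure path, including a visitor whose browser blocked the script, leads to first-party step-up verification rather than a lockout.

```python
from datetime import datetime, timezone

# Deliberately no "deny" outcome: the score alone never locks a visitor out.
ALLOW, STEP_UP = "allow", "step_up"


def decide(resp, expected_action, expected_host, now,
           threshold=0.5, max_age_s=120):
    """Map a parsed siteverify response to (decision, reason).

    resp is the decoded JSON dict, or None when the browser sent no token
    at all (for example because third-party scripts are blocked).
    threshold and max_age_s are assumed site policy values.
    """
    if resp is None:
        return STEP_UP, "no_token"
    if not resp.get("success"):
        codes = ",".join(resp.get("error-codes") or [])
        return STEP_UP, "verify_failed:" + codes
    # A token minted for another site or another page must not be replayed
    # against the login form, so bind it to this host and this action.
    if resp.get("hostname") != expected_host:
        return STEP_UP, "hostname_mismatch"
    if resp.get("action") != expected_action:
        return STEP_UP, "action_mismatch"
    try:
        issued = datetime.fromisoformat(
            resp["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        return STEP_UP, "bad_timestamp"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    age = (now - issued).total_seconds()
    if age < 0 or age > max_age_s:
        return STEP_UP, "stale_token"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return STEP_UP, "no_score"
    if score >= threshold:
        return ALLOW, "score_ok"
    # Low score: ask for a second factor the site itself controls.
    return STEP_UP, "low_score"


# Constructed sample responses (not captured from a real site).
NOW = datetime(2019, 6, 28, 16, 28, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "score": 0.9, "action": "login",
        "challenge_ts": "2019-06-28T16:27:30Z", "hostname": "shop.example"}
LOW = dict(GOOD, score=0.1)
WRONG_ACTION = dict(GOOD, action="homepage")
STALE = dict(GOOD, challenge_ts="2019-06-28T16:00:00Z")
FAILED = {"success": False, "error-codes": ["invalid-input-response"]}
SCRIPT_BLOCKED = None  # visitor never loaded the third-party script


def demo():
    """Run every constructed case through the login policy."""
    cases = [GOOD, LOW, WRONG_ACTION, STALE, FAILED, SCRIPT_BLOCKED]
    return [decide(c, "login", "shop.example", NOW) for c in cases]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

Logging the reason alongside the decision lets an operator see how many step-ups come from missing tokens rather than low scores, which is the population the comments below describe.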


  • (Score: 3, Insightful) by Anonymous Coward on Friday June 28 2019, @04:37PM (1 child)

    by Anonymous Coward on Friday June 28 2019, @04:37PM (#860978)

    They can take their code and embed it up their shiny metal asses.

    • (Score: 2) by Chocolate on Saturday June 29 2019, @09:20AM

      by Chocolate (8044) on Saturday June 29 2019, @09:20AM (#861282) Journal

      Already have at browser level with umatrix and privacy badger and decentraleyes and at system hosts blocking any of them I can live without. Worse comes to worse I'll spin up a VM in guest mode to do something requiring captcha. My first response to requiring a user to captcha is to not use the site. HumbleBundle are now at the point where a user has to pass a captcha to login and then they have to 'authenticate' their browser per session and then pass a captcha to pay. Completely and utterly ridiculous. The problem is completely understood but this is just annoying to the point of finding somewhere else on the net to go.

      --
      Bit-choco-coin anyone?
  • (Score: 5, Informative) by Anonymous Coward on Friday June 28 2019, @04:40PM

    by Anonymous Coward on Friday June 28 2019, @04:40PM (#860981)

    Did Google just openly admit that they want websites to add code that will track all actions a user takes - on every page - so Google can build a profile and use it to determine if they want you to be able to use other parts of that site and other sites?

  • (Score: 4, Insightful) by Anonymous Coward on Friday June 28 2019, @04:47PM (5 children)

    by Anonymous Coward on Friday June 28 2019, @04:47PM (#860985)

    You have to understand what behavior on the site should be and mimic that well enough to fool us

    More likely, Google will fail to understand what behavior on the site should be, and block legitimate users. In my experience, they already do, and I find that all reCAPTCHAs are impossible. I get a continuous string of “Multiple correct solutions required”.

    Apparently I’m a robot.

    Nowadays, when a site asks me to fill out a reCAPTCHA that, I close the tab.

    • (Score: 0) by Anonymous Coward on Friday June 28 2019, @06:02PM

      by Anonymous Coward on Friday June 28 2019, @06:02PM (#861020)

      They 100% do, however if you use chrome it auto-magically works all the time....

      fuckin' google, now if only clients would bother to care!

    • (Score: 2) by Mer on Friday June 28 2019, @06:08PM

      by Mer (8009) on Friday June 28 2019, @06:08PM (#861026)

      Yes it's frequent and your "risk score" gets a wide head start if you block any third party content.
      The problem is that sites don't care. The usual reaction for a user that has blocking measures enabled is to disable them so they can access the content anyway.
      We've seen that with streaming sites trying to block adblock users. Most people would just disable it to use the site.
      I've stopped using sites because of their inflexibility on the matter but I can't say I don't miss them. And there's been no exodus from those sites because the users don't mind.

      --
      Shut up!, he explained.
    • (Score: 1, Informative) by Anonymous Coward on Friday June 28 2019, @07:45PM

      by Anonymous Coward on Friday June 28 2019, @07:45PM (#861075)

      Nowadays, when a site asks me to fill out a reCAPTCHA that, I close the tab.

      My state government is starting to require recaptchas for some online services.

    • (Score: 3, Interesting) by edIII on Friday June 28 2019, @08:03PM

      by edIII (791) on Friday June 28 2019, @08:03PM (#861088)

      I refuse to use them, and for services that I pay for, I DEMAND to be removed from it. I've already had that stupid shit disabled on two corporate sites I use to manage services.

      It came to a "full boil" when I had downed services that required me to use one of the sites, and I couldn't. Complained all the way to the CEO and made a huge stink about it, and discrimination is how I explained it. These things are too damned fucking hard and it forces me through more than a dozen checks. You can't tell that will succeed either, even though *EVERY* fucking square that has even ONE FUCKING PIXEL of a bicycle is selected.

      These days when I see that bullshit on paid sites, I don't worry too much. I just click "I'm not a robot" and I get right through. The trick is to complain bitterly and loudly enough and threaten to take your money to competitors, or tech shame them into adopting U2F/FIDO instead.

      As for non-paid sites that use it? Don't use them. If the purpose is to be entertained for awhile, how the fuck is reCAPTCHA entertaining again? Just stop using the sites.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 5, Insightful) by Unixnut on Friday June 28 2019, @08:29PM

      by Unixnut (5779) on Friday June 28 2019, @08:29PM (#861103)

      I have been getting similar responses from ReCaptcha, I get:

      "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit our help page"

      So basically ReCaptcha thinks I am a bot (using PaleMoon, no Google account). It is deeply irritating, and quite frankly I too avoid websites that use reCaptcha. Problem is that some important sites (like my pension provider, investment and savings broker) have started using them, so from time to time I have no choice.

      In fact the above was for my savings account, which meant that yesterday when I wanted to transfer some money out of my savings to cover unexpected costs, I was blocked, completely by Google. I had to call up on the phone and get them to do the transfer before I got rejected payments.

      I was lucky and it was still working hours (and they had a phone number I could call), but what if (like a lot of services now) they are online only? Perhaps they don't provide a number/helpdesk? Or what if it was out of office hours? I well could have been on the hook for large fines for missed payments, because of Google's opaque decision.

      I just tried to login again now, and I still get that same error. Apart from the fact I despise having to give my time and effort to train up Google AI Image detection (which will just end up used against me down the line), apparently Google now gets to play gatekeeper, and decide whether I can use third party websites or not, and it is really beginning to peeve me off.

      And all this to stop bots. Honestly I am coming to the point where I think the cure is worse than the disease. So what if bots access a damn web page? Either they hit the page so hard they get blocked, or they behave and access like a human would, in which case who gives a toss whether a bot or human is at the end of the other line?

      Seriously, Fuck Google with a rusty drainpipe. I am so sick of them I can't begin to describe,

       

  • (Score: 1, Insightful) by Anonymous Coward on Friday June 28 2019, @04:50PM (1 child)

    by Anonymous Coward on Friday June 28 2019, @04:50PM (#860988)

    But no thanks.

    I'd rather have my tonsils extracted through my ears.

    reCAPTCHA dis, muddahfuckah!

    • (Score: 2, Funny) by Anonymous Coward on Friday June 28 2019, @07:35PM

      by Anonymous Coward on Friday June 28 2019, @07:35PM (#861062)

      "Please select all orifices from which AC would like his or her tonsils extracted"
      [displays recaptcha of Mr Potato Head]

  • (Score: 5, Informative) by meustrus on Friday June 28 2019, @04:57PM (11 children)

    by meustrus (4961) on Friday June 28 2019, @04:57PM (#860993)

    And that information is just one request, subpoena, or National Security Letter away from being in the hands of the government, too.

    It's really sad that you have to make this statement for people to grasp how dystopian Google is. Apparently the surveillance state is fine as long as it is privately operated (read: not accountable to any democratic process).

    --
    If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 1, Informative) by Anonymous Coward on Friday June 28 2019, @06:02PM (9 children)

      by Anonymous Coward on Friday June 28 2019, @06:02PM (#861021)

      one reason people might consider it better than government is because you can opt to not do business with a company(hopefully) not as easy with the gun bearing gov.

      • (Score: 5, Insightful) by maxwell demon on Friday June 28 2019, @07:24PM (7 children)

        by maxwell demon (1608) on Friday June 28 2019, @07:24PM (#861056) Journal

        Good luck opting out of doing business with Google. You may use OpenStreetMap, but as soon as someone sends you a location via a Google Maps link, what do you do? What if the person you want to write an email to has a gmail address? Not to mention all those hidden uses of Google on all sorts of web sites, like Google Analytics or Google Tag Manager. When your bank's website uses those, what do you do? What if the company you work for relies on Google services?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 1, Interesting) by Anonymous Coward on Friday June 28 2019, @07:47PM

          by Anonymous Coward on Friday June 28 2019, @07:47PM (#861077)

          My browser blocks google tag manager by default as a third party site that I haven't authorized. Never had a problem.
          What the fuck are the tags it manages anyway?

        • (Score: 3, Interesting) by edIII on Friday June 28 2019, @08:19PM (5 children)

          by edIII (791) on Friday June 28 2019, @08:19PM (#861100)
          1. The location is usually buried in the link itself. Strip it out of the link. Also, the person should print out the address AND the link. You can always tell the person just to send you the address and not the link. Tell them you have your own mapping software. I've had people send me online birthday cards that I've never seen because I won't enable tracking and javascript. It didn't stop me from saying thank you and that I loved the card. In other words, working around that is often easier than you think.
          2. A gmail address doesn't bother me on a personal level. On a business level I will refuse to push sensitive business data across Google services, but then again, there are also project specific services in place to handle communications which represents project approved alternatives to Google.
          3. Analytics and tag managers are all bullshit which is blocked in the browser, and preferably, at the router level. Most websites are still usable, and the ones that are not... the information wasn't worth it anyways.
          4. If my bank uses them I don't really notice because they're blocked. They're obviously not critically important because I still can use services.
          5. If the company I worked for relied on Google anything for revenue, I would seriously look for another company to work for.

          I do barely any business with Google, at all, whatsoever. I'm not a client for services, nor do I allow any Google code into my networks, and I aggressively block shit like that. I'm not missing out anything except malware delivered by ad networks.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 0) by Anonymous Coward on Friday June 28 2019, @11:10PM (2 children)

            by Anonymous Coward on Friday June 28 2019, @11:10PM (#861155)

            Good to know you use Apple.

            • (Score: 2) by edIII on Saturday June 29 2019, @02:06AM (1 child)

              by edIII (791) on Saturday June 29 2019, @02:06AM (#861202)

              LOL! I'm not sure how you come to that conclusion. -- Written in UnGoogled Chromium [github.com], on Ubuntu 18.04.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
              • (Score: 2) by maxwell demon on Saturday June 29 2019, @04:27AM

                by maxwell demon (1608) on Saturday June 29 2019, @04:27AM (#861240) Journal

                AC probably believes that everyone has a smartphone.

                --
                The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @09:28AM (1 child)

            by Anonymous Coward on Saturday June 29 2019, @09:28AM (#861285)

            I went in to SpecSavers to get a new pair of glasses. They were putting the order in so asked me to check the order. On the monitor I saw my name and details on a Google document. After a few minutes of telling the salesrep I didn't want to give Google my name, type of medical issue that I have with my eyes, or anything really, they basically said I either want glasses or I don't.

            They do not understand the implication of putting other people's information on Google servers. I got the impression they don't care.

            • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @04:33PM

              by Anonymous Coward on Saturday June 29 2019, @04:33PM (#861354)

              Google has your info because they started typing it in. Why not drop a dime on specsavers to the FDA, or whoever supervises HIPAA?

      • (Score: 2, Insightful) by Anonymous Coward on Friday June 28 2019, @07:32PM

        by Anonymous Coward on Friday June 28 2019, @07:32PM (#861059)

        And this is why the monopoly is overdue to be broken up.
        The stuff in TFA is as brazen and blatant abuse of a monopoly position by Google, as MS ever managed in its heyday.

    • (Score: 1) by Ethanol-fueled on Saturday June 29 2019, @03:26AM

      by Ethanol-fueled (2792) on Saturday June 29 2019, @03:26AM (#861224) Homepage

      It's really sad that it took Donald Trump being elected to show that Google are full-blown authoritarian cultist psychos rather than just the sniveling liberal pussies we all thought they were.

      Zion Don would singlehandedly get my vote if he broke up Jewgle before the next election cycle.

  • (Score: 4, Interesting) by JoeMerchant on Friday June 28 2019, @05:03PM (3 children)

    by JoeMerchant (3937) on Friday June 28 2019, @05:03PM (#860996)

    Your DNA uniquely identifies you.

    Global databases and video surveillance can not only recognize your face, but also your general build and gait.

    Machine learning can track you by IP and uniquely identify your behavior patterns.

    Packet sniffers will decrypt and analyze your https traffic. Oh, yes they will - it's just a matter of time before it's cheap enough to make it worth doing to you.

    The only thing that's preventing all this from going sideways and making your life a living hell is the rule of law. Yes, that same corrupt and untrustworthy government that you're trying to hide from is your only hope of salvation. Try to elect a better one.

    Nothing new, really. Back before all of this tech-angst, the only thing keeping people from shooting you through your windows in your sleep for the contents of your home or other reasons was the rule of law, and maybe your neighbors if they slept lightly and liked you. It's not like we've EVER had enough police presence to stop a shooter like that, and I'm pretty sure we wouldn't want it.

    --
    🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Friday June 28 2019, @06:05PM (2 children)

      by Anonymous Coward on Friday June 28 2019, @06:05PM (#861022)

      Tor onion sites? Freenet? Dark web?

      • (Score: 4, Insightful) by JoeMerchant on Friday June 28 2019, @06:19PM (1 child)

        by JoeMerchant (3937) on Friday June 28 2019, @06:19PM (#861033)

        Tor onion sites? Freenet? Dark web?

        Three very good ways to get yourself extra scrutiny from law enforcement, and a presumption of guilt when brought into court.

        --
        🌻🌻 [google.com]
        • (Score: 1, Insightful) by Anonymous Coward on Saturday June 29 2019, @02:39AM

          by Anonymous Coward on Saturday June 29 2019, @02:39AM (#861207)

          Which is precisely why far more people need to use them.

  • (Score: 2) by Snotnose on Friday June 28 2019, @05:06PM (4 children)

    by Snotnose (1623) on Friday June 28 2019, @05:06PM (#860998)

    to disable this spy crap?

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 2) by JoeMerchant on Friday June 28 2019, @05:27PM

      by JoeMerchant (3937) on Friday June 28 2019, @05:27PM (#861008)

      What do I need to block to disable this spy crap?

      Unplug. [goodreads.com]

      --
      🌻🌻 [google.com]
    • (Score: 5, Interesting) by Farkus888 on Friday June 28 2019, @06:00PM

      by Farkus888 (5159) on Friday June 28 2019, @06:00PM (#861018)

      Same advice I give people about identity theft. You can't, it is over. Better to plan a path that works for you with that assumption than to attempt a thing you'll never accomplish. Even if you are independently wealthy and become a mountain hermit you can't. One day the shop you buy supplies from only in cash will add a security camera. There is nothing you can do about it. Better for all of us to start figuring out what those adjustments are. Poisoning the well using automated software will get you further than partially blocking trackers for example.

    • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @09:34AM

      by Anonymous Coward on Saturday June 29 2019, @09:34AM (#861286)

      uMatrix
      Privacy Badger
      Entries in your HOSTS file
      UBlock Origin

    • (Score: 0) by Anonymous Coward on Monday July 01 2019, @11:56AM

      by Anonymous Coward on Monday July 01 2019, @11:56AM (#861881)

      stop allowing your browser to run turing complete code from random places on the internet

      it's just as stupid as clicking .exes you got in the mail

  • (Score: 3, Insightful) by Anonymous Coward on Friday June 28 2019, @05:57PM

    by Anonymous Coward on Friday June 28 2019, @05:57PM (#861016)

    these websites having analytics, fonts and other google javascript libraries on every page?
    (Not that my browser actually fetches these, thanks umatrix).

  • (Score: 1, Informative) by Anonymous Coward on Friday June 28 2019, @06:06PM (1 child)

    by Anonymous Coward on Friday June 28 2019, @06:06PM (#861023)

    "from the you-are-not-necessarily-paranoid-if-they-are-watching-you dept."

    I always liked the alteration of the variant: "You are only paranoid, until proven prophetic."

    • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @02:37PM

      by Anonymous Coward on Saturday June 29 2019, @02:37PM (#861323)

      I always liked the alteration of the variant: "You are only paranoid, until proven prophetic."

      aka the Snowden corollary

  • (Score: 3, Informative) by Anonymous Coward on Friday June 28 2019, @06:22PM (2 children)

    by Anonymous Coward on Friday June 28 2019, @06:22PM (#861036)

    Newegg lost my business when they told me to go fuck myself by putting recraptcha on their login page. Note to online retailers: if I see recraptcha ANYWHERE on your site I will immediately close the page and never return. You will have lost whatever sale you might have made, plus any repeat business that first sale would have likely generated. Don't think you can "hide" it with the so-called "invisible" (*snicker* *snort* BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA invisible AAAHAHAHAHAHAHAHAHA *cough*) recraptcha either. Your site will just silently break and prevent me from completing the sale. I'll chalk it up to more web 3.0 hipster stupidity breaking a site and go elsewhere.

    I'll end with this:

    SHOVE YOUR RECRAPTCHA UP YOUR ASS AND PACK IT IN WITH A SPIKED DILDO.

    Oh, and also, for anyone who doesn't have the option of "close the tab" there's this: https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/ [mozilla.org]
    In the rare occasion where I'm forced to interact with recraptcha (FUCK YOU DELL) it has saved me multiple minutes of frustration. I don't use Firefox as my daily driver so it doesn't really impact my privacy too badly. The only thing Alphabet sees on that browser is the small handful of websites where I am forced to deal with recraptcha.

    • (Score: 4, Funny) by Anonymous Coward on Friday June 28 2019, @07:38PM (1 child)

      by Anonymous Coward on Friday June 28 2019, @07:38PM (#861065)

      SHOVE YOUR RECRAPTCHA UP YOUR ASS AND PACK IT IN WITH A SPIKED DILDO.

      I find your views interesting arousing and would like to subscribe to your newsletter.

      • (Score: 3, Touché) by Anonymous Coward on Friday June 28 2019, @08:31PM

        by Anonymous Coward on Friday June 28 2019, @08:31PM (#861105)

        you'll need to fill out a recaptcha first

  • (Score: 3, Interesting) by digitalaudiorock on Friday June 28 2019, @09:42PM (2 children)

    by digitalaudiorock (688) on Friday June 28 2019, @09:42PM (#861129) Journal

    #1: I'd never use any javascript on a site I was responsible for that wasn't hosted entirely on my own server...period. Using shit that can only be done directly via Google...fuck THAT and everything Google for that matter. I got burned by the deprecation of the calendar ClientAPI years ago (do NOT get me started on that Godless oAuth2 shit that's supposed to "replace" it).

    #2: You're damned straight it's "considered harmful", because if I find out you're the one implementing reCaptcha on sites I visit I'll cut your fucking nuts off.

    • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @09:36AM (1 child)

      by Anonymous Coward on Saturday June 29 2019, @09:36AM (#861287)

      You really must try auth0
      My energy provider uses it for website logon
      I assume because they are too lazy to implement their own
      Oh no, Auth0 it is
      Awful. Just awful.
      auth0 puts captcha and recaptcha to shame.
      Just when you think these things can't get worse someone invents a new one.

      • (Score: 0) by Anonymous Coward on Sunday June 30 2019, @01:08AM

        by Anonymous Coward on Sunday June 30 2019, @01:08AM (#861493)

        You'd love their website -- https://auth0.com/ [auth0.com]

        94% of our customers implement Auth0 in less than one month

  • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @09:38AM (2 children)

    by Anonymous Coward on Saturday June 29 2019, @09:38AM (#861288)

    I deliberately select a few wrong images as a protest against being made to work for free for Google. I know the crowd sourcing renders that utterly pointless but on a site for something I need that has no competitors, what else can I do?

    • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @04:41PM (1 child)

      by Anonymous Coward on Saturday June 29 2019, @04:41PM (#861358)

      I'm thinking the best tactic is to ask for the sound sample they generate rather than working on their image detection. Too many people will answer honestly for that.
      On the old captcha. I could detect the difference between generated and scanned, so I always put in "fuckyou" for the scanned part.

      • (Score: 0) by Anonymous Coward on Saturday June 29 2019, @05:18PM

        by Anonymous Coward on Saturday June 29 2019, @05:18PM (#861378)

        there also used to be the "copy-this-text" and "paste-it-in-that-box" captcha.
        i had to smile, because it was possible to NOT copy-paste the text, because it's just tons and tons of gibberish text, so one could TYPE it by hand, but i had to wonder,
        if there were a code flaw in some OSes with the copy-paste function thingy, combined with the so-called "gibberish" text ... well who knows: maybe instant root?

        srsly i don't understand why a captcha cannot be a function of a local server, why the local server has to contact a google server and ask for a reCaptcha, which it then presents to the user? how can it be difficult to have a local server generate a "spam blocking test"?
        there are "modules" for drupal to add reCaptcha and maybe there's one for "wordpress" too? we need one that is made by the drupal or wordpress instance itself, that even works if the firewall blocks are request from the webserver itself going to any google registered IP space. should be an industry standard implemented on all sites funded by tax-payers monies ...
