Does anyone else get that feeling from the description of what Google is doing? I've tripped their "we think you are a bot" detection filter and been presented with a captcha countless times while using complex search queries and searching for relatively obscure things, and it's frankly very insulting and rather disturbing that they think someone who inputs "unusual" search queries, according to their measure, is not human. I have JS and cookies disabled so they definitely cannot track my mouse movements and I can't use this way of verifying "humanness", but what if they get rid of the regular captchas completely (based on the argument that eventually the only ones who will make use of and solve them are bots)? Then they'll basically be saying "you are a human only if you have a browser that supports these features, behave in this way, and act like every other human who does." The fact that Google is attempting to define and thus strongly normalise what is human behaviour is definitely a big red flag to me.

(Or maybe I'm really a bot, just an extremely intelligent one. :-)

Insulting? how is that insulting? You are entitled. You are entitled you block scripts, use Google's FREE service to perform any search query to search the web while blocking any program that attempts to identify you as not a bot.

But if while using their free service they cannot identify you as a human given the factors they measure(becuase you actively disabled the programs that measure such factors), then I see nothing wrong in them trying alternative ways (which were a standard before).

I think you are making a storm in a teacup. If you feel offended by the way their website work, just don't use them. I don't see any red flags at all.

Has calling someone entitled ever been useful? For the last few years it's felt like nothing more than a petty "you're wrong" remark with bonus condensation built right in.

Been useful at communicating that they feel someone is confusing expectations with rights? Yes, that's why there is a word for it.

Also, I get it's annoying to hear entitled, ad hominem, logical fallacy, privilege, and other currently trendy words being over used and often misused. But I'll take it over what there was before that, which was no discussion at all at that level of abstraction most of the time. The places where these words are overused are places where the community is learning these concepts.

In this case, calling someone entitled is actually a compliment, not an ad hominem insult or put-down, because it acknowledges the poster's humanity.

The proper response in this case would be, "Why, yes, I probably am a bit entitled, like most people. Thank you for recognizing that I am human."

Claim: Turing was wrong about the Church-Turing Thesis because he was a homosexual -> ad hominem

Claim: Turing was immoral because he was a homosexual -> not ad hominem (although still not a good argument)

The security checks suck big time, but really, these services are must-have and there is no better alternative.

Complaining and hoping for some change is all that's left.

If enough people were actually willing to pay to use a search engine you could have an awesome search engine with none of that.

DDG will get the job done.

"!g hacker news"

You trade your data, screen real estate, and attention for their service. This is worth a lot - Google is worth a lot. They didn't do it by giving out services for free.

If you trade data for a service it is not free.

To consider "free" a function only of fiat currency is naive, both of history and of economics.

Google search is not free.

If it is I have no idea how they made so much money...

Or maybe you can tell me what 'free actually means'?

Besides, I believe the original point made still makes sense if "free" is assumed to mean "non paid".

I would agree with the assertion that there are practically no free websites on the web. Since when did we convince ourselves we can get things for free?

There are major exceptions. Wikipedia is for the most part free. It does not advertise to you, nor does it siphon and sell your data. It does not track you around the web, it does not sell your Wikipedia viewing behavior to urchin for cents. It is driven by donations.

HN also appears legitimately free to me. As far as I know YCombinator does not mine or sell your data or collect data other that what is required for the forum to be a forum. YCombinator makes its money by other means. It certainly benefits by cultivating a technical online community, which is why I think it does it - though what influence YC can/does project on the community could be thought of as a social cost (I know very little to nil about whether or how much this is done).

Google, however, is not one of these cases. Nor is most of the web.

I'm not sure if the original point still makes sense with 'non paid' (nor am I sure 'non paid' is right). The original point uses 'free' (in caps) to emphasize a sense of charity they use to inform their 'entitled' argument. First, their argument is essentially 'What you expect this to be free? You are entitled!' Second, I'm not sure that replacing the term will work, unless it also communicates charity.

The point here is that the exchange does not constitute charity. Google thinks the trade is a very good deal. Presumably internet surfers do too. But there is an exchange and that needs to be recognized.

Anyway this means that any term that communicates 'charity' will be ignorant of the conditions of how Google's service works - and I would have posted the same misgivings.

These are the things the searcher trades for the service.

I would also posit that Google looks and does nothing like that fisherman.

Given their scale and resources, Google are able to provide a far more effective bot detector than any of us could do on our own. I for one am delighted they are providing this very valuable service.

You may argue that the trade is in the website reader's best interest. This is a different argument than whether it is free.

I can agree Google is not providing a free pure-search-results service, but they do provide a free search results + ads service. Whether getting relevant results + [relevant] ads is a worth anything to you - even $0 - is a separate question, but it's a stretch to frame as an exchange. It's like taking a free hot dog and complaining it's not free because you traded your time & taste buds eating the bun while you only wanted the sausage... [I'd buy it more for e.g. youtube pre-video ads, where you are forced to give attention and time to the ad first.]

Now my data is a better point. Very valid for the totality of google services; quite weak for logged-out search use. If you work answering questions, and recording the questions that get asked and where they came from, then yes I did hand you this data but it's almost inherent in asking the question.

[Disclaimer: I'm a xoogler. And all this is nit-picking.]

[1] http://en.wiktionary.org/wiki/free_as_in_beer

This conversation is about the meaning of 'money' modulo this understanding of free-as-in-beer - i.e. whether non-fiat scarce resources (user data/screen real estate) count as money.

Colloquially we usually use free to mean not having a financial cost. Another word or phrase is usually used when referring to non-monetary costs. i.e. I would say "Google is free" but I would never say "Google costs nothing."

[1] http://en.wiktionary.org/wiki/free

The bottom part you use personal anecdotes to support the claim that a broader 'we' do something. I'm not sure, as my personal experience differs. But it does get to exactly what I was saying in the above comment - what the discussion centers about is what counts as 'money' (as you say "referring to non-monetary costs").

I think the place we differ is whether non-fiat scarce resources count as money. I think they do. Historically they have. In economics literature and practice they do.

Or perhaps the reservation is that the scarce resources in this instance are 'soft' resources like attention, screen real estate and personal data? Much of what is traded by financial institutions (for example) today are very virtual - trades of risks, credits (promises), futures, bets. Even real estate is traded on the idea that it occupies space of human attention and investment - not necessarily because it can be used as a means to 'produce' something. I'm hesitant to draw firm lines between these soft assets - I'm not sure where I could sensibly draw them.

Either way, I'm glad we agree that Google costs something. I do think that the OP intended their use of free (in capitals and context) to mean "Google costs nothing."

[1] https://news.ycombinator.com/newsguidelines.html

It's interesting I've never read the guidelines before now. Was refreshing to have taken a look, although it's mostly common sense and etiquette.

There is no equivalent to Google. Nobody else is doing this, particularly not to this extent. Not using all that computing power and AI to do it.

Yes, if Google thinks I'm a robot, I don't think it's so strange to consider that some sort of value judgement, even if it's done by a legion of machines. Definitely more so than if some random small-time website decides to make that call based on a couple of if-then statements.

Imagine if using a web service is like visiting a shop, and you get directed to the slow-checkout+ID-check lane because maybe you stammered your order, or because you know the store that well, your shopping-cart route through the aisles is deemed "too fast" (read: efficient, also avoiding the "special offers", cookies/candy/soda/junk aisles).

Amusingly, how I feel about that "judgement", varies. Sometimes it's annoying sometimes it's cool because I feel "hey I'm doing something clever that humans usually don't". Similar to how being ID-checked in a liquor store can be both annoying and flattering (depending on your age and how often it happens).

So anyone have some CSS or otherwise innocuous ways of identifying humans I'm all for it.

And I wouldn't discount javascript - another hidden field populated by onSubmit() is simple and effective. A few vocal paranoiacs advocate browsing with javascript turned off, but they are few and far between - and I bet they get sick of adding sites they want to see to their whitlist. We have over three thousand fairly technically aware users, and none have been tripped up by the javascript test.

If your site is valuable enough for an attacker to manually figure out your defences, then you need to consider emailing a a verification token - or even better, use SMS if you can afford the cost. Because this gives you a number to pass to law-enforcement, it means an attacker has to buy a burner SIM card.

Back on topic, Google's initiative is a useful tool to add to your defences.

   > if you framed the issue as a business model one, not 
   > a technical one, it might be a useful exercise.

On a good day I just ban their IP for a while, when I'm feeling annoyed I send them results back that are bogus. But the weird thing is you can't even start a conversation with these folks, and I suppose that would be like looters saying "Well ok how about you help load this on a truck for me for 10 cents on the dollar and then your store won't be damaged." or something.

Did you try to explicitly state that your data is available for sale when denying access to p=300?

Instead, Google is making their search less functional. I don't get why.

The point of this change is to make things easier on 90% of humans -- the ones who have JavaScript and third-party cookies enabled now get to tick a checkbox and be on their merry way, instead of doing a useless captcha when we knew they were already humans. Recall that when ReCaptcha initially came out, the argument was "humans are wasting all of this time, let's turn it into useful work to digitize books".

If book-based or street view-based captchas go away, I suspect it will be because bots/spammers got better at solving them than humans, not because Google thinks that the machine learning spam detection approach is fail-proof.

Recall that "reading" captchas already pose an insurmountable barrier to users with conditions such as illiteracy, low vision, no vision, and dyslexia. To accommodate these users, audio captchas are also provided, but a 2011 paper suggests that audio captchas are either easy to defeat programmatically or are difficult for users themselves to understand: https://cdn.elie.net/publications/decaptcha-breaking-75-perc...

Thank you.

"WebVisum is a unique browser add on which greatly enhances web accessibility and empowers the blind and visually impaired community by putting the control in your hands!"

"Automated and instant CAPTCHA image solving, sign up to web sites and make forum posts and blog comments without asking for help!"

So, while it's some way off their claim of "instant" CAPTCHA solving, this is definitely a very useful addon, especially for those people who cannot solve CAPTCHAs at all. Thank you for pointing it out.

[1]https://www.webscript.io/examples/recaptcha

How do they do that? This sounds like whitehat use of blackhat tools. Are they using captcha-solving farms?

http://resources.infosecinstitute.com/introduction-to-automa...

http://www.webvisum.com/en/main/faq#q15

http://www.captchasniper.com/

http://captcha-breaker.gsa-online.de/

http://textcaptcha.com/

From the Google's blog post:

> our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy

But, wait. Isn't that what we want? It seems like bots and spammers have a relatively small cost to a company like google, while digitizing books and house numbers is relatively valuable. I don't have numbers for a detailed cost-benefit analysis, but if bots get good enough to do time consuming work accurately, that's a win right?

"Can I read this paper, please?"

"Yes, of course, just put on these reading glasses."

"Why do I have to put on the reading glasses?"

"Well the font is quite small. If you don't wear the glasses, you probably won't be able to make out anything on the page. Your experience will be seriously degraded."

"I don't want to wear the glasses. Why can't I just read the page?"

"Well, we can fit a lot more data and make the page more robust by printing the text smaller. Why don't you just wear the glasses?"

"I have concerns about the glasses. I'd rather strain my eyes."

"We're not going to make a special page for you when 99% of the people are totally okay with wearing the glasses or wear the glasses anyways."

So imagine what bots often don't have.

Adding JS interaction and cookies takes more effort on the part of the programmer writing a bot.

So yeah, you'd look a lot more like a robot. How else would you quickly differentiate between human vs non-human based on a single request, or even a collection of requests over time? It's a game of stats at scale.

from splinter import Browser b = Browser() b.visit('http://google.com') b.fill('q', 'browser automation') btn = b.find_by_name('btnG') btn.click()

Not exactly 'more effort'...

require "selenium-webdriver" driver = Selenium::WebDriver.for :firefox driver.navigate.to "http://google.com" element = driver.find_element(:name, 'q') element.send_keys "Hello WebDriver!" element.submit

https://code.google.com/p/selenium/wiki/RubyBindings

Writing a bot with js and cookies is trivial, but it definitely won't defeat these tools. They probably look for time between actions or track mouse movements, stuff that makes the bots super inefficient.

Right now google and bing will run sites with JS enabled to see the DOM after any JS changes take hold. Usually these crawls aren't nearly as often as the general crawling, because there is quite a lot more CPU/Memory overhead to such utilities. I can't speak for splinter, but similar tools in node or phantomjs have a lot over overhead to them.

https://www.google.com/search?q=PROGRAMATICALLY_REPLACE_ME

I don't think regular CAPTCHAs are going away anytime soon since any bot detection system is bound to have false positives.

[1] https://gds.blog.gov.uk/2013/10/21/how-many-people-are-missi...

...But this is their core search competency and exactly what makes their search so powerful. Page rank is basically distributed wisdom of crowds, aka algorithm of how people behave (build their websites) based on a search term/imbedded link.

This seems like a perfect extension of this. Remember the vision of google: "to organize the world's information and make it universally accessible and useful." Human behavior falls squarely into a large segment of the "world's information."

I'm sure that's why they got rid of the ability to search what people are saying on forum and blogs. Google still indexes everything, they just got rid of the filter.

Their results now give preference to SEO'd pages & adverts.

The old discussion filter returns an illegal request error https://www.google.com/?tbm=dsc

Google seems robust because humans generally think pretty similarly, and generally look for the things that the people around them are talking about or also looking for. That breaks down considerably though across cultures and time.

Disabling essential parts of web functionality breaks web functionality. I'm shocked.

Dropping the snark though. I'm surprised that this is still a complaint. At this point in the web's evolution cookies and Javascript are essential. Disabling those will make your experience worse and complaining about that is like removing the windshield from a car and complaining that bugs get on your face.

Exploiting that information is Google's core business, and it doesn't like people evading their panopticon. So they're no making life harder those who care about their privacy.

Not surrendering your data to Google? We'll treat you like you're not even human, and through reCaptcha we'll tell thousands of other websites to do the same. That will teach you to hide things from the all seeing eye of Mountain View.

The above is to suggest that perhaps tracking bugs and cookies aren't a component in the bot-detection algorithm, though that remains to be seen.

But it doesn't matter. If a human user spams tons of links in the comments after creating 20+ accounts, who cares if they are a bot or are doing it manually? I believe that websites should instead use machine learning like this to detect the bad behavior itself, rather than try to determine who the user actually is.

Which is to say: they're perfectly willing to let your crawl-able content and internet use help train their robots, they just don't want their crawl-able content and internet use to train your robots.

Isn't it right to block spambots? And if so, how do you tell regular bots from spambots?

One example: I have never seen a "hard" captcha here https://webchat.freenode.net/

> IP addresses and cookies provide evidence that the user is the same friendly human Google remembers from elsewhere on the Web.

If this becomes a trend then major commercial websites will become unusable for people who are not accepting (third-party) cookies. "Because those damn bots" is a straw man argument to make people trackable by assuming that there are no other useability improving methods that don't track the user (which I think is highly unlikely).

"In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues"

So if you have cookies disabled, you'll probably just get a regular captcha

Just ask anyone older enough to have worked with Microsoft et all in the past.

yeah, the company is nice now, but nobody can say anything about tomorrow. So do you their sane offerings, but be aware that you may have to be on the line to change it at a moments notice. and try to not depend on it too much. (i.e. always have a 1% bucket with an alternative solution, least you find yourself locked in when you 'thought' you had an alternative if you 'needed')

However, looking from a different perspective you can say that they're taking advantage of people blind with greed who want maximum convenience when using the web.

Really is this the breakthrough of bot detection? They are just leveraging cookies --which is nice improv UX-- but why do I need to click? delay loading to relax servers?

On the flip side, there are other events to hook into... onfocus/onblur, keydown, etc, etc... which can all go into bot detection... if you fill out a form and didn't focus on anything, click on anything, or press any keys.. you're probably a bot... If you have JS disabled, you deserve what you get.

Then I logged into my gmail account and yes it worked.

So you're probably right about that smoke screen and it has nothing to do at all with mouse movement.

My fx browser deletes cookies at exit and my IP changes frequently and I think that's the true explanation for the outcome of my little test.

Also makes me think that they can dump the whole charade and provide no security check at all, but that'd probably make the service-providers uncomfortable and they lose the user as a source of human-intelligence for classifying things on google image searches.

  javascript:if(!window.jQuery||confirm('Overwrite\x20current\x20version?\x20v'+jQuery.fn.jquery))(function(d,s){s=d.createElement('script');s.src='https://ajax.googleapis.com/ajax/libs/jquery/1.8/jquery.js';(d.head||d.documentElement).appendChild(s)})(document);
  $('iframe').contents().find('.recaptcha-checkbox-checkmark').click()

Not to mention that it could only be used as a heuristic and not a test; so, eventually the weight of that heuristic will just be reduced to zero once someone publishes humanlike_mouse_driver.js with carefully-tuned-to-look-statistically-human mouse interactions available out of the box.

I actually have some bots which scrape Google sites (for the purpose of integrating stuff like Google Keep into KRunner), and they just use the Useragent of a regular phone, send normal POST data, etc. Works perfectly fine, and — I just checked — this bot is recognized as normal user by this captcha system. No Captcha input.

I tried it even with a new Google profile and just using cURL to log into Google, then started a new browser session and imported the cookies from cURL. Worked just as well.

I guess this makes it easier for malicious bot-authors...

Edit- Nevermind, it looks like Safari left some google.com cookie lying around while Chrome deleted it. Deleting it gave me the old CAPTCHA.

There is always a center, just because it moves doesn't mean that people can't be a socially unacceptable distance from it.

There was one day when it was so convinced, it was giving me impossible captchas just to use Google Search.

From an implementation standpoint it is utterly painless. The client side is copy/paste from Google's site and the PHP/server side was this:

      $recapchaURL = 'https://www.google.com/recaptcha/api/siteverify?secret=600SZZ0ZZZZZIZi-ZZ0ZEHZW1000Z_0ZZZ00QZZ&response=' . request_var('g-recaptcha-response','') .'&remoteip=' . $request->server('REMOTE_ADDR');
      $recapchaRespone = file_get_contents($recapchaURL);
      if(is_null($recapchaRespone))
      {
            print("Recaptcha failed. <more error msg>"); return; 
      }
      $recapchaResponeJSON = json_decode($recapchaRespone);
      if(!( !is_null($recapchaResponeJSON->{'success'}) && $recapchaResponeJSON->{'success'} == 'true'))
      {
            print("Recaptcha failed. <more error msg>"); return;
       }    

They already have the botnets. Now they need to use those end-user machines as proxies, using the credentials already on the machine. They just need to figure out the other parameters: maybe it's running js code ? Then you can use a browser engine/selenium). Maybe it's the click pattern ? Just generate the json data and send it. They can even apply the same machine learning techniques to figure out the best way to circumvent the captchas.

And the escalation continues.

I’d say malicious authors would have it really easy now.

The captchas are still the old same, just not shown everytime. Still can be cracked with latest neural net techniques. The visual matching stuff can be guessed 6/10 times.

You still have audio captchas, that can be cracked.

If all fails you still have cheap labour from third world country. I don't see why this is revolutionary?

Google will now have their captchas present on every site and start logging user behavior in the name of identifying bots. Who says they won't use the data to drive their ad empire?

Even better: those with various disabilities won't have to mess with it. My parents' only disability that I know of is near-complete computer illiteracy and I can tell you from experience that every time they're presented with a normal CAPTCHA it's like somebody just handed them a Rubik's Cube and told them to solve it before they can create a profile. In every case I know of, they just turn the computer off and walk away. Now, these are what I would call normal humans (don't tell them I ever said that) so I can only imagine how aggravated those with visual and/or auditory problems get when presented with a crazy CAPTCHA. And when your revenue comes from getting people to submit these, I can see it still being a boon to the website, even if all they did was lower the barrier of entry for humans.

http://i.imgur.com/6mGYsav.png

I have no idea what that second word is supposed to be, so if you use this, I probably won't use your site.

It's hard to see what's sent over the wire (it's obfuscated), but the source gives you a good idea of what they're collecting. The biggie is the GA cookie which is running on over 10 million sites. Like any CAPTCHA, this is still breakable -- just load your actual cookies into Selenium or PhantomJS and replay your mouse movements. Of course, once you do that more than a couple times, you'll likely have to write a crawlers to generate fresh cookies. At that point, you may as well just break the visual CAPTCHA which is trivial anyway. Ie. You should still never use a CAPTCHA (http://www.onlineaspect.com/2010/07/02/why-you-should-never-...).

One helpful approach would be to separate out "why CAPTCHA" into preventing abuse (through high volumes) and "guaranteed one (or small number) per person" from "am I interacting directly with a live human", and using different things for each.

The naive solution to a lot of this is identity -- if FB profiles are "expensive" to create, especially old ones with lots of social proof, you can use something like FB connect. However, there are a lot of downsides to this (chief being centralization/commercial control by one entity, which might be a direct competitor; secondarily, loss of anonymity overall.)

One interesting approach might be some kind of bond -- ideally with a ZK proof of ownership/control, and where the bond amount is at risk in the case of abuse, but it's not linked to identity.

Obscurity is a legitimate component of a fraud detection system, for the same reason that hiding your cards is an important part (but only a part!) of being a good poker player.

f(obscurity, time, analysis) = clarity

The details of implementation are left to the reader as an exercise

Probably using a combination of G+ and GA to check your 'history' to see the activity is like a normal human. Visits a couple news sites each day, checks their gmail, searches for random crap randomly, GA registered a 'conversion' for some company = probably a human

They're almost certainly using the adwords cookies that get hit from 90% of the sites out there to figure out if you're a bot or not.

http://en.wikipedia.org/wiki/ReCAPTCHA

"By presenting two words it both protects websites from bots attempting to access restricted areas[2] and helps digitize the text of books."

For some time, you could pass a reCAPTCHA test by just entering the more distorted word correctly.

When I tell my future robot to go get my coffee mug, I don't want it coming back with the PS5 controller.

The "help OCR while also spam protecting" thing isn't currently mentioned on Google's recaptcha product page.

> Creation of Value

> Stop a bot. Save a book.

> reCAPTCHA digitizes books by turning words that cannot be read by computers into CAPTCHAs for people to solve. Word by word, a book is digitized and preserved online for people to find and read.

https://www.google.com/recaptcha/intro/index.html#creation-o...

I wonder where i heard/got the impression that it wasn't really being used for this much anymore. Maybe from when most of the recaptchas most of us saw switched from scanned books to google street view photo crops. And I was also surprised by the implication that google's algorithms really needed human help for visual recognition of almost exclusively strings of 0-9. I would have thought that would be a pretty well solved problem.

Anyway, somehow I got the idea that recaptcha wasn't actually providing much OCR help anymore, but maybe I just made that up.

This move isn't too surprising. OCR based captchas have always been a hack and the "best" captchas are like having the best collection of duct tape and WD40. At a certain point you need to stop doing half-assed repairs and remodel.

Hopefully it gets better with time.

Looks like the new version needs an active and valid google cookie in order to tell if you're a robot or not.

http://nomorecaptchas.com/

It's very similar. I might go as far as saying that Google copied them.

Too bad this new version won't work for me either.

I'd think that having a long-standing google account with a normal history of activity would be a good indication that one might be a human. If google is weighting that heavily for this test, that may create a new incentive for spammers and scammers to hijack people's google accounts.

2. Tested in incognito mode: BAAM: I'm a bot, had to fill out the old captcha!

I don't think they can predict this from the way I touch the screen >.<

Passed the CAPTCHA. Without any further verification.

I mean, spammers are going to love it xD