Comment by dang
3 years ago
No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
Btw I also fume when I have to work as an unpaid manual image recognizer, so I'm open to alternatives.
Aside from 3rd party code perhaps one middle-of-the-road idea would be a table of a few hundred factoids and then code that makes multiple choice checkbox factoids like
- Select everything that is a color
  - Red
  - Blue
  - Monkey
  - Violet
  - Armchair
I'm sure there are more clever open-ended questions, and maybe sometimes switch up "is" with "is not".
People say that bots can learn such things but if every site had their own in-house tool then bots would have to keep track of thousands of site specific puzzles. Each site could even rotate through a dozen sets of different puzzle types and pause the ones that get learned. This would avoid sending cookies to a third party or depending on 3rd party code thus mitigating some corporate capture.
Bonus complexity: Don't use alphanumeric characters. Use something like "figlet" [1] and cycle through a few of its ASCII art fonts.
[1] - https://github.com/xero/figlet-fonts
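A sketch of the factoid checkbox puzzle described in this comment, added here as an illustration and not code from the comment or from HN. It is Python rather than the Lua the comment proposes, the factoid table is a constructed placeholder, and figlet rendering of the options is left out; the answer is cached server-side and each token is single-use and expires.

```python
import os
import random
import time

# Constructed factoid table (an assumption for this example); a real deployment
# would hold a few hundred entries and rotate through several such tables.
FACTOIDS = {
    "a color": {"Red", "Blue", "Violet", "Green"},
    "an animal": {"Monkey", "Horse", "Eagle"},
    "a piece of furniture": {"Armchair", "Table", "Sofa"},
}
TTL_SECONDS = 300
PENDING = {}  # token -> (expected answer set, expiry): the server-side answer cache


def clock(now):
    return time.time() if now is None else now


def make_puzzle(rng=random, n_options=5, negate=False, now=None):
    """Build one checkbox puzzle; only the prompt and options go to the client."""
    category = rng.choice(sorted(FACTOIDS))
    inside = sorted(FACTOIDS[category])
    outside = sorted(set().union(*(v for k, v in FACTOIDS.items() if k != category)))
    k = rng.randint(1, min(len(inside), n_options - 1))  # at least one member and one non-member
    options = rng.sample(inside, k) + rng.sample(outside, n_options - k)
    rng.shuffle(options)
    # negate=True flips the question to "is not", as the comment suggests.
    expected = frozenset(o for o in options if (o in FACTOIDS[category]) != negate)
    token = os.urandom(16).hex()
    PENDING[token] = (expected, clock(now) + TTL_SECONDS)
    prompt = "Select everything that is %s%s" % ("not " if negate else "", category)
    return {"token": token, "prompt": prompt, "options": options}


def check_answer(token, selected, now=None):
    """Single-use check: the token is consumed whether or not the answer is right."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    expected, expiry = entry
    if clock(now) > expiry:
        return False
    return frozenset(selected) == expected
```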
> but if every site had their own in-house tool
Costs money to maintain and build correctly, which naturally leads to buying existing solutions.
I've heard that too, but I think it would take a decent developer 1 hour to make a first pass at such a thing. It doesn't have to be complicated nor perfect. I think it should not require images nor javascript. It should probably be a server-side Lua script that caches the puzzle and answer.
I found a few starter ideas [1][2] and concepts [3] but I would prefer to use something like figlet vs gd generated images. Figlet or something like it should be much lighter weight. I just have to find one that is readable on cell phones.
[1] - https://github.com/lua-programming/lua-captcha
[2] - https://github.com/mrDoctorWho/lua-captcha
[3] - https://nedbatchelder.com/text/stopbots.html
I think your idea is exactly what I would want in a captcha, but an issue with your example is that it would only pertain to English speakers, and it would be difficult to translate it into a variety of different languages to accommodate everyone.
I assume the existing captcha services look at the Accept-Language header. That header could be read by the Lua script. Each puzzle set could be translated one time through Google Translate or perhaps a better translation site. It should probably be proofread by someone from each language used to ensure nothing translates out of context into something offensive. I think I've seen people do this on GitHub, having people proofread translations. In this case it probably should be a smaller group to reduce risk of leaking the puzzle mapping to the bot code authors.
I think chatgpt is way ahead of you.
You can actually solve those captcha using Speech to text, there many tools that do that, ex:
https://github.com/xHossein/PyPasser
2captcha is a human-based solver service.
(for posterity, since I can't edit this post anymore: the parent of this comment originally linked to 2captcha)
Hi dang, I'm not sure you're still going to read this message since it's been many hours.
First, I'm sorry to hear HN was under attack. That's never fun.
Second, I understand your reasons for temporarily turning on the CAPTCHA, even though as a user I really dislike it - especially reCAPTCHA.
Given the latter, I hope you will consider alternatives. Regardless though, it would be nice to add a message to the login page explaining that the CAPTCHA is temporary because the website is under attack. That would allow me to keep 3rd-party stuff blocked by uBO on the login page and still know what's going on. I would probably just keep the pages I'm interested in on a tab and come back to them later, when the CAPTCHA is gone.
In any case, as always, thanks for your work keeping this forum alive and healthy.
One concern with Google Recaptcha on HN is that it seems a good number of HN users want to be pseudonymous, possibly including towards Google. Always-perfect browser OPSEC is hard in practice.
(Condolences on the attack/headache.)
It looks like the attack is login based since that's where your captcha is. Allow a single captcha-free attempt to login successfully from a /24. If the login fails then put the /24 on captcha for X hours. That way most login attempts that are legit won't see the captcha. Also, HN crowd I think prefers hcaptcha.
Lastly, what I would do is have users pick a login image, in addition to the password login, they have to pick a correct image in addition to password. So it would still be the process I suggested except a failed login is allowed one time so long as the correct login image is selected. Also, the login images will be slow to load during times of attack on purpose to identify clients that are guessing before the image is served and to slow down their attack. I would also maintain a list of IP+UA that have repeatedly logged in successfully to exempt or prioritize them depending on the attack.
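The /24 gating rule from the comment above, as an added Python example (not HN's code): a block gets captcha-free attempts until a login from it fails, then the whole block sees the captcha until the window expires. The two-hour window and the /64 fallback for IPv6 are assumptions.

```python
import ipaddress
import time

CAPTCHA_HOURS = 2  # the comment's "X hours"; constructed value for this example


def block_of(ip):
    """Map an address to the block that gets flagged: /24 for IPv4, /64 for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)


class LoginGate:
    """Decides per source block whether the login form must carry a captcha."""

    def __init__(self, captcha_hours=CAPTCHA_HOURS):
        self.ttl = captcha_hours * 3600
        self.flagged = {}  # network -> time the captcha requirement expires

    def needs_captcha(self, ip, now=None):
        now = time.time() if now is None else now
        net = block_of(ip)
        expiry = self.flagged.get(net)
        if expiry is None:
            return False
        if now >= expiry:
            del self.flagged[net]  # window over: the block gets its free attempt back
            return False
        return True

    def record_attempt(self, ip, success, now=None):
        """Call after the credential check; any failure flags the block for the window."""
        now = time.time() if now is None else now
        if not success:
            self.flagged[block_of(ip)] = now + self.ttl
```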
> we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack
I don't think people are disputing the necessity, just the mechanism used.
The other services (hCaptcha) are effectively drop-in replacement with minimal code changes.
+1 nothing against some anti bot feature, just hopefully not Google.
https://blog.cloudflare.com/turnstile-private-captcha-altern...
"Today we’re giving everyone a better option."
Followed by a modern reimagining of the classic 88x31 animated gif mini-banner button as a not so subtle pixel.gif tracker.
https://www.yewknee.com/_img/blog/blog_webbuttons020.png
"Once you’ve deployed Turnstile, you can go back to the dashboard and see analytics on where you have widgets deployed..."
So less a gift, more another sensor.
I have an idea for a button that will slow down bots while being less inconvenient for humans.
I'll send details in an email.
hCaptcha would be an upgrade from Google's data farming.
please god no; I appreciate the anti Google crowd's concern but hCaptcha can die in a fire
hCaptcha has completely passive score-only modes. When to challenge and how hard is up to the site.
I vote "What's the output of the following Arc snippet?"
Be sure to include a few macros, otherwise the JS crowd will still be able to reverse engineer their way in.
How about if Dang assesses our humanity? That way we don't have to do image recognition stuff and neither does Dang! A win-win if I say so!
If possible, implement WebAuthn even if only for human verification.
Bots will not have access to TouchID, Windows Hello, or a Yubikey but most humans have one of those in the device in front of them right now.
Fallback to captcha for edge cases, but then at least /most/ people can skip it.
Example: https://cloudflarechallenge.com/
Those can all easily be emulated in software, if you're determined enough.
There's nothing about the WebAuthn protocol that forces hardware backed key storage, other than everyone collectively agreeing it's a good idea. A bot author would just ignore that.
Firefox already includes this functionality, gated by flag (security.webauth.webauthn_enable_softtoken).
> Those can all easily be emulated in software, if you're determined enough.
Not possible if vendor signature checking is enforced. All major WebAuthn device manufacturers sign the keys of all the devices they produce. You can prove a given device is unique and issued by Apple, Yubico, Google, Microsoft, etc.
How about genuinely-long delays between login attempts? 5 seconds slows down a bot, 15-30 seconds could make many login attacks unrealistic.
Also: OTP 2FA?
It’s not easy to tell two login attempts are from one bot. This kind of workaround unfortunately doesn’t work in practice. Otherwise of course this whole problem wouldn’t exist.
Why would you have to tell if they’re from one bot?
I'd love to know more. Historically, what kind of attacks do you see? What is their goal or what do they get out of attacking HN?
https://wehatecaptchas.com/
Unfortunately, this breaks apps, Materialistic in my case.
Yes, the mobile apps are all third-party and this is one of the downsides.
I'll whitelist your account for now (i.e. until the server restarts). If anyone else wants that, email hn@ycombinator.com and I'll do it as soon as I'm back online.
(It looked like the attack had died down but then it un-died back up again)
Thanks!