
imiric 10/01/2024

I do wonder if ProductHunt uses any CAPTCHA solution.

In spite of the flak that CAPTCHAs usually get, I still think they have a lot of value in fighting the majority of these spam attacks.

The common criticisms are:

- They impact usability, accessibility and privacy. Users hate them, etc.

These are all issues that can be improved. In the last few years there have been several CAPTCHAs that work without user input at all, and safeguard user privacy.

- They're not good enough, sophisticated (AI) bots can easily bypass them, etc.

Sure, but even traditional techniques are useful at stopping low-effort bots. Sophisticated ones can be fought with more advanced techniques, including ML. There are products on the market that do this as well.

- They're ineffective against dedicated attackers using mechanical turks, etc.

Well, sure, but these are entirely different attack methods. CAPTCHAs are meant to detect bots, and by definition, won't be effective against attackers who decide to use actual humans. Websites need different mechanisms to protect against that, but those are also edge cases and not the main cause of the spam we see today.


Replies

Terr_ 10/01/2024

Lately I've been pondering how one might create a "probably a human"/skin-in-the-game system. For example, imagine visiting an "attestor" site where you can make a one-time donation of $5 to a charity of your choice, and in exchange it gives you some proof-you-spent-money tokens. Those tokens can be spent (burned) by some collaborating site (e.g. HN) to mark your account there as likely a human, or at least a bot whose owner will feel pain if it is banned.

This would be far more privacy-preserving than dozens of national-ID lookup systems, and despite the appearance of "money for speech" it could actually be _cheaper_ than whatever mix of time and bus-fare and paperwork in a "free" system.

____________

I imagine the big problems would be things like:

* How to handle fraudulent payments, e.g. someone buying tokens with a stolen credit card. Easiest fix would be some long waiting-period before the token becomes usable.

* How to protect against a fraudulent attestor site that just takes your money, or one whose tokens are value-less.

* How to protect against a fraudulent destination site that secretly harvests your proof-token for its own use, as opposed to testing/burning it properly. Possible social fix: Put in a fake token, if the site "accepts" then you know it's misbehaving.

* Handling decentralization, where multiple donation sites may be issuing their own tokens and multiple account-sites that may only want to support/trust a subset of those tokens.

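A toy sketch of the attestor/burn flow described in the comment above, added here as an example; it is not code from the thread or from any existing product. It assumes a 14-day hold before a freshly issued token can be burned (the waiting-period fix for stolen-card purchases), a per-issuer key that each trusting site holds (an HMAC stand-in for the public-key signature a real scheme would use, so that sites cannot mint tokens themselves), a per-site list of trusted issuers for the decentralization case, and a `probe_token` helper for the "put in a fake token" check on a destination site. All names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed hold period: long enough for a chargeback on a stolen card to land
# before the token can buy anything.
HOLD_SECONDS = 14 * 24 * 3600


class Issuer:
    """An attestor site: takes a donation, hands back an opaque proof-of-spend token.

    The token carries no donor identity, only the issuer name, a random id and the
    issue time. Authentication is an HMAC over the payload with a key the issuer
    shares with trusting sites (a stand-in for a real signature; assumption).
    """

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def issue(self, issued_at: int) -> str:
        body = {"issuer": self.name, "token_id": secrets.token_hex(16), "issued_at": issued_at}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + tag


class AccountSite:
    """A collaborating site (e.g. a forum) that burns tokens to mark accounts as likely human."""

    def __init__(self, trusted_issuers: dict[str, bytes], hold_seconds: int = HOLD_SECONDS):
        self.trusted_issuers = trusted_issuers  # the subset of issuers this site accepts
        self.hold_seconds = hold_seconds
        self.burned: set[str] = set()  # token ids already spent here (one account per token)

    def redeem(self, token: str, now: int) -> str:
        """Return 'accepted', or the reason the token was rejected."""
        try:
            encoded, tag = token.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
            body = json.loads(payload)
            issuer, token_id = body["issuer"], body["token_id"]
            issued_at = int(body["issued_at"])
        except (ValueError, KeyError, TypeError):
            return "bad_format"
        key = self.trusted_issuers.get(issuer)
        if key is None:
            return "untrusted_issuer"  # decentralization: this site does not trust that attestor
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad_signature"  # forged or probe token
        if now < issued_at + self.hold_seconds:
            return "on_hold"  # waiting period for fraudulent-payment reversal
        if token_id in self.burned:
            return "already_burned"  # replay of a token this site has already consumed
        self.burned.add(token_id)
        return "accepted"


def probe_token(issuer_name: str, issued_at: int = 0) -> str:
    """A deliberately unauthenticated token a user can present to check that a site
    really verifies tokens rather than hoarding them: an honest site must reject it."""
    body = {"issuer": issuer_name, "token_id": secrets.token_hex(16), "issued_at": issued_at}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + ("0" * 64)


if __name__ == "__main__":
    # Constructed demo: one trusted attestor, one the forum does not recognise.
    charity = Issuer("charity-attestor.example", b"shared-key-1")
    unknown = Issuer("other-attestor.example", b"shared-key-2")
    forum = AccountSite({"charity-attestor.example": b"shared-key-1"})
    tok = charity.issue(issued_at=1_000)
    print(forum.redeem(tok, now=1_000 + 60))           # on_hold
    print(forum.redeem(tok, now=1_000 + HOLD_SECONDS))  # accepted
    print(forum.redeem(tok, now=1_000 + HOLD_SECONDS))  # already_burned
    print(forum.redeem(unknown.issue(0), now=10**9))    # untrusted_issuer
    print(forum.redeem(probe_token("charity-attestor.example"), now=10**9))  # bad_signature
```

The verdict strings make the four failure modes from the list above visible separately, which is what a site operator would want to log: an `on_hold` or `already_burned` spike looks very different from a run of `bad_signature` probes.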
a2128 10/02/2024

There is a whole industry of CAPTCHA solving services that mostly use humans in places where labor is cheap. Prices per reCAPTCHA vary somewhere between $0.001 to $0.002 on one of the popular ones. It doesn't require much sophistication to use it. For around $50/year you can spam a website with 100 comments per day, assuming it requires a CAPTCHA to be solved per comment. This price tag may leave the average script kiddie out of the game, but if your spam is earning you money somehow then this becomes easily profitable. I don't believe these services are "edge cases".

throwaway48476 10/02/2024

The problem is that website owners want to have their cake and eat it too. They want to make data public but not so public that it can be copied. It's the same problem as DRM which doesn't work. It's an inherent contradiction.

Web devs also bloat the hell out of sites with MB of JavaScript and overcomplicated design. It would be far cheaper to just have a static site and use a CDN.

nkrisc 10/02/2024

There's a nearly fool-proof solution: manually verify every submission.

You can use automated systems as a first line of defense against spam, and then hire people to manually verify every submission that makes it through. You can even use that as an opportunity to ensure a certain quality of submission, even if it was submitted by a person.

Any legitimate submissions that get caught in the initial spam filter can use a manual appeal process (perhaps emailing and pleading their case which will go into a queue to be manually reviewed).

Sure, it's not necessarily easy and submissions may take some time to appear on the site, but there would be essentially zero spam and low-quality content.

class3shock 10/01/2024

As someone who already often runs into them due to VPN use being flagged: please, no more. Think about how much human time has been wasted on these things.

m463 10/01/2024

I wonder if this is like the recent article about people not buying from locked display cabinets:

https://news.ycombinator.com/item?id=41630482

How many humans does a CAPTCHA send away?

animal531 10/02/2024

Bots can apparently now beat 100% of road sign CAPTCHAs, so unless you can cycle them around, it's not going to do much.

capitainenemo 10/02/2024

Annoyingly these captchas that apparently safeguard user privacy make websites completely unusable when using Firefox fingerprinting protection.

creer 10/04/2024

> These are all [CAPTCHA] issues that can be improved.

No. This is not a new issue. The problems have been there for many years. You can't claim "working on it" - which is not even what you are claiming.

By now, recognize that if the users themselves are fighting this crap or avoiding the sites and companies that use them, it's entirely deserved. By setting CAPTCHAs, you attack your users. (Witnessed in 2024, an insurance claims form which demands that a CAPTCHA be solved but shows no CAPTCHA. This crap is now so common it can now be used to delay insurance claims!)
