I experienced the HBO Max captchas just a few days ago. Everyone did since they launched a new app and made everyone switch to that and re-login.
Some of the solutions are clearly just wrong. I have a PhD in Computer Science and if I am failing multiple basic addition problems, I assure you that it isn't me, the answers are wrong.
I had to do the same audio puzzles and got the first audio puzzle wrong too, and I even had my partner helping me. It is clearly just a bad test bank. Which begs the question, if the answers are wrong and there are only 3 choices, then what's the point? Regardless of whether you are human or not you are going to guess it eventually in about 5 tries, which is what it gives you before locking you out.
One of the requirements to getting a PhD is the knowledge that a PhD is not the proof of intelligence you thought it would be when you started. It is better a proof of resilience, patience, and being dead inside.
Agreed. In my experience, arithmetic skills are not transferable to higher-level math skills and vice versa. Of course, someone can be skilled at both but I don't think you automatically become good at one because of the other.
I am baffled as to why they had to launch an entirely new app rather than just rename the existing one. Could Apple have made them change the bundle ID? It's like they're putting in deliberate obstacles for existing subscribers.
Some of it was probably "this gives us an excuse to rewrite the system, but better this time!" Rebranding often gives a certain amount of cover to do things you want to do even if you don't have to do it.
Often new management wants to put their stamp on things. I've been in situations where we've had to do major redesigns because a new leader wanted to leave their mark. I've been in situations where each new leader wanted a new logo to mark that they made a difference - 3 logos in a decade.
Companies often squander resources in this kind of way. That's not to say that some redesigns and changes aren't warranted, but these things happen often. Why has Google launched a dozen chat apps? Why do some apps get a huge push followed by being abandoned followed by a huge rebranding/recoding push followed by being abandoned again? Many people on here have speculated it's because people get promoted for launching big new things and not for things that seem "easy" like maintenance.
You're rightly baffled from a logical standpoint. When you start thinking about the humans involved in the situation, their egos, their priorities for themselves which might not align with the company's, etc., then it potentially starts to make more sense.
> Often new management wants to put their stamp on things. I've been in situations where we've had to do major redesigns because a new leader wanted to leave their mark.
I call this "New Vice President Urination Syndrome." The stank gets on everything until they learn to use the bathroom.
The new CEO from the Discovery side of the merger cancelled a bunch of HBO Max programming that was doing well, because their background is in cheaper to produce reality content. It seems fated to join the very long list of bad media mergers.
What I do not understand about business is basically everything, but I still don't really understand why they felt the need to remove existing programs.
I can understand canceling Close Enough and Infinity Train because they're too expensive, but I don't really understand what it's hurting for them to just stay on the servers and continue to be streamable. Hard drive space is pretty cheap, especially at HBO's scale.
I've heard it's possibly a tax writeoff, but then I've seen conflicting reports claiming that that's not the case, so I have no idea. How much ongoing costs were involved with keeping the animated shows I like online?
I don’t have any direct insight into this but I’ve read elsewhere that removal of first party content from streaming services could also be because contracts with actors/writers/other crew give them a cut each time it’s shown. By removing the content from streaming it’s no longer getting shown and generating income for those involved.
There's also the possibility that royalties were negotiated poorly. Some back catalog shows could cost more to show than they make due to things like music royalties or other production royalties.
Yeah, I think it allows them to write the ‘loss’ of the content on their balance sheet at some estimated value it would have cost them if they hadn’t made it themselves.
That sort of management-by-spreadsheet without any of the humanity or long-term vision almost every corporation used to have seems to be an ongoing trend, especially in media, and it’s showing. Discovery, who have McDonnell-Douglassed HBO and are behind this mess, are a particularly good example of the kind of garbage heap that leadership style gets you.
You can transfer apps between developer accounts on both Apple and Google's platforms. It's not the easiest process in the world but far easier than inconveniencing users.
More like it was previously determined by someone who doesn't work there anymore that there would be a new app, and no one is allowed to Deviate from the System Architecture Specification Trace Matrix.
I can tell you that the old app (on AppleTV) was a bug farm. It was constantly crashing and hanging. I often had to force-quit it. I haven't had enough time with the new app, to see if it's better.
To be fair, many of the other apps also suck. I think it may be because Apple allows TV apps to be written in JavaScript, and some of them are almost certainly poor ports of Web apps.
Neither the old app nor the new app feels like it was written by someone who uses Apple TV.
My pet peeve on the last version was having a carousel movie expand when you pause on it so that it moves things around and hides what you were looking at.
My pet peeve on the new one is a normal swipe on the remote blows through 80% of the carousel items instead of just one.
Neither annoys me as much as Amazon’s hijacking of the touch pad during video so that I can no longer tap the pad to see how far through the movie I am.
I get it, everyone wants their spin on things. But all I want is a usable, consistent experience. It drives me bonkers.
Same on my (admittedly older) Samsung smart TV, but I wonder how much of that was due to resources devoted to writing the new app as opposed to fixing the old one. The new one is 100x better in terms of usability and generally just working.
My oldish LG TV had an HBO Max app but it wasn't available in my area due to exclusivity agreements. In order to grab it, I had to change the region of my TV before going to the app store. This workaround is not required for the new app, I can just straight-up grab it. I wonder if rebranding with a new app allowed HBO to worm out of agreements like this?
I’ve been wondering about that too. Then again, some years ago, Spotify forced all users on (I believe) Android to download an entirely new app that was visually completely identical. Login state and downloaded tracks were lost. I still wonder what happened there.
Surely that’s among the worst things you can do from an SEO and customer retention perspective?
I would not be surprised if in both cases the developer posting the app to the store was using their own account. The company of course did not realize this and proceeded to do something (probably stupid) to make that developer quit and give them the finger on the way out the door. When their managers realized their mistake(s), a new app seems like the inevitable outcome.
The reason is probably way simpler than people think: the current HBO Max app is rated at 2.8 stars in half a million reviews in the Android app store. I imagine a similar rating on Apple's store.
A new app gives you a blank slate, which is easier than reverting old ratings.
I still have the HBO Max app installed on my phone. It only displays a page that says "HBO Max is now Max" some other text and then a download button that redirects you to the app store page for the new app.
The new leadership at HBO came from Discovery. They have a stable of brand names they could have used (Max came from the Cinemax collection, known in the US for its "After Dark" soft porn movies, aka "Skinemax").
From news reports and interviews with the leaders involved, it appears that the new guard wanted to have something new they could own and take credit for, and HBO was owned by the previous regime.
None of Discovery's marques were strong enough, and the $$ to get Discovery as a brand into the right place was high.
So, least of all evils, given their problem: scrub HBO off the name, make it one of many brands in the app, and hope "Max" on its own, with some marketing, can expand to fill the gap.
If it works, the Discovery team takes credit. If not, the Discovery team blames holdovers from HBO days and says that this was just an intermediate step on the way to a brand new experience that will launch "real soon now".
Lots of problems with this approach, but business isn't always rational.
It was probably because they're not doing the merger in all their markets (at least any time soon), and they need to maintain the old platform and functionality outside the US as a result.
Subsequently having two separate codebases was probably considered preferable to development on one slowing to a crawl while it chased after two diverging requirements lists.
Well, the HBO Max app still needs to exist because foreign accounts can't use Max yet. So it would be a PITA for those who travel to the U.S. and want to watch stuff.
Hell, HBO Max became available in my country just last year, replacing HBO Go. And I know there used to be HBO Now in some places, so I guess we skipped that one. And no HBO is available in some of the places where you really expect it to be, like German speaking countries.
It's the most bafflingly stupid streaming service I ever had the displeasure of using.
Elon Musk originally said this in an interview somewhere but it stuck with me: "The organizational inefficiencies and structure will manifest themselves in the end product."
We can probably glean many insights about the people who made the app (how it works, how big the bundle is, how fast/slow etc.). I haven't used the app so I can't make any judgements about the organization behind it.
I guess my wording was poor. I didn't really intend to say that Elon Musk came up with it only that I personally first heard of this concept from him saying it.
I just assumed we were training self-driving cars that get postponed over and over again. I haven't seen recurring images but maybe I'm just seeing captcha so rarely that I haven't noticed.
I doubt this is the case but theoretically you can make stupid or incorrect captcha and it will still deter bots if you actually check the pattern of use (i.e. how many clicks in what intervals etc...) instead of checking if the answer is correct.
This is more or less what Cloudflare and such do now as I understand it (as well as checking browser features and such).
Mine too. I'm pretty sure my browser redirected from HBO to the new URL and auto-logged in. I make exceptions for sites I pay. I came to thread expecting an explanation of a background captcha.
If getting math problems somewhat wrong gets you past the captcha, it seems like this is something things like ChatGPT would be able to pass, ironically.
The entire site is an exercise in delusion and marketing bullshit. I am absolutely convinced that the people selling this abomination of a product have either never used it themselves or are abjectly and wilfully misleading people.
Some other choice quotes from the page:
> Users have a bad association with difficult photo CAPTCHAs.
> Instead of type what you hear (or alphanumerics) puzzles, we ask users simple questions using delightful and amusing scenarios
> All are incredibly easy for legitimate users
> Every Arkose MatchKey challenge is tested on humans. We release challenges only when they meet very strict usability benchmarks. Our strongest puzzles, designed for bad actors, have no impact on good user completion-rates.
> In fact, Arkose MatchKey is the strongest CAPTCHA ever made.
The ChatGPT app uses this. The puzzle I got involved moving a train, it was super confusing and ridiculous. I was imagining a non-technical user doing these, and my god. No chance.
My mum regularly asks for help when all she's done is ignore the captcha thinking it's an advert because it stands out like a Google ad (different UI, different font, extra branding etc).
At least she's learnt to automatically ignore ads, but it comes with consequence of ignoring captchas as well...
The Internet as a whole has become very elderly unfriendly. Even the iPhone becomes an unnavigable mess once you’re trying to help someone 70+ work with it.
And continually changing UIs definitely don’t help.
My parents are in their late sixties and travel internationally quite often and the lack of a physical SIM slot in new iPhones makes them not want to upgrade devices ever, because it would mean that they'd have to learn a whole new paradigm for installing and using eSIM when they're not very tech literate.
An interesting thing is that for Arkose to be effective against bad actors, they can't just make CAPTCHAs that are hard for bots. They also have to be not-easy or at least expensive for a subset of humans who aren't legitimate users, namely 'CAPTCHA Farms' like https://anti-captcha.com/.
Most CAPTCHAs, including ones made by Arkose, have site keys that are unique to that CAPTCHA and public/visible in the browser -- so companies like Anti Captcha can then automate sending challenging CAPTCHAs directly to a human solver in a 'CAPTCHA farm' who can solve it (in a different browser) and have the CAPTCHA return that it was successfully passed, usually all within ~a minute.
So to get around this and -- as Arkose's site says -- make fraud expensive for hackers, Arkose Labs has to make their CAPTCHAs hard/slow to solve. If they do that, then it becomes expensive for bad actors to rely on labor to solve them (anti-captcha.com cites 58 seconds/$3 per CAPTCHA).
As long as the site key is publicly exposed, this basically isn't going to change; you either need to also couple it with other anti-fraud tactics like device fingerprinting, or use a CAPTCHA that doesn't expose the site key at all.
Disclaimer - I work for a company (Stytch) that has a competing CAPTCHA product.
> I am absolutely convinced that the people selling this abomination of a product have either never used it themselves or are abjectly and wilfully misleading people.
Same goes for the people who decided to put it on their websites.
The claims may be silly, but the captchas seem reasonable to me compared to the increasingly impossible to read "what characters do you see?" captchas and the increasingly hard to decipher images of crosswalks and trucks.
Captchas seem to work best when they reflect the simplest task that AI cannot do rather than a task AI can easily do but with the difficulty ramped up.
Unfortunately, Arkose is one of the only viable products for stopping credential stuffing and other similar attacks. It has been implemented at several companies I've worked at because there are just not enough alternatives.
The main value-add for companies like Arkose is that they have teams monitoring and changing the aggressiveness of the challenges as new attackers try to get around them. With a product like Recaptcha, you are inevitably completely screwed when attackers get around it.
If attackers get around reCAPTCHA, you are screwed, but so is half the Internet, including Google themselves. Do you think Google would not care about an increase in spam and would not try to fix reCAPTCHA?
You will not get the same level of support from Google as you will from a vendor dedicated to this. Ironically, HBO Max is the main case study on reCAPTCHA Enterprise's landing page, which I guess did not work out for exactly this reason: https://cloud.google.com/blog/products/identity-security/how...
I just tried some of these and their normal thread level challenges are actually quite nice on their page. The hard ones chosen by HBO are just crazy though.
This is going to be one of the best parts of the new AI-ridden world: humans gradually getting locked out of and giving up on online services because the bots are more patient and more skilled at proving their humanness than humans are.
Twitter’s new captchas are also pretty insane, though not quite this bad last I ran into them.
Serious question: who has a decent plan to create proof-of-human systems that are not only CAPTCHA based?
We will soon need this, and I feel government will gladly present a solution: provide your ID when you connect to the Internet, and we will guarantee you are a human.
Who's actually working on this and has released papers I can study? Because all this AI nonsense will only accelerate us towards this total control of the Internet because the spam and AI bots have made it worse for everyone.
> Serious question: who has a decent plan to create proof-of-human systems that are not only CAPTCHA based?
> We will soon need this, and I feel government will gladly present a solution: provide your ID when you connect to the Internet, and we will guarantee you are a human.
I'm extremely hesitant to give any State the ability to track an individual user's online activity that intensely. It's been extensively documented that any State will fully utilize its size to violate an individual's personal privacy, with this often being done on a grand scale.
> Who's actually working on this and has released papers I can study? Because all this AI nonsense will only accelerate us towards this total control of the Internet because the spam and AI bots have made it worse for everyone.
The alternative is relatively straightforward: Utilize compute-intensive & memory-intensive tasks in CAPTCHAs.
What would only take a few seconds for a single user would take hours for anyone seeking to establish a bot network spanning thousands of pseudo-users. With such tasks, it adds additional friction to the bots at minimal frustration to the user. These can be placed as periodic silent challenges when trying to watch an episode, taking up only a few seconds at the user's end where they wouldn't notice.
> I'm extremely hesitant to give any State the ability to track an individual user's online activity that intensely.
The U.K. government developed something called GOV.UK Verify for exactly this.
It’s sort of like OAuth via a stateless gateway I think. The promise is that the entity doing the auth doesn’t know what you’re using it for, and the entity receiving the auth doesn’t know how you proved auth and only gets the level of detail about you they asked for (and you agreed to).
For example, if a govt website wants to know whether I’m eligible for something based on my local council, I could authenticate with my bank, who would say where I live with only that granularity, not my full address, and my bank wouldn’t know what service I’m trying to use.
I’m not sure how much of this got put into practice but all the ideas were pretty smart and showed there are good approaches to this sort of stuff.
I once suggested to a PM from the GOV.UK Verify team that if the UK wants to do age verification for porn, which it has threatened many times over the last decade, that Verify would be the perfect tech for it as content sites would only find out you're over 18, and auth providers would only know they're proving basic details about you.
The PM did not like the idea of the government being the porn passport for the whole country.
> I once suggested to a PM from the GOV.UK Verify team that if the UK wants to do age verification for porn, which it has threatened many times over the last decade, that Verify would be the perfect tech for it as content sites would only find out you're over 18, and auth providers would only know they're proving basic details about you.
To me, that's still *way too much*.
Just from that, the government now immediately knows what site you've been to (via the token that you've given to the service), and what said site has access to, as well as when you've accessed it. On a long enough timescale, the government can build a daily profile of your life, that when coupled with geo-location data, can be used to see what & where an activity's happening in real time.
> Just from that, the government now immediately knows what site you've been to
If I understand the idea correctly, this isn't how it works. Your user agent sends a signed request (with proof of identity) to the GOV.UK verification server, saying "please give me a signed certificate that provides no information other than my age". Because GOV.UK knows who you are, they can provide such a certificate. Your user agent hands this to the porn site, saying "you requested proof I was over 18, here's proof". Because the certificate was signed by an authority the porn site recognizes, they approve the certificate and let you in the site.
So the government doesn't know what site you visit, and the porn site doesn't know any of your personal information.
Heh, until the UK logging requirements ensure some component of the token that can be decoded later gets left in the server logs, then Oops, we know exactly who was on the porn server.
I'm not sure on the specifics, but the entire point of Verify as a technology was to ensure there was no government database about people. The UK has very distributed technology for government services, there is no one big database, and people have pushed back hard on this many times over the years so the government is pretty paranoid about doing it.
Each agency holds only the data they need for the time they need it. There are no national ID cards. And in the case of Verify, the verification was purposefully outsourced to private companies that already had this data due to their business (e.g. your bank, PayPal, Amazon who have a trustworthy address history, Experian, and so on).
There is no way to argue against this kind of speculation.
Commenter 1: System X is evil!
Commenter 2: Actually, here is how system X works: (Demonstrates it does not work how Commenter 1 thinks it works)
Commenter 3: Well that's fine, until they change X to be evil!
I mean, sure, when X becomes evil, then we can say X is evil. But not until then. If your argument is that all systems eventually become evil, that may be true, but it's a different discussion.
Me (1995): says something really stupid on the internet
Me (2020): shit hope no one finds that 1995 post and cancels my ass
With internet traffic and logging the default assumption should be: "All this data is logged and monitored for marketing purposes, and there is nearly a 100% chance it will be leaked by some hacker group", with the 2023 corollary of "And then used to train a LLM"
> What would only take a few seconds for a single user would take hours for anyone seeking to establish a bot network spanning thousands of pseudo-users.
The claims on the mCaptcha site contradict this.
They say it takes about 2 seconds worst case for a computer to do the work, which is hashing SHA-256. Looking around, an unaccelerated Celeron is about 1/20th the speed of a single Ryzen core, and GPUs are much faster.
Assuming the attacker has an 8 core Ryzen with no GPU, they can hash 160 times faster than the person with an older machine.
Assuming the 2 sec upper bound is correct, this means a sub $1000 desktop can create 80 accounts per second, or 4800 accounts per minute.
If they are operating a botnet, then they presumably have access to more than one machine.
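A hashcash-style proof-of-work challenge of the kind being argued over here, as an added example that is not part of the thread and is not mCaptcha's code. The function names, the leading-zero-bits difficulty rule and the HMAC-signed challenge format are assumptions; the last function reproduces the throughput arithmetic from the comment above.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-process secret held only by the server
_redeemed = set()            # salts already accepted once (replay protection)


def _sign(salt, bits, expires):
    """Bind salt, difficulty and expiry together so the client cannot edit them."""
    msg = f"{salt}|{bits}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(bits, ttl=120, now=None):
    """Server side: hand out a fresh, signed puzzle."""
    now = time.time() if now is None else now
    salt = os.urandom(16).hex()
    expires = int(now) + ttl
    return {"salt": salt, "bits": bits, "expires": expires,
            "tag": _sign(salt, bits, expires)}


def meets_difficulty(salt, nonce, bits):
    """True if SHA-256(salt || nonce) starts with at least `bits` zero bits."""
    digest = hashlib.sha256(f"{salt}{nonce}".encode()).digest()
    zeros = 256 - int.from_bytes(digest, "big").bit_length()
    return zeros >= bits


def solve(challenge):
    """Client side: brute-force a nonce; expected cost is 2**bits hashes."""
    nonce = 0
    while not meets_difficulty(challenge["salt"], nonce, challenge["bits"]):
        nonce += 1
    return nonce


def verify(challenge, nonce, now=None):
    """Server side: a single hash checks what cost the client ~2**bits hashes."""
    now = time.time() if now is None else now
    expected = _sign(challenge["salt"], challenge["bits"], challenge["expires"])
    supplied = str(challenge.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-tag"            # salt, difficulty or expiry was altered
    if now > challenge["expires"]:
        return "expired"            # limits stockpiling of solutions
    if challenge["salt"] in _redeemed:
        return "replayed"           # one solution buys one request
    if not meets_difficulty(challenge["salt"], nonce, challenge["bits"]):
        return "insufficient-work"
    _redeemed.add(challenge["salt"])
    return "ok"


def attacker_solves_per_second(worst_case_seconds, per_core_speedup, cores):
    """Solves per second for a machine that is `per_core_speedup * cores` times
    faster than the slowest legitimate device, which needs `worst_case_seconds`."""
    return per_core_speedup * cores / worst_case_seconds


if __name__ == "__main__":
    ch = issue_challenge(bits=16)
    n = solve(ch)
    print("first use :", verify(ch, n))
    print("second use:", verify(ch, n))
    # Figures quoted in the comment: 2 s worst case, 20x per core, 8 cores.
    print("solves/s  :", attacker_solves_per_second(2, 20, 8))
```

Each extra bit of difficulty doubles the expected cost for every client, the slowest legitimate device included, so the ratio between the attacker and that device stays the same.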
> I'm extremely hesitant to give any State the ability to track an individual user's online activity that intensely. It's been extensively documented that any State will fully utilize its size to violate an individual's personal privacy, with this often being done on a grand scale.
I think our (Germany) national IDs would theoretically have that option using certificates. I didn’t look too much into their online features as I never encountered anything supporting them, but my understanding is that I can prove some fact about myself (age, name, or simply being a citizen/resident), without either the government knowing I did it, nor the company knowing more than what I asked to show.
this is the second plug i've seen today for mCaptcha. and i can see the utility, i've actually got a spot where it would be perfect and plan to implement it.
but it's absolutely not a captcha: it is not a test to tell humans and computers apart. it's a test that can only be completed by a computer. its only utility is to be expensive. it's not a test to determine if there's a human behind the computer, it's only a test to determine if the computer has more resources than it currently needs, and can tolerate wasting some of them for a while.
> The alternative is relatively straightforward: Utilize compute-intensive & memory-intensive tasks in CAPTCHAs.
Visitor A is a legitimate human being from a poor country using a bargain brand Chinese phone with hardware that could be charitably described as "slow as molasses".
Visitor B is a troll for hire with a rack of used crypto mining machines in his basement, running hundreds of Chrome processes proxied through hundreds of hacked residential IP addresses.
Your approach would make the website unusable for human visitor A, while being the tiniest bit inconvenient for visitor B's hundreds of alts.
mCaptcha doesn't prove you're a human, it only proves you're not a spamming bot.
What I am asking for is a reverse Turing test. Because there will come a time that any single site will need you to prove you are a human to do any action, i.e. post a reply or create an account.
We need a better plan than CAPTCHA that takes minutes to solve every time someone needs that type of proof.
I know government ID schemes are awful for privacy, but that is the only decent solution I can think of. If we, the computer people, do not have a better solution, the government will solve it for us, big tech will adopt it, and we have opened the doors to total surveillance.
I'm pretty sure this was (is?) the idea behind Sam Altman's creepy "World Coin" which IIRC basically involves stamping your retina on a federated blockchain with Microsoft controlling the supernodes.
The IRS is already doing this. They used to have a password-based login system, but they're switching over to ID.me, which requires a scan of your ID and a matching selfie.
I believe the ID.me system went down in flames. Got snagged by this myself for 2021 but opted to call a number and speak to a person instead. Shortly afterwards I discovered an article suggesting my reaction wasn't unique.
I wish it had, but unfortunately it seems like the IRS just waited out the storm and is now back at it. Their website implores you to "create an account with ID.me as soon as possible":
I'm not saying PGP or cryptocurrency because both of those have issues and the moment money is involved everything is foobar'd
But essentially allowing people to make "identities" via cryptography and then use a reputation system. Preferably by allowing people to follow/whitelist/favorite people across websites.
I like Hacker News's method of making new people green. And I wish I could make it highlight the big names I recognize.
The problem with this is that nobody has figured out the distribution system for how we communicate the keys - IMO blockchains are the closest but it's so difficult to mention them because 98% of them are money-grabs. PGP/GPG has struggled so hard PyPI literally removed support for it.
The second problem is that what will likely happen is sites like Twitter will only allow very trusted accounts and never allow new ones - effectively locking you into one account.
Sorry I should clarify, I don't mean append-only graphs,
I mean what people call "blockchain" in the cryptocurrency sense as actual projects - there's so much stigma largely because the motivation of most of the projects appears to be "making money/investing" and not actually solving a technical problem appropriately.
If GitHub was like this there would be a "fee" for making commits, this fee would be paid in some proprietary coin, initially created with an ICO/airdrop. Suddenly the motivation is holding these coins because developers will need to make commits right? And the more developers that make commits the more the coin is worth, so surely you should buy and hold them right? This will be a feedback loop of endless money! Oh and it'll be a DAO so the more coins the more voting power you get too!
^ This is what I mean, where the focus is on collecting some "coin/token" - this leads to both a lack of focus on the actual problem being solved, and the problem of people associating it with a ponzi scheme.
I'm not picking a fight with distributed graphs themselves, I don't like it when they're tightly coupled with "value" that can be traded as a fiat.
Fair enough, hope I didn't come off too nitpicky or pedantic! I've always viewed blockchain cryptocurrency projects as git if you had to pay for changes, guess that crept back in here and I looked right past your point.
I have explicitly asked if there is something that is not CAPTCHA.
Because in the age of ever smarter AI do you really want to solve CAPTCHA more and more frequently, and not to show you're not a bot, but to prove you are human with a physical body borne from an ovum.
It is not crazy to think we will eventually need to prove this fact somehow.
> We will soon need this, and I feel government will gladly present a solution: provide your ID when you connect to the Internet, and we will guarantee you are a human.
A digital wallet tied to a real, authenticated identity should be a solution. You can sign any login and confirm that it is indeed you, a real person, logging in.
Unfortunately crypto folks are too busy selling shitcoins and scams to build this product.
I'm not really sure why anyone cares about bots. They've been part of the internet at least since search engines were invented.
I guess spam is an issue currently, but if bots become advanced enough to avoid heuristics, by making insightful and useful comments, they are probably better than most human users.
Proof of work captchas like mCaptcha can stop, or at least make very expensive, (D)DoS attacks.
Bots aren’t random, someone is running them for a reason. The problem isn’t the “insightful and useful comments”, it’ll be the ones which sound like that to any non-expert but are designed to sell products or push political outcomes. Historically the tell for things like that were things like copy-and-paste messages, poor grammar or spelling, etc. which LLMs are great at avoiding.
> who has a decent plan to create proof-of-human systems that are not only CAPTCHA based?
Why do sites need human verification anyway? If the problem is load, then you just need proper rate-limiting in place. Captcha always seems to be mis-identifying the real issue.
Ok, so how do you rate trigger on a particular bot such that it doesn't impact real users negatively? Further, bots that submit enough pseudo-random data have a decent chance of bypassing various security mechanisms, including for authorizing payments. Even at .0001% success rate given enough attempts they have a decent likelihood of eventually subverting existing security measures, and boosting those may be just as painful or inconvenient to users as CAPTCHA and similar mechanisms. The reality is bots don't have their own money to spend, humans do, and on its own that's enough reason to care. And what's next, bots being issued passports or mortgages etc.?
Inverse captchas or honeypots are a great idea. Just make a HTML input box with id=captcha, and hide it in some unconventional way in CSS so real users do not see it. If a bot was not deterred by seeing a captcha (a possibility), they would probably fill it. Whereas a real user won't.
Maybe not visually hidden, but practically invisible to human: imagine a text box with color #fffffe on a white background. Visually impossible to discern for most humans on most screens, but for a machine #fffffe is totally distinct from #ffffff, and fully visible if display != none.
As AI becomes more intelligent, you can prove humanity by exploiting our weaknesses.
(Another idea. Have a random image on a page actually be a text box with an image background. You cannot activate it if you focus on it, with your mouse or touch, but a bot doesn't need focus to change input.value.)
One pitfall: Screen readers will happily get caught on that. Of course, a11y concerns and bots tend to look similar in general, which is a perennial sticking point.
That solution just shows how bad the US tax system is, and most in Europe won't pass this (because it's already prefilled by their tax agencies or automatically withheld from their salaries).
Uh? The outcome is not “captchas are gone and all our services remain good.”
If we don’t have some way to prevent it, services will be increasingly populated by sophisticated bots either selling stuff, attempting security breaches, or pushing political agendas.
The current internet culture seems quite happy to slap captchas all over the place. When they first rolled out, captchas were predominantly a barrier for "write access" (e.g. make an account, complete a sale, write a comment). But companies like Cloudflare have been putting captchas everywhere for mere read access.
Because Captchas are designed to be easy for ("normal") people but hard for machines, they often disallow disabled users. I'm a ("mostly normal") 35 year old, but I _really_ struggle with captchas. I despise when Cloudflare tosses a captcha challenge before loading a page, as I'll need to spend 3-5 minutes of effort to figure out which tiny pictures have a stoplight, motorcycle, or crosswalk.
Will someone come up with a less restrictive anti-bot solution? I hope so. But even if not, I'm not sure it matters. According to comments in this thread (and elsewhere on the internet about the HBO Max captcha), many of these captchas are _already_ terrible at excluding robots. We're using captchas to exclude low-sophistication robots and disabled users. Seems wrong.
Because current captchas fail to stop 100% of bots and 0% of humans… it’s “not a bad thing” to move closer to captchas stopping 0% of bots and 100% of humans…?
Are you imagining this would spur people to create a different, bot-free (how?) and disabled-human friendly Internet?
No idea. I'm not offering solutions, merely complaints that the current approach of "answer a question that is hard for computers and easy for humans" removes disabled people from many places on the internet.
> humans gradually getting locked out of and giving up on online services because the bots are more patient and more skilled at proving their humanness than humans are.
I think the fact that users are willing to give the site the finger and leave is a pretty good sign that you're human.
This actually seems like a major issue right? Much more than it's being given credit for.
Not sure what a world without captcha is going to look like but it's probably not going to be very good, I guess we'll all be forced to identify with our "world coin(tm)" ID?
That will be the time when I log off most of the internet.
this scenario sounds somewhat similar to what is described in The Matrix movie.
in trying to prevent bots from dominating, we end up making life very difficult for ourselves.
In the movie it is said that humans have scorched the skies in a bid to deny solar energy to the machines. But now humans have to live under dark skies.
I've started getting blocked on amazon in the evening, and being constantly redirected to captchas and puzzles and invariably whoops ... "the dogs of amazon" pages. (I block amazon ads)
The end result of this is going to be human identity verification provided by a centralized party. Either the government or a big private corp, not sure which is worse.
Cruel And Prejudiced Test Completely Harming Accessibility
Imagine a non-native-english speaking visually impaired grandma trying to register to a random web service. CAPTCHAs are not a problem, people say, there are the audio versions, so go for it! Oh, you were never able to pick a language? Too bad you don't speak english. Oh, your hearing is not the best? You are clearly not a human, official stamp from SV. Why? Oh, we just couldn't think of any other solution, so we implemented CAPTCHA and just dumped you and your pesky disabled friends. What?! You want to cross the digital divide? Not as long as we are in power!
That's one absurdity. Having to solve a CAPTCHA for a paid account. What are they afraid of? Another absurdity is having to solve a CAPTCHA for an already existing account with usage history. Lenovo wanted me to solve a CAPTCHA after login before I could submit a new ticket. This is madness.
Did a bit at online fashion retailer Net a porter a while back, and they rolled their own ‘domain specific’ captcha that had you do things like "select the cuff links". I think it was pretty dynamically powered by their live catalogue.
Once during development I got a captcha that said "select the glasses" where my options were a photo of sunglasses, or a pair of glass drinking cups.
Not saying these are good, but it's been ~10 years and I still have no idea what I'm supposed to click when Google says "click the traffic lights." Just the light sections? What about the edge that takes up 10% of the adjoining box? What about the back or side of a different traffic light?
I've tried them all, and my success rate doesn't noticeably change.
it gets worse when you factor in translation problems.
let's take google/recaptcha/hcaptcha image captchas. english: "click on the images with bikes" this could mean motorbikes or bicycles in english.
in german it says "klicken sie die bilder mit den fahrrädern". fahrrad meaning bicycle exclusively! a motorbike would be "motorrad". then the images will show no bicycles so you skip - wrong - so you click on the motorbikes - wrong - oh there is one image that shows a (german) "motoroller" (a scooter) maybe they mean that? click - correct
this goes on and on and on. they have so many problems with their translations it's infuriating. i stopped filling them out when not absolutely necessary
It's mostly trained on the answer of other humans. The best advice is literally "just be yourself, be human."
I had some fun poisoning the well on the older text based captchas by answering the first word correctly and putting "penis" where the last word would go. It always accepted it for some reason.
The reason is that those captchas were helping to OCR-transcribe books. The first word would be known to the system and serve as the actual verification, and the second word would be unknown and serve as you performing free MTurk work.
I'm pretty sure it does matter. Click things that are clearly wrong and it will very rarely accept it.
However I think it is quite flexible. That box that is almost completely traffic light probably needs to be clicked, but as long as you pick at least one of those two that contain a corner you will likely pass. I would guess that there is some sort of accuracy score that is mixed in with the bot fingerprinting score.
The worst part about those captchas is that you have to click each box individually. So unless you're on a touch screen or mouse, clicking each box that contains (part of) the object, takes ages. At least let my human hands drag-select the boxes, ffs.
It's so random. Sometimes I click submit thinking it would fail because I forgot to select a metal pole of a traffic light, or confuse bike for a motorcycle.
Time's a flat circle. We've reinvented cable and have it delivered via the internet. The quality of the content has fallen off now that folks have been roped into the platforms and everything's getting bundled back up so you have to subsidize garbage just to watch a show or two you like per platform.
I have been thinking about this too. The mind boggling speed increase of torrents over the last 15 years is mostly thanks to seedboxes. I'd wager a single peer fully saturating my 1Gbps fiber is not a residential connection.
Also, Arkose Labs CAPTCHA (what HBO Max is using) is awful, please don't use it. There's reCAPTCHA, hCAPTCHA, mCAPTCHA, and now even Cloudflare Turnstile. Or better yet, recognize your customers can still download the movie for free whether your service exists or not and adapt your strategy to provide them with content easier :)
Isn't hCaptcha the one that asks you "Click on all of the bicycles" and then shows a bunch of AI-generated gibberish where fucking none of them is a bicycle but you have to click on the ones that are the most bicycle-like? Because that's fucking garbage and I wish everyone using it would die in a fire.
I don't remember the name, but I've seen a Captcha that asks you stuff like "click on the Zerki", "select the Sploinq" with AI images and I have no idea what shape most looks like a Zerki (there was more than one shape with hard edges!) or a Sploinq. And I have a linguistics minor. :(
hCaptcha is garbage. Also, they use some blockchain/token stuff for no reason, at least the last time I looked.
edit: ah they seemed to have removed all traces of the token stuff from their website, except some small remains in the docs - https://docs.hcaptcha.com/faq/#what-is-one-hmt-worth . I guess they pivoted away, reasonably.
Still better than the google malware that lets you through based on how well they can track you around the web rather than based on a legitimately solvable challenge. At least, I noticed that I never saw anyone but myself getting any challenge at all, let alone the worst CAPTCHAs that google has to offer. Same IP address, the only difference that I could find is not having "auto delete cookies" installed in the browser (wipes localstorage etc. after you closed all tabs of non-whitelisted sites for some seconds).
hCAPTCHA has always been easily solvable for me, haven't seen the one you linked yet but that also looks quite trivial
Ideally one just doesn't use CAPTCHAs at all, but my colleagues disagree and so that's unfortunately the company policy to recommend against login brute force and such
That's what I don't get. What value is there in such an account? The fear that random persons can watch videos without paying until the owner notices they can't stream because someone else is using the account? Are these accounts held for ransom because the owner doesn't want to lose their watchlist? Can you purchase gift subscriptions using the stored payment method perhaps?
It's a nuisance obviously, but for such a tiny fraction of people, honestly not bad if they notice that they got phished or use a password guessable within a handful of tries.
There should be an exemption from the Captcha for users with strong passwords. And if this spreads maybe we can just annoy everyone into good security practices.
I remember one day in class we were doing a group project and using GitHub to share our work, and a friend of mine had trouble logging into his GitHub account and got this captcha.
A team of 4 people in the class went to help him pass the (if I remember correctly) 10 tries you needed to have correct in order to log in.
Some people miss the old user interfaces. Windows 95, XP, 2000 etc. What is the reason? We had some programs with a horrible interface (Real Player, for example), but never with this level of stupidity.
Continued "enshittification" of all aspects of life. Your OS gets worse but everything else has gotten worse as well: your food gets smaller/worse quality due to the dollar continuing to lose its value, getting harder and harder to live the lifestyle your parents had (house prices, costs of college etc.)
Now you can argue that anything that has hitched a ride on Moore's law has improved exponentially. In fact this is what several groups point to: Elon Musk stans love to argue how the world has gotten better not worse thanks to exponential growth and the government loves to point to the declining costs of things like TVs as an indication that inflation is not so bad. It's a red herring though. That new computer is so much better but now has layers of privacy invading/security compromising fat that ye old Windows 95 PC didn't have. That TV might cost a nickel but is more locked down and made out of more of the cheapest throw away components than your old Tube ever had. In a way it's an insult to how decent your old TV was.
And then you have people like me, making a living by inviting anyone who listens to events that preach the following: software quality has gone off a cliff [0] and we must do something pronto.
Never imagined this would be a career worth pursuing; it's grim when you think about it.
I remember seeing this a while back. I wanted to say thank you for the effort!
I am concerned though that this is just another form of inflation. If you think about it, you need to have the skillset to develop this software to your liking. That itself is a time sink but let's put that aside and assume you already have the skillset because you made the investment for other reasons. You could then argue that the investment made in learning how to make these apps is spread across this as well as anything else you use the skill for: GREAT Right?
Well, you are forgetting that you are sacrificing time to build and then maintain these applications. So in a way you are still paying for these applications.
Also one concern I have about your listing there is the same concern I have every time I force myself to use Linux as my primary system and then give up and go back to Mac: Curation.
Have you considered drawing up a list of typical workflows for a bunch of different kinds of users and then ensuring at least the common use cases are taken care of? As it stands, it seems like you have a lot of interesting apps but they are just a hodgepodge of random things. There is no cohesive curation or (potential) quality control behind them.
This grinds my gears about Linux. Your handmade apps get a pass but your typical distro? no way: They package together whatever desktop environment they like which itself consists of terrible everyday tools that have varying quality. Just open up the Calculator on a Gnome based distro. It is crummy compared to the Mac or Windows(classic) calculator. Then try out each and every other app on the menu. Seems like there was no real cohesion put into it.
Furthermore, let's just accept that you have to tailor these handmade apps to your liking and that eventually there will be a handmade app for everything a user could want. Ok fine, but I still hate the fact that in today's day and age, this idea has to be extended to EVERYTHING in your life. You gotta understand how to maintain your car because good luck finding a mechanic that won't do the bare minimum. How about the slop they serve at many food establishments? You have to "handmade" all your food/liquid intake. Ditto for everything else (maintenance or removing other ways corporations screw you).
How do you even preserve the value of the currency you try so hard to earn? You can't; it is slowly going to 0.
I see stuff like this and immediately think "the team responsible, in its entirety, should be fired." Zero conscious thought occurred during the entire lifecycle of this feature being implemented.
They don’t want aggregator apps to log in without paying. Appletv will show me new shows on multiple platforms all on one screen. HBO doesn’t want people doing this without paying.
>HBO doesn’t want people doing this without paying.
But why (from their perspective)?
They don't make their money from metadata, they make it from content. Every piece of real money-making content is going to get a torrent regardless of if it's protected behind a captcha.
The Netflix interface is so bad that I've been wondering if they made it bad on purpose. Over a decade ago when DVDs in red envelopes were the standard they had a table view of all their content and you could sort and filter it to your heart's desire. When they got rid of this, I used their API to build a CLI tool that just listed shows ordered by how much Netflix thought I'd like it. All of this was vastly superior to the current Netflix interface. However, I sometimes would decide that I had watched everything on Netflix and turn it off or even unsubscribe for a few months. Now it's really hard to find out if you have exhausted Netflix. It's easy to spend a lot of time just scrolling through the GUI hoping you'll find something and sometimes you do. Sometimes you find something where it's surprising that it didn't suggest it in the first place. I wonder if this is all by design because they try to increase quantity of engagement and not quality and value gained from the engagement.
Edit: I have some sympathy for this. Engagement is much harder to measure than customer satisfaction. They are looking for the keys under the light because they cannot see anywhere else.
Is there a source that Apple pays Warner Bros Discovery (WBD) to get access to their catalog so WBD’s media shows up in searches in Apple’s TV app?
It makes very little sense to me. Surely WBD wants people to easily find WBD content to watch, and easily be able to pay them to watch it.
I know Netflix has been a holdout (the only one), and it is quite a stupid long term decision in my opinion, but I would not have thought Apple pays WBD, Paramount, Comcast, Disney, Starz, etc to be able to list their purchase-able media in Apple’s TV app.
The aggregator uses lots of users existing accounts with their real logins. Using appletv again for an example, it wants to check prepend’s specific Hulu, Netflix, hbo, Disney, etc to see new episodes and whatnot related to my specific account.
So it has a real login and, presumably, access to some api from the streamer. But a smaller company that didn’t pay for access could also just login as my accounts and scrape info.
It's security through novelty. No one has bothered to write a bot solver for these yet. They will, soon enough, if it's protecting anything worthwhile, but that's some other engineer's problem.
> Sum the digits on the dies? 5 lines of openCV should do the trick.
Not so fast: First the images show dices with a mixture of dots and numbers. Second the images are not from the top, but at 45 degree angle. By that one can also see the numbers/dots on the side of the dices. Distinguishing numbers/dots which are on the side from ones on the top is pretty hard. The algorithm needs to have an understanding of the 3d structure of the dices in the image.
I've been observing that the custom captcha process itself is a very good bot repellent because someone has to reverse engineer captcha behavior and most malicious actors actually don't know how to. Sprinkle a bit of obfuscation and your 2+2 captcha will be more effective than pages of traffic light selections.
I've made a solver myself recently for a custom captcha, but I think it's more a testament of how bad the custom captcha was. The captcha was a 'select the right picture (singular)' type, and didn't have a nonce so I just attempted every single answer and would eventually get in. I was able to build up a database of correct answers before they fixed that.
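The missing-nonce flaw described in the comment above, next to a single-use fix, as an added example that is not part of the thread or of any captcha vendor's code. The class names, the 120-second lifetime and the sample answers are assumptions made for illustration.

```python
import hmac
import secrets
import time


class StaticVerifier:
    """The 'before': answers keyed by a fixed picture-set id, with no nonce
    and no state, so one challenge can be answered as often as a client likes."""

    def __init__(self, answers):
        self._answers = dict(answers)  # picture_set_id -> correct choice

    def verify(self, picture_set_id, answer):
        return self._answers.get(picture_set_id) == answer


class ChallengeStore:
    """The 'after' (hypothetical design): every issued challenge gets a random
    nonce that is consumed by the first answer, right or wrong."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # nonce -> (expected_answer, expires_at)

    def issue(self, expected_answer):
        """Register a new challenge and return its single-use nonce."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = (str(expected_answer), self._clock() + self._ttl)
        return nonce

    def verify(self, nonce, answer):
        """Check one answer; the nonce is removed before the comparison."""
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return "unknown-or-replayed"
        expected, expires_at = entry
        if self._clock() > expires_at:
            return "expired"
        # Constant-time comparison so timing does not leak the expected value.
        if hmac.compare_digest(expected.encode(), str(answer).encode()):
            return "ok"
        return "wrong"


def enumerate_answers(verify, challenge_ref, choices):
    """Submit every choice against the same challenge reference."""
    return [verify(challenge_ref, choice) for choice in choices]


# Constructed sample data: one picture set with three choices, "b" is correct.
CHOICES = ["a", "b", "c"]


def demo():
    static = StaticVerifier({"set-1": "b"})
    before = enumerate_answers(static.verify, "set-1", CHOICES)

    store = ChallengeStore()
    nonce = store.issue("b")
    after = enumerate_answers(store.verify, nonce, CHOICES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("static verifier:", before)
    print("single-use nonce:", after)
```

With the nonce consumed on the first attempt, a wrong guess forces a fresh challenge, so the server can count failures per client and a recorded answer cannot be replayed against a new nonce.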
The HBO MAX (aka just MAX now) in PS4 is just a disaster. Can't play videos anymore, as it gets stuck on an infinite loop in the intro of every movie.
The remaining time is displayed as a negative integer, and for some reason the system just thinks the movie is done and resets it to the beginning.
Seems like a bug that some very basic QA testing should have caught.
The new rollout seems like a total clown show, and unfortunately it ruined the service and made it impossible for me to view movies, unless it is from a laptop.
Nor was I able to log in with Firefox w/linux. I suppose I could have used Chrome but the failure gave me an excuse just to end my subscription. I honestly didn't view HBO that much so I guess I'm up a few bucks. But it does occur to me that a failed first impression can result in lost business - like me. So if users are sitting on the fence, don't push them off! I suppose is the moral.
Both HBO and the Apple TV interfaces on Roku are shockingly poor. All sorts of glitches and annoyances with happy-path usage. It really feels like the designers are not using the product.
I was cracking up when it started playing the bagpipes.
I don't think it's too much of an exaggeration to say this is what happens when security teams don't receive enough pushback from the higher ups or from other teams. I see this all the time in large big tech companies.
> At some point some software engineer had to sit down, look at it, and say, "looks good to ship to production"
Only true if you replace "software engineer" with "person". Just because someone was paid to build it doesn't mean they thought it was a good idea or ready.
At some point someone on the management side said "we want this and we're writing the check", the developer complained, and the project manager said "I know, I agree with you, but it's out of our hands"
I'm currently in a conversation with hCaptcha's Support team that has gotten a bit Kafka-esque. Apparently, in order to sign up for the Accessibility option, you need to... fill out a captcha.
It is not the addition, that is hard for computers. What is quite hard for computer vision algorithms is to count the number of dots on dices in an image.
Good. So why require the user to add up the values? Some alternatives:
* Click all the dice with value 5.
* Click all the pictures with a roll of 4 and 5. (each picture shows a pair of dice).
If you test for pattern recognizing the number of dots on the top of the dice, then you can just verify only that. No need to make a human user do a task that a computer can easily do.
I can imagine a bunch of users pulling out their phone calculator app to do the addition, which should tell how stupid this captcha is.
ESPN is horrible. I build auth systems for a living, and I have given up logging into ESPN on numerous occasions because I can't get through all the steps.
As recently as a few weeks ago I was watching a game downstairs, and it went into multiple overtimes so it was getting late. I decided to go upstairs to bed and tried to watch it on the AppleTV in the bedroom. I was logged out. So I spent over 10 mins trying to log in before eventually giving up and watching it on the iPad, since I happened to still be logged in on that device.
It is for the best, because even after you manage to log in, trying to navigate the menu with the AppleTV remote is an exercise in frustration anyway.
Captchas have gotten _crazy_ hard in the last year. The more difficult ones often take me 2-3 tries. There's got to be a better solution; in a year or two AIs are going to be performing these tasks better than humans possibly can.
So the audio captcha was just two one-of-three challenges? How does this slow an automated bot down, it could just guess repeatedly and get it right 1/9th of the time.
Heard about the Arkose sale tactics at Roblox (a site whose usability is also nuked by them)
I've been told Arkose pay people to run these captchas and present lots of fancy metrics of attacks they've stopped (when in reality with captchas like this a lot of that is normal users) which is why some websites seem to be ok with destroying user experience by running this
I'd be surprised if anybody in a technical role decided on this provider
This reminds me of the Cloudflare dashboard where they loudly shove "ATTACKS BLOCKED" in your face where they are really counting requests blocked and have no evidence about if it was actually an attack or a poor human that got mistreated.
I get shit like this all the time, just yesterday I got "select all the squares with stairs" and then every photo was a part of a flight of stairs... I always wonder what you're supposed to do with questions like this.
Computers and everything related to them should be all about helping me, but I have to spend even more time on idiocies like this, because I have to prove I'm not a bot... I have to accept the cookie monster bullshit everywhere, or I have to mark bicycles or fire hoses because google is so high up in its own back orifice it didn't have time with their 10K+ topnotch engineers to modernize their shit.
And these... I think epicgames also uses this horrible system, and I was on the brink of smashing something in the room, when I saw it.
GF said she had to cancel and switch to subscribing through Amazon because it wanted her to use an HDMI cable connected to her phone to play on the TV after the switch to Max.
Why is there a captcha at all? A paid subscription is a stronger signal of humanness than any captcha. I don't even see what use a bot would be in the first place.
I'm noticing a lot of sites using different captcha services, either in-house or a completely different one from Google's, and I can understand using CloudFlare's but I'm not sure what's driving the move. I'm not against it, but it felt like for ages ReCaptcha (or w/e) was king of captcha. Do they charge up a premium for some sites or something?
What about twitter itself, where this was posted? It’s similar to this one and beyond ridiculous, and the best part is that at the end of the process it failed with a generic error message. Not sure if they were a/b testing or what but I ended up not creating the account.
The writing has been on the walls for captcha. We’re going to need some Idena-like solution, or services are going to have to deal with non-human uses as a normal occurrence and design anti-abuse mechanisms accordingly (or redefine abuse, or both).
Wow, those captchas almost look like satire. On a side note, what the hell is up with branding for HBO streaming? They’ve gone from HBO GO to HBO Now to HBO Max. And now, according to ads I recently saw, it’s just Max. Talk about whiplash.
I had the same Captcha system when I tried logging in to my Sony Playstation account as well a couple of days ago. Did eventually give up because it was basically unsolvable. Who would even want to implement a system like that?
you know what, my spouse actually wanted to subscribe to one of these kind of services. but now i guess i have to go back to the old way. could be piracy, or could be not watching any tv at all.
Just because some new executive wanted to piss on the fire hydrant to "make their mark", doesn't mean we have to respect their poor marketing decisions.