My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
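Added example, not part of the comment above and not Google's protocol: a toy Python model of the EK -> AIK -> attestation chain the comment describes, showing that an issuer which logs what it certifies can map the AIKs one device uses on two sites back to a single EK, while blind issuance (which the comment says is not used) breaks that lookup. It assumes textbook RSA over fixed Mersenne primes, omits proof of EK possession, and every name in it (`IssuerCA`, `enroll`, `trace`, the EK id, the site names) is hypothetical.

```python
"""Toy model of EK -> AIK -> attestation, with and without blind issuance.
Constructed example: textbook RSA over fixed Mersenne primes, no padding.
It is not secure and is not Google's protocol; all names are hypothetical."""
import hashlib
import secrets
from math import gcd

E = 65537


def mersenne(k: int) -> int:
    """2**k - 1, prime for the exponents used below (61, 89, 107, 127, 521, 607)."""
    return (1 << k) - 1


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def h(data: bytes, n: int) -> int:
    """Hash data to an integer below modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class RsaKey:
    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))

    def sign(self, m: int) -> int:
        return pow(m, self._d, self.n)


def verify(n: int, m: int, sig: int) -> bool:
    return pow(sig, E, n) == m


class IssuerCA:
    """Certifies AIKs for devices identified by EK, and logs every request."""

    def __init__(self):
        self.key = RsaKey(mersenne(521), mersenne(607))
        self.log = {}  # value the CA was asked to sign -> EK id that asked

    def certify(self, ek_id: str, value: int) -> int:
        # Proof of EK possession is omitted; assume the CA authenticated ek_id.
        self.log[value] = ek_id
        return self.key.sign(value)

    def trace(self, aik_n: int):
        """Collusion step: map an AIK seen in an attestation back to an EK."""
        return self.log.get(h(to_bytes(aik_n), self.key.n))


def enroll(ca: IssuerCA, ek_id: str, aik: RsaKey, blind: bool) -> int:
    """Return the CA's signature over hash(AIK public key)."""
    n = ca.key.n
    m = h(to_bytes(aik.n), n)
    if not blind:
        return ca.certify(ek_id, m)  # CA sees, and logs, the AIK hash itself
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded_sig = ca.certify(ek_id, m * pow(r, E, n) % n)  # CA sees only m * r^e
    return blinded_sig * pow(r, -1, n) % n  # unblind: (m^d * r) / r = m^d


def attest(aik: RsaKey, cert: int, nonce: bytes) -> dict:
    """What the relying site receives. Note that it carries no EK."""
    return {"aik_n": aik.n, "cert": cert, "nonce": nonce,
            "sig": aik.sign(h(nonce, aik.n))}


def verify_attestation(ca_n: int, att: dict) -> bool:
    aik_n = att["aik_n"]
    return (verify(ca_n, h(to_bytes(aik_n), ca_n), att["cert"])
            and verify(aik_n, h(att["nonce"], aik_n), att["sig"]))


def run(blind: bool):
    """One device, a fresh AIK per site; return (site, valid, EK traced by CA)."""
    ca = IssuerCA()
    ek_id = "EK-constructed-0001"  # constructed identifier
    out = []
    for site, (a, b) in (("site-a.example", (127, 107)),
                         ("site-b.example", (89, 61))):
        aik = RsaKey(mersenne(a), mersenne(b))
        cert = enroll(ca, ek_id, aik, blind)
        att = attest(aik, cert, site.encode() + secrets.token_bytes(16))
        out.append((site, verify_attestation(ca.key.n, att), ca.trace(att["aik_n"])))
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("blind" if mode else "logged", run(mode))
```

In the blind run the issuer still knows which EKs enrolled, but it cannot tell which certificate belongs to which device, so it also cannot revoke one device's certificates; that is the "farmable" trade-off the comment refers to.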
deIeted 2 hours ago [-]
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
normie3000 2 hours ago [-]
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.
Is this speculation, or has it been confirmed somewhere?
gorgonian 2 hours ago [-]
Colluded how?
tardedmeme 10 hours ago [-]
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
ChadNauseam 9 hours ago [-]
The domain in the attestation would be yours, so that wouldn't work
chadgpt2 9 hours ago [-]
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
eddythompson80 8 hours ago [-]
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
tardedmeme 8 hours ago [-]
How does the verification app on your phone know what's in the URL bar on your desktop?
ranger_danger 8 hours ago [-]
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
tardedmeme 8 hours ago [-]
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
ranger_danger 8 hours ago [-]
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
tardedmeme 6 hours ago [-]
They're tying my access to random users of a completely different service, and a different random user each time.
ranger_danger 4 hours ago [-]
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
gruez 6 hours ago [-]
After you scan the code, the verification app asks you "do you want to verify for example.com?"
tardedmeme 5 hours ago [-]
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Groxx 8 hours ago [-]
Some people will notice, some will not
coppsilgold 8 hours ago [-]
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
getpokedagain 10 hours ago [-]
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
tardedmeme 10 hours ago [-]
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
papercruncher 9 hours ago [-]
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
spystath 7 hours ago [-]
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
drew870mitchell 8 hours ago [-]
Same, i'm doing a kitchen reno and gave up on Home Depot because of this
userbinator 6 hours ago [-]
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
tardedmeme 5 hours ago [-]
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
userbinator 5 hours ago [-]
The point is to spread the word.
petre 3 hours ago [-]
Maybe they'll figure it out when their revenue drops next quarter or the ones after that?
I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
komali2 5 hours ago [-]
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
smcin 1 hours ago [-]
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election.
The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
Usually that just means the owners of the individual stores are the shareholders.
ksenzee 4 hours ago [-]
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
raincole 6 hours ago [-]
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
g-b-r 10 hours ago [-]
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
jbvlkt 9 hours ago [-]
I wanted to give money to charity and they have the whole form protected by recaptcha. So I would have to allow all my personal information and amount donated sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is a problem, they just wanted to protect themselves against bots. IMHO unless those things are not disallowed by antitrust laws we have lost.
bar000n 9 hours ago [-]
i say technofeudalism, not sure i know what i'm writing about though
chadgpt2 9 hours ago [-]
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
sandworm101 5 hours ago [-]
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
lxgr 9 hours ago [-]
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
1vuio0pswjnm7 4 hours ago [-]
HN uses reCAPTCHA under certain conditions
getpokedagain 3 hours ago [-]
I've not hit it but that would suck.
g-b-r 10 hours ago [-]
Yeah, live in a cave, and problem solved.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
flatIronSteak 9 hours ago [-]
> Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
KPGv2 9 hours ago [-]
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to deanonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
ggiigg 6 hours ago [-]
Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
komali2 5 hours ago [-]
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashes when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
g-b-r 10 hours ago [-]
sieabahlpark, I probably hate this more than you, you misunderstood
sieabahlpark 10 hours ago [-]
[dead]
vasco 5 hours ago [-]
So what are you doing here?
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because some simplistic ideologue decides that it's "problem solved."
ethin 8 hours ago [-]
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
userbinator 54 minutes ago [-]
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
ribtoks 2 hours ago [-]
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accessible.
yehat 1 hours ago [-]
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
majorchord 8 hours ago [-]
> I'm not going to give up reading the test results from my doctor
You could just call them.
andwur 5 hours ago [-]
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
petre 3 hours ago [-]
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
getpokedagain 3 hours ago [-]
Or ask for a print out.
unethical_ban 9 hours ago [-]
I agree, and I think CAPTCHA is a disservice on public websites.
rdedev 9 hours ago [-]
When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC backed bots
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
SlinkyOnStairs 7 hours ago [-]
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
xmcp123 8 hours ago [-]
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
chadgpt2 9 hours ago [-]
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
eddythompson80 8 hours ago [-]
That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
dakolli 9 hours ago [-]
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? It's kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
alexspring 6 hours ago [-]
Yep. They got hacked in the past, 1k+ smartphones reported.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
These companies would have to buy one phone per fake influencer.
tcoff91 9 hours ago [-]
Wow that is so dystopian.
huflungdung 9 hours ago [-]
[dead]
thaumasiotes 10 hours ago [-]
> My understanding is that this new reCAPTCHA is basically just remote attestation.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
lxgr 8 hours ago [-]
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
g-b-r 10 hours ago [-]
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
lxgr 8 hours ago [-]
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
varispeed 8 hours ago [-]
Shouldn't that be illegal under GDPR?
dheera 11 hours ago [-]
> Google didn’t demand iPhone users install Google software to pass the test.
Can de-Googled Android phones present themselves as iPhones?
coppsilgold 10 hours ago [-]
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
dwedge 9 hours ago [-]
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
ryukoposting 7 hours ago [-]
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
dwedge 2 hours ago [-]
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
dexterdog 6 hours ago [-]
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
drnick1 6 hours ago [-]
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
xerox13ster 6 hours ago [-]
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
tuzakey 4 hours ago [-]
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. It's not the insurmountable obstacle everyone makes it out to be, but it's not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
drnick1 6 hours ago [-]
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
gonzalohm 8 hours ago [-]
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
drnick1 6 hours ago [-]
What makes Samba annoying? I think it's perfect for its intended use (LAN).
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
bsmith 8 hours ago [-]
If you don't need filesharing, you can just set up wireguard, set up a network drive on your phone's files app, and then when connected it'll feel like native file browsing.
danparsonson 8 hours ago [-]
Syncthing is very nice.
cromka 2 hours ago [-]
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
dwedge 8 hours ago [-]
I only share with one person so we use Seafile
zx8080 4 hours ago [-]
Nice that there's bank to move to. We need regulations against such lock ups.
pixel_popping 9 hours ago [-]
archive.is just asked me for a QRcode scan, I'm so ashamed of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visit will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
codedokode 9 hours ago [-]
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
tocariimaa 4 hours ago [-]
The water is already boiling and the frog can't get out anymore.
syntheticnature 7 hours ago [-]
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
j027 6 hours ago [-]
You can still use the audio captcha, but I’m not sure how long that’ll be around.
velocity3230 52 minutes ago [-]
Sound advice.
BloodyIron 6 hours ago [-]
Google will incur serious lawsuits if they remove that accessibility aspect.
a2128 5 hours ago [-]
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
tom1337 7 hours ago [-]
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have their product, turnstile, available.
stavros 7 hours ago [-]
What? Don't Cloudflare literally have their own CAPTCHA service? Why are they using reCAPTCHA?
gruez 6 hours ago [-]
They mimic the cloudflare captcha page but they're not hosted by cloudflare.
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
hedora 7 hours ago [-]
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
thecatapps 10 hours ago [-]
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
treis 9 hours ago [-]
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
supriyo-biswas 2 hours ago [-]
Private access tokens are also a repackaged WEI as far as I'm concerned.
nightpool 4 hours ago [-]
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
incompatible 7 hours ago [-]
"pretended" ... do they even care any more?
FateOfNations 10 hours ago [-]
Not Invented Here Syndrome?
tinycommit 7 hours ago [-]
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
Any chance for something 100% self-hostable? hcaptcha and friendlycaptcha last I checked require interfacing with their services.
tardedmeme 7 hours ago [-]
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
himata4113 7 hours ago [-]
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
smallerize 6 hours ago [-]
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
gene91 3 hours ago [-]
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
ickyforce 2 hours ago [-]
What's wrong with Apple push notifications in China?
poilcn 1 hours ago [-]
"non-Apple", i.e. Android
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
cantalopes 10 hours ago [-]
This is crossing the line where the governments should step in and ban/fine google heavily for this monopoly behavior
data-ottawa 8 hours ago [-]
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
failuser 9 hours ago [-]
The governments are the ones who need it the most. They want to know who all the potential and current dissidents are.
bigyabai 8 hours ago [-]
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
milderworkacc 9 hours ago [-]
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
KPGv2 9 hours ago [-]
[flagged]
gib444 2 hours ago [-]
Oh man as if we still live in those times
OutOfHere 9 hours ago [-]
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
varenc 7 hours ago [-]
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this make me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, these QR-code-backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
phyzome 5 hours ago [-]
I don't have one either. No plans to get one, even with this.
amluto 9 hours ago [-]
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
cromka 1 hours ago [-]
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
probably_wrong 27 minutes ago [-]
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
brunocvcunha 9 hours ago [-]
AI Studio playground maybe? It seems all integrated.
lxgr 9 hours ago [-]
They almost certainly didn't use that.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
arccy 7 hours ago [-]
probably Google Doc Apps Script, those create so many Google cloud projects
buzzwords 9 hours ago [-]
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
fluidcruft 9 hours ago [-]
There really isn't much of an option. Apple's just as bad if not worse.
queenkjuul 8 hours ago [-]
At least with an Android I have the option of Graphene, and have access to a terminal, and for now can sideload apps.
With apple there's no choices, so I'll continue to take my chances with Android
fluidcruft 8 hours ago [-]
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
tardedmeme 6 hours ago [-]
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
microtonal 1 hours ago [-]
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
lxgr 8 hours ago [-]
Can Graphene OS pass this kind of Google attestation challenge, though?
chadgpt2 8 hours ago [-]
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
LeoPanthera 6 hours ago [-]
> Apple's just as bad if not worse.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
microtonal 1 hours ago [-]
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
doctor_radium 5 hours ago [-]
I'll be waiting.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
ryukoposting 7 hours ago [-]
You won't be alone. I've resolved that this will be my last Googled phone.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
nosioptar 5 hours ago [-]
I've been getting asked more and more how to degoogle stuff by non-nerds.
drnick1 6 hours ago [-]
Android yes, but Graphene is the answer.
koala-news 4 hours ago [-]
The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.
pzmarzly 8 hours ago [-]
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
rippeltippel 2 hours ago [-]
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
drnick1 6 hours ago [-]
So Stallman was right, after all?
quantummagic 5 hours ago [-]
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
xethos 6 hours ago [-]
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment on any topic that touches on libre computing, it's only a matter of time until he is.
ezekiel68 10 hours ago [-]
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
drpixie 7 hours ago [-]
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
cybercatgurrl 9 hours ago [-]
and that is gonna be funded by who? anyone who is gonna fund that is gonna want their slice of the pie. we need regulation to keep big tech in line
repelsteeltje 9 hours ago [-]
How about consumers paying a little extra for their device? The way it's going, ad-sponsored big tech is dying because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
undeveloper 39 minutes ago [-]
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relevant ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps an ai-bot-free digital world.
flatIronSteak 9 hours ago [-]
I uh.. I think that was the (sarcastic) point.
gessha 6 hours ago [-]
Parent is sarcastic
fsflover 9 hours ago [-]
Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.
colordrops 10 hours ago [-]
Ugh I hate that I can't tell whether you are being sarcastic or not.
himata4113 7 hours ago [-]
I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
kyrofa 9 hours ago [-]
I don't even have a smart phone, I assume there is some sort of fallback behavior?
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
dstnn 9 hours ago [-]
It's going to be just like the wild days of the late 90s and 2000s
Strap in, the ownage will be hard.
orblivion 4 hours ago [-]
I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.
riffraff 2 hours ago [-]
I mean, they could sue for non competitive behavior, but good luck beating Google's lawyers
spankibalt 11 hours ago [-]
Time for some lawfare!
DANmode 11 hours ago [-]
The Government reviewed the Google situation on behalf of you,
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
bigyabai 2 hours ago [-]
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
ranger_danger 12 hours ago [-]
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
Jigsy 11 hours ago [-]
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
anonymousiam 11 hours ago [-]
Why not just change your user agent string?
codedokode 8 hours ago [-]
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
userbinator 48 minutes ago [-]
That naturally implies we must patch the browser.
"Source code? We don't need no stinkin' source code!"
tardedmeme 10 hours ago [-]
It probably fingerprints the browser via TLS fingerprinting.
mschuster91 10 hours ago [-]
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
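The consistency check described in this sub-thread (User-Agent header versus `navigator.platform`), sketched server-side as an added example; it is not code from any commenter or from a real anti-bot SDK. The rule table, function names and sample strings are assumptions, and the `Sec-CH-UA-Platform` client hint is included as a second signal.

```python
import re

# (family, pattern on the User-Agent header, accepted navigator.platform
#  prefixes, expected Sec-CH-UA-Platform value). Order matters: Android and
# ChromeOS user agents also contain "Linux"/"X11". Table is an assumption,
# deliberately loose to limit false positives.
RULES = [
    ("android", re.compile(r"Android"), ("Linux", "Android"), "Android"),
    ("ios", re.compile(r"iPhone|iPad|iPod"), ("iPhone", "iPad", "iPod"), "iOS"),
    ("windows", re.compile(r"Windows NT"), ("Win32", "Win64"), "Windows"),
    ("macos", re.compile(r"Macintosh"), ("MacIntel", "MacPPC"), "macOS"),
    ("chromeos", re.compile(r"CrOS"), ("Linux",), "Chrome OS"),
    ("linux", re.compile(r"Linux|X11"), ("Linux",), "Linux"),
]


def family_from_ua(user_agent):
    """Return the OS family the User-Agent header claims, or None."""
    for family, pattern, _prefixes, _hint in RULES:
        if pattern.search(user_agent):
            return family
    return None


def platform_mismatches(user_agent, nav_platform, ch_platform=None):
    """List the signals that contradict the OS claimed by the User-Agent.

    nav_platform is the navigator.platform value reported by page script;
    ch_platform is the raw Sec-CH-UA-Platform header (quoted string) if sent.
    An empty list means the signals agree. Treat findings as one input to a
    score, not a verdict: privacy-hardened browsers legitimately alter them.
    """
    family = family_from_ua(user_agent)
    if family is None:
        return ["ua-unrecognised"]
    _f, _p, prefixes, hint = next(r for r in RULES if r[0] == family)
    findings = []
    if not nav_platform.startswith(prefixes):
        findings.append("navigator.platform")
    if ch_platform is not None and ch_platform.strip().strip('"') != hint:
        findings.append("sec-ch-ua-platform")
    return findings


# Constructed sample values (not captured traffic).
WINDOWS_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
LINUX_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36")

if __name__ == "__main__":
    # A Linux browser whose User-Agent string was changed to claim Windows.
    print(platform_mismatches(WINDOWS_UA, "Linux x86_64", '"Linux"'))
    print(platform_mismatches(LINUX_UA, "Linux x86_64", '"Linux"'))
```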
miladyincontrol 10 hours ago [-]
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but it's sad how many people will use some free of cost vpn and not even think why that might be.
ranger_danger 9 hours ago [-]
Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
donmcronald 7 hours ago [-]
Does the app function as a proxy? I always assumed that wasn’t possible.
ranger_danger 6 hours ago [-]
Why wouldn't it be possible? As long as background network access is allowed (the default).
chadgpt2 8 hours ago [-]
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
donmcronald 7 hours ago [-]
Yes. What if your connection is used for illegal activity?
rescbr 8 hours ago [-]
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
hysan 11 hours ago [-]
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
retired 9 hours ago [-]
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
prism56 12 hours ago [-]
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
Milpotel 12 hours ago [-]
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
ranger_danger 11 hours ago [-]
Nope, I have tried. Just as suspicious to them if not more so because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
ck2 11 hours ago [-]
whenever I can't access a website for various stupid blocks
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
wafflemaker 11 hours ago [-]
You sir seem to have solved a problem many people here have.
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
tardedmeme 11 hours ago [-]
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
krackers 10 hours ago [-]
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
donmcronald 6 hours ago [-]
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
titularcomment 9 hours ago [-]
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.
hedora 7 hours ago [-]
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
Permit 7 hours ago [-]
It looks like archive.is uses recaptcha so I don’t think that’s the fix you’re looking for.
tardedmeme 6 hours ago [-]
then we make a new one
Worf 10 hours ago [-]
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
brikym 10 hours ago [-]
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
freedomben 9 hours ago [-]
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
mikepurvis 9 hours ago [-]
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
donmcronald 7 hours ago [-]
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
mikepurvis 6 hours ago [-]
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
pino83 9 hours ago [-]
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
dwedge 9 hours ago [-]
So just to clarify, you also didn't solve anything but you want everyone to know you told them so and you were smarter?
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
donmcronald 7 hours ago [-]
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
pino83 7 hours ago [-]
Oh, yeah, these discussions as well... Precisely.
Good that some people are able to translate my thoughts into actual English... :D
pino83 8 hours ago [-]
> Reminds me of Facebook engagement bait
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
userbinator 44 minutes ago [-]
The sort of regulation we need for this must be as solid as a constitutional amendment, but that is going to be very, very difficult.
KPGv2 9 hours ago [-]
> Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
Everyone in power wants it, across the entire globe.
retired 9 hours ago [-]
Already happening. The official German identification app, AusweisApp, is designed exclusively for Android and Apple mobile devices
lxgr 8 hours ago [-]
> designed exclusively for Android and Apple mobile devices
That's very different from requiring hardware attestation, though.
somethingweird 8 hours ago [-]
No, you can also get it for Windows and Huawei devices. So three American and one Chinese companies. Great.
bigyabai 8 hours ago [-]
With Salt Typhoon, that's a whole four ways to choose how China steals your data.
And to think, people said consumer choice was dead...
ranger_danger 8 hours ago [-]
If it was developed by the government, shouldn't the source or an API be available? Surely third-party apps can be made in that case?
poopooracoocoo 6 hours ago [-]
That'd be great but governments often don't make specs and source code available. Governments don't make things open.
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
lukashahnart 7 hours ago [-]
What do you use instead? iOS?
codedokode 9 hours ago [-]
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires you to scan a QR code to register an account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
Nobody trusts web browsers nowadays.
danparsonson 7 hours ago [-]
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
tardedmeme 6 hours ago [-]
I think you can just search 'buy google account' - it isn't illegal.
BloodyIron 6 hours ago [-]
I'm sorry Google, I'm afraid I can't do that.
shevy-java 1 hours ago [-]
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
If there was any remaining doubt whether Google is evil, this settles that yes it is.
tamimio 11 hours ago [-]
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
roywiggins 6 hours ago [-]
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
Andrex 11 hours ago [-]
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
spencerflem 9 hours ago [-]
I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Andrex 3 hours ago [-]
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
donmcronald 6 hours ago [-]
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
SV_BubbleTime 8 hours ago [-]
Well, how does Tor or other services do it now?
eddythompson80 5 hours ago [-]
Tor does it by being so painfully slow and unreliable that the only way you would use it is if there is a cocaine-style reward at the end of it.
staringforward 3 hours ago [-]
> Tor does it by being so painfully slow and unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
spencerflem 7 hours ago [-]
They get blocked by Recaptcha, I think.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
986aignan 7 hours ago [-]
> They get blocked by Recaptcha, I think.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
SV_BubbleTime 6 hours ago [-]
Proof of work I get, but isn’t that like step2?
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
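The "expensive to initiate, cheap to accept or reject" property and the worry that the challenge issuer becomes the attack point, worked through as an added example (not code from any commenter, from Anubis, or from another project): a hashcash-style challenge that the server issues statelessly by MAC-ing it, so issuing costs one HMAC and verifying costs one HMAC plus one hash. The token layout, function names and the 120-second window are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_AGE_SECONDS = 120  # assumed validity window for an issued challenge


def mac_for(secret, payload):
    """HMAC-SHA256 tag binding a challenge to this server's secret."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(secret, client_id, bits, now=None):
    """Build a token "ts.salt.bits.mac". Nothing is stored server-side."""
    ts = int(time.time() if now is None else now)
    payload = f"{ts}.{os.urandom(8).hex()}.{bits}"
    # client_id (e.g. the source address) is covered by the MAC but not sent,
    # so a solved token cannot be handed to a different client.
    return f"{payload}.{mac_for(secret, payload + '.' + client_id)}"


def has_work(token, counter, bits):
    """True if SHA-256(token:counter) starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{token}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(token):
    """Client side: brute-force the smallest counter (about 2**bits hashes)."""
    bits = int(token.split(".")[2])
    counter = 0
    while not has_work(token, counter, bits):
        counter += 1
    return counter


def verify(secret, token, counter, client_id, seen, now=None):
    """Server side. Returns "ok" or the reason for rejection.

    `seen` maps accepted tokens to their expiry time; it is the only state
    kept and is bounded because entries are dropped after MAX_AGE_SECONDS.
    """
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 4 or not isinstance(counter, int):
        return "malformed"
    ts_s, salt, bits_s, tag = parts
    expected = mac_for(secret, f"{ts_s}.{salt}.{bits_s}.{client_id}")
    # Check the MAC first: after this, ts and bits are known to be ours,
    # so a client cannot lower the difficulty or extend the lifetime.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "bad-mac"
    if now - int(ts_s) > MAX_AGE_SECONDS:
        return "expired"
    for old in [t for t, expiry in seen.items() if expiry < now]:
        del seen[old]
    if token in seen:
        return "replayed"
    if not has_work(token, counter, int(bits_s)):
        return "bad-work"
    seen[token] = int(ts_s) + MAX_AGE_SECONDS
    return "ok"


if __name__ == "__main__":
    secret = os.urandom(32)
    accepted = {}
    token = issue_challenge(secret, "203.0.113.7", bits=16)  # constructed address
    answer = solve(token)
    print(verify(secret, token, answer, "203.0.113.7", accepted))  # ok
    print(verify(secret, token, answer, "203.0.113.7", accepted))  # replayed
```

The difficulty in `bits` can be raised per client or under load; every extra bit doubles the client's expected work while the server's cost stays constant.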
anonymars 7 hours ago [-]
What a coincidence that Windows 11 makes it a requirement!
fsflover 9 hours ago [-]
TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
cyklosarin 9 hours ago [-]
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
gib444 2 hours ago [-]
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
djfergus 8 hours ago [-]
What happens with Chinese Huawei phones that don’t have Google services?
The engineers at Google are like the Hitler youth of technology. While I can understand the forces that created them, they make me sick.
yohannesk 9 hours ago [-]
Isn't reCAPTCHA a spam? This video I watched recently does a nice history and also was enjoyable to watch https://youtu.be/seX_rDEsP6E?si
citizenpaul 11 hours ago [-]
For decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy providers while they were untouchable but now I know how things are gonna go.
cyberax 9 hours ago [-]
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
SV_BubbleTime 8 hours ago [-]
Treatment is not a cure.
cyberax 7 hours ago [-]
Agreed. I'm just pointing out the possibility (for now).
hackernews682 12 hours ago [-]
The gate to the pig pen is closing…
userbinator 6 hours ago [-]
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
userbinator 40 minutes ago [-]
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
Here's the obligatory: Google, FUCK YOU!
wurtapp 5 hours ago [-]
Heh
ChrisArchitect 12 hours ago [-]
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
gregoryl 4 hours ago [-]
I agree, wholeheartedly - let's get a list of the google engineers who worked on this. What do you propose we do with it?
userbinator 1 hours ago [-]
Spread the word. They need to be held accountable the same way elected officials are --- except in this case they're not even elected.
einpoklum 10 hours ago [-]
Google seems to be putting yet another brick in the garden wall.
zuogl 4 hours ago [-]
[dead]
superasn 12 hours ago [-]
[dead]
lpcvoid 6 minutes ago [-]
[dead]
picsao 8 hours ago [-]
[dead]
zuogl 5 hours ago [-]
[flagged]
theturtle 12 hours ago [-]
[dead]
oybng 10 hours ago [-]
[flagged]
dang 10 hours ago [-]
The article was at #1 on the frontpage when you posted this.
kittikitti 12 hours ago [-]
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
bellowsgulch 8 hours ago [-]
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
PaulHoule 11 hours ago [-]
The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution.
g-b-r 10 hours ago [-]
A fork of it, updated periodically
And let's not pretend that we mean the kernel when we say Linux distribution
charcircuit 9 hours ago [-]
Debian also uses a fork that is updated periodically.
yjftsjthsd-h 10 hours ago [-]
Android literally is a Linux distro, though. Like, sure it has a weird userspace and is user hostile, but that doesn't make it not a Linux distro.
cybercatgurrl 9 hours ago [-]
linux is a choice, this is not a choice. fairly confident people are rejecting this notion on ideological grounds
Ylpertnodi 9 hours ago [-]
> ... and is user hostile,
How so?
IsTom 11 hours ago [-]
It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux".
prophesi 12 hours ago [-]
Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere.
10 hours ago [-]
Is this speculation, or has it been confirmed somewhere?
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
https://www.rei.com/newsroom/article/2026-rei-board-of-direc...
https://www.rei.com/newsroom/article/rei-announces-2026-boar...
https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
[0] https://news.ycombinator.com/item?id=34312937
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because some simplistic ideologue decides that it's "problem solved."
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
You could just call them.
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
https://doublespeed.ai/
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....
[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....
[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
But anything your phone can possibly do in software can be spoofed, so how would that help?
Can de-Googled Android phones present themselves as iPhones?
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
https://developer.apple.com/news/?id=huqjyh7k
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
If you don't have a static IP you will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
https://ibb.co/X9Q6Y84
By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Wow, This is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
With apple there's no choices, so I'll continue to take my chances with Android
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
Strap in, the ownage will be hard.
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
"Source code? We don't need no stinkin' source code!"
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but it's sad how many people will use some free of cost vpn and not even think why that might be.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
Good that some people are able to translate my thoughts into actual English... :D
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
Everyone in power wants it, across the entire globe.
That's very different from requiring hardware attestation, though.
And to think, people said consumer choice was dead...
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
Nobody trusts web browsers nowadays.
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
https://ublockorigin.com/
See the explanation associated with Manifest V3.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
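The asymmetry asked for above (expensive to initiate, cheap to accept or reject) and the worry that the challenge endpoint itself becomes the attack point, as an added example that is not from the thread and is not Anubis's code: a hashcash-style proof of work where challenges are HMAC-signed, so the server stores nothing until a client has already paid for a valid solution. All names, the 16-bit difficulty, the 120-second lifetime and the sample client addresses are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-process secret, never sent to clients
DIFFICULTY_BITS = 16         # assumption: about 65,536 hashes expected per solve
MAX_AGE = 120                # assumption: challenge lifetime in seconds
_spent = {}                  # salt -> expiry; written only after the work was paid


def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_id: str, now=None) -> str:
    """Server side, cheap: one HMAC and no stored state per challenge."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}|{ts}|{DIFFICULTY_BITS}|{os.urandom(8).hex()}"
    return f"{body}|{_tag(body)}"


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str) -> int:
    """Client side, expensive: brute-force a nonce that meets the difficulty."""
    bits = int(challenge.split("|")[2])
    nonce = 0
    while leading_zero_bits(
        hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    ) < bits:
        nonce += 1
    return nonce


def verify(challenge: str, nonce: int, client_id: str, now=None) -> bool:
    """Server side, cheap: one HMAC, one SHA-256 and a dictionary lookup."""
    now = int(time.time() if now is None else now)
    parts = challenge.split("|")
    if len(parts) != 5:  # a client_id containing '|' is rejected here as well
        return False
    cid, ts, bits, salt, tag = parts
    # 1. Authenticity first: after this, ts and bits are known to be server-made,
    #    so a client cannot lower the difficulty or extend the lifetime.
    if not hmac.compare_digest(tag.encode(), _tag("|".join(parts[:4])).encode()):
        return False
    # 2. Binding and freshness: solutions cannot be handed to another client
    #    or stockpiled for later.
    if cid != client_id or not 0 <= now - int(ts) <= MAX_AGE:
        return False
    # 3. The work itself.
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False
    # 4. Replay: state is kept only for solved challenges and expires with them.
    for old in [s for s, expiry in _spent.items() if expiry < now]:
        del _spent[old]
    if salt in _spent:
        return False
    _spent[salt] = int(ts) + MAX_AGE
    return True


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed sample address (documentation range)
    challenge = issue_challenge(client)
    started = time.perf_counter()
    nonce = solve(challenge)
    print(f"solved in {time.perf_counter() - started:.3f}s, nonce={nonce}")
    print("accepted:", verify(challenge, nonce, client))
    print("replayed:", verify(challenge, nonce, client))
```

Issuing still costs one HMAC and a response per request, so a flood of challenge requests has to be handled by ordinary rate limiting; what the scheme removes is server memory growth and any expensive work before the client has paid.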
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
https://news.ycombinator.com/item?id=48063199