
Blocking via an Unsolvable CAPTCHA - tyngde
https://www.google.com/patents/US9407661
======
nadavami
This makes me think of userbinator's comment from yesterday's Google Memory
Loss post.

 _To add insult to injury, if you do try to make complex and slightly varying
queries and exhaust its result pages in an effort to find something you know
exists, very often it will think you're a robot and present you with a
CAPTCHA, or just ban you completely (solving the CAPTCHA just gives you
another, and no matter how many you solve it keeps refusing to search; but
they probably benefit from all the AI help you just gave them, what
bastards...) for a few hours._

Edit: I wonder if Google is using this as a sort of income source for pages
that bring little to no ad revenue.

~~~
userbinator
I thought this item would be related to that very popular item... I saw it
mentioned in discussion.

At work I just recently managed to trip it three times in one day, which I
consider a record since in the past I've encountered it at most a few times a
week. What's more infuriating is that my queries were far less complex than
the ones that tripped it before (trying to find information about some API
constants), basically one quoted term and one site: modifier. I can understand
if I was querying 24/7 and hogging their servers (in which case a nice "please
slow down" message would be much better), but it tripped within a few
_minutes_ of, admittedly intense, Googling.

 _The security device may notify the attacker device that the solution is
incorrect regardless of whether the solution is actually correct._

In Google's case, it doesn't do that at all --- solve one CAPTCHA successfully
and all you get is another, immediately. If you actually do deliberately give
the wrong answers, it does tell you they were incorrect.

I wonder what can be done to stop it from doing that, besides the old tactic
of evading IP bans by changing IP --- it's somewhat creepy to think that it's
probably capable of detecting that too and banning the entire subnet. On
second thought, it might be worth it... if it means I can get thousands of
others blocked from Google for a nontrivial amount of time, all the more
mouths to complain and maybe force some reconsideration. I am not a robot. I
am not a competitor scraping your pages or doing anything else against your
ToS. I am just an _intelligent_ human with over two decades of Internet
searching experience enthusiastically using your service for the exact purpose
it claims to do: to find something on the Internet.

~~~
josteink
> I am not a robot. I am not a competitor scraping your pages or doing
> anything else against your ToS. I am just an intelligent human with over two
> decades of Internet searching experience enthusiastically using your service
> for the exact purpose it claims to do: to find something on the Internet.

Maybe it’s time to stop using Google and use another search engine which
actually treats you like a human being, like DuckDuckGo.

~~~
userbinator
That's what I do whenever it comes up. For the longest time I used Google
because they had the biggest index, but if they're not keen on letting people
actually make use of it, then DDG and the others suddenly look a lot more
appealing.

------
jstanley
I _hate_ stuff like this. When I fall into the "this guy looks unusual"
bucket, I don't want to have to second-guess whether your system is even going
to let me in if I put in the effort to jump through its kafkaesque hoops.

I had trouble with Coinbase account verification which I'm almost certain was
akin to the linked patent: it asked me for a picture of my passport, and then
a picture of my face, and then told me that the pictures didn't match and I
must try again. Every single time. I only managed to regain access to my
account by emailing a contact that most people wouldn't have.

~~~
goodside
Coinbase did that to me and at least three people I know personally. You’re
not a special edge case -- they just suck.

~~~
nextInt
I attended a talk by Coinbase. They get A LOT of fraudulent activity (both
high end and amateur). They have like 7-8 employees who handle all the manual
aspects of user verification. So they have to rely heavily on automated
solutions. I have never used them so I don't know how often they flag false
positives but based on that talk I would at least qualify the statement with
"it's a hard problem!"

~~~
goldenkey
Treating your users like shit is actually a pretty easy problem to solve. It's
companies that don't 'care' to solve it that cause this kind of strife.
Coinbase pulled the same shit with me.

------
AgentME
That's literally what it takes to get something patented? For better or worse,
maybe by patenting it, we won't see that solution used in many products from
other companies.

Hmm, maybe I should start thinking up annoying things that future software
might do for profit, and patent them now to stop companies from doing them for
a while.

~~~
lisper
Getting a patent on pretty much anything is a relatively straightforward (if
somewhat arduous) bureaucratic process. I got one on a device that lets you
communicate faster than light:

[https://www.google.com/patents/US20030133714](https://www.google.com/patents/US20030133714)

Of course it doesn't actually work, but figuring out why makes an interesting
exercise.

~~~
shakna
> Of course it doesn't actually work, but figuring out why makes an
> interesting exercise.

I've always found that kind of interesting. The US lets you patent just about
anything.

But in my home country, Australia, one of the patent requirements is that it
actually appears to function in the way you are claiming it does. ("The
application must be for something patentable, like a practical adaption, not
for an idea or principle.")

I wonder if that has any impact on patent trolling, or if it's just as
pervasive.

~~~
lisper
Theoretically it's a requirement in the U.S. as well. To get a patent, the
invention has to be "useful", and presumably to be useful it has to work. But
in practice this is never enforced.

------
Torn
I've been on the receiving end of this when using some VPNs -- after a few you
realise you're being stonewalled.

It's an _incredibly_ frustrating experience for real users caught in this

~~~
mirimir
I guess they figure "real users" don't use VPNs.

I see this occasionally, but just change servers. And it's typically just
temporary. Affected servers are OK in a day or so.

~~~
Shank
You can’t just green light any known VPN IP ranges though because they’re
dynamic, and if you did, bots would just resort to using VPNs to bypass normal
IP blocking.

------
taneq
Reminds me of that "intelligence test" that just generates endless pages of
questions until you hit a "cancel" or "give up" button (it's been a while) -
your score is based on the number of pages it takes before you figure out what
it's doing.

------
cfitz
From the (overly lengthy) Patent Description section:

 _A challenge-response test may include a type of authentication where one
party (e.g., security device 240) presents a question (e.g., a “challenge”)
and another party (e.g., attacker device 210) is required to provide a valid
solution (e.g., a “response”) to be authenticated. An unsolvable challenge-
response test may include a challenge-response test that does not have a
correct solution and/or a challenge-response test where attacker device 210
may be incapable of providing the correct solution (e.g., when the correct
solution includes a character that may not be typed using a standard keyboard,
etc.). In some implementations, security device 240 may generate the
unsolvable challenge-response test in the form of an unsolvable CAPTCHA. In
some implementations, security device 240 may generate the unsolvable CAPTCHA
using one or more construction techniques that are designed to block attacker
device 210 from sending a request to server device 230 without making attacker
device 210, and/or a user of attacker device 210 (e.g., a hacker), aware that
attacker device 210 is being blocked (e.g., by security device 240) from
sending the request to server device 230._

------
vanous
This started happening to me after I stopped using Chromium and went back to
Firefox a couple of years back. Switching to DuckDuckGo eliminated this nonsense
completely.

------
Kirol
Something like this is used by Russian insurance companies. They should sell
motor third-party liability insurance online and prices are limited by the
law. It's not profitable enough for them so they boycott such sales. When you
want to buy such insurance online they send you an SMS verification code, which
you must enter on their site. The trick is that this SMS message contains 8-10
letters and some of them are Unicode letters and you have only 2-3 minutes to
enter it manually, copy-paste is blocked.

------
ww520
So now shadow ban has been patented.

~~~
QAPereo
...Which means you can start the countdown on the development of widespread
countermeasures, which will disproportionately harm smaller sites.

Just fabulous. /s

------
Grue3
I was getting this quite regularly (can confirm that I'm not a robot). It
would show the regular captcha asking you to identify traffic signs and stuff,
but no matter what you do, it just wouldn't end. Good to know it was just
Google deciding to ban my IP for some reason.

------
Aloha
The best answer is to make a captcha that only a bot could solve.

~~~
taneq
"For a split second, NESTOR-10 had forgotten that the other NESTORs could not
detect the difference between infra-red and harmful gamma radiation..."

------
Iv
Using Google from Tor leads to this kind of stuff.

~~~
spystath
Most Google services are either borderline or completely unusable through Tor
anyway.

------
stygiansonic
Tl;dr: this is basically a hellban captcha.

------
solarkraft
Great. I bet the humans that falsely get this will be thrilled.

------
donatj
This is vicious, fraudulent and should be illegal.

~~~
nextInt
Lol why should it be illegal? It's your service, you can block however you
want.

~~~
donatj
False promises of a service behind an unsolvable puzzle.

That's criminal deception.

The services were never truly on offer, and you've wasted a person's time and
energy.

What if a store kept out undesirable customers by giving them an unsolvable
puzzle? There'd be lawsuits.

~~~
grkvlt
Criminal? Not really. Usually in physical stores on private property
'management reserve the right to refuse admission' and they can do that any
(legal) way they feel like, including stating that you can only gain admission
once you have completed an impossible task, if that makes them happy.

------
otterley
Moderators: This patent was issued in 2016.

------
mdip
Gotta love the patent system. Reading the summary made my eyes roll so far
into the back of my head.

Basically, they've patented shadow-banning via CAPTCHA. And I'm left also
wondering if they've taken the "that's not a bug, it's a feature" meme to a
whole new level. I've run into the scenario described by this patent on a few
occasions over the last year. I'll be given a CAPTCHA on Google's search
results page that has _no solution_, and they're _cleverly frustrating_ --
not just pictures of roads asking for you to identify lakes, but "click on
pictures of street signs", you click, they disappear, new ones appear but
there are no street signs left and the submit button yells at you to "make
sure you check the _new_ pictures". So you start wondering if it's a trick
question; maybe they're using the phrase "street signs" in a manner you
weren't previously familiar with?[0] I hate it when my search engine tries to
screw with my head.

A hard-refresh resolves it (or I could have probably picked the audio version
and been fine, but I have a difficult time understanding those). Running into
this bug, the _very first thought_ I had was "this would be a rather novel way
of frustrating a bot", followed immediately by "that's _got_ to be what's
going on" (and a bit of profanity about how lovely it is to be a false
positive)[1]. I mean, combine a freshly loaded PC with an obscure set of
search terms and you tend to get a _long_ CAPTCHA. Perform some action that
triggers a CAPTCHA while logged in to Google and you'll get a CAPTCHA-less
CAPTCHA (check the box to continue). It's only logical they'd have the
opposite extreme of "we're going to reject this one because the maliciousness
rating indicates that we're being visited by satan coding in brainfuck".

[0] It seems to occur the most when searching for obscure, specific error
messages with commands like "allintext:" (since Google likes to just pretend I
didn't actually _mean_ what I asked for) along with portions of the search in
quotes. It also doesn't trigger until I hit page 3, or have performed the
search a few times with changes only in what I'm including in quotes. It's
been happening _a lot_ since I started doing CUDA development. I guess Google
really, _really_, hates bad CUDA developers. Joking aside, since I usually
have to get a few pages in, I probably look like a search-engine scraper
combining variations of rarely searched terms with no click-through traffic.

[1] I have a funny history with this sort of thing. I was banned from Bing
Rewards years ago for ToS violations that I didn't violate. My guess was they
assumed my search traffic was automated for reward harvesting (because, you know,
the rewards would have _ever_ been worth wasting the time developing a bot).
And it probably looked that way since obscure searches on Bing, way back when,
rarely yielded _any_ relevant results (a half-page of log files, often).
Things over there have improved enough that I use it as a fallback when I
don't feel like clicking pictures of storefronts, though the banning was a
personal insult, so I have to be really cranky about the CAPTCHA interruption
to "Ask Chandler".

edit: I felt that neither "satan" nor "brainfuck" deserved title casing.

~~~
ucaetano
The patent isn't from Google, it's only listed on Google Patents.

Original Assignee: Juniper Networks, Inc.

~~~
mdip
D'Oh! Thanks for the correction -- somewhat changes my response a bit!

