
A captcha that requires your computer to solve equations in the background - m1guelpf
https://wehatecaptchas.com/?ref=producthunt
======
bastawhiz
I left the page after about a minute of waiting on my phone. Making my users
wait isn't a realistic solution, and bots have _far_ more CPU horsepower at
their disposal than most smartphones, especially if they're operating from a
botnet as many tend to do. Even if this did stop bots, it's also going to piss
off real users, which is exactly what it appears to be designed to prevent.

~~~
Operyl
I’m curious. Are you using Android? I was able to get it done in a few seconds
on iOS/Safari.

~~~
bastawhiz
Chrome on my Pixel 2

------
wildtomato
If this is essentially a hashcash, what prevents them from swapping that out
for a cryptominer after getting an established user base (if they aren’t
already mining)?

~~~
wutbrodo
Why would preventing this matter?

------
adhoc32
Hashcash:
[https://en.wikipedia.org/wiki/Hashcash](https://en.wikipedia.org/wiki/Hashcash)

------
m712
On an Intel Celeron B820 @ 1.70Ghz laptop, it took more than 40 seconds to
complete and consumed 1% of battery in the meantime. The "complex equations"
you are doing will not work on low-horsepower devices like phones or low-to-
medium level laptops.

~~~
jtbayly
Interesting. I forgot how fast the newest iPhones are. 7 seconds on the Xs.

~~~
cosmojg
Just performed several trials on my OnePlus 6T. It took 4, 14, 1, 1, 5, 3, 8,
4, 19, and 24 seconds for an average of __8.3 seconds __over 10 trials. That
's more than comparable to the time it takes me to solve one of Google's
monstrosities.

------
diego
I question the assertion that this is expensive for spammers. The whole
premise is that a spammer would not consider this worth the cost, and do
something else with the computing power instead. Why? It completely depends on
what the captcha is being used for.

~~~
luhn
Yeah, thats the same state of affairs as traditional captchas. There are sites
where you can pay under a cent apiece to have real humans solve your captchas.
This is just shifting the cost from human capital to compute, it will suffer
the same limitations.

~~~
theferalrobot
Pay humans? You can install a browser extension to solve it for you. ReCaptcha
is totally ineffective against spam.

~~~
hombre_fatal
Not in my experience on large websites. If "all it takes" is round tripping
the audio component through speech-to-text, then it's apparently annoying
enough at scale to stop the vast majority of spam.

Also, automating something in a browser extension is basically the easiest
place to automate something because it's just done once per user, with their
cookies/sessions/ipaddr, very infrequently.

So that a browser extension exists for something doesn't mean it's trivial at
larger scale. I doubt Google cares about the usage pattern that Buster gives
people since it alone is not abuse, just normal people filling out the someodd
<form>.

------
NightlyDev
This isn't by definition a captcha at all. This is just slowing users down.
Took forever to run on a phone too.

~~~
femto113
An atypical use of the term as commonly understood, but I don't think it falls
entirely outside of the definition since it _is_ an automated test that is
attempting to distinguish humans.

------
BiasRegularizer
Honest I think this is worse than ReCaptcha. At least with ReCaptcha I know I
am helping someone somewhere labelling their data and possibly used for
autonomous driving.

With this captcha I feel like I'm just wasting world's energy on useless
computations.

~~~
theferalrobot
ReCaptcha is terrible. They gaslight you into thinking you got answers wrong
just to make you annotate more training data for them. Secondly they are
entirely ineffective against spam. Right now I am just using a browser
extension that automatically solves them for me and it works almost every
time.

Google doesn't care about fighting spam they just want to exploit people for
free labor in the name of 'security' just like they are going to kill ad-
blocking and fingerprint protection in the name of 'privacy'.

~~~
pagade
Could you share the extension name?

~~~
qqii
[https://github.com/dessant/buster](https://github.com/dessant/buster)

------
crave_
It's a hashcash:

[https://wehatecaptchas.com/load.php?name=captcha-
worker.js](https://wehatecaptchas.com/load.php?name=captcha-worker.js)

Proof of work is trivially parallelizable, and 2^(5*4)=1048576 options are
super easy to go through for spammers.

------
iwalton3
I'm not sure how well this will actually work against a determined attacker.
The browser challenge takes less time and money to automate than the already
existing captcha solving services that use actual humans to enter the
captchas.

Although I'd certainly prefer something like this being the default approach
over hostile measures like Recaptcha v3, which just outright deny a subset of
your users access.

------
AndrewOMartin
I just saw a spinner for longer than I was prepared to wait on my Xiaomi Mi A2
Lite.

------
Avamander
I liked CoinHive's more. It actually displayed a progress bar and was overall
more polished.

------
rdiddly
Gave up after a full minute of waiting on a 2014 low-end phone. I thought the
idea was to be LESS annoying than Google. This is a valiant effort, but it
will drive away poor people while only incrementally impacting efficiency
rates for bots.

------
lkwhanspeter
Other idea: Something like Proof-of-Elapsed-Time. A click on the verify button
requests a token from the server. The server performs the action if the token
is old enough. -> No battery drain; equal waiting times for all users.

~~~
stri8ed
Does nothing to filter out bots. It just acts as a rate-limiter per IP
address.

~~~
lkwhanspeter
This is correct, but neither does the WeHateCaptcha approach. Thus spending
time is better for the environment then spending energy ;)

~~~
Kiro
No, it filters bots because spammers don't want to waste computing
power/electricity. The delay is not the point.

------
chris_wot
Wasn't this done early on in the form of HashCash?

------
jszymborski
Maybe I'm missing something, but this'll be as effective as rate-limiting
submission on the server-side, no?

~~~
theemathas
If you rate-limit on server side, it would mean that you would allow only a
few legitimate users to use the site at any given time.

------
parentheses
It's hard to build this to have a good user experience on a multitude of
devices. Having human challenges like ReCaptcha has its own weeknesses, but
the world is like one big GAN when it comes to this approach.

------
__m
I don’t like being used, I’m already doing you a service by jumping through
these hoops. Being asked to train your neural network or provide other
computing resources is a perfect way for loosing me as a customer.

~~~
wutbrodo
There's no accounting for niche preference of course, but at less as far as
understanding the feasibility of an approach like this: I don't think most
people have the "cut off their nose to spite their face" impulse that you're
describing here: if a captcha is more usable for the user _and_ helps the
company, most would just see that as a win-win.

------
cordite
Is this just proof of work crypto as a captcha?

------
mises
This is not a quick process, even for legitimate users. I am on a quite-
capable computer, and it takes long enough that I am all but sure it will harm
conversion rates.

~~~
rocqua
Besides, if this becomes big enough spammers will just get GPU/FPGA/ASICs to
get around this. The imposed cost of 3s of CPU is far from prohibitive.

------
learnstats2
Why do I need to click at all?

