Hacker News
A captcha that requires your computer to solve equations in the background (wehatecaptchas.com)
49 points by m1guelpf 45 days ago | 52 comments

I left the page after about a minute of waiting on my phone. Making my users wait isn't a realistic solution, and bots have _far_ more CPU horsepower at their disposal than most smartphones, especially if they're operating from a botnet as many tend to do. Even if this did stop bots, it's also going to piss off real users, which is exactly what it appears to be designed to prevent.

Using Android, this took 53 seconds for me. Forcing someone to wait that long isn't a good idea.

I’m curious. Are you using Android? I was able to get it done in a few seconds on iOS/Safari.

Chrome on my Pixel 2

If this is essentially a hashcash, what prevents them from swapping that out for a cryptominer after getting an established user base (if they aren’t already mining)?

Why would preventing this matter?

Why would users care? They will waste the same amount of electricity. In fact, I would argue it's better than solving a pointless equation.

Finding a profitable cryptominer in the first place.

For example, CoinHive shut down.

On an Intel Celeron B820 @ 1.70 GHz laptop, it took more than 40 seconds to complete and consumed 1% of battery in the meantime. The "complex equations" you are doing will not work on low-horsepower devices like phones or low-to-medium level laptops.

> will not work on low-horsepower devices like phones or low-to-medium level laptops.

Just to calibrate a little, I did it on my (midtier, six month old) phone just now and it took three to four seconds.

I tried out of curiosity, and it doesn't even load on one of my machines (in two different browsers). And no, I am not inclined to debug their product for free.

Interesting. I forgot how fast the newest iPhones are. 7 seconds on the Xs.

Just performed several trials on my OnePlus 6T. It took 4, 14, 1, 1, 5, 3, 8, 4, 19, and 24 seconds for an average of 8.3 seconds over 10 trials. That's more than comparable to the time it takes me to solve one of Google's monstrosities.

It's not even the newest iPhones: my iPhone SE beat an Intel Celeron N3060 @ 1.60 GHz almost every time.

Tried on my Blackberry Keyone just to see, and it was well under a minute. Timed it after refreshing the page, and even my 2017 mid-range is under 10 seconds.

Granted, Google Apps are disabled, so it may have been one less thing eating up CPU cycles in the background that made others so slow?

I question the assertion that this is expensive for spammers. The whole premise is that a spammer would not consider this worth the cost, and do something else with the computing power instead. Why? It completely depends on what the captcha is being used for.

Yeah, that's the same state of affairs as traditional captchas. There are sites where you can pay under a cent apiece to have real humans solve your captchas. This is just shifting the cost from human capital to compute; it will suffer the same limitations.

Pay humans? You can install a browser extension to solve it for you. ReCaptcha is totally ineffective against spam.

Not in my experience on large websites. If "all it takes" is round tripping the audio component through speech-to-text, then it's apparently annoying enough at scale to stop the vast majority of spam.

Also, automating something in a browser extension is basically the easiest place to automate something because it's just done once per user, with their cookies/sessions/ipaddr, very infrequently.

So that a browser extension exists for something doesn't mean it's trivial at larger scale. I doubt Google cares about the usage pattern that Buster gives people since it alone is not abuse, just normal people filling out the some odd <form>.

Have you not used it enough to get the "your computer is performing automated queries" audio block? Because it can be a common problem after using Buster for long enough https://github.com/dessant/buster/issues/56#issuecomment-481....

This isn't by definition a captcha at all. This is just slowing users down. Took forever to run on a phone too.

An atypical use of the term as commonly understood, but I don't think it falls entirely outside of the definition since it is an automated test that is attempting to distinguish humans.

Honestly, I think this is worse than ReCaptcha. At least with ReCaptcha I know I am helping someone somewhere labelling their data and possibly used for autonomous driving.

With this captcha I feel like I'm just wasting the world's energy on useless computations.

ReCaptcha is terrible. They gaslight you into thinking you got answers wrong just to make you annotate more training data for them. Secondly they are entirely ineffective against spam. Right now I am just using a browser extension that automatically solves them for me and it works almost every time.

Google doesn't care about fighting spam they just want to exploit people for free labor in the name of 'security' just like they are going to kill ad-blocking and fingerprint protection in the name of 'privacy'.

Sometimes, I get some North American food items in recaptcha in India, which I'm quite sure not many have heard of in this part of the world; I wonder what decision process went through in selection of food images.

Could you share the extension name?

Any effort you put into solving it can do one of two things: prove you are human, or help label data. It can't do both.

The only way to have it do both is to make you put twice the effort into it. If you are thinking one comes as a byproduct of the other, though, you haven't really thought it through.

Care to expand on that? Why can't you do both?

It's a hashcash:


Proof of work is trivially parallelizable, and 2^(5*4)=1048576 options are super easy to go through for spammers.

I'm not sure how well this will actually work against a determined attacker. The browser challenge takes less time and money to automate than the already existing captcha solving services that use actual humans to enter the captchas.

Although I'd certainly prefer something like this being the default approach over hostile measures like Recaptcha v3, which just outright deny a subset of your users access.
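The hashcash-style scheme described in the comment above, sketched server and client side as an added example; it is not code from the thread or from wehatecaptchas.com. The challenge format, SHA-256, the HMAC tag, the 120-second expiry and the names `issue`, `solve` and `verify` are assumptions, and the default of 20 bits matches the 2^(5*4) figure quoted above. It goes beyond the comment by adding expiry and single-use tracking, so solved challenges cannot be stockpiled or replayed.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: secret known only to the server
SPENT = set()                # redeemed challenges (a TTL store in production)

def issue(bits=20, now=None):
    """Server: stateless challenge 'bits:timestamp:salt:mac'."""
    now = int(time.time() if now is None else now)
    body = f"{bits}:{now}:{os.urandom(8).hex()}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def leading_zero_bits(digest):
    # Number of zero bits before the first 1 bit of the digest.
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: brute-force a counter; about 2**bits hashes on average."""
    bits = int(challenge.split(":")[0])
    counter = 0
    while True:
        d = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, max_age=120, now=None):
    """Server: one MAC and one hash, however long solving took."""
    now = int(time.time() if now is None else now)
    try:
        bits, ts, salt, mac = challenge.split(":")
        bits, ts = int(bits), int(ts)
    except ValueError:
        return "malformed"
    body = f"{bits}:{ts}:{salt}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-mac"            # client altered difficulty or timestamp
    if not 0 <= now - ts <= max_age:
        return "expired"            # solved tokens cannot be hoarded
    if challenge in SPENT:
        return "replayed"           # one solution buys one request
    d = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(d) < bits:
        return "insufficient-work"
    SPENT.add(challenge)
    return "ok"
```

The asymmetry is the whole design: the client pays roughly 2^bits hashes per request while the server pays one, and the difficulty is the only knob for trading legitimate-user latency against per-request cost to automation.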

I just saw a spinner for longer than I was prepared to wait on my Xiaomi Mi A2 Lite.

I liked CoinHive's more. It actually displayed a progress bar and was overall more polished.

Gave up after a full minute of waiting on a 2014 low-end phone. I thought the idea was to be LESS annoying than Google. This is a valiant effort, but it will drive away poor people while only incrementally impacting efficiency rates for bots.

Other idea: Something like Proof-of-Elapsed-Time. A click on the verify button requests a token from the server. The server performs the action if the token is old enough. -> No battery drain; equal waiting times for all users.

Does nothing to filter out bots. It just acts as a rate-limiter per IP address.

This is correct, but neither does the WeHateCaptcha approach. Thus spending time is better for the environment than spending energy ;)

No, it filters bots because spammers don't want to waste computing power/electricity. The delay is not the point.

Because a bot can request multiple tickets in a row, then submit them rapidly as they expire. Proof of work means the bot did the work for each request.

Why would that be a problem for an automated system?

Wasn't this done early on in the form of HashCash?

Maybe I'm missing something, but this'll be as effective as rate-limiting submission on the server-side, no?

If you rate-limit on server side, it would mean that you would allow only a few legitimate users to use the site at any given time.

It's hard to build this to have a good user experience on a multitude of devices. Having human challenges like ReCaptcha has its own weaknesses, but the world is like one big GAN when it comes to this approach.

I don’t like being used, I’m already doing you a service by jumping through these hoops. Being asked to train your neural network or provide other computing resources is a perfect way for losing me as a customer.

There's no accounting for niche preference of course, but at least as far as understanding the feasibility of an approach like this: I don't think most people have the "cut off their nose to spite their face" impulse that you're describing here: if a captcha is more usable for the user _and_ helps the company, most would just see that as a win-win.

You do use your computer power to solve math but it doesn’t benefit us in any way. We don’t use it to train any AI or anything like that. We don’t even store personal information. Just aiming to be a simple one-click tool so it has to be computationally difficult.

Is this just proof of work crypto as a captcha?

This is not a quick process, even for legitimate users. I am on a quite-capable computer, and it takes long enough that I am all but sure it will harm conversion rates.

Besides, if this becomes big enough spammers will just get GPU/FPGA/ASICs to get around this. The imposed cost of 3s of CPU is far from prohibitive.

Why do I need to click at all?
