HN

Comments (272)

• Menu

  coppsilgold
  My understanding is that this new reCAPTCHA is basically just remote attestation.Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
• Menu

  dwedge
  I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
• Menu

  pixel_popping
  archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...fhttps://ibb.co/X9Q6Y84By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
• Menu

  thecatapps
  I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:- pretended that it wasn't all about invading peoples' privacy.- done a good ol' fashioned "but Apple does it"- pretended to be standards-oriented- advertised it as something completely transparent to the end-userSeems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
• Menu

  cornholio
  It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
• Menu

  tinycommit
  Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
• Menu

  cantalopes
  This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior
• Menu

  varenc
  I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
• Menu

  smallerize
  This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
• amluto
  I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
• Menu

  lxgr
  Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
• Menu

  buzzwords
  Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
• koala-news
  The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.
• himata4113
  I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
• Menu

  pzmarzly
  Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
• Menu

  drnick1
  So Stallman was right, after all?
• Menu

  ezekiel68
  I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
• Menu

  kyrofa
  I don't even have a smart phone, I assume there is some sort of fallback behavior?
• dstnn
  Its going to be just like the wild days of the late 90s and 2000sStrap in, the ownage will be hard.
• Menu

  spankibalt
  Time for some lawfare!
• Menu

  orblivion
  I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.
• Menu

  hedora
  Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
• Menu

  ranger_danger
  Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.- Discord immediately bans me any time I try to create an account.- Can't buy flights from Delta, always gives a non-descript error.- Can't buy concert tickets, it thinks I'm a fraudulent buyer.- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.I just take my business elsewhere... eventually I'll probably just stop using technology at all.
• Menu

  Worf
  I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
• BloodyIron
  I'm sorry Google, I'm afraid I can't do that.
• Menu

  codedokode
  To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.Nobody trusts web browsers nowadays.
• Vampyre
  The engineers at Google are like the Hitler youth of technology. While I can understand the forces that created them, they make me sick.
• userbinator
  We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight."Those who give up freedom for security deserve neither."
• OutOfHere
  If there was any remaining doubt whether Google is evil, this settles that yes it is.
• djfergus
  What happens with Chinese Huawei phones that don’t have Google services?
• yohannesk
  Isn't reCAPTCHA a spam? This video I watched recently does a nice history and also was enjoyable to watch https://youtu.be/seX_rDEsP6E?si
• citizenpaul
  For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
• Menu

  tamimio
  And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
• Menu

  cyberax
  I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
• hackernews682
  The gate to the pig pen is closing…
• wurtapp
  Heh
• Menu

  neilv
  After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?Whether it's from companies that create the tech, or companies that use it.In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.Can we reverse that?If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
• ChrisArchitect
  Related:Google Cloud fraud defense, the next evolution of reCAPTCHAhttps://news.ycombinator.com/item?id=48039362Google Cloud Fraud Defence is just WEI repackagedhttps://news.ycombinator.com/item?id=48063199
• einpoklum
  Google seems to be putting yet another brick in the garden wall.
• zuogl
  [dead]
• zuogl
  [flagged]
• superasn
  [dead]
• picsao
  [dead]
• theturtle
  [dead]
• Menu

  oybng
  [flagged]
• Menu

  kittikitti
  Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.