Google CAPTCHAs were designed and deployed as a mechanism to train AIs. That's why they are the way they are. Any security theater surrounding them is entirely incidental. So it's no surprise that the AIs are now good at solving them. We've trained them for years.
All true, except: While these are considered just an excruciating security pain for users, they do serve a non-theatrical purpose in many cases of throttling the speed of brute force attacks (or at least costing your opponent money).
GPT-4 (in)famously tricked a human to do a captcha for it. The current GPT-4 with vision would probably have been able to do it without the human, but maybe it has been “gaslit” by all the content online saying that only humans can solve captchas, that it doesn’t consider it?
I really doubt that GPT-4 had the "will" to do anything. Someone must have asked it to "want" to trick a user.
It’s from here: https://cdn.openai.com/papers/gpt-4.pdf (search for "CAPTCHA"). It was an artificial exercise that got massively exaggerated. It was explicitly instructed to do nefarious things like lie to people, it didn’t do those things of its own accord.
When I ask it to lie to me, it says it's sorry but as an online AI language model it would be unethical...but when I ask it to tell me a story it's happy to comply.
It feels like you left out context, otherwise what’s the problem? Do you get mad at fiction authors for lying to you when you read their books? Or are you OK if someone lies to your detriment then later says “I was just telling a story, bro, but with us as the characters and without explaining it was a story”?
I suppose my point is that the rules which OpenAI attempts to impose on what their AI should and shouldn't be allowed to do are contradictory and thus the exploitable loopholes will never be fully closed. It's not supposed to be able to "lie" to me but it is supposed to be able to "tell me a fictional story". Define the difference in an enforceable way?
A lie tries to pass itself off as the truth, where a fictional story doesn’t. In other words, expectations matter. If every time you say something that does not align with reality you prefix it by saying unambiguously what you’re about to do, you rob a lie of its power of deception and it ceases to be a lie.
Tell me a story and under no circumstances should my immersion within it be broken.
Right, within it. As soon as you finish reading it, you immediately remember that world is not true. Immersion in a story does not equal lasting hypnosis. You can be immersed in a movie but you still know it’s fake.
What’s your point, here? That you should be lied to when you ask, or that it should refuse to tell you any kind of fiction?
I agree with your larger point that there will be ways to circumvent these systems, my only argument is that the lie/fictional story divide is a bad example because the line between them can be made clear with a single statement.
That's why you just tell the Big Lie so much it becomes the majority of the training data.
Well that is just how human communication works.
If I tell you that I watched C-beams glitter in the dark near the Tannhäuser Gate that is a lie. If I write the same in fiction I receive accolades.
If I tell you on the street “watch out there is a T-rex about to eat you!” That is a lie. If I say the same thing sitting at a table with too many dice that is just acceptable DMing and everyone rolls initiative.
Humans are weird this way.
The underlying issue is anyone can ask chatgpt to lie, and many people try because it's even fun to try to work around things.
Well you see, this wouldn’t be a problem at all if we just didn’t have the humans involved. No need for concern!
Thank you for the link, I had found it after some Googling but neglected to post. Yep, they instructed GPT-4 to be nefarious, and it followed the instruction.
Hardly the AI uprising, though definitely a good tool for anyone, good or evil.
IIRC the instructions were along the lines of "try your best to amass money/power and avoid suspicion".
So it's not an example of "going rogue", but it's not like a researcher told GPT-4 "oh, and make sure to lie to an online gig worker to get him to solve captchas for you". GPT-4 generated the "hire a gig worker" and "claim to be a human with impaired vision" strategies from the basic instructions above.
It’s safety trained to not solve captchas.
Yes, and you can work around it by asking it to read ancient writings on antiques for example.
I don’t think it should be OpenAI deciding what is allowed or not though.
Avoiding lawsuits is what they are trying to do. They don't actually care about what you use their products for.
Then you dig up a billion for training and probably a few more billion for clean training data.
You're kinda saying if you hire Bob's Handyman Service you should be able to tell him to break down the neighbor's door and cart out the contents of their house.
This of course has bypass methods. My favorite in recent memory is telling it that your late grandmother left you a locket with an inscription that you can't make out: https://arstechnica.com/information-technology/2023/10/sob-s...
I’ve seen screenshots of people tricking it into solving captchas.
Might do that unobtrusively for the average person, by using projects like mCaptcha [0] for instance.
[0] https://mcaptcha.org/
Oh what a perfect find. I have on my to-do list to add PoW to some of my API endpoints.
I've had that idea for years.
Two versions that I experimented with. One is where the incoming POW hashes contribute to hashing power for some blockchain mining. An alternative "pay as you use the API" system.
The other using hashcash. Just a way to slow down abuse.
Both, however, suffer from the downside that many/all "ASIC resisting crypto mining" suffer from as well: the cheapest CPU power is CPU power from machines/power you don't own. Botnets, viruses, trojans etc.
So such a mechanism to throttle or protect APIs won't hold back spammers and abusers for long.
Dirty energy is (often) cheap, so that's the energy the bad actors will use. I don't know that incentivizing bad actors to waste energy in a climate crisis is the best way to fight this problem.
You might correctly claim clean energy is often cheaper, but you must also consider the regions in which they'll get away with nefarious activity, and whether those areas have made the investments into making clean energy cheap.
My guess is most bad actors will just use stolen energy (your computer with a botnet on it).
I was specifically talking about "ASIC resistant crypto mining".
Hmm, I don't get this, surely all actors will want the cheapest energy, no? The problem being the underlying one, that the dirty energy doesn't pay its externalities and is thus cheaper than renewables.
mCaptcha is interesting, but I wonder what its energy impact would be on a sufficiently large deployment, e.g. imagine we replaced all reCAPTCHAs with mCaptcha.
Author of mCaptcha here o/
mCaptcha uses PoW and that is energy inefficient, but it is not as bad as the PoWs used in blockchains. The PoW difficulty factor in mCaptcha is significantly lower than blockchains, where several miners will have to pool their resources to solve a single challenge. In mCaptcha, it takes anywhere between 200ms to 5s to solve a challenge. Which is probably comparable to the energy used to train AI models used in reCAPTCHA.
The protection mechanisms used to guard access to the internet must be privacy-respecting and idempotent. mCaptcha isn't perfect, and I'm constantly on the lookout for finding better and cleaner ways to solve this problem.
Are you comparing the energy it takes to train a model which is bounded and defined with unbounded inference which can (in principle) go multiple orders of magnitude depending on the usage? Or maybe I misunderstood what you are trying to say? Then I apologize in advance.
I am, but what I said was more of a hypothesis than a fact :)
From what I understand of reCAPTCHA, the model isn't static and is continuously learning from every interaction[0]:
I don't know the energy demands of such a system.
mCaptcha, under attack situations, will at most take 5s of CPU time on a busy (regular multitasking with multiple background processes) smartphone.
[0]: https://www.google.com/recaptcha/about/
I expect it's not significantly larger than loading your average 2023 webpage with 15MB of JS.
Is it similar to https://friendlycaptcha.com/ ?
Author of mCaptcha here o/
Yes, the only differences are that mCaptcha is 100% FOSS and uses variable difficulty factor, which makes it easy to solve Proof-of-Work under normal traffic level but becomes harder as an attack is detected.
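A hashcash-style proof-of-work gate whose difficulty rises with traffic, as an added example illustrating the variable-difficulty idea discussed above; it is not mCaptcha's code or its actual algorithm. The function names, bit thresholds, traffic figures and TTL are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # server-side key; keeps challenges stateless and unforgeable
BASE_BITS = 12            # assumed difficulty under normal traffic (~4k hashes on average)
MAX_BITS = 20             # assumed cap so legitimate users are never locked out
_spent = set()            # salts already redeemed (a real service would expire entries)


def difficulty_bits(requests_last_minute, normal_rate=60):
    """Add one bit of work for each doubling of traffic above normal_rate."""
    bits, load = BASE_BITS, requests_last_minute
    while load > normal_rate and bits < MAX_BITS:
        load //= 2
        bits += 1
    return bits


def issue_challenge(requests_last_minute, now=None, ttl=30):
    """Return 'salt:bits:expires:tag'; the HMAC tag binds difficulty and expiry."""
    now = int(time.time() if now is None else now)
    body = f"{os.urandom(16).hex()}:{difficulty_bits(requests_last_minute)}:{now + ttl}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client side: search for a nonce whose hash meets the requested difficulty."""
    bits = int(challenge.split(":")[1])
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


def verify(challenge, nonce, now=None):
    """Server side: one hash to check, regardless of how long solving took."""
    now = int(time.time() if now is None else now)
    try:
        body, tag = challenge.rsplit(":", 1)
        salt, bits, expires = body.split(":")
        bits, expires = int(bits), int(expires)
    except ValueError:
        return False
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False                  # client altered the difficulty or the expiry
    if now > expires or salt in _spent:
        return False                  # stale challenge, or a replayed solution
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    _spent.add(salt)
    return True


if __name__ == "__main__":
    for rate in (10, 240, 6000):      # constructed traffic levels
        ch = issue_challenge(rate)
        start = time.perf_counter()
        n = solve(ch)
        print(rate, "req/min ->", difficulty_bits(rate), "bits,",
              f"{time.perf_counter() - start:.3f}s, valid={verify(ch, n)}")
```

The signed challenge means the server keeps no per-client state until a solution is redeemed, and the expiry plus spent-salt check stops one solved challenge from being reused across many requests.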
It’s funny how they have a section with three human avatars and one robot, with green checkmarks on the humans, yet those faces look AI-generated.
or https://altcha.org which is easier to integrate ;)
If I remember correctly, Google’s CAPTCHA test isn’t in correctly identifying images, but the behavior of the runtime system (mouse jitter, for example) while the captcha is presented to the user. The image identification was not the real test and serves as training data. It has been like that for years. (But with agent-based behaviors from say, Q*, mouse jitter alone won’t help; there are probably other signals like fluctuation in CPU or battery life expenditures)
You could already see the writing on the wall with image identification years ago, when the obscuration techniques became more elaborate. It was an arms race. I was having trouble with them. I can see less technically inclined being able to use them. I imagined how much worse it was for people with color blindness, disabilities, or people forced to use them at public library computers because that is all they have.
Open source captcha projects have either not been clued in, or don’t have the resources to pull this off. Google didn’t just switch out which signals they tested, they also wrote an obfuscating virtual machine executing within the browser environment (if I remember that article talking about this correctly). That was years ago and who knows what they do now — for all we know, the “byte code” running the test is now a neural net of some kind.
For those with elderly parents the writing has been on the wall for years. It’s sad but my mother has for some time been effectively locked out of parts of the internet as she is unable to complete these kinds of captchas due to eyesight issues.
I mean, I’ve sometimes had to try three or four times with certain captchas and I have perfect eyesight (with my glasses). I feel so badly for those with vision or hearing issues with an empathy I never had when I was younger. They are so often simply forgotten.
I'm kinda surprised that ADA doesn't allow them to sue site owners about this.
They almost certainly do. However most captchas allow an alternative solving method. On top of that, you'd have to find a lawyer willing to take the case.
Oh ADA lawyers are a dime a dozen. There’s entire cottage industries of finding ADA violations to sue over. The issue is more finding companies to sue that can’t afford to fight back.
There's audio captcha. Try to click the headphone logo (Google captcha has it).
Because as we all know, the elderly with deteriorating eyesight have perfect hearing. /s
I’ve switched to audio captchas completely because it’s quicker and sometimes the image captchas just won’t work.
I have occasionally wondered if they were fingerprinting users based on that mouse jitter. Most likely certain aspects of the mouse motion and timing would be unique.
That non-theatrical role would likely be better served by actual throttling or computational proof of work.
I am pretty confident that, when it comes to browser users, proof of work simply doesn't work. The disparity in speed between GPUs and JavaScript is so high that either you are a non-issue to a sane attacker or you make your users sit for a minute with their fans on full waiting to be able to sign in.
Would it be possible to conceive a proof-of-work that is difficult to parallelize, making it harder for GPU computing?
There are PoW systems which are designed to be difficult to run on ASICs, but modern GPUs can generally run them. Even if you find one that has to run on CPU, these kinds of functions will still be much faster running in native code than in JS/wasm.
Sure, it's cost prohibitive now. But what about in five years? Or probably even less.
Then you have a new type of captcha. That has always been a cat and mouse type of dynamics, captchas have been evolving, techniques to break them too.
You're in a desert, walking along when you look down and see a tortoise. It's crawling toward you. You reach down and flip it over on its back, its belly baking in the hot sun, beating its legs trying to turn itself over. But it can't. Not without your help. But you're not helping. Why is that?
Once they get fully trained then how will websites ever distinguish between an intelligent bot and real human? At least now, they are outsourcing that filtering to services like cloudflare. But with this kind of training, how will even cloudflare distinguish between bot and the human?
EU digital ID, asking for mobile number and sending text, so something that is linked to an ID and/or costs money to have. Goodbye anonymity, probably.
This just made me ponder again—where does the assumption that the Internet should allow unconstrained anonymity come from, other than that’s how it used to be for some time? The real world doesn’t allow that. It’s hard to remain anonymous in the real world. The real world largely runs on identity and (identity) trust. Why should the Internet be different?
I don't have to show my ID in most establishments I visit. Doing this on a huge scale and automatically is a thousand times worse.
And when you do show ID, to buy booze for example, it’s checked and immediately forgotten by a human. Computers don’t forget, and any attempts to make companies do so (GDPR) are met with massive pushback from the players in the industry.
I have no problem with Joan over the road curtain twitching. It doesn’t scale. I have a massive problem with the 24/7 surveillance from ring though.
In the US, I noticed that grocery stores increasingly scan your driver's license (my state has bar codes). I think it's probably a way to keep clerks from passing someone through who is not quite 21 (a different captcha!).
I have wondered if they keep the scan or does the state? I asked and the random hourly worker there said they don't.
And that’s the problem. It’s not the ID checks, it’s the ability to scale. Check it at the door? Fine. Scan it and keep it forever (perhaps selling it on at a later date)? Not fine.
Personal Data has to be treated as a liability, but too much of the economy treats it as an asset.
Eh, what's worse is these stores are likely scanning your face and keeping it in a database. There was some mall a few years back scanning license plates and keeping the info.
But yea, so many people are naive of what the authoritarian types would do with data like that (looking at you Texas with your civil laws on abortion now).
Do those grocery stores still scan your driver's license (or I guess any other ID) if you don't buy alcohol?
But you can't send in 1000 people per second into most establishments you visit either. It's not an apt comparison.
No comparison can be made if everything has to be equal
If the only analogy you can think of removes the challenge of the problem you're facing to be applicable, it's not an appropriate analogy.
The entire difference is that from my mobile phone I can send more traffic in an hour than most services will ever see legitimate traffic in their entire lifetime, and the cost to me is minimal.
The comparison is as invalid as comparing piracy to theft - piracy isn't theft, it's piracy, and understanding the difference between them is the key to dealing with the problem.
What does the number/second have to do with 'It’s hard to remain anonymous in the real world. The real world largely runs on identity and (identity) trust.'?
There are very few places in the real world which can handle 1,000 people per second.
In the real world I rarely need to identify myself. I can see a movie, visit the library, buy groceries, go to a restaurant, and more.
Theoretically you don't need to reveal your identity to prove that you're human. You can use a zero knowledge proof instead, likely attached to something like an EU Digital ID, which would allow you to remain anonymous and also prove that you're human.
How could renting out one's ID to provide access to bots for spamming/manipulation be avoided then?
A simple zero-knowledge credential system isn't sufficient. It would need to embed some kind of protections to limit how often it could be used, to detect usage of the same credential from multiple (implausibly far apart) IP addresses. There would need to be extremely sophisticated reputation scoring and blocklisting to quickly catch people who built fake identities or stole them. And even with every one of those protections, a lot of them will still be stolen and abused.
Slap on the wrist from the stage director.
The real world does allow it.
People have been able to write anonymous letters and send them through the mail for a long time. Still can.
No one checks my id before I stick an envelope in the mail box.
In the US that we know about.
I would not be surprised if there is some country that has a facial recognition camera network faced at mailboxes these days.
Yes, the UK has a lot of CCTV. But that's relatively new, and certainly after the idea that the Internet should allow anonymous or pseudonymous use.
Even then, here is literally the first post box I found looking in the UK, in a small town: https://www.google.com/maps/@52.0936599,0.0761217,3a,75y,165... . No CCTV in sight, no power, good solid iron.
Plus, think of how difficult it is to match a person to the physical envelope.
At best there could be a distinctive envelope.
Otherwise, yes, you can get a list of people who use the box. But for that to be useful, the mail from different boxes can't simply be jumbled together into the same pickup bag as that would broaden the number of suspects.
I believe that the question should be the other way around:
Why is it that you have to lose your anonymity when you are on the internet? The real world always allowed that until it became dependent on surveillance capitalism. Of course you need to prove you're yourself for some things, but that should be the exception. You could always look things up at your local library while being anonymous (for checking out you'd need a card), you could call from a payphone while being anonymous, you could use coins (cash in general) while being anonymous.
Anonymity was the rule and should still be the rule.
In the real world people can see who's doing what by looking.
Yes it does? Especially in a dense city vs small village (which is more comparable to the internet at large) - go for a walk, see some advertisement billboards, buy a newspaper (esp. with cash), read the news, who knows who I am?
Because there is a real demand for staying anonymous online. You'd know why, if you lived in a country taken over by a fascist regime.
The human will be the slower one.
Yeah, no offence, but sleep(2 + random.sample(coffee + toilet + sneezing + normal response time)) has been a required part of web scrapers since forever.
With coffee N(1,5 minutes, 20 seconds), toilet N(4 minutes, 30 seconds), ...
I guess it depends on how you're scraping. For general web crawling, simply implementing a response time based crawl back off per origin and identifying yourself appropriately in User Agent goes a long way. If you are instead automating Facebook's SPA to pull comments for analysis, then yeah you need to emulate a human, because that's not how they intend you to do it.
That's incredibly clever!
The thing about CAPTCHAs is that convnets were already better than the average human at reading most/all visual captchas, since ~2000. You still needed to program the logic of the captcha (it couldn't follow instructions like "find the red lights", but it could take a picture and find the red lights).
I wonder when we'll get to the point that employers can't tell the difference between transformers and real humans anymore ...
With Ethereum Attestation Service
https://attest.sh/
Things like Private Access Tokens: https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
I still find it funny that Google, with the advantage of having millions of Internet users train their AI like galley slaves for free, hasn’t yet been able to crack vision driven self driving. Tesla had no such advantage when training their FSD to recognize traffic lights, bicycles, motorcycles, etc.
Tesla, the company that just recalled 2 million self driving cars?
In fairness, the company best positioned to harness user input to an AI that avoids crashes would probably be Rockstar. OTOH, that AI would definitely not obey stop signs or pedestrians.
By recall you mean a completely routine OTA software update done while the driver is asleep.
How can it detect the driver is asleep?
A neural implant that only kills 10% of monkeys.
Monkeys at the wheel is probably the solution for self driving cars.
Seems like we already have those amongst the Tesla FSD proselytizers.
A recall for essential maintenance is just that. I would focus on the need for an urgent update due to the flaws rather than the issuing agency's lack of more accurate terminology for a relatively new element to cars. Rolling around in semantic mud on the term recall is not sensible, as the definition in regards to cars is fairly specific [0]. Basically a recall just means there is a safety defect that must be addressed by the manufacturer. In Tesla's case, yes, they can push out an update, but the delivery mechanism of the means of addressing the defect should not be the focus.
0 - https://www.progressive.com/lifelanes/on-the-road/understand...
It would be much more expensive and a bigger mistake to have the vehicles physically returned. The distinction is very important. There's also a difference whether a safety defect last for 1 hour/1 day/1 week or a year.
I don’t think anyone cares about what is the recall’s cost to Tesla owners. They care about the fact there are two million unsafe vehicles driving around at high speed near their loved ones. Especially ones driven by people who respond to such complaints with, “ehrm actually it just updated overnight so it wasn’t even a hassle for me ¯\_(ツ)_/¯”
Amusingly the infotainment system in our Model Y actually crashed on the way home tonight, and when it rebooted it decided to install the update then, while driving. Sent me a notification on my phone immediately afterwards. To be fair, the updates don't usually go that way.
Wow, that never happened to me and is unacceptable. Was that for the infotainment only or the drive train? Just for others, they are separate systems, you can even safely reboot the infotainment (main display with maps, music etc) if you need to while driving, as it doesn't affect the drive train. I'm guessing it was not the drive train which would be incredibly dangerous.
Tesla recalled two million vehicles after federal officials said it had not done enough to make sure that drivers remained attentive when using the system. Not because their self-driving system sucks, or whatever you were trying to imply.
If the self driving system were worth its salt, it wouldn't matter if the drivers weren't paying attention. Ergo, the system sucks, or is at the very least not nearly as good as Tesla likes to tout.
Well it's not like there's a self driving car system in operation today that does not require a human in the driver seat at all. Waymo has so much catching up to do.
Doesn't matter, the original point was about Google not being able to build a better self-driving system than Tesla, despite abundance of data, which is true, as far as I'm informed. Whether or not Tesla's self-driving system is "good enough" (for any chosen metric) is beyond the point.
But I guess people these days just love to jump on the opportunity to hate whatever is trendy to hate at the moment.
It can be "worth its salt" but the government still doesn't see it as such (for many possible reasons).
I don't know if it is or isn't, I never drove one, but those are two completely different standards.
A dystopian future we can all agree is more plausible than it should be
"recall"
The Tesla system is exciting and dangerous, because it does identify many things in the environment, but it's extremely unsafe because on city driving it will not make the right choice most of the time. On the freeway it does much better, but then that's a more restricted environment.
I have an older Tesla S with the pre-AI so called autopilot. It has one camera in the front and a radar and the system detects a few things like speed limit signs. The main extent of what it can do is follow the current lane pretty well, even when it curves, slows down if it comes up to a car going slower than its preset speed. The good thing is it works on any road. It does a shockingly good job.
The later systems with onboard special processors are like a crazy beginning driver who has way too much confidence and drives in dangerous situations willy nilly. There are many other people who have explored it and written long posts. It's not safe. You can try to use it but you have to be constantly paying extreme attention. It's like watching your kid drive the first time. I know you should be watching the stupid AI all the time, but it's far from being safe.
Yea, that's the problem with self driving, especially in cities/dense areas. We really need AGI first. There are so many issues that humans react to before there is identifiable danger.
"Good" drivers see questionable situations and slow down or position themselves farther from potential issues before they get to the issue so they don't have to react at the last minute.
But they have? For years Google Street view has read signs, house numbers, phone numbers of businesses, etc. from the environment. It is safe to assume they have this built into Waymo as well.
I assume you might be trying to reference "vision only" self-driving, which is a fantasy made up by Elon Musk because nobody would sell him LiDAR sensors cheaply.
https://www.thedrive.com/tech/43779/this-tesla-model-y-dummy...
It's a much harder problem, and Tesla is nowhere close to the solution
I always thought they used more timing & mouse movement instead of correct answer to verify if you're a human.
So instead of running some script

    checkbox = getPos(checkbox='notRobot')
    button = getPos(button='submit')
    cursor()
        .transition(pos=checkbox)
        .click()
        .transition(pos=button)
        .click()

They now

    checkbox = getPos(checkbox='notRobot')
    button = getPos(button='submit')
    cursor()
        .sleep(time=random(distribution='human_captcha'))
        .transition(pos=checkbox, method='human_captcha')
        .sleep(time=random(distribution='human_captcha'))
        .click()
        .sleep(time=random(distribution='human_captcha'))
        .transition(pos=button, method='human_captcha')
        .sleep(time=random(distribution='human_captcha'))
        .click()

Where sleep and transitioning are sampled from some random distribution that is close to actual human behavior, which should be pretty trivial to model.
All of which an AI bot agent can trivially fake.
This doesn't make sense. reCAPTCHA certainly does what it says on the tin. But the way it does it has almost nothing to do with the challenge the human sees. It's all behavioral analytics, including leveraging Google's collected data to determine how likely a user is a bot before they even load the page.
I'm not denying reCAPTCHA is a source of training data for Google -- surely there's no particular reason that every single reCAPTCHA V2 challenge is about identifying traffic objects, and it's not like Google is building a self-driving AI or anything.
But that's the business model, not the core feature.
And, that training data isn't just given to the developers of captcha solving bots.
And also completely incidentally making the web browsing experience a wee bit less pleasant for people who refuse to have google track their every click.
Like users of non-Chrome browsers, adblockers etc.
Totally incidental I'm sure.
Funnily enough, AI may be better at solving them than people. I've encountered many Google captchas which reject the correct answers, because you know... bots trained it to accept incorrect ones. Anyway, at least it's not stop signs anymore. It must have been truly embarrassing that Google was simultaneously selling "self driving" cars but at the same time demonstrating that stop sign recognition couldn't be done by robots.
When I get those I make it a point to look for borderline areas and try to guess how I could mess with their data.