Rendered at 14:13:59 GMT+0000 (Coordinated Universal Time) with Netlify.
coppsilgold 19 hours ago [-]
My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
palata 5 hours ago [-]
> Much like age verification
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
bpfrh 4 hours ago [-]
Really, how?
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuirs/enforcement, so if somebody gets access they will know you visited that site
Scaled 4 hours ago [-]
Parental controls on device are a better solution that work today and don't carry a risk of data breach.
harshreality 4 hours ago [-]
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
JoshTriplett 2 hours ago [-]
> They would be a solution if almost all parents used them
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
malfist 1 hours ago [-]
I should not have to surrender my anonymity because parents are too lazy to setup parental controls.
Asooka 48 minutes ago [-]
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
tjpnz 36 minutes ago [-]
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
raverbashing 3 hours ago [-]
Are they a better solution? Yes
Do they work currently? Not really
Are they too complex for the avg joe to work out. Unfortunately yes. (Something about the smartest bears and the dumbest humans)
Asooka 42 minutes ago [-]
Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
AdrianB1 1 hours ago [-]
As long as Joe has the right to vote, which is something more important and more complex, we cannot complain that parental control is too complex.
michaelt 3 hours ago [-]
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
chmod775 2 hours ago [-]
That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
michaelt 1 hours ago [-]
> That key will get leaked.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
maccard 4 hours ago [-]
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
nullc 16 minutes ago [-]
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and setup a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
Arch-TK 3 hours ago [-]
It should be possible with zero knowledge proofs.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
red_admiral 1 hours ago [-]
Blind signatures would work, with a bit of effort.
nullc 26 minutes ago [-]
You can prove your signature is from a key which is in a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
palata 4 hours ago [-]
With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.
andrepd 2 hours ago [-]
All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
AdrianB1 1 hours ago [-]
> Let's assume this is acceptable.
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
indymike 3 hours ago [-]
Divorcing technical detail from how it is used does little good for humanity.
deIeted 9 hours ago [-]
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
normie3000 9 hours ago [-]
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.
Is this speculation, or has it been confirmed somewhere?
TJSomething 7 hours ago [-]
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
Sophira 5 hours ago [-]
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
ChadNauseam 16 hours ago [-]
The domain in the attestation would be yours, so that wouldn't work
chadgpt2 15 hours ago [-]
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
eddythompson80 15 hours ago [-]
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
tardedmeme 15 hours ago [-]
How does the verification app on your phone know what's in the URL bar on your desktop?
ranger_danger 15 hours ago [-]
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
tardedmeme 15 hours ago [-]
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
ranger_danger 14 hours ago [-]
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
tardedmeme 12 hours ago [-]
They're tying my access to random users of a completely different service, and a different random user each time.
ranger_danger 11 hours ago [-]
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
gruez 13 hours ago [-]
After you scan the code, the verification app asks you "do you want to verify for example.com?"
tardedmeme 12 hours ago [-]
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Groxx 15 hours ago [-]
Some people will notice, some will not
coppsilgold 15 hours ago [-]
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
getpokedagain 17 hours ago [-]
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
duskdozer 4 hours ago [-]
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
medvidek 3 hours ago [-]
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
bluebarbet 3 hours ago [-]
Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.
Access is temporarily restricted
We detected unusual activity from your device or network.
Reasons may include:
-Rapid taps or clicks
-JavaScript disabled or not working
-Automated (bot) activity on your network (IP X.X.X.X)
-Use of developer or inspection tools
duskdozer 1 hours ago [-]
Does it work if you spoof the user agent?
> -Use of developer or inspection tools
Gotta love it.
bluebarbet 26 minutes ago [-]
It gets blocked in a private window, but only on the second page load. So more sophisticated than UA-blocking.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
tardedmeme 1 hours ago [-]
Developer tools are easily detected by looking for the viewport to resize a certain amount.
JoshTriplett 2 hours ago [-]
> That's great until it's some essential government, medical, educational, etc. service
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
palata 5 hours ago [-]
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
pixel_popping 1 hours ago [-]
I don't see the correlation with Google-signed android actually, people really want to have this friction when they visit a website? Like having to get your phone from another room, use camera and all that to access a website? This is so anti-pattern and is also disrespectful toward consumers, any webmaster participating into this imo should rethink his career and morality.
tardedmeme 16 hours ago [-]
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
papercruncher 16 hours ago [-]
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
spystath 14 hours ago [-]
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
drew870mitchell 15 hours ago [-]
Same, i'm doing a kitchen reno and gave up on Home Depot because of this
ksenzee 11 hours ago [-]
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
userbinator 13 hours ago [-]
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
tardedmeme 12 hours ago [-]
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
userbinator 11 hours ago [-]
The point is to spread the word.
petre 10 hours ago [-]
Maybe they'll figure it out when their revenue drops next quorter or the ones after that?
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
komali2 12 hours ago [-]
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
smcin 8 hours ago [-]
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election.
The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
Usually that just means the owners of the individual stores are the shareholders.
raincole 13 hours ago [-]
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
pixel_popping 58 minutes ago [-]
This is not true, maybe in the US, but in many countries you get captchas all the time with residential connection and also in public places all the time, internet cafe, airports, cafe wifis and so, they'll at least get it once, that way there is a permanent fingerprint correlation with real identity, I can bet that EVERYBODY will get it at some point so Google and other people on board with this atrocity (webmasters are also accomplice) can finish-up the master plan.
g-b-r 16 hours ago [-]
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
jbvlkt 16 hours ago [-]
I wanted to give money to charity and they have whole form protected by recaptcha. So I would have to allow all my personal information and amount donated sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is problem they just wanted to protect themself against bots. IMHO unless those things are not disallowed by antitrust laws we have lost.
vanviegen 5 hours ago [-]
We wouldn't want bots throwing money at us!
bar000n 15 hours ago [-]
i say technofeudalism, not sure i know what i'm writing about though
chadgpt2 15 hours ago [-]
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
sandworm101 12 hours ago [-]
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
lxgr 15 hours ago [-]
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
1vuio0pswjnm7 10 hours ago [-]
HN uses reCAPTCHA under certain conditions
getpokedagain 10 hours ago [-]
I've not hit it but that would suck.
pixel_popping 56 minutes ago [-]
I doubt they would let users be KYCed to access HN frankly, I seriously hope not at least.
IshKebab 2 hours ago [-]
Or stop spreading this extraordinarily naive view of how the world works.
g-b-r 16 hours ago [-]
Yeah, live in a cave, and problem solved.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
flatIronSteak 16 hours ago [-]
> Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
KPGv2 15 hours ago [-]
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
ggiigg 12 hours ago [-]
Felt same way about GrapheneOS but a few friends set it up so i gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
komali2 12 hours ago [-]
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashes when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
pocksuppet 6 hours ago [-]
Breathlessly awaiting the upcoming Motorola/Graphene crossover phone.
Ygg2 5 hours ago [-]
Can you run Graphene on non Pixel phones?
Sophira 4 hours ago [-]
Not yet. They've partnered with Motorola, though, so we'll probably be seeing some of their phones in the future that can run GrapheneOS.
duskdozer 4 hours ago [-]
You can use Lineage [/with microG]
g-b-r 16 hours ago [-]
sieabahlpark, I probably hate this more than you, you misunderstood
sieabahlpark 16 hours ago [-]
[dead]
vasco 12 hours ago [-]
So what are you doing here?
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
Roark66 6 hours ago [-]
At least in my country (Poland) you should be able to make a pretty bug fuss and resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.
People do care about such things.
I hope the same is true in other EU countries.
ethin 14 hours ago [-]
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
userbinator 8 hours ago [-]
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
fireflash38 3 hours ago [-]
The answer that no one likes: make it cost a nominal amount of money.
Enough to make it so bots are expensive to run.
ribtoks 9 hours ago [-]
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accesssible.
yehat 8 hours ago [-]
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
JKCalhoun 2 hours ago [-]
Beautiful analogy, BTW.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
unethical_ban 16 hours ago [-]
I agree, and I think CAPTCHA is a disservice on public websites.
majorchord 15 hours ago [-]
> I'm not going to give up reading the test results from my doctor
You could just call them.
scbrg 2 hours ago [-]
Fairly sure that would be considered a breach of patient confidentiality where I live, at least.
andwur 11 hours ago [-]
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
petre 9 hours ago [-]
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
getpokedagain 10 hours ago [-]
Or ask for a print out.
17 hours ago [-]
mekoka 2 hours ago [-]
[dead]
nullc 31 minutes ago [-]
> (as that would be 'farmable')
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
rdedev 16 hours ago [-]
When companies like this exist, what is the point of relying of TPM? Looks like the future is bright for VC backed bots
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
xmcp123 14 hours ago [-]
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
SlinkyOnStairs 14 hours ago [-]
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
chadgpt2 15 hours ago [-]
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
eddythompson80 15 hours ago [-]
That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
dakolli 16 hours ago [-]
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? Its kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
These companies would have to buy one phone per fake influencer.
tcoff91 16 hours ago [-]
Wow that is so dystopian.
huflungdung 15 hours ago [-]
[dead]
thaumasiotes 17 hours ago [-]
> My understanding is that this new reCAPTCHA is basically just remote attestation.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
lxgr 15 hours ago [-]
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
g-b-r 17 hours ago [-]
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
lxgr 15 hours ago [-]
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
palata 5 hours ago [-]
> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
varispeed 14 hours ago [-]
Shouldn't that be illegal under GDPR?
gib444 6 hours ago [-]
There are massive exemptions for the prevention and detection of crime
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
dheera 17 hours ago [-]
> Google didn’t demand iPhone users install Google software to pass the test.
Can de-Googled Android phones present themselves as iPhones?
coppsilgold 17 hours ago [-]
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
baybal2 5 hours ago [-]
[dead]
palata 5 hours ago [-]
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
bjackman 3 hours ago [-]
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
mnadkvlb 5 hours ago [-]
Exactly. Imagine them blocking captchas on iphone or windows
dwedge 15 hours ago [-]
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
fullstop 19 minutes ago [-]
> It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
I feel this more and more each day.
palata 5 hours ago [-]
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
circuit10 3 hours ago [-]
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
drnick1 13 hours ago [-]
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
palata 5 hours ago [-]
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
hsbauauvhabzb 2 hours ago [-]
Ah yes, google, the company who notoriously doesn’t offer any customer support will definitely make way for such complaints.
dwedge 1 hours ago [-]
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
microtonal 41 minutes ago [-]
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
xerox13ster 13 hours ago [-]
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
tuzakey 11 hours ago [-]
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. Its not the insurmountable obstacle everyone makes it out to be, but its not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
daneel_w 2 hours ago [-]
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
degamad 5 hours ago [-]
I do it self-hosted on a rented VPS, which gets around the IP address issue.
drnick1 13 hours ago [-]
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
manmal 7 hours ago [-]
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
dwedge 3 hours ago [-]
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
tuzakey 5 hours ago [-]
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
dwedge 3 hours ago [-]
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
ryukoposting 13 hours ago [-]
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
dwedge 8 hours ago [-]
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
dexterdog 13 hours ago [-]
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
zx8080 11 hours ago [-]
Nice that there's bank to move to. We need regulations against such lock ups.
dwedge 3 hours ago [-]
Forced 2FA for banking in the EU is making this worse when it doesn't work
gonzalohm 15 hours ago [-]
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
drnick1 13 hours ago [-]
What makes Samba annoying? I think it's perfect for its intended use (LAN).
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
komali2 12 hours ago [-]
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
danparsonson 15 hours ago [-]
Syncthing is very nice.
gonzalohm 3 hours ago [-]
Is not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
cromka 8 hours ago [-]
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
bsmith 15 hours ago [-]
If you dont need filesharing, you can just setup wireguard, setup a network drive on your phone's files app.l, and then when connected it'll feel like native file browsing.
archive.is just asked me for a QRcode scan, I'm so ashame of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
tomrod 11 minutes ago [-]
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
codedokode 15 hours ago [-]
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
duskdozer 3 hours ago [-]
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
tocariimaa 11 hours ago [-]
The water is already boiling and the frog can't get out anymore.
syntheticnature 14 hours ago [-]
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
zelphirkalt 6 hours ago [-]
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
riedel 6 hours ago [-]
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
duskdozer 3 hours ago [-]
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
j027 13 hours ago [-]
You can still use the audio captcha, but I’m not sure how long that’ll be around.
BloodyIron 13 hours ago [-]
Google will incur serious lawsuits if they remove that accessibility aspect.
a2128 12 hours ago [-]
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
chrisjj 6 hours ago [-]
They'll keep it, but require TPM in each ear.
actualwitch 3 hours ago [-]
Haven't you heard? Accessibility is woke, and the institutions that are supposed to protect it are being dismantled. I wouldn't be counting on those lawsuits going anywhere personally.
velocity3230 8 hours ago [-]
Sound advice.
tom1337 14 hours ago [-]
i wondered the same earlier and i am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have theor product, turnstile, available.
stavros 14 hours ago [-]
What? Don't Cloudflare literally have their own CAPTCHA service? Why are they using reCAPTCHA?
pixel_popping 1 hours ago [-]
Never understand this anymore, it's genuinely one of the easiest services to pay to bypass automatically (literally 3-liner of JS), webmasters are becoming incompetent.
1 hours ago [-]
stavros 1 hours ago [-]
If you don't understand something, the first thing to do is try to understand it, before going to "the people who use this are incompetent".
In this case, the answer is right there in the question: You have to pay to bypass it.
pixel_popping 14 minutes ago [-]
Sometimes, people just do dumb choices, there is nothing to understand except plain lazyness, there is better captchas, free, non-invasive, more secure, GDPR compliant and so-on that are also not covered by captcha-solving providers, so what's the positive argument about reCaptcha?
stavros 12 minutes ago [-]
A very strong brand?
gruez 13 hours ago [-]
They mimic the cloudflare captcha page but they're not hosted by cloudflare.
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
hedora 14 hours ago [-]
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
sunshine-o 6 hours ago [-]
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
for a short time i had warcprox sitting behind my firefox and auto feeding its output to pywb, it seemed to work but i had connections failing randomly after having warcprox running for more than a few hours~days. not sure if it's an issue with pywb or warcprox but there were some urls missing that i did browse on firefox, and many dynamic pages couldn't be replayed at all.
amluto 15 hours ago [-]
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
palata 5 hours ago [-]
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
cromka 8 hours ago [-]
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
palata 5 hours ago [-]
> because the EU currently doesn't want to antagonize US any more with their tech fines
Yeah, I say it as "because the US bully the EU to prevent them from doing it".
probably_wrong 7 hours ago [-]
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
treis 16 hours ago [-]
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
supriyo-biswas 9 hours ago [-]
Private access tokens are also a repackaged WEI as far as I'm concerned.
nightpool 11 hours ago [-]
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
incompatible 14 hours ago [-]
"pretended" ... do they even care any more?
FateOfNations 17 hours ago [-]
Not Invented Here Syndrome?
varenc 13 hours ago [-]
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
phyzome 12 hours ago [-]
I don't have one either. No plans to get one, even with this.
cantalopes 16 hours ago [-]
This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior
data-ottawa 15 hours ago [-]
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
failuser 15 hours ago [-]
The governments are the ones who needs the most. They want to know who all the potential and current dissidents are.
bigyabai 14 hours ago [-]
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
milderworkacc 16 hours ago [-]
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
KPGv2 15 hours ago [-]
[flagged]
OutOfHere 16 hours ago [-]
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
gib444 9 hours ago [-]
Oh man as if we still live in those times
chrisjj 6 hours ago [-]
"Don't be evil. That's our job."
smallerize 13 hours ago [-]
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
gene91 10 hours ago [-]
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
oefrha 4 minutes ago [-]
Using apps based on Google Play Services may be impossible on those phones out of the box (not sure), but websites have no such dependency and most people don’t give a crap about push notifications from PWAs anyway so whether FCM works with the device matters little.
This is blocking access to websites wholesale, so it’s on a whole different level.
ickyforce 9 hours ago [-]
What's wrong with Apple push notifications in China?
poilcn 8 hours ago [-]
"non-Apple", i.e. Android
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
tinycommit 14 hours ago [-]
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
Velocifyer 1 hours ago [-]
hCaptcha is horrible. I think that a PoW captcha would be effective to make spammers just mine Monero instead.
himata4113 13 hours ago [-]
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
lxgr 15 hours ago [-]
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
brunocvcunha 15 hours ago [-]
AI Studio playground maybe? It seems all integrated.
lxgr 15 hours ago [-]
They almost certainly didn't use that.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
arccy 14 hours ago [-]
probably Google Doc Apps Script, those create so many Google cloud projects
buzzwords 16 hours ago [-]
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
fluidcruft 16 hours ago [-]
There really isn't much of an option. Apple's just as bad if not worse.
queenkjuul 15 hours ago [-]
At least with an Android i have the option of Graphene, and have access to a terminal, and for now can sideload apps.
With apple there's no choices, so I'll continue to take my chances with Android
fluidcruft 15 hours ago [-]
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
tardedmeme 13 hours ago [-]
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
duskdozer 3 hours ago [-]
It's less about those sites than it is about government services, banking, healthcare, employment, etc
microtonal 8 hours ago [-]
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
palata 4 hours ago [-]
> Also, personally I care less and less. As long as my banks and government apps work
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
lxgr 15 hours ago [-]
Can Graphene OS pass this kind of Google attestation challenge, though?
palata 4 hours ago [-]
No.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
chadgpt2 15 hours ago [-]
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
LeoPanthera 13 hours ago [-]
> Apple's just as bad if not worse.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
palata 4 hours ago [-]
Motorola won't change a thing about hardware attestation. GrapheneOS is locked out from reCAPTCHA because GrapheneOS is signed by GrapheneOS and not by Google.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
doctor_radium 12 hours ago [-]
I'll be waiting.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
t_mahmood 3 hours ago [-]
For calendar, I now have my own local setup, with Tailscale
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
microtonal 8 hours ago [-]
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, have great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
You won't be alone. I've resolved that this will be my last Googled phone.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
drpixie 13 hours ago [-]
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
nosioptar 12 hours ago [-]
I've been getting asked more and more how to degoogle stuff by non-nerds.
drnick1 13 hours ago [-]
Android yes, but Graphene is the answer.
koala-news 11 hours ago [-]
The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.
balamatom 5 hours ago [-]
Those two add up to "prove that you allow computer vendors to teach you what 'human' means".
drnick1 13 hours ago [-]
So Stallman was right, after all?
quantummagic 11 hours ago [-]
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
palata 4 hours ago [-]
I disagree. The reason we are where we are today is the lack of antitrust.
quantummagic 4 hours ago [-]
Even if we accept your premise, laws don't just appear; they are an organized response to a recognized problem. But everyone has been sleeping on the problem lurking in our infrastructure, undermining any impetus to enact such laws. And the people screaming from the mountain top (like Stallman), trying to raise awareness, were routinely mocked and marginalized by those all too happy to accept convenience and expediency, over more sustainable values.
drewfax 7 hours ago [-]
I wish Linus had adopted GPL v3. He had the power to stop this madness from big tech, but he sided with them. It just reveals that he never fully understood the reason for the existence of GPL in the first place.
palata 4 hours ago [-]
GPLv3 would not prevent remote attestation AT ALL.
rvz 6 hours ago [-]
> He had the power to stop this madness from big tech, but he sided with them.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
xethos 12 hours ago [-]
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment, on any topic that touches on libre computing, is that it's only a matter of time until he is
sunshine-o 5 hours ago [-]
Yes he was.
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
paulnpace 11 minutes ago [-]
I wonder if any of these sites will see any meaningful drop in users, or if they even care.
pzmarzly 15 hours ago [-]
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
rippeltippel 9 hours ago [-]
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
himata4113 13 hours ago [-]
I did something unpopular and just didn't have a captcha, I just read up on creepjs etc and rolled out my own which is just browser state analysis, basic ip check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
grishka 5 hours ago [-]
A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
orblivion 10 hours ago [-]
I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.
riffraff 9 hours ago [-]
I mean, they could sue for non competitive behavior, but good luck beating Google's lawyers
palata 4 hours ago [-]
GrapheneOS users (and actually just citizen who care) in the EU should complain to the DMA team [1]. As with everything: the more people complain, the higher priority it gets.
I recommend every EU citizen to do this. Don't send a pre-canned message or an LLM-generated message. Write your own story and how Google (and Apple) are destroying competition and freedom for you as an EU citizen.
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
kyrofa 16 hours ago [-]
I don't even have a smart phone, I assume there is some sort of fallback behavior?
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
ezekiel68 17 hours ago [-]
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
palata 4 hours ago [-]
> Simply create a new smart device operating system
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
drpixie 13 hours ago [-]
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
palata 4 hours ago [-]
AOSP is open source. There are plenty of AOSP-based systems (starting with GrapheneOS). No need for a new one.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
cybercatgurrl 16 hours ago [-]
and that is gonna be funded by who? anyone who is gonna fund that is gonna want their slice of the pie. we need regulation to keep big tech in line
repelsteeltje 16 hours ago [-]
How about consumers paying a little extra for their device? The way it's going, add sponsored big tech is dieing because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
undeveloper 7 hours ago [-]
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relavent ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
ruszki 6 hours ago [-]
Normies?
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
pixel_popping 1 hours ago [-]
What's wrong with having something to hide? I do.
flatIronSteak 16 hours ago [-]
I uh.. I think that was the (sarcastic) point.
BrenBarn 6 hours ago [-]
Ideally it would be funded by the personal wealth of the people who've profited from the current situation.
gessha 13 hours ago [-]
Parent is sarcastic
fsflover 16 hours ago [-]
Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.
colordrops 17 hours ago [-]
Ugh I hate that I can't tell whether you are being sarcastic or not.
ranger_danger 19 hours ago [-]
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
Jigsy 18 hours ago [-]
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
anonymousiam 17 hours ago [-]
Why not just change your user agent string?
codedokode 15 hours ago [-]
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
userbinator 8 hours ago [-]
That naturally implies we must patch the browser.
"Source code? We don't need no stinkin' source code!"
codedokode 3 hours ago [-]
That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
tardedmeme 17 hours ago [-]
It probably fingerprints the browser via TLS fingerprinting.
mschuster91 17 hours ago [-]
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
miladyincontrol 16 hours ago [-]
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
ranger_danger 16 hours ago [-]
Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
donmcronald 13 hours ago [-]
Does the app function as a proxy? I always assumed that wasn’t possible.
ranger_danger 12 hours ago [-]
Why wouldn't it be possible? As long as background network access is allowed (the default).
chadgpt2 15 hours ago [-]
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
donmcronald 13 hours ago [-]
Yes. What if your connection is used for illegal activity?
wraptile 5 hours ago [-]
It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha
rescbr 15 hours ago [-]
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
hysan 18 hours ago [-]
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
prism56 19 hours ago [-]
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
retired 16 hours ago [-]
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
Milpotel 19 hours ago [-]
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
ranger_danger 18 hours ago [-]
Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
ck2 18 hours ago [-]
whenever I can't access a website for various stupid blocks
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
wafflemaker 18 hours ago [-]
You sir seem to have solved a problem many people here have.
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
tardedmeme 18 hours ago [-]
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
krackers 17 hours ago [-]
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
donmcronald 13 hours ago [-]
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
titularcomment 16 hours ago [-]
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.
chrisjj 6 hours ago [-]
> I just take my business elsewhere...
Mars? /i
spankibalt 18 hours ago [-]
Time for some lawfare!
DANmode 18 hours ago [-]
The Government reviewed the Google situation on behalf of you,
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
bigyabai 9 hours ago [-]
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
dstnn 15 hours ago [-]
Its going to be just like the wild days of the late 90s and 2000s
Strap in, the ownage will be hard.
moebrowne 7 hours ago [-]
OK, so what are the alternatives, what can developers use instead?
pixel_popping 1 hours ago [-]
It feels ultra sad that "developers" think they need to use reCaptcha? What is this lazyness, it's not even good on top of that at what it does, recaptcha cost less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.
Even competent people got completely brainwashed, crazy.
palata 4 hours ago [-]
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
doublerabbit 2 hours ago [-]
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.
Above is verbose from my honeypot. Some security camera network has been hacked and is being used for net thrifting in Romania.
The internet is a failure. Congratulations us.
pavel_st 1 hours ago [-]
this is going to keep happening across every trust layer google rolls out
the trajectory has been clear since AMP-convenience for site owners, attestation pressure on users
BloodyIron 13 hours ago [-]
I'm sorry Google, I'm afraid I can't do that.
db48x 4 hours ago [-]
I long ago stopped using any webpage that uses a captcha. If the website uses one, I bounce.
hedora 14 hours ago [-]
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
Permit 14 hours ago [-]
It looks like archive.is uses recaptcha so I don’t think that’s the fix you’re looking for.
tardedmeme 13 hours ago [-]
then we make a new one
Worf 16 hours ago [-]
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
brikym 16 hours ago [-]
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
freedomben 16 hours ago [-]
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
mikepurvis 16 hours ago [-]
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
donmcronald 14 hours ago [-]
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
mikepurvis 13 hours ago [-]
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
pino83 16 hours ago [-]
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
dwedge 15 hours ago [-]
So just to clarify, you also didn't solve anything but you want everyone to know you told them so and you were smarter?
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
donmcronald 14 hours ago [-]
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
pino83 14 hours ago [-]
Oh, yeah, these discussions as well... Precisely.
Good that some people are able to translate my thoughts into actual English... :D
pino83 15 hours ago [-]
> Reminds me of Facebook engagement bait
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
userbinator 8 hours ago [-]
The sort of regulation we need for this must be as solid as a constitutional amendment, but that is going to be very, very difficult.
KPGv2 15 hours ago [-]
> Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
Everyone in power wants it, across the entire globe.
retired 16 hours ago [-]
Already happening. The official German identification app, AusweisApp, is designed exclusively for Android and Apple mobile devices
lxgr 15 hours ago [-]
> designed exclusively for Android and Apple mobile devices
That's very different from requiring hardware attestation, though.
pseudalopex 6 hours ago [-]
It is a little different. But not very different.
somethingweird 15 hours ago [-]
No, you can also get it for Windows and Huawei devices. So three American and one Chinese companies. Great.
bigyabai 14 hours ago [-]
With Salt Typhoon, that's a whole four ways to choose how China steals your data.
And to think, people said consumer choice was dead...
ranger_danger 15 hours ago [-]
If it was developed by the government, shouldn't the source or an API be available? Surely third-party apps can be made in that case?
poopooracoocoo 13 hours ago [-]
That'd be great but governments often don't make specs and source code available. Governments don't make things open.
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
palata 4 hours ago [-]
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
lukashahnart 14 hours ago [-]
What do you use instead? iOS?
manmal 7 hours ago [-]
It’s quite easy to remote control an Android phone with an agent (eg there‘s agent-device). I don’t think this will keep automation from happening.
OutOfHere 16 hours ago [-]
If there was any remaining doubt whether Google is evil, this settles that yes it is.
codedokode 15 hours ago [-]
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires to scan a QR code to register account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
Nobody trusts web browsers nowadays.
danparsonson 14 hours ago [-]
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
codedokode 16 minutes ago [-]
I meant "corporations do not trust users who register from a web browser and not from a mobile app". Without a mobile app (which allows to collect more hardware identifiers and spam you with notifications) you are not welcome.
dredmorbius 2 hours ago [-]
My reading of codedokode:
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
tardedmeme 13 hours ago [-]
I think you can just search 'buy google account' - it isn't illegal.
danparsonson 3 hours ago [-]
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
codedokode 17 minutes ago [-]
The price is about $2-3 so you are not risking much, there are reviews and ratings. Of course there are scam sites, but once you buy several accounts you quickly figure out which ones are scam and which are not. Bank cards (sadly for larger sums only - probably difficult to find a merchant) as well as cryptocurrency are accepted. The interface supports Russian and English languages which points at the country of origin.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
Also avoid buying Facebook, it's paranoid and with high probability you won't be able to login unless you use some "correct" combination of anti-detect browser, proxy and provided cookies. But Google, VK and Telegram are usually ok to use from different location if you don't do stupid things like logging into multiple accounts from the same IP and browser.
pixel_popping 1 hours ago [-]
Markets are regulated by reviews, seller history and so-on, the same as legal markets and it's generally smooth.
grishka 4 hours ago [-]
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.
shevy-java 8 hours ago [-]
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
Andrex 17 hours ago [-]
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
spencerflem 15 hours ago [-]
I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Andrex 10 hours ago [-]
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
donmcronald 13 hours ago [-]
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
SV_BubbleTime 15 hours ago [-]
Well, how does Tor or other services do it now?
eddythompson80 12 hours ago [-]
Tor does it by being so painfully slow an unreliable that the only way you would use it is if there is a cocaine-style reward at the end of it.
staringforward 10 hours ago [-]
> Tor does it by being so painfully slow an unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
spencerflem 14 hours ago [-]
They get blocked by Recaptcha, I think.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
986aignan 14 hours ago [-]
> They get blocked by Recaptcha, I think.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
SV_BubbleTime 13 hours ago [-]
Proof of work I get, but isn’t that like step2?
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
chadgpt2 15 hours ago [-]
[dead]
roywiggins 12 hours ago [-]
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
18 hours ago [-]
anonymars 14 hours ago [-]
What a coincidence that Windows 11 makes it a requirement!
fsflover 16 hours ago [-]
TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
cyklosarin 15 hours ago [-]
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
djfergus 15 hours ago [-]
What happens with Chinese Huawei phones that don’t have Google services?
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
cyberax 16 hours ago [-]
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
SV_BubbleTime 15 hours ago [-]
Treatment is not a cure.
cyberax 14 hours ago [-]
Agreed. I'm just pointing out the possibility (for now).
hackernews682 19 hours ago [-]
The gate to the pig pen is closing…
citizenpaul 18 hours ago [-]
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
yohannesk 16 hours ago [-]
Isn't reCAPTCHA a spam? This video I watched recently does a nice history and also was enjoyable to watch https://youtu.be/seX_rDEsP6E?si
holoduke 6 hours ago [-]
One positive thing about tools like Claude is that I can finally do things where I had originally no time for. For example I asked Claude to debloat windows. Remove everything possible. From firewalls to notepad to uac to whatever. I also asked Claude to root my pixel phone and install another OS. I also asked to install pihole on a old Mac to serve as a dns and block all ads. All this took maybe an hour of my time.
gib444 9 hours ago [-]
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
ChrisArchitect 19 hours ago [-]
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
userbinator 7 hours ago [-]
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
Here's the obligatory: Google, FUCK YOU!
wurtapp 12 hours ago [-]
Heh
neilv 13 hours ago [-]
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
gregoryl 11 hours ago [-]
I agree, wholeheartedly - lets get a list of the google engineers who worked on this. What do you propose we do with it?
neilv 6 hours ago [-]
I had more the thought like being skeptical of anyone who would take a job at company Foo or stay there, when they tell you. To me that seems preferable to trying to -- what risks devolving into -- a witch hunt of fall guys (persons), and doxxing people.
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
userbinator 8 hours ago [-]
Spread the word. They need to be held accountable the same way elected officials are --- except in this case they're not even elected.
einpoklum 16 hours ago [-]
Google seems to be putting yet another brick in the garden wall.
jwally 4 hours ago [-]
[flagged]
superasn 19 hours ago [-]
[dead]
picsao 15 hours ago [-]
[dead]
zuogl 11 hours ago [-]
[dead]
zuogl 12 hours ago [-]
[flagged]
lpcvoid 7 hours ago [-]
[dead]
theturtle 19 hours ago [-]
[dead]
Vampyre 12 hours ago [-]
[flagged]
tomhow 5 hours ago [-]
We've banned this account. This is an utterly appalling comment.
Vampyre 1 hours ago [-]
[dead]
oybng 16 hours ago [-]
[flagged]
dang 16 hours ago [-]
The article was at #1 on the frontpage when you posted this.
kittikitti 18 hours ago [-]
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
bellowsgulch 14 hours ago [-]
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
PaulHoule 18 hours ago [-]
The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution.
g-b-r 17 hours ago [-]
A fork of it, updated periodically
And let's not pretend that we mean the kernel when we say Linux distribution
charcircuit 16 hours ago [-]
Debian also uses a fork that is updated periodically.
yjftsjthsd-h 17 hours ago [-]
Android literally is a Linux distro, though. Like, sure it has a weird userspace and is user hostile, but that doesn't make it not a Linux distro.
cybercatgurrl 16 hours ago [-]
linux is a choice, this is not a choice. fairly confident people are rejecting this notion on ideological grounds
Ylpertnodi 16 hours ago [-]
> ... and is user hostile,
How so?
IsTom 18 hours ago [-]
It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux".
prophesi 18 hours ago [-]
Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuirs/enforcement, so if somebody gets access they will know you visited that site
There's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
Do they work currently? Not really
Are they too complex for the avg joe to work out. Unfortunately yes. (Something about the smartest bears and the dumbest humans)
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs with challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...
Jesus Christ.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonimize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
Such systems are deployed in production by privacy preserving cryptocurrencies as its the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
Is this speculation, or has it been confirmed somewhere?
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
[0] https://en.wikipedia.org/wiki/Internet_Association
[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what would I do if I had to move to Germany and use trains there more often.
> -Use of developer or inspection tools
Gotta love it.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
I was thinking in the same terms: you put up a QR capcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
https://www.rei.com/newsroom/article/2026-rei-board-of-direc...
https://www.rei.com/newsroom/article/rei-announces-2026-boar...
https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
[0] https://news.ycombinator.com/item?id=34312937
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
People do care about such things.
I hope the same is true in other EU countries.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
Enough to make it so bots are expensive to run.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
You could just call them.
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
https://doublespeed.ai/
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....
[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....
[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
But anything your phone can possibly do in software can be spoofed, so how would that help?
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
And https://gdpr.eu/recital-49-network-and-information-security-... :
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
Can de-Googled Android phones present themselves as iPhones?
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
https://developer.apple.com/news/?id=huqjyh7k
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
I feel this more and more each day.
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reedit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential, its nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if its just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think its cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and setup MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Lets Encrypt don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or setup a stack to parse them as they arrive (DNS + Config + https)
* setup the SMTP Submission port (587), so many networks block port 25 outbound and its the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues with with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&Ts free email and on to ProtonMail at this point.
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
https://ibb.co/X9Q6Y84
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
In this case, the answer is right there in the question: You have to pay to bypass it.
Wow, This is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
- [0] https://github.com/internetarchive/warcprox
Yeah, I say it as "because the US bully the EU to prevent them from doing it".
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
This is blocking access to websites wholesale, so it’s on a whole different level.
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
With apple there's no choices, so I'll continue to take my chances with Android
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Calendar server: https://radicale.org/v3.html Sync: https://manual.davx5.com/
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
[1]: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as less data as possible". They know regardless.
I used VPN, browser containers for everything, myriad of fingerprinting protection, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what were my thoughts at the time. That was the moment when I realized that I suffered for nothing.
I still support for privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore at this current environment, that ship sailed decades ago.
My problem is that basically every larger for privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
"Source code? We don't need no stinkin' source code!"
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
Mars? /i
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
Strap in, the ownage will be hard.
Even competent people got completely brainwashed, crazy.
The internet is a failure. Congratulations us.
the trajectory has been clear since AMP-convenience for site owners, attestation pressure on users
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
Good that some people are able to translate my thoughts into actual English... :D
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
Everyone in power wants it, across the entire globe.
That's very different from requiring hardware attestation, though.
And to think, people said consumer choice was dead...
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
Nobody trusts web browsers nowadays.
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
Also avoid buying Facebook, it's paranoid and with high probability you won't be able to login unless you use some "correct" combination of anti-detect browser, proxy and provided cookies. But Google, VK and Telegram are usually ok to use from different location if you don't do stupid things like logging into multiple accounts from the same IP and browser.
https://ublockorigin.com/
See the explanation associated with Manifest V3.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
https://news.ycombinator.com/item?id=48063199
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
Here's the obligatory: Google, FUCK YOU!
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
And let's not pretend that we mean the kernel when we say Linux distribution
How so?