Can hCaptcha be used to replace ReCAPTCHA at BitcoinTalk?

[100bitcoin]

https://bitcointalk.org/captcha_code.php is great. But, for first timers through Tor, the experience is terrible.

hCaptcha is Tor friendly and does not track like Google does. Below is the developer's guide...

https://docs.hcaptcha.com/

It is already been used by CloudFlare as well. Below is their statement.

https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

Worth a try?

p.s. If anyone already have experience in using it, please share your experience too.

[bL4nkcode]

Here's a discussion between google recaptcha and hcaptcha https://bitcointalk.org/index.php?topic=5241569.0, yet, theymos didn't voice out his opinion about the matter.

Aside from that, bookmarking https://bitcointalk.org/captcha_code.php will help users to bypass recaptcha when logging in.

[AB de Royse777]

I hate this hCaptcha but I had no idea that this was not from google and since it's Google free then I would like us to use this instead of ReCAPTCHA.

p.s. If anyone already have experience in using it, please share your experience too.

As a user I did not like it ofc.

[Lucius]

I used it many times for years, and I have already noticed various modifications by which they try to block the bots. Similar to reCaptcha, the difficulty of a task depends on how successfully and how many captchas you solve in a given period of time. Also, hCaptcha can be customized by the one who sets it in a way that gives you only one or up to three tasks before allowing you to solve it completely.

However, according to what the admin wrote, this captcha, like all others that currently exist, is not even close to the level of security that reCaptcha has, so it will certainly not be considered as an alternative.

Here's an example of what it looks like, specifically here you need to select all the images that contain the trains, and then follows another series of images where you need to repeat the same to pass captcha.

[examplens]

I hate this hCaptcha but I had no idea that this was not from google and since it's Google free then I would like us to use this instead of ReCAPTCHA.

p.s. If anyone already have experience in using it, please share your experience too.

As a user I did not like it ofc.

+1
I meet hCaptcha, and I must say he quite frustrated me. One of the worst. They have very unrecognizable images and I need to concentrate very well to pass captcha. lose interest to visit service when I must pass it.
Google reCaptcha is okay, and he never made it difficult for me. it is clear that this is not just my opinion, services that have experimented with h, they returned to the proven captcha services. I am very grateful for that.

[Lucius]

One of the worst. They have very unrecognizable images and I need to concentrate very well to pass captcha. lose interest to visit service when I must pass it.

Are you by any chance seen my post? What is in the picture I am posted unrecognizable for you? hCaptcha is at this point far easier for solving than reCaptcha, and especially for those who deal with them a lot on a daily basis. This is about logging into a forum where there is even an alternative to bypassing the captcha, but if you try to solve 100 reCaptchas a day, not only will they become almost unsolvable, but Google will ban you assuming you are a bot.

reCaptcha is on this forum for a reason, the admin has explained everything in detail, and there is no point in asking for a change.

[dkbit98]

Cloudflare and many other websites are starting to use hCaptcha, I never had a single issue to solve their captcha, and I can't say the same thing for Gcaptchas.
I don'l like helping google and train their AI all for free 

[examplens]

One of the worst. They have very unrecognizable images and I need to concentrate very well to pass captcha. lose interest to visit service when I must pass it.

Are you by any chance seen my post? What is in the picture I am posted unrecognizable for you? hCaptcha is at this point far easier for solving than reCaptcha, and especially for those who deal with them a lot on a daily basis. This is about logging into a forum where there is even an alternative to bypassing the captcha, but if you try to solve 100 reCaptchas a day, not only will they become almost unsolvable, but Google will ban you assuming you are a bot.

reCaptcha is on this forum for a reason, the admin has explained everything in detail, and there is no point in asking for a change.

Of course, I see your post, that's exactly what bothers me. although I use it once or twice during the day, I don't like to see hCaptcha. Google was never complicated security question for few times per day.
Maybe is this picture so clear for you, but it's not in my case. check the difference between your pic from captcha and usual from reCaptcha.



I haven't a problem with forum login, as long as there is an option "Always stay logged in".  

[UserU]

I'd honestly say that having both is better than just once.

Based on my experience, I solve hCAPTCHAs slower than reCAPTCHAs because it's a separate 9x9 grid unlike the latter's one canvas.

Of course reCAPTCHA has its own major caveats, primarily the slow loading ones and the click-until-there's-none-left.

[Mrengage]

https://bitcointalk.org/captcha_code.php is great. But, for first timers through Tor, the experience is terrible.

hCaptcha is Tor friendly and does not track like Google does. Below is the developer's guide...

https://docs.hcaptcha.com/

It is already been used by CloudFlare as well. Below is their statement.

https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

Worth a try?

p.s. If anyone already have experience in using it, please share your experience too.

CAPTCHA is something I don't experience when logging in my account because I already clicked keep me signed in so replacement of it to Hcaptcha I probably don't know how it will look like. No doubting about this idea but let's watch out if theymos will look into it again because I have come across this same topic: https://bitcointalk.org/index.php?topic=5241569.0

[PrimeNumber7]

I don'l like helping google and train their AI all for free 

You are not training AI for google when you solve a recaptcha.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

I don’t know how good this service in the OP is at hiding the class of what each image is.

[suchmoon]

You are not training AI for google when you solve a recaptcha.

https://www.google.com/recaptcha/intro/v3.html

Hundreds of millions of CAPTCHAs are solved by people every day. reCAPTCHA makes positive use of this human effort by channeling the time spent solving CAPTCHAs into annotating images and building machine learning datasets. This in turn helps improve maps and solve hard AI problems.

[mprep]

Cloudflare and many other websites are starting to use hCaptcha, I never had a single issue to solve their captcha, and I can't say the same thing for Gcaptchas.
I don'l like helping google and train their AI all for free  

You aren't doing it for free though. Instead of theymos (or any other website owner that uses reCAPTCHA) paying Google per request in cold hard cash, you are footing the bill in small increments of human labor. In exchange, you receive access to whatever resource that's protected behind that captcha.

The same applies to hCaptcha with the differences being:
1. You're training artificial neural networks in classifying images for a different company so if you have a burning hatred for Google, I guess that's a plus.
2. According to hCaptcha's website, they're supposedly more privacy focused. Verifying that may prove difficult as with all centralized closed-source services. I'd personally take promises made by for-profit enterprises with a grain of salt unless you can check it yourself. According to OP, it's supposedly friendlier to TOR users so I guess there's at least one aspect that can be verified.
3. In the future, the owner of the website may get some nebulous Ethereum token for users solving captchas on their website.

But most importantly (and the main reason why Cloudflare switched captcha providers) is:
4. To my knowledge, they don't demand cash from website owners who "wish to make more than 1k calls per second or 1m calls per month". This used to be the case with reCaptcha as well up until the second half of 2019 (somewhere between July 18th and September 11th). With this and starting to charge websites for using Google Maps, it seems like Google's undergone a slight shift in monetization strategy, double or even tripple dipping (if you count data harvesting for their ad personalization engine) in the case of reCAPTCHA.

Oh, and
5. hCaptcha doesn't have a no-JS captcha though Google seems to be scrubbing info on theirs out of their documentation (old vs new; it still works if you know how to set it up though they'll probably shut it down once enough websites stop using it). In the case of Bitcointalk, it seems that theymos hasn't enabled it though so not much of a selling point for him.

So if Bitcointalk ever starts hitting reCAPTCHA's QPS limits, yeah, I guess hCaptcha might be something theymos should consider. Don't really know how hCaptcha's captchas hold up against fully automated attacks though. If a motivated and intelligent attacker can automate and scale the solving process without relying on (outsourced) manual labor, the captcha is literally useless.

I don'l like helping google and train their AI all for free  

You are not training AI for google when you solve a recaptcha.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

I don’t know how good this service in the OP is at hiding the class of what each image is.

Static datasets of images only work so far when you're working on problems at a global scale. Judging from the images that reCAPTCHA v2 seems to be serving to users, they're either refining their Maps solution (something related to "Street View" maybe) or working on something related to self-driving cars. AFAIK while a lot of the images Google presents have already been labelled (they do indeed need to know the right answer to the question if they want to determine who's a bot and who isn't), they insert one or two that aren't and after enough users reach a consensus, it accepts the most popular solution as truth. It's a methodology they've refined from the reCAPTCHA v1 days where it was much easier to tell which word was the test and which one was being used to digitize old books.

Considering reCAPTCHA's popularity, if they only rotated and warped images from static datasets, sooner or later someone would have mapped enough of it out to develop an automated captcha breaking solution. It's a perpetual arms race where Google has to constantly stay ahead to win.

[UserU]

You are not training AI for google when you solve a recaptcha.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

I don’t know how good this service in the OP is at hiding the class of what each image is.

Interesting, I've always wondered where Google got those particular images since Googling never returned a solid answer.

[suchmoon]

Considering reCAPTCHA's popularity, if they only rotated and warped images from static datasets, sooner or later someone would have mapped enough of it out to develop an automated captcha breaking solution. It's a perpetual arms race where Google has to constantly stay ahead to win.

It's impossible to win in the long run. At some point AI attackers will get better at solving pictures than humans, frustrating the latter with the ever-blurrier images and making the whole captcha thing unusable.

[20kevin20]

I used to have annoying issues when using reCAPTCHA, Tor & Bitcointalk but I ended up memorizing the  BTCTalk Captcha code so now I'm using that one every time.

It usually takes me max 2 attempts to bypass hCaptcha with Tor while reCAPTCHA takes many minutes, especially when it says there were too many attempts from the IP (requiring a New Identity). This makes me think that hCaptcha is under Google's when it comes to bots.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

The images are cropped every time when you have to complete a captcha though, aren't they?

As they always give images cropped from different positions, doesn't that mean they could give us 9 squares and depending on which one we click, the AI understands which part exactly of the picture contains the target object? Some squares contain only a very small part of the object or none.

[PrimeNumber7]

I don'l like helping google and train their AI all for free 

You are not training AI for google when you solve a recaptcha.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

I don’t know how good this service in the OP is at hiding the class of what each image is.

Static datasets of images only work so far when you're working on problems at a global scale. Judging from the images that reCAPTCHA v2 seems to be serving to users, they're either refining their Maps solution (something related to "Street View" maybe) or working on something related to self-driving cars. AFAIK while a lot of the images Google presents have already been labelled (they do indeed need to know the right answer to the question if they want to determine who's a bot and who isn't), they insert one or two that aren't and after enough users reach a consensus, it accepts the most popular solution as truth. It's a methodology they've refined from the reCAPTCHA v1 days where it was much easier to tell which word was the test and which one was being used to digitize old books.

Considering reCAPTCHA's popularity, if they only rotated and warped images from static datasets, sooner or later someone would have mapped enough of it out to develop an automated captcha breaking solution. It's a perpetual arms race where Google has to constantly stay ahead to win.

It is probably safe to say that the images you see when solving ReCAPTCHA have never been seen via any kind of camera lens, and they are of places that do not actually exist. It is not terribly difficult to create a model that can identify which images contain a fire hydrant, a taxi, a boat, or one of hundreds of other classes. If you can't create a model that can identify the above, there are numerous freely available models that can accurately identify any of the above. It is also probably a safe bet that a subset of the images you see when solving a ReCAPTCHA will fool many advanced classification models using one or more techniques that add "noise" to images that the human eye cannot see.

Without the latter, it would be very easy to create a bot that can beat ReCAPTCHA, and without the former Google would run out of images to display. Google could use images from Street View for example and get users to form a consensus as to how each image should be labeled, however, someone working on a large scale could manipulate this process, and it would be easier to simply create many images out of thin air.

Google will present images that sometimes has patterns that are similar to another type of image. For example, they may display paint of a cross walk at a certain angle when asking you to select all instances of stairs. The images have already been labeled and are known to google. There are many freely available datasets that are labeled, such as Imagenet. Google can also create additional images using that dataset.

The images are cropped every time when you have to complete a captcha though, aren't they?

As they always give images cropped from different positions, doesn't that mean they could give us 9 squares and depending on which one we click, the AI understands which part exactly of the picture contains the target object? Some squares contain only a very small part of the object or none.

The whole point of ReCAPTCHA is to make it difficult to tell if each of the 9 images can fit into the requested classification. Sometimes there is a small part of an object in one of the images. You could create a bot that combines the 9 images and tries to detect where the bounding box of the object that is the class being detected is, and if the bounding box is sufficiently close to the cutoff to two of the adjacent images, the bot could select both images to contain a traffic light, for example.

ReCAPTCHA uses multiple, distinct countermeasures to detect non-human interaction on different sets of images being displayed. If you perform better against one set of images than another that uses different countermeasures, you may stick out more.

Considering reCAPTCHA's popularity, if they only rotated and warped images from static datasets, sooner or later someone would have mapped enough of it out to develop an automated captcha breaking solution. It's a perpetual arms race where Google has to constantly stay ahead to win.

It's impossible to win in the long run. At some point AI attackers will get better at solving pictures than humans, frustrating the latter with the ever-blurrier images and making the whole captcha thing unusable.

It is possible to increase the resolution of an image, so making an image blurry will do little to prevent AI from being able to detect an images class.

[UserU]

As they always give images cropped from different positions, doesn't that mean they could give us 9 squares and depending on which one we click, the AI understands which part exactly of the picture contains the target object? Some squares contain only a very small part of the object or none.

They tolerate small margins of error, so you could even select the box with an inch of that object inside and still pass.

There were times when they asked me to select a "bicycle" when the whole canvas showed a motorcycle instead.

[suchmoon]

Which one of you convinced Google that the mailbox is a parking meter?


Edited 2020-11-30 to fix a broken image

Welcome the new world order and the tyranny of the AI.

[Josefjix]

You could have taped frame 6 from the left I'm sure I'd work. Sometimes it malfunctions.