
Posted by anonymousiam 19 hours ago

Google broke reCAPTCHA for de-googled Android users (reclaimthenet.org)
Related: Google Cloud fraud defense, the next evolution of reCAPTCHA - https://news.ycombinator.com/item?id=48039362

also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199

1165 points | 415 comments | page 4
moebrowne 6 hours ago|
OK, so what are the alternatives, what can developers use instead?
pixel_popping 1 hour ago||
It feels ultra sad that "developers" think they need to use reCaptcha? What is this laziness, it's not even good on top of that at what it does, recaptcha costs less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.

Even competent people got completely brainwashed, crazy.

doublerabbit 1 hour ago|||
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.

   >? URL: .env.project :: IP: 213.209.159.175
   >? 30326336336 :: viewer key
   >? URL: lab/.env :: IP: 213.209.159.175
   >? 39363064647 :: viewer key
   >? URL: Dr0v :: IP: 185.12.59.118
   >? 76543264647 :: viewer key
   >? URL: data/.env :: IP: 213.209.159.175
   >? 63623731628 :: viewer key
   >? URL: docker/app/.env :: IP: 213.209.159.175
   >? 62653061304 :: viewer key
   >? URL: fedex/.env :: IP: 213.209.159.175
   >? 61663064656 :: viewer key

   [09/May/2026:11:31:32] notice: exiting: exceeded max connections per thread
Above is verbose from my honeypot. Some security camera network has been hacked and is being used for net thrifting in Romania.

The internet is a failure. Congratulations us.

palata 4 hours ago||
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
OutOfHere 16 hours ago||
If there was any remaining doubt whether Google is evil, this settles that yes it is.
shevy-java 8 hours ago||
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off uBlock Origin via a lie:

https://ublockorigin.com/

See the explanation associated with Manifest V3.

stuaxo 5 hours ago||
Anti-competitive behaviour?
tamimio 17 hours ago||
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
Andrex 17 hours ago||
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.

Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.

spencerflem 15 hours ago||
I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.

I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either

Andrex 10 hours ago|||
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
donmcronald 12 hours ago||||
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.

Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.

SV_BubbleTime 14 hours ago||||
Well, how does Tor or other services do it now?
eddythompson80 12 hours ago|||
Tor does it by being so painfully slow and unreliable that the only way you would use it is if there is a cocaine-style reward at the end of it.
staringforward 9 hours ago||
> Tor does it by being so painfully slow and unreliable

I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.

Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png

Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.

spencerflem 14 hours ago|||
They get blocked by Recaptcha, I think.

I’m not talking about the network itself but the servers on the other end.

I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.

986aignan 13 hours ago||
> They get blocked by Recaptcha, I think.

I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.

And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.

SV_BubbleTime 12 hours ago||
Proof of work I get, but isn’t that like step2?

If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
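
The proof-of-work idea raised in this sub-thread (expensive to initiate, cheap to accept or reject), as an added example that is not part of any comment above and is not Anubis's code: a stateless challenge where issuing costs one HMAC with nothing stored, solving costs about 2^16 hashes, and verifying costs one HMAC plus one SHA-256. The key handling, difficulty, lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, kept in memory
DIFFICULTY_BITS = 16         # assumption: ~65,000 hashes per solve on average
MAX_AGE = 120                # assumption: seconds a challenge stays valid


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def _zero_bits(data):
    # Number of leading zero bits in SHA-256(data).
    digest = hashlib.sha256(data.encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client_id, now=None):
    """Server side: one HMAC, nothing stored per request."""
    ts = int(time.time() if now is None else now)
    body = f"{client_id}:{ts}:{os.urandom(8).hex()}:{DIFFICULTY_BITS}"
    return f"{body}:{_tag(body)}"


def solve(challenge):
    """Client side: brute-force a counter, the deliberately expensive step."""
    bits = int(challenge.rsplit(":", 2)[1])
    counter = 0
    while _zero_bits(f"{challenge}:{counter}") < bits:
        counter += 1
    return counter


def verify(challenge, counter, client_id, now=None):
    """Server side: check the HMAC first so forged input is rejected cheaply."""
    now = int(time.time() if now is None else now)
    try:
        body, tag = challenge.rsplit(":", 1)
        cid, ts, _nonce, bits = body.rsplit(":", 3)  # client_id may contain ':'
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False  # not issued by this server, or a field was altered
    if cid != client_id or not 0 <= now - int(ts) <= MAX_AGE:
        return False  # bound to another client, or expired
    return _zero_bits(f"{challenge}:{counter}") >= int(bits)
```

A solved challenge can be replayed until it expires unless the server remembers redeemed nonces for that window, and none of this reduces the bandwidth cost of a volumetric flood.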

chadgpt2 15 hours ago|||
[dead]
roywiggins 12 hours ago|||
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
anonymars 13 hours ago|||
What a coincidence that Windows 11 makes it a requirement!
fsflover 16 hours ago||
TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
cyklosarin 15 hours ago||
TPM with things like Heads are borderline zero security and theater compared to actually decent implementations on Android/iOS platforms, I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
sylware 3 hours ago||
Wait, you need a TPM chip?

I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt?

djfergus 14 hours ago||
What happens with Chinese Huawei phones that don’t have Google services?
omnifischer 7 hours ago|
People can install Google Services in them. Once you sign into Google account then you self-certify the device. https://www.google.com/android/uncertified/?pli=1
cyberax 15 hours ago||
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
SV_BubbleTime 14 hours ago|
Treatment is not a cure.
cyberax 13 hours ago||
Agreed. I'm just pointing out the possibility (for now).
hackernews682 19 hours ago||
The gate to the pig pen is closing…
citizenpaul 17 hours ago|
For decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.

I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.

They were of course trustworthy providers while they were untouchable but now I know how things are gonna go.
