It’s a barrier to entry. If you can cut out 99% of bots with one simple easy to implement tool that’s good enough. That last 1% becomes an arms race that isn’t worth worrying about and you have other things in place to stop them if they are being malicious anyways. As long as the higher tech bots are well behaved who cares if they get in?

Lol. Bots can.

Captchas is a arms race. What you’re seeing with those check boxes is like… The tip of the iceberg.

I do a lot of web scraping. There’s a bunch of tools and services to bypass captchas that are attempting to stop people like me. And just like door locks, its only a countermeasure to those who are curious. But ambitious people know all the tricks.

When clicking the squares that contain a traffic light, there is usually a small sliver of the backplate, sometimes I click it, sometimes not, it doesn’t seem to make any difference.

It catches the dumb bots because if it says “show me you’re human, click here” a basic script or bot will snap to it and check it.

Humans are slow, we got to actually move the cursor over the the box.

Same with “click boxes with stop lights” a bot can solve this in 0.02 seconds snapping to each box and selecting it.. Dumb humans are slow and need to sit and click on them one at a time while moving their cursor to each box.

Can you code a bot to do this? Absolutely. But the majority of bots which can cause website problems are made to be rapid fire fast and efficient. Not intentionally dumbed down to slow mouse movements, inconsistent timing between clicks land length of click sometimes!)

So it filters out a lot of the issues. It isn’t that it’s perfect it just needs to weed out enough of the problem scripts to allow the site to better serve people.

They absolutely do check it all the time and is the main issue that will never be solved. A bunch 1’s and 0’s typed up by a human look like every other set of 1’s and 0’s typed up by a robot.

To get around this, the box looks for various patterns in the stream of data generated by the user. Various things like how many sessions are present per IP, how long are they taking per page, whether or not they hesitate before clicking a link, etc.

They can and do. There are multiple ways for bots to bypass recaptcha. Plenty of third party tools out there like DeathByCaptcha and 2captcha allow bot builders to do this for fractions of a penny each time.

So I’m making something to stop bots, as well as to defeat anti-bot things and there’s quite a few reasons why and how it works.

First, it stops the most basic bots. For that to appear, it needs to run some javascript on the page. Basic bots dont run javascript so it will never appear. Clicking the button sends back a unique code which is checked whenever the real action you want to do is done so they can’t fake that.

It stops slightly less basic bots by checking your mouse movements, as well as how you click, where, for how long etc. Bots would have to program in randomness and also emulate the correct clicking method.

Mediocre bots will use what is called a “Headless browser” which is essentially Firefox or Chrome but does not have an actual UI for you to interact it. It’s strictly for programming. The problem here is that while the javascript is loaded and all that, you still have the mouse tracking issues. If that is fixed, you now have to trick it into thinking you’re a real browser. Headless browsers implement most features of their UI counterparts but not all of them. This allows detection of the headless browsers.

Stepping up even further, you now have bots that may fix some of them but now for large scale use you need to change the UserAgent (which is sent on every request and tells the site what browser and features it supports) and hope the features you emulated work exactly as they did in that version. Part of the detection is testing features against the versions to see if they act properly. A non-real example may be that chrome 100 reliably makes “0.1 + 0.2” equal “2.9999998” but chrome 101 makes it equal “2.2998”.

Stepping up even further is something I’m working on which detects network differences. It’s like the above, but we detect the changes in network connections between operating systems and browsers. With this, if the person uses the same program we can reliably detect them. We can also detect VPNs and proxies.

That also brings me to IP and network detection. Services like [Maxmind.com](https://Maxmind.com) have a database of IPs and who owns them as well as any reports about them. We can safely auto-ban any IP that is for hosting use.

​

Finally, something to know: getting past recaptcha is possible and fairly trivial. This is why I’m developing something new that thus far no bot maker I can find has protection against and is actually very hard to implement. Our site uses recaptcha for the time being but they do bypass it fairly easy and during testing of ours we can bypass it as well. It’s only good for stopping non-dedicated attackers. If you’re being targeted they will likely have a bypass solution.

Bots can and do check those boxes, as well as all the variants you can think of. They don’t stop serious bot makers, but they do stop just any random person or bot. It’s a bit of an arms race with companies trying to make captcha’s more complex so bot’s can’t pass them, and bots getting better and better at passing them.

There’s also a service available that you can put into your bot program that will actually call a real live human, usually in a 3rd world country, who will click the box/ solve the issue, and then the bot program continues on it’s way. A sort of human driven bot program, and you can do it for pennies.

The creepy answer to this question is “They can (or one day they will be able to).”

Simplifying things a lot. when you click that checkbox you’re usually presented with some kind of challenge to “prove that you’re a human.”

We used to ask you to do something really simple like answer “What is 1 + 3?” and expect you to enter 4 in a box.

Bots “learned” to read those questions and answer them pretty quickly so we made the challenge harder: Here’s some letters and numbers, but they’re funny colors, and there’s lines through them, and maybe we warped the image a bit. Tell me what the letters and numbers say.

People who work on document recognition love problems like that, and so eventually bots learned how to do that too, and we had to make the challenge harder again.

We went through that process of making the challenge harder a few times, and now we the modern challenge is to answer questions like “Which of these images contain tractors?” (or traffic lights, or mountains, or motorcycles, or busses….) – Bots aren’t great at that yet, so most time when you complete one of these challenges you’re identifying some images that a human has classified – we’ll call this person Hugh.

We know those images contain the thing we’re looking for because a man named Hugh said they do, and Hugh is an expert at classifying images. Hugh is right something like 99.999999% of the time, so if you agree with Hugh you’re a human – we let you in.

Now here’s the rub: Sometimes – not always, but maybe once out of every dozen challenges – Hugh didn’t classify all the images. Bob did some.

Bob is a bot.

Now you, Prospective Human Number 368472, will classify the same image Bob did. And if you agree with Bob we let you in.
If you don’t agree with Bob we make you try again, this time on a different challenge that Hugh classified (because we don’t want to make you mad if the bot is dumb and can’t tell a tractor from a taco truck).

We then take those images that both you and Bob classified and we show them to a few thousand other people. If all the Prospective ~~Hugh Mans~~ Humans tell us the image is not a tractor then we tell Bob it got that one wrong. We don’t knoow what it is, but we know what it *isn’t* and it is NOT a tractor.
Similarly if all the Prospective Humans tell us it *IS* a tractor then we tell Bob “This is definitely a tractor. All the humans said so.”

That feedback gets incorporated into the bot, which gets better at spotting tractorsif you got it right, and we use that information to train the bot further, until one day the bot will be able to answer the challenges we’re presenting with accuracy approaching that of a human.
. . . and then we start all over again with something harder.

[removed]