coppsilgold 32 days ago [-]
My understanding is that this new reCAPTCHA is basically just remote attestation.
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
deIeted 32 days ago [-]
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
matt_kantor 31 days ago [-]
> (just realized emacs bindings work in comments, nice, no ctrl-x tho)
Are you using macOS? If so, those keybindings work everywhere.
As far as I can tell, Hacker News doesn't impose any custom keybindings (the client-side scripting on this site[0] is very simple).
Emacs bindings also work on Linux in GTK apps, if you enable them:
gsettings set org.gnome.desktop.interface gtk-key-theme "Emacs"
If you make Qt follow GTK settings, they also work in many Qt apps, but in a more limited way.
normie3000 32 days ago [-]
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.
Is this speculation, or has it been confirmed somewhere?
TJSomething 31 days ago [-]
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
Sophira 31 days ago [-]
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
By exchanging and correlating data presumably? For example, anything I send or receive on Discord, I see reflected in my YouTube recommendations shortly after. It's downright egregious at times.
nozzlegear 30 days ago [-]
Most likely it's just run of the mill Google analytics/adsense tags in discord. Don't forget that discord is web tech and loads all kinds of JS bundles – including trackers. The best solution is to stop using discord, but the second best solution is to only use the web app version of Discord. When you use the web app, you can install adblock and anti-tracking extensions. The amount of data that Discord sends which gets blocked by these extensions is eye opening.
tardedmeme 32 days ago [-]
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
ChadNauseam 32 days ago [-]
The domain in the attestation would be yours, so that wouldn't work
chadgpt2 32 days ago [-]
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
eddythompson80 32 days ago [-]
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
tardedmeme 32 days ago [-]
How does the verification app on your phone know what's in the URL bar on your desktop?
ranger_danger 32 days ago [-]
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
tardedmeme 32 days ago [-]
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
ranger_danger 32 days ago [-]
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
tardedmeme 32 days ago [-]
They're tying my access to random users of a completely different service, and a different random user each time.
ranger_danger 32 days ago [-]
What are you implying? That it will become ineffective due to that?
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
gruez 32 days ago [-]
After you scan the code, the verification app asks you "do you want to verify for example.com?"
tardedmeme 32 days ago [-]
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Groxx 32 days ago [-]
Some people will notice, some will not
coppsilgold 32 days ago [-]
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
thaumasiotes 32 days ago [-]
> My understanding is that this new reCAPTCHA is basically just remote attestation.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
lxgr 32 days ago [-]
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
palata 31 days ago [-]
> Much like age verification
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
bpfrh 31 days ago [-]
Really, how?
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuits/enforcement, so if somebody gets access they will know you visited that site.
michaelt 31 days ago [-]
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age - but because every phone signs challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
echelon 31 days ago [-]
All so kids can't access PornHub?
Jesus Christ.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
palata 31 days ago [-]
Dude, a big reason for age verification is to prevent kids from accessing those "algorithms" you describe.
They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.
fc417fc802 31 days ago [-]
"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
palata 31 days ago [-]
What is perplexing is that people still don't realise that it is possible to do age verification in a privacy-preserving manner.
> Think for yourself and consider what the possible ulterior motives might be.
Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
echelon 30 days ago [-]
> Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more often than not not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
chmod775 31 days ago [-]
That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have any means to tell that the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the phone camera data of your choosing and it would be none the wiser.
michaelt 31 days ago [-]
> That key will get leaked.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
> Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.
palata 31 days ago [-]
There is no reason to talk about that system: it's nonsense. It's like inventing a bad encryption protocol and discussing why it is bad.
Better learn about the good one, but I guess it's harder than making up nonsense.
zyx321 31 days ago [-]
OR:
The website sends a request for age verification.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD
fc417fc802 31 days ago [-]
What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?
zyx321 30 days ago [-]
To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.
palata 30 days ago [-]
It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
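As an added example (not from any commenter, and not any real eID card's protocol), a toy of zyx321's `pseudonym` field beside palata's rate-limit check; the salt values, site names and the use of HMAC-SHA256 are constructed assumptions:

```python
"""Constructed demo of the thread's `pseudonym` field and rate-limit idea.

pseudonym = keyed hash over the server identity under the card's secret salt.
Each relying party gets a stable per-card value it can count requests
against, two parties cannot join their records, and nobody without the
salt can recompute it. Toy code, not any real eID card's protocol.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple


def pseudonym(card_salt: bytes, server_identity: str) -> str:
    """Assumption: HMAC-SHA256 stands in for whatever the card would use."""
    return hmac.new(card_salt, server_identity.encode(), hashlib.sha256).hexdigest()


def card_reply(card_salt: bytes, server_identity: str, over_18: bool) -> Dict[str, object]:
    """Payload fields named in the thread plus the pseudonym; signing omitted."""
    return {"issuing_country": "XX",  # constructed placeholder country code
            "over_18": over_18,
            "pseudonym": pseudonym(card_salt, server_identity)}


def flag_abuse(replies: List[Dict[str, object]], limit: int) -> List[str]:
    """Server-side check: pseudonyms that produced more than `limit` replies
    in the window. A proxied card (one salt serving many visitors) shows up
    as a single pseudonym with an implausible count."""
    counts = Counter(str(r["pseudonym"]) for r in replies)
    return sorted(p for p, c in counts.items() if c > limit)


def demo() -> Tuple[List[str], bool]:
    """Constructed scenario: three honest cards and one card fronted by a proxy."""
    honest = [b"salt-honest-1", b"salt-honest-2", b"salt-honest-3"]
    proxied = b"salt-proxied"
    site = "age-gate.example"
    window: List[Dict[str, object]] = []
    for salt in honest:
        window += [card_reply(salt, site, True) for _ in range(2)]   # normal usage
    window += [card_reply(proxied, site, True) for _ in range(40)]   # proxy traffic
    flagged = flag_abuse(window, limit=5)
    # Cross-service: the same card yields unrelated pseudonyms per site.
    unlinkable = pseudonym(proxied, site) != pseudonym(proxied, "other.example")
    return flagged, unlinkable


if __name__ == "__main__":
    print(demo())
```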
palata 31 days ago [-]
Wait what? All the time you spent writing that nonsense could have been invested in reading about how it actually works.
Scaled 31 days ago [-]
Parental controls on device are a better solution that works today and doesn't carry a risk of data breach.
tjpnz 31 days ago [-]
Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.
baranul 31 days ago [-]
I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.
Teenagers at that level of intelligence, or who are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same as if you told a teenager not to drink and drive. You can set up all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
palata 30 days ago [-]
But again: if all the kids are on social media, is it enough for a "good parent" to tell their kid that they should not go there?
From what I remember from being a kid myself, it definitely is not.
harshreality 31 days ago [-]
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.
They're not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
JoshTriplett 31 days ago [-]
> They would be a solution if almost all parents used them
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
sumeno 31 days ago [-]
You haven't tried to use parental controls much, have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.
JoshTriplett 31 days ago [-]
> even when you do there are a lot of tradeoffs that come with it
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
palata 31 days ago [-]
> but those are nothing compared to the tradeoffs
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
JoshTriplett 31 days ago [-]
I'm well aware of those possibilities. The two biggest problems with them are that 1) they still apply to everyone, rather than only to those who opt into them and 2) governments and companies are in practice going to push for the versions that identify people and provide more information.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
palata 31 days ago [-]
Yep, I think this would be a totally valid debate. But my frustration is that it's not there at all. We're at "people make it sound like it's technologically impossible, like the ChatControl for E2EE".
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
fc417fc802 31 days ago [-]
I have yet to see a scheme that would robustly preserve privacy and freedom floated by any of the major efforts. I think the onus is on you to present a workable scheme, but even then I'm not going to support the major efforts which at present are malicious.
palata 31 days ago [-]
I keep mentioning it. Read about Privacy Pass, there is a goddamn RFC for it.
account42 29 days ago [-]
Having Privacy in the name doesn't mean it's actually privacy preserving. You can't just ignore attack vectors like collusion between signing entities and websites.
palata 29 days ago [-]
Did you read about how it works? Can you precisely describe an attack that defeats it, or are you just throwing names you've heard without actually knowing how Privacy Pass works? Sounds like the latter to me (yes, I read the RFC).
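An added example, not from any commenter and not Privacy Pass itself (which uses different primitives), to show the one property argued about between coppsilgold's EK -> AIK -> attestation chain and the blind-signature approach: an issuer that logs every signing request can link a plain signature back to the requester, but cannot link a blind-signed token even when colluding with the site. The RSA primes, device ids and challenges are constructed toy values.

```python
"""Toy Chaum RSA blind signature next to a plain signed request.

Constructed example with deliberately small fixed primes; not real
parameters. The issuer logs (requester, value signed), as the thread
assumes an attesting server would, and a colluding site later tries to
map a presented signature back to a requester via that log.
"""
import hashlib
import math
import secrets
from typing import List, Optional, Tuple

# Constructed toy RSA key: two well-known ~30-bit primes, far too small for real use.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65_537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def h(msg: bytes) -> int:
    """Hash a message into Z_N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Issuer:
    """The attesting server: signs what it is asked to sign and logs who asked."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, int]] = []

    def sign(self, requester_id: str, value: int) -> int:
        self.log.append((requester_id, value))
        return pow(value, D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Relying-party check: sig^E == H(msg) mod N."""
    return pow(sig, E, N) == h(msg)


def plain_request(issuer: Issuer, requester_id: str, msg: bytes) -> int:
    """EK/AIK-style flow: the device hands H(msg) to the issuer in the clear."""
    return issuer.sign(requester_id, h(msg))


def blind_request(issuer: Issuer, requester_id: str, msg: bytes) -> int:
    """Chaum blind signature: the issuer sees only H(msg) * r^E, never H(msg)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (h(msg) * pow(r, E, N)) % N
    blind_sig = issuer.sign(requester_id, blinded)   # = H(msg)^D * r mod N
    return (blind_sig * pow(r, -1, N)) % N           # unblind: H(msg)^D mod N


def link_token(issuer: Issuer, msg: bytes, sig: int) -> Optional[str]:
    """What a colluding site plus issuer can do with the issuer's log:
    recover H(msg) from the presented signature and look it up among the
    values the issuer actually signed."""
    target = pow(sig, E, N)
    for requester_id, signed_value in issuer.log:
        if signed_value == target:
            return requester_id
    return None


if __name__ == "__main__":
    issuer = Issuer()
    c1 = b"site=example.com;nonce=constructed-1"
    c2 = b"site=example.com;nonce=constructed-2"
    s1 = plain_request(issuer, "device-EK-0001", c1)
    s2 = blind_request(issuer, "device-EK-0002", c2)
    print(verify(c1, s1), link_token(issuer, c1, s1))  # True device-EK-0001
    print(verify(c2, s2), link_token(issuer, c2, s2))  # True None
```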
fc417fc802 29 days ago [-]
Your tone isn't appropriate. You don't get to assign reading. If you want to convince people of something then clearly state your case. In this instance that would mean outlining the technical argument.
That said, you've got blinders on. You're all over this comment section condescending to people about a particularly clever scheme without considering the various real world objections being raised. Not the least of which is that the vast majority of the tidal wave of legislation on the topic has zero to do with ZKPs.
palata 28 days ago [-]
> Not the least of which is that the vast majority of the tidal wave of legislation on the topic has zero to do with ZKPs.
That's not what I see. I mostly see people complaining about the fact that "if they verify my age, it fundamentally means that I have to give them my ID, and I don't want that". And whenever I mention that technically, there are ways to do age verification in a privacy-preserving manner, I get something like "you are so naive, nobody wants age verification, it's THEM (the all corrupt politicians who all have the exact same opinion) against US THE PEOPLE who need to fight for our freedom!"
That is very frustrating to me, because
1. I believe that it is counter-productive to be technically wrong by saying "it is fundamentally not possible". Because if politicians genuinely listen to that, then ask a few cryptographers and get the answer "no actually it exists", then it seems only fair that those politicians will just dismiss the whole opposition by saying "oh right, they are just libertarians who don't want regulations and hide behind incorrect technical claims".
2. I believe that many, many people actually are in favour of age verification to protect their kids. And again, yelling at them saying "you understand nothing, this is not technically possible, and the politicians are all corrupt authoritarians anyway" is not constructive. Moreover, "normal" people don't give a shit about the privacy issues, so if they want age verification, they will just accept any technical solution. I would hope for technically savvy people to try to raise the privacy concerns and explain that if there MUST be age verification, AT LEAST it should be done in a privacy-preserving manner.
But yeah, let's keep yelling that it is fundamentally impossible, such that nobody even hears about the privacy-preserving solutions, until we have to either give our ID to random websites or stop using the Internet. Because what seems clear to me is that we are going towards age verification anyway, and there is zero constructive discussion about how to do that right.
JoshTriplett 27 days ago [-]
> Because what seems clear to me is that we are going towards age verification anyway
This is one of the reasons you're getting a lot of arguments here. Every bit of energy spent saying "actually, check out this use of cryptography that lets you do this in a privacy-preserving way" is energy not spent saying "no, not under any circumstances" and fighting against it.
palata 27 days ago [-]
Which is ironic, because my whole point is "if you want to fight it, try to be credible". Every bit of energy spent saying "it's fundamentally not possible to do that, you would have to be stupid to consider it" is, IMHO, wasted.
Because what I read is "ok, this person is either not competent to talk about it, or arguing in bad faith, so I won't listen to them".
And to be very honest, I can't remember a good argument against "privacy-preserving age verification". It's mostly "hmm I don't like it, that should be the responsibility of the parents anyway".
The EFF has a valid point which is "such technology will leave people out who won't be able to access important services". I don't have a definitive stance on it, but that would be worth debating. I can't remember another argument from the EFF. Pretty sure they don't say "it's technically impossible to do".
Actually Soatok [1] starts by acknowledging it's possible, before going straight to their opinion: "we should not do it". Again, I think it's a debate worth having.
But I won't debate with people who either don't have a clue or downright lie about it, saying "it's not possible, period".
I'm not suggesting to say it's impossible. I'm suggesting to not help people make their bad ideas more palatable when the more palatable version is still unacceptable. When someone is trying to push a scheme that ties things to identity, don't help them make it better; destroy it.
> And to be very honest, I can't remember a good argument against "privacy-preserving age verification".
I gave you one in the other thread:
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
Here's another: Many people have successfully been productive members of many online communities (e.g. FOSS projects) while still under 18, and future generations should have the same opportunities we did.
palata 26 days ago [-]
> I'm suggesting to not help people make their bad ideas more palatable when the more palatable version is still unacceptable.
That's where we disagree, I guess. I feel like the more palatable version, in this case, is debatable. An important part of democracy is to recognise that others may have different opinions, and to be willing to engage in good faith. If the norm is to systematically lie, all you get is polarisation. And it is ironic to argue in favour of lying for your cause, but then to complain when the other side lies as well for theirs.
> I gave you one in the other thread
And I think it is debatable.
But more generally, if your opinion is that you should lie and yell to defend your ideas, that your government does not represent the people at all to the point where they would prevent teenagers from contributing to FOSS (is that a thing somewhere?), then I wonder if you actually live in a functioning democracy. I mean no offence here.
I mean, your argument is pretty much "We should remove all laws, because laws come from the government, and the government will abuse that capability. They will make schools illegal, and future generations should have the same opportunities we did".
My point, again, is that in a functioning democracy, we should strive to debate in good faith.
JoshTriplett 26 days ago [-]
You are replying to my comment in which I said "I'm not suggesting to say it's impossible.", and yet you are continuing to claim I am arguing for lying. I am not arguing for lying; stop claiming that. I am arguing for not always helping your opponent make their bad idea better. Steelmanning is a helpful strategy in collaborative discourse, when you share common goals and are looking to work together to find the best way to get there. Not all politics is collaborative discourse.
palata 25 days ago [-]
I am not saying that you lie. I am saying that I have been defending, on HN, that it is possible. And more often than not I get dismissed by comments that insist on saying it's impossible.
> I am arguing for not always helping your opponent make their bad idea better
I am not sure what you mean by that. So when people generally lie by saying "I am a technical person, believe me I know, it is technically impossible", I should... what? Say "yeah that is right, believe him"? Or just say nothing, because letting them lie is the way to "not help the opponent"?
Also you assume that age verification is a fundamentally bad idea. A lot of the arguments against any regulation are "it is a step towards authoritarianism". And I disagree with that: removing all regulations is a bad idea, we need some amount of that. The right amount of the right regulations is a balancing act.
I strongly feel like I have a fundamentally different approach from many of the comments I read, and people don't like that: I don't fight for my opinion to win. I fight for society to take an informed decision. If there is a vote where the average voter is correctly informed and the vote goes against my preference, then it is a functioning democracy. I may be frustrated of course, but it means that I am in the minority, and it makes sense to follow the preference of the majority.
People should not win because they make more noise, or because they have a better strategy, or because they lie. The goal is to represent the majority of the people, and for that, the people need to be informed. When both sides systematically lie, then the people cannot believe anybody anymore. And the result of that is polarisation, as we see it.
JoshTriplett 25 days ago [-]
>> I am arguing for not always helping your opponent make their bad idea better
> I am not sure what you mean by that.
By "opponent" here I mean a politician who is arguing for an age+identity verification system. Telling them "actually you can do that without checking identity" is making their argument better. (There was a time I thought that it might help because then you can see who goes mask off and actually clearly wants identity verification for its own sake, but in general politicians never get pinned down and forced to answer hard questions about their positions like that anymore.) "That's a bad idea, age and identity verification are both bad" is better.
palata 25 days ago [-]
The thing is, the EU age verification initiative does explicitly talk about privacy. The first paragraph here mentions it: https://ageverification.dev/.
But most comments explicitly criticise the EU, saying it is authoritarian and has an agenda. What then? Did they all keep the mask for too long and ended up with an actually privacy-preserving technical solution on their website "by mistake"?
Asooka 31 days ago [-]
Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
malfist 31 days ago [-]
I should not have to surrender my anonymity because parents are too lazy to set up parental controls.
palata 31 days ago [-]
And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
duskdozer 31 days ago [-]
How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!
palata 31 days ago [-]
Because privacy-preserving age verification is less extreme than banning them entirely. It should be strictly easier to get it accepted.
Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.
palata 31 days ago [-]
Zero knowledge proofs don't carry a risk of data breach, because they are zero knowledge.
EmbarrassedHelp 31 days ago [-]
Your privacy has to be violated in order to receive the easily trackable ZKP tokens.
palata 31 days ago [-]
> Your privacy has to be violated
No.
> the easily trackable ZKP tokens
If it's easily trackable, it's not ZK.
raverbashing 31 days ago [-]
Are they a better solution? Yes
Do they work currently? Not really
Are they too complex for the avg joe to work out? Unfortunately yes. (Something about the smartest bears and the dumbest humans)
Asooka 31 days ago [-]
Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.
AdrianB1 31 days ago [-]
As long as Joe has the right to vote, which is something more important and more complex, we cannot complain that parental control is too complex.
drewgross 31 days ago [-]
It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.
fc417fc802 31 days ago [-]
Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.
palata 31 days ago [-]
People, you have to read about zero knowledge proofs. Look at e.g. Privacy Pass.
> A law in the vein of HIPAA prevents collusion
No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.
rstuart4133 31 days ago [-]
>> A law in the vein of HIPAA prevents collusion
>
> No need if you use cryptography.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
palata 31 days ago [-]
> But I don't think just yelling "just use ZK" is helpful.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
rstuart4133 30 days ago [-]
> If tech-savvy people can't be bothered to understand how this works
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprisingly low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
nullc 31 days ago [-]
You can prove your signature is from a key which is in a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.
Such systems are deployed in production by privacy preserving cryptocurrencies as it's the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
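The blind-signing flow described in the comment above, as an added example (not code from the commenter or from any Privacy Pass or reCAPTCHA implementation). It uses Chaum-style RSA blind signatures with a constructed toy key: the client hashes (domain, account, date) into the message, blinds it, the issuer applies a per-user rate limit and signs only the blinded value, and the site verifies the unblinded signature with the issuer's public key. The issuer's log therefore holds who asked and how often, but never the domain. The `Issuer`, `obtain_token` and `verify_token` names and the 60-bit modulus are assumptions for this demo; a real deployment would use a 2048-bit key with the padding defined in RFC 9474.

```python
"""Added example: RSA blind signature as a rate-limited, site-bound token.
Toy parameters constructed for this demo; not production code."""
import hashlib
import math
import secrets

# Constructed toy RSA key from two well-known primes (~60-bit modulus).
# gcd(65537, (p-1)(q-1)) == 1, so the private exponent exists.
_P, _Q = 1000000007, 998244353
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # issuer's private exponent


def message_int(domain: str, account: str, day: str) -> int:
    """Map (domain, account, date) onto Z_N. Binding the token to these
    fields is what stops it being replayed on another site or another day."""
    data = f"{domain}|{account}|{day}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N


def blind(m: int):
    """Client side: pick r coprime to N and return (m * r^e mod N, r)."""
    while True:
        r = secrets.randbelow(RSA_N - 2) + 2
        if math.gcd(r, RSA_N) == 1:
            break
    return m * pow(r, RSA_E, RSA_N) % RSA_N, r


def unblind(s_blind: int, r: int) -> int:
    """Client side: remove the blinding factor, leaving a plain RSA signature."""
    return s_blind * pow(r, -1, RSA_N) % RSA_N


def verify_token(domain: str, account: str, day: str, sig: int) -> bool:
    """Site side: ordinary RSA verification against the issuer's public key."""
    return pow(sig, RSA_E, RSA_N) == message_int(domain, account, day)


class Issuer:
    """The rate-limiting party (the 'google' role in the thread). It learns
    who asked and how often, but only ever sees blinded values."""

    def __init__(self, daily_quota: int = 3):
        self.daily_quota = daily_quota
        self.log = []   # (user_id, blinded value): all the issuer can record

    def sign_blinded(self, user_id: str, blinded: int):
        uses = sum(1 for uid, _ in self.log if uid == user_id)
        if uses >= self.daily_quota:
            return None  # rate limit reached: no further tokens for this user
        self.log.append((user_id, blinded))
        return pow(blinded, RSA_D, RSA_N)


def obtain_token(issuer: Issuer, user_id: str, domain: str, account: str, day: str):
    """Full client flow; returns the unblinded signature, or None if rate-limited."""
    m = message_int(domain, account, day)
    blinded, r = blind(m)
    s_blind = issuer.sign_blinded(user_id, blinded)
    return None if s_blind is None else unblind(s_blind, r)


if __name__ == "__main__":
    issuer = Issuer()
    tok = obtain_token(issuer, "alice", "example.org", "alice", "2026-02-20")
    print("site accepts token:", verify_token("example.org", "alice", "2026-02-20", tok))
    print("token valid on other site:", verify_token("other.example", "alice", "2026-02-20", tok))
```

Because the issuer's log only ever contains blinded values, even a full dump of it cannot be matched against the signature the site received; the site, in turn, learns only that the issuer's key signed this (domain, account, date) tuple.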
maccard 31 days ago [-]
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
nullc 31 days ago [-]
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and set up a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
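The linkable ring signature described above, together with the earlier point about a linked value derived from the private key, the date and the domain, as an added example (not code from the commenter or from any deployed system). It is a pure-Python LSAG (Liu, Wei and Wong, 2004) over secp256k1: a member of the approved key set signs without revealing which key, and a linking tag h^x with h = H2(context) makes two signatures by the same key under the same context (say, site plus day) recognisably linked while leaving different contexts unlinkable. The `ContextGate`, `ring_sign` and `ring_verify` names, the try-and-increment hash-to-point and the per-context limit are assumptions of this demo; the arithmetic is not constant-time.

```python
"""Added example: linkable ring signature (LSAG) over secp256k1. Demo only."""
import hashlib
import secrets

# secp256k1 domain parameters (public, standard).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    r, k = None, k % N
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def enc(pt) -> bytes:
    """Fixed-width point encoding used inside the hashes."""
    return b"\x00" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h_scalar(*parts: bytes) -> int:
    """H1: hash to Z_N, used for the ring challenges."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def h_point(data: bytes):
    """H2: hash to a curve point by try-and-increment (P = 3 mod 4, so sqrt is a pow)."""
    ctr = 0
    while True:
        x = h_scalar(b"H2", data, ctr.to_bytes(4, "big"))
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)


def ring_sign(ring, secret, idx, context: bytes, msg: bytes):
    """Sign msg as an anonymous member of `ring` (list of public keys).
    tag = H2(context)^secret is the linking tag: same key + same context -> same tag."""
    n = len(ring)
    h = h_point(context)
    tag = ec_mul(secret, h)
    prefix = b"".join(enc(y) for y in ring) + enc(tag) + msg
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(N - 1) + 1
    c[(idx + 1) % n] = h_scalar(prefix, enc(ec_mul(u, G)), enc(ec_mul(u, h)))
    i = (idx + 1) % n
    while i != idx:                       # simulate every other ring member
        s[i] = secrets.randbelow(N - 1) + 1
        L = ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i]))
        R = ec_add(ec_mul(s[i], h), ec_mul(c[i], tag))
        c[(i + 1) % n] = h_scalar(prefix, enc(L), enc(R))
        i = (i + 1) % n
    s[idx] = (u - secret * c[idx]) % N    # close the ring with the real key
    return c[0], s, tag


def ring_verify(ring, context: bytes, msg: bytes, sig) -> bool:
    """Recompute the challenge chain around the ring; it must close on c0."""
    c0, s, tag = sig
    h = h_point(context)
    prefix = b"".join(enc(y) for y in ring) + enc(tag) + msg
    c = c0
    for y, si in zip(ring, s):
        L = ec_add(ec_mul(si, G), ec_mul(c, y))
        R = ec_add(ec_mul(si, h), ec_mul(c, tag))
        c = h_scalar(prefix, enc(L), enc(R))
    return c == c0


class ContextGate:
    """Verifier-side policy: at most `limit` accepted signatures per (context, tag).
    Honest users pick up a fresh tag per context; a key shared through an oracle
    keeps producing the same tag and is throttled."""
    def __init__(self, ring, limit=1):
        self.ring, self.limit, self.seen = ring, limit, {}

    def accept(self, context: bytes, msg: bytes, sig) -> bool:
        if not ring_verify(self.ring, context, msg, sig):
            return False
        key = (context, sig[2])
        self.seen[key] = self.seen.get(key, 0) + 1
        return self.seen[key] <= self.limit
```

The verifier never learns the signer's index, only that the tag belongs to some key in the ring; it can throttle or refuse a tag that reappears within one context without ever being able to identify which member it is.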
andrepd 31 days ago [-]
All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
AdrianB1 31 days ago [-]
> Let's assume this is acceptable.
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
andrepd 31 days ago [-]
The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
palata 31 days ago [-]
With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.
Arch-TK 31 days ago [-]
It should be possible with zero knowledge proofs.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonymize.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
palata 31 days ago [-]
> Moreover, collusion between the government and the entity making the age check can also theoretically deanonymize.
Hmmm... no? That's not how zero knowledge works.
Arch-TK 30 days ago [-]
Not via breaking the ZKP, but via other methods of fingerprinting, which governments are very well positioned to enable.
palata 29 days ago [-]
I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
brookst 31 days ago [-]
Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.
palata 31 days ago [-]
Yes, but they can still collude. It's possible to do age verification in a way that prevents that. Look e.g. at Privacy Pass.
brookst 30 days ago [-]
PAT is Privacy Pass.
palata 30 days ago [-]
Oh right, my bad. And how can they collude there?
red_admiral 31 days ago [-]
Blind signatures would work, with a bit of effort.
indymike 31 days ago [-]
Divorcing technical detail from how it is used does little good for humanity.
coppsilgold 31 days ago [-]
As far as I know no currently proposed age verification method does this in practice.
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
YourDadVPN 31 days ago [-]
The EU's proposed system uses ZK proof. You get a PGP signed message from "someone" who knows your identity (government or private agency) then store it on your phone to pass to websites that need your age. It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
> It does have an obvious flaw in that whoever you give the token to has no proof it's actually yours.
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
coppsilgold 30 days ago [-]
This is not sufficient. Do they give you a blind signature?
Because what you described does not preserve your anonymity if the government and the service collude.
pdntspa 31 days ago [-]
Doesn't matter if it is privacy preserving, it is still an evil thing to do
palata 31 days ago [-]
That would be the interesting debate, if people could actually spend 5min learning how it works and stop claiming nonsense.
jollymonATX 31 days ago [-]
Exactly the mindset that got us to this current reality..
account42 29 days ago [-]
No it can't. If it's done in a truly privacy preserving way then someone can also sell a fake age verification service making the whole thing meaningless.
g-b-r 32 days ago [-]
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
lxgr 32 days ago [-]
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone
But anything your phone can possibly do in software can be spoofed, so how would that help?
palata 31 days ago [-]
> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
g-b-r 31 days ago [-]
No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
EmbarrassedHelp 31 days ago [-]
> having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
getpokedagain 32 days ago [-]
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
duskdozer 31 days ago [-]
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
medvidek 31 days ago [-]
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what I would do if I had to move to Germany and use trains there more often.
bluebarbet 31 days ago [-]
Same problem but with French equivalent SNCF (sncf-connect.com). I just checked and can confirm nothing has changed. You cannot use up-to-date Firefox on Linux to access the main booking site for French rail tickets.
Access is temporarily restricted
We detected unusual activity from your device or network.
Reasons may include:
- Rapid taps or clicks
- JavaScript disabled or not working
- Automated (bot) activity on your network (IP X.X.X.X)
- Use of developer or inspection tools
duskdozer 31 days ago [-]
Does it work if you spoof the user agent?
> - Use of developer or inspection tools
Gotta love it.
bluebarbet 31 days ago [-]
It gets blocked in a private window, but only on the second page load. So more sophisticated than UA-blocking.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
tardedmeme 31 days ago [-]
Developer tools are easily detected by looking for the viewport to resize a certain amount.
clort 31 days ago [-]
I just opened the developer tools, then chose 'Separate Window' from the menu. The developer tools are now on my other screen, and then I clicked Reply to your message. The developer tools window that I had open is not relating to this tab, but when I opened Developer Tools for this tab, it remembered that I wanted it in a separate window and did so again. The viewport should not have changed at all..?
wasmitnetzen 31 days ago [-]
DB has been finicky for me from abroad as well, using a VPN to Germany usually helped. Still sucks though.
JoshTriplett 31 days ago [-]
> That's great until it's some essential government, medical, educational, etc. service
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
sneak 31 days ago [-]
Which won’t solve the problem at all.
JoshTriplett 31 days ago [-]
No, it won't, and this mechanism should not be used by anyone, but it'd at least ensure that people aren't forced to use it to interact with their government.
tardedmeme 32 days ago [-]
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
papercruncher 32 days ago [-]
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
spystath 32 days ago [-]
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
drew870mitchell 32 days ago [-]
Same, I'm doing a kitchen reno and gave up on Home Depot because of this
ksenzee 32 days ago [-]
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
userbinator 32 days ago [-]
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
tardedmeme 32 days ago [-]
It has a zero percent chance of reaching anyone who can do anything about it.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
petre 32 days ago [-]
Maybe they'll figure it out when their revenue drops next quarter or the ones after that?
I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking, turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
account42 29 days ago [-]
You can also send an email if you're lazy. In both cases the CEO probably won't read it but a more than minimum wage secretary probably will pass it on to corporate customer support which IME is a lot more useful than the regular support that the company wants you to use.
komali2 32 days ago [-]
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
smcin 32 days ago [-]
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election.
The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:
Usually that just means the owners of the individual stores are the shareholders.
userbinator 32 days ago [-]
The point is to spread the word.
g-b-r 32 days ago [-]
One problem with these things is that businesses have minimal visibility on the amount of users they lose.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
jbvlkt 32 days ago [-]
I wanted to give money to charity and they have the whole form protected by recaptcha. So I would have to allow all my personal information and amount donated to be sent to google (and agree with google terms for data processing). I have contacted them but they did not understand why this is a problem, they just wanted to protect themselves against bots. IMHO unless those things are disallowed by antitrust laws we have lost.
vanviegen 31 days ago [-]
We wouldn't want bots throwing money at us!
sfilmeyer 31 days ago [-]
I suspect this is a real problem for charities, though. If those bots are using stolen credit cards, the "donations" are going to cost the charities money after they pay extra fees to the credit card processors. Nonprofits are sometimes used to test stolen credit cards before making more profitable fraudulent transactions, so there's a real risk of it costing them money if they get rid of the captcha but don't replace it with something sufficiently high quality, even after accounting for the occasional lost donation.
g-b-r 31 days ago [-]
Why would they pay extra fees?
sfilmeyer 31 days ago [-]
Merchants often pay a chargeback fee on top of refunding the main charge. Additionally, merchants with lots of fraud or other chargeback issues are likely to be dropped by payment processors or see their general fees with payment processors get more expensive.
bar000n 32 days ago [-]
I say technofeudalism, not sure I know what I'm writing about though
chadgpt2 32 days ago [-]
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
raincole 32 days ago [-]
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
pixel_popping 31 days ago [-]
This is not true, maybe in the US, but in many countries you get captchas all the time with a residential connection and also in public places all the time: internet cafes, airports, cafe wifis and so on. They'll at least get it once, and that way there is a permanent fingerprint correlation with real identity. I can bet that EVERYBODY will get it at some point so Google and other people on board with this atrocity (webmasters are also accomplices) can finish up the master plan.
sandworm101 32 days ago [-]
>> whether they literally just don't care about having customers
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
sumeno 31 days ago [-]
> most human visitors will actually be unable to pass the CAPTCHA
Most human visitors will pull out their smartphone and just do it without giving it much thought.
palata 31 days ago [-]
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
pixel_popping 31 days ago [-]
I don't see the correlation with Google-signed android actually, people really want to have this friction when they visit a website? Like having to get your phone from another room, use the camera and all that to access a website? This is so anti-pattern and is also disrespectful toward consumers, any webmaster participating in this imo should rethink his career and morality.
lxgr 32 days ago [-]
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
g-b-r 32 days ago [-]
Yeah, live in a cave, and problem solved.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
flatIronSteak 32 days ago [-]
> Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
KPGv2 32 days ago [-]
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to deanonymize everyone.
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
ggiigg 32 days ago [-]
Felt the same way about GrapheneOS but a few friends set it up so I gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
komali2 32 days ago [-]
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashed when I did, or other issues. So I gave it a pass.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
pocksuppet 31 days ago [-]
Breathlessly awaiting the upcoming Motorola/Graphene crossover phone.
Ygg2 31 days ago [-]
Can you run Graphene on non Pixel phones?
Sophira 31 days ago [-]
Not yet. They've partnered with Motorola, though, so we'll probably be seeing some of their phones in the future that can run GrapheneOS.
duskdozer 31 days ago [-]
You can use Lineage [/with microG]
bornfreddy 31 days ago [-]
This. For privacy, it is much better to avoid Google Play services (which are the only supported solution for push notifications in GrapheneOS).
g-b-r 32 days ago [-]
sieabahlpark, I probably hate this more than you, you misunderstood
sieabahlpark 32 days ago [-]
[dead]
vasco 32 days ago [-]
So what are you doing here?
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
ethin 32 days ago [-]
The other problem with this is that there are few CAPTCHA alternatives.
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
userbinator 32 days ago [-]
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
ribtoks 32 days ago [-]
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly “small” independent companies, they are not visual captchas (proof-of-work based) and very accessible.
fireflash38 31 days ago [-]
The answer that no one likes: make it cost a nominal amount of money.
Enough to make it so bots are expensive to run.
Roark66 31 days ago [-]
At least in my country (Poland) you should be able to make a pretty big fuss resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.
People do care about such things.
I hope the same is true in other EU countries.
unethical_ban 32 days ago [-]
I agree, and I think CAPTCHA is a disservice on public websites.
yehat 32 days ago [-]
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
JKCalhoun 31 days ago [-]
Beautiful analogy, BTW.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
majorchord 32 days ago [-]
> I'm not going to give up reading the test results from my doctor
You could just call them.
andwur 32 days ago [-]
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
petre 32 days ago [-]
I was unable to book a doctors meeting through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
getpokedagain 32 days ago [-]
Or ask for a print out.
scbrg 31 days ago [-]
Fairly sure that would be considered a breach of patient confidentiality where I live, at least.
Sorry to hear that. What did people do before computers then?
scbrg 31 days ago [-]
Not sure how that's relevant. There are computers now. Regulations change with the times. Green lasers weren't controlled in the 1700s either.
Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonorrhea results?"
majorchord 31 days ago [-]
> Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonorrhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
scbrg 30 days ago [-]
Alright. I didn't know that. "Just call them" did not sound like it included any kind of authentication procedure.
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in a long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
ranger_danger 30 days ago [-]
> And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
It already is a solution, and has been in widespread use for many decades. I don't think it's going anywhere.
account42 29 days ago [-]
That misses the point: alternatives will only be available as long as enough people use them.
ranger_danger 29 days ago [-]
I still make and receive calls all the time to get test results from my doctor, I think tons of people still use that option.
1vuio0pswjnm7 32 days ago [-]
HN uses reCAPTCHA under certain conditions
getpokedagain 32 days ago [-]
I've not hit it but that would suck.
pixel_popping 31 days ago [-]
I doubt they would let users be KYCed to access HN frankly, I seriously hope not at least.
jollymonATX 31 days ago [-]
Removing recaptcha from my sites now actually. It's not much, but it's something.
IshKebab 31 days ago [-]
Or stop spreading this extraordinarily naive view of how the world works.
mekoka 31 days ago [-]
[dead]
rdedev 32 days ago [-]
When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC backed bots
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? It's kinda ruining that font style for me.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
SlinkyOnStairs 32 days ago [-]
> How is this not grounds to be sued into oblivion by Google and Meta?
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; while the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
xmcp123 32 days ago [-]
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
chadgpt2 32 days ago [-]
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
eddythompson80 32 days ago [-]
That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
tardedmeme 32 days ago [-]
These companies would have to buy one phone per fake influencer.
tcoff91 32 days ago [-]
Wow that is so dystopian.
huflungdung 32 days ago [-]
[dead]
nullc 31 days ago [-]
> (as that would be 'farmable')
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that, schemes that mitigate the privacy loss would be a top priority.
dheera 32 days ago [-]
> Google didn’t demand iPhone users install Google software to pass the test.
Can de-Googled Android phones present themselves as iPhones?
coppsilgold 32 days ago [-]
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
clort 31 days ago [-]
In the UK, the Department of Education guidance is that schools should be mobile-phone free. Students use computers to access the web fairly regularly. Guess that would be problematic then, since many schools' policies are that mobile phones should be turned off and stored in your bag during the day.
varispeed 32 days ago [-]
Shouldn't that be illegal under GDPR?
gib444 31 days ago [-]
There are massive exemptions for the prevention and detection of crime
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
xinayder 31 days ago [-]
What crime are you preventing or detecting by verifying you're human?
baybal2 31 days ago [-]
[dead]
dwedge 32 days ago [-]
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
drnick1 32 days ago [-]
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
palata 31 days ago [-]
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
hsbauauvhabzb 31 days ago [-]
Ah yes, google, the company who notoriously doesn’t offer any customer support will definitely make way for such complaints.
dwedge 31 days ago [-]
Drop your sarcasm for long enough to see that "I won't use your app if I have to use Google" is not a complaint _to_ Google.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000). They are making excuses but maybe they would care about why.
microtonal 31 days ago [-]
Also, it works in practice. Some banks have fixed their apps after GrapheneOS mentioned that the app was broken. In some of the issues/reports linked at https://privsec.dev/posts/android/banking-applications-compa... there are even bank app developers joining in on the discussion (e.g. NL -> Triodos).
hsbauauvhabzb 31 days ago [-]
The consumers of google captcha will not care if on occasion some failing business attempts to enable graphene or Lineage users, the userbase of those users is not enough for most companies to care and the ones that do probably aren’t cared for by google.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
palata 31 days ago [-]
Not to Google, and not to any of the TooBigTech, obviously. For those, we need to enforce regulations (that already exist but are ignored). As a user, the only thing you can do against TooBigTech is to complain to your government (if they can listen, e.g. in the EU there is a DMA entity that you can and should contact).
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
xerox13ster 32 days ago [-]
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
tuzakey 32 days ago [-]
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. It's not the insurmountable obstacle everyone makes it out to be, but it's not going to be free unless you already have an IP that meets the criteria.
If you don't have a static IP you will want to think about an MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
daneel_w 31 days ago [-]
My approach is to run a VPS with multiple static IPs that I (using Wireguard) tunnel to a number of virtual machines I host at home on a microserver. Likewise, the virtual machines' primary view of the Internet starts on the opposite side of the tunnel.
degamad 31 days ago [-]
I do it self-hosted on a rented VPS, which gets around the IP address issue.
drnick1 32 days ago [-]
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
manmal 32 days ago [-]
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
dwedge 31 days ago [-]
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.
I had an issue with yahoo a couple of years ago, that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reddit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
alaudet 31 days ago [-]
You got me really interested here, I ran my own mailserver years ago and eventually just gave it up. I am getting rid of Google Workspace and have been planning a migration to Proton for two domains. But this sounds like a fun project. Any advice? I am going to check out Mox and Stalwart.
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
dwedge 31 days ago [-]
If I remember rightly DO have some restrictions like port 25 on ipv6 outbound being blocked.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
alaudet 31 days ago [-]
Excellent thanks
drnick1 29 days ago [-]
Not very often at all, but it did happen at least once. Note that even email sent from Google itself can be marked as spam depending on the message.
tuzakey 31 days ago [-]
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential; it's nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if it's just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think it's cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF, make sure you're requiring STARTTLS and set up MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Let's Encrypt; don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful for troubleshooting deliverability; be prepared to read some XML reports or set up a stack to parse them as they arrive (DNS + Config + https)
* set up the SMTP Submission port (587), so many networks block port 25 outbound and it's the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up a solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
I do all of those things and with all of that setup the only place I ever run into issues is with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&T's free email and on to ProtonMail at this point.
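The DNS side of the checklist above (SPF ending in -all, DMARC moved from p=none to p=reject, a sufficiently sized DKIM key, MTA-STS and TLS-RPT records) can be audited offline. This is an added example and not tuzakey's or any project's code; the domains and TXT records it checks are constructed, and live lookups would replace the in-memory table.

```python
import base64


def fake_rsa_spki_b64(bits):
    """Placeholder with the byte length of a real DER SubjectPublicKeyInfo
    for an RSA key of `bits`; not a usable key, only the right size."""
    return base64.b64encode(bytes({1024: 162, 2048: 294, 4096: 550}[bits])).decode()


# Constructed DNS TXT table standing in for live lookups; the domains are not real.
SAMPLE_DNS = {
    "good.test": ["v=spf1 mx ip4:203.0.113.10 -all"],
    "_dmarc.good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.test"],
    "mail._domainkey.good.test": ["v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(2048)],
    "_mta-sts.good.test": ["v=STSv1; id=20240101T000000"],
    "_smtp._tls.good.test": ["v=TLSRPTv1; rua=mailto:tlsrpt@good.test"],
    "weak.test": ["v=spf1 mx ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "mail._domainkey.weak.test": ["v=DKIM1; k=rsa; p=" + fake_rsa_spki_b64(1024)],
}


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC, DKIM, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record (receivers treat this as permerror)"]
    last = spf[0].split()[-1].lower()
    if last != "-all":
        return [f"SPF: ends with {last!r}; checklist wants a hard fail (-all)"]
    return []


def check_dmarc(records):
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no _dmarc record"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only; move to p=reject once SPF/DKIM pass")
    elif policy != "reject":
        findings.append(f"DMARC: p={policy!r}; checklist wants p=reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings


def estimate_rsa_bits(p_tag):
    """Approximate the RSA modulus size from the DER SPKI length (DER overhead
    is about 36 bytes); enough to tell 1024 from 2048 without an ASN.1 parser."""
    der = base64.b64decode(p_tag + "=" * (-len(p_tag) % 4))
    return round((len(der) - 36) * 8 / 256) * 256


def check_dkim(records, min_bits=2048):
    dkim = [r for r in records if r.upper().startswith("V=DKIM1")]
    if not dkim:
        return ["DKIM: no selector record"]
    tags = parse_tags(dkim[0])
    if not tags.get("p"):
        return ["DKIM: empty p= (key revoked)"]
    if tags.get("k", "rsa") == "rsa":
        bits = estimate_rsa_bits(tags["p"])
        if bits < min_bits:
            return [f"DKIM: RSA key ~{bits} bits; RFC 8301 recommends at least {min_bits}"]
    return []


def audit(domain, dns=SAMPLE_DNS, selector="mail"):
    """Run the DNS-side checks for one domain; an empty list means every record
    the checklist asks for is present and configured as it recommends."""
    findings = []
    findings += check_spf(dns.get(domain, []))
    findings += check_dmarc(dns.get(f"_dmarc.{domain}", []))
    findings += check_dkim(dns.get(f"{selector}._domainkey.{domain}", []))
    if not any(r.startswith("v=STSv1") for r in dns.get(f"_mta-sts.{domain}", [])):
        findings.append("MTA-STS: no _mta-sts TXT record (the https policy file is not checked here)")
    if not any(r.startswith("v=TLSRPTv1") for r in dns.get(f"_smtp._tls.{domain}", [])):
        findings.append("TLS-RPT: no _smtp._tls record, so TLS failures go unreported")
    return findings


if __name__ == "__main__":
    for d in ("good.test", "weak.test"):
        print(d, audit(d) or ["ok"])
```

The MTA-STS check only confirms the DNS record exists; the policy file served over https and the mail server's STARTTLS enforcement still need checking separately.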
grepfru_it 31 days ago [-]
For the people whose mail service blocks you and they cannot or will not change their mail provider, what is your solution?
tuzakey 30 days ago [-]
I would just send those domains through mailgun with a transport map in postfix, it probably wouldn't even break the free tier.
If you use mailgun or similar you have to set up DKIM keys for them and add them to your SPF.
alaudet 31 days ago [-]
Great info, thanks
dwedge 31 days ago [-]
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
ryukoposting 32 days ago [-]
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
dwedge 32 days ago [-]
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
dexterdog 32 days ago [-]
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
ryukoposting 30 days ago [-]
Noted, thank you for the advice.
palata 31 days ago [-]
> One bank refused to work (even with Google services) so I moved bank
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
circuit10 31 days ago [-]
When I had a jailbroken iPhone my bank app (HSBC) would detect it and show a warning but let you continue anyway at your own risk, which I thought was a reasonable compromise
fullstop 31 days ago [-]
> It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
I feel this more and more each day.
ghm2180 31 days ago [-]
This should be the way. Have a tiny burner phone for maps and any apps that you absolutely can't use without Google (it should be a tiny set of < 10 apps hopefully) until you can fully de-google
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category, what one cannot do trivially as an indie dev, is creating a great fresh PoI dataset. This is tough to do on a planetary scale because it's a societal cooperation problem.
class3shock 31 days ago [-]
The problem with this is gmaps. There is no alternative to it and by the nature of it knowing your location it removes anonymity. I would buy, or even pay a monthly fee, for something that is 75% as good as gmaps but respects your privacy but there is nothing out there I have found.
zx8080 32 days ago [-]
Nice that there's bank to move to. We need regulations against such lock ups.
dwedge 31 days ago [-]
Forced 2FA for banking in the EU is making this worse when it doesn't work
gonzalohm 32 days ago [-]
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
drnick1 32 days ago [-]
What makes Samba annoying? I think it's perfect for its intended use (LAN).
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
I don't get how Samba is not there yet. We already have everything in the OS, the UI, the mental model, the protocols, how come it's such a terrible experience that we need to re-invent the wheel in web 2.0.. Maybe we need a Jarred Sumner to fix it.
BloodyIron 31 days ago [-]
Samba has never been about file sharing over the internet. The project has been about cleanroom-reverse-engineering specific MS technology. To start it was NT4 authentication domains, then printing services, along the way SMBv1 (commonly incorrectly called CIFS btw), then SMBv2 v3.x, and then in 2012 Samba Active Directory.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
komali2 32 days ago [-]
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
danparsonson 32 days ago [-]
Syncthing is very nice.
cromka 32 days ago [-]
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
gonzalohm 31 days ago [-]
It's not the same though. It requires downloading the entire shared folder. That doesn't work when I have 100+GB of files and I want to share it with my phone
If you don't need file sharing, you can just set up WireGuard, set up a network drive in your phone's files app, and then when connected it'll feel like native file browsing.
Proton Drive works well and is from a company that supports privacy but does require a paid subscription.
paweladamczuk 31 days ago [-]
What do you use for calendar and tasks hosting?
I'm on a similar journey and I use Radicale.
foltik 31 days ago [-]
Have you tried the Uber webapp?
ranger_danger 32 days ago [-]
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
Jigsy 32 days ago [-]
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
anonymousiam 32 days ago [-]
Why not just change your user agent string?
mschuster91 32 days ago [-]
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
codedokode 32 days ago [-]
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
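As an added illustration of the check codedokode describes (example code, not code from the thread): a page can classify the OS that the `User-Agent` string claims and compare it against `navigator.platform`, which the browser fills in on its own. A visitor who only edited the UA string still reports the real platform, so the two disagree. The `navigator` objects below are constructed samples so the check runs outside a browser; the OS families and the ARM-Linux-means-Android rule are this example's own simplifications.

```javascript
// Added example, not from the thread: consistency check between the
// User-Agent string and navigator.platform. Editing only the UA string
// leaves navigator.platform untouched, so the two disagree.
'use strict';

// Map a User-Agent string to the OS family it claims.
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return 'windows';
  if (/Android/.test(ua)) return 'android';       // before Linux: Android UAs also say "Linux"
  if (/iPhone|iPad|iPod/.test(ua)) return 'ios';
  if (/Mac OS X|Macintosh/.test(ua)) return 'mac';
  if (/Linux|X11/.test(ua)) return 'linux';
  return 'unknown';
}

// Map navigator.platform to the same OS families.
// Assumption for this example: ARM Linux platforms are Android devices.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return 'windows';
  if (/^Linux (armv|aarch64)/.test(platform)) return 'android';
  if (/^(iPhone|iPad|iPod)/.test(platform)) return 'ios';
  if (/^Mac/.test(platform)) return 'mac';
  if (/^Linux/.test(platform)) return 'linux';
  return 'unknown';
}

// Compare the two classifications. 'unknown' means one side could not
// be classified, which a fingerprinting SDK would itself treat as a signal.
function checkUserAgentConsistency(nav) {
  const claimed = osFromUserAgent(nav.userAgent);
  const actual = osFromPlatform(nav.platform);
  if (claimed === 'unknown' || actual === 'unknown') {
    return { verdict: 'unknown', claimed, actual };
  }
  return { verdict: claimed === actual ? 'consistent' : 'mismatch', claimed, actual };
}

// Constructed sample navigator objects (not captured from real traffic).
const honestLinux = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
  platform: 'Linux x86_64',
};
const spoofedUserAgent = {
  // UA edited to claim Windows while the browser still runs on Linux.
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36',
  platform: 'Linux x86_64',
};
const honestAndroid = {
  userAgent: 'Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Mobile Safari/537.36',
  platform: 'Linux armv8l',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, nav] of Object.entries({ honestLinux, spoofedUserAgent, honestAndroid })) {
    console.log(name, checkUserAgentConsistency(nav));
  }
}
```

A mismatch here does not prove automation; it only shows the visitor's claimed and actual platforms disagree, which is the kind of inconsistency that makes a spoofed UA stand out rather than blend in. Real SDKs combine dozens of such signals (client hints, rendering quirks, TLS parameters) rather than one.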
userbinator 32 days ago [-]
That naturally implies we must patch the browser.
"Source code? We don't need no stinkin' source code!"
codedokode 31 days ago [-]
That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
tardedmeme 32 days ago [-]
It probably fingerprints the browser via TLS fingerprinting.
miladyincontrol 32 days ago [-]
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.
I know people like to think of suspicious Android box setups, but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but it's sad how many people will use some free-of-cost VPN and not even think why that might be.
ranger_danger 32 days ago [-]
Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
donmcronald 32 days ago [-]
Does the app function as a proxy? I always assumed that wasn’t possible.
ranger_danger 32 days ago [-]
Why wouldn't it be possible? As long as background network access is allowed (the default).
chadgpt2 32 days ago [-]
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
donmcronald 32 days ago [-]
Yes. What if your connection is used for illegal activity?
wraptile 31 days ago [-]
It's not only the IP but the entire browser stack that is being fingerprinted: JavaScript, HTTP, TLS, everything. I've been living in the SEA region on Linux Firefox for the last 10 years and the web has been miserable due to Cloudflare and reCAPTCHA.
ranger_danger 31 days ago [-]
Yep I often have to launch a clean/ephemeral chromium profile just to access a specific website, but even then it's sometimes not enough.
ck2 32 days ago [-]
Whenever I can't access a website for various stupid blocks, I fire up Cloudflare WARP and walk right through it.
Use WireGuard with wgcf in environments without the Cloudflare client.
Yeah, it's stupid we have to do this in 2026, but I guess Cloudflare is the new AOL garden.
wafflemaker 32 days ago [-]
You sir seem to have solved a problem many people here have.
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
tardedmeme 32 days ago [-]
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
krackers 32 days ago [-]
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
donmcronald 32 days ago [-]
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
titularcomment 32 days ago [-]
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.
hysan 32 days ago [-]
Turnstile feels bad as a user. Every site that I've seen it on will lock up Safari hard while it's doing whatever it's doing. But at least I haven't run into more than 2 refresh loops.
rescbr 32 days ago [-]
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
prism56 32 days ago [-]
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
retired 32 days ago [-]
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
Milpotel 32 days ago [-]
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
ranger_danger 32 days ago [-]
Nope, I have tried. Just as suspicious to them if not more so because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
chrisjj 31 days ago [-]
> I just take my business elsewhere...
Mars? /i
palata 31 days ago [-]
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
bjackman 31 days ago [-]
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations, but even if that organisational problem is solved there is still a fundamental technological problem here now that humans can't be detected by their ability to solve puzzles any more.
Zak 31 days ago [-]
> What OSs can they safely trust?
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
sneak 31 days ago [-]
Wanting to load a webpage anonymously is not something that makes one a “fraudster”.
surajrmal 31 days ago [-]
Arguably anyone else who can provide a similar level of trustworthy authentication that they are not a bot can work with Google to get support. Fundamentally this is a trust based problem and only OS providers are even capable of building such systems. There are very few of those out there. The key is that the systems need to be locked down to prevent automation of input and that automatically disqualifies most android alternatives that the community likes. It's clear that Apple offers this capability though. I can imagine a more locked down version of Windows also providing this in the future.
bjackman 31 days ago [-]
Yes that is what i mean, anyone can do it technically, but they are gonna have to build a slightly crappy OS in order to do it.
But still, better multiple slightly crappy OSs instead of just one (plus Apple).
mnadkvlb 31 days ago [-]
Exactly. Imagine them blocking captchas on iphone or windows
thayne 31 days ago [-]
IIUC, they are blocking it on Windows, unless you have an Android or iOS device you can use to complete the "captcha".
pixel_popping 32 days ago [-]
archive.is just asked me for a QR code scan. I'm so ashamed of that crap (it's behind Cloudflare). Forcing website visitors to KYC? Are you guys insane!?
The web is ruined if you push for this. This is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for the Play Store without a number, so every website visit will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
codedokode 32 days ago [-]
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
duskdozer 31 days ago [-]
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
tocariimaa 32 days ago [-]
The water is already boiling and the frog can't get out anymore.
syntheticnature 32 days ago [-]
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
altairprime 31 days ago [-]
Their squabble was to claim that Cloudflare wouldn’t let them collect identifying information about the original requestor. No doubt they’re thrilled by this change’s identity exposure.
riedel 31 days ago [-]
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
zelphirkalt 31 days ago [-]
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
j027 32 days ago [-]
You can still use the audio captcha, but I’m not sure how long that’ll be around.
BloodyIron 32 days ago [-]
Google will incur serious lawsuits if they remove that accessibility aspect.
a2128 32 days ago [-]
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
chrisjj 31 days ago [-]
They'll keep it, but require TPM in each ear.
actualwitch 31 days ago [-]
Haven't you heard? Accessibility is woke, and the institutions that are supposed to protect it are being dismantled. I wouldn't be counting on those lawsuits going anywhere personally.
velocity3230 32 days ago [-]
Sound advice.
tomrod 31 days ago [-]
Even crazier is that there is nothing preventing agents from not using this. The hardware, signing, etc. can all operate as part of an autonomous agent stack. There is no benefit here to anyone.
I think this is just gonna make viewing the internet without a phone significantly harder, especially with archive.is and the likes.
Not sure how relevant this is to the discussion, but if it helps, I have made a project[0] which allows archiving archive.is pages on archive.org/wayback machine (this uses SingleFile).
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
What? Don't Cloudflare literally have their own CAPTCHA service? Why are they using reCAPTCHA?
gruez 32 days ago [-]
They mimic the cloudflare captcha page but they're not hosted by cloudflare.
pixel_popping 31 days ago [-]
Never understand this anymore, it's genuinely one of the easiest services to pay to bypass automatically (literally 3-liner of JS), webmasters are becoming incompetent.
31 days ago [-]
stavros 31 days ago [-]
If you don't understand something, the first thing to do is try to understand it, before going to "the people who use this are incompetent".
In this case, the answer is right there in the question: You have to pay to bypass it.
pixel_popping 31 days ago [-]
Sometimes, people just make dumb choices. There is nothing to understand except plain laziness: there are better captchas, free, non-invasive, more secure, GDPR compliant and so on, that are also not covered by captcha-solving providers. So what's the positive argument for reCAPTCHA?
thayne 31 days ago [-]
I was involved in evaluating captcha solutions. The only reCAPTCHA alternative that met the requirements that we were able to find was hCaptcha, but it wasn't any cheaper (for us), and would require going through the vendor approval process, whereas Google was already an approved vendor. There wasn't really a compelling reason to switch.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
stavros 31 days ago [-]
A very strong brand?
pixel_popping 31 days ago [-]
You really think it's the reason? I've worked with many developers, and they use reCaptcha just because they are used to it and did it in the past, I doubt customers love the "reCaptcha branding", to the contrary, nicer captchas (or even invisible ones, even better) improve retention.
stavros 31 days ago [-]
"Because I'm used to it" is what a strong brand is.
thayne 31 days ago [-]
> or even invisible ones
reCAPTCHA is "invisible" by default. Although if you use a non-Chromium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
tom1337 32 days ago [-]
I wondered the same earlier and I am pretty sure they are just mimicking Cloudflare's validation page. No way is Cloudflare paying for reCAPTCHA when they have their own product, Turnstile, available.
duskdozer 31 days ago [-]
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
EmbarrassedHelp 31 days ago [-]
If you reload the page it'll give you a non QR code captcha to do. Hopefully it stays that way or attestation captchas are removed entirely.
cornholio 32 days ago [-]
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic, so unless you want your own bots locked out from e.g. properties guarded by Amazon, Cloudflare, Microsoft etc., you will need a bargaining chip.
hedora 32 days ago [-]
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
sunshine-o 31 days ago [-]
Nice, I understand it is similar to ArchiveBox + its web extension.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the Internet Archive's warcprox [0]. Haven't tried yet.
For a short time I had warcprox sitting behind my Firefox and auto-feeding its output to pywb. It seemed to work, but I had connections failing randomly after having warcprox running for more than a few hours to days. Not sure if it's an issue with pywb or warcprox, but there were some URLs missing that I did browse in Firefox, and many dynamic pages couldn't be replayed at all.
sunshine-o 31 days ago [-]
I am not surprised...
I am unfamiliar with web caching proxies like squid [0] but I am wondering if that might be the most straightforward way to do this.
So use squid and then have a batch job that goes through /var/spool/squid every day and updates your web archive according to some defined filters.
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
surajrmal 31 days ago [-]
I'm not sure the definition of anti-trust matches what you're saying. Are there any retail android devices for sale without Google Play Services? Also, notably iPhones will be able to still work despite not having Google Play Services.
a2128 31 days ago [-]
Retail phones for sale without Google Play Services:
All Huawei phones, which use Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
goda90 31 days ago [-]
They're using their position to force people to buy a certified Android phone or iPhone in order to use millions of websites Google doesn't even own. People without a phone, people with dumb phones and alternative operating systems (deGoogled Android being just one example) can be totally cut off.
palata 31 days ago [-]
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
cromka 32 days ago [-]
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
> because the EU currently doesn't want to antagonize US any more with their tech fines
Yeah, I say it as "because the US bullies the EU to prevent them from doing it".
probably_wrong 32 days ago [-]
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
treis 32 days ago [-]
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
rockskon 31 days ago [-]
As others in this thread have commented - there are scammer hubs where a single person controls hundreds if not thousands of phones at a time.
The people who this method is most hoping to stop are the least likely to be impacted by it in the long run.
altairprime 31 days ago [-]
This is the exact method used to secure iMessage against spam: secure attestation and ‘console’ bans of devices (reversible by iirc phoning support, indicating who you purchased the used device from, and providing an ID). But Google is trying to pull a Windows 11 “TPM or die” conversion on the public Internet via Recaptcha. Welcome to the attestation wars, unwitting websites :)
supriyo-biswas 32 days ago [-]
Private access tokens are also a repackaged WEI as far as I'm concerned.
incompatible 32 days ago [-]
"pretended" ... do they even care any more?
FateOfNations 32 days ago [-]
Not Invented Here Syndrome?
nightpool 32 days ago [-]
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
cantalopes 32 days ago [-]
This is crossing the line where the governments should step in and ban/fine Google heavily for this monopoly behavior.
data-ottawa 32 days ago [-]
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
failuser 32 days ago [-]
The governments are the ones who need it the most. They want to know who all the potential and current dissidents are.
bigyabai 32 days ago [-]
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
OutOfHere 32 days ago [-]
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
milderworkacc 32 days ago [-]
I agree. There are pretty clear grounds here to think about opening an investigation into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
KPGv2 32 days ago [-]
[flagged]
chrisjj 31 days ago [-]
"Don't be evil. That's our job."
gib444 32 days ago [-]
Oh man as if we still live in those times
smallerize 32 days ago [-]
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
gene91 32 days ago [-]
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
oefrha 31 days ago [-]
Using apps based on Google Play Services may be impossible on those phones out of the box (not sure), but websites have no such dependency and most people don’t give a crap about push notifications from PWAs anyway so whether FCM works with the device matters little. Also doesn’t the web push API support different push services at registration time so those devices’ browsers can register their own vendor push server? (It’s been a while since I implemented web push myself, memory is fuzzy.)
This is blocking access to websites wholesale, so it’s on a whole different level.
ickyforce 32 days ago [-]
What's wrong with Apple push notifications in China?
poilcn 32 days ago [-]
"non-Apple", i.e. Android
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
varenc 32 days ago [-]
I have a good friend who doesn't own a cell phone. He's a math professor. Every year he keeps living life without a smartphone, I continue to be more impressed. Things like this makes me feel like he might have to eventually give in. https://archive.is is now serving, via Cloudflare, this QR code backed CAPTCHAs. There seems no way to get past them without a smartphone. Sad times. I wonder at what point even basic government services will essentially require a smartphone.
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
phyzome 32 days ago [-]
I don't have one either. No plans to get one, even with this.
eks391 30 days ago [-]
I envy you. Before I degoogled my life, I tried going all in to no smart phone. It didn't last very long. I still would like to get there, but considering how difficult and slow it was just to degoogle, I anticipate that it may be a long time before I can operate without a smart phone.
phyzome 29 days ago [-]
The main thing that makes me think about getting a smartphone is navigation. But I never lost the skill of "looking up/writing down directions before you go" so it's not too bad.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
SJMG 31 days ago [-]
No cell phone period or no smart phone? I'm not sure how people manage the former. Do you have a home with a land line? What do you do when you travel?
phyzome 31 days ago [-]
Ah, I have a cell phone, not a smartphone. (Didn't notice that the parent comment referred to both.)
tinycommit 32 days ago [-]
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
Bots are usually very stupid and will bail on any captcha system they don't recognize, so anything you make that's custom and requires javascript will cull 99% of them. This may change at some point with LLMs but for now my websites at least are still holding strong.
kristianp 31 days ago [-]
Anubis is an alternative to captchas, it's OSS.
tardedmeme 32 days ago [-]
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
himata4113 32 days ago [-]
In my good ol' days I just sent a screenshot of the entire captcha iframe to 2captcha for the grid, which means that the solvers would have to figure out what to do instead of me having to write code for each different type of captcha. To solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest-brightness object, since 50% opacity would dim the moving elements.
Velocifyer 31 days ago [-]
hCaptcha is horrible. I think that a PoW captcha would be effective to make spammers just mine Monero instead.
buzzwords 32 days ago [-]
Given the way Google is going I'm not sure if my next phone will be Android. I am fully aware that I am probably in the minority here. For me the trust is entirely gone.
fluidcruft 32 days ago [-]
There really isn't much of an option. Apple's just as bad if not worse.
queenkjuul 32 days ago [-]
At least with an Android I have the option of Graphene, and have access to a terminal, and for now can sideload apps.
With apple there's no choices, so I'll continue to take my chances with Android
fluidcruft 32 days ago [-]
Possibly... but the extension of this to Android and Apple is going to be the entire internet shuts you out. And everything else will be a giant Dead Internet crawling with bots.
tardedmeme 32 days ago [-]
The sites that require you to log in are precisely the same ones that are crawling with bots. The personal internet or "small web" is, and still will be, full of real content. There are also lots of bot websites that are trying to be small web, but since it's an actual social network and not a giant pool everyone pours stuff into, they don't get traction. If you do find a website that seems to be human but links to a thousand AIslop sites, you'll stop following that guy's links.
duskdozer 31 days ago [-]
It's less about those sites than it is about government services, banking, healthcare, employment, etc
tardedmeme 31 days ago [-]
Your online banking will be overrun with bots? Your healthcare will be overrun with bots?
What does that even mean?
fluidcruft 31 days ago [-]
What they mean is those are the sites that will require attestation. It's pretty quaint to think that people who don't like bots would rather play whack-a-mole with bots when they can just flip a switch and they're gone.
microtonal 32 days ago [-]
I have to see. As much as I don't like Murena and /e/OS, they seem to have some clout with the EU/EC. Given that they are using microG and also hit by this, they might be able to nudge the EC to act on this.
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
palata 31 days ago [-]
> Also, personally I care less and less. As long as my banks and government apps work
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
lxgr 32 days ago [-]
Can Graphene OS pass this kind of Google attestation challenge, though?
palata 31 days ago [-]
No.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
chadgpt2 32 days ago [-]
Both are terrible for privacy so it comes down to which one has a nicer screen now. :(
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
LeoPanthera 32 days ago [-]
> Apple's just as bad if not worse.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells itself as a privacy company, but often picks (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
cyklosarin 32 days ago [-]
Motorola + GrapheneOS next year could be an alternative. So far they've been relatively insulated from the changes that have been coming down from Google.
palata 31 days ago [-]
Motorola won't change a thing about hardware attestation. GrapheneOS is locked out from reCAPTCHA because GrapheneOS is signed by GrapheneOS and not by Google.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
doctor_radium 32 days ago [-]
I'll be waiting.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
t_mahmood 31 days ago [-]
For calendar, I now have my own local setup, with Tailscale.
So, you run a Radicale server, and you can import Google Calendar.
Set up DAVx5 on mobile to sync with the local server.
Access from anywhere with Tailscale.
microtonal 32 days ago [-]
Or if you need it now, Pixel + GrapheneOS. Pixel A-series are really affordable. E.g. the 9A is 350 Euro here, has great device security (Google Titan M2 hardware security processor, CPU that supports MTE, etc.), pretty good cameras/camera processing, etc.
You won't be alone. I've resolved that this will be my last Googled phone.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
drpixie 32 days ago [-]
I'm inclined towards keeping an ancient android for those apps that require it, and maybe something open for actual use. Or perhaps a crappy old android for android and a small non-android tablet/laptop for daily-driver stuff, which always works better as a computer anyway!
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
nosioptar 32 days ago [-]
I've been getting asked more and more how to degoogle stuff by non-nerds.
drnick1 32 days ago [-]
Android yes, but Graphene is the answer.
lxgr 32 days ago [-]
Almost completely unrelated, but I recently helped out a very confused family member with deleting not one, but two Google Cloud accounts they had no idea existed, and that they only learned about from an email referencing reCAPTCHA getting integrated into some other Google product offering.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
brunocvcunha 32 days ago [-]
AI Studio playground maybe? It seems all integrated.
lxgr 32 days ago [-]
They almost certainly didn't use that.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
arccy 32 days ago [-]
probably Google Doc Apps Script, those create so many Google cloud projects
koala-news 32 days ago [-]
The internet increasingly feels like “prove you’re using the approved computer” instead of “prove you’re human”.
balamatom 31 days ago [-]
Those two add up to "prove that you allow computer vendors to teach you what 'human' means".
drnick1 32 days ago [-]
So Stallman was right, after all?
quantummagic 32 days ago [-]
Everyone, including Linus Torvalds, who rejected Stallman as too political or ideological, and advocated for "pragmatism" instead, is part of the reason we're where we are today. And it's going to get a lot worse, before it ever gets better.
palata 31 days ago [-]
I disagree. The reason we are where we are today is the lack of antitrust.
quantummagic 31 days ago [-]
Even if we accept your premise, laws don't just appear; they are an organized response to a recognized problem. But everyone has been sleeping on the problem lurking in our infrastructure, undermining any impetus to enact such laws. And the people screaming from the mountain top (like Stallman), trying to raise awareness, were routinely mocked and marginalized by those all too happy to accept convenience and expediency, over more sustainable values.
palata 31 days ago [-]
> laws don't just appear
Antitrust laws have existed for decades. They just have to be honoured.
drewfax 32 days ago [-]
I wish Linus had adopted GPL v3. He had the power to stop this madness from big tech, but he sided with them. It just reveals that he never fully understood the reason for the existence of GPL in the first place.
rvz 31 days ago [-]
> He had the power to stop this madness from big tech, but he sided with them.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
surajrmal 31 days ago [-]
What do you define as selling out? Having a different perspective from your own? There are many legitimate reasons for why someone can believe the opposing view points. Devolving into us vs them rhetoric is not conducive to a reasonable conversation.
rvz 30 days ago [-]
> What do you define as selling out?
I think you need to read the comment again:
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
surajrmal 30 days ago [-]
I did read your comment, but making money from speaking about software is not selling out to me. Is that what you meant?
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
palata 31 days ago [-]
GPLv3 would not prevent remote attestation AT ALL.
drewfax 30 days ago [-]
GPL v3 specifically requires the vendor distributing the GPL v3 components to allow the user to change the software on the end user device. This means no more locked bootloader. We would have had choice to install custom Android distributions and thus less Google monopoly.
palata 30 days ago [-]
It was always possible to install Android alternatives, GPLv3 has nothing to do with it. I have nothing against GPLv3 of course, but this is just not true.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
xethos 32 days ago [-]
One thing I hope we've all discovered by now is that, if Stallman hasn't been proven right at the present moment on any topic that touches on libre computing, it's only a matter of time until he is.
sunshine-o 31 days ago [-]
Yes he was.
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
himata4113 32 days ago [-]
I did something unpopular and just didn't have a captcha. I just read up on creepjs etc. and rolled out my own, which is just browser state analysis, a basic IP check (abuse lists only) and PoW. Haven't had an issue with a single bot registration (yet).
grishka 31 days ago [-]
A simple captcha with distorted characters + some hidden form fields would stop every single "opportunistic" bot.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
himata4113 30 days ago [-]
I rotate structures every request; I made it explicitly hard to automate, and I just raise the PoW during attacks. It's always about reducing volume rather than preventing it, and a million registrations later it's still holding strong.
Bots get pruned after an hour, since 100% of the bots fall into the same trap; giving it a delay makes A/B testing really difficult and breaks most AI strategies.
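A server-side sketch of the approach himata4113 and grishka describe above (PoW that gets raised under attack, structures rotated per request, a hidden honeypot field, and delayed pruning instead of an immediate reject). This is an added example, not himata4113's code; the field-name scheme, window sizes, bit counts and the accept/reject/quarantine outcomes are constructed assumptions.

```python
"""Adaptive proof-of-work + honeypot registration gate (constructed example).

Stateless HMAC-tagged challenges; difficulty rises with the recent submission
rate; form field names rotate per request; a filled honeypot quarantines.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

MAX_BITS = 24  # hard ceiling so legitimate users are never locked out


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the PoW 'score')."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


@dataclass(frozen=True)
class Challenge:
    nonce: str       # random per request, never reused
    bits: int        # required leading zero bits of sha256(nonce:counter)
    issued: int      # unix time the challenge was issued
    real_field: str  # rotating name of the real e-mail input
    trap_field: str  # rotating name of the hidden honeypot input
    tag: str         # HMAC over the fields above; lets the server stay stateless


def _payload(nonce, bits, issued, real_field, trap_field) -> bytes:
    return f"{nonce}|{bits}|{issued}|{real_field}|{trap_field}".encode()


def pow_digest(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


class Gate:
    def __init__(self, base_bits=16, window=60, burst=20, ttl=300,
                 clock=time.time, key=None):
        self.base_bits = base_bits  # cost on a quiet day (~65k hashes at 16 bits)
        self.window = window        # sliding window in seconds
        self.burst = burst          # submissions per window before PoW rises
        self.ttl = ttl              # challenge lifetime in seconds
        self.clock = clock          # injectable for deterministic tests
        self.key = key or os.urandom(32)
        self.recent = []            # timestamps of submissions that passed PoW
        self.used = set()           # spent nonces (prune entries older than ttl)

    def _tag(self, *parts) -> str:
        return hmac.new(self.key, _payload(*parts), hashlib.sha256).hexdigest()

    def current_bits(self) -> int:
        """Raise the PoW cost as submissions per window climb (attack = volume)."""
        now = self.clock()
        self.recent = [t for t in self.recent if now - t < self.window]
        excess = max(0, len(self.recent) - self.burst)
        # every further `burst` submissions in the window add one bit (2x work)
        return min(MAX_BITS, self.base_bits + excess // self.burst)

    def issue(self) -> Challenge:
        parts = (secrets.token_hex(16), self.current_bits(), int(self.clock()),
                 "f_" + secrets.token_hex(4), "f_" + secrets.token_hex(4))
        return Challenge(*parts, self._tag(*parts))

    def check(self, c: Challenge, counter: int, form: dict) -> str:
        """Return 'accept', 'reject' or 'quarantine' for one submission."""
        parts = (c.nonce, c.bits, c.issued, c.real_field, c.trap_field)
        if not hmac.compare_digest(c.tag, self._tag(*parts)):
            return "reject"  # tampered (e.g. bits lowered) or foreign challenge
        if self.clock() - c.issued > self.ttl:
            return "reject"  # expired: solutions cannot be stockpiled
        if leading_zero_bits(pow_digest(c.nonce, counter)) < c.bits:
            return "reject"  # insufficient work
        if c.nonce in self.used:
            return "reject"  # replayed solution
        if not form.get(c.real_field):
            return "reject"  # real field missing
        self.used.add(c.nonce)
        self.recent.append(self.clock())
        if form.get(c.trap_field):
            # Honeypot filled: a script submitted every input it saw. Answer as
            # if accepted and let a delayed pruning job drop it later, so the
            # operator cannot learn from the response which check caught them.
            return "quarantine"
        return "accept"


def solve(c: Challenge, limit: int = 1 << 28) -> int:
    """Client-side search: the expensive half of the asymmetry."""
    for counter in range(limit):
        if leading_zero_bits(pow_digest(c.nonce, counter)) >= c.bits:
            return counter
    raise RuntimeError("no solution within limit")
```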
31 days ago [-]
alok-g 31 days ago [-]
Cool! I would like to hear more about this, and understand how to do the same.
Does anyone know what changed in iOS 16.5 that made Google stop requiring the app? To me it seems to correlate with Private Access Tokens, aka remote attestation by Apple. https://developer.apple.com/videos/play/wwdc2022/10077/
rippeltippel 32 days ago [-]
Possibly. And possibly the fact that breaking experience for iOS users would result in a massive backlash, while the volume of non-iOS/non-Android users is negligible in comparison. Some of them will convert to mainstream OSes, the rest will succumb.
kyrofa 32 days ago [-]
I don't even have a smart phone, I assume there is some sort of fallback behavior?
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
OutOfHere 32 days ago [-]
If there was any remaining doubt whether Google is evil, this settles that yes it is.
citizenpaul 32 days ago [-]
For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy providers while they were untouchable but now I know how things are gonna go.
ezekiel68 32 days ago [-]
I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences...
drpixie 32 days ago [-]
Same reason as "make another (better) windows" is very difficult - almost everyone wants to be able to run existing apps and drivers, so you're forever playing compatibility catchup with android (or windows).
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
palata 31 days ago [-]
AOSP is open source. There are plenty of AOSP-based systems (starting with GrapheneOS). No need for a new one.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
palata 31 days ago [-]
> Simply create a new smart device operating system
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
cybercatgurrl 32 days ago [-]
and that is gonna be funded by who? anyone who is gonna fund that is gonna want their slice of the pie. we need regulation to keep big tech in line
repelsteeltje 32 days ago [-]
How about consumers paying a little extra for their device? The way it's going, ad-sponsored big tech is dying because click fraud detection is becoming too expensive. Either we give up privacy and track every user, or we let bots have at it, stop targeting ads to users and bill advertisers on bandwidth.
undeveloper 32 days ago [-]
if you think consumers will pay more for the vague notion of privacy i have beachfront property in kansas to sell you. most normies either don't care ("I have nothing to hide ... do you?") or gave up already ("china / the government / big tech / all of the above already have all my data, why would I care if it's a bit more? what are they even going to do with it?" (sometimes, even "i like having relevant ads!")).
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps an ai-bot-free digital world.
ruszki 31 days ago [-]
Normies?
Your privacy is dead, and you cannot do anything against it, except not using phones and the internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as little data as possible". They know regardless.
I used a VPN, browser containers for everything, a myriad of fingerprinting protections, nothing related to Google/Facebook/etc. And then I went to Youtube once for something, and they knew exactly what my thoughts were at the time. That was the moment when I realized that I suffered for nothing.
I still support privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore in this current environment; that ship sailed decades ago.
My problem is that basically every larger pro-privacy push is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current, already fucked up laws.
pixel_popping 31 days ago [-]
What's wrong with having something to hide? I do.
BrenBarn 31 days ago [-]
Ideally it would be funded by the personal wealth of the people who've profited from the current situation.
flatIronSteak 32 days ago [-]
I uh.. I think that was the (sarcastic) point.
gessha 32 days ago [-]
Parent is sarcastic
fsflover 32 days ago [-]
Mobian, PureOS, postmarketOS already exist. Sent from my Librem 5.
colordrops 32 days ago [-]
Ugh I hate that I can't tell whether you are being sarcastic or not.
orblivion 32 days ago [-]
I imagine GrapheneOS is thinking carefully about their statement on this. I look forward to reading it.
riffraff 32 days ago [-]
I mean, they could sue for non competitive behavior, but good luck beating Google's lawyers
palata 31 days ago [-]
GrapheneOS users (and actually just citizens who care) in the EU should complain to the DMA team [1]. As with everything: the more people complain, the higher priority it gets.
I recommend every EU citizen to do this. Don't send a pre-canned message or an LLM-generated message. Write your own story and how Google (and Apple) are destroying competition and freedom for you as an EU citizen.
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
tamimio 32 days ago [-]
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
Andrex 32 days ago [-]
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
spencerflem 32 days ago [-]
I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Andrex 32 days ago [-]
How do personal blogs deal with the HN hug of death? In this increasingly-utopian vision, I imagine that being more widespread than (paid) DDOS attempts. There won't be any money to be made (banks, Paypal, etc. won't trust the "parallel web") and with the proliferation of synthetic training data I'm not sure how useful a target a bunch of blogs and smallweb sites would be.
donmcronald 32 days ago [-]
> I love the vision, but I do wonder how the parallel internet will deal with DDoS levels of bot traffic.
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
SV_BubbleTime 32 days ago [-]
Well, how does Tor or other services do it now?
spencerflem 32 days ago [-]
They get blocked by Recaptcha, I think.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
986aignan 32 days ago [-]
> They get blocked by Recaptcha, I think.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
SV_BubbleTime 32 days ago [-]
Proof of work I get, but isn’t that like step2?
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
eddythompson80 32 days ago [-]
Tor does it by being so painfully slow and unreliable that the only way you would use it is if there is a cocaine-style reward at the end of it.
staringforward 32 days ago [-]
> Tor does it by being so painfully slow and unreliable
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
nervysnail 27 days ago [-]
Do you add uBlock Origin to Tor? I know that it is not recommended.
chadgpt2 32 days ago [-]
[dead]
roywiggins 32 days ago [-]
Not soon, now. The new reCAPTCHA on desktop shows you a QR code for you to scan with your Google-approved phone to prove you have one.
anonymars 32 days ago [-]
What a coincidence that Windows 11 makes it a requirement!
32 days ago [-]
fsflover 32 days ago [-]
TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.
cyklosarin 32 days ago [-]
TPM with things like Heads is borderline zero security and theater compared to actually decent implementations on Android/iOS platforms; I doubt the big companies would rely on that. TPM in general on non Mac/Chromebook PCs is mediocre even from big OEMs.
fsflover 31 days ago [-]
Do you have any evidence of this? The Qubes team disagrees with you.
gib444 32 days ago [-]
On becoming anti Google, I blocked Google's ASNs (shortcut to block all their IP addresses) on my router the other day as an experiment. It's a little eye-opening.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
spankibalt 32 days ago [-]
Time for some lawfare!
DANmode 32 days ago [-]
The Government reviewed the Google situation on behalf of you,
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
bigyabai 32 days ago [-]
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
cyberax 32 days ago [-]
I think it's possible to run the Play Services in an emulator, faking the device type. Google doesn't seem to use the platform attestation for now.
SV_BubbleTime 32 days ago [-]
Treatment is not a cure.
cyberax 32 days ago [-]
Agreed. I'm just pointing out the possibility (for now).
qiine 31 days ago [-]
Really? That seems almost too easy.
cyberax 31 days ago [-]
For now. They'll likely start requiring device attestation in future, and the emulator can't pass it.
dstnn 32 days ago [-]
It's going to be just like the wild days of the late 90s and 2000s.
Strap in, the ownage will be hard.
ChrisArchitect 32 days ago [-]
Related:
Google Cloud fraud defense, the next evolution of reCAPTCHA
From the screenshot in the article "Troubleshoot reCAPTCHA Mobile Verification":
> To complete the mobile verification, you must use a compatible mobile device.
At first glance, reading this made me wonder: what is exactly a compatible mobile device? But they quickly answered this question just below:
> If verifying on iOS/iPadOS...
> If verifying on Android device with Google Play Services...
OK then, got it! These are the ONLY compatible mobile devices. No de-googled devices are being welcomed here.
Worf 32 days ago [-]
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
brikym 32 days ago [-]
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
freedomben 32 days ago [-]
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
mikepurvis 32 days ago [-]
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
donmcronald 32 days ago [-]
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
mikepurvis 32 days ago [-]
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
pino83 32 days ago [-]
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
dwedge 32 days ago [-]
So just to clarify, you also didn't solve anything but you want everyone to know you told them so and you were smarter?
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
donmcronald 32 days ago [-]
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
pino83 32 days ago [-]
Oh, yeah, these discussions as well... Precisely.
Good that some people are able to translate my thoughts into actual English... :D
pino83 32 days ago [-]
> Reminds me of Facebook engagement bait
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
KPGv2 32 days ago [-]
> Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
Everyone in power wants it, across the entire globe.
userbinator 32 days ago [-]
The sort of regulation we need for this must be as solid as a constitutional amendment, but that is going to be very, very difficult.
retired 32 days ago [-]
Already happening. The official German identification app, AusweisApp, is designed exclusively for Android and Apple mobile devices.
RandomGerm4n 31 days ago [-]
The AusweisApp is Open Source and available on Windows, Linux and even FreeBSD too. You just need some NFC Scanner that works via USB and then you can use it without a mobile device.
https://www.ausweisapp.bund.de/open-source-software
ryukafalz 31 days ago [-]
This is the way to do it if you're gonna have a digital ID. Thank you Germany for setting a better example than many!
lxgr 32 days ago [-]
> designed exclusively for Android and Apple mobile devices
That's very different from requiring hardware attestation, though.
pseudalopex 31 days ago [-]
It is a little different. But not very different.
somethingweird 32 days ago [-]
No, you can also get it for Windows and Huawei devices. So three American companies and one Chinese one. Great.
bigyabai 32 days ago [-]
With Salt Typhoon, that's a whole four ways to choose how China steals your data.
And to think, people said consumer choice was dead...
ranger_danger 32 days ago [-]
If it was developed by the government, shouldn't the source or an API be available? Surely third-party apps can be made in that case?
poopooracoocoo 32 days ago [-]
That'd be great but governments often don't make specs and source code available. Governments don't make things open.
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
palata 31 days ago [-]
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizens need to complain to their government in those cases. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizens who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
lukashahnart 32 days ago [-]
What do you use instead? iOS?
Worf 27 days ago [-]
Sorry for the late reply. Right now I don't use Android (in any form) or iOS. I have a dumb phone for calls and SMS. I'm fortunate enough that I can keep it on mute for days. I don't really need a tiny computer right now. My desktops and laptops are more than enough.
hedora 32 days ago [-]
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
Permit 32 days ago [-]
It looks like archive.is uses recaptcha so I don’t think that’s the fix you’re looking for.
tardedmeme 32 days ago [-]
then we make a new one
holoduke 31 days ago [-]
One positive thing about tools like Claude is that I can finally do things that I originally had no time for. For example I asked Claude to debloat Windows. Remove everything possible. From firewalls to notepad to UAC to whatever. I also asked Claude to root my Pixel phone and install another OS. I also asked it to install Pi-hole on an old Mac to serve as a DNS and block all ads. All this took maybe an hour of my time.
shevy-java 32 days ago [-]
This tyrannical and selfish, evil corporation, needs to be broken down. These are not accidents. Just remember how Google killed off ublock origin via a lie:
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires you to scan a QR code to register an account, so it is easier just to buy a Google account on a black market if you need it for some purpose.
Nobody trusts web browsers nowadays.
danparsonson 32 days ago [-]
I think you and I move in very different social circles...
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
dredmorbius 31 days ago [-]
My reading of codedokode:
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
danparsonson 29 days ago [-]
You're right, thanks - that makes more sense.
> In conclusion, Google must be destroyed
Yeah they've had their time XD
codedokode 31 days ago [-]
I meant "corporations do not trust users who register from a web browser and not from a mobile app". Without a mobile app (which allows them to collect more hardware identifiers and spam you with notifications) you are not welcome.
danparsonson 29 days ago [-]
Ah got it - I guess I was having a slow day that day.
tardedmeme 32 days ago [-]
I think you can just search 'buy google account' - it isn't illegal.
danparsonson 31 days ago [-]
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
codedokode 31 days ago [-]
The price is about $2-3, so you are not risking much; there are reviews and ratings. Of course there are scam sites, but once you buy several accounts you quickly figure out which ones are scams and which are not.
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity; there are just sites that use a Google Account as "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching for a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
pixel_popping 31 days ago [-]
Markets are regulated by reviews, seller history and so-on, the same as legal markets and it's generally smooth.
grishka 31 days ago [-]
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.
AdityaAnuragi 31 days ago [-]
Doesn't surprise me — I've hit undocumented Android Chrome behavior too while working with the Vibration API (more advanced usage by a very large margin). The browser/OS layer on Android has a lot of silent, unannounced behavior.
hackernews682 32 days ago [-]
The gate to the pig pen is closing…
uyzstvqs 31 days ago [-]
Luckily Google reCAPTCHA seems to be dying. Almost everything uses Cloudflare Turnstile, hCaptcha, or some form of a PoW challenge now.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
tosti 31 days ago [-]
Next phone I'm buying won't be able to run android if I can help it.
Verify that.
(edit: and it definitely won't be an iPhone, although that would fit the description above; those only run non-free software by design)
sylware 31 days ago [-]
Wait, you need a TPM chip?
I don't know what services a TPM chip provides. Wild guess: some private keys, hidden from the computer user, are used to sign stuff and/or encrypt?
BloodyIron 32 days ago [-]
I'm sorry Google, I'm afraid I can't do that.
manmal 32 days ago [-]
It's quite easy to remote control an Android phone with an agent (e.g. there's agent-device). I don't think this will keep automation from happening.
paulnpace 31 days ago [-]
I wonder if any of these sites will see any meaningful drop in users, or if they even care.
db48x 31 days ago [-]
I long ago stopped using any webpage that uses a captcha. If the website uses one, I bounce.
comandillos 31 days ago [-]
That reinforces my using HarmonyOS (nothing against Graphene, btw). It's impressive how difficult it is to actually use any platform apart from the established ones these days.
djfergus 32 days ago [-]
What happens with Chinese Huawei phones that don’t have Google services?
Isn't reCAPTCHA spam? This video I watched recently gives a nice history and was also enjoyable to watch: https://youtu.be/seX_rDEsP6E?si
pavel_st 31 days ago [-]
this is going to keep happening across every trust layer google rolls out
the trajectory has been clear since AMP: convenience for site owners, attestation pressure on users
jaimex2 31 days ago [-]
Delete Chrome and use Brave. Problem solved.
anymouse123456 31 days ago [-]
I worked at Google. I know there are tons and tons of great and well meaning people working there. This is the kind of thing that would make me crazy.
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
stuaxo 31 days ago [-]
Anti competitive behaviour ?
moebrowne 31 days ago [-]
OK, so what are the alternatives, what can developers use instead?
doublerabbit 31 days ago [-]
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.
Above is verbose from my honeypot. Some security camera network has been hacked and is being used for net thrifting in Romania.
The internet is a failure. Congratulations us.
pixel_popping 31 days ago [-]
It feels ultra sad that "developers" think they need to use reCAPTCHA. What is this laziness? It's not even good at what it does on top of that: reCAPTCHA costs less than $1/1000 to solve automatically, and it's also slow, crappy, with a bad UI.
Even competent people got completely brainwashed, crazy.
palata 31 days ago [-]
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
userbinator 32 days ago [-]
We told you. You dismissed it, and thought we were just crazy conspiracy theorists. Too brainwashed by the mainstream propaganda about "threats" to see the truth. Now they're even more emboldened by how much they can herd the sheeple, and showing their actual goals even more clearly.
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
userbinator 32 days ago [-]
The rebellion will not spread online, in the space controlled by these bastards; but offline, outside of their control. I'm telling everyone I know, and you should too.
Here's the obligatory: Google, FUCK YOU!
morissette 31 days ago [-]
Can’t like companies do what they want, or did we let the fascists take over?
aftbit 31 days ago [-]
Sigh...
>Incompatible browser extension or network configuration
neilv 32 days ago [-]
After all the surveillance capitalism abuses over the last 2-3 decades of Web, it's a little late to be pushing back, but... should we start shunning individuals from companies who implement this?
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
flossposse 31 days ago [-]
We cannot rely on millions of individual workers to take expensive stands on principle. And they shouldn't have to.
It's an essential duty for lawmakers and regulators to design the rules of the marketplace in such a way that wealth flows to those who do genuine good for the populace, and to designate certain tools and practices as off-limits because they are incompatible with our society's core values.
Google's actions here are a clear antitrust violation and should be blocked/punished. If our representatives don't do so, then they should be punished.
gregoryl 32 days ago [-]
I agree, wholeheartedly - lets get a list of the google engineers who worked on this. What do you propose we do with it?
neilv 31 days ago [-]
I had more in mind being skeptical of anyone who would take a job at company Foo or stay there, when they tell you. To me that seems preferable to what risks devolving into a witch hunt of fall guys (persons), and doxxing people.
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things.
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
userbinator 32 days ago [-]
Spread the word. They need to be held accountable the same way elected officials are --- except in this case they're not even elected.
einpoklum 32 days ago [-]
Google seems to be putting yet another brick in the garden wall.
jwally 31 days ago [-]
[flagged]
superasn 32 days ago [-]
[dead]
jacktu 31 days ago [-]
[dead]
picsao 32 days ago [-]
[dead]
zuogl 32 days ago [-]
[dead]
zuogl 32 days ago [-]
[flagged]
lpcvoid 32 days ago [-]
[dead]
theturtle 32 days ago [-]
[dead]
wurtapp 32 days ago [-]
[flagged]
Vampyre 32 days ago [-]
[flagged]
tomhow 31 days ago [-]
We've banned this account. This is an utterly appalling comment.
Vampyre 31 days ago [-]
[dead]
oybng 32 days ago [-]
[flagged]
dang 32 days ago [-]
The article was at #1 on the frontpage when you posted this.
kittikitti 32 days ago [-]
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix.
bellowsgulch 32 days ago [-]
I’d just like to interject for a moment. What you’re referring to as “Android,” is in fact Android/Linux, or as I’ve recently taken to calling it, Android plus Linux kernel.
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
PaulHoule 32 days ago [-]
The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution.
g-b-r 32 days ago [-]
A fork of it, updated periodically
And let's not pretend that we mean the kernel when we say Linux distribution
charcircuit 32 days ago [-]
Debian also uses a fork that is updated periodically.
yjftsjthsd-h 32 days ago [-]
Android literally is a Linux distro, though. Like, sure it has a weird userspace and is user hostile, but that doesn't make it not a Linux distro.
cybercatgurrl 32 days ago [-]
Linux is a choice, this is not a choice. Fairly confident people are rejecting this notion on ideological grounds.
Ylpertnodi 32 days ago [-]
> ... and is user hostile,
How so?
IsTom 32 days ago [-]
It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux".
prophesi 32 days ago [-]
Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere.
Are you using macOS? If so, those keybindings work everywhere.
As far as I can tell, Hacker News doesn't impose any custom keybindings (the client-side scripting on this site[0] is very simple).
[0]: https://news.ycombinator.com/hn.js
Is this speculation, or has it been confirmed somewhere?
Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?
I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]
Beyond that, I'm not exactly sure what might be meant.
[0] https://en.wikipedia.org/wiki/Internet_Association
[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...
It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.
That's possible... and they might change their mind if so, we will see.
I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.
They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.
At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.
These signatures will also need to be kept in case of lawsuits/enforcement, so if somebody gets access they will know you visited that site.
For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.
Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.
Pornhub gets an Apple-signed attestation of age, but because every phone signs challenges with the same private key, Pornhub can't link it to a particular phone or identity document.
So in a very narrow sense, privacy is preserved.
You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.
Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.
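The shared-key design laid out in the comment above, as an added example in Go that is not from the commenter, from Apple, or from any shipping system. It models two phones and one site and checks the two properties the design hinges on: with one fleet-wide key the site cannot tell the phones apart, but anyone who extracts that key mints attestations that pass with no biometric check at all; with per-device keys an extracted key forges for one phone only, but the site receives a stable per-device identifier it can correlate across visits. Everything here is assumed: ed25519 keys stand in for the secure-element key, a boolean stands in for the face match, and keys are trusted as a raw set rather than through a vendor certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Attestation: the challenge a device was asked to sign, the signature, and
// the verifying key (a real deployment wraps the key in a vendor certificate).
type Attestation struct {
	Challenge, Sig []byte
	Pub            ed25519.PublicKey
}

// Device models one phone; FaceMatched stands in for the on-device biometric
// check that gates signing in the design above (assumed, not Apple's code).
type Device struct {
	Priv        ed25519.PrivateKey
	FaceMatched bool
}

// Attest signs the site's challenge only when the biometric check passed.
func (d Device) Attest(challenge []byte) (Attestation, bool) {
	if !d.FaceMatched {
		return Attestation{}, false
	}
	return Attestation{challenge, ed25519.Sign(d.Priv, challenge), pubOf(d.Priv)}, true
}

// Verify is the site's check: a valid signature under a key the site trusts.
func Verify(att Attestation, trusted map[string]bool) bool {
	return trusted[LinkID(att)] && ed25519.Verify(att.Pub, att.Challenge, att.Sig)
}

// LinkID is the only handle a site has for correlating attestations: the
// verifying key. With one fleet-wide key it is identical for every phone.
func LinkID(att Attestation) string { return hex.EncodeToString(att.Pub) }

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func challenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// RunFleetKey: one key burned into every phone. Reports whether honest
// attestations verify, whether the site can tell two phones apart, and whether
// an attacker holding an extracted copy of the key can mint an attestation that
// passes with no biometric check at all.
func RunFleetKey() (honestOK, distinguishable, forgedOK bool) {
	fleet := newKey()
	trusted := map[string]bool{hex.EncodeToString(pubOf(fleet)): true}
	attA, _ := Device{fleet, true}.Attest(challenge())
	attB, _ := Device{fleet, true}.Attest(challenge())
	honestOK = Verify(attA, trusted) && Verify(attB, trusted)
	distinguishable = LinkID(attA) != LinkID(attB)
	c := challenge() // attacker path: no Device, no face check, just the key
	forgedOK = Verify(Attestation{c, ed25519.Sign(fleet, c), pubOf(fleet)}, trusted)
	return
}

// RunPerDeviceKey: each phone has its own trusted key. An extracted key now
// forges for one phone only and can be dropped from the trusted set, but the
// site gets a stable per-device identifier to correlate across visits (and
// across sites, if sites pool what they see).
func RunPerDeviceKey() (honestOK, distinguishable, stableAcrossVisits bool) {
	a, b := Device{newKey(), true}, Device{newKey(), true}
	trusted := map[string]bool{hex.EncodeToString(pubOf(a.Priv)): true, hex.EncodeToString(pubOf(b.Priv)): true}
	visit1, _ := a.Attest(challenge())
	visit2, _ := a.Attest(challenge())
	attB, _ := b.Attest(challenge())
	honestOK = Verify(visit1, trusted) && Verify(visit2, trusted) && Verify(attB, trusted)
	distinguishable = LinkID(visit1) != LinkID(attB)
	stableAcrossVisits = LinkID(visit1) == LinkID(visit2)
	return
}

func main() {
	h, d, f := RunFleetKey()
	fmt.Printf("fleet key:      honest=%v distinguishable=%v forged_accepted=%v\n", h, d, f)
	h, d, s := RunPerDeviceKey()
	fmt.Printf("per-device key: honest=%v distinguishable=%v stable_id=%v\n", h, d, s)
}
```

The fleet-key line comes out as distinguishable=false and forged_accepted=true; the per-device line as distinguishable=true and stable_id=true. That is the trade-off in one screen: the unlinkability comes from every device presenting the same key, and so does the single point of failure. Group signatures and blind signatures are the tools built to get the first property without the second; neither is in this example.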
Jesus Christ.
14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.
Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.
We have the wrong priorities as a society.
And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.
We're building 1984 and we're happy about it.
They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.
If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.
Think for yourself and consider what the possible ulterior motives might be.
> Think for yourself and consider what the possible ulterior motives might be.
Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.
This requires you build a whole apparatus around controlling what people can see, say, and do.
The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.
I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?
Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?
We're burning down the whole village because someone saw a cockroach.
Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.
Plus a TPM chip doesn't really have the means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none the wiser.
Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.
> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.
Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.
I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.
e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...
That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.
Better learn about the good one, but I guess it's harder than making up nonsense.
The website sends a request for age verification.
The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6-digit PIN stored on the card.
The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`
[1] https://github.com/Governikus/AusweisApp
[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD
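The exchange described above (website issues a request, the card checks the PIN and signs a reply carrying only `issuing_country` and `over_18`), as an added example in Go that is not from the commenter, from AusweisApp, or from the real eID protocol. Everything is assumed: the website trusts one public key directly instead of verifying the card's key through the issuer's certificate chain, the PIN check is a string compare, and the app in the middle is modeled as a direct function call. The nonce, the origin binding, the expiry and the one-time-use check are the pieces a relying party needs so that a captured reply cannot be replayed and a reply signed for another site cannot be reused here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge from the website: a fresh nonce bound to the requesting origin.
type Challenge struct {
	Nonce  string `json:"nonce"`
	Origin string `json:"origin"`
}

// Reply from the card: the echoed challenge plus only the two attributes the
// comment above lists; nothing that identifies the holder.
type Reply struct {
	Nonce          string `json:"nonce"`
	Origin         string `json:"origin"`
	IssuingCountry string `json:"issuing_country"`
	Over18         bool   `json:"over_18"`
}

// Card models the chip. Assumed simplification: the site trusts this key
// directly instead of verifying it through the issuer's certificate chain.
type Card struct {
	priv    ed25519.PrivateKey
	pin     string
	country string
	over18  bool
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewCard(country string, over18 bool, pin string) (*Card, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(mustRand(ed25519.SeedSize))
	return &Card{priv, pin, country, over18}, priv.Public().(ed25519.PublicKey)
}

// Answer is the chip's side: refuse without the PIN, otherwise sign the
// minimal payload bound to the site's nonce and origin.
func (c *Card) Answer(ch Challenge, pin string) (Reply, []byte, error) {
	if pin != c.pin {
		return Reply{}, nil, errors.New("pin mismatch")
	}
	r := Reply{ch.Nonce, ch.Origin, c.country, c.over18}
	msg, _ := json.Marshal(r) // fixed struct, so the encoding is deterministic
	return r, ed25519.Sign(c.priv, msg), nil
}

// Verifier is the website's side. pending holds issued, unconsumed challenges:
// each is accepted once, and only within maxAge of being issued.
type Verifier struct {
	trusted ed25519.PublicKey
	origin  string
	maxAge  time.Duration
	pending map[string]time.Time
}

func NewVerifier(trusted ed25519.PublicKey, origin string, maxAge time.Duration) *Verifier {
	return &Verifier{trusted, origin, maxAge, map[string]time.Time{}}
}

func (v *Verifier) NewChallenge(now time.Time) Challenge {
	n := fmt.Sprintf("%x", mustRand(16))
	v.pending[n] = now
	return Challenge{n, v.origin}
}

// Check accepts a reply only if it answers a live challenge of this site,
// carries a valid signature over the whole payload, and asserts over_18.
func (v *Verifier) Check(r Reply, sig []byte, now time.Time) error {
	issued, ok := v.pending[r.Nonce]
	switch {
	case !ok:
		return errors.New("unknown or already consumed nonce")
	case now.Sub(issued) > v.maxAge:
		delete(v.pending, r.Nonce)
		return errors.New("challenge expired")
	case r.Origin != v.origin:
		return errors.New("reply bound to a different origin")
	}
	if msg, _ := json.Marshal(r); !ed25519.Verify(v.trusted, msg, sig) {
		return errors.New("bad signature")
	}
	delete(v.pending, r.Nonce) // one-time use
	if !r.Over18 {
		return errors.New("holder is not over 18")
	}
	return nil
}

func main() {
	card, pub := NewCard("DE", true, "123456")
	site := NewVerifier(pub, "https://example.test", time.Minute)
	r, sig, _ := card.Answer(site.NewChallenge(time.Now()), "123456")
	fmt.Println("first use:", site.Check(r, sig, time.Now()), "| replay:", site.Check(r, sig, time.Now()))
}
```

The origin sits inside the signed payload, so a reply the card produced for one site fails at another even if the nonce is known; the nonce is consumed on the first successful check, so a captured reply cannot be replayed; and the holder's name, birth date and document number never leave the card. What this does not solve is a page that obtains a genuine challenge from the real site, gets the user to approve it, and forwards the reply, which is why the app on the device has to show the user the origin it is about to answer for.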
It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.
As always: it's easy to criticise, harder to actually get it right.
Teenagers, at that level of intelligence or are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can setup all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.
From what I remember from being a kid myself, it definitely is not.
That's not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).
No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.
Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.
And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
It feels like trying to debate about whether 5G is good or not, and the debate is stuck at people claiming that 5G boils your blood. There are valid reasons to oppose 5G, but if people choose to be so wrong that it sounds like bad faith, they surely won't convince me of anything.
That said, you've got blinders on. You're all over this comment section condescending to people about a particularly clever scheme without considering the various real world objections being raised. Not the least of which is that the vast majority of the tidalwave of legislation on the topic has zero to do with ZKPs.
That's not what I see. I mostly see people complaining about the fact that "if they verify my age, it fundamentally means that I have to give them my ID, and I don't want that". And whenever I mention that technically, there are ways to do age verification in a privacy-preserving manner, I get something like "you are so naive, nobody wants age verification, it's THEM (the all corrupt politicians who all have the exact same opinion) against US THE PEOPLE who need to fight for our freedom!"
That is very frustrating to me, because
1. I believe that it is counter-productive to be technically wrong by saying "it is fundamentally not possible". Because if politicians genuinely listen to that, then ask a few cryptographers and get the answer "no actually it exists", then it seems only fair that those politicians will just dismiss the whole opposition by saying "oh right, they are just libertarians who don't want regulations and hide behind incorrect technical claims".
2. I believe that many, many people actually are in favour of age verification to protect their kids. And again, yelling at them saying "you understand nothing, this is not technically possible, and the politicians are all corrupt authoritarians anyway" is not constructive. Moreover, "normal" people don't give a shit about the privacy issues, so if they want age verification, they will just accept any technical solution. I would hope for technically savvy people to try to raise the privacy concerns and explain that if there MUST be age verification, AT LEAST it should be done in a privacy-preserving manner.
But yeah, let's keep yelling that it is fundamentally impossible, such that nobody even hears about the privacy-preserving solutions, until we have to either give our ID to random websites or stop using the Internet. Because what seems clear to me is that we are going towards age verification anyway, and there is zero constructive discussion about how to do that right.
This is one of the reasons you're getting a lot of arguments here. Every bit of energy spent saying "actually, check out this use of cryptography that lets you do this in a privacy-preserving way" is energy not spend saying "no, not under any circumstances" and fighting against it.
Because what I read is "ok, this person is either not competent to talk about it, or arguing in bad faith, so I won't listen to them".
And to be very honest, I can't remember a good argument against "privacy-preserving age verification". It's mostly "hmm I don't like it, that should be the responsibility of the parents anyway".
The EFF has a valid point which is "such technology will leave people out who won't be able to access important services". I don't have a definitive stance on it, but that would be worth debating. I can't remember another argument from the EFF. Pretty sure they don't say "it's technically impossible to do".
Actually Soatok [1] starts by acknowledging it's possible, before going straight to their opinion: "we should not do it". Again, I think it's a debate worth having.
But I won't debate with people who either don't have a clue or downright lie about it, saying "it's not possible, period".
[1]: https://soatok.blog/2025/07/31/age-verification-doesnt-need-...
> And to be very honest, I can't remember a good argument against "privacy-preserving age verification".
I gave you one in the other thread:
If you make it possible for governments to decide what content is "limited to adults", they can and will abuse that capability. "Porn" is the battle cry, to make it uncomfortable to argue against; often, other information the government wants to restrict becomes a target. The only way to prevent that is to deny the capability in the first place.
Here's another: Many people have successfully been productive members of many online communities (e.g. FOSS projects) while still under 18, and future generations should have the same opportunities we did.
That's where we disagree, I guess. I feel like the more palatable version, in this case, is debatable. An important part of democracy is to recognise that others may have different opinions, and to be willing to engage in good faith. If the norm is to systematically lie, all you get is polarisation. And it is ironic to argue in favour of lying for your cause, but then to complain when the other side lies as well for theirs.
> I gave you one in the other thread
And I think it is debatable.
But more generally, if your opinion is that you should lie and yell to defend your ideas, that your government does not represent the people at all to the point where they would prevent teenagers from contributing to FOSS (is that a thing somewhere?), then I wonder if you actually live in a functioning democracy. I mean no offence here.
I mean, your argument is pretty much "We should remove all laws, because laws come from the government, and the government will abuse that capability. They will make schools illegal, and future generations should have the same opportunities we did".
My point, again, is that in a functioning democracy, we should strive to debate in good faith.
> I am arguing for not always helping your opponent make their bad idea better
I am not sure what you mean by that. So when people generally lie by saying "I am a technical person, believe me I know, it is technically impossible", I should... what? Say "yeah that is right, believe him"? Or just say nothing, because letting them lie is the way to "not help the opponent"?
Also you assume that age verification is a fundamentally bad idea. A lot of the arguments against any regulation is "it is a step towards authoritarianism". And I disagree with that: removing all regulations is a bad idea, we need some amount of that. The right amount of the right regulations is a balancing act.
I strongly feel like I have a fundamentally different approach from many of the comments I read, and people don't like that: I don't fight for my opinion to win. I fight for society to take an informed decision. If there is a vote where the average voter is correctly informed and the vote goes against my preference, then it is a functioning democracy. I may be frustrated of course, but it means that I am in the minority, and it makes sense to follow the preference of the majority.
People should not win because they make more noise, or because they have a better strategy, or because they lie. The goal is to represent the majority of the people, and for that, the people need to be informed. When both sides systematically lie, then the people cannot believe anybody anymore. And the result of that is polarisation, as we see it.
> I am not sure what you mean by that.
By "opponent" here I mean a politician who is arguing for an age+identity verification system. Telling them "actually you can do that without checking identity" is making their argument better. (There was a time I thought that it might help because then you can see who goes mask off and actually clearly wants identity verification for its own sake, but in general politicians never get pinned down and forced to answer hard questions about their positions like that anymore.) "That's a bad idea, age and identity verification are both bad" is better.
But most comments explicitly criticise the EU, saying it is authoritarian and has an agenda. What then? Did they all keep the mask for too long and ended up with an actually privacy-preserving technical solution on their website "by mistake"?
The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.
We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).
Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.
No.
> the easily trackable ZKP tokens
If it's easily trackable, it's not ZK.
Do they work currently? Not really
Are they too complex for the avg joe to work out? Unfortunately yes. (Something about the smartest bears and the dumbest humans)
> A law in the vein of HIPAA prevents collusion
No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.
True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.
An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.
Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.
You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.
This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.
But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.
ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.
Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?
I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.
You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.
To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprisingly low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.
Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.
The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.
Such systems are deployed in production by privacy preserving cryptocurrencies as it's the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.
Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value; they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.
The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
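The blind-signing round trip described in the comment above, as an added example (not the commenter's code): an issuer standing in for Google rate-limits per caller and logs every blinded value it sees, and the token the site verifies still never appears in that log. The 512-bit key, the Miller-Rabin helper and the `forum.example` names are constructed for the demo; nothing here is a real deployment's code.

```python
"""RSA blind-signature token flow as sketched in the comment above.

Added example, not any commenter's or vendor's code. All roles run
in-process: the site picks the message (domain, account, date), the
client blinds it, an issuer standing in for Google rate-limits and
signs the blinded value without learning the site, and the site
verifies the unblinded signature. Unpadded RSA over a SHA-256 hash
keeps the maths visible; real deployments use the RFC 9474
construction with library-generated keys of at least 2048 bits.
"""
import hashlib
import math
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test, enough for generating demo-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_issuer_key(bits=512):
    """Return ((n, e), (n, d)); demo-sized, see module docstring."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _hash_to_int(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def site_challenge(domain, account, date):
    """The bytes the site asks the client to get signed."""
    return f"{domain}|{account}|{date}".encode()

def client_blind(pub, message):
    """Multiply H(m) by r^e for a random r coprime to n; keep r."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (_hash_to_int(message, n) * pow(r, e, n)) % n, r

class Issuer:
    """Signing party: sees a caller identity and a blinded value,
    never the site or account inside the message."""

    def __init__(self, priv, per_caller_limit=3):
        self.priv = priv
        self.limit = per_caller_limit
        self.counts = {}
        self.log = []  # everything the issuer could ever record

    def sign_blinded(self, caller, blinded):
        self.counts[caller] = self.counts.get(caller, 0) + 1
        if self.counts[caller] > self.limit:
            raise PermissionError("rate limit exceeded")
        self.log.append(blinded)
        n, d = self.priv
        return pow(blinded, d, n)

def client_unblind(pub, blind_sig, r):
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n

def site_verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(message, n)

def run_flow(issuer, pub, caller, message):
    """One round trip; returns the token the site ends up holding."""
    blinded, r = client_blind(pub, message)
    return client_unblind(pub, issuer.sign_blinded(caller, blinded), r)
```

Because the message includes the domain and date, a token minted for one site or day fails verification elsewhere, which is what keeps one rate-limit pass from being replayed across services.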
Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".
(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?
One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.
> For most of the time states did not have this information about their citizens and the world progressed quite nicely.
This is quite untrue. State bureaucracies far predate the modern era.
> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.
The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonymise.
It's a complicated problem.
We continue to seek a technological solution to a parenting problem.
Hmmm... no? That's not how zero knowledge works.
It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".
The only way to implement truly privacy preserving age verification is through zero knowledge proofs (or blind signatures) but what that would allow is undetectable token forging.
https://ageverification.dev/av-doc-technical-specification/d...
Which isn't necessarily a flaw, depends on the threat model. For actual age verification that we care about (e.g. make it harder for kids to access social media), it may be good enough.
Because what you described does not preserve your anonymity if the government and the service collude.
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
But anything your phone can possibly do in software can be spoofed, so how would that help?
Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?
If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.
Hardware attestation is one feature, but it's still not used a lot.
The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).
So basically Google can now ban your device from being able to access a huge portion of the internet, in addition to nuking any online presence connected to them.
You could wake up one day and find your device blacklisted from the internet, with no chance of ever reaching customer support. What a lovely future
As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what I would do if I had to move to Germany and use trains there more often.
> -Use of developer or inspection tools
Gotta love it.
The finger-wagging about "Use of developer or inspection tools" is just outrageous. Akin to accusing users of thought crime.
The only solution to all this will be through elections and laws.
At which point you should contact your attorney general, and work to ensure such efforts face legal challenges at every turn.
You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.
I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking, turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.
https://www.rei.com/newsroom/article/2026-rei-board-of-direc...
https://www.rei.com/newsroom/article/rei-announces-2026-boar...
https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
Most human visitors will pull out their smartphone and just do it without giving it much thought.
Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.
My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.
GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.
However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.
The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
[0] https://news.ycombinator.com/item?id=34312937
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
Enough to make it so bots are expensive to run.
People do care about such things.
I hope the same is true in other EU countries.
Suddenly I have been made aware that, having lost my paddle on Shit Creek, I will eventually be taken downstream to Shit Lake (where it appears I will inevitably drop anchor).
You could just call them.
But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.
Are you comfortable with anybody being able to ring up the hospital and say "yo, it's majorchord, how are my gonorrhea results?"
No, that's why we have safety protocols in place. When you call a doctor they ask you for your birthdate or sometimes also a PIN/password on your account to protect your data.
How would that still be considered a breach of privacy?
But giving birthdate (available to anyone via a single query in a public database) and (sometimes?! - what?!) PIN over the phone wouldn't really be considered good enough here. Birthdate is, as I said, public knowledge. And a phone is too insecure a medium for transmitting a password.
I'm not super interested in a long argument about whether it's reasonable that this isn't considered secure or not. I'm just letting you know what reality looks like. And the reality is that "just call them" is not a solution, because such information will simply not be handed out over the phone.
It already is a solution, and has been in widespread use for many decades. I don't think it's going anywhere.
https://doublespeed.ai/
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing in both ways: while the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that, these days, is mostly done on real devices, which show ads to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....
[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....
[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge
It could be contextual, as in each user gets one anonymous id per domain name per day. Multiple uses by the same user at the same domain in the same day are linked.
But much of the purpose of these systems is to violate the public's privacy and exert as much surveillance and control as possible. If not for that schemes that mitigate the privacy loss would be a top priority.
Can de-Googled Android phones present themselves as iPhones?
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
https://developer.apple.com/news/?id=huqjyh7k
And https://gdpr.eu/recital-49-network-and-information-security-... :
> Recital 49 - Network and Information Security as Overriding Legitimate Interest
> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...
It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
The bank I was talking about were the worst net loser of customers in the UK last year (around -8000) They are making excuses but maybe they would care about why.
I hate that this is the way it is, I’m a graphene user too, and I see a pretty bleak future for any unsigned OS, followed by a pretty bleak and authoritarian future for humanity.
But for companies that are not monopolies, you can complain to them, and you can give them a bad review on the Play Store. Most companies are not in the business of screwing you: if they screw you, it's just a collateral effect. If you want to be on their radar, you have to make noise.
If enough people complain, then the company sees a need, then they prioritise. If they believe that "it only affects 1 guy who complained 2 years ago", of course they won't do anything... and I don't even know if I would blame them for that.
If you don't have a static IP you will want to think about an MX relay service too, although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
I had an issue with yahoo a couple of years ago, that's all. The "it reads like there's a whole science" is sadly a trope mostly repeated by people who have never tried, because it gets upvotes on Reddit.
There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.
Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config
What providers are good hosting candidates, I have a website on DO, but from my understanding their entire ranges are blacklisted heavily.
I can't speak for all of them but I use mythic beasts in the UK for one mail server (they are a very knowledgeable old school host) and it has been good. I also have dedicated with OVH which is fine, and a couple small scale (eg simplelogin, a notification server) with IONOS but they only deliver to me so I can't say how reliably they deliver elsewhere.
Mox is great but I think it's still alpha. I've been using it for 2 years in production for a small traffic domain. The other I use Exim (with mythic beast's Sympl that sets it up) but it's a little more hands on at the beginning
The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.
Here's my hit list of universal things to configure:
* Start with an IP with good or neutral reputation, non-residential; it's nearly impossible to fix an IP that has been burned by a spammer. (Network)
* Valid reverse dns for your IP matching your mailhost forward dns (DNS)
* Valid SPF record; -all (DNS)
* Valid DKIM; with sufficiently sized key (DNS+Config)
* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)
* ARC if you or your users will ever possibly forward mail (Config)
* Don't get your messages flagged as spam anywhere ever; filter outbound mail even if it's just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)
* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think it's cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)
* Test for open relay; only relay for authenticated users. (Config)
* Use strong authentication, preferably with certificates or MFA. (Config)
* Secure everything; IMAP/SMTP/POP are old AF, so make sure you're requiring STARTTLS and set up MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Let's Encrypt, don't self-sign. (DNS+http+Config)
* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs eg block anyone who tries to auth with the NTLM hash for 'password'. (Config)
* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)
* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful for troubleshooting deliverability; be prepared to read some XML reports or set up a stack to parse them as they arrive (DNS + Config + https)
* Set up the SMTP Submission port (587); so many networks block port 25 outbound and it's the right way for clients to connect. (Config)
* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)
* track your configs in git, don't commit secrets. (config)
* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)
If you do those things you'll be in a pretty good spot; you could probably paste that list/this post into your agent and vibe up a solid mailserver.
For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.
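An added offline checker for the DNS items in the checklist above (SPF ending in -all, DKIM key size, DMARC p=reject with reporting, MTA-STS enforce, TLS-RPT); it is not the commenter's code or any mail server's. The `WEAK` and `HARDENED` records for example.com are constructed, and the DKIM key-size test is a length heuristic on the p= blob rather than a DER parse.

```python
"""Offline audit of the DNS side of the checklist above: SPF, DKIM, DMARC,
MTA-STS and TLS-RPT. Added example, not from any mail server project.
Records go in as plain TXT strings (plus the MTA-STS policy body), so the
same functions run on constructed samples or on what dig and curl return."""
import base64

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _tags(record):  # 'k=v; k2=v2' tag lists: DKIM, DMARC and TLS-RPT share it
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out

def _mech(term):  # 'include:x', '+mx', 'a/24', 'redirect=x' -> mechanism name
    return term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]

def audit_spf(txt):
    if not txt or not txt.startswith("v=spf1"):
        return ["SPF: no v=spf1 record"]
    f, terms = [], txt.split()[1:]
    alls = [t for t in terms if _mech(t) == "all"]
    if not alls:
        f.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif alls[-1] != "-all":
        f.append(f"SPF: ends in '{alls[-1]}', want '-all' so spoofed mail hard-fails")
    lookups = sum(1 for t in terms if _mech(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        f.append(f"SPF: {lookups} lookup terms, RFC 7208 stops evaluating after 10")
    return f

def audit_dkim(txt):
    if not txt:
        return ["DKIM: no record at <selector>._domainkey.<domain>"]
    f, t = [], _tags(txt)
    if not t.get("p"):
        return ["DKIM: p= empty, key revoked or missing"]
    if t.get("k", "rsa") == "rsa":
        try:
            der = base64.b64decode(t["p"], validate=True)
        except ValueError:
            return ["DKIM: p= is not valid base64"]
        if len(der) < 294:  # DER SubjectPublicKeyInfo of RSA-2048 is 294 bytes
            f.append("DKIM: RSA key shorter than 2048 bits")
    if "y" in t.get("t", "").split(":"):
        f.append("DKIM: t=y set, verifiers treat it like unsigned mail (RFC 6376)")
    return f

def audit_dmarc(txt):
    if not txt or not txt.startswith("v=DMARC1"):
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    f, t = [], _tags(txt)
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        f.append("DMARC: p= tag missing or invalid")
    elif p == "none":
        f.append("DMARC: p=none only monitors, move to p=reject once aligned")
    if "rua" not in t:
        f.append("DMARC: no rua= address, aggregate reports go nowhere")
    return f

def audit_mta_sts(dns_txt, policy_body):
    if not dns_txt or not dns_txt.startswith("v=STSv1"):
        return ["MTA-STS: no v=STSv1 record at _mta-sts.<domain>"]
    lines = (policy_body or "").splitlines()
    fields = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    mode = fields.get("mode") or "missing"
    if mode != "enforce":
        return [f"MTA-STS: policy mode is {mode}, only 'enforce' blocks cleartext downgrade"]
    return []

def audit_tlsrpt(txt):
    if not txt or not txt.startswith("v=TLSRPTv1"):
        return ["TLS-RPT: no v=TLSRPTv1 record at _smtp._tls.<domain>"]
    return [] if "rua" in _tags(txt) else ["TLS-RPT: no rua= address"]

def audit_mail_dns(rec):
    """rec keys: spf, dkim, dmarc, mta_sts, mta_sts_policy, tlsrpt (None if absent)."""
    return (audit_spf(rec.get("spf")) + audit_dkim(rec.get("dkim"))
            + audit_dmarc(rec.get("dmarc")) + audit_tlsrpt(rec.get("tlsrpt"))
            + audit_mta_sts(rec.get("mta_sts"), rec.get("mta_sts_policy")))

# Constructed samples for example.com. The DKIM p= blobs are zero bytes of
# the right length, not real keys; only the size check looks at them.
_K1024 = base64.b64encode(b"\x00" * 162).decode()
_K2048 = base64.b64encode(b"\x00" * 294).decode()
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all",
        "dkim": f"v=DKIM1; k=rsa; t=y; p={_K1024}",
        "dmarc": "v=DMARC1; p=none",
        "mta_sts": "v=STSv1; id=20260101",
        "mta_sts_policy": "version: STSv1\nmode: testing\nmx: mail.example.com"}
HARDENED = {"spf": "v=spf1 mx ip4:203.0.113.10 -all",
            "dkim": f"v=DKIM1; k=rsa; p={_K2048}",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
            "mta_sts": "v=STSv1; id=20260101",
            "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.com",
            "tlsrpt": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"}
```

Run `audit_mail_dns(WEAK)` to see the seven findings the relaxed records produce; `audit_mail_dns(HARDENED)` returns an empty list.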
I do all of those things and with all of that setup the only place I ever run into issues is with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&T's free email and on to ProtonMail at this point.
If you use mailgun or similar you have to set up DKIM keys for them and add them to your SPF.
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
I feel this more and more each day.
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because it's a societal cooperation problem.
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
In no way has it ever been about a functional alternative to something like Nextcloud. It's been about services primarily for LAN functionality, not stuff that should be going over the internet (mostly for security reasons).
So your expectations really don't align with what Samba has ever been about.
Source: I professionally support Samba for businesses.
I'm on a similar journey and I use Radicale.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
"Source code? We don't need no stinkin' source code!"
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but it's sad how many people will use some free of cost vpn and not even think why that might be.
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
Mars? /i
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technological problem here now that humans can't be detected by their ability to solve puzzles any more.
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
But still, better multiple slightly crappy OSs instead of just one (plus Apple).
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
https://ibb.co/X9Q6Y84
By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visit will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Wow, this is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure how relevant this is to the discussion but if it helps, I have made a project[0] which allows archiving archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by the community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
In this case, the answer is right there in the question: You have to pay to bypass it.
Maybe there is a better option out there, but if so, it has the disadvantage of being hard to find.
reCaptcha is "invisible" by default. Although if you use a non-Chromium browser and/or block tracking, you are more likely to trigger a non-invisible prompt. Annoying as that is for people like me and maybe you, that isn't the experience most users have.
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
Now to be honest, while it's optimal to archive pages from your browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcprox [0]. Haven't tried yet.
- [0] https://github.com/internetarchive/warcprox
I am unfamiliar with web caching proxies like squid [0] but I am wondering if that might be the most straightforward way to do this.
So use squid and then have a batch job that goes through /var/spool/squid every day and updates your web archive according to some defined filters.
- [0] https://www.squid-cache.org/
All Huawei phones, which use Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
Yeah, I say it as "because the US bullies the EU to prevent them from doing it".
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
The people who this method is most hoping to stop are the least likely to be impacted by it in the long run.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
This is blocking access to websites wholesale, so it’s on a whole different level.
The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
It looks like a cloudflare page but it's not hosted by them. e.g. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
(My phone is technically Android, but really old, not a touchscreen, you can't install apps, and most websites don't work in it, so... basically a dumb phone. But I did write a map web page that works in my very specific situation: https://lab.brainonfire.net/classicmap/ But mostly I just look up directions first and pay attention to signs, and the web page is a fallback that's nice to have.)
With Apple there's no choices, so I'll continue to take my chances with Android
What does that even mean?
Also, personally I care less and less. As long as my banks and government apps work, I'll just not use somebody's service if they put up barriers like this.
If most people care less and less, the result would be that banks and government apps will also work less and less.
Look, companies have to prioritise. And the obvious way to prioritise is to say "users are requesting X A LOT and nobody requests Y, so we will do X". Companies never, EVER say "it would be more ethical to do Y, let's do Y".
As people, we can do two things:
* Push our governments to regulate that shit. That means, complain a lot to the government.
* Be vocal to companies and complain when they don't support your system. If enough people do that, it will be prioritised.
The hardware attestation (which is used by strict Play Integrity) checks the signature on your OS. It is totally possible to allow signatures other than Google, but Play Integrity doesn't do that.
Companies could totally decide to use hardware attestation and accept systems signed not only by Google, but also other systems (like GrapheneOS). But they don't care because not enough users complain to them.
Users of alternative Androids typically silently move to another service or stop using it entirely. Which is understandable but doesn't help the cause.
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Calendar server: https://radicale.org/v3.html Sync: https://manual.davx5.com/
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
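For the Radicale + DAVx5 + Tailscale setup described above, here is a hardened Radicale server configuration as an added example; it is not part of the comment and not the Radicale project's own documentation. It assumes Radicale 3, binds the CalDAV endpoint to the machine's Tailscale address only (so nothing listens on the public interface), and requires htpasswd authentication with bcrypt hashes. The tailnet IP, file paths and any usernames are placeholders.

```ini
# /etc/radicale/config  (added example; 100.64.0.1 is a placeholder for this host's tailnet IP)

[server]
# Listen only on the Tailscale address, never on 0.0.0.0 or a public IP,
# so the calendar is reachable from your tailnet and from nowhere else.
hosts = 100.64.0.1:5232

[auth]
# Require a username/password for every request. DAVx5 sends it over the
# WireGuard-encrypted tailnet, so plain HTTP inside Tailscale is acceptable here.
type = htpasswd
htpasswd_filename = /etc/radicale/users
htpasswd_encryption = bcrypt

[rights]
# A user may only read and write collections under their own path,
# so a second family member cannot see someone else's calendar.
type = owner_only

[storage]
# Plain-file storage; back this directory up together with the htpasswd file.
filesystem_folder = /var/lib/radicale/collections
```

Create the password file with the Apache utility (`htpasswd -B -c /etc/radicale/users alice`; `-B` selects bcrypt), which needs the `bcrypt` Python package installed for Radicale to verify hashes. In DAVx5, point the account at `http://100.64.0.1:5232/` (your placeholder tailnet address) with the same username; because the server is unreachable outside the tailnet, a Tailscale client on the phone is what provides "access from anywhere".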
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
Antitrust laws have existed for decades. They just have to be honoured.
He (Torvalds) had no power to do anything and sold out. Even if he did, big tech would just go and use BSD.
For over a decade both Torvalds, and Stallman sold everyone out. They don't make their money directly from "free software" or "open source" in the first place.
Stallman was right in that he knew digital surveillance was going to happen, but he was incorrect in believing that FLOSS was ever sustainable economically and especially with AI replacing the developer and that big tech and startups are weaponising that against them.
Even when Stallman is against AI, he doesn't care. He knows he doesn't make money from "free software"; but only by speaking about it. Torvalds is the same but likes AI.
Can any other developer do exactly that in 2026?
I think you need to read the comment again:
>> They don't make their money directly from "free software" or "open source" in the first place.
>> He (Stallman) knows he doesn't make money from "free software" but only by speaking about it. Torvalds is the same...
My (unanswered) question:
> Can any other developer do exactly that in 2026?
To avoid repeating myself, the point is the majority of these typical developers do not have the level of influence that both Stallman, and Torvalds have to make a lot of money from their open source projects, especially in the age of AI; making it pointless to maintain such projects.
I think open source works best when folks don't expect to make money off of it. I don't think Linus or Stallman expected to make money off of their free software. In some cases you might be lucky and able to get consulting contracts from firms related to your open source code but it's not reasonable to assume that will happen. It's possible it's harder to get lucky today than before but it was always unlikely.
Remote attestation is the thing preventing the app from running on your Android alternative, whether it's GPLv3 or not does not matter. GPLv3 does not say "it's illegal to do remote attestation".
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
bots get pruned after an hour since 100% of the bots fall into the same trap, giving it a delay makes A/B testing really difficult and breaks most AI strategies.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy providers while they were untouchable but now I know how things are gonna go.
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
at my most pessimistic I can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps an AI-bot-free digital world.
Your privacy is dead, and you cannot do anything against it, except not using phones and internet... at all. I mean I still fight against it, but not by protecting my privacy by using tools, or using different tools, because I realized it's not possible. There is no "as little data as possible". They know regardless.
I used VPN, browser containers for everything, a myriad of fingerprinting protections, nothing related to Google/Facebook/etc. And then I went up to Youtube once for something, and they knew exactly what my thoughts were at the time. That was the moment when I realized that I suffered for nothing.
I still support privacy movements, and I strongly believe that the only place where we can do anything at this point is politics. You can't protect your privacy anymore in this current environment, that ship sailed decades ago.
My problem is that basically every larger push for privacy is against newly proposed laws (like age verification), and there is basically no large uproar regarding the current already fucked up laws.
[1]: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
Even if you are a GMS Android user, they are going to make installing apps outside the Play Store much more annoying and these attestation-backed verifications are going to further deanonymize you.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
I’m not talking about the network itself but the servers on the other end.
I guess my point is that while Google is definitely malicious, I don’t think every site using recaptcha is and if we expect them not to use that tool there should probably be an alternative.
I think SV was asking what onion services, which can't really use recaptcha, do to prevent the DDoS storm.
And I would imagine the answer is obscurity, since the dark web isn't nearly as well-mapped as the public web. That and some Anubis or other PoW would probably go far.
If I’m hosting at some IP, I still need Anubis or something to serve up the challenge, so doesn’t that become the attack point?
I do 95% of my web browsing via Tor Browser and it is very tolerable, most circuits are fast enough for 1080p video (Youtube, Twitch livestreams, etc) without any buffering.
Here is a speedtest I ran just moments ago, I would hardly consider this "painfully slow": https://www.speedtest.net/result/19172283165.png
Of course this is a single tor circuit with an exit node, so speeds are slower when going directly to .onion sites, but the only real slowness comes from the latency and not throughput.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
Largely a bipartisan talking point…not many true Wydens out there.
In some ways, yes.
In other, major ways: a spade is a spade.
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
Strap in, the ownage will be hard.
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
https://news.ycombinator.com/item?id=48063199
> To complete the mobile verification, you must use a compatible mobile device.
At first glance, reading this made me wonder: what exactly is a compatible mobile device? But they quickly answered this question just below:
> If verifying on iOS/iPadOS...
> If verifying on Android device with Google Play Services...
OK then, got it! These are the ONLY compatible mobile devices. No de-googled devices are being welcomed here.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Reminds me of Facebook engagement bait
If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.
Good that some people are able to translate my thoughts into actual English... :D
If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?
Everyone in power wants it, across the entire globe.
That's very different from requiring hardware attestation, though.
And to think, people said consumer choice was dead...
The amount of stuff councils and state governments gatekeep about road specs alone... Argh.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizens need to complain to their government, in those cases. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizens who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
https://ublockorigin.com/
See the explanation associated with Manifest V3.
Nobody trusts web browsers nowadays.
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
> In conclusion, Google must be destroyed
Yeah they've had their time XD
Re: stolen accounts, you can examine account details, history and activity after purchase, check for emails from social networks and return stolen account to the owner. The posting usually also mentions registration period (new accounts are unlikely to be stolen). But it seems that registering new accounts is cheaper than stealing - old accounts are much more expensive.
I didn't use the account for any illegal activity, there are just sites that use Google Account as a "verification" that you are not a bot, and to issue bans. And I am not interested in jumping through the hoops of searching a locked smartphone with Google Services and filing a visa application to register the account. I strongly dislike proprietary software and locked smartphones.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
Verify that.
(edit: and it definitely won't be an iphone, although that would fit the description above, those only run non-free software by design)
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden from the computer user, are used to sign stuff and/or encrypt?
the trajectory has been clear since AMP: convenience for site owners, attestation pressure on users
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
The internet is a failure. Congratulations us.
Even competent people got completely brainwashed, crazy.
Spread the news, tell everyone you know, before it's too late. I hope we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
Here's the obligatory: Google, FUCK YOU!
>Incompatible browser extension or network configuration
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
And let's not pretend that we mean the kernel when we say Linux distribution
How so?