ReportWire

Tag: the web

  • The Curious Case of the Bizarre, Disappearing Captcha


    As I browse the web in 2025, I rarely encounter captchas anymore. There’s no slanted text to discern. No image grid of stoplights to identify.

    And on the rare occasion that I am asked to complete some bot-deterring task, the experience almost always feels surreal. A colleague shared recent tests where they were presented with images of dogs and ducks wearing hats, from bowler caps to French berets. The security questions ignored the animals’ hats, rudely, asking them to select the photos that showed animals with four legs.

    Other puzzles are hyper-specific to their audience. For example, the captcha for Sniffies, a gay hookup site, has users slide a jockstrap across their smartphone screen to find the matching pair of underwear.

    So, where have all the captchas gone? And why are the few existing challenges so damn weird? I spoke with cybersecurity experts to better understand the current state of these vanishing challenges and why the future will probably look even more peculiar.

    Bot Friction, Human Frustration

    “When the captcha was first invented, the idea was that this was literally a task a computer could not do,” says Reid Tatoris, who leads Cloudflare’s application security detection team. The term captcha—Completely Automatic Public Turing test to tell Computers and Humans Apart—was coined by researchers in 2000 and presented as a way to protect websites from malicious, nonhuman users.

    The initial test most users saw online contained funky characters, usually a combo of warped letters and numbers you had to replicate by typing them into a text field. Computers couldn’t see what the characters were; humans could, even if most of us had to squint to get it right.

    Financial companies like PayPal and email providers like Yahoo used this iteration to ward off automated bots. More websites eventually added audio readouts of the correct answer after receiving pressure from Blind and low-vision advocacy groups, whose members were indeed humans browsing the web but could not complete a vision-based challenge.

    What if, rather than just a test to keep out bots, the challenge could generate useful data? That was a core idea behind the release of reCaptcha in 2007. With reCaptcha, users identified words that machine learning algorithms could not read at the time. This sped up the process of transferring print media into an online form. The tech was quickly acquired by Google, and reCaptcha was instrumental in the company’s efforts to digitize books.

    As machine learning capabilities improved—and they learned to read funky text—online security checkpoints adapted to be more difficult for malicious bots to circumvent. The next iteration of reCaptcha challenges included grids of images where users were asked to select specific options, like photos containing a motorcyclist. Google used the data collected here to improve its online maps.


    Reece Rogers


  • OpenAI’s Atlas Wants to Be the Web’s Tour Guide. I’m Not Convinced It Needs One


    The oddest, and most memorable, interaction I had with ChatGPT Atlas occurred as I scrolled around on Bluesky and asked it to highlight any trends it saw. (ChatGPT listed “political anxiety” and “everyday absurdism” as two of the trends on my timeline.) I was curious what would happen if I opened my Bluesky DMs, which amounted to just a few old messages from friends. So I asked the bot what it would see if I opened that more private page.

    “Opening your DMs won’t expose anything to me—I’ll simply stop ‘seeing’ the page until you go back to a public view (like your feed, profile, or a post),” read part of ChatGPT’s answer.

    Knowing that my Bluesky DMs don’t have anything sensitive, I gave it a whirl. Even though the bot said it wouldn’t “see the message list, conversation text, or sender info,” that wasn’t the case.

    I opened a DM inviting me to an event, then asked the bot a follow-up question asking about the message and what the invitation was about. I received a response from ChatGPT that included facts culled from the conversation, along with details about the sender. What gives? I asked the bot to explain itself, just to see whether it would backtrack on the privacy claims it made earlier in the chat.

    “I do not have access to your private messages or account data unless you explicitly paste or show that text to me in the chat,” read ChatGPT’s response. “What you just did—asking ‘what was this an invite to?’—temporarily surfaced part of the message context so I could answer your question. But I don’t have any background or visibility into your inbox beyond what you actively bring into our conversation.”

    The first answer the Ask ChatGPT sidebar spit out is a potential example of an AI “hallucination,” aka error, that’s common during interactions with generative AI tools. The second is more aligned with how the tool actually works.

    While some users may appreciate having a chatbot always pulled up on the side of their screen, ready to surface related facts or summarize details, it felt like an unreliable tour guide to me. One who was overly confident in its bland responses and taking up too much space.

    I’ll keep testing Atlas as my main browser for the next few weeks, but for now, I’m leaving that sidebar closed. I prefer the fullscreen version of the internet.


    Reece Rogers


  • Here’s What Your Browser is Telling Everyone About You


    The problem with browser fingerprinting is that it’s probabilistic in nature. It looks at a treasure trove of data to track you online, not any individual piece of information. A VPN, for instance, can hide your IP address and make you appear in a different location. If enough of the other data in your fingerprint is consistent, however, it can still be used to track you. Your IP address may be different, but just about everything else about your browsing is not.

    There may be practical use cases for fingerprinting, but you really don’t have much say in the matter. Even with protections like the GDPR, the moment you load a website, there are likely a few dozen (if not more) trackers copying the information your browser shares for their own purposes. Services like Fingerprint leverage that information to create an identifier, but make no mistake, the data is always there.

    How to Get Around Browser Fingerprinting

    You can’t get around browser fingerprinting, at least not without significant compromises to your browsing experience (more on that later). Even if you were to spoof or obfuscate every piece of data your browser sends along, that’d probably work against you. The goal with avoiding fingerprinting is to become a Jane Doe online; you want to disappear in the crowd, so every piece of data that makes you stand out sends up a red flag.

    The best way to fight back against fingerprinting is to hide or rotate enough information so that it’s more difficult to track you, not impossible. And that starts with a VPN, though it doesn’t make you fully anonymous. The clearest online fingerprint you leave is your IP address and physical location, and VPNs hide both. More importantly, many of the best VPNs today include additional tools to combat fingerprinting.

    ProtonVPN, which is what I use myself, includes NetShield to block trackers, ads, and malware. It doesn’t prevent fingerprinting, but NetShield can at least capture and block requests from well-known trackers to make you a bit more private online. NordVPN has a similar feature, as does Surfshark.

    The most robust version of this type of blocker comes from Windscribe. Through its browser extension, you can do things like rotate your browser’s user agent to make it appear as if you’re using a different browser, as well as spoof your language, time zone, and GPS information to match the VPN server you’re connected to. Again, this will not make you fully anonymous online. But an extension like the one Windscribe offers makes tracking your fingerprint more difficult.


    Jacob Roach


  • Internet Archive Breach Exposes 31 Million Users



    An illicit JavaScript popup on the Internet Archive proclaimed on Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.

    Longtime security researcher Troy Hunt, who runs the data breach notification website Have I Been Pwned (HIBP), also confirmed that the breach is legitimate. He said that it occurred in September and the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.

    The Internet Archive has not yet returned multiple requests for comment from WIRED.

    “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?” the attackers wrote in Wednesday’s Internet Archive popup message. “It just happened. See 31 million of you on HIBP!”

    In addition to the breach and site defacement, the Internet Archive has been grappling with a wave of distributed denial-of-service attacks that have intermittently brought down its services.

    Internet Archive founder Brewster Kahle provided a public update on Wednesday evening in a post on the social network X. “What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.” “Scrubbing systems” refer to services that offer DDoS attack protection by filtering malicious junk traffic so it can’t deluge and disrupt a website.

    The Internet Archive has faced aggressive DDoS attacks numerous times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday’s DDOS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as “BlackMeta” claimed responsibility for this week’s DDoS attacks and said it plans to carry out more against the Internet Archive. Still, the perpetrator of the data breach is not yet known.

    The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It recently lost an appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now, it’s facing an existential threat in the form of another copyright lawsuit, this one from music labels, which may result in damages upwards of $621 million if the court rules against the archive.

    HIBP’s Hunt says that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and DDoS’d, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”

    Hunt added, too, that while he encouraged the group to publicly disclose the data breach itself before the HIBP notifications went out, the extenuating circumstances may explain the delay.

    “Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack,” Hunt wrote. “They’re a non-profit doing great work and providing a service that so many of us rely heavily on.”


    Lily Hay Newman, Kate Knibbs
