Cute, but like a lot of captchas, misguided at this stage
The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option
Games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like I have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools
I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)
anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better
edit: to be clear, I do not want mandatory identity verification -- not at all, it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison
Is there reason to believe this is a good discriminator of human vs AI? I didn't see any about page, or statistic, or anything like that, but maybe I'm just missing it?
edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?
I don't know what a next generation CAPTCHA should look like, but I know anything game-shaped will be a trivial target for RLVR. That's like trying to beat Stockfish. That ship has sailed.
Claude Opus 4.8 one-shotted it... I think we should gear these systems towards making the cost of abuse expensive as they will be able to get around these things more and more easily.
Captchas are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing you're running on a server... A 1-shot doesn't scale against this.
Not only on the front layer, but mostly in the centre too. I just tested it a bunch of times and in the overwhelming majority it worked without even moving the claw, it was just grab and release.
Yup. I could guess what needs to be grabbed without reading the prompt because it was always the front-most object. It also has the largest grab area; some of the plushies can't even be grabbed.
Reverse captcha: only robots can reprove one of the Euler problems on the fly? Statistically speaking we can round the people who can into the outlier group, right?
No human needs to prove they are, online or elsewhere. Online, be it human or bot, the issue is not the ontological class of the direct actor, it's the goal of the people who launch the browsing. When the intention is malevolent, the situation is not better just because the campaign would involve real humans working in inhuman conditions.
I'm tired of constantly having to prove I'm a human. Especially if it's trying to be lighthearted and fun on the surface, it just reminds me how the Internet has fallen.
Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company IT stack
Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run the code directly. It works fine. Then we can show how we're using AI!"
(Yeah, I know it's hard to be perfectly secure, but still...)
Time and time again, I prove that I'm human by giving this crap the finger and then visiting some other site. It's calling out a false positive and then exercising good taste.
[1] https://github.com/mortspace/playcaptcha
"And to be clear: it checks that someone is playing, not who they are. Keep your real checks behind it."
It's just a game, not a CAPTCHA.
A human would be incredibly suspicious of this.
but this is fun!
Also when you move the claw left and right, it "leans" in the wrong direction.
Fun idea though
It requires you to solve a mate-in-one puzzle to, e.g., post on the forums.
(Sorry, don't have a better link, there wasn't any non-technical I could find about it).
https://www.reddit.com/r/chess/comments/q19wgq/til_lichess_d...
https://github.com/user-attachments/assets/0b80b07b-d88f-414...
phpboard added captchas back in 2004.
The only dependency is the 'motion' library.
[0]: https://github.com/mortspace/playcaptcha
If it is DNA then why would I need a claw machine? (Note that this definition on DNA, which in itself is mega-odd since DNA differs, would mean that via synthetic biology one could yield humans - according to such a definition. But this does not have to be correct, so the definition would be flawed.)
If it is not DNA, how else to prove it?