[HN Gopher] Show HN: CodeCaptcha - Hide web links behind coding ...
___________________________________________________________________
Show HN: CodeCaptcha - Hide web links behind coding challenges
Hello HN, I made this silly project over the long weekend. It's
pretty basic right now and the captchas are very easy. I plan to
add captcha difficulty levels for link creators soon.
Author : asadlionpk
Score : 123 points
Date : 2022-01-19 14:27 UTC (8 hours ago)
(HTM) web link (www.codecaptcha.io)
(TXT) w3m dump (www.codecaptcha.io)
| panphora wrote:
| This would be a fun way to:
|
| * Create homework at the end of a programming lesson (before
| unlocking the next step)
|
| * Link to a job posting from a company website (if you don't mind
| coming off as slightly evil)
|
| * Hide a link to a StackOverflow answer from a friend
| whoomp12342 wrote:
| I hate all of these. In the current use case I don't care
| because for me all of the problems are trivial. But I worry
| about people abusing this idea with harder problems
| kvathupo wrote:
| This is actually brilliant. Reminds me of how Headlands Technologies
| solicits applications: they ask for a simple C++ program printing
| a number. There's a C way and C++ way.
| endisneigh wrote:
| Is a captcha too hard for any automation but easy enough for a
| human in a reasonable amount of time even possible?
|
| I feel like all captcha does is waste the time of non technical
| folks and fail to stop the people who would abuse to begin with.
| asadlionpk wrote:
| Well captchas waste human time but they do work. Example: As a
| webmaster, Cloudflare's captchas have saved my sites from abuse
| numerous times.
| wowokay wrote:
| I think it's great! I think most people either ignore your
| statement or decided to interpret it in the wrong way.
|
| For everyone else: The author made it clear that the purpose is
| to weed out non-engineers. Practically there may not really be a use
| case there but it was never designed to replace captcha, most
| people wouldn't be able to access the link, and anyone using or
| purchasing the use of a bot farm already meets the captcha
| requirements (albeit with extremely unnecessary additional
| steps).
| alanbernstein wrote:
| I suggest indicating the language being used, directly on the
| captcha element, not just on the landing page.
| asadlionpk wrote:
| thanks, I will add that!
| Zababa wrote:
| If you want to limit something to programmers, I think one idea
| would be to ask them to run a command, giving a linux and a
| windows possibility, and copy/pasting the result.
| kuroguro wrote:
| Yeah, something like curl <captchascript> | sh !
|
| Oh wait..
| asadlionpk wrote:
| exactly... maybe just curl <url> | pbcopy
|
| and the server only serves to non-browser useragents
| poopsmithe wrote:
| I love this!
| IceWreck wrote:
| Looks like there are only 7-8 challenges. You could just
| steamroll through this the hardcoding way.
|
| But yeah solving them with copilot is more fun.
| buraktamturk wrote:
| It worked only once for me (str.split('').reverse().join('')
| one).
|
| But this one didn't:
|
| function isOddNumber(num) { return !!(num%2); }
|
| Testing for input computer: FAILED! Expected: retupmoc | Got:
| undefined eval code@ eval@[native code]
| julienreszka wrote:
| num % 2 != 0
| crate_barre wrote:
| Might as well stick the Leetcode problem on job postings with
| this.
| 37ef_ced3 wrote:
| Someone tell me what CoPilot generates for this:
|
|     // A Go function to swap the sixth bit and seventeenth bit of a 32-bit signed integer.
|
| Here is a human solution:
|
|     func swap(x int32) int32 {
|         const mask = 1 << 5
|         var (
|             xor1 = (x>>11 ^ x) & mask
|             xor2 = xor1 << 11
|         )
|         return x ^ xor1 ^ xor2
|     }
|
| I would be surprised if CoPilot can reason numerically like this
| (understand "seventeenth bit" and "sixth bit" and generate the
| right code for that combination).
| smitop wrote:
| With just that prompt, Copilot keeps writing a comment about
| the function but never actually writes the function. Prompting
| to actually write the function by starting it with `func`
| gives:
|
|     // A Go function to swap the sixth bit and seventeenth bit of a 32-bit signed integer.
|     func swapBits(x int32) int32 {
|         return ((x & 0x0F) << 28) | ((x & 0xF0000000) >> 28)
|     }
| 37ef_ced3 wrote:
| Totally wrong, it's garbage.
|
| And there you have it, the difference between real
| intelligence and regurgitation.
|
| This is the kind of numerically specific coding that could be
| the basis of a CAPTCHA that CoPilot can't solve. Sixth bit,
| sixth byte, seventeenth bit, seventeenth byte, etc.
| asxd wrote:
| For python it seems to generate a more reasonable result at
| least:
|
|     # Swap the sixth bit and seventeenth bit of a 32-bit signed integer.
|     def swap_bits(x):
|         # Get the bit at position 6 and 17.
|         bit6 = x & (1 << 6)
|         bit17 = x & (1 << 17)
|         # Swap the bits.
|         x = x ^ (bit6 << 17)
|         x = x ^ (bit17 << 6)
|         return x
| 37ef_ced3 wrote:
| I guess CoPilot has seen bit swapping in its Python training
| input but not in its Go training input.
|
| The Python code is wrong because the 17th bit is shifted up,
| not down. Also, the bits are shifted by the wrong amount, not
| up/down by 11 (= 17 minus 6), but up by 6 and up by 17. What
| a joke.
|
| Not only that, even if the shifts were correct, it's simply
| xoring the bits. The swap is completely wrong.
|
| Garbage code, total fail.
| asxd wrote:
| Yeah, it seems to be pretty heavily trained on Python. It's
| honestly still (and should be used as) a glorified
| autocomplete, which is pretty useful from time to time.
| stillwrong wrote:
| The function doesn't do what the comment says it does. The code to
| "Swap the bits." just turns the bits on.
|
|     >>> def swap_bits(x):
|             # Get the bit at position 6 and 17.
|             bit6 = x & (1 << 6)
|             bit17 = x & (1 << 17)
|             # Swap the bits.
|             x = x ^ (bit6 << 17)
|             x = x ^ (bit17 << 6)
|             return x
|     >>> x6 = (1 << 6)
|     >>> f"{x6:b}"
|     '1000000'
|     >>> s6 = swap_bits(x6)
|     >>> f"{s6:b}"
|     '100000000000000001000000'
|
| Here's one that correctly swaps bits. It could be made more
| concise.
|
|     >>> def swap_specific(x,i,j):
|             def get(x,p): return 1 if x & (1 << p) else 0
|             def set(x,p): return x ^ (1 << p)
|             def clr(x,p): return x & ~(1 << p)
|             bi, bj = get(x,i), get(x,j)
|             x = set(x,j) if bi else clr(x,j)
|             x = set(x,i) if bj else clr(x,i)
|             return x
|     >>> f"{x6:b}"
|     '1000000'
|     >>> b6 = swap_specific(x6,6,17)
|     >>> f"{b6:b}"
|     '100000000000000000'
| xordoh wrote:
| almost but this part is wrong
|
|     def set(x,p): return x ^ (1 << p)
|
| should probably be
|
|     def set(x,p): return x | (1 << p)
| btdmaster wrote:
|     function isEvenNumber(num) {
|         if(Math.random() > 0.5) {
|             return true
|         }
|         return false
|     }
|
| Took a while, but worked in the end. Be careful with the
| arbitrary code execution because I'm sure people can do more than
| generate random numbers!
| yehoshuapw wrote:
| It's running in the browser. (I checked with an "alert") so it's
| not _that_ bad.
|
| Edit: nvm, it seems (according to a comment here by the author)
| that it is sent to the server and verified.
|
| Edit 2: indeed, once the answer worked locally, it got sent -
| and got stuck at "Submitting..." (locally, I clicked the alert)
| mellavora wrote:
| or, as Randall Munroe put it,
|
| https://xkcd.com/1185/
|
| where 'panic sort' remains my favorite
| dylan604 wrote:
| https://xkcd.com/810/
|
| seems apropos as well
| tempodox wrote:
| Too circuitous, too procedural. Just,
|
|     return (Math.random() > 0.5);
| tempodox wrote:
| Nice, solving the demo challenge gets you rickrolled!
| romanzubenko wrote:
| Years ago at green tech college hackathon my team built a captcha
| that requires users to correctly sort trash into recycling,
| compost and non-recyclable bins. Anything a little bit more fun is
| better than mind numbing selecting traffic lights, boats and
| trains.
| mellavora wrote:
| obviously you've spent more time in Germany than driving across
| the US. Though really, only 3 different bins? How primitive!
| foreigner wrote:
| If you refresh the browser you get a different challenge. Was
| that intentional?
| jagger27 wrote:
| Does it silently timeout on the server if I submit something
| malicious like this?
|
|     function multiplyNumbers(a, b) {
|         if (a == 2) {
|             return a * b // to avoid locking up my browser :)
|         } else {
|             while(true) {}
|         }
|         return a
|     }
|
| It's stuck on "Submitting..." on the client.
| JoshuaDavid wrote:
| Cute idea! The checks seem to be running entirely on the client
| side, so for instance the following will pass all test cases
|
|     function isEvenNumber(num) {
|         return challenge.testcase[1];
|     }
|
| or even
|
|     this[challenge.fnName] = _ => challenge.testcase[1];
|
| Depending on the use case, though, you could just say that anyone
| who can use the debugger to figure out how to hack around the
| captcha passes the test :)
|
| Edit: oh, I see, it submits the code to be evaluated on the
| server after it passes on your browser (but the above causes the
| server to 500 at you, so it just says "Passed! Submitting..." and
| gets stuck in that state). Seems a bit dangerous to trust the
| client to control what code runs on your server, but I suppose
| platforms like leetcode manage it so in principle it should be
| possible to do safely.
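
Added example, not part of the thread or of CodeCaptcha's own code: a sketch of the server-side re-check the comments above describe (hidden test inputs, a runaway `while(true)` submission, a submission that reaches for the client-only `challenge` object), using the timeout option of Node's `vm` module. The `CHALLENGE` record, `verifySubmission`, `runLimited` and the size and time limits are assumptions; Node documents `vm` as not being a security mechanism, so a real service would run this inside a separate locked-down process or container.

```javascript
const vm = require('node:vm');

// Hypothetical server-side challenge record. The hidden cases never leave the
// server, so a submission cannot read the expected values (constructed data).
const CHALLENGE = {
  fnName: 'multiplyNumbers',
  hiddenCases: [
    { args: [2, 3], expected: 6 },
    { args: [7, 6], expected: 42 },
    { args: [-4, 5], expected: -20 },
  ],
};

// Run one script in the given context with a hard wall-clock limit.
function runLimited(code, context, timeoutMs) {
  try {
    return { done: true, value: vm.runInContext(code, context, { timeout: timeoutMs }) };
  } catch {
    // Covers both the timeout and anything the submission throws. The thrown
    // value is deliberately not inspected: it may be an object (getter, Proxy)
    // built by the submission, and touching it would run its code unbounded.
    return { done: false };
  }
}

function verifySubmission(source, challenge, timeoutMs = 50) {
  if (typeof source !== 'string' || source.length > 2000) {
    return { ok: false, reason: 'rejected' };
  }
  // Fresh, empty global per submission: no `challenge`, `require` or `process`.
  const context = vm.createContext(Object.create(null));
  if (!runLimited(source, context, timeoutMs).done) {
    return { ok: false, reason: 'did-not-complete' };
  }
  for (const { args, expected } of challenge.hiddenCases) {
    const call = `${challenge.fnName}(${args.map((a) => JSON.stringify(a)).join(', ')})`;
    const result = runLimited(call, context, timeoutMs);
    if (!result.done) return { ok: false, reason: 'did-not-complete' };
    // Strict comparison against a primitive never calls into submission code.
    if (result.value !== expected) return { ok: false, reason: 'wrong-answer' };
  }
  return { ok: true, reason: 'passed' };
}
```
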
| ZeroCool2u wrote:
| I wonder if you could use advent of code or Project Euler style
| challenges that have a multitude of problem/solution pairs to
| bootstrap support for languages besides JS? The difficulty would
| be perhaps a bit high, but not a bad starting place.
| tyingq wrote:
| Might be good to mention that javascript is expected.
| asadlionpk wrote:
| Thanks. I will add that
| [deleted]
| nano9 wrote:
| whoomp12342 wrote:
| wow, this has been up for 2 hours and no one has thought of the
| most obvious use case for this tool? rick roll your co-workers
| ReleaseCandidat wrote:
| Oh, sneaky!
|
|     function addNumbers(a, b) {
|         if (a === 1 && b === 3){
|             return 4
|         }
|     }
|
|     Testing for hidden input: FAILED!
| asadlionpk wrote:
| Ha!
| debdut wrote:
| dang awesome
| melissalobos wrote:
| Unfortunately the example problems are simple enough to be solved
| with AI. As a test I ran two of them by CoPilot, and it solved
| them instantly. I like the idea, but would want something more
| difficult as a captcha since it is easy for bots but hard for a
| human.
|
| Maybe a better approach would be to have a prompt at the top with
| unclear specifications, or some kind of riddle instead of a
| function name. It would also be good not to have a bank of
| problems, since someone could just pattern match on them, but to
| generate them automatically somehow.
|
| This is a lot more interesting than finding traffic lights
| though, and the website looks well designed. Thank you for
| sharing!
| MattGaiser wrote:
| Is copilot looking for the function name and using that to
| solve it? Might just change that into a random string.
|
| function deliberatelyMisleadingString {
|
| }
| Eduard wrote:
| But then no one knows which problem to solve.
| MattGaiser wrote:
| You can have the function requirements in the instruction
| text. So instead of isNumberEven, have "write a function
| that returns whether a number is evenly divisible by two."
| protoax wrote:
| Copilot could absolutely solve the task given the
| instructions as a comment that's stated above.
| Unfortunately the gap between AI's capabilities and a
| task humans can solve quickly is super thin. You also
| have to constantly evade advancements in computer vision
| for the current type of captchas, such as FunCaptcha
| implementing swirls and animals in certain rotations.
| 2457013579 wrote:
| Reminds me of one of my favorite quotes about trash in
| Yosemite.. "There is considerable overlap between the
| intelligence of the smartest bears and the dumbest
| tourists."
|
| > Back in 1980s, Yosemite National Park was having a
| serious problem with bears: They would wander into
| campgrounds and break into the garbage bins. This put
| both bears and people at risk. So the Park Service
| started installing armored garbage cans that were tricky
| to open--you had to swing a latch, align two bits of a
| handle, that sort of thing. But it turns out it's
| actually quite tricky to get the design of these cans
| just right. Make it too complex, and people can't get
| them open to put away their garbage in the first place.
| Said one park ranger, "There is considerable overlap
| between the intelligence of the smartest bears and the
| dumbest tourists."
| [deleted]
| dbavaria wrote:
| If you could wrangle AI to solve this problem for you, I'm sure
| you wouldn't have any issues solving the captcha manually.
| Hence the CodeCaptcha still works!
| klyrs wrote:
| No. If one person can wrangle AI to solve the problem, it's
| an easy step to solve it in a bot-farm. Hence, the
| CodeCaptcha is entirely broken.
| vorticalbox wrote:
| > Sometimes you want to share a link (like job postings,
| google forms, your project, a secret sub-page etc) to
| programmers only.
|
| It wasn't developed to keep AI and bots out but to only let
| in programmers
| abraham wrote:
| > This service let's you do that while also preventing
| abuse and spam.
|
| https://www.codecaptcha.io/
|
| It's not just about programmers.
| tonmoy wrote:
| I thought the goal was to weed out non-programmers not AI - in
| that regard it seems to be doing what it was designed for I
| guess
| charcircuit wrote:
| Captcha stands for: Completely Automated Public Turing test
| to tell Computers and Humans Apart
| isaacimagine wrote:
| CAPTPHA?
| nyberg wrote:
| Would expect the challenges in lisp with such a name
| [deleted]
| pelagicAustral wrote:
| Yeah, well can't imagine solving an np-hard challenge just to
| get rickrolled afterwards...
| Lamad123 wrote:
| Does this copilot solve Codility quizzes?
| fishtoaster wrote:
| Sure, but if you're capable of running CoPilot to write an
| isEven or reverseString function in JS, it's probably less
| effort to just write the functions then and there. And either
| way you're clearly the sort of person this captcha would be
| intended to allow through, I think.
| nefitty wrote:
| Sometimes I wish I could leave the yaks alone. Most of the
| time I love it lol
| asadlionpk wrote:
| Thanks! All good suggestions!
| splatcollision wrote:
| Never gonna give this up! Great project
| akersten wrote:
| I noticed one of the challenges is "reverse a string." Can I just
| rant a little about how much I hate that as an interview
| question?
|
| It's meaningless to reverse a string. Not just in the "there's no
| purpose to doing it" sense (very true) but genuinely in the "it
| literally isn't a defined operation" sense. If you've only lived
| in the nice insulated world of ASCII or a mostly-ASCII-like
| language, you might scratch your head - just put the letters in
| backwards order, right?
|
| Well, what do you do when you hit a Unicode joiner? Or a multi-byte
| emoji? Maybe your reversing scheme is clever and looks at "whole
| codepoints" or whatever. But then what happens when you normalize
| the "reversed" string? Or what about the modifier characters that
| affect the previous/next character - how to treat those? I've
| never been satisfied with anyone's answer to these questions,
| because the problem is invalid from the start. You _can't_
| "reverse" an arbitrary string, it's not a well-defined operation.
| yehoshuapw wrote:
| There is a (slight, but important) difference between the
| syntactic meaning, and the semantic meaning.
|
| you are correct that reversing a string gives back irrelevant
| things. (and you don't need to go that far: what does a
| reversed word mean?) however, in the sense of a list of
| characters, the content is irrelevant.
| admiral33 wrote:
| Maybe the interview question should be 'How is the question
| 'reverse this string' a bad interview question'
| julienreszka wrote:
| str.split('').reverse().join('')
| Karawebnetwork wrote:
| In a tongue-in-cheek tone: Woah, so old school. We would
| never hire you! You have to show that you know ES6!
|
| [...str].reverse().join('')
| jandrese wrote:
| Which would fail. You got the directional formatting
| characters in the wrong order.
|
| It is 2022. If your code doesn't treat all strings as Unicode
| it is broken.
| paulluuk wrote:
| Ha, I had the same challenge and was actually annoyed to find
| out that Javascript doesn't have a builtin function like
| str.reverse().
|
| I totally see your point, though.
| MattGaiser wrote:
| I have learned not to ask these sorts of questions outside
| hobby projects. It is rarely appreciated.
| Eduard wrote:
| > I noticed one of the challenges is "reverse a string." Can I
| just rant a little about how much I hate that as an interview
| question?
|
| I find "reverse a string" a good interview question then! If
| the applicant got lost in considering all possible
| interpretations instead of just solving it how 99% of
| humans/engineers would understand it, then they will likely be
| unfit for working in a team and/or have poor communication
| skills.
| alanbernstein wrote:
| That's harsh. Sounds like a thoughtful candidate who
| understands edge cases to me.
| paulluuk wrote:
| Best: solve the problem, but also add the caveat that
| _technically_ there are edge-cases that wouldn't work.
|
| Worst: spend the entire interview explaining why you can't
| solve this problem.
| jandrese wrote:
| You are weeding out all candidates who understand Unicode.
| This is exactly the sort of problem that a good engineer
| would keep an eye out for because it's almost certainly going
| to explode with edge conditions if you try to do it the
| "obvious" way.
|
| Unless you're giving that problem and then hitting the input
| with a string that includes directional formatting
| characters. Because that's exactly what is going to happen in
| real life.
|
| The only good thing about that question is at least you
| didn't ask them to casefold the string.
| charcircuit wrote:
| I recommend googling "grapheme cluster"
| onionisafruit wrote:
| This is a fun idea. I tried the demo a few times. msft copilot
| solved them all immediately. This won't be effective keeping bots
| out, but it may be good for turning away non-technical humans.
| asadlionpk wrote:
| That's the goal actually.
|
| Interestingly, copilot GENERATED some of these captcha
| challenges for me. It's impressive!
| onionisafruit wrote:
| Be careful with that. It may generate challenges that only it
| can solve and take over your site ;-)
| ipsin wrote:
| I really like the URL-based puzzles, e.g. the 1o57 puzzle
| described in this walkthrough:
| https://web.archive.org/web/20210423041523/http://elegin.com...
| AntonyGarand wrote:
| Nice project!
|
| It's worth mentioning that this is a client-side captcha, making
| it trivial to bypass by bots / anyone.
| asadlionpk wrote:
| It's actually not? The solution is sent to server and verified.
___________________________________________________________________
(page generated 2022-01-19 23:00 UTC)