[HN Gopher] Show HN: CodeCaptcha - Hide web links behind coding ...
___________________________________________________________________

Show HN: CodeCaptcha - Hide web links behind coding challenges

Hello HN, I made this silly project over the long weekend. It's pretty
basic right now and the captchas are very easy. I plan to add captcha
difficulty levels for link creators soon.

Author : asadlionpk
Score  : 123 points
Date   : 2022-01-19 14:27 UTC (8 hours ago)

(HTM) web link (www.codecaptcha.io)
(TXT) w3m dump (www.codecaptcha.io)

| panphora wrote:
| This would be a fun way to:
|
| * Create homework at the end of a programming lesson (before
| unlocking the next step)
|
| * Link to a job posting from a company website (if you don't mind
| coming off as slightly evil)
|
| * Hide a link to a StackOverflow answer from a friend
|
| whoomp12342 wrote:
| I hate all of these. In the current use case I don't care
| because for me all of the problems are trivial. But I worry
| about people abusing this idea with harder problems
|
| kvathupo wrote:
| This is actually brilliant. Reminds me of how Headlands Technologies
| solicits applications: they ask for a simple C++ program printing
| a number. There's a C way and C++ way.
|
| endisneigh wrote:
| Is a captcha too hard for any automation but easy enough for a
| human in a reasonable amount of time even possible?
|
| I feel like all captcha does is waste the time of non technical
| folks and fail to stop the people who would abuse to begin with.
|
| asadlionpk wrote:
| Well captchas waste human time but they do work. Example: As a
| webmaster, Cloudflare's captchas have saved my sites from abuse
| numerous times.
|
| wowokay wrote:
| I think it's great! I think most people either ignore your
| statement or decided to interpret it in the wrong way.
|
| For everyone else: The author made it clear that the purpose is
| to weed out non-engineers.
| Practically there may not really be a use
| case there but it was never designed to replace captcha, most
| people wouldn't be able to access the link, and anyone using or
| purchasing the use of a bot farm already meets the captcha
| requirements (albeit with extremely unnecessary additional
| steps).
|
| alanbernstein wrote:
| I suggest indicating the language being used, directly on the
| captcha element, not just on the landing page.
|
| asadlionpk wrote:
| thanks, I will add that!
|
| Zababa wrote:
| If you want to limit something to programmers, I think one idea
| would be to ask them to run a command, giving a linux and a
| windows possibility, and copy/pasting the result.
|
| kuroguro wrote:
| Yeah, something like curl <captchascipt> | sh !
|
| Oh wait..
|
| asadlionpk wrote:
| exactly... maybe just curl <url> | pbcopy
|
| and the server only serves to non-browser useragents
|
| poopsmithe wrote:
| I love this!
|
| IceWreck wrote:
| Looks like there are only 7-8 challenges. You could just
| steamroll through this the hardcoding way.
|
| But yeah solving them with copilot is more fun.
|
| buraktamturk wrote:
| It worked only once for me (str.split('').reverse().join('')
| one).
|
| But this one didn't:
|
|     function isOddNumber(num) { return !!(num%2); }
|
|     Testing for input computer: FAILED! Expected: retupmoc | Got:
|     undefined eval code@ eval@[native code]
|
| julienreszka wrote:
| num % 2 != 0
|
| crate_barre wrote:
| Might as well stick the Leetcode problem on job postings with
| this.
|
| 37ef_ced3 wrote:
| Someone tell me what CoPilot generates for this:
|
|     // A Go function to swap the sixth bit and seventeenth bit of a
|     // 32-bit signed integer.
|
| Here is a human solution:
|
|     func swap(x int32) int32 {
|         const mask = 1 << 5
|         var (
|             xor1 = (x>>11 ^ x) & mask
|             xor2 = xor1 << 11
|         )
|         return x ^ xor1 ^ xor2
|     }
|
| I would be surprised if CoPilot can reason numerically like this
| (understand "seventeenth bit" and "sixth bit" and generate the
| right code for that combination).
|
| smitop wrote:
| With just that prompt, Copilot keeps writing a comment about
| the function but never actually writes the function. Prompting
| to actually write the function by starting it with `func`
| gives:
|
|     // A Go function to swap the sixth bit and seventeenth bit of a
|     // 32-bit signed integer.
|     func swapBits(x int32) int32 {
|         return ((x & 0x0F) << 28) | ((x & 0xF0000000) >> 28)
|     }
|
| 37ef_ced3 wrote:
| Totally wrong, it's garbage.
|
| And there you have it, the difference between real
| intelligence and regurgitation.
|
| This is the kind of numerically specific coding that could be
| the basis of a CAPTCHA that CoPilot can't solve. Sixth bit,
| sixth byte, seventeenth bit, seventeenth byte, etc.
|
| asxd wrote:
| For python it seems to generate a more reasonable result at
| least:
|
|     # Swap the sixth bit and seventeenth bit of a 32-bit signed integer.
|     def swap_bits(x):
|         # Get the bit at position 6 and 17.
|         bit6 = x & (1 << 6)
|         bit17 = x & (1 << 17)
|         # Swap the bits.
|         x = x ^ (bit6 << 17)
|         x = x ^ (bit17 << 6)
|         return x
|
| 37ef_ced3 wrote:
| I guess CoPilot has seen bit swapping in its Python training
| input but not in its Go training input.
|
| The Python code is wrong because the 17th bit is shifted up,
| not down. Also, the bits are shifted by the wrong amount, not
| up/down by 11 (= 17 minus 6), but up by 6 and up by 17. What
| a joke.
|
| Not only that, even if the shifts were correct, it's simply
| xoring the bits. The swap is completely wrong.
|
| Garbage code, total fail.
|
| asxd wrote:
| Yeah, it seems to be pretty heavily trained on Python. It's
| honestly still (and should be used as) a glorified
| autocomplete, which is pretty useful from time to time.
|
| stillwrong wrote:
| The function doesn't do what the comment says it does. The code to
| "Swap the bits." just turns the bits on.
|
|     >>> def swap_bits(x):
|             # Get the bit at position 6 and 17.
|             bit6 = x & (1 << 6)
|             bit17 = x & (1 << 17)
|             # Swap the bits.
|             x = x ^ (bit6 << 17)
|             x = x ^ (bit17 << 6)
|             return x
|     >>> x6 = (1 << 6)
|     >>> f"{x6:b}"
|     '1000000'
|     >>> s6 = swap_bits(x6)
|     >>> f"{s6:b}"
|     '100000000000000001000000'
|
| Here's one that correctly swaps bits. It could be made more
| concise.
|
|     >>> def swap_specific(x,i,j):
|             def get(x,p): return 1 if x & (1 << p) else 0
|             def set(x,p): return x ^ (1 << p)
|             def clr(x,p): return x & ~(1 << p)
|             bi, bj = get(x,i), get(x,j)
|             x = set(x,j) if bi else clr(x,j)
|             x = set(x,i) if bj else clr(x,i)
|             return x
|     >>> f"{x6:b}"
|     '1000000'
|     >>> b6 = swap_specific(x6,6,17)
|     >>> f"{b6:b}"
|     '100000000000000000'
|
| xordoh wrote:
| almost but this part is wrong
|
|     def set(x,p): return x ^ (1 << p)
|
| should probably be
|
|     def set(x,p): return x | (1 << p)
|
| btdmaster wrote:
|     function isEvenNumber(num) {
|         if(Math.random() > 0.5) {
|             return true
|         }
|         return false
|     }
|
| Took a while, but worked in the end. Be careful with the
| arbitrary code execution because I'm sure people can do more than
| generate random numbers!
|
| yehoshuapw wrote:
| It's running in the browser. (I checked with an "alert") so it's
| not _that_ bad.
|
| Edit: nvm, it seems (according to a comment here by the author)
| that it is sent to the server and verified.
|
| Edit 2: indeed, once the answer worked locally, it got sent -
| and got stuck at "Submitting..." (locally, I clicked the alert)
|
| mellavora wrote:
| or, as Randall Munroe put it,
|
| https://xkcd.com/1185/
|
| where 'panic sort' remains my favorite
|
| dylan604 wrote:
| https://xkcd.com/810/
|
| seems apropos as well
|
| tempodox wrote:
| Too circuitous, too procedural. Just,
|
|     return (Math.random() > 0.5);
|
| tempodox wrote:
| Nice, solving the demo challenge gets you rickrolled!
|
| romanzubenko wrote:
| Years ago at green tech college hackathon my team built a captcha
| that requires users to correctly sort trash into recycling,
| compost and non-recyclable bins. Anything a little bit more fun is
| better than mind numbing selecting traffic lights, boats and
| trains.
|
| mellavora wrote:
| obviously you've spent more time in Germany than driving across
| the US. Though really, only 3 different bins? How primitive!
|
| foreigner wrote:
| If you refresh the browser you get a different challenge. Was
| that intentional?
|
| jagger27 wrote:
| Does it silently timeout on the server if I submit something
| malicious like this?
|
|     function multiplyNumbers(a, b) {
|         if (a == 2) {
|             return a * b // to avoid locking up my browser :)
|         } else {
|             while(true) {}
|         }
|         return a
|     }
|
| It's stuck on "Submitting..." on the client.
|
| JoshuaDavid wrote:
| Cute idea! The checks seem to be running entirely on the client
| side, so for instance the following will pass all test cases
|
|     function isEvenNumber(num) {
|         return challenge.testcase[1];
|     }
|
| or even
|
|     this[challenge.fnName] = _ => challenge.testcase[1];
|
| Depending on the use case, though, you could just say that anyone
| who can use the debugger to figure out how to hack around the
| captcha passes the test :)
|
| Edit: oh, I see, it submits the code to be evaluated on the
| server after it passes on your browser (but the above causes the
| server to 500 at you, so it just says "Passed! Submitting..." and
| gets stuck in that state). Seems a bit dangerous to trust the
| client to control what code runs on your server, but I suppose
| platforms like leetcode manage it so in principle it should be
| possible to do safely.
|
| ZeroCool2u wrote:
| I wonder if you could use advent of code or Project Euler style
| challenges that have a multitude of problem/solution pairs to
| bootstrap support for languages besides JS? The difficulty would
| be perhaps a bit high, but not a bad starting place.
|
| tyingq wrote:
| Might be good to mention that javascript is expected.
|
| asadlionpk wrote:
| Thanks. I will add that
|
| [deleted]
|
| nano9 wrote:
|
| whoomp12342 wrote:
| wow, this has been up for 2 hours and no one has thought of the
| most obvious use case for this tool?
| rick roll your co-workers
|
| ReleaseCandidat wrote:
| Oh, sneaky!
|
|     function addNumbers(a, b) {
|         if (a === 1 && b === 3){
|             return 4
|         }
|     }
|
|     Testing for hidden input: FAILED!
|
| asadlionpk wrote:
| Ha!
|
| debdut wrote:
| dang awesome
|
| melissalobos wrote:
| Unfortunately the example problems are simple enough to be solved
| with AI. As a test I ran two of them by CoPilot, and it solved
| them instantly. I like the idea, but would want something more
| difficult as a captcha since it is easy for bots but hard for a
| human.
|
| Maybe a better approach would be to have a prompt at the top with
| unclear specifications, or some kind of riddle instead of a
| function name. It would also be good not to have a bank of
| problems, since someone could just pattern match on them, but to
| generate them automatically somehow.
|
| This is a lot more interesting than finding traffic lights
| though, and the website looks well designed. Thank you for
| sharing!
|
| MattGaiser wrote:
| Is copilot looking for the function name and using that to
| solve it? Might just change that into a random string.
|
|     function deliberatelyMisleadingString {
|
|     }
|
| Eduard wrote:
| But then no one knows which problem to solve.
|
| MattGaiser wrote:
| You can have the function requirements in the instruction
| text. So instead of isNumberEven, have "write a function
| that returns whether a number is evenly divisible by two."
|
| protoax wrote:
| Copilot could absolutely solve the task given the
| instructions as a comment that's stated above.
| Unfortunately the gap between AI's capabilities and a
| task humans can solve quickly is super thin. You also
| have to constantly evade advancements in computer vision
| for the current type of captchas, such as FunCaptcha
| implementing swirls and animals in certain rotations.
|
| 2457013579 wrote:
| Reminds me of one of my favorite quotes about trash in
| Yosemite.. "There is considerable overlap between the
| intelligence of the smartest bears and the dumbest
| tourists."
|
| > Back in 1980s, Yosemite National Park was having a
| serious problem with bears: They would wander into
| campgrounds and break into the garbage bins. This put
| both bears and people at risk. So the Park Service
| started installing armored garbage cans that were tricky
| to open--you had to swing a latch, align two bits of a
| handle, that sort of thing. But it turns out it's
| actually quite tricky to get the design of these cans
| just right. Make it too complex, and people can't get
| them open to put away their garbage in the first place.
| Said one park ranger, "There is considerable overlap
| between the intelligence of the smartest bears and the
| dumbest tourists."
|
| [deleted]
|
| dbavaria wrote:
| If you could wrangle AI to solve this problem for you, I'm sure
| you wouldn't have any issues solving the captcha manually.
| Hence the CodeCaptcha still works!
|
| klyrs wrote:
| No. If one person can wrangle AI to solve the problem, it's
| an easy step to solve it in a bot-farm. Hence, the
| CodeCaptcha is entirely broken.
|
| vorticalbox wrote:
| > Sometimes you want to share a link (like job postings,
| google forms, your project, a secret sub-page etc) to
| programmers only.
|
| It wasn't developed to keep AI and bots out but to only let
| in programmers
|
| abraham wrote:
| > This service let's you do that while also preventing
| abuse and spam.
|
| https://www.codecaptcha.io/
|
| It's not just about programmers.
|
| tonmoy wrote:
| I thought the goal was to weed out non-programmers not AI - in
| that regard it seems to be doing what it was designed for I
| guess
|
| charcircuit wrote:
| Captcha stands for: Completely Automated Public Turing test
| to tell Computers and Humans Apart
|
| isaacimagine wrote:
| CAPTPHA?
|
| nyberg wrote:
| Would expect the challenges in lisp with such a name
|
| [deleted]
|
| pelagicAustral wrote:
| Yeah, well can't imagine solving an np-hard challenge just to
| get rickrolled afterwards...
|
| Lamad123 wrote:
| Does this copilot solve Codility quizzes?
|
| fishtoaster wrote:
| Sure, but if you're capable of running CoPilot to write an
| isEven or reverseString function in JS, it's probably less
| effort to just write the functions then and there. And either
| way you're clearly the sort of person this captcha would be
| intended to allow through, I think.
|
| nefitty wrote:
| Sometimes I wish I could leave the yaks alone. Most of the
| time I love it lol
|
| asadlionpk wrote:
| Thanks! All good suggestions!
|
| splatcollision wrote:
| Never gonna give this up! Great project
|
| akersten wrote:
| I noticed one of the challenges is "reverse a string." Can I just
| rant a little about how much I hate that as an interview
| question?
|
| It's meaningless to reverse a string. Not just in the "there's no
| purpose to doing it" sense (very true) but genuinely in the "it
| literally isn't a defined operation" sense. If you've only lived
| in the nice insulated world of ASCII or a mostly-ASCII-like
| language, you might scratch your head - just put the letters in
| backwards order, right?
|
| Well, what do you do when you hit a Unicode joiner? Or a multi-byte
| emoji? Maybe your reversing scheme is clever and looks at "whole
| codepoints" or whatever. But then what happens when you normalize
| the "reversed" string? Or what about the modifier characters that
| affect the previous/next character - how to treat those? I've
| never been satisfied with anyone's answer to these questions,
| because the problem is invalid from the start. You _can't_
| "reverse" an arbitrary string, it's not a well-defined operation.
|
| yehoshuapw wrote:
| There is a (slight, but important) difference between the
| syntactic meaning, and the semantic meaning.
|
| you are correct that reversing a string gives back irrelevant
| things. (and you don't need to go that far: what does a
| reversed word mean?) however, in the sense of a list of
| characters, the content is irrelevant.
|
| admiral33 wrote:
| Maybe the interview question should be 'How is the question
| 'reverse this string' a bad interview question'
|
| julienreszka wrote:
| str.split('').reverse().join('')
|
| Karawebnetwork wrote:
| In a tongue-in-cheek tone: Woah, so old school. We would
| never hire you! You have to show that you know ES6!
|
| [...str].reverse().join('')
|
| jandrese wrote:
| Which would fail. You got the directional formatting
| characters in the wrong order.
|
| It is 2022. If your code doesn't treat all strings as Unicode
| it is broken.
|
| paulluuk wrote:
| Ha, I had the same challenge and was actually annoyed to find
| out that Javascript doesn't have a builtin function like
| str.reverse().
|
| I totally see your point, though.
|
| MattGaiser wrote:
| I have learned not to ask these sorts of questions outside
| hobby projects. It is rarely appreciated.
|
| Eduard wrote:
| > I noticed one of the challenges is "reverse a string." Can I
| just rant a little about how much I hate that as an interview
| question?
|
| I find "reverse a string" a good interview question then! If
| the applicant got lost in considering all possible
| interpretations instead of just solving it how 99% of
| humans/engineers would understand it, then they will likely be
| unfit for working in a team and/or have poor communication
| skills.
|
| alanbernstein wrote:
| That's harsh. Sounds like a thoughtful candidate who
| understands edge cases to me.
|
| paulluuk wrote:
| Best: solve the problem, but also add the caveat that
| _technically_ there are edge-cases that wouldn't work.
|
| Worst: spend the entire interview explaining why you can't
| solve this problem.
|
| jandrese wrote:
| You are weeding out all candidates who understand Unicode.
| This is exactly the sort of problem that a good engineer
| would keep an eye out for because it's almost certainly going
| to explode with edge conditions if you try to do it the
| "obvious" way.
|
| Unless you're giving that problem and then hitting the input
| with a string that includes directional formatting
| characters. Because that's exactly what is going to happen in
| real life.
|
| The only good thing about that question is at least you
| didn't ask them to casefold the string.
|
| charcircuit wrote:
| I recommend googling "grapheme cluster"
|
| onionisafruit wrote:
| This is a fun idea. I tried the demo a few times. msft copilot
| solved them all immediately. This won't be effective keeping bots
| out, but it may be good for turning away non-technical humans.
|
| asadlionpk wrote:
| That's the goal actually.
|
| Interestingly, copilot GENERATED some of these captcha
| challenges for me. It's impressive!
|
| onionisafruit wrote:
| Be careful with that. It may generate challenges that only it
| can solve and take over your site ;-)
|
| ipsin wrote:
| I really like the URL-based puzzles, e.g. the 1o57 puzzle
| described in this walkthrough:
| https://web.archive.org/web/20210423041523/http://elegin.com...
|
| AntonyGarand wrote:
| Nice project!
|
| It's worth mentioning that this is a client-side captcha, making
| it trivial to bypass by bots / anyone.
|
| asadlionpk wrote:
| It's actually not? The solution is sent to server and verified.
___________________________________________________________________
(page generated 2022-01-19 23:00 UTC)
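
Added example, not part of the thread and not CodeCaptcha's code: a sketch of the server-side check the thread argues about, applied to the bit-swap challenge 37ef_ced3 proposes. It keeps the expected answers in the parent process, feeds fresh hidden inputs to the submission in a child interpreter, and kills the child on a timeout. It grades Python submissions rather than the site's JavaScript, and `grade`, `reference_swap` and the sample submissions are assumed names.

```python
import json
import secrets
import subprocess
import sys

# Child-side harness: loads the submission, applies it to the hidden inputs
# read from stdin and prints the results. Expected answers never enter the child.
HARNESS = """
import json, sys
ns = {}
exec(sys.argv[1], ns)
print(json.dumps([ns[sys.argv[2]](x) for x in json.load(sys.stdin)]))
"""

def reference_swap(x, i=5, j=16):
    """Swap bits i and j (0-indexed); 5 and 16 are the sixth and seventeenth bits."""
    diff = ((x >> i) ^ (x >> j)) & 1
    return x ^ (diff << i) ^ (diff << j)

def grade(source, fn_name="swap_bits", cases=64, timeout_s=3.0):
    """Return 'pass', 'fail', 'timeout' or 'error' for one submission."""
    # Edge cases plus fresh random inputs, so a hard-coded table cannot pass.
    inputs = [0, 1 << 5, 1 << 16, (1 << 5) | (1 << 16)]
    inputs += [secrets.randbits(31) for _ in range(cases)]
    try:
        # -I ignores the environment and user site-packages; it is NOT a sandbox.
        proc = subprocess.run(
            [sys.executable, "-I", "-c", HARNESS, source, fn_name],
            input=json.dumps(inputs), capture_output=True, text=True,
            timeout=timeout_s)  # the child is killed when the limit expires
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode != 0:
        return "error"  # exception in the submission, e.g. a NameError
    try:
        got = json.loads(proc.stdout)
    except json.JSONDecodeError:
        return "error"
    return "pass" if got == [reference_swap(x) for x in inputs] else "fail"

# Constructed sample submissions, modelled on answers posted in the thread.
XOR_MASK = ("def swap_bits(x):\n    d = ((x >> 11) ^ x) & (1 << 5)\n"
            "    return x ^ d ^ (d << 11)\n")
COPILOT = ("def swap_bits(x):\n    bit6 = x & (1 << 6)\n    bit17 = x & (1 << 17)\n"
           "    x = x ^ (bit6 << 17)\n    x = x ^ (bit17 << 6)\n    return x\n")
HARDCODED = "def swap_bits(x):\n    if x == 32:\n        return 65536\n"
SPIN = "def swap_bits(x):\n    while True:\n        pass\n"
PEEK = "def swap_bits(x):\n    return challenge['expected'][0]\n"

if __name__ == "__main__":
    for name in ("XOR_MASK", "COPILOT", "HARDCODED", "SPIN", "PEEK"):
        print(name, grade(globals()[name]))
```

Process separation and a timeout do not confine the submission: it still runs with the grader's file and network access, so a real deployment also needs OS-level isolation. For boolean challenges such as isEvenNumber, a coin-flip answer passes n hidden cases with probability 2^-n, so the case count matters there.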