Conversation

RE: https://mstdn.social/@jschauma/116610268796045193

Any site that implements Google's QR reCAPTCHA goes on my PERMANENT block list.

Don't care what site it is...

14
5
0

@catsalad It's fucking evil, and they're working with Apple, and various "high security" companies like financial stuff.

The web will be closed to anyone who doesn't have a verified Android or iOS device, you won't be able to use online banking without a verified Android or iOS device, your verified Android or iOS device will be your dystopian "multi-pass"

0
1
0

@catsalad wait how does this even prove something is human? Machines read QRs better than humans do...?

3
0
0

It is another scam to obtain your identity.

2
0
0

@urig @catsalad
I would suppose that qr code would open up a link, and the website you land on would use JavaScript to look at your operating system among other things. That’s my theory, **I AM PROBABLY WRONG**. (Sorry for the shouting, I’m just not risking spreading theory as fact here, even surrounded by tech literate people)

3
0
0

@catsalad

"...does not share your details with this website or app." But what about with Google?

0
1
0

@catsalad
Fuck that....report the site as spambot

0
0
0

@FransVeldman Yep, and to locked out modded Android phones like @GrapheneOS or @iode

0
2
0

@catsalad since "scan" is the operative word that determines proof...

Step 1: buy a burner

Step 2: burninate

Step 3: humanity restored

Warning: may not be as effective without a bonfire

Edit: in hindsight, I have realized how retarded this actually is, but the risk of someone having already seen it prevents deletion. So just pretend this did not happen.

1
0
0

@catsalad @neutronstar oh wow thanks. That's terrible.

I wonder how it works? The Google website invokes client-side APIs that involve cryptographic proof that Play Services are installed?

0
0
0

@catsalad just need a "remixer" app that shares the QR code in real time for strangers to scan and verify - make any data that's collected this way useless.

0
0
0

@neutronstar @urig @catsalad Made it halfway through your post before I heard MatPat's voice...

But yeah I think you're right. Also helps that Google is on most mobile devices and will have likely seen you before. They're seeing a phone connect to the link they've just created AND they know all the other activities connected with that phone.

1
0
0

@catsalad could be a nice idea for a Firefox plugin.

0
0
0

@neutronstar @urig @catsalad scanned the link in the original post with a bog standard QR scanning app. It doesn't run in the browser. If you try to open it as a website, on mobile or desktop, it just sends you to https://support.google.com/recaptcha/answer/16609652 where it very explicitly says you need Google Play Services version 25.41.30 or greater on Android. For iOS there seems to be a hard requirement for either a recaptcha app or iOS 16.4 (which might have added something baked into the OS for verification)

1
0
0

@urig @catsalad It's basically an ID check where your phone is the ID. My guess is Google keeps a profile on every user/device, marks each one as worthy or unworthy of existing on the internet, then when you scan the code for verification Google tells the website if you're on the naughty list or not.

2
0
0

@urig @catsalad alternatively, maybe there's no naughty list and they're just relying on the higher cost of entry since you'd need a bunch of phones for any sort of spam? Wouldn't do shit about spam since anyone doing industrial-scale spam would likely have the budget for hundreds of cheap Android phones from aliexpress, but I highly doubt Google actually cares about industrial spammers any more than the bare minimum so they can brag about combating it.

0
0
0

@catsalad @neutronstar @urig this page says GrapheneOS can pass reCaptcha checks if Play Services is installed:

https://eylenburg.github.io/android_comparison.htm

I think this only really affects Android devices that use microG.

https://github.com/microg/GmsCore/issues/3455

3
2
0

@reiddragon @catsalad @urig
Huh, yeah that makes sense. Thanks for looking into it :)

0
0
0

@catsalad

The web is large. I have already walked away from yahoo, facebook, twitter, whatsapp, reddit, digg, and several others. I have never even been tempted to return to any of them.

I was an adult when the web got going. I don't need to know what people I grew up with are doing. I don't need to know the next dance craze. I don't care what is popular. I will not prove anything to your site.

If your site is not frictionless, I'm not interested.

0
0
0

@BenjaminNelan @urig @catsalad
Lol, I just read it again and yea I hear it. I love that I could give off MatPat vibes! :D

Also, check out Reid’s comment, they scanned the code and apparently it doesn’t run in website, as was my theory, my browser theory! And cut!

See what I did there? ;)

0
0
0

@burger @catsalad @urig @neutronstar
Well, and devices that use neither Play Services nor MicroG

So every de-Google'd Android device.

That's rather unfortunate

0
0
0

@catsalad @neutronstar @urig

Little do they know, "my hardware is unsupported" means the reverse is also true.

I guess their portal isn't supported. 😉

0
0
0

@catsalad Very easy to fake to get mindless rubes to scan your QR codes and load malicious code I would think. This is such a bad idea I don't even know if the people who designed this even thought this through, consequences and all.

4
0
0

@catsalad
i want to agree.

but for some important sites, i need to use workarounds.

if the site is not crucial, avoid or boycott it.

1
0
0

@flamecat @catsalad

If you are in a position of power, you do not have to think about consequences.

Not caring about others is what got these sociopaths into power, and living without consequences is their ultimate goal.

1
2
0

@zetabeta Personally, I am way past the post of compromise, and will even switch banks if I must.

Worst case, I'll use my sole Google-enabled phone, but anything short of life dependency can sod off. 💢

0
2
0

@flamecat @catsalad

Sounds like a great vector for compromising 2FA systems. Can’t get your malware onto both devices? Put a QR code like this on your phishing page and get people to install it.

1
3
0

@burger @catsalad @urig @neutronstar, so what? The whole point of using GrapheneOS is not to install Google spyware on it.

0
0
0

@catsalad

It is truly astonishing what perverse ideas these TechBros come up with.

0
0
0

@avuko

"living without consequences is their ultimate goal."

I'd argue they've achieved this already, and the few exceptions are neglectable.

0
0
0

@catsalad does not share your details with this website or app... And what about sharing details with Google? Weird it omits what it shares with Google.

For me to scan it with my "mobile device" means downloading and decrypting on the device I'm on, which may well not work, because it doesn't share enough/the right data with Google.

0
1
0

@flamecat @catsalad Google knows exactly what the consequences are. They are very much into controlling who can access which information. And that only works when you have total surveillance. (Their plan is to require a logged in Google or Apple account for the captcha to work.)

0
0
0

@flamecat @catsalad google: a 1-day period of holding hostage your ability to install things on your device is necessary to prevent scams

also google: scan this qr code on your phone to verify you're human :D

0
1
0

@burger @catsalad @urig @neutronstar also Android devices with no Google Play Services or microG (like mine), and of course non-Android (e.g. postmarketOS) devices

1
1
0

@urig @catsalad sure?
during covid I saw many security guards reading the vaccination code and verifying the signature with their bare eyes. 🤣

0
0
0

@hans_zelf @catsalad @urig nah, they scan your phone anyway, they just have another excuse to pull out of a hat when asked about it by regulators.

0
0
0

@drmorrisj You don’t need to buy it, there are Android emulators for that (yes, with Google Play services). And I’m fairly certain that it will not work – or if it does work now it will stop working in future. Because the “proof” of being human here is the data that your smartphone accumulated. No data, no proof.

@catsalad

0
2
0