also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.
Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).
so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on
(just realized emacs bindings work in comments, nice, no ctrl-x tho)
Is this speculation, or has it been confirmed somewhere?
Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.
Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.
It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.
On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".
Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).
So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).
> Ask HN: Did HN just start using Google recaptcha for logins? [0]
> dang
> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.
However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.
Let's find a better solution please
Is there an argument here that Google is creating a monopoly?
Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?
No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.
I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."
CF turnstile is one, but of course that means Cloudflare owns even more of the web.
HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.
And I... Can't think of anything else. Other than to just get rid of Captchas entirely.
You could just call them.
Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...
Note that they do not mention any specific companies on that landing page. That is pretty intentional.
But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.
Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.
Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)
Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.
The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.
Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.
Whats funny is its almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.
The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.
https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...
Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.
I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.
For people using a Google account it probably won't make a huge difference, in terms of data collected.
If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.
Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.
But there's a good chance that it will be extremely hard to sidestep, despite that.
But anything your phone can possibly do in software can be spoofed, so how would that help?
Can de-Googled Android phones present themselves as iPhones?
It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet
If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.
If you don't have a static IP you need will want to think about a MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.
I feel this more and more each day.
Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.
Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.
At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.
My current de-google project is categorizing all my pictures on my local NAS to create the memories feature (where it shows historic pics on multiple theme axes). You can get really far with just a few hours of work a month to de-google and some off the shelf image embeddings.
The hero project in this category — what one cannot do trivially as an indie dev — is creating a great fresh PoI dataset. This is tough to do on a planetary scale because its a societal cooperation problem.
I'm on a similar journey and I use Radicale.
If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.
This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).
Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.
Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.
I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.
None. The first rule of network security is you can't trust the client.
All attempts at remote attestation of consumer devices are someone wanting to break this rule. It's always a mistake; the OS being on the blessed list raises the difficulty level for fraud a little, but serious fraudsters have already perfected workarounds.
My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:
- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.
- Discord immediately bans me any time I try to create an account.
- Can't buy flights from Delta, always gives a non-descript error.
- Can't buy concert tickets, it thinks I'm a fraudulent buyer.
- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.
- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).
- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.
I just take my business elsewhere... eventually I'll probably just stop using technology at all.
I had this problem recently with the Indeed website. (Cloudflare Captcha)
Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.
Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.
I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.
I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.
Captcha difficulties are way down now.
I wonder if they are seeing a decrease in traffic and somehow find that acceptable.
I fire up cloudflare warp and walk right through it
use wireguard with wgcf in environments without cloudflare client
yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden
Would you care to elaborate a little on how you did it?
It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.
Mars? /i
the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f
By KYC, obviously it's because there is very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visits will be attached to a real ID.
I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.
Wow, This is really bad :-(
I think this is just gonna make viewing internet without a phone significantly harder especially with archive.is and the likes.
Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows to archive archive.is pages on archive.org/wayback machine (this uses singlefile)
Perhaps something like this can be used by community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.
[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...
The result of this would be to upload it all to a bot-friendly alternative to archive.org.
Its whole point is undetectable archiving because it just saves what your browser already sees.
Now to be honest, while it's optimal to archive pages from you browser view I am not sure I want a random web extension to be in everything I see from a security point of view.
I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.
All Huawei phones, which uses Huawei AppGallery after sanctions
FairPhone 6 /e/OS
Practically all modern feature phones: Nokia phones, HMD phones, etc. As I understand it, predominantly used by elderly and kids. But it's also gaining traction among millennials and Gen Z for digital detox and defeating mobile addiction.
Linux phones (Jolla Phone, PinePhone, FuriPhone, etc) - these you probably won't find in your local retail store but this is another competing platform being built from effectively an entirely different lineage minus the kernel
Yeah, I say it as "because the US bully the EU to prevent them from doing it".
https://www.nytimes.com/2026/02/13/technology/meta-facial-re...
> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.
> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.
(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)
And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...
- pretended that it wasn't all about invading peoples' privacy.
- done a good ol' fashioned "but Apple does it"
- pretended to be standards-oriented
- advertised it as something completely transparent to the end-user
Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.
The people who this method is most hoping to stop are the least likely to be impacted by it in the long run.
This is using another product to reinforce the search and ads monopoly.
You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.
It’s plain anti competitive.
Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.
Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.
This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.
This is blocking access to websites wholesale, so it’s on a whole different level.
It looks like a cloudflare page but it's not hosted by them. eg. https://bgp.he.net/dns/archive.is#_ipinfo It's hosted by AS49505 JSC Selectel
I think they now use their own Cloudflare turnstile if I remember correctly, but back then they switched to hcaptcha.
With apple there's no choices, so I'll continue to take my chances with Android
I'd rather have Google check an Apple phone attestation than have Google check a Google phone attestation, and vice versa, though, because you can assume each company is trying to keep as much information private to themselves instead of giving it to the other. Google is probably just getting "yes it's an Apple phone" and some kind of temporary token, instead of my IMEI, IMSI, phone number, all signed in accounts, biometrics and so on.
Could you justify that? Because to me it seems like Apple isn't doing anything even like this.
Also, Apple sells themselves as a privacy company, but often pick (possibly intentionally) insecure defaults. E.g. you might use end-to-end encrypted chats, but by default iCloud backups are not end-to-end encrypted, so law enforcement can just request your backups/chats from Apple. If you are vigilant and enable Advanced Data Protection for E2E iCloud backups, it probably still doesn't matter because the people that you communicate with probably do not have ADP enabled.
Besides that, they are enshittifying in the same way as Google. Ads in Maps, Ads in applications that you get with the OS (Apple Creator Studio ads in Keynote, etc.), Ads in your system settings for Apple Fitness+ (really).
At least Pixel phones and soon some Motorola models have the option of installing GrapheneOS.
In the meantime, I'm currently using a low end Motorola moto g 5G 2023 which lets me turn off Play Services. Chrome and the Google Calendar don't run (really do need to find a replacement calendar), and I couldn't be happier. Motorola's interest in GrapheneOS makes me wonder if they did this on purpose.
Calendar server: https://radicale.org/v3.html Sync: https://manual.davx5.com/
So, you run Radicale server, you can import Google Calendar.
Set up Davx5 on mobile to sync with the local server
Access from anywhere with Tailscale.
The way it's going, by the time the Motorola + GrapheneOS phone is out, it will be a lot more painful to use GrapheneOS than today. Not because of GrapheneOS of course, but because everybody accepts that bullshit Google is doing.
If you're waiting for Motorola + GrapheneOS, you could start complaining to banks and other apps that don't support GrapheneOS :-). If enough people did that, maybe those companies would consider it.
My dad runs the family domain/emails/etc. The hard part will be convincing him to degoogle the whole family.
I'm also becoming open to using software that lies to google about what it is :) Google will treat us like sh*t, why shouldn't we reciprocate.
I have absolutely no idea what happened there. My best theory so far is that they clicked on some really, really wrong buttons when solving a captcha themselves while logged in to their Google account in the same browser. Bizarre.
The projects were named after a Google Doc they'd recently worked on (or a .docx attachment they'd received?) though, so my other guess is that they somehow created a Google Docs macro or similar by accident?
But his vision/prophecy is about 50 years old and while still valid it probably needs an update.
We are now dealing with a fully networked world where AI/bots have become dominant. I am not sure he did / could go as far in his vision.
There's hardly anything you can do to stop someone determined enough to spend money to spam your specific website. These kinds of captchas do raise the bar somewhat, but every single one of them is ultimately bypassed by paying people to solve them for you.
You will also see this page if your smartphone is degoogled and you try to open the reCAPTCHA attestation URL in a web browser instead of in Google Play Services.
[1]: https://digital-markets-act.ec.europa.eu/contact-dma-team_en
That's the reason companies are desperate to be first/biggest - once you're it, you're it until you finally fall on your face and dwindle to a nobody.
The thing here is that Google is building technology to prevent alternatives from connecting at all. We fundamentally cannot solve it by building more alternatives, we have to prevent Google (and TooBigTech in general) from doing it.
Why does it have to be new? Plenty of open source OSes exist... starting with Android! GrapheneOS is based on AOSP, you would call it Android. If I show you a phone running GrapheneOS, you probably won't even realise that it's running an alternative OS: it will be Android to you.
The problem is not that we don't have alternative. The problem is that Google is moving towards forcing everyone to run their OS (or the OSes they accept, since it includes iOS) to connect to random stuff on the Internet. They are literally building technology that will prevent alternative OSes from running properly.
No need to create new OSes if anyway they won't work, right?
at my most pessimistic i can see a world where consumers pay MORE for attestation to continue to opt-in to society, or perhaps a ai-bot-free digital world.
and on behalf of the Government,
and said “data, so piss off”:
https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...
https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...
Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.
> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.
Strap in, the ownage will be hard.
I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.
Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.
PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.
Everyone in power wants it, across the entire globe.
That's very different from requiring hardware attestation, though.
Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizen need to complain to their government, if those case. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.
What's sad is that the few citizen who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.
I'd go as far as to say that still having Google reCAPTCHA on your website is a sign of your website being unmaintained. Half of them even have the "reCAPTCHA is changing terms, take action" text on them.
This move will cause the last users to stop using it, and reCAPTCHA will be on the "Killed by Google" list in a year or two.
Verify that.
(edit: and it definately won't be an iphone, although that would fit the description above, those only run non-free software by design)
Nobody trusts web browsers nowadays.
I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.
"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.
"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.
Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.
In conclusion, Google must be destroyed.
Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.
I hear ‘web of trust’ pretty often and I like the idea but that’s not anonymous or accessible either
Something that makes it expensive to initiate a connection and cheap (relatively) to accept or reject would probably help. I think that’s a hard problem though.
the trajectory has been clear since AMP-convenience for site owners, attestation pressure on users
I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.
They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go.
People there be like, “but I’m not evil! I’ll never do anything bad with all of this incredible power!”
But if you create a nuclear bomb, someone unsavory is going to wrest control of that power from your stupid little painted fingernails and destroy the rest of us with it.
How about, don’t make an effing privacy nuclear bomb if you don’t want to contribute to making the world more evil?
Google Cloud fraud defense, the next evolution of reCAPTCHA
https://news.ycombinator.com/item?id=48039362
Google Cloud Fraud Defence is just WEI repackaged
Even competent people got completely brainwashed, crazy.
>? URL: .env.project :: IP: 213.209.159.175
>? 30326336336 :: viewer key
>? URL: lab/.env :: IP: 213.209.159.175
>? 39363064647 :: viewer key
>? URL: Dr0v :: IP: 185.12.59.118
>? 76543264647 :: viewer key
>? URL: data/.env :: IP: 213.209.159.175
>? 63623731628 :: viewer key
>? URL: docker/app/.env :: IP: 213.209.159.175
>? 62653061304 :: viewer key
>? URL: fedex/.env :: IP: 213.209.159.175
>? 61663064656 :: viewer key
[09/May/2026:11:31:32] notice: exiting: exceeded max connections per thread
The internet is a failure. Congratulations us.
I don't know what services a TPM chip does provide. Wild guess, some private keys, hidden to the computer user, are used to sign stuff and/or encrypt ?
See the explanation associated with Manifest V3.
Obviously you immediately realise just how often you !g in DDG, use Google Flights, YouTube etc. Ok easy enough to fix
Then of course I can't use Play Store (Aurora didn't work either) so my phone would have eventually become quite obsolete
You can't compile many Go projects because the dependencies are pulled from Google
And if you had ALL of Google's ASNs that would include GCP and that's a whole other level of being cut off
>Incompatible browser extension or network configuration
Spread the news, tell everyone you know, before it's too late. I wish we won't have to resort to even more drastic methods in this fight.
"Those who give up freedom for security deserve neither."
Here's the obligatory: Google, FUCK YOU!
Whether it's from companies that create the tech, or companies that use it.
In the orgy of money, we've had a kind of industry-wide sociopathic convention of individual engineers considering it perfectly OK to further surveillance capitalism.
Can we reverse that?
If someone says we can't, because "everyone does it", are they saying that we're a field of baddies?
I think we are already starting to have that with a couple more infamous other companies in the news the last year: if someone goes to work there, I suspect a lot of people are going to think what is wrong with you, since you must know that company does very harmful things,
Maybe it's time to start wondering that about anyone who'd work for a lot of additional companies?
(I actually had a recruiter recently who was pitching a startup, and the headline featured the "ex-" pedigrees of the founders, including an especially infamous company. I figured any company touting that pedigree as a selling point is probably a bad fit for me. I thanked the recruiter, but said that infamous company as selling point probably isn't a fit. The recruiter seemed to not only understand, but to agree with my vague sentiment about that pedigree company.)
Linux is not an operating system unto itself, but rather a kernel—a core component that manages hardware resources. Android uses the Linux kernel, but replaces the traditional GNU userland with its own runtime, libraries, and system framework.
Many users run Linux-based systems every day without realizing it. Through a peculiar turn of events, the Linux kernel combined with Android’s userspace is often simply called “Android,” and many of its users are not aware that it is built on Linux at its core.
There really is Linux in Android, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs you run. The kernel is an essential part of the system, but useless by itself; it can only function in the context of a complete operating system.
Android is normally used in combination with the Linux kernel: the whole system is basically Android/Linux, a Linux-based operating system with a distinct userspace, not a GNU/Linux system like traditional desktop distributions.
And let's not pretend that we mean the kernel when we say Linux distribution
How so?