Breaking the 4Chan CAPTCHA

The part about bad Keras&lt;-&gt;Tensorflow.js interop is classic Tensorflow. Using TF always felt like using a bunch of vaguely related tools put under the same umbrella rather than an integrated, streamlined product.<p>Actually, I&#x27;ll extend that to saying every open source Google library&#x2F;tool feels like that.

Semi-related but I needed a CAPTCHA on my site[0] mainly to block comment form spam and settled on repurposing a fun method I’d seen before. Is definitely not foolproof (or hard at all), but I really liked making it.<p>[0] <a href="https:&#x2F;&#x2F;www.hybridlogic.co.uk&#x2F;contact" rel="nofollow">https:&#x2F;&#x2F;www.hybridlogic.co.uk&#x2F;contact</a>

There is a reason why people moved away from distorted text based captcha. We are basically at the point where computers are better at them then humans.<p><a href="https:&#x2F;&#x2F;www.usenix.org&#x2F;system&#x2F;files&#x2F;conference&#x2F;woot14&#x2F;woot14-bursztein.pdf" rel="nofollow">https:&#x2F;&#x2F;www.usenix.org&#x2F;system&#x2F;files&#x2F;conference&#x2F;woot14&#x2F;woot14...</a> is a paper on the subject i think is really interesting<p>However a surprising amount of text based captchas can be solved in a few line shell script of, using imagemagik to convert to greyscale, dilate and undilate, then pass to teserract<p>However there are also sites like <a href="https:&#x2F;&#x2F;2captcha.net" rel="nofollow">https:&#x2F;&#x2F;2captcha.net</a> , so really captchas are more like putting a small min amount of effort.

If you&#x27;re into this, here&#x27;s my 2014 breakdown of the Silk Road CAPTCHA: <a href="https:&#x2F;&#x2F;github.com&#x2F;mieko&#x2F;sr-captcha">https:&#x2F;&#x2F;github.com&#x2F;mieko&#x2F;sr-captcha</a>

Appropriate response by 4Chan to this: simplify the human work given that anyway it&#x27;s simple to solve via NNs. We are at a point where designing very hard captchas has high probabilities to increase the human annoyance without decreasing the machine solvability.

I wonder if it would be better to pretend to have a captcha but really you are analysing the user timing and actions. Honestly I half suspect this is already going on.<p>If you wanted to go full meta &quot;never go full meta&quot; you would train a AI to figure out if the agent on the other side was human or not. that is, invent the reverse turing test. it&#x27;s a human if the ai is unable to differentiate it&#x27;s responses from normal humans responses. as opposed to marketing human responses.<p>Well now I have to go have a lay down, I feel a little ill from even thinking on the subject.

In my opinion the granddaddy of all 4chan CAPTCHA busts is still Yannick Kilcher’s GPT-J tune on “Raiders of the Lost Kek” set, and might be the coolest thing an LLM has ever done on video: <a href="https:&#x2F;&#x2F;youtu.be&#x2F;efPrtcLdcdM?si=errY0PrEhnX9ylDw" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;efPrtcLdcdM?si=errY0PrEhnX9ylDw</a>

&gt; The official TensorFlow-to-TFJS model converter doesn&#x27;t work on Python 3.12. This doesn&#x27;t seem to really be documented.<p>&gt; TensorFlow.js doesn&#x27;t support Keras 3.<p>I tried getting into some casual machine learning stuff a few years ago and more or less gave up because of stuff like this. It was staggering how many recent tutorials were already outdated, how many random pitfalls there were, and how many &quot;getting started&quot; guides assumed you were already an expert.

That’s like spending a few hours, learning to take the lid off your septic tank.

Following the links to the captcha solving service you can read profiles of the humans doing the work where its pitched as more ethical than them working in hazardous factories!

I can only imagine how much worse they&#x27;ll make the captcha after stuff like this picks up speed with the users all the while being ineffective against the bots.

This project also solves the 4chan captcha <a href="https:&#x2F;&#x2F;github.com&#x2F;moffatman&#x2F;chan">https:&#x2F;&#x2F;github.com&#x2F;moffatman&#x2F;chan</a>

If there is one blog I&#x27;ve fell in love it, it&#x27;s nullpt.rs. Still waiting for part 2 of Reverse Engineering Tiktok&#x27;s VM Obfuscation

For those that don&#x27;t know, the JKCS extension has been doing this for years already:<p><a href="https:&#x2F;&#x2F;addons.mozilla.org&#x2F;en-US&#x2F;firefox&#x2F;addon&#x2F;jkcs&#x2F;" rel="nofollow">https:&#x2F;&#x2F;addons.mozilla.org&#x2F;en-US&#x2F;firefox&#x2F;addon&#x2F;jkcs&#x2F;</a><p><a href="https:&#x2F;&#x2F;chromewebstore.google.com&#x2F;detail&#x2F;joshi-koukousei-captcha-s&#x2F;fppcpkioamnkpclnpcnnncnioegplgbf?pli=1" rel="nofollow">https:&#x2F;&#x2F;chromewebstore.google.com&#x2F;detail&#x2F;joshi-koukousei-cap...</a><p>Userscript version: <a href="https:&#x2F;&#x2F;github.com&#x2F;drunohazarb&#x2F;4chan-captcha-solver">https:&#x2F;&#x2F;github.com&#x2F;drunohazarb&#x2F;4chan-captcha-solver</a>

I understand why Cloudflare has to exist. But its beyond annoying that it forces you into using an unmodified Chrome sans VPN.

Does 4Chan also have bot BEHAVIOR detection (e.g. unnatural mouse movements)that google captcha has?

I&#x27;ve built 3 iterations of captcha solvers for that crappy website based on <a href="https:&#x2F;&#x2F;github.com&#x2F;drunohazarb&#x2F;4chan-captcha-solver&#x2F;issues&#x2F;1">https:&#x2F;&#x2F;github.com&#x2F;drunohazarb&#x2F;4chan-captcha-solver&#x2F;issues&#x2F;1</a> . The only thing I&#x27;ve learned along the way is that it&#x27;s mostly pointless outside of a &quot;learning&quot; exercise, since they&#x27;ll change the captcha (in terms of letter count or the entropy background). Initially, it was 4 characters with pretty obvious background, then it turned to 5, then it was both 4 and 5 and the current iteration which is also either 4 or 5, but with a lot of entropy surrounding the characters.

I remember trying to use 4chan once and i couldn&#x27;t even pass through the captcha.

I’ll never forget spending the evening of the 2016 election on &#x2F;pol&#x2F;

Very tasteful title animation I must say. It’s fast enough, you feel it, and not distracting, gives a vibe even from glancing

[meta] what blog site is this? Is it a joint among authors? I can’t find more information on their GitHub. Looks neat.

Hey dude. Any idea if 1000 labelled images are good enough for training and how much time it would take to train on a a40 nvidia like on <a href="https:&#x2F;&#x2F;www.runpod.io&#x2F;pricing" rel="nofollow">https:&#x2F;&#x2F;www.runpod.io&#x2F;pricing</a> ?

Parsing the visualization data, within a JSON script tasked with parsing it is a complex endeavor when the site requires verifying email.<p>If the JSON file is corrupt, it shows the following if tt1 and cd do not align.<p>&gt; &quot;error&quot;: &quot;You have to wait a while before doing this again&quot;

It might be worth noting that this, including the harder version the op encountered, are not the hardest captchas that 4chan can serve. There is a still harder version which is sent to less trustworthy IPs. I imagine it would still be tractably solved with computer vision. This in part misses the point though, since 4chan has been continuously altering their captcha since it released, making it difficult to create a permanent solution that won&#x27;t be broken down the road.

Jesus looking at both example captchas... as a human... i have no fucking clue the answer lol

It’s nice to see this posted and interesting that it’s in tensorflow. I wonder for how many years the capture was already broken but not just posted about publicly.

Glad to see Blackjack and Jordin. We used to hack on Minecraft together. nullpt.rs and secret.club are full of former video game hackers :)

4Chan is probably one of the only social platforms where genuiune users and russian bots share the same views, why even bother with CAPTCHAs?

I remember when they introduced their new captcha; it was so tedious to solve it I stopped interacting there entirely.

Man, is there anything computers won&#x27;t be able to break!<p>crazy

Not a word on how describing and releasing this code is obviously unethical!? Captchas have a legitimate use to keep bots out.

the blacked out minimalist aesthetic on this site looks really cool

Hi veritas

<p><pre><code> &gt; The official TensorFlow-to-TFJS model converter doesn&#x27;t work on Python 3.12. This doesn&#x27;t seem to really be documented, and the error messages thrown when you try to use it on Python 3.12 are non-obvious. I tried an older version of Python (3.10) on a hunch, using PyEnv, and it worked like a charm. </code></pre> Amazing. And then people wonder why &quot;just use python 2&quot; is still a thing.

Bet it can&#x27;t break reCAPTCHA on a VPN.<p>[edit]<p>More specifically I mean when they insidiously give you infinite tests even though it&#x27;s impossible to pass because the IP has been blacklisted... There&#x27;s a special place in hell for the anti-human&#x27;s that made that decision, and yes it involves captcha.

I wasn&#x27;t a very active 4chan poster to begin with, but when they introduced this awful CAPTCHA, and later the 300s countdown before making the <i>first</i> post, I completely lost interest in using the website.<p>Anonymous boards were supposed to be low-friction, but now 4chan is one of the most user-hostile social media platforms around. It takes a special kind of dedication to post there, which I seriously doubt helps the quality of the site.

Congratulations, now it will get upgraded and become more work for humans to solve, increasing the burden on every non-malicious user.

If there&#x27;s one place on the web I would apply anonymity with great diligence, it would be posting any article that might put me at odds with the good people of 4Chan.<p>mostly kidding! mostly

I suspect really strongly that the available characters in the 4chan captcha were chose to be able to spell out the most racist&#x2F;nazi&#x2F;extreme slurs and slogans imaginable. For instance, not all numerals are ever used, but 1, 4, and 8 are. K is often there, and whatever the algo is, pseudorandom or not, it often doubles&#x2F;triples characters. I&#x27;ve personally seen &quot;kkk&quot; twice over the years. Mind you, it does <i>seem</i> random. But even randomly, these must happen often enough to set that crowd off, they make a game of posting a screenshot of the &quot;good ones&quot;.