Rendered at 06:54:18 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
csydas 24 hours ago [-]
Cute but like a lot of captchas misguided at this stage
The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option
games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like i have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools
I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)
anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better
edit: to be clear, I do not want mandatory identity verification -- not at all it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison
jhartikainen 23 hours ago [-]
I think this purely as an idea is pretty fun, and there is value in that. But beyond the initial impressions it's exactly as you say. It's not different at all from others in how it will get annoying over time.
Accessibility is a big concern with all kinds of CAPTCHAs it seems. Even without any disabilities, I've seen some that I cannot solve because it's illegible.
IAmBroom 13 hours ago [-]
Your lack of punctuation and capitallization impedes your communication.
Also, what is "anubis-style"? Google failed me (which is becoming more common).
pinkmuffinere 1 days ago [-]
Is there reason to believe this is a good discriminator of human vs AI? I didn't see any about page, or statistic, or anything like that, but maybe I'm just missing it?
edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?
Congratulations! You have proven you are human by complaining about the test instead of solving it. Redirecting you now...
BLKNSLVR 1 days ago [-]
It's nothing like a claw machine. It picked up the toys twice in two tries.
A human would be incredibly suspicious of this.
hurtigioll 1 days ago [-]
the real CAPTCHA would be having a "this is not realistic" button that only humans would press
numpad0 1 days ago [-]
Yeah, real claw machines straight up have tunable win probability controls(subject to local gambling laws).
but this is fun!
marssaxman 1 days ago [-]
My exact thought: this is nothing like a real claw machine.
brtkwr 1 days ago [-]
Claude Opus 4.8 one-shotted it... I think we should gear these systems towards making the cost of abuse expensive as they will be able to get around these things more and more easily.
arbol 1 days ago [-]
It's just a concept, not a real test.
Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
rossvc 1 days ago [-]
If the payoff is worth it, no captcha is too expensive.
IAmBroom 13 hours ago [-]
OP said "already expensive"; you said "too expensive". Both can be true.
CapsAdmin 23 hours ago [-]
unless it has video input, i wonder if something based on animation and timing would work, as screenshots wouldn't clearly capture motion and response time would be too slow as well
ikari_pl 1 days ago [-]
So, a paywall is the simple solution
groestl 1 days ago [-]
I can prove I'm human by losing a claw machine.
bschwindHN 1 days ago [-]
The thing to grab is always on the front layer. Seems like an AI could be pretty easily trained to defeat this.
Also when you move the claw left and right, it "leans" in the wrong direction.
eks391 1 days ago [-]
Yup. I could guess what needs to be grabbed without reading the prompt because it was always the front-most object. It also has the largest grab area; some of the plushies can't even be grabbed.
Fun idea though
m00dy 1 days ago [-]
I can bypass this captcha just by using gemma4
ozim 1 days ago [-]
You don’t need to train it just ask current state of model.
latexr 24 hours ago [-]
Not only on the front layer, but mostly in the centre too. I just tested it a bunch of times and the overwhelming majority it worked without even moving the claw, it was just grab and release.
SweetSoftPillow 24 hours ago [-]
The most important part that most commenters did not read:
"And to be clear: it checks that someone is playing, not who they are. Keep your real checks behind it."
It's just a game, not a CAPTCHA.
rendaw 24 hours ago [-]
Both the submission title and the first sentence are: Prove you’re human by winning a claw machine.
lemagedurage 22 hours ago [-]
They should make it more clear that it's a concept.
I could see a real version that sends the inputs to the backend where some analysis is done, but right now an adversary can just run the onVerify callback as "bypass".
mcyc 1 days ago [-]
Lichess has a checkmate captcha that I think is cute.
It requires you to solve a mate-in-one puzzle to, e.g., post on the forums.
(Sorry, don't have a better link, there wasn't any non-technical I could find about it).
Because computers turned out to be so bad at chess? :)
jaggederest 1 days ago [-]
Reverse captcha: only robots can reprove one of the Euler problems on the fly? Statistically speaking we can round the people who can into the outlier group, right?
sshine 22 hours ago [-]
That's actually interesting:
Like when games detect aimbots, they don't ban people, but put them in an aimbot bracket, so everyone you play with is a cheater.
Provide a captcha that is essentially harder for a human to solve, but trivial for either a human or an AI, and transparently separate them into two communities.
PeterStuer 24 hours ago [-]
Just stop this insanity already. The amount of "anti-bot" challenges actual humans fail to pass is getting ridiculous. For small commercial entities, you could say them shooting themselves in the foot is probably them getting what they deserve as a result of them not reigning in vigilante sysadmins, but when it is also happening on actual official government sites, this is where the line has been crossed.
jdw64 24 hours ago [-]
Thanks to this game, I was able to change my identity from a slightly less fallen human into a machine. Thank you
mohsen1 1 days ago [-]
Codex with Browser Use (Codex 5.3 Spark) was able to solve this with a simple prompt
I don't know what a next generation CAPTCHA should look like, but I know anything game-shaped will be a trivial target for RLVR. That's like trying to beat Stockfish. That ship has sailed.
teekert 22 hours ago [-]
I am a human and have never won anything at a claw machine.
pjc50 22 hours ago [-]
They're rigged.
spaqin 1 days ago [-]
I'm tired of constantly having to prove I'm a human. Especially if it's trying to be lighthearted and fun on the surface, it just reminds me how Internet has fallen.
vasco 1 days ago [-]
I prove I'm a human by giving up trying to use the website. A machine would just relentlessly keep trying. You should try it.
nomel 1 days ago [-]
> it just reminds me how Internet has fallen.
phpboard added captchas back in 2004.
HardwareLust 16 hours ago [-]
Really fun idea and well done, but this would get annoying very quickly.
1 days ago [-]
clark1013 1 days ago [-]
Much better than Google’s 'find objects in pictures'!
TZubiri 1 days ago [-]
>npm install playcaptcha
Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company it stack
Terr_ 1 days ago [-]
> npm install
Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"
(Yeah, not as good as completely separate computer, diminishing returns, but still...)
thunderbong 1 days ago [-]
If you see the code, that dependency just happens to be another file in the repository [0]
Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
GuestFAUniverse 1 days ago [-]
npm install randomgotcha
codelong888 1 days ago [-]
lol this is actually fun. in this era of ai, knowing who's real human and who's ai is so underrated
Simulacra 20 hours ago [-]
Cute but… Will there ever be a day when we don't have to prove that we're human?
psychoslave 24 hours ago [-]
No human needs to prove they are, online or elsewhere. Online, be it human or bot, the issue is not the ontological class of the direct actor, it's the goal of the people who launch the browsing. When the intention is malevolent, the situation is not better just because the campaign would involve real humans working in inhuman conditions.
sevenzero 1 days ago [-]
I really like this! Also the other things you can find on the website. Cool stuff! Makes me want to get better at Frontend shenanigans.
Mistletoe 1 days ago [-]
I wish all captchas were like this. A lot more fun!
nicman23 1 days ago [-]
i d rather play 1-1
shevy-java 1 days ago [-]
What makes me human?
If it is DNA then why would I need a claw machine? (Note that this defnition on DNA, which in itself is mega-odd since DNA differs, would mean that via synthetic biology one could yield humans - according to such a definition. But this does not have to be correct, so the definition would be flawed.)
If it is not DNA, how else to prove it?
latexr 1 days ago [-]
A CAPTCHA is not concerned with your biology or philosophy, only with if you’re an automated request.
doctor_radium 1 days ago [-]
Time and time again, I prove that I'm human by giving this crap the finger and then visiting some other site. It's calling out a false positive and then exercising good taste.
The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option
games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like i have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools
I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)
anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better
edit: to be clear, I do not want mandatory identity verification -- not at all it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison
Accessibility is a big concern with all kinds of CAPTCHAs it seems. Even without any disabilities, I've seen some that I cannot solve because it's illegible.
Also, what is "anubis-style"? Google failed me (which is becoming more common).
edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?
[1] https://github.com/mortspace/playcaptcha
A human would be incredibly suspicious of this.
but this is fun!
Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
Also when you move the claw left and right, it "leans" in the wrong direction.
Fun idea though
"And to be clear: it checks that someone is playing, not who they are. Keep your real checks behind it."
It's just a game, not a CAPTCHA.
I could see a real version that sends the inputs to the backend where some analysis is done, but right now an adversary can just run the onVerify callback as "bypass".
It requires you to solve a mate-in-one puzzle to, e.g., post on the forums.
(Sorry, don't have a better link, there wasn't any non-technical I could find about it).
https://www.reddit.com/r/chess/comments/q19wgq/til_lichess_d...
Like when games detect aimbots, they don't ban people, but put them in an aimbot bracket, so everyone you play with is a cheater.
Provide a captcha that is essentially harder for a human to solve, but trivial for either a human or an AI, and transparently separate them into two communities.
https://github.com/user-attachments/assets/0b80b07b-d88f-414...
phpboard added captchas back in 2004.
Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company it stack
Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"
(Yeah, not as good as completely separate computer, diminishing returns, but still...)
The only dependency is the 'motion' library.
[0]: https://github.com/mortspace/playcaptcha
I'm seeing this from npm, which is a bit different:
https://www.npmjs.com/package/playcaptcha
Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
If it is DNA then why would I need a claw machine? (Note that this defnition on DNA, which in itself is mega-odd since DNA differs, would mean that via synthetic biology one could yield humans - according to such a definition. But this does not have to be correct, so the definition would be flawed.)
If it is not DNA, how else to prove it?