This was for querying package delivery status. I finally got one right after many attempts. The layout, layers, colors change after every attempt so good luck on figuring out which letters count.
It’s WXU86 or I don’t need this website after all.
These “verify you are human” things should be made illegal at this point. They were training OCR scanners, then self-driving cars, now they’re designing them to be anti-AI and we’ve gone full circle where captchas are on the defense.
They were always abusive and exploiting free labor, and more so now. If you dumb companies can’t figure out how to filter fraudomation/AI/whatever, just go out of business.
Tech industry, stop using us.
Bizarre grammar there: “Our firewall detects abnormal activity from your IP”. It does? When?
Says the bot
captcha: please click on all the stairs
stairs: literally every box
captcha: incorrect
Steam uses this, and I swear I’ve been sober and awake when attempting them, but…
If you do the first too fast, it will just show a new one and nauseum. Or that’s my experience anyways.
I hate those the most. I get it wrong every single time. Well excuse me for including the rider as part of the motorcycle. I’m trying to save them from self-driving cars clipping their arm or leg on public roads.
Here’s the kicker. You’re not getting it wrong, you’re just being forced to train AI on another one because greedy corpos gonna be greedy.
Wrong in the sense that the machine thinks it is right (or enough people disagreed with your judgement).
How would they even know when they’re using it to train bots?
The same image is shown to a lot of people. If a majority of people click on the same things, that is assumed to be the correct answer. And it is added to the training database. Occasionally you’ll get one that hasn’t been shown to enough people yet to know for sure. For those, they’ll usually accept any answer, even wildly incorrect ones. The thing is, you as a user never know which ones they already know and which they don’t.
I don’t see the problem. It’s WXU86.
Nice try LLM Diddy
As others have pointed out, it’s probably the foreground characters. They’re easier to read and less ambiguous from occlusion by other characters.
In general I find you can resolve technical ambiguities or possible loopholes to instructions in these things by asking yourself “what would most people do, especially if not really thinking about it much?” That’s particularly helpful for situations where you have to select all the tiles with x object in them. Often you’ll see that technically there’s a little bit of the object in squares other than the most obvious ones that everyone would have selected and you ask yourself “does that count? Technically a little bit of it’s in this square” but if you just pretend you didn’t notice that and only go for the most dead obvious squares you end up passing. Once I realised this the number of times I failed CAPTCHAs significantly reduced. For some reason the only ones that continued to be a problem were the click a checkbox ones that seemingly analyse your mouse movement because somehow I apparently move like a robot.
Tl;Dr
“just guess right”
Kinda… Slightly more helpful, but almost as vague. I’m advising against opting for solutions that are technically correct but would be more difficult for the average person to get right most of the time.
The OP’s CAPTCHA as a case in point, it’s frustrating for them because they’re ostensibly asked to enter the characters that they see but there are several and the length of the string of characters is not known and some characters are hard to read and depending on how you interpret it you could be being asked to enter all these characters or you could look at them and say there’s a background set and a foreground set in which case, which one is the correct one? That’s at least 3 different ways to do it and that’s assuming that what appears to us a representation of depth is indeed intended to be the basis of separation for 2 sets of characters and not some other arbitrary categorisation or no categorisation. Sounds complicated and ambiguous. Except, it’s much harder to read the background set, and the idea that there would even be some other way of categorising, if it occurs to anyone at all would be impossible to work out since if it’s there, it’s not discernible. The easiest way is to just read the letters that aren’t partially covered up and also smaller than the more obvious, easier to read, not occluded characters and disregard the ones behind it. What’s easiest to do also most of the time turns out to have been the hidden instruction for what you were meant to do.
There’s no explicit instruction to do this, it’s wishy washy and hard to abstract for different CAPTCHAs which is why this advice doesn’t look a whole lot better than “just guess right” but in a way that’s kind of part of why they still have some effectiveness, they’re unspoken rules that humans Intuit. Where some of us, like me before kinda “getting it”, go wrong, is in overthinking and over analysing it. “but what if they mean this? I mean technically it could…” If you’re thinking like that, odds are you’re barking up the wrong tree and the solution is way less sophisticated.
Isn’t anunis great? No captcha. Just wait like 15 seconds.
Looks pretty obvious to me.
I’m more infuriated by the “abnormal activity from your IP”. It seems pretty much everything is abnormal to these CDNs, including using Firefox on Linux. On the stack/exchange/ask networks I get that shit every fucking time. And no, I’m not using a VPN/Tor.
Especially when it’s a website that requires an account but they want to use SMS-based or Google Authenticator style 2FA in 2025. “Magic links” are stupid as hell too if you’re not a moron and use a decent password manager — I have no clue what random email address I generated for you since I can’t trust any company not to sell off my PII.
How hard is it to implement FIDO2 then let valid users make requests from whatever IP address they want? IP-based blocking is pretty fucking stupid if you’re already doing secure account-based authorization.
Saying all this as a heavily privacy-conscious web developer. All my traffic looks “suspicious” because how dare I not want your shit hole website to put its grubby little hands all over my IP address.
OK, that last sentence made me laugh!
I deal with this a lot since I do most of my browsing through a VPN.
As great as VPNs are, there probably are a lot of bad actors using them and sometimes I’m the next person using that IP.
With browser extensions and other programs becoming tunnels for AI scrapers, consumer IPs are becoming less and less trustworthy. I receive bots from just about every Brazilian consumer ISP. All it takes is one person on your network with a shitty app/extension installed and your home becomes indistinguishable from a bot farm. It’s extra bad if you’re behind CGNAT so you can’t even influence your IP’s reputation.
Nobody wants these CAPTCHAs, but they’re still pretty effective, even with AI image interpretation. Plus, it still beats remote attestation in terms of Linux friendliness, and that’s the inevitable next step in the war against scrapers.
Considering the amount of traffic from LLM bots nowadays, everything human/“natural” traffic seems to be abnormal as it doesn’t behave like the majority of requests
i’d go with WXU86
Yeah but it’s still obnoxious. I would bet it fucks with dyslexics as well.
Shh don’t tell the machines
woopsie!
That hand is facing the wrong way, bot….
How so?? It looks like he’s looking at the back of his hand?
It’s ironic, because AI would have less trouble with this than humans.
No accessibility options in the captcha? I guess they don’t care about people with vision disability.
FЦᄃK ƬΉΣ BᄂIПD
That would cost money silly!
what vision disability would prevent someone from seeing a monochrome image?
Blindness?
Furthermore, we kind of have rules for accessibility.
forgot about that one
Okay as stupid as this is, it’s pretty funny lol
Much better when they have the little “vision impaired? click here!” button :(
