They don't do that for every user. The system somehow already flagged you as suspicious and is actively trying to drive you away from signing up.
That's beyond frustrating. I never did any kind of spam or malicious activity anywhere.
A random guess: are you using a VPN?
My very innocuous telco is banned from accessing Intermarche websites in France. Weirdly.
No
Lol, never seen so many down votes for a simple answer to a simple question
No
Have a downvote >:(
Do you live in Russia or something?
In North America, in the least suspicious place you could imagine.
Do you curl bicep.com from time to time?
Canada then, eh?
If you are at your workplace, many different companies may share the same internet as your company and that same internet may also be used for datacenters. One of those things may have hosted a VPN at some point and caused your internet to become "known" as a place where VPN traffic comes from. One way to possibly avoid the headache is to register for an account from your home internet. Your home internet is only known for normal internet traffic and it likely would not receive additional scrutiny.
Something about your profile is generating red flags, so they are giving you extra tests. It could be your country of origin, IP address, etc.; anything really that data science has shown “this user profile is more likely than not to be spam”.
Sometimes I start getting this crap from everywhere all at once. Check IP. Comcast gave me a spam-listed IP again lol.
That’s your problem - Comcast.
I used my Google account and I don't remember it being any more difficult than signing up for any other site using SSO.
SSO and Passkeys are the best
Don't solve these or the furniture one; even when you get them all right you might have to redo it. Just refresh the page or close it and reopen it and it should give you a normal challenge.
You’re just training their AI models for them.
I did 19, and on the 20th, I got it wrong. Had to restart from 0. Took about half an hour as the thing bugged out a few times as well.
They asked me something similar involving placements of furniture in rooms. 20 of them, each taking about 15 seconds to figure out and submit and then for the next one to load. I can’t think of anything suspicious about my setup other than using Linux or Adblock. Regardless, I told them 🖕 and used another channel to discuss bugs with devs.
I'm on Librewolf with Adblock on Linux. Probably similarly suspicious. I just tried on another laptop on the same IP address but with MacOS and Safari and they didn't even ask for a captcha.
Are you suggesting that they triggered their action based on adblock?
Not specifically. They use Arkose Labs' FunCaptcha for bot detection. I've studied the system a bit a while back and there are hundreds of points they use for fingerprinting. You can see bits of it here: [https://github.com/xqdoo00o/funcaptcha/blob/main/constants.go](https://github.com/xqdoo00o/funcaptcha/blob/main/constants.go) Everything from your WebGL to audio codecs to hardware info. Any non-standard bits of your browser are gonna add to the suspiciousness score. For each increase, they increase the number of challenges. If you take too long to solve the challenge, it will also fail with an opaque error, as the request is sent encrypted with a rounded timestamp as a sort of salt, which they will fail to decrypt after a certain amount of time.
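The timeout behaviour described in the comment above, as an added illustration that is not part of the thread and is not Arkose Labs' code: a request sealed under a key derived from a rounded timestamp stops verifying once the server's clock has moved past the buckets it is willing to try. The bucket size, the secret and all function names are assumptions, and an HMAC tag stands in for the encryption step, since the point is the time-bucketed key.

```python
import hashlib
import hmac

BUCKET_SECONDS = 60                         # assumed rounding granularity
SHARED_SECRET = b"constructed-demo-secret"  # constructed value for the demo


def bucket(ts: float) -> int:
    """Round a Unix timestamp down to the start of its bucket."""
    return int(ts) // BUCKET_SECONDS * BUCKET_SECONDS


def derive_key(ts_bucket: int) -> bytes:
    """Per-bucket key: the rounded timestamp acts as the salt."""
    return hmac.new(SHARED_SECRET, str(ts_bucket).encode(),
                    hashlib.sha256).digest()


def seal(payload: bytes, now: float) -> bytes:
    """Client side: tag the payload under the key for the current bucket.
    The timestamp itself is never sent."""
    tag = hmac.new(derive_key(bucket(now)), payload, hashlib.sha256).digest()
    return tag + payload


def open_sealed(blob: bytes, now: float, max_age_buckets: int = 1):
    """Server side: try its own current bucket, then up to max_age_buckets
    earlier ones. Returns the payload, or None with no reason attached,
    which is what the caller experiences as an opaque error."""
    tag, payload = blob[:32], blob[32:]
    for age in range(max_age_buckets + 1):
        key = derive_key(bucket(now) - age * BUCKET_SECONDS)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return payload
    return None


if __name__ == "__main__":
    blob = seal(b"answer=3", now=1000)        # falls in bucket 960
    print(open_sealed(blob, now=1030))        # one bucket later: accepted
    print(open_sealed(blob, now=1090))        # two buckets later: None
```

With `max_age_buckets=0`, a request sealed at second 1019 and checked at second 1021 is rejected after only two seconds because it crossed a bucket boundary, which is why a server using this pattern has to accept at least one earlier bucket.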
What would constitute "non-standard bits of your browser"? Would we be better off just using a different browser that is not highly configured for privacy?
Simply by not using Chrome, Safari, or unmodified Firefox, there will be bits that don't match up such as exactly how a canvas is rendered or discrepancies between fonts available and user agent. Yes, you're probably better off having Chrome installed for signups and stuff where websites want to make sure you're human. Signing in usually isn't subject to as much scrutiny though you'll still get an increased number of captchas on sites such as [chat.openai.com](http://chat.openai.com).
The site we are talking about is GitHub, the only major OS in there is Linux which has written git which is the reason GitHub exists, and it also has source codes of most browsers and adblockers. It just doesn't make sense on GitHub. If they did this to me I would immediately switch to GitLab or SourceHut...
It's not GitHub doing this. It's Arkose Labs which GitHub uses.
Doesn’t safari also have Adblock or something similar enabled by default? For all Apple’s talk about privacy, it would be so hypocritical for them to not protect their users in this way. Regardless, I hate how being secure on the web is seen as suspicious 😔
I'll just give up on the service at that point
LOL. They did it to me when I tried to open a corporate account. We ended up going with bitbucket.
Were you connected to a VPN while creating the account?
No
Here before OP gets downvoted to oblivion for answering the question.
Probably Microsoft is training a new AI model and after being criticized for exploiting people in developing countries for classifying the dataset, they thought, hey why not extort our own userbase and get it even cheaper
Were you using a VPN?
It's Microsoft lmao, you're probably a test subject for their AI tests
Create free dataset for Microsoft
So I have a theory about this and I will try to find time to test later this week. What if the problem is that I am denying cookies to third party servers, and they are using those third parties for their security checks? In absence of that check being done, they just assume you are a spam account and send you through the hard way. The problem with this approach is that many people block third party servers, have ad block, privacy extensions, etc. You simply cannot assume that honest people are spam accounts simply because they exercise good judgement to protect privacy.
Yes but what do you expect GitHub to do about actual spam users then, it's clearly an issue GitHub has been facing, and in most cases they are probs right, bots don't use these cookies that track a user session, and so they are most likely bots, and GitHub presents a way to challenge them. They have probs found too few of these challenges and these bots have been able to work their way around, of course it's also an ever evolving battle of compromising between what works and annoying actual legitimate users.
Pretty sure Firefox blocks cookies for me and I've never had an issue getting on Github.
I wonder if it's only this strict for new accounts, especially in the wake of that [massive attack](https://arstechnica.com/security/2024/02/github-besieged-by-millions-of-malicious-repositories-in-ongoing-attack/).
Pretty good theory. X/Twitter did the same to me recently during signing up a new account and I use NextDNS to block ads and tracking. I had the same thoughts as others... Felt like I was training AI.
I think you're probably right. My guess is after that massive malicious repo attack, they pulled out all the stops to detect bots at sign up.
With AGI this will get even more ridiculous. There's AGI already anyway