
Patrick Question


2021 Jan 30, 3:07pm   301 views  13 comments

by MisdemeanorRebel

Hey Pat, I wanna login to Odysee to upvote good content. Looks like they are using a Google Captcha.

I have everything and anything google in the Hosts file to redirect to null.

Any workaround ya think?

Comments 1 - 13 of 13

1   Patrick   2021 Jan 30, 4:21pm  

I think it's not possible in any practical way. If you just redirect Google to null, the Captcha won't work, and you won't be able to upvote.

Google Recaptcha makes sites utterly dependent on themselves for a judgement on whether a user is "legit" or not.

But I've also heard that the better hackers now know ways around Google Recaptcha. Sadly, I am not one of them. Yet.

But then, maybe I should make a site where you can vote up or down about anything on any website, and comment on it. Been thinking about that for years.
2   NuttBoxer   2021 Jan 30, 4:35pm  

I'm able to get to sites that employ google captcha using Tor. Takes a bit longer, but not impossible. And rather than re-directing them to null, I just let Tor bounce them around.
3   Patrick   2021 Jan 30, 4:38pm  

I've had them block me because I was using Tor.

Another idea is to use a VPN. https://account.protonvpn.com/signup/account (haven't tried this myself)
4   NuttBoxer   2021 Jan 30, 4:43pm  

Patrick says
I've had them block me because I was using Tor.


It depends on the exit relay, experience will vary each connection. I often get blocked from youtube, but captcha has worked surprisingly well lately.

I use a VPN with Tor. Contrary to the BS a lot of Tor purists will tell you, it in no way compromises security as long as you have third party proof your vpn doesn't log.
5   ThatGuy   2021 Jan 30, 6:18pm  

I use protonvpn, then I use TOR as well
6   Patrick   2021 Jan 30, 6:23pm  

NuttBoxer says
as long as you have third party proof your vpn doesn't log


How can you ever know that your vpn doesn't log what you do?
7   NuttBoxer   2021 Jan 31, 8:52am  

Patrick says
How can you ever know that your vpn doesn't log what you do?


Mine has documented court cases where the judge has accepted their argument that because they don't log, they have nothing to turn over. I hear some VPN providers are also getting independent audits yearly. Just have to make sure the auditor is reputable.
8   Hircus   2021 Jan 31, 12:17pm  

They make bash install scripts for openvpn and wireshark which make it crazy simple to set up your own vpn server. Then just edit config to log to /dev/null

While they won't get your past activity, I've always wondered if they can use the courts to let them edit your config, and turn logs back on without you knowing it.
9   Hircus   2021 Jan 31, 1:21pm  

Re recaptcha -

One of the problems of just using vpn is that google will still fingerprint you if you run their js code, and they probably put this finger printer js in recaptcha too. So, while the vpn will change your ip, they can still usually unique your ass even if you change ips and wipe your cookies. (Search "browser fingerprinting" to learn more.)

To avoid fingerprinting, use a machine with different hardware when talking to google. A local VM would likely work for this as VMs run much differently than bare metal, especially if you make the VM run w/ a shitty graphics adapter. Ideally, route the VM traffic through a VPN too, or config the browser in the VM to use a proxy server for its traffic. There may also be browser extensions that can change your fingerprint satisfactorily now, but I haven't looked recently.

But, to be extra sure, you could also use another machine. The most straightforward that comes to mind is just run a desktop linux/windows on a server somewhere. rdp/vnc remote in to the desktop, use the remote browser to login and manually solve the recaptcha. The point being, this other server will be talking to google, not your personal ip, and the different hardware of the server will fingerprint differently. Once you login to xyz.com, just copy the cookies for xyz.com from this remote browser back to your local browser. Reload the page, and you'll be logged in using the same session as the other browser, without your local machine ever talking to google.

If you want to automate it -

I know there's commercial captcha busting services where they have people standing by, ready to give a low-latency human answer to your captcha. Somehow they've automated the forwarding of the captcha image to their labor farms in india, who then manually solve the captcha, and poof - you get the answer within seconds via an api call. I think people sometimes pair these services with browser extensions - you just enter your api key into the extension, then load a page with a captcha and the extension will automatically call the api to get an answer, and solve the captcha for you.

You could use a low spec linux box somewhere to run a headless web browser. For example, I've used both phantom.js and recently puppeteer to automate logging into a website and scraping some data. There's lots of these projects which let you use script to control a web browser, and they usually give you very simple and easy to use apis via javascript. I was able to automate logging into a website via puppeteer + Chromium in maybe 2-3 hours recently. It really is easy to use if you have some familiarity using js and optionally npm.

While I didn't have to deal with a captcha, it really might be as simple as just installing an extension into your headless browser. And then, once the script logs in, just print out your cookies, then manually copy those cookies over to your real browser. Reload the page, and you should now be logged in. But of course, your real local browser never talked to google recaptcha - only your server running the headless browser did that.
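
The fingerprinting point in comment 9 (a new IP and wiped cookies still link back to the same browser, while a VM with different graphics does not), as an added example that is not part of the original thread. The attribute names, the hash choice and every visit record are constructed assumptions, not any real tracker's logic.

```javascript
// Added illustration: all visit records below are constructed sample data.
// FNV-1a (32-bit) is a simple non-cryptographic hash, used here only to
// condense the attribute set into one short identifier.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Attributes a script running in the page can read. IP address and cookies
// are deliberately left out: the point is what remains when both change.
const FINGERPRINT_KEYS = ["userAgent", "screen", "timezone", "gpuRenderer", "fonts"];

function fingerprint(visit) {
  return fnv1a(FINGERPRINT_KEYS.map((k) => `${k}=${visit[k]}`).join("|"));
}

// Group visit labels by fingerprint, ignoring IP and cookie entirely.
function linkVisits(visits) {
  const groups = new Map();
  for (const v of visits) {
    const fp = fingerprint(v);
    if (!groups.has(fp)) groups.set(fp, []);
    groups.get(fp).push(v.label);
  }
  return [...groups.values()];
}

const bareMetal = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  screen: "1920x1080x24",
  timezone: "America/Los_Angeles",
  gpuRenderer: "Example GPU 1000 (constructed)",
  fonts: "Arial,DejaVu Sans,Noto Sans",
};

const visits = [
  { label: "home-ip", ip: "198.51.100.7", cookie: "a1", ...bareMetal },
  { label: "vpn-cookies-wiped", ip: "203.0.113.40", cookie: null, ...bareMetal },
  { label: "vm-behind-vpn", ip: "203.0.113.41", cookie: null, ...bareMetal,
    screen: "1280x800x24", gpuRenderer: "Software rasterizer (constructed)",
    fonts: "DejaVu Sans" },
];

console.log(linkVisits(visits));
```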
10   Patrick   2021 Jan 31, 2:32pm  

@Hircus I'm impressed.

Want to contribute to or review the patrick.net source code? Everything you need to run a copy should be here:

https://patrick.net/patrick_net_dist.tgz

You'd need mysql and node. Let me know if any problems.
11   NuttBoxer   2021 Feb 1, 12:17pm  

Hircus says
One of the problems of just using vpn is that google will still fingerprint you if you run their js code, and they probably put this finger printer js in recaptcha too.


NoScript can help with this. Also, not enlarging your browser to fit your screen. But without Tor, the above setup, or Tails, there are still ways to ID you I'm sure.
12   Hircus   2021 Feb 1, 5:04pm  

@patrick we've actually talked over email about the code base. I changed my email and screen name a few times, maybe even my account too over the years. I think the title of one of the emails was "xss vulnerabilities" a few years back where we talked about xss and sql injection.

I wrote some personal greasemonkey scripts to enhance the patnet posting gui (make it easier to format posts, eg bold, blockquote, small, etc..), and make it easy to upload images via drag/drop/paste. Maybe I'll merge those in.
13   Patrick   2021 Feb 1, 5:31pm  

Oh yeah, dim memory.

Let me know if you can't get the code running. My instructions were not very good.
