Where Angels Fear
8 min read · May 31, 2021

Bug Report

[ME]

Your staff are defective.

I don’t know if it’s a generational thing or what but, over the course of the last five years, I have noticed that the people responsible for the development and delivery of technology and services are increasingly utterly (seriously … utterly) clueless and know absolutely nothing about technology, UX, UI, or design principles.

How clueless do you need to be to insist on a CAPTCHA after one failed login attempt?

Or is it that <service provider> is keeping secret the fact that you are under such risk of compromise that you can’t risk allowing three attempts to allow for typos?

Or is it that you are so clueless that it hasn’t crossed your mind that not everyone is naif enough to use a so-called ‘password manager’ owned by a third party, but actually has a suitable password scheme that generates unique, 20+ character passwords for each site/service that can be easily remembered but occasionally mistyped, so a CAPTCHA isn’t required after a single attempt?

And after I’ve successfully logged in and, therefore, reset the permissions in my addons/extensions, etc. to block Google, the refresh logs me out again and I have to pass yet another CAPTCHA … from the same IP address! How incompetent is that?

You can

  1. log my IP address
  2. log that the first log-in attempt failed
  3. log me out when I reset the permissions

… but you can’t log that I just successfully passed the CAPTCHA?

What is wrong with you people — do you know anything about information technology, or is <service provider> now employing school children on day-release work experience programmes instead of experienced and knowledgeable developers!?

And to cap it all, you then insist upon a CAPTCHA by Google!

If I wanted Google to know about my email, I’d have a f***ing Gmail account, not a <service provider> account!

Not only that, but how is it even possible that you thought it would be appropriate under any circumstances? I’m a European — how would I know what a fire hydrant is … or a crosswalk … or what a bus in the US looks like?

Your staff are defective — you need to fire the amateurs responsible for this regression and rehire professional developers.

[THEM]

Hello,

Thank you for contacting <service provider> support team.

We are truly sorry to hear about the issue you are experiencing.

Please note that we display this error message and the Captcha challenge when we detect suspicious or abusive behavior from a specific network. This is part of our anti-abuse measures meant to protect the service and our users’ accounts from abusers.

Furthermore, our reCaptcha implementation is sandboxed on a separate domain so no data is disclosed. We might look into alternative solutions in the future, but so far, we have found no alternatives that work for our service.

Our team is working on improving the system so that these anti-abuse measures have less impact on legitimate users such as yourself.

If you are using a VPN service, we suggest connecting to a different server or disabling the connection temporarily to see if that helps.

If you are using the Tor network, please try generating a new identity or a new Tor circuit for our site. Alternatively, you could try using a different browser.

We appreciate your patience and understanding on this matter. We apologize again for the inconvenience this has caused. Unfortunately, it is also not possible to limit logins for certain IP addresses.

Can you please try again and let us know if the issue still persists?

We will be looking forward to your reply.

[ME]

The idea that <service provider> has not been able to find a suitable alternative is frankly so ludicrous that it’s pathetic — what next … the dog ate your homework?

You have not detected any suspicious or abusive behaviour coming from my network — I am a private user and, thanks to the global Covid pandemic, have not used my account from any other location in over a year.

I use a number of tracker-and-ad blockers, script-blockers, remote-resource blockers, canvas fingerprint spoofers, user-agent spoofers, etc. I have not changed these in years and have not previously had any trouble.

In the last six (or so) months I have started logging in to my email from two machines (one Linux, one Windows 10) in my home simultaneously, but that is the only change in my behaviour since I started using your service.

So you’ve recently made changes of some kind and that is the root of the problem.

Your reCAPTCHA implementation is sandboxed on a separate domain?

Seriously?

Well, if by ‘separate domain’ you mean google.com and gstatic.com then sure.

But, if you’re trying to tell me that it’s hosted on your own servers then I’d love to see the sandboxing you are using … because my browser is telling me that I need to allow google.com and gstatic.com to load elements into my browser:

… and your sandbox is leaking — if it were working, my browser would not be obliged to request elements from google.com or gstatic.com, they’d all come from <service provider>, wouldn’t they?

I am a writer for a number of popular and well-regarded tech publications ¹.

I have recommended <service provider> to their readerships for years now.

But, if you cannot get it together to self-host a CAPTCHA challenge then you cannot be relied upon to be sufficiently technologically proficient and I will, sadly, have to advise people to use an alternative provider.

Equally, as said, beyond starting to log into my account from a second device around six months ago, I haven’t changed my usage or behaviour in any way since I started using your services. And both devices are located behind the same router and share the same IP address. So, I’m not interested in excuses that implicate a problem with my network activity — there is nothing wrong with my network activity … and, even if there were, it’s been that way for so long (literally years) that, if you are only now deciding that it looks suspicious then that’s a seriously alarming indictment of your technical knowhow and practices (what took you so long!?).

I don’t care what the problem is, just fix it … because I’m not changing the security measures I have been successfully using, refining and recommending to others for twenty years!!

(N.B., I have a .<country-code> account because I don’t want the US government declaring itself the owner of my data and I will not make use of any .com service — so, whatever solution you come up with had better not reference resources from your .com domain either).

[THEM]

Hi,

Thank you for the follow-up.
We sincerely apologize for the inconvenience that this is causing you.

Please kindly note that although there is a connection with Google’s API, your data is not disclosed, however.

We truly understand your concern at this point, and we will forward your feedback to the appropriate team so they can take it into consideration in order to make improvements regarding this matter in the near future.

We would like to let you know that we are also looking into releasing our own Captcha and human verification system, unfortunately, we are unable to provide an exact release date of it.

Thank you for your understanding and patience regarding this matter, it is highly appreciated.

Should you have any other questions or concerns, please don’t hesitate to contact us anytime.

Have a great weekend up ahead!

[ME]

“Please kindly note that although there is a connection with Google’s API, your data is not disclosed, however.”

Seriously?

You do, of course, know that, when an external resource is referenced then the supplier of that resource is automatically aware of

  1. the fact that a reference was made
  2. to which resource(s)
  3. from where the reference was made
  4. and when

Yes?

This is such a fundamental element of how computers (never mind the Internet) function at the lowest level that there isn’t a person (never mind anyone technical) alive today who doesn’t know that, right?

In order to load the necessary resources to complete the CAPTCHA process, I don’t authorise <service provider> (or even your .com domain) to do so, I have to authorise google.com and gstatic.com to supply them to me … therefore, they are not sandboxed but delivered directly to my browser from google.com and gstatic.com respectively — this is not some esoteric edge case example, it’s (Inter)Networking 101 (you’ll have had this explained to you before even being told how IP addresses work, let alone delved into the intricacies of web protocols).

Take a look at the images I included in my previous reply again. You can see, clear as day, that, in order to even see, let alone complete the reCAPTCHA, I have to allow google.com and gstatic.com to load

  1. CSS
  2. images
  3. ECMA script
  4. XHR objects (including, potentially, XMLHttpRequest, fetch and websocket)

They are not passed to my browser from some sandbox hosted by <service provider> and Google will be directly aware of

  1. when I requested them
  2. my IP address
  3. whatever browser, operating system and hardware details they are able to glean by querying my browser
  4. very likely my geolocation

This is how the Web/Internet/Networking/Computers work. No amount of blandishment to the contrary is going to alter that fact — it hasn’t changed in the over three decades I’ve been doing IT and, short of some weird and wonderful progress made in the realm of quantum computing … involving ‘spooky action at a distance’ (quantum entanglement) … or ‘IP’ addresses that are fully homomorphically encrypted … is unlikely to ever change.

Whoever is telling you otherwise is:

  1. so alarmingly ignorant about computing that you shouldn’t listen to them explain how to tie your shoelaces, never mind about how technology works
  2. explaining the setup at <service provider> so poorly that you’d be better off asking anybody else
  3. utterly confused about the setup at <service provider> itself

(My money’s on 1 and/or 3).


I despair … really I do.

What have schools and universities been teaching them all this time?

Because they don’t seem to have even the first clue about the technology they pride themselves on understanding better than the previous generations — you know … the people who actually designed and built it in the first place, before the so-called ‘digital natives’ were even a glint in their fathers’ eyes, never mind ‘born to it’.

Idiocracy has long since been shown to be prophecy, not satire … but it’s still getting worse year on year it seems.


¹ No, SouthpawPoet, I’m not telling you which ones — and I write in a very different style indeed when I do ².

² So, your investigations will come to naught that way either 😛
