So this is basically a shill advertisement ending in "Your AI Agents can avoid captchas if you pay us."
The last example is a false narrative, that captchas will only happen if the "browser looks suspicious". Systems like Altcha put an end to this argument. They don't care if the browser looks suspicious, only that the browser can perform a proof-of-work to get past a captcha designed to slow down the request rate.
When applied consistently, it will effectively block and slow down AI crawlers, which is what this company wants to promote.
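The proof-of-work gate described in the comment above, as an added example that is not part of the thread and is not Altcha's code or API: the server issues an HMAC-signed challenge, the client searches for a nonce, and the server checks signature, expiry, replay and work. The field names, key handling and 12-bit difficulty are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # assumption: per-deployment secret, never sent to clients
DIFFICULTY_BITS = 12          # constructed value: about 4096 hashes per solve on average
_spent = set()                # salts already redeemed (a TTL cache in a real deployment)

def _tag(salt, bits):
    # Binds salt and difficulty together so a client cannot lower the difficulty.
    return hmac.new(SERVER_KEY, f"{salt}|{bits}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None, ttl=120):
    expires = int((time.time() if now is None else now) + ttl)
    salt = f"{os.urandom(12).hex()}.{expires}"
    return {"salt": salt, "bits": DIFFICULTY_BITS, "tag": _tag(salt, DIFFICULTY_BITS)}

def _enough_work(salt, nonce, bits):
    # Work is proven when SHA-256(salt|nonce) starts with `bits` zero bits.
    digest = hashlib.sha256(f"{salt}|{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(challenge):
    # Client side: brute-force search; the cost doubles with every extra bit.
    nonce = 0
    while not _enough_work(challenge["salt"], nonce, challenge["bits"]):
        nonce += 1
    return nonce

def verify(challenge, nonce, now=None):
    salt, bits = challenge["salt"], challenge["bits"]
    if not hmac.compare_digest(_tag(salt, bits), challenge["tag"]):
        return False          # forged or modified challenge
    if (time.time() if now is None else now) > int(salt.rsplit(".", 1)[1]):
        return False          # expired: solutions cannot be stockpiled
    if salt in _spent or not _enough_work(salt, nonce, bits):
        return False          # replayed solution, or not enough work
    _spent.add(salt)
    return True
```

Verification costs the server one HMAC and one hash per request, while each solve costs the client thousands of hashes; that asymmetry is what limits the request rate regardless of how the browser looks.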
CM30
The issue is that anything that becomes a standard here automatically becomes a target. If the same sort of captcha protects everything from Gmail to Twitter to Cloudflare and Facebook, then bot creators and spammers have a huge incentive to bypass it no matter what. And if we've learnt anything about spam, it's that pretty much every system we can think of can be bypassed or automated away.
The solution is really a ton of different captcha-like systems and anti-spam solutions, all unpopular enough that an attacker may not even bother targeting them. If an attacker needs to target a few thousand different captcha-style setups to get their spam through, then many of them won't bother.
It's like centralised vs decentralised communication systems. If everything is centralised, a bad actor (like a government, corporation, criminal group, etc) can go after one target to control the narrative. If it's decentralised, then suddenly they have to go after dozens or hundreds of different targets, many of which won't cooperate with them.
epgui
I thought half the point of captchas was to train vision models?
ezst
They have served to train multiple generations of ANN and ML algorithms, in that, I think they've been a resounding success!
hombre_fatal
As TFA points out, a major change is that bot traffic now comes from honest users via their LLM sessions, so you don't even necessarily want to block automated bots anymore.
The game is shifting to a better ideal: how do you design a service knowing that any user/request might be automated?
Especially in place of the historical, easy solution/hack where you have some sort of gate that, once passed, puts the user in some trusted low-scrutiny tier, like a forum's registration page.
It's a similar question to designing a system so that it's resilient to account take-overs. (i.e. The user was a trusted human until now, and now it's a spammer)
Example: on a forum, run new posts through an LLM to classify them as spam, which is a magic solution we always wish we had (remember Akismet?) but was too rudimentary.
joehabeebs
The most recent variations that force you to click the boxes containing a certain artifact are incredibly frustrating and fail half the time. The large influx of AI-SEO optimized content being created makes me question CAPTCHAs' efficacy today.
matteo8p
Really nice read Harsehaj!
I haven't looked deeply into Web Bot Auth, but is identification tied to the agent (one identity per agent) or is it tied to the underlying person using the agent (the user)?
Hope that question makes sense, lmk if you need clarification
ra0x3
TLDR: They're promoting a product they're working on with Cloudflare under the guise of it being an "open standard" [1]. Of course, in the docs, Step 1 is "Sign in with your Cloudflare account". Comes across a bit land-grabby.
Omg. I am on various VPNs and now and again Google Auth (for YouTube) throws me a captcha. They are mostly unreadable, but there is an audio option… which is just insane and does not make any sense, anyone had that? It sounds like a recording of 300 people speaking at the same time in a call center while on various dosages of LSD.
visiondude
although not perfect for other reasons, a captcha made using phone motion and device attestation like prsn.you is a more challenging bypass for today’s agent environments
GL26
Question that I've been wondering, can't attackers record human sessions and use them to attack a website to bypass Cloudflare?
randrus
Always reminds me of the forces that shape the mechanisms around the exchange of genetic information that powers evolution.
See: Red Queen by Matt Ridley.
throw7
Just today a website presented me a QR code captcha. I threw up.
kgwxd
They're great for keeping humans out. Tried to set up Discord on a new phone yesterday. CAPTCHAs over and over again, just trying to log in. I uninstalled instead.
echoangle
Oh my good I hate AI articles.
Why do we have to make an interactive visualization for every single sentence? Thanks for showing me how distorted text is made in steps.
And being a cat and mouse game doesn’t mean the defenders failed.
cute_boi
It has failed because of companies like Browserbase and hackers who hack smart devices and TVs for residential proxies.
jmclnx
They have been around that long? Does not seem so, but the timing could be correct, probably because the sites I went to had no need for CAPTCHAs until AI came around.
zuzululu
so what's the solution then? get people to turn on their camera and hold up 15 fingers?
[1] https://www.browserbase.com/blog/cloudflare-browserbase-pion...