jeroenhd 2 hours ago

I saw this coming from miles away. Computers are better at solving CAPTCHAs than people are and people can be bribed or convinced to join botnets so IP whitelisting doesn't work either. Now we have tons of fingerprinting and behaviour analysis but governments are cracking down on that. Plus, YouTube had a massive ad fraud problem with ads being played back in the background in embedded videos, so their detection clearly wasn't good enough.

There aren't many good ways to prove you're not a bot and there are even fewer that don't involve things like ID verification.

Their opt-in approach helps shift the blame to individual web stores for a while, so who knows if this will take off. But either way, in the long term, the open, human internet is either going away or getting locked behind proofs of attestation like this.

Apple built remote attestation into Safari years ago together with Cloudflare and Google is now going one step further, as Apple's approach doesn't work well against bots that can drive browsers rather than scripted automation tools.

Luckily, their current approach can be worked around because it's only targeting things like stores now and you can buy things from other stores. Once stores find out that click farms have hundreds of phones just tapping at remotely served content, uptake will probably be limited.

It'll be a few years before this is everywhere, but unless AI suddenly isn't widely available anymore, it's going to be inevitable.

moritzwarhier an hour ago

> saw this coming from miles away. Computers are better at solving CAPTCHAs than people are

good point... it's interesting how Captcha was initially popularized as a reverse Turing test, but it's just variants of Proof of Work today.

And it seemed clever at the time for Google to leverage this for improvement of their OCR models (it was!), and makes you wonder what utility is derived from the proven "work" today.

jonas21 an hour ago

CAPTCHAs were designed as a type of Turing Test, not a reverse Turing Test. It’s not surprising that the effectiveness of these weaker Turing Tests has collapsed now that AI can pass the real Turing Test.

Retric 4 minutes ago

LLMs can still only pass limited Turing Tests. The longer the interaction the worse they do.

InsideOutSanta an hour ago

I'm not sure if LLMs are solving most of these captchas. There are services that employ humans to solve them for pennies per captcha.

moritzwarhier an hour ago

Oh, right, "reverse" was wrong here. I thought of "computer classifies user as computer or human" versus the inverse, while the word is about who classifies, not who's being classified.

(?)

I guess so

dylan604 27 minutes ago

With the crosswalk, bike, motorcycle, stairs type of things, wasn't that just improving their training data?

moritzwarhier 3 minutes ago

Yes, for Waymo, AFAIK (I don't know for sure).

The OCR thing was earlier and used for Google Books, I think. Which is also fitting for training data, or the motto "organize all knowledge".

At that time, this goal seemed really cool!

armchairhacker 11 minutes ago

> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either

Do you think this won’t also be bypassed, by bribing people to scan QR codes and spoofing location etc.?

dylan604 31 minutes ago

> people can be bribed or convinced to join botnets so IP whitelisting doesn't work either

what does that bribe look like, as in, how much can one get? what all does that entail? is that a little box i connect to my network and forget about? does that mean if i unplug it unless another payment is received that will work out? i'm asking for a friend that's looking to avoid selling plasma to make ends meet.

michaelt 16 minutes ago

https://www.fbi.gov/investigate/cyber/alerts/2026/evading-re...

> The following methods can be used to acquire residential IP addresses for a residential proxy network:

> Software development kit (SDK) partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.

> Virtual private network (VPNs) with hidden terms of service: Free VPN services may enroll users' devices in a residential proxy network, without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.

> [malware and compromised IoT devices]

> Passive income schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks

One reddit post says bandwidth sharing passive income schemes paid them $1 to $9 per month.

dns_snek 18 minutes ago

I'm afraid it's far less enticing. The usual offer is "To continue playing, pay $0.99 or hit AGREE to share your internet connection with Legit Services Inc."

And that's assuming they're nice enough to ask at all.

x0x0 3 minutes ago

I'm pretty sure it's one of the revenue models for those free tv/movie boxes. You can even see them at best buy. Absurd.

Fire-Dragon-DoL 10 minutes ago

I mean depending on the cost, Google is guaranteed to lose the battle, like gaming anticheat: there are tools that do parsing of the image on screen and send input as a usb device, there is absolutely nothing to detect.

Doing that for a webpage seems way easier than a videogame

dakolli an hour ago

I personally think it's easier to detect LLM-controlled browser sessions, the people deploying them are far more naive and inexperienced than traditional scrapers/crawlers.

insert You wouldn't bring a 40 Petabyte Zip Bomb to School, would you? meme

jeroenhd 43 minutes ago

Part of the problem is also that Google wants to permit crawlers to do some things but not others.

Their announcement is full of buzzwords about "agentic" things. Detecting LLMs is one thing, but imagine the power of being able to pick which LLM browsers are permitted and which aren't!

I think Google is being too early to the party with this. Cloudflare still has CAPTCHAs to throw at the wall. There are ways other than attestation to verify that someone is a real human, but they're getting more and more annoying to real users and harder and harder to implement on a small website.

Despite the massive implications, this is a simple system that just works for the 99% of people who use Chrome or Safari or at least have access to an Android phone or iPhone somewhere. It's quick, doesn't require installing apps or creating accounts, and it just works from both the website perspective and the user perspective.

Of course when you start thinking about people with disabilities things become problematic, but when have tech companies ever really cared about that sort of thing? Inclusiveness was fun and all for a while, but the clowns the American people elected banned that sort of thing for any company considering government contracts, and big tech licked that boot like it was made of honey.

The world becomes a lot easier if you just decide to ignore all edge cases and assume customers who disagree with you didn't matter anyway. And infuriating as it may be, for companies like Google, that business model works.