The issue is that anything that becomes a standard here automatically becomes a target. If the same sort of captcha protects everything from Gmail to Twitter to Cloudflare and Facebook, then bot creators and spammers have a huge incentive to bypass it no matter what. And if we've learnt anything about spam, it's that pretty much every system we can think of can be bypassed or automated away.
The solution is really a ton of different captcha-like systems and anti-spam solutions, all unpopular enough that an attacker may not even bother targeting them. If an attacker needs to target a few thousand different captcha-style setups to get their spam through, then many of them won't bother.
It's like centralised vs decentralised communication systems. If everything is centralised, a bad actor (like a government, corporation, criminal group, etc) can go after one target to control the narrative. If it's decentralised, then suddenly they have to go after dozens or hundreds of different targets, many of which won't cooperate with them.
hombre_fatal 15 minutes ago [-]
As TFA points out, a major change is that bot traffic now comes from honest users via their LLM sessions, so you don't even necessarily want to block automated bots anymore.
The game is shifting to a better ideal: how do you design a service knowing that any user/request might be automated?
Especially in place of the historical, easy solution/hack where you have some sort of gate that, once passed, puts the user in some trusted low-scrutiny tier, like a forum's registration page.
It's a similar question to designing a system so that it's resilient to account take-overs. (i.e. The user was a trusted human until now, and now it's a spammer)
Example: on a forum, run new posts through an LLM to classify them as spam, which is a magic solution we always wished we had (remember Akismet?) but which was too rudimentary.
epgui 43 minutes ago [-]
I thought half the point of captchas was to train vision models?
thenthenthen 35 minutes ago [-]
Omg. I am on various VPNs and now and again Google Auth (for YouTube) throws me a captcha. They are mostly unreadable, but there is an audio option… which is just insane and does not make any sense, anyone had that? It sounds like a recording of 300 people speaking at the same time in a call center while on various dosages of LSD.
nosioptar 28 minutes ago [-]
I've actually been in a call center with 300 intoxicated folk all talking at once. It's easier to understand than the reCAPTCHA audio.
(Only a couple folks on hallucinogenics, most on various downers.)
moralestapia 31 minutes ago [-]
I've got captchas that made me play a small game and I score like 3 points to go ahead, lol. For real.
willmadden 33 minutes ago [-]
They give you that (or hieroglyphics) if you are using certain VPNs and don't leave a specific browser fingerprint.
ra0x3 36 minutes ago [-]
TLDR: They're promoting a product they're working on with Cloudflare under the guise of it being an "open standard" [1]. Of course, in the docs, Step 1 is "Sign in with your Cloudflare account". Comes across a bit land-grabby.
A question I've been wondering about: can't attackers record human sessions and use them to attack a website to bypass Cloudflare?
bluGill 47 minutes ago [-]
They can. They have already figured out a lot of what Cloudflare is looking for and have figured out how to bypass it (according to the article), which is why protection is trying something else. I suppose this is why every website wants me to log in with my Google account (which I never use).
randrus 34 minutes ago [-]
Always reminds me of the forces that shape the mechanisms around the exchange of genetic information that powers evolution.
See: Red Queen by Matt Ridley.
cute_boi 7 minutes ago [-]
It has failed because of these companies like Browserbase and hackers who hack smart devices and TVs for residential proxies.
throw7 30 minutes ago [-]
Just today a website presented me a qrcode captcha. I threw up.
kgwxd 25 minutes ago [-]
They're great for keeping humans out. Tried to set up Discord on a new phone yesterday. CAPTCHAs over and over again, just trying to log in. I uninstalled instead.
echoangle 1 hour ago [-]
Oh my god I hate AI articles.
Why do we have to make an interactive visualization for every single sentence? Thanks for showing me how distorted text is made in steps.
And being a cat and mouse game doesn’t mean the defenders failed.
qweqwe14 52 minutes ago [-]
> And being a cat and mouse game doesn’t mean the defenders failed.
It does though, in the end attackers always win. If something is a "cat and mouse game" then it's unwinnable by design from the defender side.
Sure, you can keep playing it if you feel like it, but at some point the attacker will be indistinguishable from a legitimate user and you will lose that fight.
echoangle 36 minutes ago [-]
By that logic, every security task is doomed to fail. Spam detection and antivirus are cat and mouse games too. I wouldn’t say they fail just because they have to adapt over time.
jmclnx 1 hour ago [-]
They have been around that long? Does not seem so, but the timing could be correct, probably because the sites I went to had no need for CAPTCHAs until AI came around.
Zak 42 minutes ago [-]
The name wasn't invented until 2003, but yes.
Guestbooks, contact forms, signup pages, and the like started receiving automated abuse approximately five minutes after they were invented. It didn't take long after that for people to start including a question they expected to be easy for a person and hard to automate with a script.
What's relatively new is CAPTCHAs merely to browse a site. There are few faster ways to get me to close your site, and maybe send you an unfriendly email.
nosioptar 17 minutes ago [-]
My first guestbook asked Hagar or Roth. Answering correctly got your message added to the book. Answering Hagar got you sent to an infinite redirect loop for being either a bot or a moron.
code_duck 53 minutes ago [-]
So in the past few years? Oh dear, no. Captchas have been in common use for much longer than that. reCAPTCHA has been around almost 20 years.
JohnFen 1 hour ago [-]
They were introduced in 1997, although I personally didn't start seeing them until a couple of years later.
zuzululu 56 minutes ago [-]
So what's the solution then? Get people to turn on their camera and hold up 15 fingers?
fusslo 11 minutes ago [-]
It sounds like the article & company are building identity based on fingerprinting/cross-domain behavior, inferring at multiple levels, including Cloudflare's.
[1] https://www.browserbase.com/blog/cloudflare-browserbase-pion...
It's just more identity verification afaict