Comment by snailmailman
14 hours ago
I’m already sick and tired of seeing cloudflares “making sure you aren’t a bot” checkbox everywhere. Sometimes it locks me out entirely and decides I don’t get to view pages.
I see recaptcha less frequently but it’s much more annoying, with all the clicking of crosswalks, or busses, or whatever. I am not looking forward to a web where google can not only lock me out of my email, but also large sections of the previously public internet. Occasionally google decides I don’t get to do searches, and that’s not too much of an inconvenience, there are other search engines.
But what's the alternative? Sites need a way to prevent bots overwhelming them, and there's no perfect way to distinguish real users from bots.
What are "bots"?
If I use Claude to gather and summarize information for me, is that a "bot"? Because I recently hit that wall and it wasn't great. Turns out in our quest to fight "bots" we also force humans to do the manual labor of copy/pasting information.
Why would bots "overwhelm" a site is another discussion — I find it really hard to create a website that would be "overwhelmed" by traffic these days, computers are stupidly fast.
One alternative is to make simple, efficient, and where appropriate even static sites that can scale to meet the demand.
The HIBP hashes distribution is a great example.
That doesn't really help if the same Huawei bot keeps re-requesting a bunch of 600 KiB JPEG from 120 rotating IP addresses with random crap at the end of the URL, like what happened to one of my servers. Efficiency doesn't really matter if you're getting hammered by bots.
I ended up aggressively IP blocking all of China, Singapore, and a few other East-Asian countries once I noticed that blocking server IP addresses just made the botnet switch to residential IPs. I didn't switch over to Cloudflare, but now a couple billion people can't read my website, which is arguably worse (but cheaper).
Also, a handful of people seeing an annoying checkbox is hardly a reason to re-architect an entire website. I am as opposed to Cloudflare taking over the internet as any sane person, but the usability story isn't really an argument for that kind of time investment.
The alternative to Cloudflare isn't some magical system that works for everyone but bots, it's hard-blocking IP ranges on the network level for anyone who doesn't fit the "normal" user profile.
“Demand” has very little to do with any of the problems bots cause on the internet today.
The alternative would be tar traps that only a bot would “see” and interact with and thus be caught by. Default to annoying machines not people.
Your idea works for generic crawlers.
That doesn't work for targeted bots. A major benfit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as sms toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.
Some aps such as okta, banking, and others already check platform verfication. Websites can't currently until device attestation.
Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.
Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.
1 reply →
You're right, we need big tech to protect us from the problems big tech created.
In the olden 20th century, we had a term for that...
You know that protection racket where the mobster came to my corner store and says if I don't pay him he will come later and rough me up? This is a worse deal than that.
2 replies →
Whats your argument
mCaptcha, ALTCHA, Cap, Friendly Captcha, Private Captcha, Procaptcha, Anubis... there are literally dozens of open source alternatives that aren't feeding the Do Be Evil company... not to mention all of the commercial alternatives - if for whatever reason, you do feel like paying for a service that costs nothing to offer
Gen off it. Fraud detection is nontrivial and requires ongoing effort. It’s reasonable for people to be compensated for that.
1 reply →
Maybe ai companies should have invested any of those billions of dollars into safe and equitable ways of rolling out their new surveillance machines. Oh right that was never the point and this only serves to further that. Got it.
I think they'd be OK w/o the surveillance machine part of it, but they have never seemed to care about anything besides advancement of the tech or its side projects.
I can imagine a world where they were fighting for displaced workers, for Altman/Elon-suggested UBI/universal "high" income plans, and where they'd compensated those in the training set, and cut deals with publishers & content creators instead of scraping anything they could get their hands on. Would they be unpopular?
[dead]
reminder that any company which has a legal obligation towards you (GDPR requests, refunds, filling a complaint etc) can be contacted directly and forced to do it manually if you cannot use their web interface due to being blocked by Cloudflare & other captchas