You don't think that some people simply disagree with the idea that this is bad? Or like maybe the CAPTCHA company who put out the post has an agenda here? So you want to go after engineers personally?
I wonder what you've done that might warrant harassment?
Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposal solution without working towards an acceptable one, people will route around the blockage.
The crux of the problem is that their solution involves making themselves the gatekeepers of who is and isn't allowed. And that's a power that no one unaccountable organization should wield.
Given how important internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.
> You don't think that some people simply disagree with the idea that this is bad?
Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.
I think the idea is sad and tragic, but also that we are at the point where we have no choice but to do something.
AI/LLM's have created a vector for abuse that previous tools are failing to protect against, and the problem is only getting worse.
I'm sick of the increase of LLM slop on websites in comments and posts. I'm sick of how fraud and spam and abuse can be increasingly automated in ways current tools can't catch. I'm sick of hosting costs exploding as hobby websites get hammered for no reason.
I don't realistically see any alternative but for some kind of reliable signal that a web request is most likely coming from a real person (not a perfect guarantee, but something good enough). Which means some kind of attestation that it's a real hardware device that costs at least a few bucks and is making human-level numbers of requests (not millions per day), or else some kind of digital ID attestation system.
And I much prefer device attestation that keeps you personally anonymous, as opposed to identity attestation that will inevitably allow the government to track your browsing.
So this seems like the lesser evil. If there are other ideas I'm very open to them as well, but I basically see something like this as a sadly necessary and inevitable evil. Something is necessary and this is less worse than the alternatives. And the fact that website owners choose whether to enable this or not means that those who want to keep an internet open to all devices and web requests can do so, if they're willing to handle the additional costs in handling abuse.
But it's so easily beatable! This might be the result of good intentions (being incredibly generous), but as the article states, any bot can afford a $30 phone and the concomitant hardware as the cost of doing business and bypass this.
Also as the article states (referencing an HN comment):
> How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.
How would an ethical, competent engineer argue against this?
The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.
We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.
You realize that $30 phone is burned the moment it's used for abuse, right? It's not $30 and then spam as much as you like. It's $30 per action per site, which makes nearly all abuse unviable.
I see this comment was flagged, I have vouched for it.
It's making a valid point.
I wondered people are reading "I wonder what you've done that might warrant harassment?" as some kind of personal threat or incitement to harassment, but I read it as precisely the opposite.
It's an entirely valid point that many of us have worked at jobs on products that did something that somebody disagreed with, and we shouldn't be asking anybody to harass us personally for it, because that is wrong.
GP is asking to "aggressively name and shame" engineers. It's entirely valid to say that you wouldn't much like that if it happened to you.
This case is trivially circumvented with device farms, much like described in the post.
What real problem are they trying to solve? AI bots reading content? That’s not something Google want to prevent, it’s part of their business model, this would allow them to easily circumvent it for themselves though.
The usual argumentation is "I need to make a living" and "if I didn't build it someone else would have done an even worse job, like this at least I could be an activist on the inside and guide the efforts to make it better".
Another method is to stall and sabotage the development via endless bike shedding, language changes, rewrites, refactors. All normal things in every project. Drag those feet.
These are private actors. It's not acceptable to harass people for building things that are lawful but that you don't like.
If you don't like this functionality, participate in democracy and work with your representatives to make it unlawful. But be prepared to humbly lose if the majority disagrees with you.
You're not, however, entitled to a "heckler's veto."
Nobody is asking for harassment. Social ignorance is usually enough. Like, nobody wanting to date, be a friend, asking for parties etc. It is very normal treatment to people who have bad behavior etc.
"The only real solution is to aggressively name and shame the engineers who build this tech. They should feel uncomfortable opening their door, walking down the street."
What do you think this is a call for, if not harassment?
I think the better alternative to making engineers "feel uncomfortable opening their door, walking down the street" is for us to collectively ask if the solution isn't to touch more grass and rely less on the technology we've all come to blindly accept as required.
I mean, I hate this QR code shit as much as anyone, but c'mon, we can and should be better - both in how we treat others, and how much we rely on this shit.
On the contrary - stepping back and asking ourselves if we've gone too far and need to do things differently would solve a litany of problems, including this.
You don't think that some people simply disagree with the idea that this is bad? Or like maybe the CAPTCHA company who put out the post has an agenda here? So you want to go after engineers personally?
I wonder what you've done that might warrant harassment?
Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposal solution without working towards an acceptable one, people will route around the blockage.
The crux of the problem is that their solution involves making themselves the gatekeepers of who is and isn't allowed. And that's a power that no one unaccountable organization should wield.
Given how important internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.
> You don't think that some people simply disagree with the idea that this is bad?
Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.
Me.
I think the idea is sad and tragic, but also that we are at the point where we have no choice but to do something.
AI/LLM's have created a vector for abuse that previous tools are failing to protect against, and the problem is only getting worse.
I'm sick of the increase of LLM slop on websites in comments and posts. I'm sick of how fraud and spam and abuse can be increasingly automated in ways current tools can't catch. I'm sick of hosting costs exploding as hobby websites get hammered for no reason.
I don't realistically see any alternative but for some kind of reliable signal that a web request is most likely coming from a real person (not a perfect guarantee, but something good enough). Which means some kind of attestation that it's a real hardware device that costs at least a few bucks and is making human-level numbers of requests (not millions per day), or else some kind of digital ID attestation system.
And I much prefer device attestation that keeps you personally anonymous, as opposed to identity attestation that will inevitably allow the government to track your browsing.
So this seems like the lesser evil. If there are other ideas I'm very open to them as well, but I basically see something like this as a sadly necessary and inevitable evil. Something is necessary and this is less worse than the alternatives. And the fact that website owners choose whether to enable this or not means that those who want to keep an internet open to all devices and web requests can do so, if they're willing to handle the additional costs in handling abuse.
But it's so easily beatable! This might be the result of good intentions (being incredibly generous), but as the article states, any bot can afford a $30 phone and the concomitant hardware as the cost of doing business and bypass this.
Also as the article states (referencing an HN comment):
> How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.
How would an ethical, competent engineer argue against this?
The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.
We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.
You realize that $30 phone is burned the moment it's used for abuse, right? It's not $30 and then spam as much as you like. It's $30 per action per site, which makes nearly all abuse unviable.
2 replies →
I see this comment was flagged, I have vouched for it.
It's making a valid point.
I wondered people are reading "I wonder what you've done that might warrant harassment?" as some kind of personal threat or incitement to harassment, but I read it as precisely the opposite.
It's an entirely valid point that many of us have worked at jobs on products that did something that somebody disagreed with, and we shouldn't be asking anybody to harass us personally for it, because that is wrong.
GP is asking to "aggressively name and shame" engineers. It's entirely valid to say that you wouldn't much like that if it happened to you.
> Or like maybe the CAPTCHA company who put out the post has an agenda here?
That captcha company is not trying to push spyware onto my device and punish me for daring to remove it. Google is.
> Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game.
So don't play. Even cloudflare had a better idea - don't block, just demand payment.
This case is trivially circumvented with device farms, much like described in the post. What real problem are they trying to solve? AI bots reading content? That’s not something Google want to prevent, it’s part of their business model, this would allow them to easily circumvent it for themselves though.
> You don't think that some people simply disagree with the idea that this is bad?
Some people think women shouldn’t be allowed to vote, not all opinions are created equal.
You can't say not all opinions are equal and everyone should have an equal vote.
Are some ideas worth more than others should some people's votes count more than others? You can't have both.
The usual argumentation is "I need to make a living" and "if I didn't build it someone else would have done an even worse job, like this at least I could be an activist on the inside and guide the efforts to make it better".
Another method is to stall and sabotage the development via endless bike shedding, language changes, rewrites, refactors. All normal things in every project. Drag those feet.
And the people will be just simply fired for underperforming. Or anything else, it's easy when you have at will employment.
[flagged]
I think I'd have to be working at Google to afford a family and/or mortgage!
1 reply →
I don't have a family or a mortgage.
These are private actors. It's not acceptable to harass people for building things that are lawful but that you don't like.
If you don't like this functionality, participate in democracy and work with your representatives to make it unlawful. But be prepared to humbly lose if the majority disagrees with you.
You're not, however, entitled to a "heckler's veto."
Nobody is asking for harassment. Social ignorance is usually enough. Like, nobody wanting to date, be a friend, asking for parties etc. It is very normal treatment to people who have bad behavior etc.
"The only real solution is to aggressively name and shame the engineers who build this tech. They should feel uncomfortable opening their door, walking down the street."
What do you think this is a call for, if not harassment?
9 replies →
I think the better alternative to making engineers "feel uncomfortable opening their door, walking down the street" is for us to collectively ask if the solution isn't to touch more grass and rely less on the technology we've all come to blindly accept as required.
I mean, I hate this QR code shit as much as anyone, but c'mon, we can and should be better - both in how we treat others, and how much we rely on this shit.
That doesn't solve a problem, that ignores a problem.
On the contrary - stepping back and asking ourselves if we've gone too far and need to do things differently would solve a litany of problems, including this.
one person's villain is another person's hero.
I imagine if they would be named and shamed, they would get huge contracts in companies like oracle.
Good luck getting a huge contract with Oracle. Facebook.. yes.