SerotoninSwells

Unfortunately it is out of date.

• IPs used by bots are now *highly * distributed. We will see the same bot use hundreds of thousands of IP addresses. Each IP can easily only make one or two requests which is hard to limit with volume based detections. Also, I’m not sure where you’re at in the world, but it’s more common in countries outside of North America to have IP addresses that are heavily shared. Not to mention, there are companies in Europe that will pay you for use of your IP address explicitly for bots.

• You might think you could limit by IP classification but bots increasingly use residential classified IPs.

• As for allowing good bots, that isn’t so much an issue. They respect the robots.txt that companies implement. We see bots scraping data for LLMs more and more that don’t respect this file. Also, bots that are scraping prices and anything else you don’t want them doing, like credential stuffing, aren’t going to listen or respect that either.

• In terms of using a VPN, absolutely limit outside access to sensitive infrastructure but that’s not really where most companies experience pain from bots. That’s not to say that we don’t see bots attempting vulnerability scanning. These requests can be highly distributed too.

Companies ultimately reach out to companies like Cloudflare because the usual methods aren’t working for them. Onboarding some clients, I’ve seen more bot requests than human requests which can be detrimental for business.

I’m happy to answer any other questions you might have. While I do work in the industry, I don’t know everything. I just want to reiterate that I am not a fan of how things are currently on the Internet. I wish this was illegal as I think it would cut down on a lot of bot traffic which would make it much more manageable for everyone.

Hi! I didn’t forget about your response. I sifted through the links to find the study in question. I imagine my response isn’t going to satisfy you but please hear me out. I’m open to hearing your rebuttals regarding this too.

The study is absolutely correct with what they studied and the results they found. My main issues are the scope and some of the methodologies.

On one hand, I see the “AI” they used was able to solve captchas better than humans. My main issue with this is that this is one tool. Daily, I work on dozens of different frameworks and services, some that claim to leverage AI. The results and ability to pass captcha varies with each tool. There’s an inevitable back and forth with each tool as these tools learn how to bypass us and as we counter these changes. There’s not just one tool that everyone is using as their bot as is the case in the study, so it’s not exactly how this works in the real world.

I recognize that the list of sites they chose were the top 200 sites on the web. That said, there are more, up-and-coming captcha services that weren’t tested. I think it’s worth noting that the “captcha-less”, like Turnstile, approaches are still captcha but skip straight to proof of work and cutting out the human altogether.

We should absolutely take studies like this to heart and find better ways that don’t piss off humans. But the reality is that these tools are working to cut down on a vast amount of bot traffic that you don’t see. I understand if you’re not ok with that line of reasoning because I’m asking you to trust me, a random Internet stranger. I imagine each company can show you metrics regarding FP rates and how many bots are actually passing their captcha. Most do their best to cut down on the false positive rate.

How are you measuring this? On my end, when I look at the metrics I have available to me, the volume of bot requests that are passing captcha does not exceed that of humans. We continually review false positives and false negatives to make sure we aren’t impacting humans while still making it hard for bots.

There’s a whole world of tools you can use that do that for you now. It’s easier than ever. To me it’s concerning. The level of automation, coupled with a halfway decent LLM, can give you the ability to summon hordes of fake humans to social media. I can’t help but think it’s why X and Reddit don’t use any kind of anti-bot solution.

Trust me, my team and I often feel at odds with the part that infringes on privacy. As someone that enjoys and wants more privacy, I wish there were other solutions that didn’t create a type of dragnet. If it assuages some of your fears, I’ve never heard of the fingerprinting being sold or used outside of detections.

ALTCHA uses a proof-of-work mechanism to protect your website, apps, APIs, and online services from spam and unwanted content.

Unlike other solutions, ALTCHA’s Captcha alternative is free, open-source and self-hosted, does not use cookies nor fingerprinting, does not track users.

Emphasis are mine. I honestly do not know how this statement is possible. Captcha-less, proof-of-work solutions have to fingerprint on some level. It’s essentially having the browser prove it is what it claims to be. I get what they’re trying to say but it’s marketing. That said, I don’t know everything and maybe they have some method I’m not aware of. Grains of salt all around.

Given that the last updates to this repo were five years ago, I’m not too sure if it’s still valid. I don’t follow Cloudflare bypasses but I am fairly certain there are more successful frameworks and services now. The landscape is evolving quickly. We are seeing a proliferation of “bot as a service”, captcha passing farms, dedicated browsers for botting, newsletters, substacks, Discord servers, you name it. Then there are the methods you don’t readily find much talk on like custom modified Chrome browsers. It’s fascinating how much effort is being funneled into this field.

Thanks for reading and commenting!

Welcome to bot detection. It’s a cat and mouse game, an ever changing battle where each side makes moves and counter moves. You can see this with the creation of captcha-less challenges.

But to say captcha are useless because bots can pass them is somewhat similar to saying your antivirus is useless because certain malware and ransomware can bypass it.

Yes, the industry is well aware of this. We do behavioral detection on both sessions and IPs. This is fairly basic.

Thank you for reading and considering the information.

That’s very kind of you. Thank you for the kind words. 🍻

Greed. I honestly don’t know if they’re even aware of the problem. Most corporations have cut teams to the bone and I can’t see Cloudflare being an exception. The janitor is probably writing detection rules now.

I get why you’re frustrated and you have every right to be. I’m going to preface what I’m going to say next by saying I work in this industry. I’m not at Cloudflare but I am at a company that provides bot protection. I analyze and block bots for a living. Again, your frustrations are warranted.

• Even if a site doesn’t have sensitive information, it likely serves a captcha because of the amount of bots that do make requests that are scraping related. The volume of these requests can effectively DDoS them. If they’re selling something, it can disrupt sales. So they lose money on sales and eat the load costs.

• With more and more username and password leaks, credential stuffing is getting to be a bigger issue than anyone actually realizes. There aren’t really good ways of pinpointing you vs someone that has somehow stolen your credentials. Bots are increasingly more and more sophisticated. Meaning, we see bots using aged sessions which is more in line with human behavior. Most of the companies implementing captcha on login segments do so to try and protect your data and financials.

• The rise in unique, privacy based browsers is great and it’s also hard to keep up with. It’s been more than six months, but I’ve fingerprinted Pale Moon and, if I recall correctly, it has just enough red flags to be hard to discern between a human and a poorly configured bot.

Ok, enough apologetics. This is a cat and mouse game that the rest of us are being drug into. Sometimes I feel like this is a made up problem. Ultimately, I think this type of thing should be legislated. And before the bot bros jump in and say it’s their right to scrape and take data it’s not. Terms of use are plainly stated by these sites. They consider it stealing.

Thank you for coming to my Tedx Talk on bots.

Edit: I just want to say that allowing any user agent with “Pale Moon” or “Goanna” isn’t the answer. It’s trivially easy to spoof a user agent which is why I worked on fingerprinting it. Changing Pale Moon’s user agent to Firefox is likely to cause you problems too. The fork they are using has different fingerprints than an up to date Firefox browser.

We all can see Russia from our house now. 🫠

I appreciate the sane, well thought out responses here from you. I spent yesterday evening reflecting on your points and, ultimately, I can say your ideas on how we should organize is more than likely the way we should be approaching this.

Are you aware of any groups trying to do what you’ve suggested with subscriptions and/or Black Friday? I want to be more involved in some capacity but I’m not seeing anyone organizing like this.

Uncalled for, don’t be like that, you know that’s not what I said at all

I should not have directed that to you. Your response was not naysaying in the way I pointed out in my post. I’m frustrated but that’s not a reason to be rude. I’m truly sorry.

So you agree the expected outcome of this particular venture is to not have any tangible impact. Are you concerned at all about people seeing that it had no impact, and as a result feeling deterred from future involvement?

I’m not sure I implied that but it’s not what I think about today’s protest. I believe people coming together is powerful. It’s about sending a message.

Are you concerned at all about people seeing that it had no impact, and as a result feeling deterred from future involvement?

At the end of the day, I’m more concerned with people not doing anything.

Over the past 20 years, I’ve read so many similar sentiments on social media that “X won’t work.” At this point, I just want people to try. I desperately want people to try. I want people to get involved. My biggest concern is that people won’t do anything because no one is coming up with the idea.

I just think this sounds like an idea that some privileged person came up with, assuming that everyone is out there being irresponsible with their money every day.

I see where you’re coming from with this point. I think there are a spectrum of people from various economic backgrounds that aren’t super rich that can contribute. All I’m saying is that if someone acts today it could be their first step towards long term changes on their part. I wasn’t well off when I made the change seven years ago but I’m glad I didn’t give into the notion that my change wasn’t meaningful.

Again, I’m sorry for the harsh rhetoric towards you with my last response.

Just a few days ago it was reported that the top 10% of earners are currently responsible for half of all spending. “Spending” isn’t leverage we have.

In a world where “line must go up infinitely”, the idea of people coming together to make that line go another direction is power. But sitting behind a keyboard and telling people to continue being small and helpless is not what we continue to need from the community.

There are a lot of people who have never participated in something like this, but these moments are our chance to get people involved. I love that you have an idea for subscriptions and only buying necessities. I need you to say “Yes, this is a good start, and now let’s take the next step together. I have some ideas.”

Every dollar we give to these people is another dollar that is used against us. I’m not ok with that. Inequality is at an all time high and only getting worse.

Lastly, you’ll have to forgive me for taking QZ, a website owned by a Private Equity Firm, with a grain of salt. “Rich people are now powering the economy” reads like rich people propaganda.

I have seen several threads now on this subject here in Lemmy recently and the number of people who are against it is disappointing. Years ago my wife and I decided to let our Prime membership lapse and to no longer buy from Amazon. I mentioned this on Reddit and the responses were similar to what I’m seeing on here now in regards to this boycott.

“That’s not going to do anything”

However, in the past seven years, instead of buying from Amazon, we have sought out small businesses and put money into local businesses when we can. That’s money Amazon does not have from us. Think about what the average American spends on goods from Amazon each year. If more people did this instead of naysaying then the economic impact would be much better.

So to those of you wanting to participate tomorrow, I applaud you. Be the change you want to see in the world. Money is all these greedy parasites know and if we can collectively stand up, one small step at a time, then the impact will be huge.

To the naysayers, either you’re a bot or have nothing to contribute to the cause because I don’t see any organizing from you. Find a positive way to contribute or shut the fuck up.