And being a cat and mouse game doesn’t mean the defenders failed.
It does though, in the end attackers always win. If something is a "cat and mouse game" then it's unwinnable by design from the defender side.
Sure, you can keep playing it if you feel like it, but at some point the attacker will be indistinguishable from a legitimate user and you will lose that fight.
It's just more identity verification afaict
Indeed, half the point for reCAPTCHA: That how Google could justify supplying reCAPTCHA for free, but not why people wanted to use them.
[1] https://www.browserbase.com/blog/cloudflare-browserbase-pion...
(Only a couple folks on hallucinogenics, most on various downers.)
See: Red Queen by Matt Ridley.
The game is shifting to a better ideal: how do you design a service knowing that any user/request might be automated?
Especially in place of the historical, easy solution/hack where you have some sort of gate that, once passed, puts the user in some trusted low-scrutiny tier, like a forum's registration page.
It's a similar question to designing a system so that it's resilient to account take-overs. (i.e. The user was a trusted human until now, and now it's a spammer)
Example: on a forum, run new posts through an LLM to classify it as spam which is a magic solution we always wish we had (remember akismet?) but was too rudimentary.
The solution is really a ton of different captcha like systems and anti spam solutions, all unpopular enough that an attacker may not even bother targeting them. If an attacker needs to target a few thousand different captcha style setups to get their spam through, then many of them won't bother.
It's like centralised vs decentralised communication systems. If everything is centralised, a bad actor (like a government, corporation, criminal group, etc) can go after one target to control the narrative. If it's decentralised, then suddenly they have to go after dozens or hundreds of different targets, many of which won't cooperate with them.
I haven't looked deeply into Web Bot Auth, but is identification tied to the agent (one identity per agent) or is it tied to the underlying person using the agent (the user)?
Hope that question makes sense, lmk if you need clarification
The last example is a false narrative, that captchas will only happen if the "browser looks suspicious". Systems like Altcha put an end to this argument. They don't care if the browser looks suspicious, only that the browser can perform a proof-of-work to get past a captcha designed to slow down the request rate.
When applied consistently, it will effectively block and slow down AI crawlers, which is what this company wants to promote.
That doesn't really work out in reality because bots are happy to wait 5 seconds or even 5 minutes for a PoW challenge to complete. Humans on the other hand will not, especially if they're on a mobile device with limited compute and energy.
jmclnx•1h ago
JohnFen•1h ago
code_duck•1h ago
Zak•1h ago
Guestbooks, contact forms, signup pages, and the like started receiving automated abuse approximately five minutes after they were invented. It didn't take long after that for people to start including a question they expected to be easy for a person and hard to automate with a script.
What's relatively new is CAPTCHAs merely to browse a site. There are few faster ways to get me to close your site, and maybe send you an unfriendly email.
nosioptar•48m ago