133 points timshell | 8 comments
imiric No.44378450
I applaud the effort. We need human-friendly CAPTCHAs, as much as they're generally disliked. They're the only solution to the growing spam and abuse problem on the web.

Proof-of-work CAPTCHAs work well for making bots expensive to run at scale, but they still rely on accurate bot detection. Avoiding both false positives and negatives is crucial, yet all existing approaches are not reliable enough.

One comment re:

> While AI agents can theoretically simulate these patterns, the effort likely outweighs other alternatives.

For now. Behavioral and cognitive signals seem to work against the current generation of bots, but will likely also be defeated as AI tools become cheaper and more accessible. It's only a matter of time until attackers can train a model on real human input, and for inference to be cheap enough. Or just for the benefit of using a bot on a specific target to outweigh the costs.

So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

JimDabell No.44378709
> So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

I think the most likely long-term solution is something like DIDs.

https://en.wikipedia.org/wiki/Decentralized_identifier

A small number of trusted authorities (e.g. governments) issue IDs. Users can identify themselves to third-parties without disclosing their real-world identity to the third-party and without disclosing their interaction with the third-party to the issuing body.

The key part of this is that the identity is persistent. A website might not know who you are, but they know when it’s you returning. So if you get banned, you can’t just register a new account to evade the ban. You’d need to do the equivalent of getting a new passport from your government.

thatnerd No.44379293
https://www.wired.com/story/worldcoin-sam-altman-orb/
1. julkali No.44379354
That is the Silicon Valley cryptoscam version.

This concept has already been studied extensively, e.g. [1] (in 2000!) by people like Rivest and Chaum, who have actual decade-old competence in that field.

[1] https://people.csail.mit.edu/rivest/pubs/pubs/LRSW99.pdf

2. calvinmorrison No.44381396
Or just charge bots and humans and we're good to go

https://www.nytimes.com/2006/02/05/technology/postage-is-due...

3. TJSomething No.44381899
While that works for attacks that are like spam, bot detection for high margin attacks like show ticket scalping really wants an identity-oriented solution.
4. servercobra No.44381923
Ah yes, postage has stopped all the spam coming to my house!
5. throw10920 No.44382484
This is an extremely ignorant take. It's extremely well-known that one of the primary ways you stop spam is by making it economically infeasible, specifically by making the cost of distribution higher than the expected return. It's also extremely well-known that spam snail-mail is subsidized by the US post office and doesn't pay normal post rates.
6. pzo No.44384295
I think Worldcoin added this year (?) identification using government e-passports as well (not only the orb) - all modern passports have an NFC/RFID chip; you won't get all the data from it in a public way, but you can verify the signature and get basic information. There are already apps in the App Store doing that.
7. nc0 No.44387398
> Say something everyone lives every day around the world.
> "This is an extremely ignorant take."