
132 points timshell | 1 comment
imiric No.44378450
I applaud the effort. We need human-friendly CAPTCHAs, as much as they're generally disliked. They're the only solution to the growing spam and abuse problem on the web.

Proof-of-work CAPTCHAs work well for making bots expensive to run at scale, but they still rely on accurate bot detection. Avoiding both false positives and negatives is crucial, yet all existing approaches are not reliable enough.

One comment re:

> While AI agents can theoretically simulate these patterns, the effort likely outweighs other alternatives.

For now. Behavioral and cognitive signals seem to work against the current generation of bots, but will likely also be defeated as AI tools become cheaper and more accessible. It's only a matter of time until attackers can train a model on real human input, and for inference to be cheap enough. Or just for the benefit of using a bot on a specific target to outweigh the costs.

So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

replies(11): >>44378709 >>44379146 >>44379545 >>44380175 >>44380453 >>44380659 >>44380693 >>44382515 >>44384051 >>44387254 >>44389004
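As an added illustration of the proof-of-work trade-off this comment describes (example code written for this page, not from the linked article or any commenter): the server issues a hash-puzzle challenge whose difficulty is scaled by a bot-risk score, the client brute-forces it, and the server verifies with a single hash. The risk score, the server key, and the risk-to-difficulty mapping are assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo secret (assumption): in practice a per-deployment key.
SERVER_KEY = b"constructed-demo-key"


def difficulty_for_risk(risk_score: float) -> int:
    """Map a bot-detection risk score in [0, 1] to required leading-zero bits.

    Assumed policy: 12 bits (milliseconds) for likely humans, up to 22 bits
    (seconds of CPU) for likely bots. This is the dependency on bot detection:
    a false negative gets cheap puzzles, a false positive punishes a human.
    """
    clamped = max(0.0, min(1.0, risk_score))
    return 12 + int(round(10 * clamped))


def issue_challenge(risk_score: float) -> dict:
    """Server side: random nonce plus difficulty, MAC'd so the client cannot
    lower the difficulty. A real deployment would also bind it to a session
    and expire it to stop replay."""
    nonce = os.urandom(16).hex()
    bits = difficulty_for_risk(risk_score)
    tag = hmac.new(SERVER_KEY, f"{nonce}:{bits}".encode(), "sha256").hexdigest()
    return {"nonce": nonce, "bits": bits, "tag": tag}


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: dict, limit: int = 1 << 30) -> int:
    """Client side: brute-force a counter; expected cost ~2**bits hashes."""
    prefix = f"{challenge['nonce']}:{challenge['bits']}:".encode()
    for counter in range(limit):
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(digest) >= challenge["bits"]:
            return counter
    raise RuntimeError("no solution within limit")


def verify(challenge: dict, counter: int) -> bool:
    """Server side: one HMAC check and one hash, whatever the difficulty."""
    msg = f"{challenge['nonce']}:{challenge['bits']}".encode()
    expected = hmac.new(SERVER_KEY, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False  # tampered difficulty or forged challenge
    digest = hashlib.sha256(msg + b":" + str(counter).encode()).digest()
    return leading_zero_bits(digest) >= challenge["bits"]
```

The asymmetry is the point: the client's cost grows exponentially with `bits`, the server's stays constant, but choosing `bits` well still needs a trustworthy risk signal.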
dataviz1000 No.44380453
1. Create a website with a series of tasks to capture this data.

2. Send link to coworkers via Slack so they can spend five minutes doing the tasks.

3. Capture that data and create thousands of slight variations saved to db as profiles.

4. Bypass bot protections.

There is nothing anyone can do to prevent bots.

replies(1): >>44381744
ATechGuy No.44381744
> There is nothing anyone can do to prevent bots.

Are you sure about this?

replies(1): >>44382417
dataviz1000 No.44382417
I was part of the team managing tens of millions of dollars’ worth of NFL event-ticket inventory, which meant I had to automate the Ticketmaster UI to delist any ticket that was put into checkout or sold on a secondary market like StubHub. For legal reasons, Ticketmaster wouldn’t grant us direct access to their private API while they were still building out the developer API (which our backend team actually helped design), so I spent about half my time reverse-engineering and circumnavigating their bot protections on Ticketmaster, SeatGeek, StubHub, etc. I made it very clear that anyone caught using my code to automate ticket purchases would face serious consequences.

At the time, Ticketmaster’s anti-bot measures were the gold standard. They gave us fair warning that they planned to implement Mastercard’s SaaS-based solution (same as described in OP’s article), so I had everyone on the team capture keyboard-typing cadence, mouse movements, and other behavioral metrics. I used that as the excuse to build a Chrome extension that handled all of those tasks, and I leaned on the backend team to stop procrastinating and integrate the new API endpoints that Ticketmaster was rolling out. For about a week, that extension managed millions of dollars in inventory—until I got our headless browsers back up and running.

In the end, any lock can be picked given enough time; its only real purpose is to add friction until attackers move on to an easier target. But frankly, nobody can stop me from scraping data or automating site interactions if it’s more profitable than whatever else I could be working on. I have some ideas about how to prevent me from using automated bots, but all of the companies I've applied to over the years never respond -- that's on them.