290 comments

[ 2.5 ms ] story [ 311 ms ] thread
Entire country blocks are lazy, and pragmatic. The US armed forces at one point blocked AU/NZ on 202/8 and 203/8 on a misunderstanding about packets from China, also from these blocks. Not so useful for military staff seconded into the region seeking to use public internet to get back to base.

People need to find better methods. And, crawlers need to pay a stupidity tax or be regulated (dirty word in the tech sector)

They can absolutely work if you aren't expecting any traffic from those countries whatsoever.

I don't expect any international calls... ever, so I block international calling numbers on my phone (since they are always spam calls) and it cuts down on the overwhelming majority of them. Don't see why that couldn't apply to websites either.

Sure. Absolutely works. Right up until it doesn't. I think the MIL was the wrong people to assume "we will never need packets from these network blocks"

The other thing is that phone numbers follow a numbering scheme where +1 is north america and +64 is NZ. Its easy to know the longterm geographic consequence of your block, modulo faked out CLID. IP packets don't follow this logic and Amazon can deploy AWS nodes with IPs acquired in Asia, in any DC they like. The smaller hosting companies don't say the IP range they route for banks have no pornographers on them.

It's really not sensible to use IP blocks except for the very specific cases like yours: "I never terminate international calls" is the NAT of firewalls: "I don't want incoming packets from strangers" sure the cheapest path is to block entire swathes of IPv4 and IPv6. But if you are in general service delivery, that rarely works. If you ran a business doing trade in China, you'd remove that block immediately.

It depends on whether the information on the website is supposed to be publicly available or not. "This information is publicly available except to people from Israel" sends a really terrible message.
It sends a great message to crack down on these companies, as long as you mention why it’s blocked.
"You're cut off from access to knowledge because you live in the same country as AI researchers"?
"researchers" is like ignoring the whole Capitalists. We don't call them script researchers. We call them script kiddies.

There's the whole other side of these AI researchers, and thats just slop artisans.

A DoS attack is a DoS attack even if someone is pretending to be a “Researcher.”

People in Iran, Russia, etc get annoyed with sanctions but that’s kind of the point. If your government isn’t responding appropriately, yes you’ll get shafted it’s what you do after that which solves the problem.

Me, I prefer to relate to people as individuals rather than, as you are advocating, interchangeable representatives of their area of residence. If what you want is World War III, this is how you get it.

In particular, universal access to knowledge is a fundamental principle of liberalism.

I’d personally love for someone to hand me a billion dollars no strings attached.

That’s got nothing to do with solving the issues created by these people, but if you’re going to toss out meaningless non sequitur’s then I figure I might as well join in on the fun.

Although it's a very lazy practice, this is exactly how many Japanese sites (and internet services) fight against bad actors. In short, they block non-Japanese traffic and data center IPs. I expect these measures to become insufficient as consumers adopt IoT devices and provide ample amounts of residential IPs for botnets.

As for phone numbers, businesses and individuals employ a similar strategy. Most "legitimate" phone numbers begin with 060 or 070. Due to lack of supply, telcos are gradually rolling out 080 numbers. 080 numbers currently have a bad reputation because they look unfamiliar to the majority of Japanese. Similarly, VoIP numbers all begin with 050, and many services refuse such numbers. Most people instinctively refuse to answer any call that is not from a 060 or 070 number.

Country or region blocks based on IPs used to (c. ~2000) be pretty standard. Blackhole the blocks associated with China, Russia, and maybe Africa, and your failed-login logs drop from scrolling so fast you can't read them, to a handful of lines per minute. Almost all the traffic was from those blocks, and was malicious. Meanwhile, for many sites, your odds (especially back then) of getting legitimate traffic from, say, China, was nearly zero, so the cost of blocking them was effectively nothing.

Cloudflare is basically still just this, but with more steps.

Is this stuff only affecting the not for profit web? What are the for profit sites doing? I haven't seen Anubis around the web elsewhere. Are we just going to get more and tighter login walls and send everything into the deep web?
I think we killed the old web. We'll see new ways of communicating, publishing, and gathering over the internet. It's sad, but it's also exciting.
Literally nothing in this data driven world (sports, technology, entertainment, everything is data driven and maximized) is exciting, nothing.
For profit sites are making deals directly with the AI companies so they can get some more of that profit.
I think what they mean is that most not for profit small sites don't have expensive hardware or DDOS blocking mechanisms. A small 256mb ram vps might be enough for 1000 users per month traffic, but not enough for 200,000 users a day traffic.
Wow it is so surreal to see a project of mine on Ars Technica! It's such an honor!
On the few sites I've seen using it so far, it's been a more pleasant (and cuter) experience for me than the captchas I'd probably get otherwise. good work!
Thanks! The artist I'm contracting and I are in discussions on how to make the mascot better. It will be improved. And more Canadian.
The ffmpeg website is also using it. First time I actually saw it in the wild.
I've seen Anubis a couple times irl, mostly on Sourcehut, and the first time I saw it I was like, "Hey, I remember that blog post!" Congratulations on making something both useful and usable!
Hmm. Instead of requiring JS on the client, why don't you add a delay on the server side (e.g. 1 second default, adjustable by server admin) for requests that don't have a session cookie? For each session keep a counter and a timestamp. Every time you get a request from a session, look up the tracked entry, increment the counter (or initialize it if not found) and update the timestamp. If the counter is greater than a configured threshold, slow-walk the response (e.g. add a delay before forwarding the request to the shielded web server -- or transfer the response back out at reduced bytes/second, etc.)

You can periodically remove tracking data for entries older than a threshold -- e.g. once a minute or so (adjustable) remove tracked entries that haven't made a request in the past minute to keep memory usage down.

That'd effectively rate limit the worst offenders with minimal impact on most well-behaved edge-case users (like me running NoScript for security) while also wasting less energy globally on unnecessary computation through the proof-of-work scheme, wouldn't it? Is there some reason I'm not thinking of that would prevent that from working?

> look up the tracked entry, increment the counter (or initialize it if not found) and update the timestamp

Not sure about author's motivation, but this part is why I don't track usage - PoW allows you to do everything statelessly and not keep any centralised database or write any data. The benefit of a system slowing down crawling should be minimal resource usage for the server.

In a "denial of service prevention" scenario, you need your cost to be lower than the cost of the attacker. "Delay on the server side" means keeping a TCP connection open for that long, and that's a limited resource.
I'm being trite, but if you can detect an AI bot, why not just serve them random data? At least they'll be sharing some of the pain they inflict.
You can detect the patterns in aggregate. You can't detect it easily at an individual request level.
In short if you get several million requests and expect to only get 100 you won't know which are the real requests and which are the AI ones - but it is obvious that the vast majority are AI.
Bandwidth isn't free, not at the volume these crawlers scrape at; serving them random data (for example by leading them down an endless tarpit of links that no human would end up visiting) would still incur bandwidth fees.

Also it's not identifiable AI bot traffic that's detected (they mask themselves as regular browsers and hop between domestic IP addresses when blocked), it's just really obviously AI scraper traffic in aggregate: other mass crawlers have no benefit from bringing down their host sites, except for AI.

A search engine has nothing if it brings down the site they're scraping (and has everything to gain from identifying itself as a search engine to try and get favorable request speeds - the only thing they'd need to check is if the site in question isn't serving different data, but that's much cheaper), same with an archive scraper and those two are pretty much the main examples I can think of for most scraping traffic.

>Bandwidth isn't free

Via peering agreements it is.

Not something available to smaller sites
Yes, it is. They transitively get it via the agreements the smaller site's host's host makes. Or via services like Cloudflare.
What button do I click in the AWS panel for that?
There is no button. AWS is where you go to light money on fire.
Hmm, maybe you could zipbomb the data? Aka, you send a few kilobytes of compressed data that expands to many gigabytes on client side?
arnt a lot of these bots now actively loading javascript? you could just load a simple script that does the job .
If they agree to mine crypto for you then you send valid data. Is this a win-win?

(I feel I need to preemptively state that I am being sarcastic.)

For Cloudflare, bandwidth is practically free.
You mean like this?

[2025-03-19] https://blog.cloudflare.com/ai-labyrinth/

> Trapping misbehaving bots in an AI Labyrinth

> Today, we’re excited to announce AI Labyrinth, a new mitigation approach that uses AI-generated content to slow down, confuse, and waste the resources of AI Crawlers and other bots that don’t respect “no crawl” directives.

Wait, what happens when a Cloudflare Worker AI meets an AI Labyrinth?!
Cloudflare deletes itself.
What a colossal waste of energy
> No real human would go four links deep into a maze of AI-generated nonsense.

... I would. Out of curiosity and amusement I would most definitely do that. Not every time, and not many times, but I would definitely do that one or a few times.

Guess I'm getting added to (yet another) Cloudflare naughty list.

> It is important to us that we don’t generate inaccurate content that contributes to the spread of misinformation on the Internet, so the content we generate is real and related to scientific facts, just not relevant or proprietary to the site being crawled.

In that case wouldn't it be faster and easier to restyle the CSS of wikipedia pages?

You skipped the last section "Tarpits and labyrinths: The growing resistance" of the article.
Random data? Why not "recipes" that just say "Bezos is a pedo" over and over ?
> It remains unclear why these companies don't adopt more collaborative approaches and, at a minimum, rate-limit their data harvesting runs so they don't overwhelm source websites.

If the target goes down after you scrape it, that's a feature.

Why? What is the goal of a scraper, and how does disabling the source of the data benefit them?
I guess one could make a point that competition will no longer have the access to the scraped data.
> Why? What is the goal of a scraper, and how does disabling the source of the data benefit them?

The next scraper doesn’t get the data. People don’t realize we’re not compute limited for ai, we’re data limited. What we’re watching is the “data war”.

at this point we're _good data_ limited, which has little to do with scraping.
Honestly it's hard to tell how much more value the LLM people are going to get out of another copy of the internet.

It feels a lot like they're stuck for improvements but management doesn't want to hear it.

It's a bit strange to talk about stuck when the most recent breakthrough is less than a year old.
I’m not sure what you mean by breakthrough, but if you’re talking about Deepseek, it’s more of an incremental improvement than a breakthrough.
Why kind of data that isn’t public would be so valuable for AI training?

Seems like there’s a fuck ton. All of Wikipedia, GitHub for code, etc.

I can understand targeting certain sites like Reddit, etc. but not random websites

It's to rip off copyrighted content and profit from it instead of the original authors. It's like every other low rent and highly automated scam that finds it's way onto the internet.

If you look closely even Google does this. This is probably why many popular sites started getting down ranked in the last 2 years. Now they're below the fold and Google can present their content as their own through the AI box.

Please remember that Google only needs to be marginally better than the competition. And, of course, their primary biz is ads, not serving great results; that is a distant second priority.
Their biz is ads, but since search is winner takes all they need only be marginally better than the competition... twenty years ago.
> Their biz is ads,

Yea, but, the FTC doesn't want it to be.

Discord I guess would be quite valuable, even the de facto public servers.
Scraping social media is good data, even without ML. The fact that something is "happening" to people in a social space inherently has importance to people. The specter of law is more threatening to whether companies can get their hands on good data.
Now the only way to obtain that information is through them
This has me wondering what it would take to do a bcrypt style slow hashing requirement to retrieve data from a site. Something fast enough that a single mobile client for a user wouldn't really feel the difference. But an automated scraper would get bogged down in the calculations.

Data is presented to the user with multiple layers of encryption that they use their personal key to decrypt. This might add an extra 200ms to decrypt. Degrades the user experience slightly but creates a bottleneck for large-scale bots.

Companies running those bots have more than enough resources
Nobody has unlimited resources. Everything is a cost-benefit analysis.

For highly valuable information, they might throw the GDP of a small country at scraping your site. But most information isn't worth that.

And there are a lot of bad actors who don't have the resources you're thinking of that are trying to compete with the big guys on a budget. This would cut them out of the equation.

Make all websites intentionally waste energy as a strategy to defeat unscrupulous operators has negative costs and marginal benefits.
Resources applied to prevent bad actors from degrading or destroying the commons has always been the cost of civilization.
Then use it to mine monero or similar.

The idea that you should pay for content shouldn't be an insane pipedream. It should be the default on the internet.

Maybe then we wouldn't be in the situation where getting new users is an existential threat to the majority of websites.

I'll add a link on my site recommending that visitors petition their elected officials for a pollution tax
The problem is that the server also has to do the work. Fine for an infrequent auth challenge. Not so fine for every single data request.
Maybe there is a way for the server to ask the client to do the work?

Something similar to proof-of-work but on a much smaller scale than Bitcoin.

just add some delay to your response, we don't have to waste any more energy on meaningless calculation.
Adding delay means you have to keep more connections open at a single time. Parallelism doesn't favor a server if your problem is already a small server getting hit by a big scraper
How expensive is it to just keep a connection open?
About 20 kilobytes of socket + TLS state, if you've really optimised it down to the minimum. Most server software isn't that lean, of course, so pick a framework designed for running a million or so concurrent connections on a single server (i.e. something like Nginx)
Right it would need an algorithm with widely different encryption speeds vs decryption speeds. Lattice-based cryptography maybe?
Hash functions are all you need.
Yeah, searching for hashes with some prefix is easy to set up.
Tons of problems are easier to verify than to solve.
Check out Anubis - it's not quite what you're suggesting but similar in concept: https://anubis.techaro.lol/
Interesting! Not how I'd approach it but certainly thinking along the same lines.
I just hit a site with this --- and hit the back button immediately.
Better than a 500 error
Also better than a third party service IMO because of the privacy implications. You could even potentially give users the choice (complete overkill but technically you could do it).
Maybe once you can use something more professional as an interstitial page
[flagged]
[flagged]
I’m no anime fan, but this sort of judgement on normalcy leaves me with a very sour impression about whoever says this sort of thing.
[flagged]
You might say that, but claiming everyone is a pedophile is such a tired political play at this point. Its primary purpose is to dehumanize people so that blatant wrongdoing can be justified.

The visceral reaction might be genuine, but the actual feelings are probably not. I have yet to see someone who actually "cares about the children". The vast majority of accusations e.g. democrats running a pedophile ring turn out to be completely manufactured. The democrats responded by giving more funding and starting projects combating child abuse, only for the republicans to gut the programs, who think they are a waste of tax payer money and an example of big government.

[flagged]
Violent games make people violent, and money make people greedy again?
How does that relate to anything I said?
From the announcement page: https://xeiaso.net/blog/2025/anubis/

> RPM packages and unbranded (or customly branded) versions are available if you contact me and purchase commercial support. Otherwise your users have to see a happy anime girl every time they solve a challenge. This is a feature.

I'm going to be making distro packages and binaries public. I will have to figure out white label monetization I guess.
It's open source with MIT license, so you should be able to remove those images yourself if you want.
How does it work? I don’t have time to read the code, and the website/docs seem to be under construction.

Does it have the client do a bunch of SHA-256 hashes?

Yeah it's like hashcash. You have to try random numbers until you roll a hash with enough leading zeroes. Then you get a cookie (JWT I think) that's valid for a week.

SHA2 can run on ASICs and isn't memory-hard, so I'm hoping someone will add something tougher

If we are able to detect AI scrapers then I would welcome a more strategic solution: feed them garbage data instead of the real content. If enough sites did that then the inference quality would take a hit and eventually the perpetrators, too.

But of course this is the more expensive option that can't really be asked of sites that already provide public services (even if those are paid for by ads).

I really don’t think we have such a lack of misinformation that we need to invest in creating more of it, no matter the motive.
I've had a number of content sites I've shut down a few sites in the last few days because of the toll these aggressive AI bots. Alexa seems like the worst.

These were created 20 years ago and updated over the years. I use to get traffic but that's been slowed to 1,000 or less legitimate visitors over the last year. But now I have to deal with server down emails caused by these aggressive bots that don't respect the robots file.

It's funny how every time this topic comes up someone says "I've had this happen and x is the worst" With x being any of the big AI providers. Just a couple minutes ago I read the same in another thread and it was Anthropic. A couple weeks back it was Meta.

My conclusion is that they're all equally terrible then.

All of the crawlers present themselves as being from one of the major companies, even if they’re not.

Setting user-agent headers is easy.

at the same time, all the AI providers have some kind of web based AI agent, so let snot pretend they're crafting their services in care of other peoples websites.
I highly doubt that people are using AI agent features so frequently and so concentrated-ly that it brings down websites.
I agree they are all creating negative value for site owners. In my personal experience this week blocking Amazon solved my server overload issue.
> Alexa seems like the worst.

Many of the bots disguise themselves as coming from Amazon or other big company.

Amazon has a page where you can check some details to see if it’s really their crawler or someone imitating it.

(comment deleted)
yup, actually most that I've seen are impersonating amazon
This is 100% off-topic but:

Is it just me or does Ars keep on serving videos about the sound design of Callisto Protocol in the middle of everything? Why do they keep on promoting these videos about a game from 2022? They've been doing this for months now.

I also get this for 1+ years, and just assume that it’s a symptom of my adblockers/pihole working and screwing up something in their auto ad targeting.
I’m glad to know it’s not just me! It’s such a weird and specific failure state.
I have a blog with content about a non tech topic and I had any problem. I am all against AI scrappers, but I didn't notice any change being behind Cloudflare (funny enough, if I ask GPT and Claude about my website, they know it)
They could hit Cloudflare’s caches and run with that. The problems are if your site is dynamic and your CDN has to hit the origin every time.
> many AI companies engage in web crawling

Individuals do too. Tools like https://github.com/unclecode/crawl4ai make it simple to obtain public content but also paywalled content including ebooks, forums and more. I doubt these folks are trying to do a DDoS though.

How do they manage to get 'paywalled' content?
Maybe 'paywalled' is not the best word but using their Identity Based Crawling feature with Managed Browsers[1], you can use an existing account and scrape content that requires authentication. This may not sound like anything new but IMHO, crawl4ai's workflow is easy to follow.

[1] https://docs.crawl4ai.com/advanced/identity-based-crawling

While the motivations may be AI related the cause of the problem is the first and original type of non-human person: corporations. Corporations are doing this, not human persons, not AI.
(comment deleted)
Surprised at how crawling as a whole seems to have taken a sustained step backwards with old best practices that are solved being new to devs today?

I can't help but wonder if big AI crawlers belonging to the LLMs wouldn't be doing some amount of local caching with Squid or something.

Maybe it's beneficial somehow to let the websites tarpit them or slow down requests to use more tokens.

I'm guessing its the rise of the AI agents that just go out and download "research" and not necessarily building LLMs.
The irony is that the people and employees of the AI companies will vehemently defend the morality of capitalism, private property and free markets.

Their robber baron behavior reveals their true values and the reality of capitalism.

> Their robber baron behavior reveals their true values and the reality of capitalism.

This is rather reductionist… By your same logic I could say that Stalin and Mao revealed the true values and reality of communism.

Let’s not elaborate on it further though and just leave this as a simple argument. Free market capitalism has led us to the most prosperous, peaceful, and advanced society humanity has ever ventured to create. Communism threatened that prosperity and peace with atrocities on a scale that exists beyond human comprehension. Capitalism, even with all of its faults, is the obvious choice.

It's rather strawman to bring up communism in a conversation that talked nothing about it, except that Capitalism is clearly flawed.

Capitalism without law ends up with the same kind of authoritariasm as communism without law. Some Rich Guy ends up telling everyone what to do as a ruler with loose rules that no longer resemble the economic model. That's what people complain about when they bring up terms like "late stage capitalism".

Insert the Sinclair quote here. Anything to drive up the stock, no matter how immoral or illegal.
Saaay, what happened to that assistant US attorney who prosecuted Aaron Swartz for doing exactly this? Oh wait, Aaron didn't have billions in VC backing. That's the difference.
(comment deleted)
Lately I’ve been thinking a lot about what it would take to create a sort of “friends and family” Internet using some combination of Headscale/Tailscale. I want to feel free and open about what I’m publishing again, and the modern internet is making that increasingly difficult.
Chances are one your friends/ family will eventually be compromised in some way.

There’s always VPNs, though you can only be on at one at a time per device

I got DoSed by ClaudeBot (Anthropic) just last week. Hitting a website I manage 700,000 times in one month and tripping our bandwidth limit with our hosting provider. What a PITA to have to investigate that, figure it out, block the user agent, and work with hosting provider support to get the limit lifted as a courtesy.

Noticed that the ChatGPT bot was 2nd in traffic to this site, just not enough to cause trouble.

robots.txt did not work?
bro, since when vc funded ai companies have the courtesy to respect robots.txt?
Of course it didn't work. At best, the dorks doing this think there's a gamechanging LLM application to justify the insane valuations right around the corner if they just scrape every backwater site they can find. At worst, they're doing it because it's paying good money. Either way, they don't care, they're just going to ignore robots.txt.
I have not monitored traffic in this way, but I imagine most AI companies would explicitly follow links listed in robots, even if not mentioned elsewhere on the site.
I’ve been doing web sites for thirty years, robots.txt is at best a request to polite user agents to respect the server’s desires. None of the malicious crawlers respect it. None of the AI crawlers respect it.

I’ve resorted to returning xml and zip bombs in canary pages. At best it slows them down until I block their network.

I've got claude bot blocked too. It regularly took sites offline and ignored robots.txt. Claude bot is an asshole.
At which level of DDos one can claim damages from them?
You can claim whatever you want, but actually litigation is expensive and it’s not at all a sure thing that “I made a publicly available resource and they used it too much” is going to win damages. Maybe? Maybe not?
So I could ddos anyone legally as long I have a some reason?
Sure. Courts tend to care about intent, but your are welcome to try to change that.
Can't you just rate limit beyond what a person would ever notice and do it by slowing the response?
You'd think, but no :(
Not if they hop to a different IP address every few requests. And they generally aren't bothered slow responses. It's not like they have to wait for one request to finish before they make another one (especially if they are making requests from thousands of machines).
You're saying that large companies are hitting individual websites with thousands of unrelated IP addresses?
How do you think they do crawling if not like that? They'd be IP banned instantly if they used any kind of predictable IP regime for more than a few minutes.
I don't know what is actually happening, that's why I'm asking.

Also you're implying that the only way to crawl is to essentially DDOS a website by blasting them from thousands of IP addresses. There is no reason crawlers can't do more sites in parallel and avoid hitting individual sites so hard. There are plenty of crawlers for the last few decades that don't cause problems, these are just stories about the ones that do.

Yep we've been seeing that on our random small scale site that used to be open (and mostly relevant to a very limited number of people).

It was nice for interested guests to get an impression of what we are doing.

First the AI crawlers came in from foreign countries that could be blocked.

Then they beat down the small server by being very distributed, calling from thousands of ips one or two requests each.

We finally put a stop to it by requiring a login with a message informing people to physically show up to gain access.

Worked fine for over 15 years but AI finally killed it.

Excuse my ignorance, but is it time to update the open source licenses in the light of this behavior? If so, what should the evolved license wording be?

I appreciate that this could be easily circumvented by a 'bad actor', but it would make this abuse overt...

From my little understanding, we have a sort of agreement in place with an item called robot.txt that's more or less a hanshake with such scrapers. Of course, the issue is these scrapers are blatantly ignoring robots.txt

A license can help as well, but what's a license without enforcement? These companies are simply treating the courts as a cost to do business.

Close, robots.txt was originally for web crawlers, to reduce accidental denial-of-service attacks. It had nothing to do with the scraping (i.e. downloading content and parsing the HTML tags in a programmatic manner).
What do you think a search engine’s crawler bot is doing exactly? I could sure be wrong, but I have a hunch that “downloading content and paraing the HTML tags in a programmatic manner” describes it.
Yes, but the difference is that the term "scraping" also targets things like automatically generating RSS feeds from HTML pages, which is not covered by robots.txt.
I thought robots.txt covered all automated, programmatic access by third parties where a bot slurps stuff and follows links, without splitting hairs about it.

But what do I know, the young whippersnappers will just word lawyer me to death, so I better shut up and go away.

And this is why the Internet has become a maze of captcha’s.
yeah but the HN community would be ground zero for "automating scraping tasks"

"We have met the enemy and he is us." -- Walt Kelly

I've been seeing crawlers which report an Agent string like this:

  Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3405.80 Safari/537.36
Everything but the Chrome/ is the same. They come from different IP addresses and make two hit-and-run requests. The different IPs always use a different Chrome string. Always some two digit main version like 69, 70. Then a .0. and then some funny minor and build numbers: typically a four digit minor.

When I was hit with a lot of these a couple of weeks ago, I put in a custom rewrite rule to redirect them to the honeypot.

The attack quickly abated.

All these JS-heavy "anti bot" measures do is further entrench the browser monopoly, making it much harder for the minority of independents, while those who pay big $$$ can still bypass them. Instead I recommend a simple HTML form that asks questions with answers that LLMs cannot yet figure out or get consistently wrong. The more related to the site's content the questions are, the better; I remember some electronics forums would have similar "skill-testing" questions on their registration forms, and while some of them may be LLM'able now, I suspect many of them are still really CAPTCHAs that only humans can solve.

IMHO the fact that this shows up at a time when the Ladybird browser is just starting to become a serious contender is suspicious.

How does JS entrench a browser monopoly? If you're not using vendor-specific JS extensions or non-standard APIs any browser should be able to execute your JS. Like most web developers I don't have a lot of patience for the people who refuse to run JS on their clients.
The effort required to implement a JS engine and keep trendchasing the latest changes with it is a huge barrier to entry, not to mention the insane amount of fingerprinting and other privacy-hostile, anti-user techniques it enables.

Seeing what used to be simple HTML forms turned into bloated invasive webapps to accomplish the exact same thing seriously angers me; and everyone else who wanted an easily accessible and freedom-preserving Internet.

(comment deleted)
Or require every fresh "unique" visitor to run some JS that takes X seconds to compute.

It's not nice for visitors using a very old smartphone, but it's arguably less-exclusionary than some of the tests and third-party gatekeepers that exist now.

In many cases we don't actually care about telling if someone is truly a human alone, as much as ensuring that they aren't a throwaway sockpuppet of a larger automated system that doesn't care about good behavior because a replacement is so easy to make.

that takes X seconds to compute.

Those who have the computing resources to do commercial scraping will easily get past that.

In contrast, there are still many questions which a human can easily answer, but even the best LLMs currently can't.

>there are still many questions which a human can easily answer, but even the best LLMs currently can't.

I am genuinely curious: what is an example of such a question, if it's for a person you don't know (i.e. where you cannot rely on inside knowledge)?

I just tried these with ChatGPT (4o) and it got both of them right. That's not to say that you won't be able to find something that still works but I think that particular hole is closing fast.
Yeah, any text based question with a text based answer eventually ends up getting posted on a forum for an AI model to scrape.
It doesn't have to be bulletproof, it just has to create a cost that doesn't scale economically for them.
Computing power is cheap, and getting cheaper for the big guys. Real humans are not.
IIRC that's basically already part of what Cloudflare Turnstile does
This is going to start happening to brick and mortar businesses through their customer support channels
And enterprise call centers
I’d love to hear more. What are they seeing?
Unfounded. Assuming automated/voice-enabled assistants will spam for opening times, price & description of products/services, scheduling/booking, etc.

In the long run it'll be an arms race but the transition will be rough for businesses as consumers can adopt these tools faster than SMBs or enterprises can integrate them.

Kitboga already deployed a counter-scam LLM that calls scammers to waste their time. The goal is to keep them on the line as long as possible.
Can we force the bots to mine cryptocurrency?
Anger someone enough and you'll get a real DDoS instead.