Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity?
CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen.
So where do things go? Fewer services and infinite fraud?
It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.
This doesn’t even solve the problem thanks to device farms. There’s not really a solution for this short of aiming a camera at someone’s retina 24/7 plus a fully locked down hardware path. And even that would surely be compromised given enough incentives.
People are just going to have to find a new way to monetize. Maybe more things will become paywalled, or sponsored long-term like old TV shows. Again, there’s no good way to solve this, and the “solutions” on offer just contribute to the surveillance state without solving the problem.
CAPTCHA is sort of a flawed concept in the first place: a machine to test if another agent is a machine. But I figure the future of this is to give the test but discard the answer; the truth is in how it is answered, behavioral analysis, seeing if their access patterns are human or machine like. A simple version of which is how fast they type, or the speed at which items are clicked. A surveillance process that really creeps me out. I am undecided if it creeps me out more or less than fully automated agents spewing shit over the open web.
As a footnote I found Google's reCAPTCHA bitterly ironic. It was painted in bright colors ("this data assists in book scanning" or "this helps our self-driving cars recognize stop signs") but really designed to train models to do exactly what it's trying to prevent them from doing, and making life hell for the humans along the way. The modern single click version is doing behavioral analysis.
I don't know which activity you're referring to, but why are you trying to discriminate between humans and bots? Because bots don't pay? So demand payment. Demand something like payment per account creation, then set appropriate rate limits per account.
You don't think that some people simply disagree with the idea that this is bad? Or like maybe the CAPTCHA company who put out the post has an agenda here? So you want to go after engineers personally?
I wonder what you've done that might warrant harassment?
Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposed solution, without working towards an acceptable one, people will route around the blockage.
The crux of the problem is that their solution involves making themselves the gatekeepers of who is and isn't allowed. And that's a power that no one unaccountable organization should wield.
Given how important internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.
> You don't think that some people simply disagree with the idea that this is bad?
Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.
I think the idea is sad and tragic, but also that we are at the point where we have no choice but to do something.
AI/LLMs have created a vector for abuse that previous tools are failing to protect against, and the problem is only getting worse.
I'm sick of the increase of LLM slop on websites in comments and posts. I'm sick of how fraud and spam and abuse can be increasingly automated in ways current tools can't catch. I'm sick of hosting costs exploding as hobby websites get hammered for no reason.
I don't realistically see any alternative but for some kind of reliable signal that a web request is most likely coming from a real person (not a perfect guarantee, but something good enough). Which means some kind of attestation that it's a real hardware device that costs at least a few bucks and is making human-level numbers of requests (not millions per day), or else some kind of digital ID attestation system.
And I much prefer device attestation that keeps you personally anonymous, as opposed to identity attestation that will inevitably allow the government to track your browsing.
So this seems like the lesser evil. If there are other ideas I'm very open to them as well, but I basically see something like this as a sadly necessary and inevitable evil. Something is necessary and this is less bad than the alternatives. And the fact that website owners choose whether to enable this or not means that those who want to keep an internet open to all devices and web requests can do so, if they're willing to handle the additional costs in handling abuse.
But it's so easily beatable! This might be the result of good intentions (being incredibly generous), but as the article states, any bot can afford a $30 phone and the concomitant hardware as the cost of doing business and bypass this.
Also as the article states (referencing an HN comment):
> How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.
How would an ethical, competent engineer argue against this?
The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.
We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.
You realize that $30 phone is burned the moment it's used for abuse, right? It's not $30 and then spam as much as you like. It's $30 per action per site, which makes nearly all abuse unviable.
You realize how rife abuse already is using google's infra? Do you really think google's gonna be right there, cracking down on this? This is at least as much about locking people into their infra as it is cracking down on fraud, and anybody who doesn't recognize that is at this point willfully blinding themselves.
I see this comment was flagged, I have vouched for it.
It's making a valid point.
I wondered whether people are reading "I wonder what you've done that might warrant harassment?" as some kind of personal threat or incitement to harassment, but I read it as precisely the opposite.
It's an entirely valid point that many of us have worked at jobs on products that did something that somebody disagreed with, and we shouldn't be asking anybody to harass us personally for it, because that is wrong.
GP is asking to "aggressively name and shame" engineers. It's entirely valid to say that you wouldn't much like that if it happened to you.
This case is trivially circumvented with device farms, much like described in the post.
What real problem are they trying to solve? AI bots reading content? That’s not something Google want to prevent, it’s part of their business model, this would allow them to easily circumvent it for themselves though.
We just started exploring Mise as a (much) simpler alternative to Nix + Bazel for a polyglot monorepo.
One of my concerns was about how well maintained Mise would be given that it's mostly a single maintainer, so I think this is good news in that respect.
As a proponent of both Nix and Bazel, unless you need them for a specific reason you should totally use Mise. I recommend Mise to everyone.
If everyone on your team gets Mise and you're starting to feel pain at the periphery then it can definitely make sense to adopt a more elaborate toolchain orchestrator.
All these positive reviews really make me wonder. Maybe I should use Mise. The creator looks like he's really in it. Starting it now might be a good option.
Likewise looking to adopt mise at work, have a PR nearly there, and especially with all the LLM/skills CLIs, mise looks well positioned. I've been using it for a long time personally and it is a delight to work with.
Curious given polyglot monorepo and bazel, does mise have something that solves the build graph/caching stuff that IIUC comes with Bazel or is that something that's not needed for the monorepo you help maintain?
I'm a massive fan of Wireit and its caching behavior, so I'm looking for something to live up to that. I have more testing to do. I think Mise defaults to an mtime-keyed cache but has an option for content hashing, which is what Wireit uses and makes it quick to undo a change and get a cache hit.
mise's sources/outputs is intentionally pretty naive though. It's not bazel/buck2. That may change one day but so far it's more for writing tasks and less trying to be an authoritative build system.
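To make the mtime-vs-content-hash distinction from the two comments above concrete, here is a small simulation written for this thread. It is not mise's or Wireit's code; it models a task cache over an in-memory file set (FakeFile, TaskCache and simulate are made-up names) and walks through edit, then undo, under both keying strategies.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class FakeFile:
    """Constructed stand-in for a source file: bytes plus a modification time."""
    content: bytes
    mtime: float


@dataclass
class TaskCache:
    """Hypothetical task-output cache keyed either by mtime or by content hash."""
    keyed_by: str  # "mtime" or "content"
    hits: int = 0
    misses: int = 0
    store: dict = field(default_factory=dict)

    def key(self, sources: dict) -> str:
        # Sort paths so the key does not depend on dict insertion order.
        h = hashlib.sha256()
        for path in sorted(sources):
            f = sources[path]
            h.update(path.encode())
            if self.keyed_by == "mtime":
                # mtime keying: any touch/save invalidates, even if bytes are identical.
                h.update(repr(f.mtime).encode())
            else:
                # content keying: only the bytes matter, so an undo restores the old key.
                h.update(hashlib.sha256(f.content).digest())
        return h.hexdigest()

    def run(self, sources: dict, build) -> bytes:
        k = self.key(sources)
        if k in self.store:
            self.hits += 1
            return self.store[k]
        self.misses += 1
        out = build(sources)
        self.store[k] = out
        return out


def fake_build(sources: dict) -> bytes:
    """Constructed 'build': derives an artifact from the concatenated source bytes."""
    digest = hashlib.sha256(b"".join(sources[p].content for p in sorted(sources)))
    return b"bin:" + digest.hexdigest()[:8].encode()


def simulate(keyed_by: str) -> tuple:
    """Run build, edit, build, undo, build; return (hits, misses)."""
    cache = TaskCache(keyed_by)
    sources = {"src/main.rs": FakeFile(b"fn main() {}", mtime=100.0)}
    cache.run(sources, fake_build)                                   # first build: miss
    sources["src/main.rs"] = FakeFile(b"fn main() { println!(); }", mtime=200.0)
    cache.run(sources, fake_build)                                   # edited: miss
    sources["src/main.rs"] = FakeFile(b"fn main() {}", mtime=300.0)  # undo: same bytes, new mtime
    cache.run(sources, fake_build)                                   # hit only for content keying
    return cache.hits, cache.misses


if __name__ == "__main__":
    print("mtime   (hits, misses):", simulate("mtime"))    # (0, 3)
    print("content (hits, misses):", simulate("content"))  # (1, 2)
```

The third build is the interesting one: after the undo the bytes match the first build exactly, so the content-keyed cache returns the stored artifact, while the mtime-keyed cache sees a fresh timestamp and rebuilds. The trade-off is cost: hashing every source on each run is more I/O than a stat call, which is why a naive task runner might default to mtime.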
Devenv is "mise but nix" and is very good. It is currently undergoing a big migration though, so still a few rough edges. I highly recommend checking it out if you find yourself wanting nix at all.
This is made with (and by the author of) <css-doodle>, a web component that lets you put the CSS variant used in this blog inline into your HTML, like so:
Thanks for the explanation. I’ve moved away from frontend work in 2018, and I really have no idea what CSS can do anymore! So much of the CSS in this page looks cryptic to me.
Kudos to the author for posting something cool and new in the age of standardised styles.
I partially agree with you, but I also think that it's good that people can make something they want, that seems to have no monetization path, and have some hope of being bailed out.
It's not great that the search for profit will usually corrupt projects, but the other most common option is that the projects don't exist at all. It's very rare (or it used to be before this year) that someone can do something like this on their own with no compensation. So now at least Bun exists.
I'm with you... I think it's helped Node.js a lot to have Bun and Deno implementing new features that help push Node forward. I think it's been a bit of a miss not integrating npm into Node along the way... Mostly in that npm is a separate org from Node, which is its own issue... I kind of like JSR a lot myself, so hope it continues to pick up some traction.
I really don't get terminal UIs that try to rebuild GUI-like functionality. Don't we think that computer interfaces should get better? We're not limited to a grid of characters to pretend to draw lines and shapes with anymore. You can't even display an image in a terminal without a non-standard terminal like Kitty or iTerm.
It's just a shame that we don't have a great cross-platform, streamed UI system. The web is great in its own ways, but clearly something could be a lot better for this purpose. Flutter's ok, but not on-demand enough and too married to Dart.
This is because of the failure of the modern GUI environment.
They want a GUI, but, instead, they have to resort to something like this. A GUI in a TUI.
They want something portable. They want something that can run remotely. They want something they can run more safely than having to expose a socket. They don't want to have to bring up an entire desktop.
Rootless windows are effectively dead. That leaves web interfaces (and all of their issues) or doing a TUI, where all you need is an SSH connection that everyone already has.
In the past you could slap something together with Tcl/Tk, and just launch the window over X Windows. That's not so easy today, and no one is running remote X anyway.
The LCD is SSH, and these are the only things that fit.
> That's not so easy today, and no one is running remote X anyway.
I was quite recently, but even then remote X is missing a really big usability piece: keeping a long-running application open on the host and periodically connecting to it from a remote node (concretely: connecting to my server from my laptop). VNC/RDP/etc all do this at the desktop level, but they're pretty mediocre experience-wise.
tmux gives me this for terminal applications without really any compromises. I run tmux for local terminals as well as remote terminals; the hotkeys are all deep muscle memory at this point. It just works.
Agreed. I dread GUI development, hence I never build GUIs. If there were a library for my language of choice that worked multi-platform and used native components then I’d be interested.
> That's not so easy today, and no one is running remote X anyway.
If you:
1. Have a low-latency connection to a decent machine, and
2. Are on a machine that's weak, or isn't yours, or that you don't fully control (e.g. employer forces you to run Windows)
> really don't get terminal UIs that try to rebuild GUI-like functionality.
Because it's easy to get things done for a TUI, but if I create a proper GUI, my codebase is suddenly more complex. And it's not like there's a solid, reliable GUI toolkit that I can use, they're all riddled with different bugs and caveats.
> Flutter's ok
If you ignore the absolute nightmare that is building applications in Flutter. Even Flutter itself isn't really designed to be compiled by anyone (although, in practice, your distro will shield you from this issue).
> You can't even display an image in a terminal without a non-standard terminal like Kitty or iTerm.
Sixels are supported by many terminals[0] (several of the terminals mentioned that do not support them are based on GNOME VTE for which support is in the works and, based on the bug tracker comments, it seems to be almost done).
This includes xterm which is probably the most "standard terminal" on X11 you can get.
My motivation is avoiding all the piles and piles of extra software dependencies that X and/or Wayland bring in.
In addition (though this might only be relevant to my niche platform), Wayland is buggy and X is deprecated and unmaintained, making GUI work there a constant struggle.
This is angling in the right direction, but I think it has two problems:
1) It's still assuming agents have CLIs. This is a very developer-centric concept of agents, and doesn't map well to either consumer or enterprise agents that aren't primarily working with files. Skills, plans, TODO lists, and memory are good, but don't have to be modeled as raw file access. Many harnesses have tools for them.
2) It's talking about a singular sandbox. That's not good enough for prompt injection prevention, secure credential management, and limiting the blast radius of attacks.
> It's still assuming agents have CLIs. This is a very developer-centric concept of agents, and doesn't map well to either consumer or enterprise agents that aren't primarily working with files. Skills, plans, TODO lists, and memory are good, but don't have to be modeled as raw file access. Many harnesses have tools for them.
Why can't it just be a simple CLI? Even small AI models are plenty smart enough to think "It's a *nix system, I know this!"
For 1, the general thinking is that companies like these perform the job of abstracting the CLI complexity in their application, while the harness presented to the LLM can be independently as suave as needed for it.
It never ceases to amaze me how many people don't even look at their bank/credit card statements and just let their credit cards auto-pay.
Back when I was poor, I was logging into my bank and credit card accounts at least twice/week. I always knew within $20 how much money I had.
As a well-paid tech worker, I'm still checking at each paycheck (2x/month) and paying the credit card off every time, but I'm still scanning the statements for any unexpected charges and to keep a pulse on my spending.
Fun anecdote, my wife started talking to me while I was scanning my statement once and she noticed there was a $20 charge from a business named "Your Side Chick" that she questioned in a joking way. It was from a food cart that specializes in chicken strips.
FWIW, I find looking at my statement and trying to remember if I actually made a random purchase of $8.63 to some unrecognizable name three weeks ago to be a much more difficult workflow than just enabling email notifications for every transaction so I can triage them quickly / at my convenience.
The food cart scene in the Portland metro area is really good. Those chicken strips were amazing and the sauce was superb. And despite hating both kale and cole slaw, their kale cole slaw was delicious.