Proof-of-work CAPTCHAs work well for making bots expensive to run at scale, but they still rely on accurate bot detection. Avoiding both false positives and negatives is crucial, yet all existing approaches are not reliable enough.

One comment re:

> While AI agents can theoretically simulate these patterns, the effort likely outweighs other alternatives.

For now. Behavioral and cognitive signals seem to work against the current generation of bots, but will likely also be defeated as AI tools become cheaper and more accessible. It's only a matter of time until attackers can train a model on real human input, and inference to be cheap enough. Or just for the benefit of using a bot on a specific target to outweigh the costs.

So I think we will need a different detection mechanism. Maybe something from the real world, some type of ID, or even micropayments. I'm not sure, but it's clear that bot detection is at the opposite, and currently losing, side of the AI race.

It might work for a while, but that's a losing battle.

Have you never once looked at the captcha and couldn't decide whether the 3 pixels of the motorcycle sticking out into the grid square meant that you should select that grid square too? Not once? As the tests become ever more sophisticated, more and more of you all will be locked out.

Visit a website that require identification. Generate a random unique identifier in your user agent. Live your life on that site. Download from that site a certificate that prove that your didn't abuse their site. Repeat that a few times.

Visit the site that wants to know if you are an abusive user. Share your certificates. They get to choose if they accept you.

If you abuse that site, it reports the abuse to the other sites that delivered you a certificate. Those sites gets to decide if they revoke their certificate or not.

It is a self policying system that require some level of cooperation. Users make themselves vulnerable to the risk of having sites they like loose trust in them.

Second, I am surprised AI agents are this naive. I thought they would emulate human behavior better.

In fact, just based on this article, very little effort has been put into this race on either side.

So I wonder if is has to do with the fact that if companies like google reliably filtered out bot traffic, they would loose 90% of their AD revenue. This way they have plausible deniability.

I have the opposite view. This already played out in the Minecraft community and it turns out ghost clients are effective in spoofing such behavioral signals and avoiding anticheat. Also I doubt you can get any meaningful signal from the couple of a seconds a user's ai agent is scrolling through a site.

Like the case recently of builder.ai which had humans pretending to be ai.

Turing was a visionary - but even he could not imagine a time when humans pretend to be bots.

With a hobby wiki, eventual consistency is fine. I believe ghost bans and quarantine and some sort of invisible captcha would go a long way toward my goal, but it’s hard to find invisible captcha.

There was a research project long ago that used high resolution data from keyboards to determine who was typing. The idea was not to use the typing pattern as a password, but to flag suspicious activity. To have someone walk past that desk to see if Sally hurt her arm playing tennis this weekend of if Dave is fucking around on her computer while she’s in a meeting

That’s about the level I’m looking for. Assume everyone is a bot during a probationary period and put accounts into buckets of likely human, likely bot, and unknown.

What I’d have to work out though is temporary storage for candidate edits in a way they cannot fill up my database. A way to throttle them and throw some away if they hit a limit. Otherwise it’s still a DOS attack.

> what if the turing test already runs silently across every site you open. just passive gating based on scroll cadence, mouse entropy, input lag without captcha or prompt

>what if you already failed one today. maybe your browser fingerprint was too rare, maybe your keyboard rhythm matched a bot cluster from six months ago. so the UI throttled by 200ms. or the request just 403'd.

> what if the system doesn't need to prove you're a bot. it just needs a small enough doubt to skip serving you the real content.

> what if human is no longer biological but statistical. a moving average of behavior trained on telemetry from five metro cities. everyone outside that gets misclassified.

>what if you'll never know. timeline loads emptier than someone else with explicit rejection to the content

The imagery test had me click dragging the finger pointing to see if I could line up with the animal. Probably 80% success.

Audio detect two different people with heavy accents speaking vs singular people speaking was my lowest score probably 60-70%.

Music switching instruments was around 70% also.

Ultimately I passed after many attempts on the imagery detection.

Whether the person interacting with your website is human or not isn't relevant anymore. What matters is what they are doing; be they human, bot, or AI agent.

I use keyboard navigation on many pages. Using the firefox setting "search when you start typing", I don't have to hit ctrl+f to search on the page, I just type what I want to click on and press enter or ctrl+enter for a new browser tab, or press (shift+)tab to go to the nearest (previous/next) input field. When I open HN, it's muscle memory: ctrl+t (new tab) new enter (autocompletes to the domain) thr enter (go to threads page) anything new? type first few chars of username, shift+tab+tab enter to upvote. Done? Backspace to go back. View comments of a link? Type last char of a word in the link, space, and first char of next word, that's almost always unique on the page, then escape, type men, enter, to almost always activate the comment link. Or shift+tab enter instead to upvote. On the comments page, reading top-level comments is either searching for [ and then enter+f3 when I want to collapse the next one, space for page down... Don't have to take my hands off the home row

etc. on lots of website, also ones I've never visited before (it'll be slower and less habitual of course, but still: if there is text near to where I want to go, I'm typing it). I use the mouse as well, but I find it harder to use than the keys that are always in the same place, much easier to press

So will it tell me that my mouse movements don't look human enough or will I see a "Sorry, something went wrong" http 403 error and have no clue if it's tracking cookies, my IP address, that I don't use Google Chrome®, that I went through pages too fast, that I didn't come past the expected page (where a cookie gets set) but clicked on a search result directly, that I have a bank in country A but residence in country B, that I now did too many tries in figuring out which of these factors is blocking me.... I can give examples of websites where I got blocked in the last ~2 months for each of these. It's such a minefield. The only thing that always passes is proof-of-work CPU challenges, but I dread to think what poor/eco people with slow/old computers are facing. Will this "invisible" captcha (yeah, invisible until you get banned) at least tell me how I'm supposed to give my money to whatever service or webshop will use this?

Maybe it was my fault to advertise my own solution in comments.

Such behavior however triggered bot detection. I might have behaved like a NPC. So currently a human can be identified as a bot, and banned on that premise. Crazy times.

Currently I feel I must act like a human.

These tests here are easily bypassable, just adding a random delay somewhere during the action phases to mimic humans, and there's already tools for mimicking human mouse movements.

It is getting easier and easier to create questions/problems that humans can't answer at LLM speed.

Of course, that solves a complementary problem, not the original. But in terms of instances, by any definition, the demographics are quickly moving in one direction.

Took me ages to figure out what its issue was.

Even in 2009 I knew people who were using neural networks (in PHP no less!) to decode CAPTCHAs with superhuman peformance. I see the whole thing as performative as those things get in my way tens or hundreds of times a day when I browse the web as a human but in years of webcrawling they didn't give me any trouble until the last two weeks.

So I completely disagree with this; you can train youself to completely ignore the color and just read/act on the word very fast. In fact, this is a game that people play.

https://en.wikipedia.org/wiki/Goodhart%27s_law

BRB, changing the simulated latency in my bot.