HackerTrans
TopNewTrendsCommentsPastAskShowJobs

arbol

796 karmajoined 9 anni fa
Long time lurker, first time founder. Building bot detection (prosopo.io) with a small team and not very much money :)

Submissions

GitHub Copilot rate limits Pro Users

github.com
13 points·by arbol·3 mesi fa·8 comments

Show HN: Curation: Share Podcast Recommendations

curation-509629088134.us-west1.run.app
2 points·by arbol·3 mesi fa·0 comments

npm registry down

1 points·by arbol·7 mesi fa·1 comments

We suffered MongooseJS so you don't have to

prosopo.io
6 points·by arbol·7 mesi fa·0 comments

We cut our Mongo DB costs by 90% by moving to Hetzner

prosopo.io
261 points·by arbol·8 mesi fa·205 comments

GitHub Actions seem to be down

9 points·by arbol·9 mesi fa·1 comments

comments

arbol
·3 giorni fa·discuss
If you're on a proxy network then you're detectable by TLS handshake timings, for example. You are right though that agent mouse and touch behaviour is almost inseperable from human data these days. So you need to use a combination of techniques in order to detect automation. At Prosopo we check TLS timings, SIMD performance, page similarity, fingerprint proofs, agent honey pots, JS inconsistencies. Rate limiting is surprisingly effective as an initial deterrant. There is no magic single thing that works for all clients, it's a case of learning distinct bot operators' behaviours.
arbol
·19 giorni fa·discuss
It works both ways... We use prompts hidden in our bot detection system that are unreadable to humans but trigger additional payloads.
arbol
·21 giorni fa·discuss
Tories were in governance from 2010 - 2024. And things didn't exactly improve.
arbol
·21 giorni fa·discuss
> The site’s content happens to include an HTTP/2 endpoint that, when presented with an anonymous authorization token, behaves as a VPN server’s outer layer

Is this not the fingerprintable aspect? Wouldn't you need to randomise the HTTP endpoint to avoid eventually being banned based on URI?

Cool idea btw.
arbol
·21 giorni fa·discuss
What about the services that rent vps/compute for crypto?
arbol
·21 giorni fa·discuss
Adblock??
arbol
·24 giorni fa·discuss
When they realise their social media ban for children doesn't work
arbol
·26 giorni fa·discuss
It's just a concept, not a real test.

Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
arbol
·28 giorni fa·discuss
AI generated drivel
arbol
·mese scorso·discuss
> coming from normal-user IP addresses

This is the standard now for astroturfing online. Build up a profile over time with varied interactions, sometimes over years, and then sell it for a few hundred dollars via blackhatworld. I've not seen hn listed but reddit definitely follows this pattern.

If you think the IPs are normal, you can check if people are proxying by looking at DNS connecting IP (they may not have proxied UDP), SIMD score (server CPUs cluster differently to consumer), residential proxy lists (there are a bunch of these), invalid webgpu setups, etc. Maybe this kind of detection is against HN way of doing things but I've definitely seen recaptcha on the login before and it employs a bunch of these checks. Happy to help!
arbol
·mese scorso·discuss
So far its cost me $2.27 to submit a contact form 3 times - why is this better than a captcha solver with human solves at 1000 per $2?

On your automation, your tool fed back to me as follows after 3 submissions:

> The CAPTCHA is persistently blocking now — Prosopo's widget appears to have flagged the session/IP due to the repeated submissions. The checkbox won't reset this time. This is expected behavior from their bot protection product. To submit again, you'd likely need to wait a while for the rate limit to clear, or submit manually from your own browser.
arbol
·mese scorso·discuss
It's not hard to setup JA4 monitoring and I think its valid as a coarse filter. There are various plugins for nginx/node.

> I've seen people waste so much time with the whack a mole JA4 block just because they like the intellectual challenge

You just store the ja4 on requests and build a catalogue of known JA4s over time using statistics. Outlier JA4s you treat with suspicion by default and challenge. It shouldn't be manual.

> If someone invests time/money in using a captcha solver, they're already dedicated enough and will easily get around a JA4 signature block.

Obviously, not for the regular user but captcha solvers are also blockable: - proxy detection - detection by running DNS server and capturing real IP over UDP request - abnormal TLS handshake latency - repeat behaviour at scale - rendering captcha on a fake origin instead of in the real page
arbol
·mese scorso·discuss
In combination with other signals JA4s are useful. You learn to spot obviously incorrect ones because Chrome always looks different from Safari which looks different to Firefox. Captcha solvers have their own unique JA4s based on whatever scripting language they're using (pyhton / rust / node). As another commentor pointed out, browsers have unique sets of headers like priority, DNT. So yes, it won't stop dedicated attackers but it is worth implementing as a coarse filter.
arbol
·mese scorso·discuss
Is it not just a case of most of their clients being US based?
arbol
·mese scorso·discuss
At the time, reCAPTCHA was the alternative and it was effectively working as a giant ad targeting data collection tool. I'm pretty sure Google have now back tracked from this.

WebGL finger printing is just one of many things you need to do if you actually want to stop automation. There is no way round it other than requiring ID of some sort.
arbol
·mese scorso·discuss
I think we're talking about 2 different things. PoW is annoying for basic scrapers but it really doesn't affect enterprise grade bot operations with access to unlimited residential proxies.
arbol
·mese scorso·discuss
It's either that or you tie tickets to government ID like in France. If the arbitrage opportunity is more than the cost of automation then someone will exploit it.
arbol
·mese scorso·discuss
You literally can't get rid of it without introducing government issued ID to buy any scarce freely accessible items
arbol
·mese scorso·discuss
I'm no CF advocate but those random APIs are literally what differentiates people running Chrome on their computer versus a bot operation with a load of containers. Kubertnetes clusters don't have GPUs. This is why it's used in bot detection (I use brave with no hardware acceleration and I'm captcha everywhere)
arbol
·mese scorso·discuss
Yeah, this doesn't even begin to cut it