HackerTrans
TopNewTrendsCommentsPastAskShowJobs

arbol

796 karmajoined 9 лет назад
Long time lurker, first time founder. Building bot detection (prosopo.io) with a small team and not very much money :)

Submissions

GitHub Copilot rate limits Pro Users

github.com
13 points·by arbol·3 месяца назад·8 comments

Show HN: Curation: Share Podcast Recommendations

curation-509629088134.us-west1.run.app
2 points·by arbol·3 месяца назад·0 comments

npm registry down

1 points·by arbol·7 месяцев назад·1 comments

We suffered MongooseJS so you don't have to

prosopo.io
6 points·by arbol·7 месяцев назад·0 comments

We cut our Mongo DB costs by 90% by moving to Hetzner

prosopo.io
261 points·by arbol·8 месяцев назад·205 comments

GitHub Actions seem to be down

9 points·by arbol·9 месяцев назад·1 comments

comments

arbol
·3 дня назад·discuss
If you're on a proxy network then you're detectable by TLS handshake timings, for example. You are right though that agent mouse and touch behaviour is almost inseperable from human data these days. So you need to use a combination of techniques in order to detect automation. At Prosopo we check TLS timings, SIMD performance, page similarity, fingerprint proofs, agent honey pots, JS inconsistencies. Rate limiting is surprisingly effective as an initial deterrant. There is no magic single thing that works for all clients, it's a case of learning distinct bot operators' behaviours.
arbol
·19 дней назад·discuss
It works both ways... We use prompts hidden in our bot detection system that are unreadable to humans but trigger additional payloads.
arbol
·21 день назад·discuss
Tories were in governance from 2010 - 2024. And things didn't exactly improve.
arbol
·21 день назад·discuss
> The site’s content happens to include an HTTP/2 endpoint that, when presented with an anonymous authorization token, behaves as a VPN server’s outer layer

Is this not the fingerprintable aspect? Wouldn't you need to randomise the HTTP endpoint to avoid eventually being banned based on URI?

Cool idea btw.
arbol
·21 день назад·discuss
What about the services that rent vps/compute for crypto?
arbol
·21 день назад·discuss
Adblock??
arbol
·24 дня назад·discuss
When they realise their social media ban for children doesn't work
arbol
·26 дней назад·discuss
It's just a concept, not a real test.

Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
arbol
·28 дней назад·discuss
AI generated drivel
arbol
·в прошлом месяце·discuss
> coming from normal-user IP addresses

This is the standard now for astroturfing online. Build up a profile over time with varied interactions, sometimes over years, and then sell it for a few hundred dollars via blackhatworld. I've not seen hn listed but reddit definitely follows this pattern.

If you think the IPs are normal, you can check if people are proxying by looking at DNS connecting IP (they may not have proxied UDP), SIMD score (server CPUs cluster differently to consumer), residential proxy lists (there are a bunch of these), invalid webgpu setups, etc. Maybe this kind of detection is against HN way of doing things but I've definitely seen recaptcha on the login before and it employs a bunch of these checks. Happy to help!
arbol
·в прошлом месяце·discuss
So far its cost me $2.27 to submit a contact form 3 times - why is this better than a captcha solver with human solves at 1000 per $2?

On your automation, your tool fed back to me as follows after 3 submissions:

> The CAPTCHA is persistently blocking now — Prosopo's widget appears to have flagged the session/IP due to the repeated submissions. The checkbox won't reset this time. This is expected behavior from their bot protection product. To submit again, you'd likely need to wait a while for the rate limit to clear, or submit manually from your own browser.
arbol
·в прошлом месяце·discuss
It's not hard to setup JA4 monitoring and I think its valid as a coarse filter. There are various plugins for nginx/node.

> I've seen people waste so much time with the whack a mole JA4 block just because they like the intellectual challenge

You just store the ja4 on requests and build a catalogue of known JA4s over time using statistics. Outlier JA4s you treat with suspicion by default and challenge. It shouldn't be manual.

> If someone invests time/money in using a captcha solver, they're already dedicated enough and will easily get around a JA4 signature block.

Obviously, not for the regular user but captcha solvers are also blockable: - proxy detection - detection by running DNS server and capturing real IP over UDP request - abnormal TLS handshake latency - repeat behaviour at scale - rendering captcha on a fake origin instead of in the real page
arbol
·в прошлом месяце·discuss
In combination with other signals JA4s are useful. You learn to spot obviously incorrect ones because Chrome always looks different from Safari which looks different to Firefox. Captcha solvers have their own unique JA4s based on whatever scripting language they're using (pyhton / rust / node). As another commentor pointed out, browsers have unique sets of headers like priority, DNT. So yes, it won't stop dedicated attackers but it is worth implementing as a coarse filter.
arbol
·в прошлом месяце·discuss
Is it not just a case of most of their clients being US based?
arbol
·в прошлом месяце·discuss
At the time, reCAPTCHA was the alternative and it was effectively working as a giant ad targeting data collection tool. I'm pretty sure Google have now back tracked from this.

WebGL finger printing is just one of many things you need to do if you actually want to stop automation. There is no way round it other than requiring ID of some sort.
arbol
·в прошлом месяце·discuss
I think we're talking about 2 different things. PoW is annoying for basic scrapers but it really doesn't affect enterprise grade bot operations with access to unlimited residential proxies.
arbol
·в прошлом месяце·discuss
It's either that or you tie tickets to government ID like in France. If the arbitrage opportunity is more than the cost of automation then someone will exploit it.
arbol
·в прошлом месяце·discuss
You literally can't get rid of it without introducing government issued ID to buy any scarce freely accessible items
arbol
·в прошлом месяце·discuss
I'm no CF advocate but those random APIs are literally what differentiates people running Chrome on their computer versus a bot operation with a load of containers. Kubertnetes clusters don't have GPUs. This is why it's used in bot detection (I use brave with no hardware acceleration and I'm captcha everywhere)
arbol
·в прошлом месяце·discuss
Yeah, this doesn't even begin to cut it