• massacre@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    7 hours ago
    1. There’s no way this can be abused. Ever.

    2. There’s no way a bot (AI or human built) could be used to simulate a human.

    This is a perfect solution!

    • Deebster@infosec.pub
      link
      fedilink
      arrow-up
      13
      ·
      10 hours ago

      It does not capture the actual keys being pressed, according to the company. It studies the timing and rhythm instead.

      That is addressed in the article. Because it’s JavaScript, we can verify this, and I’m sure that people will be scrutinising every revision of the code to check.

      • treadful@lemmy.zip
        link
        fedilink
        English
        arrow-up
        13
        ·
        9 hours ago

        Because it’s JavaScript, we can verify this, and I’m sure that people will be scrutinising every revision of the code to check.

        Have you ever seen obfuscated JS? I’m not saying it’s impossible, but de-transpiling it into something for a human then analyzing it is not trivial work.

        Don’t bet on something not being terrible just because someone with the skill could maybe spend a lot of time doing the work.

        • canihasaccount@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          5 hours ago

          Deobfuscators are fairly good IME. I haven’t checked this code in particular, but I’ve never seen obfuscated JavaScript that was uninterpretable following deobfuscation

      • pelespirit@sh.itjust.works
        link
        fedilink
        arrow-up
        8
        ·
        9 hours ago

        But you can tell what a person is typing by their timing and rhythm. I don’t have time right now, but there are articles on that.

        • Deebster@infosec.pub
          link
          fedilink
          arrow-up
          10
          ·
          edit-2
          9 hours ago

          True, people should search for “keystroke timing attacks”. It’s more effective if you include things like accelerometer data and audio.

          We can see what Cloudflare’s code is measuring and reporting to find out if those attacks would be possible.

  • DarkCloud@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    edit-2
    7 hours ago

    This has always been the way captchas work, I guess they’re expanding it to be always-on.

    • GreenCrunch@piefed.blahaj.zone
      link
      fedilink
      English
      arrow-up
      10
      ·
      8 hours ago

      my understanding is Google’s recaptcha has been doing this sort of thing forever, tracking mouse movements (as well as browser fingerprinting, IP address, and probably a million other tracking methods) to score a client as more or less likely to be human, and it’s only when it’s suspicious that it escalates to “pick the images that contain x”

      • ToiletFlushShowerScream@piefed.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        7 hours ago

        I always thought the pick the images was just an excuse to get training data because it’s never “choose images that contain a bear frolicking in a meadow” it’s always “choose images of motorcycles, busses” or “locate the Abram’s tank hidden in the tree line”.

  • BloodMuffin@lemmy.ca
    link
    fedilink
    English
    arrow-up
    6
    ·
    10 hours ago

    mixed feelings.

    i want bots to be suppressed, but I also value my privacy.

    has no one come up with a new decentralized internet yet?

  • Maeve@kbin.earth
    link
    fedilink
    arrow-up
    4
    ·
    10 hours ago

    That may sound preferable to clicking every square containing a traffic light, but it also means Cloudflare is gathering a much broader picture of how visitors behave on a website.

    Traditional bot protection tends to focus on specific moments. A visitor may face a challenge while logging in, creating an account, or completing a purchase. Once that challenge is passed, the rest of the browsing session may receive less attention.

    Edit: a lot of popular Lemmy instances use cloudflare instead of annubis. I’m not sure what this specific instance uses.

    • YoSoySnekBoi@kbin.earth
      link
      fedilink
      arrow-up
      3
      ·
      8 hours ago

      The product in this article (Precursor) is not the same as what Lemmy instances use (Turnstile). Turnstile uses the same cryptographic proof-of-work puzzle as Anubis and does not track any of these other metrics. If you see a CAPTCHA-style “Verified” message with Cloudflare’s logo, you’re seeing Turnstile, not Precursor.

      • Maeve@kbin.earth
        link
        fedilink
        arrow-up
        3
        ·
        8 hours ago

        It’s an enterprise product, for now. I suppose that depends on how deep pockets are.