zlacker

[parent] [thread] 10 comments
1. JohnFe+(OP)[view] [source] 2023-07-26 18:15:03
Captchas are intended to stop bots. WEI is intended to vet that the hardware and browser has been validated. That doesn't impact bots, because you can implement bots on top of a valid hardware and browser so it will pass the WEI check.
replies(3): >>jrockw+C2 >>danShu+Rg >>ec1096+151
2. jrockw+C2[view] [source] 2023-07-26 18:24:39
>>JohnFe+(OP)
I remember the discussions on Slashdot many years ago about the "analog hole"; you can have all the DRM you want, but people can still point a camera at the screen and record a non-encumbered copy that way. This is definitely the case with automating web activities; you take a trusted computer, point a camera at it, and have your bot synthesize keypresses and mouse movements. There is absolutely no way for a website at the other end of the Internet to know that a human is using the computer. (I see this as the "end game" for FPS cheating. I don't think anyone is doing it yet, but it's bound to happen.)

I'm guessing the reason we want attestation is so that Chrome can drop ad blockers and websites can drop non-Chrome browsers. But there is no reason why you can't do the thing where you point a video camera at a monitor, have AI black out the ads, and then view the edited video feed instead of the real one.

The only use for attestation I see is for work-from-home corporate Intranets. Sure, make sure that OS is up to date before you're willing to send High-Value Intellectual Property to the laptop. That... already works and doesn't involve web standards. (At my current job, I'm in the hilarious position where all of our source code is open-source and anyone on Earth can edit it, but I have to use a trusted computer to do things like anti-discrimination training. It's like opsec backwards. But, the attestation works fine, no new tech needed.)

replies(2): >>pests+cf >>Crimso+PU1
◧◩
3. pests+cf[view] [source] [discussion] 2023-07-26 19:11:31
>>jrockw+C2
> and have your bot synthesize keypresses and mouse movements

Is this truely going to work though? Captcha provider already monitor mouse and keyboard movement while on the page. Can you really "synthesize" human-like mouse movements around the page? I'm not so sure.

replies(3): >>jrockw+Dh >>tikhon+Sl >>JohnFe+Mp
4. danShu+Rg[view] [source] 2023-07-26 19:18:20
>>JohnFe+(OP)
This is also how you know the "this won't impact extensions" talk is likely nonsense.

If you can still run extensions you still need captchas. So one possible road this takes is Google launches it, everybody still uses captchas because extensions in desktop browsers still make automating requests trivial -- and then we lock down extensions because "we already locked down the hardware and we really do need to do something about captchas..."

◧◩◪
5. jrockw+Dh[view] [source] [discussion] 2023-07-26 19:21:18
>>pests+cf
I am sure you can. This is exactly what AI excels at!
◧◩◪
6. tikhon+Sl[view] [source] [discussion] 2023-07-26 19:40:01
>>pests+cf
Captcha providers can't rely exclusively on mouse movement because of accessibility considerations, and it seems pretty easy to emulate human-like keyboard interaction. Emulating realistic mouse movement is more difficult but probably doable too.
replies(1): >>helloj+QR
◧◩◪
7. JohnFe+Mp[view] [source] [discussion] 2023-07-26 19:53:50
>>pests+cf
> Can you really "synthesize" human-like mouse movements around the page?

Yes. It's not even very hard.

◧◩◪◨
8. helloj+QR[view] [source] [discussion] 2023-07-26 21:55:07
>>tikhon+Sl
I bet it's pretty easy. Capture your own mouse movements from one place to the next as denoted by clicks. Then train a model on reproducing those movements, using your captured data of movement from points A to B. It would probably generalize well enough to pass the verifications. Humans are very unpredictable, so I assume those are mostly looking for superhuman speed and accuracy.
replies(1): >>costco+al1
9. ec1096+151[view] [source] 2023-07-26 23:14:29
>>JohnFe+(OP)
> We're still discussing whether each of the following pieces of information should be included and welcome your feedback:

  * The device integrity verdict must be low entropy, but what granularity of verdicts should we allow? Including more information in the verdict will cover a wider range of use cases without locking out older devices.
  * A granular approach proved useful previously in the Play Integrity API.
  * The platform identity of the application that requested the attestation, like com.chrome.beta, org.mozilla.firefox, or com.apple.mobilesafari.
  * Some indicator enabling rate limiting against a physical device
◧◩◪◨⬒
10. costco+al1[view] [source] [discussion] 2023-07-27 01:03:42
>>helloj+QR
https://github.com/vincentbavitz/bezmouse

> BezMouse is a lightweight tool written in Python to simulate human-like mouse movements with Bézier curves. Some applications might include:

> BezMouse was originally written for a RuneScape color bot and has never triggered macro detection in over 400 hours of continuous use.

:)

◧◩
11. Crimso+PU1[view] [source] [discussion] 2023-07-27 06:26:45
>>jrockw+C2
> I see this as the "end game" for FPS cheating. I don't think anyone is doing it yet, but it's bound to happen.

You're behind the times. It's not widespread but it's been happening for years.

Also the other day selenium author (iirc) said they are working on such a thing for "automated testing"

So this proposal will do nothing to prevent bots; maybe increase the cost a little.

On the other hand, it will surely discriminate people, new emerging technology and companies. No other search engines can be built. No new browsers. No openness.

Anyone supporting this proposal is either pure evil or stupid or both.

[go to top]