Posted by ribtoks 1 day ago
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
The military industrial complex created the internet, and has funded many of the big players in Silicon Valley. Their goal was never an open and free internet.
That's $30 per account, not one time. Because of the following:
> Device attestation does not just gate access - it produces attribution. A device with a stable hardware identity creates a persistent identifier that crosses sessions, browsers, and private browsing modes.
If you put all your bot accounts on one device, they all get banned at once. So fraudsters have to spread their accounts across multiple devices and replace them when they inevitably get banned. That's the reason for all the spying, attestation, and lockdown bullshit behind Google Cloud Fraud Defense. It is far easier to ban fraudsters if you just let the Maoists run the Risk Department.
The author proposes an alternative solution: proof-of-work. And, yes, there are use cases for that, such as Anubis. Google might even want to consider a proof-of-work option in certain scenarios. But there is no scenario in which someone's phone deliberately burns $30 worth of compute - perhaps a quarter of the user's battery - and the user still has a good onboarding experience. Most of your actual users are not going to be able to burn compute as efficiently as fraudsters, either - so maybe you have to burn the whole battery on a phone to cost a fraudster $30. Proof-of-work is, strictly speaking, anti-egalitarian and anti-democratic. "One CPU, One Vote" is less useful than you think when you realize fraudsters have the money to just buy lots of CPUs to always win[0].
Every Risk Department eventually reinvents arbitrary and capricious punishment. When you have no legal authority to prosecute crime, you rely entirely upon your freedom of association and ban people with a hair trigger. It's the only thing that works. Personally, I'd rather live in the world where governments actually took fraud seriously and corporations didn't have to do this, but for right now, GCFD is at least less onerous than WEI in the sense that WEI was going to lock down all browsers. GCFD just means I have to keep a Google-approved phone around to scan a QR code every once in a while.
[0] I'm not mentioning the massive waste problem proof-of-work creates, because obviously attestation will also produce waste. Actually, if anything, the fraudsters will probably wind up dumping all their banned devices on the used market and ruin it.
I wonder what you've done that might warrant harassment?
Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game. This and the WEI proposal are trying to solve a very, very real problem. If you continue to deny the problem, or every proposed solution without working towards an acceptable one, people will route around the blockage.
Given how important the internet is to modern society, letting any one entity decide who should and should not have access is nearing a human rights issue.
Where are they? Where? Can you point me to one person in this thread who "disagrees with the idea that this is bad"? Apparently even you don't go that far.
I think the idea is sad and tragic, but also that we are at the point where we have no choice but to do something.
AI/LLMs have created a vector for abuse that previous tools are failing to protect against, and the problem is only getting worse.
I'm sick of the increase of LLM slop on websites in comments and posts. I'm sick of how fraud and spam and abuse can be increasingly automated in ways current tools can't catch. I'm sick of hosting costs exploding as hobby websites get hammered for no reason.
I don't realistically see any alternative but for some kind of reliable signal that a web request is most likely coming from a real person (not a perfect guarantee, but something good enough). Which means some kind of attestation that it's a real hardware device that costs at least a few bucks and is making human-level numbers of requests (not millions per day), or else some kind of digital ID attestation system.
And I much prefer device attestation that keeps you personally anonymous, as opposed to identity attestation that will inevitably allow the government to track your browsing.
So this seems like the lesser evil. If there are other ideas I'm very open to them as well, but I basically see something like this as a sadly necessary and inevitable evil. Something is necessary and this is less worse than the alternatives. And the fact that website owners choose whether to enable this or not means that those who want to keep an internet open to all devices and web requests can do so, if they're willing to handle the additional costs in handling abuse.
Also as the article states (referencing an HN comment):
> How should we realistically teach Susan from HR the difference between a real Google Captcha QR code and a malicious phishing QR code - you (realistically) can’t.
Susan from HR is the least of it. This is a huge vector to increase fraud, not decrease it.
How would an ethical, competent engineer argue against this?
The CAPTCHA company who put this out might have an agenda, but also since they're in the industry they might also have knowledge to impart.
We're reaching an inflection point with the oligarchies where the old ideas of "writing a blistering editorial" or "calling your congress-critter" need to be seriously questioned as useful and other non-violent methods of recapturing digital freedom need to be entertained.
It's making a valid point.
I wondered people are reading "I wonder what you've done that might warrant harassment?" as some kind of personal threat or incitement to harassment, but I read it as precisely the opposite.
It's an entirely valid point that many of us have worked at jobs on products that did something that somebody disagreed with, and we shouldn't be asking anybody to harass us personally for it, because that is wrong.
GP is asking to "aggressively name and shame" engineers. It's entirely valid to say that you wouldn't much like that if it happened to you.
That captcha company is not trying to push spyware onto my device and punish me for daring to remove it. Google is.
> Look at how complicated CAPTCHAs are getting to try to be unsolvable with AI - it's a losing game.
So don't play. Even Cloudflare had a better idea - don't block, just demand payment.
Some people think women shouldn’t be allowed to vote, not all opinions are created equal.
Are some ideas worth more than others? Should some people's votes count more than others? You can't have both.
Of course the Googlers flagged me for touching a nerve, as is par for the course.
If you don't like this functionality, participate in democracy and work with your representatives to make it unlawful. But be prepared to humbly lose if the majority disagrees with you.
You're not, however, entitled to a "heckler's veto."
What do you think this is a call for, if not harassment?
It sounds to me like you're trying to defend harassment. If that's not true, and you also believe people should not be harassed, it would be helpful if you stated so clearly and unambiguously.
Usually people feel ashamed when they do something that is shameful. That is the definition of being uncomfortable.
> It sounds to me like you're trying to defend harassment. If that's not true, and you also believe people should not be harassed, it would be helpful if you stated so clearly.
I am against the harassment. For me, these arguments feel like you are trying to allow people to do whatever they want for the money as long as they can hide behind the company.
If the law allows it, why not?
If a company is doing things you don't like, you have a few choices:
1. Don't buy things from them
2. Picket or otherwise express your displeasure at the company's place of business
3. Publish your own complaint about them
4. Pressure your legal representative to make the behavior unlawful
I mean, I hate this QR code shit as much as anyone, but c'mon, we can and should be better - both in how we treat others, and how much we rely on this shit.
I imagine if they would be named and shamed, they would get huge contracts in companies like Oracle.