
I might even incorporate the request rate into a bot detection algo, maybe have it trigger temporary hellbans.

-----


Request rate is definitely one thing you can limit, but it's tricky when attackers potentially control large numbers of IP addresses.

There's an annoying triangle here: wanting to preserve privacy (== unlinkability), machine-independence, and "working well for good traffic with limited resources, as well as blocking attackers with substantially more resources". Ideally it is "choose zero", I'd be happy if the state of the art were even at "choose one".
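As an added illustration of the two comments above (not code from anyone in the thread): a sliding-window request-rate limiter that triggers a temporary ban, run over constructed traffic. Thresholds, IP addresses and the `(timestamp, ip)` event shape are assumptions; the second sample shows why per-IP rate limits alone are weak against a client that spreads the same volume across many addresses.

```python
from collections import defaultdict, deque


class RateLimiter:
    """Per-IP sliding window; exceeding it earns a temporary ban."""

    def __init__(self, max_requests=20, window=10.0, ban_seconds=300.0):
        self.max_requests = max_requests   # requests allowed per window
        self.window = window               # sliding window length (s)
        self.ban_seconds = ban_seconds     # how long a tripped client is banned
        self.history = defaultdict(deque)  # ip -> recent request timestamps
        self.banned_until = {}             # ip -> ban expiry timestamp

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned_until[ip]      # ban has expired, forget it
            return False
        return True

    def allow(self, ip, now):
        """True if the request should be served normally."""
        if self.is_banned(ip, now):
            return False
        q = self.history[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # evict timestamps outside window
            q.popleft()
        if len(q) > self.max_requests:
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
            return False
        return True


def simulate(events, **kwargs):
    """Replay (timestamp, ip) events; return (served, rejected) counts."""
    rl = RateLimiter(**kwargs)
    served = rejected = 0
    for t, ip in events:
        if rl.allow(ip, t):
            served += 1
        else:
            rejected += 1
    return served, rejected


# Constructed traffic (assumed shape): 60 requests at 30 req/s from one IP,
# versus the same 60 requests spread over 30 IPs, which never trips the limit.
SINGLE_IP = [(i / 30, "203.0.113.7") for i in range(60)]
SPREAD = [(i / 30, f"198.51.100.{i % 30 + 1}") for i in range(60)]
```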

-----


er, I meant choose two, and we're generally at zero or one.

-----


I've used GAE since its inception, never even heard of anything like this happening. Any updates?

-----


Update: I attempted every contact avenue available to me and no one I spoke with (by email/contact forms and phone) seemed to know what was happening. I ended up compartmentalizing my accounts (so removed my personal id from each) and set up new billing accounts and had some moderate success. By moderate I mean:

1. I would get an email saying the restrictions had been lifted because no violations of t&c's had been found.

2. Lo and behold, all apps would be running again so I could re-set up paid accounts for appengine apps, etc.

3. About 3 hours would pass and I'd see that each app would again be suspended. A little while later I started hitting the free plan thresholds and was unable to do anything about it. I also couldn't contact customers as I had no access to data store.

This repeated for a few days and seems to have resolved itself. No explanations from Google. No apologies.

As a result I have absolutely zero confidence in their competence at supporting cloud based businesses and am currently working my ass off to migrate away.

-----


I believe he's talking about Diablo 2 (the timeframe works, and the game is notorious for duping), in which Blizzard provides shady third party companies with items, which are then sold to users.

-----


If I'm not logged into a site that I regularly use, I'm probably not logged into my email, either. In order to log into my favorite site with Passwordless, I have to log into my email as well. With my password. One login for the price of two, and I'm still using a password.

-----


Each plugin is a potential confounder.

-----


I found a demo[0] via this old forum thread from August[1].

Obviously there are privacy concerns. That being said, this looks like a boon for anyone interested in bot detection, as you can periodically challenge your users' humanity without getting too much in their way. Nice one, Google.

From the thread:

Implemented it successfully for a website. I have to say, it works great!

it also checks if html pages are changed at runtime and how many times you "reload" the page where the captcha is. When it thinks you are a bot a captcha popups, when entered, it got checked on googles servers if it's right and fills in a hidden input. When the user submits the form, the filled in captcha coded, again, will be verifed. [sic]

[0] http://www.google.com/recaptcha/api2/demo

[1] Edit: don't go to this url without adblock (see comment below). http://forum.ragezone com/f144/googles-captcha-recaptcha-1023607/

-----


The key post from that page:

"Since it goes through Google's servers, they can verify a lot of things. Whether you are logged in currently to google, have you been logged in the past, verify your activity on your IP address, etc. Even if you signed in from the same ip or ip range like a year ago, they can still tell it's you based on your previous actions."

-----


So if you are in a remote location or do not fit a specific demographic you are basically a robot.

-----


Assuming people who don't fit a demographic are robots is a step better than assuming everybody is a robot

-----


In that case you get a normal captcha, which is no worse than the current situation.

-----


The normal captchas have been getting increasingly user-hostile over time. The only limit on them is what users are willing to put up with, and now that Google's most profitable users don't get them that's less of an issue. In fact, having nearly unsolvable captchas is actually an advantage because it encourages users to let Google track them.

-----


No, this is likely done with machine learning trained on real vs fraudulent user data. So they are going to be watching for much more subtle features than just being in a different region. Tons of people travel all over the world. Fewer people manually reset their MAC addresses or use datacenter ISPs.

-----


I think the parent was using "demographic" to mean "people using computers currently tracked by google", not a regional population.

-----


That makes sense.

If I click from a normal tab I don't see a captcha, but if I click from a privacy tab I do.

-----


Beware: that second link launched a popup in my browser to a "Super Mario Game" which, in turn, pushes you to install a spammy Chrome extension called ArcadeYum.

-----


Why does Google bother with so many minor script-related security enhancements in Chrome that will barely affect anyone (such as extra HTTP headers allowing for bonus layers of XSS protection just in case the site's developers weren't smart enough to cover all possible injection angles) if they are going to also let random untrustworthy developers abuse their extension installation API to achieve over 750,000 installs of a mysterious/shady/useless browser extension that inexplicably asks for permission to read and write to the DOM on every single page of every single site the user ever visits in the future, and which very obviously only exists for the purpose of doing the exact same kinds of terrible things that XSS prevention was conceived of in the first place in order to stop?

-----


I'd like to hear arguments for why it would be unfair competition for Google to put spammy ad agencies out of business.

-----


I'd personally love them to do that. I guess the arguments are basically the double-edged sword of dictatorship. You have a paradise if the ruler is wise, just and benevolent, as you can escape pretty much all of the stupid coordination problems that pester democracies - but on the other hand you risk getting totally screwed up if the dictator goes evil (which can, and probably always will, happen over time, when a good dictator gets succeeded by a bad one).

-----


Microsoft takes out spammers.

- http://www.bbc.com/news/technology-12772319

- http://money.cnn.com/2012/03/26/technology/microsoft-raid/

- http://www.allspammedup.com/2013/06/microsoft-and-fbi-take-d...

Facebook sues spammers:

- http://www.theverge.com/2014/10/3/6901293/facebook-has-sued-...

-----


Thanks for all the evidence, but Microsoft's primary revenue stream isn't advertising, and Facebook is getting success by suing spammers that commit fraud against Facebook.

-----


Thanks for the heads up, I missed it due to adblock. I made the link non-clickable and added a warning.

-----


This seems to be following Cloudflare's (and Incapsula's and all the other competitors) approach to bot detection. Basic automatic, silent bot challenges (non-invasive Javascript and DOM tests) which, if failed, give a one-time captcha prompt.

-----


Which has the side-effect of making the site inaccessible to TOR users with JS turned off.

-----


Those people will five 9s likely be blocking ads too, so who cares?

They can enjoy my content for free no problem, but I really don't care what they have to say in regards to how I run things or have things set up.

"Fuck you, pay me" comes to mind.

-----


The Tor browser doesn't block ads. Just javascript and flash. His point is the internet is becoming increasingly hostile to privacy. It's already extremely difficult if not impossible to create anonymous accounts with tools like Tor. Which discourages things like whistle blowing, or people from areas with oppressive governments.

-----


That is a fair point; in my experience Tor is just used by bots to spam comments up with junk.

This is probably different for larger sites of course, but on our scale there's no worries blocking Tor.

Edit: Although thinking about it I don't know any ads that aren't served up without some form of Javascript

-----


The problem is that every website does the same thing, and now it's impossible to use the internet anonymously. But actual spammers can spend a few bucks on IP rotating services. IP discrimination causes far more harm than good.

Actually I don't think Tor disables javascript by default anymore, but even when I do disable it I still see ads.

-----


If comments were blocked, that's one thing, but increasingly often access to the site as a whole gets blocked.

-----


Isn't the example in [0] already used on various sites? I at least used it on the humble bundle site and saw it on other sites too.

-----


They seem to have done a small early beta over the summer, I guess they got in early.

-----


McKenna is more famous for his excessive use of psychedelics.

Terence McKenna: "There are only about 1,000 of these GBMs a year, so it's a rare disease. I never won anything before - why now?" Like everybody else, he suspected a lifetime of exotic drug use may have been to blame. [0]

[0] http://archive.wired.com/wired/archive/8.05/mckenna_pr.html

-----


The price of bitcoins has already dropped 10% since the news.

-----


>> In the checkout flow it is best practice to offer as many payment options available because it increases the likelihood of a successful conversion.

Are you sure about that? Too many choices sometimes leads to no choice at all. [0]

[0] http://www.ted.com/talks/barry_schwartz_on_the_paradox_of_ch...

-----


Exactly. See also: http://en.wikipedia.org/wiki/Buridan%27s_Ass

-----


"My bitcoins are stored in our safe deposit box, and my son and daughter are tech savvy. I think they're safe enough. I'm comfortable with my legacy."

-----


Interesting thought: Since those bitcoins were part of the first transaction, and since the transaction history for those coins would be saved and hence documentable, is it possible that those particular coins might become "collector's items"? And perhaps "worth" more than the "face value" of 10 BTC, to the right collector?

-----
