Google Cloud Fraud Defence is just WEI repackaged

CAPTCHAs were designed as a type of Turing Test, not a reverse Turing Test. It’s not surprising that the effectiveness of these weaker variants has collapsed, given that AI can now pass the real Turing Test.

With the crosswalk, bike, motorcycle, stairs type of things, wasn't that just improving their training data?

The person who scanned to QR code is knowable. They have their IMEI encoded in the response.

https://www.fbi.gov/investigate/cyber/alerts/2026/evading-re...

> The following methods can be used to acquire residential IP addresses for a residential proxy network:

> Software development kit (SDK) partnerships: Proxy services convince mobile application developers to include their SDK in applications in exchange for payment for each person who downloads the application. Individuals download the application and accept the terms and conditions, allowing the SDKs to run in the background and route proxy traffic through users' devices.

> Virtual private network (VPNs) with hidden terms of service: Free VPN services may enroll users' devices in a residential proxy network, without obtaining their consent. The details are often hidden in the terms of service, which most users do not read prior to download, or the language is difficult for the user to understand.

> [malware and compromised IoT devices]

> Passive income schemes: Proxy services convince people to download applications on their device that promise to pay them for their internet bandwidth. People often do not realize that criminals use their internet connection to commit cyber attacks

One reddit post says bandwidth sharing passive income schemes paid them $1 to $9 per month.

I used to know some Americans who were on the poorer end of the spectrum, and apps that paid you for performing fitness activity and such weren't uncommon in that demographic. Not as much of a thing in Europe for some reason.

I believe the cheap Chinese pirate TV boxes that are somewhat popular in the US these days are also in botnets, which is likely how the vendors make them so cheap.

Oh it's better than that now, if you can afford the up-front costs. You can set up a phone farm with cheap Google-certified devices, and the control software manages the Google accounts and botnet connection (through multiple residential proxies, of course). All of these attestation games are DOA.

I'm afraid it's far less enticing. The usual offer is "To continue playing, pay $0.99 or hit AGREE to share your internet connection with Legit Services Inc."

And that's assuming they're nice enough to ask at all.

I'm pretty sure it's one of the revenue models for those free tv/movie boxes. You can even see them at best buy. Absurd.

Part of the problem is also that Google wants to permit crawlers to do some things but jot others.

Their announcement is full of buzzwords about "agentic" things. Detecting LLMs is one thing, but imagine the power of being able to pick which LLM browsers are permitted and which aren't!

I think Google is being too early to the party with this. Cloudflare still has CAPTCHAs to throw at the wall. There are ways other than attestation to verify that someone is a real human, but they're getting more and more annoying to real users and harder and harder to implement on a small website.

Despite the massive implications, this is a simple system that just works for the 99% of people who use Chrome or Safari or at least have access to an Android phone or iPhone somewhere. It's quick, doesn't require installing apps or creating accounts, and it just works from both the website perspective and the user perspective.

Of course when you start thinking about people with disabilities things become problematic, but when have tech companies ever really cared about that sort of thing? Inclusiveness was fun and all for a while, but the clowns the American people elected banned that sort of thing for any company considering government contracts, and big tech licked that boot like it was made of honey.

The world becomes a lot easier if you just decide to ignore all edge cases and assume customers who disagree with you didn't matter anyway. And infuriating as it may be, for companies like Google, that business model works.

>Why? What's LLM generated? How can you tell?

Not the guy you're responding to, but:

1. The high number of (em) dashes is suspect, though it's unclear whether they manually replaced the em dashes or is actually human generated.

2. "One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem" feels out of place for a content marketing piece. HN isn't popular enough to be invoked as a source, and referencing it as "the HN thread" seems even weirder, as if the author prompted "write a piece about how google cloud defense sucks, here are some sources: ..."

3. This passage is also suspect because it follows the chained negation pattern, though it's n=1

>No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate.

edit:

I also noticed there are 2 other comments that are flagged/dead expressing their reasons.

The choppy language is the biggest trigger for me. Examples:

* "With Fraud Defense, there was no process to respond to. The product launched. The requirements page went live."

* "That is not a technical limitation waiting to be engineered around. It is the mechanism."

* "The defeat is mechanical. Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware."

I could be wrong, of course. Maybe humans are starting to write like LLM's, or maybe it's just confirmation bias on my part.

Look at the number of : per paragraph. What human puts two : in a single sentence?

"One additional failure worth noting: one incident response professional in the HN thread, raised a concern that operates independently of the bot problem: …"

The ersatz Ted Talk meets LinkedInfluencer rhythm of sentences, the throat clearing fillers as connective tissue…

Or Wikipedia: https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing

The entire article is just one long stream of short, punchy, declarative sentences. The latest Claude models are notorious for writing like this.

There's also a few cookie-cutter patterns that should immediately jump out at you if you're at all familiar with AI writing, such as:

> No hardware identifier is transmitted. No attestation is required. No certification layer determines who may participate. User privacy is structurally preserved, not promised.

> Google Cloud Fraud Defense is not a reCAPTCHA update. The QR code is the visible mechanism, but device attestation is the real product.

It's really obvious. The repeated information. The very. short. sentences. The incessant detail. The tangents that go nowhere. And LLMS always try to structure the entire essay into topical sub-sections.

They can't tell. It has become a statistical thing. There will exist some percentage of them that assumes an item is AI generated. With enough people seeing something, you'll see the accusation.

"this is AI" is the new "This is shopped", but without the "I can tell by the pixels" rejoinder.

I mean sometimes they're right, but honestly in this day and age does that even matter?

Turns out that identifying a problem doesn't help without a workable solution/alternative.

What is RMS’ solution to this problem?

Root mean square?

Indeed, occasionally hammers do find nails to hit.

If RMS said not to trust Google's self-proclaimed altruism and relationship with open source, yeah. I always assumed that was a backstab waiting to happen. But that only meant I used an iPhone and didn't care that it was more closed than Android, not that I got an Arch Linux phone or something. (And a Mac more importantly, but there's not really a Google counterpart to that.)

> skip the whole web design part entirely and pipe our content through their pre-defined UI

It's a shame this part didn't stick. I use reading mode every chance I get be cause the more design a page has, the worse it is. For some reason orgs agreed that it is ok to let medium or substack own their content, but hated Google's high speed CDN.

This makes me curious, where did they go?

Hell, even using cash feels like a minor form of dissent. And of course even if you leave your phone at home, your car will be scanned with ANPR wherever it goes. And if that fails, there's still your face to be tracked.

I said 16 years ago that when IPV6 was coming into use was the only reason for a 128 bit address space was so they could tie every packet on the internet back to you as a person. https://news.ycombinator.com/item?id=1464940

It doesn't help that your first sentence makes you sound like a conspiracy theorist riding his hobby horse. I read on despite that, but others may not.

[flagged]

Huge fan of Kagi so far - especially SmallWeb if you do want to find websites that probably would not hit the top of Google search results

> Chrome and Search which are both monopolies

I'm on Firefox and use DuckDuckGo.

It cracks me up when people say Chrome is a monopoly, because a massive amount of computing devices do not even ship with Chrome. Windows computers, Macbooks, and iPhones require users go search out and install Chrome on their own out of their own volition, shipping with entirely functional and decent browsers out of the box that they have lots of patterns to push. Even many Android phones ship with browsers other than Chrome as a default still from what I understand.

How is Chrome, of all things, a monopoly? Have words just entirely lost all meaning and now monopoly just means "things which are popular that I dislike"?

They lost their search monopoly when LLMs came.

No they didn't. Firefox unseated Internet Explorer. Chrome then got big by putting its installer right on the Google homepage and harassing users to install it. And they had it bundled with other software, and would install as a user so that locked down computers could still run it. They absolutely did not win by embracing open standards.

If I may tie this into other things going on, The California wealth tax as written would force Larry and Sergei, if they didn't move out of California, to basically sell almost their entire stake in Google, and it would probably wind up owned by State Street and Vanguard who outsource their proxy votes to ESG consultants, who will probably vote for more surveillance.

It is understandable but you can also use a simpler browser for common things and use chrome for banking or things like that

Qutebrowser is my favorite daily driver, save for a few sites I can't boycott and which need Firefox or something.

What's up with the reviews? It's pure spam and the 1-star review is completely hidden.

hacker news when discovering that apple deployed WEI, for ages, with beloved IT company Cloudflare, affecting hundreds of millions of users: "aww, you're sweet"

hacker news when reading that google is doing the same thing for the rest of the userbase: "hello, human resources?"

One company can soon dictate who can enter the websites. And only two commercial operating systems are viable in the world after this change. Not nice.

I believe the latest versions of iOS just work from the browser, you only need to install the app for older versions of the OS.

I don't know what technology they're using, but when I scanned the QR code it launched (downloaded?) an iOS app of sorts with one tap, similar to the way Google tried Instant Apps a few years back. Didn't even need to double tap the power button like usual.

They also have Private Access Tokens: https://developer.apple.com/news/?id=huqjyh7k

This still doesn't seem very economical for the bot farm. For a device to look legit it has to only use its hardware identifier about as often as a real human would. This massively changes the economics. If you have 1 bot farm customer that wants 20,000 solves in a day, the bot farm would need something like 20000/200=100 phones to provide this. (assuming a real user can do about 200 solves before being flagged).

And the cost for the bot farm being detected is very high because if a phone's root key loses trust it destroys the value of the ~$30 phone they purchased. And of course, I'm sure Google can use the phone's value as another signal for trustworthiness, treating cheaper phones many generations behind as less trusted.

I don't think bot farms will go away completely, but the price will spike massively, which is all you need to discourage many types of abuse. Some Googling show that reCAPTCHA solves are about $0.003 each right now, so quite cheap. With this new reCAPTCHA, I suspect the price will jump massively.

I remembered $30 from some comment I read, but didn't look for it later. If it was yours, thank you! (def. thank you for the Wallmart link! - would you like a credit in the blogpost like a quote?

It will be fewer accessible services for everyone who refuses to use this, that's for sure. In general though, service providers are not going to accept "fewer services and infinite fraud" and thus they will look into implementing this.

For one, I got to see how utterly insane and off-base many of the conspiracy theories around Chrome were compared to reality.

Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.

neither can Google Cloud Fraud Defence, and yet we're here