Google Cloud Fraud Defence is just WEI repackaged

ribtoks 663 points 337 comments May 08, 2026
privatecaptcha.com

Discussion Highlights (20 comments)

jchw

Exactly my thoughts. I am unfathomably angry and I want to contribute to any effort to dismantle Google as a company.

amazingamazing

AI use is far more prevalent now than then sadly. This kind of scheme is inevitable since compute is not free.

llbbdd

"ChatGPT, generate a blog post that packages an ad for my service that competes with Google by harvesting HN's latent anti-Google rage."

breakingcups

I fucking hate this future. It's bleak. The engineers participating in this should be ashamed.

spankalee

Given all the negative comments here - what is anyone's alternate solution for AI-driven fraudulent activity? CAPTCHAs are increasingly ineffective. Services are either going to go offline or implement some kind of system like this. PII like credit cards or SSNs aren't enough because those are regularly stolen. So where do things go? Fewer services and infinite fraud?

HackerThemAll

We do need to abandon the reality where we use the same few companies on a daily basis and get back to what's now hidden under the surface: forums, blogs, personal websites. We need to re-discover the "free" internet we used to have before Facebook and smartphone dystopia happened.

Havoc

Whether it's AMP or manifest 3 or Android source shenanigans or attempts to replace cookies with their FLoC nonsense or this... Google is rapidly turning into a malicious force when it comes to the open internet.

ChrisArchitect

Related: Google Cloud fraud defense, the next evolution of reCAPTCHA https://news.ycombinator.com/item?id=48039362

VBprogrammer

In a world where everything is shit, could I at least take away some solace in this helping to reduce Cloudflare's hegemony?

biennvops

Thankfully I haven't met reCAPTCHA that often nowadays, thanks to other providers being more competent. (And no, not you Microslop!)

tadzikpk

This article is full of false assumptions. For example:

> Bot operators point a camera at a screen, a trivial automation with off-the-shelf hardware. For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

A bot farm cannot bypass for long with a $30 phone. Do you seriously think that if Google sees the same hardware identifier 1000s of times a day they are not going to consider that usage to be fraud? I appreciate that Google's made a real proposal to avoid the web becoming bottomless AI slop. This article hasn't come with a better alternative - I'd love to see one!

munchler

I think this is the third HN link I've clicked on in a row that leads to an LLM-generated article. I'm not opposed to AI, but I'm tired of seeing it quietly substituted for human thought and expression.

dgrin91

Maybe a dumb question, but how is this supposed to work for iPhone users? They won't have Google Play, and it seems like Android/Google Play is required here? There is no way they would cut out such a huge chunk of the market.

SwellJoe

From "Don't be evil" to building the largest, most invasive, surveillance operation the world has ever seen. That was true before this, but this indicates nothing will ever be enough. Google will always want to track more of everyone's activity online, and will use every tool at their disposal to do it.

lambdaone

This is truly disturbing, and trying to sneak it in like this without public discussion is disingenuous. Hopefully it will be shot down like last time - at the very least, there are surely antitrust issues here.

gruez

As much as I hate whatever Google's doing, this article has some issues:

> For operations that need Play Integrity attestation specifically, a compliant Android device costs approximately $30 at current market prices

This assumes the logic on Google's side is something like `if(attestationResult == "success") allow()`, but it's not hard to imagine the device type being factored into some sort of fraud score. For instance, expensive devices might have a lower fraud score than cheaper devices, to deter buying a bunch of cheap devices. They might also analyze the device mix for a given site, so if thousands of Chinese phones suddenly start signing up for Anne's Muffin Shop, those will get a higher fraud score.

> Firefox for Android does not appear in Google’s stated browser support list for Fraud Defense.

The browser only needs to show a QR code, so if you're on Firefox mobile they'll either open a deeplink to Google Play Services on the phone itself, or show a QR code.

> One human solving a single challenge pays a negligible cost. A bot farm running concurrent sessions faces exponential compute costs with each additional attempt - and AI agents, which consume GPU cycles to operate, face identical penalties regardless of how sophisticated their reasoning is.

PoW for bot protection basically never caught on because JavaScript performance is poor, and human time is worth more than a computer's time. An attacker doesn't care if some server has to wait 10s to solve a PoW challenge, but a human would. An 8-core server costs 10 cents per hour on Hetzner. Even if you assume everyone has an 8-core desktop-class CPU at their disposal (i.e. no mobile devices), a 6 minute challenge would cost an attacker a penny. On the other hand how much do you think the average person values 6 minutes of their time?

sylware

I keep banning gogol IPv4 ranges because of scanners, script kiddies (and maybe worse). Yes, I am self-hosted, and without paying the DNS mob.

everdrive

No one should ever browse the web on a smart phone. Not joking.

cynicalsecurity

This is security theatre. This isn't going to help against bots in any way.

opengrass

For merchants who don't want geeks as customers, cool. As a web-wide captcha replacement, not cool.
