Precursor

(blog.cloudflare.com)

204 points | by AznHisoka 2 days ago ago

169 comments

  • Havoc 2 days ago ago

    It’s a bit alarming how cloudflare is establishing itself as arbiter of all things bots…both on blocking and allowing.

    Doesn’t seem healthy for the internet as a whole

    • postalcoder 2 days ago ago

      Gonna zag here. If you take a step back, cloudflare has been paving the path for pay for crawl. I think it's a noble and ambitious goal.

      While I can understand why you would be alarmed, I can point to almost two decades of lamenting on this forum about how we need better ways of rewarding content creators than ads. Well, this is it.

      Moreover, these products weren't built in a vacuum. Most threads about Anthropic and OpenAI have complaints about how these companies were built on stolen content. There's a reality we have to face here and we can't have it both ways.

      • halJordan 2 days ago ago

        Is it a better way though? The problem with ads has always been their abusive nature. From unrestrained pop ups and clickjacking in the 90s to today's pervasive surveillance and profiling.

        Cloudflare turnstile is a pop up. This product is pervasive surveillance. It having a cf logo doesn't change that or ameliorate the many many abuses that two decades have shown are part and parcel.

      • RedRocketFlash 2 days ago ago

        What's incredible is that you have businesses paying CloudFlare to stop their content being ingested by AIs (OpenAI, Anthropic, Self-operated scrapers).

        And at the same time, they're paying SEO experts to make that same content easier to be ingested by systems (Google and other Search Engines) which use it for their own AI offerings.

        Are you going to be able to make your online content available to Google Search but unavailable for Google Gemini?

        • fragmede 2 days ago ago

          Yes. Google obeys robots.txt. Set yours to disallow Google-Extended and they won't train Gemini on it.

    • skybrian 2 days ago ago

      Yes, but it’s up to their competitors to build competing services.

      • cryo32 2 days ago ago

        I think it's up to their customers not to encourage consolidation.

        • grim_io 2 days ago ago

          Microsoft is the proof that customers do want that, or that they don't have a real choice.

          • cryo32 2 days ago ago

            I think it's simpler - they don't give a crap.

            Until somewhere down the line. Like when half of Spain gets cut off due to an arbitrary block on a consolidated service facade...

        • Tade0 2 days ago ago

          Customers shouldn't have to micromanage every service and product like that.

          We have antitrust regulations for such things.

        • Catloafdev 2 days ago ago

          What Cloudflare competitors offer a similar range of services?

          • owenthejumper 2 days ago ago

            Akamai, Fastly, HAProxy, F5, many others? Talking about bots specifically, not about "workers" etc.

            • cute_boi a day ago ago

              Akamai is nightmare, they block many user mercilessly. They are worst than Akamai. I don't see issue with other though.

          • cryo32 2 days ago ago

            Do you really need Cloudflare's services to run your business?

            • Catloafdev 2 days ago ago

              Are you genuinely asking "does anybody even need any of their services"?

              • yjftsjthsd-h 2 days ago ago

                You said "a similar range of services". Basic DDoS protection is probably important, and there are other companies doing that. Beyond that, it's less obvious.

              • cryo32 2 days ago ago

                Yes. I am asking exactly that objective question.

                They are advantageous to leverage in certain situations but essential they are not. We're used to, in the technology industry, looking for or creating problems to solve with services we are aware of. Moving back to necessity and need, do we really? Are we being objective? Most of the time, no.

                • dpoloncsak 2 days ago ago

                  Theres a few alternatives, but at a minimum yes you probably need their or a competitor's Name Servers and their public DNS. Rolling your own isn't very feasible.

                  • fragmede 2 days ago ago

                    DNS hosting is easy if you did want to roll your own, but everyone one does it, especially your registrar. The more sticky bits of Cloudflare are their cloud services, specifically compute (workers) and database and object storage, all wrapped up into a convenient product (Pages). Also their identity and VPN stuff. They've come a long way since just doing DDoS protection/being a CDN.

                • Catloafdev 2 days ago ago

                  DDoS protection is pretty essential. I highly encourage you to read through what they offer if you're not familiar.

                • 2 days ago ago
                  [deleted]
        • skybrian 2 days ago ago

          That too, but they need competitors to switch to.

      • shimman 2 days ago ago

        No, it's up to the people to regulate tech companies into submission.

    • Catloafdev 2 days ago ago

      They're creating optional opt-in protection layers for the services they operate.

      I genuinely don't understand these generic complaint comments.

      Are you complaining that they offer too much? Or do you believe nobody is offering similar services?

      • stuartjohnson12 2 days ago ago

        The complaint is that the offer is a great deal with no downsides for consumers, and this is likely to result in Cloudflare having a lot of power (which they currently don't have) as a market maker. This position as market maker would grant them the power to extract economic rent from the web economy by charging both sides of the web provider and web consumer market to get access to the other.

        • Catloafdev 2 days ago ago

          So the complaint is that one day they have such a strong monopoly that they can freely turn evil?

          Just want to make sure I understand the real issue here, because that sounds like a lot of fearmongering to me.

          • stuartjohnson12 a day ago ago

            You don't need to speculate about whether a tech company with a monopoly over a major distribution channel will extract rent from it - it's incredibly profitable to do so.

          • pocksuppet 2 days ago ago

            Uhhh, they have it right now, and they are currently being evil by blocking a lot of people from accessing a lot of websites.

    • hoppp 2 days ago ago

      It's business as usual and it's our job to vote with our wallets.

    • jppope 2 days ago ago

      Agreed, but we should be honest, the internet today is far from healthy

    • cryo32 2 days ago ago

      Apart from handling of abuse reports. Yeah we're acting as CDN for this phishing site - we'll just inform the upstream about it and do nothing.

    • ianm218 2 days ago ago

      For any one of their product there is a good opportunity to build an open source alternative or something like it! Can be hard to work around they have the benefit of being able to have negative unit economics on lots of infra products... But people succesfully built tons of alternatives to google analytics and similar.

      • esseph 2 days ago ago

        What they are doing requires both physical and digital infrastructure spread throughout the globe. It's not a cheap task.

        • pocksuppet a day ago ago

          Do you actually have customers spread throughout the globe, or just in North America and some in Europe?

      • ralegh 2 days ago ago

        Open source for bot protection specifically would be difficult. If I as a bot developer can see the tests you run I can just modify my bot to pass them (either trivially or by brute force).

    • LoganDark 2 days ago ago

      It's really telling that they're starting to block anything automated ever that hasn't gone through their ID verification process. It's like literally every company that exists in the world is taking advantage of the dystopia at once

      • mark212 2 days ago ago

        no, they're giving tools to their customers who can choose freely to block or not block bots. Without those tools, the people who run sites and offer content are just flying blind. I struggle to see how this is a bad thing in any way

        • LoganDark 2 days ago ago

          My issue is with them defaulting every site to blocking any bot that hasn't gone through their verification process. It's not about the existence of the setting, but rather the behavior to enforce it by default.

    • whatjustin 2 days ago ago

      Unfortunately a common occurrence in the world. Not really a fan of cloudflare selling to both sides.

    • dzonga 2 days ago ago

      have you considered the alternative ?

      where bots run rampant ?

      trust me as an operator - I'm grateful Cloudflare exists.

    • Maxion 2 days ago ago

      To be frank, their products do work and are sorely needed.

    • baq 2 days ago ago

      ...but very bullish NET. who wouldn't want to be the toll booth where you collect money both ways

  • sudb 2 days ago ago

    Cool product launch, though it feels a little weird to me that Cloudflare sells agentic products alongside this new service that seems designed to block agentic usage of the web?

    I expect there's much more going on than just mouse path detection but I can imagine that this is already tricky for touchscreens and for people using non-traditional mouse inputs (the thinkpad nub comes to mind - but it would also be bad optics to accidentally block people using accessibility mouse tools as bot users, though then this becomes a loophole for agentic browsing!)

    In general though I think this is almost definitely a good thing to reduce agentic bot abuse & spam.

    • skybrian 2 days ago ago

      It’s less weird if you think there’s a difference between good bots and bad bots. They can provide services for good bots to use while helping people keep out the bad ones.

      If a bot is simulating mouse movement but doing it badly then that’s a strong signal of shenanigans. A good bot will obey robots.txt and do nothing to hide that it’s a bot.

      • pryelluw 2 days ago ago

        Who gets to decide what is a good bot?

        • pythonaut_16 2 days ago ago

          Presumably the site owner with Cloudflare providing enforcement.

          Generally isn't a good bot one that respects robots.txt and is respectful of the site's resources by not being spammy?

        • wnevets 2 days ago ago

          by checking which follow robots.txt?

        • wmf 2 days ago ago

          According to their plan, the good bots pay for scraping.

        • overfeed 2 days ago ago

          > Who gets to decide what is a good bot?

          Paying Cloudflare's tolls => good bot.

        • nullpoint420 2 days ago ago

          Cloudflare, apparently.

          • mark212 2 days ago ago

            no, their customers. Why do you assume that people who run websites are clueless and lack agency in this?

            • nullpoint420 2 days ago ago

              inb4 "we're updating our Terms of Service - all Cloudflare-based scrapers will now automatically be enrolled to scrape your cached websites"

              and they'll explain how it's great because it's only reading the cached versions, not hitting upstream.

        • tccole 2 days ago ago

          Me… obviously

      • mcmcmc 2 days ago ago

        The problem is they have a strong incentive to consider any bot they get paid to host as a good bot, and they can bully competitors by declaring bots they host as bad bots

        • skybrian 2 days ago ago

          Arguments based on incentives can prove anything. We could just as easily say they have incentives to provide tools to both sides and let them fight it out.

          It would be like Gmail automatically whitelisting email from other Gmail accounts or blacklisting email from competitors. Why should Google do that? Their customers are mostly strangers to each other and they want spam filters that work well.

          • mcmcmc 2 days ago ago

            > It would be like Gmail automatically whitelisting email from other Gmail accounts or blacklisting email from competitors. Why should Google do that? Their customers are mostly strangers to each other and they want spam filters that work well.

            Crazy to post this when Google basically does do that with Gmail addresses. They may shove it into your “other” folder but they do absolutely nothing to stop free Gmail accounts from spamming and phishing. Gmail spam is the biggest threat by volume I’ve seen in years of managing email security for clients

            • skybrian 2 days ago ago

              Huh, I've never seen that.

    • nozzlegear 2 days ago ago

      > Cool product launch, though it feels a little weird to me that Cloudflare sells agentic products alongside this new service that seems designed to block agentic usage of the web?

      Feels a little bit like the mob selling "protection" to shop keepers.

    • 2 days ago ago
      [deleted]
    • 2 days ago ago
      [deleted]
  • amirhirsch 2 days ago ago

    I implemented all of this in hCaptcha 6 years ago, not just to distinguish bot from human but also to recognize the keyboard/mouse behavior of the same person signing up for many accounts or testing multiple credit cards. This kind of abuse detection was a part of Cloudflare when they switched to hCaptcha in 2020 and I had thought they already implemented all this themselves four years ago when they transitioned away from hCaptcha in 2022.

    • Chu4eeno 2 days ago ago

      Didn't recaptcha v3 also do this? iirc the "silently monitor in the background" was part of the selling point.

      • amirhirsch 2 days ago ago

        Yea this is the premise behind all the invisible captchas, combined with browser fingerprinting. Same tech is used now to detect distillation rings.

  • akersten 2 days ago ago

    control+F accessibility no results

    Yeah so this mouse movement astrology is going to completely lock non-sighted/keyboard only users out of large swaths of the Internet isn't it.

    • abirch 2 days ago ago

      I'm guessing it's going to lock the non-sighted//keyboard only users out of the anonymous Internet. I'm guessing if you log in and give up your anonymity they'll consider you not a bot.

    • sudb 2 days ago ago

      I'd imagine that mouse movement is just one signal among many that's weighted appropriately, but I hope we get feedback from these users

    • nojs 2 days ago ago

      I mean CF already forces 5 minutes of motorbike identification on anyone not in a whitelisted western country, so a small percentage of blind people is unlikely to worry them.

      • eastdakota 2 days ago ago

        You’re confusing us with Google. We don’t have a visual CAPTCHA.

        • seba_dos1 2 days ago ago

          Yeah, you just have spinners that keep refreshing the page and spinning when you're using Firefox or a mobile device that's neither on Android nor iOS.

          Potato potato.

      • randunel 2 days ago ago

        They don't do that, but they do force endless loops of checkbox ticking onto users from unwanted countries https://imgur.com/a/AzNSreV

        • Uzazo 2 days ago ago

          Are you using Chromium? They block that - retry in Google Chrome.

    • DrammBA 2 days ago ago

      cmd+F mouse movement 3 result, 3/3: "Mouse movement is just one example of the signals Precursor evaluates"

    • kingleopold 2 days ago ago

      just like how smartphone developers, engineers locked people with no smartphone.Some of the users that can no longer get services are really old people, disabled. In some well developed places on earth, you can't even check in flights without a smartphone, it's not even possible to travel for them.

      Yet all people are ok with it

  • cjbarber 2 days ago ago

    This (agent detection) is now a kind of emerging space. Obviously it'll get much more important, too.

    Other products in the space:

    - Foil (https://usefoil.com/), I'm biased, a friend is building this

    - Kasada https://www.kasada.io/

    - DataDome (https://datadome.co/)

    - Castle (https://castle.io/)

    - Fingerprint (https://fingerprint.com/)

    - HUMAN (http://humansecurity.com/)

    - Google Cloud Fraud Defense, which is basically the updated reCaptcha (https://cloud.google.com/security/products/fraud-defense?hl=...)

    - this, Cloudflare Precursor

    It seems like some of the main reasons people care so far are:

    - Preventing automated credential stuffing

    - Preventing bots from creating a bunch of fake accounts (eg free trial abuse, which can also lead to high twilio SMS bills!)

    - Reducing payment fraud

    - Blocking LLM scraping

    - Blocking automated scalpers (!) eg for tickers or sneakers

    I'm curious to see which use cases end up dominating as the reason companies care about this. And I'm hopeful that my agents will still have good ways for me to browse and do things on the web on my behalf - eg detect agents and route them to an agent path, rather than blocking them.

    (I'm interested in tools for detecting AI agents and seeing how this shifts as bot traffic goes way up.)

    • lukewarm707 2 days ago ago

      happy to offer a counter of some great products for anti-bot defeat:

      https://brightdata.com/

      https://www.zenrows.com/

      https://www.capsolver.com/

      https://scrapfly.io/

      hundreds of millions of residential ips, human browser fingerprints, custom browser binaries, auto solve of turnstyle, recaptcha v3, kasada, datadome, AWS WAF, etc if they come up.

      • cjbarber 2 days ago ago

        Bright Data ranks #1 on Foil's leaderboard [1], but is still detected. ScrapFly is #4 and ZenRows #7. And I guess Capsolver isn't really a scraping thing but is more just for the captcha component.

        I think it'd be good if there were more products that did a better job of making an actually undetectable agent, but doesn't seem like any exist yet.

        [1]: https://usefoil.com/research/stealth-browser-leaderboard

        • lukewarm707 6 hours ago ago

          so, i found out why foil detects all the bypass products and the others fail badly:

          it costs $0.05 per bot check

        • lukewarm707 2 days ago ago

          i guess more people should use foil...big recaptcha, cloudflare challenge/turnstyle etc is 95+% bypassed, take your bets on how long this new cloudflare holds out

    • harrylepotter 2 days ago ago

      Darwinium (darwinium.com) is another example. Approach here involves a combination of profiling and step-transition probabilities; idea is that a customer can ring-fence a particular area of a digital estate where they might want to challenge or block an agent - eg a payment, due to chargeback risks. Precursor at least for now seems more focused on site scraping multiple docs from the same site.

  • reluctant_dev 2 days ago ago

    What prevents bots/agents from just adding "jitter" to their movements that mimics how humans move their cursor?

    I know there are other signals being used but this one in particular seems like it wouldn't be hard to beat with a small amount of sophistication from the bot.

    • nerdsniper 2 days ago ago

      Beating this would require a large amount of sophistication, not a small amount.

      Basic machine learning clustering will expose bots mouse+keyboard+touch behavior and discriminate them from humans.

      It will also likely discriminate against anyone with a disability and therefore using affordances like eye tracking. Just imagine how different a person with only one hand would look compared to a “typical” user!! This shouldn’t be too much of a problem in the USA because no one is enforcing the ADA at the moment outside of California / Illinois / NY.

      But I’m curious to hear from ‘eastdakota how they plan to guarantee that users with disabilities won’t be affected by these kinds of behavioral analysis. Cloudflare has such a massive footprint that it’s absolutely critical for them to err on the safe side of filtering, assuming they desire to be ethical.

      The immoral thing for cloudflare to do would be to say “we just provide a ‘bot likeliness score’ and it’s up to each website to decide what threshold they need”. And then wave their hands and say “we’re not the ones blocking users with disabilities…the websites are the ones setting their thresholds too strictly”.

      When you reach Cloudflare’s size … you own all the 2nd and 3rd order effects of your decisions.

      This kind of data not only separates bots from humans - it’s pretty trivial to distinguish male vs female, right-handed vs left-handed, approximate age, native language (based on keyboard input patterns), state of injury (including tracking progression of healing), and a variety of different mental/physical disabilities. How one navigates a website tells you whether they are ADHD or schizophrenic or has Parkinson’s, and it can tell you about drug use/abuse: how well is this person’s Parkinson’s treatment working? What days of the week does that person tend to abuse amphetamines?

      It is super difficult to mimic all of these signals in a way that would cluster the same as typical humans.

      • SoftTalker 2 days ago ago

        We used to say the same sorts of things about LLM prose, music, and image generation. Now just a few years later it can be very difficult to know for sure if something is made by AI or a human. There are still tells, but they are much more subtle and harder to spot, and models are still improving. Mimicing human mouse movement won't be any more of a challenge.

        • gobdovan 2 days ago ago

          Humans are very inefficient when it comes to navigating the web, but also take actions pretty fast when completing forms. You don't really need advanced ML to see bots spend two seconds to read a full page, then spend 10 seconds just to click two buttons a human would click together in under 2 seconds. The amount of sophistication in bot detection peaks at about 'if user searches 20 queries in less than 5 minutes on our search engine and uses incognito, CAPTCHA them'.

          Because of this, perfectly mimicking humans is not a good goal for a bot (as it is the case for AI in music), because they would become very inefficient, at least latency wise (throughput could be engineered around by scraping many unrelated webpages in parallel).

      • lossolo 2 days ago ago

        > It is super difficult to mimic all of these signals in a way that would cluster the same as typical humans.

        Not really, beat ML with ML. I won't disclose how to do it, because who knows who might read this, but you can easily do it with a model trained for that purpose.

        • nerdsniper 2 days ago ago

          Sure - it's just hard for rando's to get tons and tons of real human interaction data to run a GAN against. "How to do the training" isn't the barrier for this, and not worth keeping a secret.

        • reluctant_dev 2 days ago ago

          [dead]

      • angelhadjiev a day ago ago

        [flagged]

    • stogot 2 days ago ago

      In 2027 how many tokens will we spend to create the jitter, pre-jitter planning, post-jitter verification, and then cloudflare’s inevtiable counter-jitter

      • RedRocketFlash 2 days ago ago

        "We got this Trace-Buster-Buster-Buster that's gonna bust the Trace-Buster-Buster and bust their .... uh, uh, uh ... Trace!!"

      • zdc1 2 days ago ago

        Someone needs to vibecode a "virtual mouse" tool for the agents to steer instead (semi /s)

        • teravor 2 days ago ago

          that's actually how you do it. adversarial systems like those are prime candidates. one agent develops detection mechanisms and the other agent defeats them. progression signal is easy to get.

          and you bootstrap with existing javascript detection engines.

          the challenge is usually the human input data, your objective is to be clustered among the humans and for that you need to know what humans look like.

          this is not an open ended arms race, it will end once the bots approximate humans to a sufficient degree - false positive rate for detection will become unacceptable even if the detection system is slightly ahead.

        • RedRocketFlash 2 days ago ago

          Not even. If this is being detected by client-side JS, someone can just reverse-engineer that code, and push a stream of signals into CF to emulate what a human user would generate.

    • zuzululu 2 days ago ago

      Nothing. But you are already at a disadvantage because Cloudflare has seen far more real jitter data and you are up against that. It might work in the short term but after a while you start showing pretty obvious patterns. There's also a great variety of jitter data on specific websites or layouts that would be very easy to catch someone artificially emulating jitter

    • kypro 2 days ago ago

      There's always been an arms race in anti-bot technology and more sophisticated bots.

      I'm sure, they can add a jitter, but then you just change how you detect / weight detection.

    • fwlr 2 days ago ago

      The jitter you add has to specifically be “jitter that mimics human cursor movement”, which is extraordinarily non-trivial to synthesise.

      • SAI_Peregrinus 2 days ago ago

        No, it's "jitter that mimics human cursor movements detected by Cloudflare's Precursor script". It'll just be another arms race.

        • sbarre 2 days ago ago

          Like any other detection system you will always have determined adversaries that put in the work to bypass it.

          But that doesn't mean you shouldn't still try to block the much larger number of less sophisticated/resourced adversaries that are using OOTB libraries and low-effort setups.

          • SAI_Peregrinus 2 days ago ago

            Sure, but of course since there's profit to be made defeating these systems once someone makes a program to defeat detection they'll sell it. Complicated attacks only stop simple attackers until a sophisticated attacker scripts & sells the exploit. Not that you shouldn't try, just don't expect defenses to last long-term.

      • justinhj 2 days ago ago

        are you sure it's non trivial? they posted a 2d image of what it looks like. a fairly simple model of the users wrist and mouse position doesn't seem crazy hard but the devil is in the details

        • fwlr 2 days ago ago

          Naturally it depends on how well Cloudflare built this implementation. In the abstract, though, a sufficiently accurate prediction system should expect to recover the causal structure of the phenomenon it is attempting to predict, and thus an imitator hoping to defeat the predictor should expect to contain the same causal structure (i.e. physical simulation of a human hand to arbitrary level of detail).

    • stronglikedan 2 days ago ago

      Does anyone besides me try to beat the jitter to fail the captcha? It never works, and yet I continue to try.

    • 2 days ago ago
      [deleted]
  • TrackerFF 2 days ago ago

    One interesting aspect is of course that the movement from the same user can be different depending on what type of mouse they use. I use a mouse at work on my PC, touchpad on my private laptop, and thinkpad nipple on work laptop. Three different profiles for one user.

    Obviously different movements from a AI, but if we come to the day where mouse movement fingerprinting becomes another gatekeeper, there could be some interesting outliers.

  • nearlyepic 2 days ago ago

    I can’t wait for cloudflare to sell data on how well my wrist is working to my insurance company. What a wonderful hell we’ve created for ourselves.

  • pllbnk 2 days ago ago

    I have been noticing a lot of Cloudflare false positives where it keeps spinning on my sessions never actually redirecting me to the underlying page. If they keep just vibe coding and releasing a new solution every day, I am afraid it will be reflected in their services quality.

    • mial 2 days ago ago

      Sometimes it might be your user agent, or your IP, or some browser extension…

    • dubcanada 2 days ago ago

      I get flagged way more often on Starlink then I did on my local ISP fiber.

      • bigbuppo 2 days ago ago

        It's the odd latency changes. You'll see the same thing with certain streaming services.

        • kube-system 2 days ago ago

          I've seen it happen with a grocery store website, oddly enough.

  • dubcanada 2 days ago ago

    There is nothing stopping a bot from moving their cursor like a human. This is basically just putting up a door with zero walls and telling people to stay out of your house.

    All of these things are completely abusable/bypass-able and just annoying for actual humans who trigger flags.

    • swiftcoder 2 days ago ago

      > There is nothing stopping a bot from moving their cursor like a human.

      Sure, we could write a library that slows the bot down and makes it move the cursor in procedurally-generated curves with a certain degree of noise added... but its all extra work, and it all slows the bots down. Presumably they wouldn't reveal that part of the secret sauce if it was all of the secret sauce

      • dubcanada 2 days ago ago

        Acting like a human is something scapers already do. Using residential proxies, using latest Chrome user agents, not moving/typing as fast, etc. This is just 1 more layer, moving mouse naturally.

        • bigbuppo 2 days ago ago

          And at some point they'll just use slave labor in some country with lax laws around all that.

          I'm not sure if I'm talking about the scrapers or Cloudflare at this point. Probably both. Probably the same pool of forced laborers.

          • RedRocketFlash 2 days ago ago

            A return to the "Mechanical Turk".

            I remember using Amazon's Mechanical Turk for just this purpose a decade ago.

            With other players in the gig economy really squeezing the workers at the bottom of the system, it could easily get to a point where sitting in front of a computer performing tasks allocated by AI which needs a meat puppet to get around AI-powered Anti-AI might become economically attractive.

        • Chu4eeno 2 days ago ago

          there are already stuff to trick mouse movement profiling, since its used by other bot protection stuff.

    • 2 days ago ago
      [deleted]
  • khurs 2 days ago ago

    Cloudflare has a lot of enterprise customers. Selling bot check to companies wanting to protect their content & also taking a cut out of payments for access by bots could be a good earner for them.

  • linksbro 2 days ago ago

    The examples of mouse movement, really reminds me what bot scripts looked like for Runescape back in 00s-10s. Early scripts were color-based and jumped the mouse around, and those were quickly caught. But over time, bot scripts developed into complex orchestrations; taking breaks, doing random actions spontaneously, moving the mouse naturally, logging sessions on different platforms (mobile, PC), even responding in chat.

    There's been plenty of effort put into mimicking realistic / "human" behavior in writing video game bots, and every video game still has tons of bots despite the best efforts of the game devs.

    You definitely can't win against bots - but you can definitely make the entire "game" (web at large, in this case) worse off for everyone else through this "always-online DRM" parallel.

  • tavavex 2 days ago ago

    It's a bleak world in terms of bots flooding the web, but out of all possible solutions, this seems to be preferable over invasive and identifying fingerprinting that everyone wants to roll out. Here's hoping that mouse movements aren't sufficiently unique as to be fingerprintable too.

  • kurtoid 2 days ago ago

    how does this interact with keyboard navigation & accessibility tools?

  • cdrnsf 2 days ago ago

    Great. More surveillance, slow browsing and turnstile-style false positives to blanket the web.

  • mchusma 2 days ago ago

    I would say that overall there are pros and cons to this, I really want to be allowed to use agents on my behalf, and don't want to see sites prevent me from doing this. On the other hand, I do recognize there are cases when its good/ok to have only humans allowed to take some action. In my opinion, the line is likely when you are representing you are a human, its ok to prevent bots. otherwise, you can't.

  • piterrro 2 days ago ago

    I think in 10/20 years from now, access to the Internet will be allowed only upon personal identification. Every website will be allowed to ask about your identity upon serving any content. Thats the only way I see this is going. The internet as it is right now does not have a future if majority of traffic will be done by agents. Thus, the cost of that traffic will have to be put on the users and since displaying ads doesnt make sense to agents, a paid access will be introduced (which is what cloudflare is slowly doing)

  • nullc 2 days ago ago

    please drink verification can to continue

    • arm32 2 days ago ago

      Your children are now in custody of Carl's Jr.!

  • bigbuppo 2 days ago ago

    I can 1000% guarantee this will adversely impact assistive technology. You can tell it will because they don't mention any testing with regards to assistive technology.

  • hirbyturby 2 days ago ago

    Ultimately, I think a lot of this is for naught. As models get better and smaller and move from the data center to the PC and the phone, end-user agentics are going to become more prevalent. Bots and agents will be the standard way that people interact with your products. Products that can't or won't allow it will die.

  • trunnell 2 days ago ago

    I dislike bots as much as anyone else... when weird inquiries come through my company's lead form, it costs some time and attention to sort them.

    But what makes Cloudflare so confident that automation always equates to "fraud and abuse?" If I send my agent to go retrieve some information, do they consider that fraud?

    If I block various ad trackers does that trigger their "bot detection" incorrectly? Do I have any recourse? Or is Cloudflare appointing themselves judge, jury and executioner?

    And let's not forget this little chestnut: > 4. Privacy by design. Precursor was designed to collect signals that help to distinguish human patterns from automated and abusive patterns.

    Ahh, so to "protect" against bots they're standing up a whole new regime of user surveillance and session-level monitoring. And they definitely won't be selling that, they promise. Got it.

    This crap should be illegal. In the real world, I can authorize others to act on my behalf. The same should be true with software agents.

  • stanfordkid 2 days ago ago

    I'm sure they are doing more than looking at mouse movements, but I don't think this is a compelling approach -- I think human movements could be faked pretty easily using a large corpus of real world behavioral data. It's an adversarial game but the level of intelligence we are approaching with AI this can be solved IMO.

  • erikvanoosten 2 days ago ago

    Your keyboard and mouse rhythm and timings are probably so unique that they can be considered PII. Wonder how that works out legally.

  • timcobb 2 days ago ago

    Gosh, this is all pretty nauseating.

  • altairprime 2 days ago ago

    I can’t wait for Cloudflare to decide my musical-rhythm enhanced typing and extraordinarily rapid and repeatable-pattern captcha clicking are somehow machine signifiers just like Google does: If I complete Google captchas at full speed it decides I’m a robot and challenges me endlessly, once 29 times in a row in two minutes or something. That’s what I get for having excellent spatial reflexes and mouse-clicker practice from Q3A sniping. So exhausted of the reversion to mediocre tendency of anti-bot systems, sigh.

    • bigbuppo 2 days ago ago

      You also screwed up by using Firefox. That's the #1 method Google uses to prove someone is a bot. If you are't participating in the Google panopticon, you are suspect.

      • altairprime 2 days ago ago

        I haven’t used Firefox for personal browsing for maybe ten years or more now, so I’m not sure where this is coming from.

        • bigbuppo 2 days ago ago

          It was an assumption based on personal experience.

  • dinkleberg 2 days ago ago

    I wonder how it'll handle those of us who try and use the mouse as infrequently as possible. I imagine the cognitive delay part would be largely telling. But it'll be interesting to see if I start getting blocked because I use vimium.

    • SoftTalker 2 days ago ago

      I think it doesn't really matter, the bots will adapt with much more human-like mouse movement very quickly.

  • PessimalDecimal 2 days ago ago

    Is this equivalent to Google Cloud Fraud Defense? https://cloud.google.com/security/products/fraud-defense

    • Chu4eeno 2 days ago ago

      Yes, this is something almost all other anti-bot/fraud prevention solutions already does, and there are already bypasses developed simulating human mouse movement.

      I expect this will be effective for maybe a day.

    • eth0up 2 days ago ago

      Not sure, but I struggle with skepticism for anyone who blocks archive.today, which cloudflare does, along with nextdns and others. Being blocked by such a large... apologies in advance for 'lack of better word' vernacular, cartel, is a near death sentence.

      Not a fan

      • nerdsniper 2 days ago ago

        CF doesn’t block archive. Archive poisons CF. Explanation direct from the CEO of CloudFlare: https://news.ycombinator.com/item?id=19828702

      • pests 2 days ago ago

        archive.today was running a DDOS through their CAPTCHA page

        • eth0up 2 days ago ago

          Although the blocking of archive.today goes back years, as can be verified through forum searches and archives with nextdns and others, I was not aware of this and have no excuse to dispute it. But for the record, the blocking predates 2026 by many years -- and my own records also verify this. That said, I think I need to learn more.

  • TinyOslo 21 hours ago ago

    My 2 cents - have anyone bothered to account for disabilities? Anyone using a given site with tech that moves a cursor? Not using a mouse or trackpad?

  • csomar 2 days ago ago

    So now instead of having the slow-axx Cloudflare turnstile slowing down your requests, you get surprised with a "You are a BOT!!!" while you are conducting your business on a website.

    I already quickly close any website that I do not need for business purposes when it shows me the Cloudflare spinner. Now I might have to start considering competitors who do not implement this shit.

    • pocksuppet 2 days ago ago

      Turnstile already does the "You are a BOT!!!" thing btw, if it thinks you're a bot, which is quite rare as it seems much more permissive than systems like reCAPTCHA.

  • yencabulator 2 days ago ago

    How about we make browsers not report mouse movement to the page? This is getting way too creepy.

  • freedomben 2 days ago ago

    As a real user who uses an Ultimate Hacking Keyboard with the mouse layer, this frustrates me immensely. Yes I'm a corner case, but this is likely to make certain website not work for me because my lines are perfectly straight and my arcs zig-zag much like a bot might.

    Considering the keyboard/mouse layer feels like an advancement to me, this feels like tech that will lock in the "old" way of doing things.

    I really detest how adversarial the web is getting. I'm not a cloudflare hater but please, please consider people like me when rolling out stuff that affects millions or maybe even hundreds of millions or billions of people.

    • bigbuppo 2 days ago ago

      Assistive technology is not a corner case.

  • whimsicalism 2 days ago ago

    as a heavy user of computer use, i hope enterprises realize that people like me will switch to competitors that support native computer use & APIs

  • nikolay 2 days ago ago

    Honestly, you need to be completely out of your mind to use Cloudflare for anything. These guys don't offer any support. They seem like a lucrative option until they start blackmailing you into paying for Enterprise, since anything else is a joke.

  • zuzululu 2 days ago ago

    hmmm i think this is the first time i've seen a genuinely decent approach to blocking scraper/agents

    that mouse cursor movement is very hard to replicate a real human with the amount of data that cloudflare has you could reproduce something close but cloudflare has seen probably trillions of movements that will be tough to beat

    watching this carefully but i think this is the right approach

  • boesboes a day ago ago

    I guess I should blame the fucking AI bro's, but man, do I fucking hate cloudflare. Feels like a protection racket to me. Also, I'd like to note my home IP triggers A LOT more blocks and checks then when browsing from non-residental IPs, (i.e the office, VPN). I find that sus.

  • bellowsgulch 2 days ago ago

    Yawn. Train a domain-specific model on human inputs and then run inference against that. At integration, you change what, one line of code with another? You at best raise the expense to bot, but in today's world, this isn't much compute expense. You can do it on 10-year-old Xenon processors, the same ones used by companies promoted on LowEndBox.

    Skids already fall into the trap of using open source automation like playwright-extra-stealth.

  • 2 days ago ago
    [deleted]
  • cute_boi a day ago ago

    Cloudflare should stop acting as if it is protecting the internet.

    https://developers.cloudflare.com/browser-run/quick-actions/...

    This company is like a tobacco seller building a hospital at the same time.

  • Insimwytim 2 days ago ago

       Precursor is a client-side, session-based verification system, built with privacy in mind, that uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your application. 
    
    ... I can't even ...
  • JJvb89 16 hours ago ago

    This is frankly just ridiculous. Tracking mouse movements has been a basic bot-detection signal for 15 years. Cloudflare just added it as a signal and is making a huge deal out of it.

    A firewall company knows very little about browser internals so don't expect much from this.

  • charcircuit 2 days ago ago

    >keyboard activity, focus changes, and visibility. These events are serialized into a compact format and buffered in memory. At regular intervals, the buffered data is sent back to the evaluation layer for analysis.

    So it's a keylogger?

  • egiboy a day ago ago

    “Move your mouse without rhythm to avoid the worm”

  • thomastjeffery 2 days ago ago

    So we're just going to let tech monopolists make accessibility impossible, are we? Fuck that!

  • carterschonwald 2 days ago ago

    even before the llm era sites would flag me as a bot for opening 15 links to read later. its fucking infuriating now

  • jawns 2 days ago ago

    [flagged]