惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
Help Net Security
Help Net Security
P
Privacy International News Feed
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
AWS News Blog
AWS News Blog
K
Kaspersky official blog
A
Arctic Wolf
Latest news
Latest news
T
Threat Research - Cisco Blogs
L
LINUX DO - 最新话题
P
Privacy & Cybersecurity Law Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Google DeepMind News
Google DeepMind News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
N
News and Events Feed by Topic
Jina AI
Jina AI
博客园 - 司徒正美
WordPress大学
WordPress大学
罗磊的独立博客
雷峰网
雷峰网
AI
AI
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Security @ Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Heimdal Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Cisco Blogs
博客园 - 【当耐特】
The Hacker News
The Hacker News
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Schneier on Security
Schneier on Security
博客园 - Franky
S
SegmentFault 最新的问题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cloudbric
Cloudbric
爱范儿
爱范儿
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Secure Thoughts
Last Week in AI
Last Week in AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Know Your Adversary
Know Your Adversary
Google DeepMind News
Google DeepMind News

Hacker News: Front Page

SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads GitHub - GainSec/AutoProber: Hardware hacker’s flying probe automation stack for agent-driven target discovery, microscope mapping, safety-monitored CNC motion, probe review, and controlled pin probing. Introducing Claude Opus 4.7 Qwen Studio The Future of Everything is Lies, I Guess: Where Do We Go From Here? GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh Virginia Bans Sale of Geolocation Data Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Ancient DNA reveals pervasive directional selection across West Eurasia [pdf] AI cybersecurity is not proof of work Moving a large-scale metrics pipeline from StatsD to OpenTelemetry / Prometheus GitHub - Nightmare-Eclipse/RedSun: The Red Sun vulnerability repository GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. A Better Ludum Dare; Or, How to Ruin a Legacy GitHub - macOS26/Agent: Any AI, replaces Claude Code, Cursor, OpenClaw. Over 18 LLM providers (Claude, OpenAI, Gemini, Ollama, Zai, HF, Qwen) wired into a native Mac app that writes code, builds Xcode projects, bumps versions, manages git, automates Safari, use AppleScript, JS or Accessibility, extend Agent! w/ MCP Servers, run tasks from your iPhone via Messages. YouTube now lets you turn off Shorts I Made a Terminal Pager Burgers | マクドナルド公式 Commands — HackerNews CLI documentation ChatGPT for Excel PiCore - Raspberry Pi Port of Tiny Core Linux Live Nation illegally monopolized ticketing market, jury finds Google Broke Its Promise to Me. Now ICE Has My Data. Founding Engineer at Adaptional | Y Combinator CRISPR takes important step toward silencing Down syndrome’s extra chromosome GitHub - saffron-health/libretto: The AI toolkit for building reliable browser automations US v. Heppner (S.D.N.Y. 2026) no attorney-client privilege for AI chats [pdf] Unexpected €54k billing spike in 13 hours: Firebase browser key without API restrictions used for Gemini requests Fragments: April 14 Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings Laravel raised money and now injects ads directly into your agent Codex Hacked a Samsung TV Tech Valuations Back to Pre-AI Boom Levels A perfectable programming language — Soter GitHub - halfwhey/claudraband: Claude Code for the Power User Partnership through Play: Investigating How Long-Distance Couples Use Digital Games to Facilitate Intimacy Textbooks and Methods of Note-Taking in Early Modern Europe (2008) Eternity in six hours: Intergalactic spreading of intelligent life (2013) Seven countries now generate 100% of their electricity from renewable energy Tell HN: OpenAI silently removed Study Mode from ChatGPT Pro Max 5x Quota Exhausted in 1.5 Hours Despite Moderate Usage Show HN: Oberon System 3 runs natively on Raspberry Pi 3 (with ready SD card) Tell HN: docker pull fails in spain due to football cloudflare block Bring Back Idiomatic Design No one owes you supply-chain security GitHub - xsawyerx/curl-doom: DOOM, played over cURL Apple update turns Czech mate for locked-out iPhone user The Grand Line Cache TTL silently regressed from 1h to 5m around early March 2026, causing quota and cost inflation Building a Z-Machine in the worst possible language The peril of laziness lost Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda AI Will Be Met With Violence, and Nothing Good Will Come of It GitHub - duguyue100/midnight-captain: Inspired by Midnight Commander, tailored to my taste. How to build a `git diff` driver · Jamie Tanna | Software Engineer Center for Responsible, Decentralized Intelligence at Berkeley The Local Universe’s Expansion Rate Is Clearer Than Ever, but Still Doesn’t Add Up - A new synthesis of astronomical measurements confirms a persistent mismatch that could point to physics beyond current models The disturbing white paper Red Hat is trying to erase from the internet – OSnews NetBlocks (@netblocks@mastodon.social) The Future of Everything is Lies, I Guess: Annoyances ‘Abhorrent’: the inside story of the Polymarket gamblers betting millions on war Productive procrastination — Max van IJsselmuiden maps, territory and LMs 447 Terabytes per Square Centimetre at Zero Retention Energy: Non-Volatile Memory at the Atomic Scale on Fluorographane Show HN: Pardonned.com – A searchable database of US Pardons 20 Years on AWS and Never Not My Job The Seasons are Wrong The FAA wants gamers to apply for air traffic control jobs Artemis II crew splashes down near San Diego after historic moon mission Why weekends are under threat We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs How a dancer with ALS used brainwaves to perform live On filing the corners off my MacBooks Installing every* Firefox extension OpenClaw’s memory is unreliable, and you don’t know when it will break Steve Blank Nowhere Is Safe Chimpanzees in Uganda locked in vicious 'civil war', say researchers watgo - a WebAssembly Toolkit for Go linux/Documentation/process/coding-assistants.rst at master · torvalds/linux GitHub - callumlocke/json-formatter: Makes JSON easy to read. Founding Product Engineer at Bild AI | Y Combinator A compelling title that is cryptic enough to get you to take action on it GitHub - Keychron/Keychron-Keyboards-Hardware-Design: Industrial design files for Keychron keyboards and mice. 100+ models with CAD assets in STEP, DXF, DWG, and PDF. Source-available, with commercial use allowed for original compatible accessories within the license terms. [ANNOUNCE] WireGuardNT v0.11 and WireGuard for Windows v0.6 Released 1D-Chess Helium Is Hard to Replace Keeping a Postgres queue healthy — PlanetScale Serenity Forge (@serenityforge.com) Our response to the Axios developer tool compromise Do Americans read print books, e-books or audiobooks more? Uncharted island soon to appear on nautical charts The Problem That Built an Industry Fragments: April 2 Python Release Python install manager 26.1 Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8% God sleeps in the minerals Harness engineering: leveraging Codex in an agent-first world Apple Silicon and Virtual Machines: Beating the 2 VM Limit What have been the greatest intellectual achievements? The APL Programming Language Source Code
The CAPTCHA arms race: from distorted text to browser identity
2026-06-25 · via Hacker News: Front Page

TL;DR: Every CAPTCHA generation (distorted text, harder text, image grids) was eventually beaten by machines. Now with everyone using agents to run real workflows, the game has changed from testing what a browser can do to verifying who it is. That's why Browserbase is building agent identity with Verified and Web Bot Auth, because the best CAPTCHA “solver” never sees a CAPTCHA at all.

If you've clicked every traffic light, bus, and crosswalk in a blurry image grid, you've taken part in one of the internet's longest-running security experiments. Those clicks were solving CAPTCHAs: tests of whether you're human.

As websites grew popular in the late 1990s, so did the incentives to abuse them. Spammers created thousands of fake accounts, bots scraped search engines, and scripts flooded forums with ads. Every popular site faced the same question: how do you tell a human from a machine?

CAPTCHA is a backronym for Completely Automated Public Turing test to tell Computers and Humans Apart, coined in a 2003 paper by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford at Carnegie Mellon.

It's a reverse Turing test. The original asks a human to spot a machine through conversation; a CAPTCHA flips it, so the machine asks the question and the test passes if the responder behaves like a human. The goal isn't to prove intelligence. It's to make automation cost more than the attack is worth.

For over 20 years, every CAPTCHA has eventually been fooled, and each generation follows the same cycle:

defenders build a new challenge → it works for a while → attackers learn to solve it → defenders build something new → repeat.

It’s an endless cat and mouse chase.

Let's hop into the arena: cat (computer) vs. mouse (CAPTCHA).

Level 1: can you read this?

The first answer was surprisingly simple: make computers read.

Early CAPTCHAs showed distorted text (warped letters, uneven spacing, random lines, noisy backgrounds). To a human it was usually trivial. Our brains are remarkably good at recognizing patterns through missing pixels and distortion.

Computers, however, were not.

Optical character recognition (OCR) at the time did well on clean printed text but struggled when characters were rotated, stretched, overlapped, or obscured. The key assumption was that perception was the hard part. If a computer couldn't tell where one character ended and the next began, it couldn't read the word.

For a while, it worked. A distorted word stopped automated scripts while barely slowing a human. AltaVista and Yahoo adopted early systems, and the approach worked well enough that the Carnegie Mellon researchers formally coined the term.

Then OCR got better. 🐈

Attackers realized they didn't need to solve the whole CAPTCHA at once. Most text CAPTCHAs were generated in stages: render text, apply distortion, add noise, draw obfuscating lines, output an image.

Well, if the CAPTCHA was created in stages, then it could be defeated in stages. Attackers built computer vision pipelines that removed background noise, thresholded images to black-and-white, segmented characters into individual regions, and fed those regions to OCR. What looked like an AI problem became an image-processing problem.

What appeared to be an AI problem became an image processing problem.

Once segmentation was reliable, recognition accuracy jumped. The same advances that digitized books and read street signs made computers capable CAPTCHA solvers.

The mouse had made its move, and the cat adapted. Time to repeat.

Level 2: make the text harder

The defenders figured that if attackers can segment characters, then make segmentation impossible. CAPTCHAs grew aggressive (overlapping letters, unnatural shapes, noisy backgrounds), some so distorted they looked more like abstract art than text.

Around this time, von Ahn noticed something. Millions of people were spending seconds a day solving CAPTCHAs, an enormous amount of visual recognition work that immediately disappeared. What if that effort could be useful?

This idea became reCAPTCHA.

Instead of random text, it showed scanned words from books and archives that OCR couldn't confidently read. Every solved challenge helped digitize printed material. For a while, everyone won when websites got protection, and libraries got digitized.

Then machine learning arrived. 🐈

Traditional OCR relied on hand-engineered rules (edge detectors, character templates, segmentation heuristics) that worked until designers changed the distortion. Machine learning removed the hard-coding. Instead of teaching a computer how to recognize a character, researchers trained models on millions of examples and let them learn the patterns. Neural networks recognized heavily distorted characters without perfect segmentation, because the noise that confused traditional OCR still carried enough signal to recover the answer.

The CAPTCHAs designed to stop machines eventually became harder for humans than for the models.

The mouse raised the stakes, but the cat learned faster.

Level 3: find the traffic lights

By the early 2010s, the founding assumption (computers can't read) was hard to defend. So designers abandoned text and asked users to identify objects instead.

Where text CAPTCHAs tested character recognition, image CAPTCHAs tested semantic understanding. Humans do this effortlessly when we recognize a bicycle from the side, half-hidden behind a car, at night, or cropped to a corner of the frame.

For computers, this was the same hand-engineered problem as before, now in two dimensions. Traditional vision systems detected edges, corners, gradients, and textures, then tried to assemble them into objects:

# Traditional computer vision
features = combine(detect_edges(image), detect_corners(image), compute_gradients(image))
if matches_bicycle_template(features):
    return "bicycle"

The real world doesn't follow templates. A bicycle appears from thousands of angles, partly obscured, under shifting light. The edge cases are endless.

Then ImageNet happened. 🐈

The 2009 dataset gave researchers millions of labeled images across thousands of categories, enough to tackle object recognition at scale. In 2012, a deep neural network called AlexNet dramatically outperformed traditional vision systems on the ImageNet benchmark. Once again the question shifted from “can a computer recognize a bicycle?” to “how much labeled data can we give the model?” Convolutional neural networks directly learned visual features like edges and textures in early layers, shapes and parts in the middle, and whole objects deep down. No template required.

The timing was pretty unfortunate for designers. Traffic lights, buses, crosswalks, and storefronts were common CAPTCHA categories, and also among the most common categories in large vision datasets. The challenges meant to prove computers couldn't see appeared exactly as computers learned to.

The mouse found a new hiding place, but the cat learned how to see.

Level 4: the browser becomes the CAPTCHA

The pattern was now impossible to ignore.

Every generation assumed some capability humans had and computers lacked. Defenders built a challenge around it. Attackers automated it. Repeat.

Any challenge with a correct answer became a target for optimization. You can't build a test of human intelligence while developers are actively building to replicate it.

So modern anti-bot systems stopped asking whether a browser could solve a challenge and started asking whether it should be challenged at all.

They became probabilistic. Rather than one challenge, they collect signals across a session and combine them into a risk score. These signals ranged across browser fingerprints, installed fonts, canvas and WebGL rendering, TLS fingerprints, cookie history, network reputation, request timing, and interaction patterns. Individually weak, but together they form a detailed picture. A real Chrome browser on a real laptop behaves differently than a freshly spawned browser in a datacenter.

This is the philosophy behind reCAPTCHA v3 and Cloudflare Turnstile. When the system is confident, no CAPTCHA appears. When uncertain, it asks for more.

Then attackers realized solving CAPTCHAs was no longer the objective. If challenges only appear when a browser looks suspicious, the goal is to not look suspicious. Challenge solving became browser fingerprinting. Instead of better OCR or classifiers, attackers studied fingerprints, reputation, and network signals to pass as legitimate.

The mouse stopped asking questions, and the cat started learning how to blend in.

It’s a tie: proving who you are

Historically, websites treated every browser as an anonymous stranger. To gain confidence, they issued a challenge. Modern detection works in reverse. Instead of asking browsers to prove themselves repeatedly, sites try to determine whether they already recognize the browser.

Through that lens, the trends make sense. A browser with a consistent history is more trustworthy than one that appeared thirty seconds ago. One whose fingerprints, network, and behaviour all align is more trustworthy than one whose signals contradict each other. One tied to a known identity is more trustworthy than one that's anonymous.

The web that produced CAPTCHAs was dominated by anonymous traffic, where most automation existed to scrape, spam, or abuse. Treating every bot as suspicious was usually correct.

Today's web is different. Browser agents are booking travel, filing compliance reports, monitoring infrastructure, and completing workflows for real users. Websites still struggle to tell an agent acting for a user from a bot exploiting a system, and historically the safest option was to treat them the same.

Can this browser solve a CAPTCHA?Should this browser see a CAPTCHA at all?

If the browser is the CAPTCHA, the open question is no longer what a browser can do but whether it can establish trust. That has produced a new model, where browsers and agents that explicitly prove who they are instead of repeatedly proving what they can do.

One emerging standard is Web Bot Auth, which lets browser agents cryptographically identify themselves as they navigate the web. Sites can then distinguish anonymous automation from agents operating through trusted providers, and make the call based on identity rather than inference. This is the direction we're building toward at Browserbase, in partnership with Cloudflare.

It's a different premise than the previous two decades: legitimate automation shouldn't have to pretend to be human. If the last twenty years taught computers to pass human tests, the next decade may be about giving them a way to introduce themselves instead. The most successful CAPTCHA “solver” is the one that never sees a CAPTCHA.

Give your agents identity and evolve from the cat vs. mouse chase here: browserbase.com/contact-web-bot-auth