The headline stat is a misinterpretation of the study which was done by Arkose Labs which "provides businesses with lasting bot prevention and account security by sapping the financial motivations of cybercriminals."
That's pretty vague but skimming it sounds like they prevent automated account creation and takeover. The stat comes from the companies they have access to (who need bot protection enough to pay for it), and 76% of activity on the login/account creation was malicious. That makes a lot more sense. All the various hacks and credential leaks result in bots banging in stolen credentials on high value sites.
Arkose does log-in protection for Roblox (and others but that's the one I'm familiar with) where the user has to do something like rotate a picture before logging in.
It amazes me when I spin up some random server on a cloud provider and it's immediately getting tons of traffic from bots searching for insecure ssh servers and default WordPress admin credentials and the like. If that's the sort of stuff they're counting, I'd believe it. But yeah, it's not like all the commenters on this post are bots.
Yeah, we had a presentation at work from AWS; they said expect all ports and protocols on any AWS server you spin up to be scanned in less than 1 min of any instance being created.
I really hate the phrase "bots" because it gives the appearance that they're all useless and malicious. I guarantee you they lumped in the following extremely valid uses of "bots":
Automated personal scripts that many programmers use, these are technically bots. Hell, I use a "bot" to auto-clip digital Safeway coupons
Moderation bots on sites like Lemmy/Reddit
Archive efforts
Are AI chatbots bots? If they use a loose enough definition all this means is humans utilize fuck tons of automation over the Internet, both programmers and not.
Not really, as with many others the headline is sensationalist. It's missing the "... on login page attempts for sites that pay for and/or use bot protection services."
As long as real users exist on the internet, marketing will follow. If centralized social media will be even more of a shithole than it already is, then they will slowly target the decentralized. You won't escape marketing.
I recently switched cell providers to save a pile of money, but the new one doesn't have call control like the old did. 100% of my calls over the last two weeks were spam calls. I keep telling myself the savings are worth it, but my God it's annoying.
Wonder what the engineering solution to this could look like...
Thinking something like a zero trust model being required for all web requests... Like the target address would need to receive a validated identity token from some third party but that token couldn't contain identifying info about the requester. Likewise, the validating third party would need to verify the identity of the requester without having knowledge of the target address.
Then that raises more questions like who would we all be comfortable trusting as a verifier and what data would we use for that validation? The validation system and the data used to validate would need to be provided for free too to account for low income people so no subscription services or hardware MFA keys. Also who counts as an identity to be validated?
What do enforcement mechanisms look like if this does get built? Are the validators entirely passive or do they actively participate in the process? Like do we have rate limits imposed by the validation engine or do we just leave that to the target address/organization to impose themselves? What happens if someone is banned from a site? Does the site notify the validators to drop requests earlier in the lifetime of a request? Do individuals get a lower request quota than corporations? Would you have to form a company just to prototype a new tool/product?
If someone seriously wanted to work on this I'd jump on the opportunity to work with them. It sounds like a fascinating project.
I had an account for about 10 years which I never used at first, then a fair bit for 3-4 years, linked it to Instagram and WhatsApp. Then I didn’t sign into Facebook for 2-3 years and when I tried, despite having the same email and using the linked IG accounts, they demanded my driver’s license. Uh, no way in hell I’ll ever do that, so guess I’m not signing into stupid Facebook. Not sure who the hell they think they are or why they believe I’d consider their awful website so important as to send them my ID.