37 pointsby arhamshahrier6 hours ago10 comments
  • csnover3 hours ago
    Man, this sucks. I doubt there’s anything that I can say to get people to stop doing things like this, but the eventual outcome here isn’t going to be freedom for you to scrape sites that are trying to avoid being DDoSed by bots, but instead that we all end up in a world where device attestation is required to do practically anything online. And for what?
  • TrevorFSmith4 hours ago
    Is it ethical to scrape when a site has explicitly blocked bots? I know a fair number of people who run small sites who are already considering closing them down because the bots are relentlessly hammering their sites and driving up hosting costs.
    • lemagedurage2 hours ago
      Use cases range from sending 100s of requests per second just to bring a website down to doing a montly request to a municipality's endpoint to get a local dashboard of when trash is picked up. I don't think you can pass a single judgement of automating web requests in general.
    • est4 hours ago
      > Is it ethical to scrape when a site has explicitly blocked bots

      Ethical? ppl get jailed in China for this. "Breaching computer systems" is a felony.

      • yogorenapan3 hours ago
        I know for a fact companies in China do this. One paid me directly for work in this space, and in another, I found my own OSS project in their artifact cache while working there.

        I've only ever gotten in trouble in the UK

    • cr125rider4 hours ago
      I think it really depends on how the bot is run. If the bot is replacing me navigating there manually, absolutely. If it’s sucking up content to rip off and make someone else billions of dollars, no.
      • fooqux4 hours ago
        Why do you feel entitled to navigate to a website you neither own nor pay for via a method the owner expressly forbids?
        • theptip4 hours ago
          Why do you feel entitled to dictate what user agent I use, if it’s well-behaved?
          • getnormality4 hours ago
            Why do your opinions about what a "well-behaved" agent is override the wishes of a site's owner?
            • Dylan168074 hours ago
              Site owners should not have full control over what users do. Their wishes do not apply past certain boundaries.

              For a non-AI example I run into occasionally, any wish to stop time-shifting should not be relevant to what I choose to do as a media consumer.

              • pooploop644 hours ago
                There actually is a well defined demarcation point where the site owners wishes do apply. It's called... A demarc point! Everything that happens past this point is by definition entirely in the control of the admin. Which includes closing the door on whoever they wish. This is a technical reality, not something you can effect with opinions or wanting things more than other people want other things. It might seem contradictory but this is actually the main thing that makes the internet as free as it is.
                • Dylan168074 hours ago
                  When we're talking about ethics, I think we should give the owner more than that. If they don't want to be DDoSed we shouldn't say "too bad, the attackers are outside your network, your wishes don't apply, get good".
          • 4 hours ago
            undefined
          • 3 hours ago
            undefined
        • stronglikedan2 hours ago
          If it's just impersonating me to help me better consume the content as if I were the one driving, then it's perfectly ethical, and not even related to a bot ban. Shades of gray and all...
        • matheusmoreira2 hours ago
          Because I should be able to choose whatever user agent I want. The owner gets to "forbid" things on his computer, not on mine.
        • tadfisher2 hours ago
          This page is only viewable in Internet Explorer 5.5. Please switch to a supported browser.
        • mxkopy3 hours ago
          Accessibility, saving time, personal preference. Any number of reasonable things that don’t put undue stress on the host
        • 3 hours ago
          undefined
        • 3 hours ago
          undefined
        • 3 hours ago
          undefined
        • 3 hours ago
          undefined
        • 3 hours ago
          undefined
        • 3 hours ago
          undefined
    • LoganDark4 hours ago
      It's most definitely unethical.
  • xnx3 hours ago
    > Bot detectors flag automation by reading the browser fingerprint; Fortress corrects that fingerprint inside Chromium's C++, so the browser presents as an ordinary Chrome install.

    This does not seem like it would work against anything but the most basic bot protection.

  • newaccountman25 hours ago
    odd name; shouldn't it be named after something that stealthily infiltrates fortresses?
    • ArmanLuthra4 hours ago
      fellow contributor on this.

      we thought of it the other way round: your automation is the fortress, and every bot-detector trying to fingerprint it is the siege.

      also most good burglar names were taken on PyPI

      • arhamshahrier4 hours ago
        in my defence, i did lobby hard for "GuyWhoWavesYouThroughTheGate"
        • LoganDark4 hours ago
          "Doorman"
          • kfhfardin3 hours ago
            I think more like mimicking the perfect resident. Then again it’s Theseus’s ship no, if you are able to do something so perfectly what is the difference between you and the clone? A Hollywood movie in the making.
          • abtonmoy4 hours ago
            "Of course... Why didn't I think of that?"
      • 4 hours ago
        undefined
    • BLKNSLVR2 hours ago
      Algae
    • LoganDark5 hours ago
      Trojan Horse probably wouldn't make a very good name for a browser.
      • ButlerianJihad4 hours ago
        Since my grade-school mascot/team was "The Trojans" and my adopted hometown is firmly rooted in pre-Christian Greek culture and mythology, I am currently studying the Trojan War, and I may observe that "Trojan" is an extremely perspicacious brand-name for condoms, more than the average guy would expect.
        • kfhfardin3 hours ago
          Trojan Condoms: We will “trick” the defenses 100% of the time. Wait wrong take.
        • abtonmoy4 hours ago
          which is exactly the problem, a condom is famous for stopping things getting through and we do the literal opposite.
          • ButlerianJihad6 minutes ago
            Actually condoms are famous for being quite unreliable and failing.

            People using them are often uninformed and inept, using them incorrectly and hastily.

            This is exactly why they are distributed with gusto by certain services that profit from “surprise pregnancy”.

  • BLKNSLVR2 hours ago
    Does Anubis still work? (against this?)
    • 2 hours ago
      undefined
    • 2 hours ago
      undefined
  • xena3 hours ago
    Things like this make me wish that we have to pass ethics courses to work in tech.
    • m12k2 hours ago
      Reminds me of this old joke: No ethically trained software engineer would ever write a destroyBaghdad function - they’d write a destroyCity function to which you could pass Baghdad as a parameter.
    • 3 hours ago
      undefined
    • 3 hours ago
      undefined
  • dclaw3 hours ago
    This is really unacceptable folks. There are those of us that have to keep these sites up, and it's seriously been a few years of nightmare scrapers and botnets, and stupid things like this that you are trying to legitimize that will make this worse. If a site doesn't want you, you should go away. There's a reason for it. Not every website is backed by a billion/trillion dollar company with the resources to absorb things.
    • deckar013 hours ago
      Making a network request from a script is not abuse, consuming excess bandwidth is. Scrapers already spoof browser reputation and cycle IPs while abusing bandwidth. Recently I wanted to convert the results of an Autotrader filter into a table so I could supplement it with data they don’t track (towing capacity). It was two pages of results, but requesting it from a script was aggressively blocked by browser fingerprinting. I had to port it to JS and run it in my browser console manually to get the data out, wasting my time.
      • kfhfardin3 hours ago
        I think this is the point that has become a moral dilemma. Increasingly, in this agentic age tasks like research and web exploration that would be done by humans and even buy things from an website is now done through agents. While I sympathize with the main author about Ddos, but blocking every agent regardless of intent seems cruel. This would allow an MCP doing deep research(almost identical to human behavior) to move forward. But there should definitely be more work done system that focus on agent intent(i.e some agent trying to find the best price for vacation or scraper building alternatives to Travel Advisor).
        • ryandrake2 hours ago
          Ideally, there would be a better way for web hosts to block bandwidth-hogging, but not block bots. I don't think anyone cares if some automated user-agent requests a 1KB file from their web site. They care that automated systems are sucking down TBs per day, all day, every day.
        • coldbrewed2 hours ago
          Making people actually read content doesn't strike me as cruel. Tedious, sure, but not cruel. What is cruel is seeing all of our collective individuality and artistic expression jammed into an LLM, sold back to us by the token, and forced into our lives by an economy increasingly skewed towards holders of capital.
          • kfhfardin2 hours ago
            Fair point. Again, I might be terribly and almost Icarus-like optimistic, but I still believe the push and pull between Big Tech and Indie AI builders would still lead to an equilibrium that makes the world a little more efficient and perhaps in time, more creative than AI slop. Let's hope Open Source AI opens instead of OpenAI so the internet is not feeding the capitalist machine of OpenAI and Anthropic.
      • coldbrewed2 hours ago
        CDN security SWE here. I have functionally zero interest in what individual people do in terms of automation. I automated my gym's class signup forum during COVID so I get the validity of the use case. You want to work around the mitigations to do the same? Go with my blessings.

        The killer is that everything that works for individuals trying to get through the day and make the web a bit smoother is immediately used by industrial crawlers strip mining the Internet, and you can't block one without blocking the other. A future where the web is only accessible via device attestation is extremely dystopian but so is an Internet where every drop of content goes into an LLM training set.

        Things like this is why all of the worthwhile content is going to drain into balkanized spaces, and we're all the poorer for it.

        • kfhfardin2 hours ago
          Hmm, I am sure you know more than I do on the topic. At least to me, an amateur in the security space, would the action of the scraper not be closer to repetitive calls to tables instead of, i.e a more inquisitive agent doing research or booking who spends more time looking through, and surely that can be tracked? Again, on the moral side, I agree that if one comes with the other, it is quite dystopian. I myself am an ML Inference Engineer, so I guess interesting problems and interesting solutions always draw me in much like this.
          • coldbrewed44 minutes ago
            Abusive crawlers use residential proxies to distribute crawl traffic between thousands of IPs, so that one agent that's making five requests blends in with the massive crawl. There is signal but there are ML inference engineers tuning their traffic to blend in, which requires that mitigations must get more sensitive.

            At the end of the day, the defensive side has an obligation to protect customers and well behaved agents are the first thing that gets swept up along with the bad actors.

        • deckar01an hour ago
          It’s not that dystopian if you are given the choice to trade your attestation for more valuable service. We have been paying for the web by letting advertisers correlate our behaviors together for a couple decades now.
          • coldbrewed42 minutes ago
            The concern is that attestation turns into another mechanism to monitor and control people; see how age verification turns into surveillance.
      • tadfisher2 hours ago
        Why did you need it from a script? Right click -> Save Page As... is still a thing and works quite well in my experience, even with complex React SPAs.
      • dclaw3 hours ago
        It's not just excess bandwidth. It's cpu cycles, poor site coding, database issues. Like I said, not everything is backed by a huge company that has the money/hardware/engineering resources to absorb the load.
      • transcriptase3 hours ago
        That’s the point. For every legitimate though ultimately unimportant use case like yours there are a thousand others who would scrape the results 86,400 times a day to either try to sell or mirror and plaster with their own ads.
    • arendtio2 hours ago
      And those bot protection mechanisms and ad-enforcement layers that terrorize humans are okay or what? Yes, I accept that many pages don't want me there and just don't use them anymore, but it sucks.

      I am not saying that forks like this are a good idea, but I have enough frustration with said techniques that I sympathize with the effort.

    • codedokode2 hours ago
      Sites that are backed by a billion dollar company typically have better antibot protection, and lot of expertise in this.

      Also, patched browsers have existed since long ago, although they were not open-source.

  • CivBase2 hours ago
    Unconscionable.
  • grvtygi2 hours ago
    [flagged]
  • tomsop2 hours ago
    [flagged]