Precursor

(blog.cloudflare.com)

79 points | by AznHisoka 1 hour ago

21 comments

  • Havoc 44 minutes ago
    It’s a bit alarming how cloudflare is establishing itself as arbiter of all things bots…both on blocking and allowing.

    Doesn’t seem healthy for the internet as a whole

    • skybrian 36 minutes ago
      Yes, but it’s up to their competitors to build competing services.
      • cryo32 33 minutes ago
        I think it's up to their customers not to encourage consolidation.
        • Tade0 6 minutes ago
          Customers shouldn't have to micromanage every service and product like that.

          We have antitrust regulations for such things.

        • grim_io 31 minutes ago
          Microsoft is the proof that customers do want that, or that they don't have a real choice.
          • cryo32 20 minutes ago
            I think it's simpler - they don't give a crap.

            Until somewhere down the line. Like when half of Spain gets cut off due to an arbitrary block on a consolidated service facade...

        • Catloafdev 30 minutes ago
          What Cloudflare competitors offer a similar range of services?
          • cryo32 26 minutes ago
            Do you really need Cloudflare's services to run your business?
            • Catloafdev 23 minutes ago
              Are you genuinely asking "does anybody even need any of their services"?
              • cryo32 21 minutes ago
                Yes. I am asking exactly that objective question.

                They are advantageous to leverage in certain situations but essential they are not. We're used to, in the technology industry, looking for or creating problems to solve with services we are aware of. Moving back to necessity and need, do we really? Are we being objective? Most of the time, no.

                • Catloafdev 0 minutes ago
                  DDoS protection is pretty essential. I highly encourage you to read through what they offer if you're not familiar.
                • dpoloncsak 4 minutes ago
                  Theres a few alternatives, but at a minimum yes you probably need their or a competitor's Name Servers and their public DNS. Rolling your own isn't very feasible.
        • skybrian 25 minutes ago
          That too, but they need competitors to switch to.
    • hoppp 29 minutes ago
      It's business as usual and it's our job to vote with our wallets.
    • jppope 43 minutes ago
      Agreed, but we should be honest, the internet today is far from healthy
    • cryo32 34 minutes ago
      Apart from handling of abuse reports. Yeah we're acting as CDN for this phishing site - we'll just inform the upstream about it and do nothing.
    • ianm218 37 minutes ago
      For any one of their product there is a good opportunity to build an open source alternative or something like it! Can be hard to work around they have the benefit of being able to have negative unit economics on lots of infra products... But people succesfully built tons of alternatives to google analytics and similar.
      • esseph 34 minutes ago
        What they are doing requires both physical and digital infrastructure spread throughout the globe. It's not a cheap task.
    • dzonga 13 minutes ago
      have you considered the alternative ?

      where bots run rampant ?

      trust me as an operator - I'm grateful Cloudflare exists.

    • Catloafdev 22 minutes ago
      They're creating optional opt-in protection layers for the services they operate.

      I genuinely don't understand these generic complaint comments.

      Are you complaining that they offer too much? Or do you believe nobody is offering similar services?

      • stuartjohnson12 18 minutes ago
        The complaint is that the offer is a great deal with no downsides for consumers, and this is likely to result in Cloudflare having a lot of power (which they currently don't have) as a market maker. This position as market maker would grant them the power to extract economic rent from the web economy by charging both sides of the web provider and web consumer market to get access to the other.
        • Catloafdev 10 minutes ago
          So the complaint is that one day they have such a strong monopoly that they can freely turn evil?

          Just want to make sure I understand the real issue here, because that sounds like a lot of fearmongering to me.

    • Maxion 34 minutes ago
      To be frank, their products do work and are sorely needed.
    • baq 34 minutes ago
      ...but very bullish NET. who wouldn't want to be the toll booth where you collect money both ways
  • sudb 54 minutes ago
    Cool product launch, though it feels a little weird to me that Cloudflare sells agentic products alongside this new service that seems designed to block agentic usage of the web?

    I expect there's much more going on than just mouse path detection but I can imagine that this is already tricky for touchscreens and for people using non-traditional mouse inputs (the thinkpad nub comes to mind - but it would also be bad optics to accidentally block people using accessibility mouse tools as bot users, though then this becomes a loophole for agentic browsing!)

    In general though I think this is almost definitely a good thing to reduce agentic bot abuse & spam.

    • skybrian 43 minutes ago
      It’s less weird if you think there’s a difference between good bots and bad bots. They can provide services for good bots to use while helping people keep out the bad ones.

      If a bot is simulating mouse movement but doing it badly then that’s a strong signal of shenanigans. A good bot will obey robots.txt and do nothing to hide that it’s a bot.

      • pryelluw 35 minutes ago
        Who gets to decide what is a good bot?
        • pythonaut_16 30 minutes ago
          Presumably the site owner with Cloudflare providing enforcement.

          Generally isn't a good bot one that respects robots.txt and is respectful of the site's resources by not being spammy?

        • wnevets 28 minutes ago
          by checking which follow robots.txt?
        • nullpoint420 30 minutes ago
          Cloudflare, apparently.
        • tccole 30 minutes ago
          Me… obviously
    • nozzlegear 42 minutes ago
      > Cool product launch, though it feels a little weird to me that Cloudflare sells agentic products alongside this new service that seems designed to block agentic usage of the web?

      Feels a little bit like the mob selling "protection" to shop keepers.

  • akersten 39 minutes ago
    control+F accessibility no results

    Yeah so this mouse movement astrology is going to completely lock non-sighted/keyboard only users out of large swaths of the Internet isn't it.

    • abirch 32 minutes ago
      I'm guessing it's going to lock the non-sighted//keyboard only users out of the anonymous Internet. I'm guessing if you log in and give up your anonymity they'll consider you not a bot.
    • kingleopold 9 minutes ago
      just like how smartphone developers, engineers locked people with no smartphone.Some of the users that can no longer get services are really old people, disabled. In some well developed places on earth, you can't even check in flights without a smartphone, it's not even possible to travel for them.

      Yet all people are ok with it

    • sudb 32 minutes ago
      I'd imagine that mouse movement is just one signal among many that's weighted appropriately, but I hope we get feedback from these users
    • nojs 4 minutes ago
      I mean CF already forces 5 minutes of motorbike identification on anyone not in a whitelisted western country, so a small percentage of blind people is unlikely to worry them.
    • DrammBA 15 minutes ago
      cmd+F mouse movement 3 result, 3/3: "Mouse movement is just one example of the signals Precursor evaluates"
  • whimsicalism 1 minute ago
    as a heavy user of computer use, i hope enterprises realize that people like me will switch to competitors that support native computer use & APIs
  • TrackerFF 24 minutes ago
    One interesting aspect is of course that the movement from the same user can be different depending on what type of mouse they use. I use a mouse at work on my PC, touchpad on my private laptop, and thinkpad nipple on work laptop. Three different profiles for one user.

    Obviously different movements from a AI, but if we come to the day where mouse movement fingerprinting becomes another gatekeeper, there could be some interesting outliers.

  • tavavex 11 minutes ago
    It's a bleak world in terms of bots flooding the web, but out of all possible solutions, this seems to be preferable over invasive and identifying fingerprinting that everyone wants to roll out. Here's hoping that mouse movements aren't sufficiently unique as to be fingerprintable too.
  • reluctant_dev 47 minutes ago
    What prevents bots/agents from just adding "jitter" to their movements that mimics how humans move their cursor?

    I know there are other signals being used but this one in particular seems like it wouldn't be hard to beat with a small amount of sophistication from the bot.

    • nerdsniper 25 minutes ago
      Beating this would require a large amount of sophistication, not a small amount.

      Basic machine learning clustering will expose bots mouse+keyboard+touch behavior and discriminate them from humans.

      It will also likely discriminate against anyone with a disability and therefore using affordances like eye tracking. Just imagine how different a person with only one hand would look compared to a “typical” user!! This shouldn’t be too much of a problem in the USA because no one is enforcing the ADA at the moment outside of California / Illinois / NY.

      But I’m curious to hear from ‘eastdakota how they plan to guarantee that users with disabilities won’t be affected by these kinds of behavioral analysis. Cloudflare has such a massive footprint that it’s absolutely critical for them to err on the safe side of filtering, assuming they desire to be ethical.

      The immoral thing for cloudflare to do would be to say “we just provide a ‘bot likeliness score’ and it’s up to each website to decide what threshold they need”. And then wave their hands and say “we’re not the ones blocking users with disabilities…the websites are the ones setting their thresholds too strictly”.

      When you reach Cloudflare’s size … you own all the 2nd and 3rd order effects of your decisions.

      This kind of data not only separates bots from humans - it’s pretty trivial to distinguish male vs female, right-handed vs left-handed, approximate age, native language (based on keyboard input patterns), state of injury (including tracking progression of healing), and a variety of different mental/physical disabilities. How one navigates a website tells you whether they are ADHD or schizophrenic or has Parkinson’s, and it can tell you about drug use/abuse: how well is this person’s Parkinson’s treatment working? What days of the week does that person tend to abuse amphetamines?

      It is super difficult to mimic all of these signals in a way that would cluster the same as typical humans.

      • SoftTalker 15 minutes ago
        We used to say the same sorts of things about LLM prose, music, and image generation. Now just a few years later it can be very difficult to know for sure if something is made by AI or a human. There are still tells, but they are much more subtle and harder to spot, and models are still improving. Mimicing human mouse movement won't be any more of a challenge.
    • fwlr 38 minutes ago
      The jitter you add has to specifically be “jitter that mimics human cursor movement”, which is extraordinarily non-trivial to synthesise.
      • SAI_Peregrinus 26 minutes ago
        No, it's "jitter that mimics human cursor movements detected by Cloudflare's Precursor script". It'll just be another arms race.
        • sbarre 13 minutes ago
          Like any other detection system you will always have determined adversaries that put in the work to bypass it.

          But that doesn't mean you shouldn't still try to block the much larger number of less sophisticated/resourced adversaries that are using OOTB libraries and low-effort setups.

      • justinhj 13 minutes ago
        are you sure it's non trivial? they posted a 2d image of what it looks like. a fairly simple model of the users wrist and mouse position doesn't seem crazy hard but the devil is in the details
    • stogot 42 minutes ago
      In 2027 how many tokens will we spend to create the jitter, pre-jitter planning, post-jitter verification, and then cloudflare’s inevtiable counter-jitter
      • zdc1 35 minutes ago
        Someone needs to vibecode a "virtual mouse" tool for the agents to steer instead (semi /s)
    • kypro 40 minutes ago
      There's always been an arms race in anti-bot technology and more sophisticated bots.

      I'm sure, they can add a jitter, but then you just change how you detect / weight detection.

  • nearlyepic 40 minutes ago
    I can’t wait for cloudflare to sell data on how well my wrist is working to my insurance company. What a wonderful hell we’ve created for ourselves.
  • khurs 27 minutes ago
    Cloudflare has a lot of enterprise customers. Selling bot check to companies wanting to protect their content & also taking a cut out of payments for access by bots could be a good earner for them.
  • pllbnk 28 minutes ago
    I have been noticing a lot of Cloudflare false positives where it keeps spinning on my sessions never actually redirecting me to the underlying page. If they keep just vibe coding and releasing a new solution every day, I am afraid it will be reflected in their services quality.
    • dubcanada 4 minutes ago
      I get flagged way more often on Starlink then I did on my local ISP fiber.
    • mial 26 minutes ago
      Sometimes it might be your user agent, or your IP, or some browser extension…
  • dubcanada 15 minutes ago
    There is nothing stopping a bot from moving their cursor like a human. This is basically just putting up a door with zero walls and telling people to stay out of your house.

    All of these things are completely abusable/bypass-able and just annoying for actual humans who trigger flags.

    • swiftcoder 9 minutes ago
      > There is nothing stopping a bot from moving their cursor like a human.

      Sure, we could write a library that slows the bot down and makes it move the cursor in procedurally-generated curves with a certain degree of noise added... but its all extra work, and it all slows the bots down. Presumably they wouldn't reveal that part of the secret sauce if it was all of the secret sauce

      • dubcanada 5 minutes ago
        Acting like a human is something scapers already do. Using residential proxies, using latest Chrome user agents, not moving/typing as fast, etc. This is just 1 more layer, moving mouse naturally.
  • dinkleberg 20 minutes ago
    I wonder how it'll handle those of us who try and use the mouse as infrequently as possible. I imagine the cognitive delay part would be largely telling. But it'll be interesting to see if I start getting blocked because I use vimium.
    • SoftTalker 19 minutes ago
      I think it doesn't really matter, the bots will adapt with much more human-like mouse movement very quickly.
  • kurtoid 45 minutes ago
    how does this interact with keyboard navigation & accessibility tools?
  • timcobb 42 minutes ago
    Gosh, this is all pretty nauseating.
  • PessimalDecimal 1 hour ago
    Is this equivalent to Google Cloud Fraud Defense? https://cloud.google.com/security/products/fraud-defense
    • eth0up 47 minutes ago
      Not sure, but I struggle with skepticism for anyone who blocks archive.today, which cloudflare does, along with nextdns and others. Being blocked by such a large... apologies in advance for 'lack of better word' vernacular, cartel, is a near death sentence.

      Not a fan

      • nerdsniper 22 minutes ago
        CF doesn’t block archive. Archive blocks CF.

        Explanation direct from the CEO of CloudFlare: https://news.ycombinator.com/item?id=19828702

      • pests 40 minutes ago
        archive.today was running a DDOS through their CAPTCHA page
        • eth0up 15 minutes ago
          Although the blocking of archive.today goes back years, as can be verified through forum searches and archives with nextdns and others, I was not aware of this and have no excuse to dispute it. But for the record, the blocking predates 2026 by many years -- and my own records also verify this. That said, I think I need to learn more.
  • freedomben 39 minutes ago
    As a real user who uses an Ultimate Hacking Keyboard with the mouse layer, this frustrates me immensely. Yes I'm a corner case, but this is likely to make certain website not work for me because my lines are perfectly straight and my arcs zig-zag much like a bot might.

    Considering the keyboard/mouse layer feels like an advancement to me, this feels like tech that will lock in the "old" way of doing things.

    I really detest how adversarial the web is getting. I'm not a cloudflare hater but please, please consider people like me when rolling out stuff that affects millions or maybe even hundreds of millions or billions of people.

  • nullc 49 minutes ago
    please drink verification can to continue
    • arm32 46 minutes ago
      Your children are now in custody of Carl's Jr.!
  • carterschonwald 25 minutes ago
    even before the llm era sites would flag me as a bot for opening 15 links to read later. its fucking infuriating now
  • csomar 27 minutes ago
    So now instead of having the slow-axx Cloudflare turnstile slowing down your requests, you get surprised with a "You are a BOT!!!" while you are conducting your business on a website.

    I already quickly close any website that I do not need for business purposes when it shows me the Cloudflare spinner. Now I might have to start considering competitors who do not implement this shit.

  • jawns 1 hour ago
    A product name that fires a shot.

    I wonder if the folks at Cursor feel called out, or just glad that they're big enough to be perceived to be a threat.