You'd think.

But then you'd think people would do a lot of other things too. I hope, I guess.

The other danger is that "the cloud" may become even more overwhelmingly dominant. Which of course has its own large security costs.

Hmm. What do those systems do for cryptography? Just assume it won't work and not rely on it at all?

How do you know? If the people who like to crow about vulnerabilities aren't doing it, it doesn't mean that the people who are actually in a position to exploit them systematically and effectively aren't doing it.

Those embargoes have always been dangerous, because they create a false sense of security. But, as you point out...

> With AI, anyone can do this to any software.

Yep. Even if it hadn't been true before, it's clear that now you just have to assume that everybody relevant will immediately recognize the security impact of any patch that gets published. That includes both bugs fixed and bugs introduced.

... and as the AI gets better, you're going to have to assume that you don't even have to publish a patch. Or source code. Within way less time than it's going to take people to admit it and adjust, any vulnerability in any software available for inspection is going to be instant public knowledge. Or at least public among anybody who matters.

It's probably messing up the cryptography, too.

The CAPTCHA challenge page itself has to be served to a client that has not yet given any evidence that it's not a bot. It's just as expensive to serve the challenge page as it is to serve a cookie-setting page. Bots can infinitely retrieve the challenge page (and can also infinitely try to retrieve the underlying "authenticated" page, forcing you to process redirects).

The only reason it looks better to you is that a third party is serving the CAPTCHA. You could also have a third party serve the cookie-setting page.

But you don't have to, and you definitely don't have to completely rely on it. Look for a cookie. If you don't see it, route the client through a page that sets it.

Yes, this is subject to flooding attacks... in exactly the same way that every CAPTCHA system is subject to flooding attacks. But it actually uses fewer resources per request than showing the CAPTCHA would.

Don't you...

I know, people will slavishly knuckle under, but let me dream for a few minutes.

Young MAGA-adjacent dumbass who can't get laid sees pretty girl spouting MAGA stuff, reads all her posts and follows her or whatever, The Algorithm(TM) feeds him more MAGA stuff and MAGA posters, his whole social and information environment becomes that much more MAGA. Works even if he knows from the beginning that she's AI, but just likes the eye candy.

> or that there's meaningful room for further embittering them.

Young dumbass who can't get laid sends money, doesn't get the engagement he wants and/or realizes she's AI, can't accept feeling stupid, further projects his problems onto everything and everybody outside of himself, seeks out material that enourages him to do that...

You mean the obvious commercial losses caused by keeping an expensively created product effectively off the market altogether?

What the actual fuck is with people who come up with stuff like this?