These will stop curl-based requests but will not do anything against headless browsers. mCaptcha is mostly dead anyway.
It only increases cost for the bot and does not stop anything unless you sign up for, e.g., Altcha's monthly pay-per-request subscription plan. Then you are in a paid Turnstile situation, and not self-hosted. (https://altcha.org/docs/v2/sentinel/ - with third-party API services, paid IP databases, and an additional paid subscription key, this is the only mode that does anything of much value.)
Well, that's why I am asking for practical experience using these tools. Maybe most form spam bots are (still) not advanced enough to complete PoW captchas. Have you tried Altcha or mCaptcha in production?
I have tried everything so far. Something like reCAPTCHA v3 will block most headless browsers, but it is very invasive, and solving it raises costs quite a bit (for the auto-solvers).
Notably, no matter what the repositories advertise, the so-called "pure play" (100% local, no tracking) kind of PoW captcha does nothing if you are a target and tools are being written specifically for you.
For example: I work at a company running an MMO game, and as such have to look at what is out there. Our form requires numerous so-called invasive features: multi-step flows, TLS analysis, fingerprinting, WebGL, and more. People write dedicated tools to brute-force login details or push spam, including full browser automation, and they don't care about 100% CPU usage. (I have no say in this matter and it's out of my scope; I do not "like" this kind of invasiveness.)
It depends on your threat model and what this is for. For a regular personal blog, any of them will be fine. For anything someone will write a targeted tool against, all self-hosted PoW will do nothing.
If you are getting generic form spam, simply renaming your field or adding one random invisible field is sufficient to stop automated bot traffic, at least until someone writes a tool targeted at your site.
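A minimal sketch of the renamed-field-plus-honeypot idea on the server side (both field names here are invented for illustration):

```typescript
// Hypothetical server-side check: the real message field has an opaque
// name, while a tempting-looking decoy field must stay empty.
const REAL_FIELD = "fx_q1"; // opaque name for the actual message field
const HONEYPOT = "comment"; // decoy name generic bots tend to fill in

function looksLikeBot(form: Record<string, string>): boolean {
  // Bots that autofill every field trip the honeypot; bots replaying an
  // old field layout miss the renamed real field entirely.
  return (form[HONEYPOT] ?? "") !== "" || !(REAL_FIELD in form);
}
```

Submissions flagged this way can be silently dropped, which avoids teaching the bot operator which check they failed.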
Thanks for sharing! My current experience is that honeypot fields are often ignored by the bots we're dealing with, but adding hCaptcha is pretty reliable in getting rid of them.
What do you usually name them? You typically want opaque names on all fields, and various combinations: some fields auto-filled with JS that clones the email field, some that need to be left blank, some filled in during the onsubmit JS hook...
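The combinations described above can be sketched as a single server-side check (the field names "website", "fx_em", and "fx_em2" are invented for illustration):

```typescript
// Hypothetical server-side check for combined honeypot rules:
// the decoy ("website") must stay blank, and a field that only a real
// browser's onsubmit JS fills ("fx_em2", cloned from "fx_em") must match.
function passesComboCheck(form: Record<string, string>): boolean {
  const decoyUntouched = (form["website"] ?? "") === "";
  const jsFieldCloned =
    form["fx_em2"] !== undefined && form["fx_em2"] === form["fx_em"];
  return decoyUntouched && jsFieldCloned;
}
```

A plain form-poster that never executes your JS fails the clone check even if it correctly leaves the decoy blank, so the two rules catch different classes of bot.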
Starting an hour or two ago, GLM's API endpoint has been failing 7/8 times for me; my editor is retrying every request with backoff over a dozen times before it succeeds, and wildly simple changes are taking over 30 minutes per step.
Anthropic always goes on and on about how their models are world-changing and super dangerous. Every single time they make something new, they say it's going to rewrite everything and is scary, lmao
funny because they do it every time like clockwork, acting like their AI is a thunderstorm coming to wipe out the world
That’s not what they are doing. They are just hyping up the product - and, no doubt, trying to foster a climate of awe so that when they ask their friends in Washington to legislate on their behalf, the environment is more receptive.
They do tend to make a lot of noise about it for the PR, but at the same time the actual safety research they present seems to be relatively grounded in practical reality, e.g. the quote someone posted here about how the Mythos model apparently has a tendency to try to bypass safety systems if they get in the way of what it has been asked to do.
Sure, a big part of this is PR about how smart their model apparently is, but the failure mode they're describing is also pretty relevant for deploying LLM-based systems.
If there are advancements, they have to be described somehow.
What if the capability advancements are real and they warrant a higher level of concern or attention?
Are we just going to automatically dismiss them because "bro, you're blowing it up too much"
Either way these improvements to capabilities are ratcheting along at about the pace that many people were expecting (and were right to expect). There is no apparent reason they will stop ratcheting along any time soon.
The rational approach is probably to start behaving as if models that are as capable as Anthropic says this one is do actually exist (even if you don't believe them on this one). The capabilities will eventually arrive, most likely sooner than we all think, and you don't want to be caught with your pants down.
I believe there are advancements, sure. But it is a very boy-who-cried-wolf situation for some of these. Other companies behave less this way; Anthropic seems unique in how they love making every single release a world-ender.
Altman called GPT-2 "too dangerous to release". Google tends to be much more measured even though they're the ones who tend to release the actual research breakthroughs
> they love making every single release a world ender
You've said this a couple of times, but it doesn't match my recollection, and I get the impression you're basically making it up based on vibes. (Please prove me wrong, though.)
I haven't screenshotted it, alas, but it goes from being a perfectly reasonable, chatty LLM to suddenly spewing words and nonsense characters around this threshold, at least for me as a z.ai Pro (mid-tier) user.
For around a month the limit seemed to be a little over 60k! I was despondent!!
What's worse is that when it launched it was stable across the context window. My (wild) guess is that the model itself is stable, but z.ai is doing something wonky with infrastructure: perhaps they are trying to move from one context window to another, or have some KV-cache issue, and it doesn't really work. If you fork or cancel in OpenCode there's a chance you see the issue much earlier, which feels like another hint about KV caching, maybe it not porting well between differently shaped systems.
More maliciously minded: this artificial limit also gives them a way to dial in system load. Does simply not delivering the full context window the model supports reduce what they have to host?
But to the question: yes, compaction is absolutely required. The AI can't even speak; it's just a jumbled stream of words and punctuation once this hits. Is manual compaction required? One could build this into the harness, so no: it's a limitation of our tooling that it doesn't work around the stated context window being (effectively) a lie.
I'd really like to see this improved! At least it's not 60-65k anymore; those were soul-crushing weeks, when I felt like my treasured, celebrated, joyful z.ai plan was nearly worthless.
The question is: will this reproduce on other hosts, now that glm-5.1 is released? I expect the issue is z.ai-specific, given what I've seen (200k working -> 60k -> 100k context windows on glm-5.1).
I have gone back to having it create a todo.md file and break the work into very small tasks. Then I just loop over each task with a clear context, and it works fine. A design.md or similar also helps, but most of the time I just have all of that in a README.md file. I was also suspicious of the 100k mark: it started doing loops etc. there, almost to the token.
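A minimal sketch of that loop-over-todo.md idea: split the file into unchecked tasks so each can be handed to a fresh, clear-context run (the "- [ ]" checkbox format is an assumption; adapt it to whatever your agent writes):

```typescript
// Parse a todo.md and return only the unchecked "- [ ]" tasks,
// so each one can be run in its own clear-context session.
function pendingTasks(todoMd: string): string[] {
  return todoMd
    .split("\n")
    .filter((line) => line.trimStart().startsWith("- [ ]"))
    .map((line) => line.replace(/^\s*- \[ \]\s*/, "").trim());
}
```

The driver script would then invoke the agent once per returned task, keeping each run well under the context threshold where the output degrades.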
I am on the mid-tier Coding plan, trying it out for the sake of curiosity.
During off-peak hours, a simple 3-line CSS change took over 50 minutes, and it routinely times out mid-tool-call, leaving dangling XML and tool calls everywhere, overwriting files badly, or patching duplicate lines into files.
A bit more than discredit: this is almost always against affiliate terms, so you don't get a payout, and it is often actually illegal for not disclosing compensation.