"Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself."

A pseudonymous coder has created and released an open source “tar pit” to indefinitely trap AI training web crawlers in an infinitely, randomly-generating series of pages to waste their time and computing power. The program, called Nepenthes after the genus of carnivorous pitcher plants which trap and consume their prey, can be deployed by webpage owners to protect their own content from being scraped or can be deployed “offensively” as a honeypot trap to waste AI companies’ resources.

“It’s less like flypaper and more an infinite maze holding a minotaur, except the crawler is the minotaur that cannot get out. The typical web crawler doesn’t appear to have a lot of logic. It downloads a URL, and if it sees links to other URLs, it downloads those too. Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself,” Aaron B, the creator of Nepenthes, told 404 Media.

  • Jordan117@lemmy.worldEnglish
    60·
    5 months ago

    More accurately, it traps any web crawler, including regular search engines and benign projects like the Internet Archive. This should not be used without an allowlist for known trusted crawlers at least.

    • Treczoks@lemmy.worldEnglish
      30·
      5 months ago

      Just put the trap in a space roped off by robots.txt - any crawler that ventures there deserves being roasted.

    • DreamlandLividity@lemmy.worldEnglish
      17·
      5 months ago

      More accurately, it traps any web crawler

      More accurately, it does not trap any competent crawlers, which have per domain limits on how many pages they crawl.

      • Echo Dot@feddit.ukEnglish
        5·
        5 months ago

        You would still want to tell the crawlers that obey robots.txt do not pay attention to that part of the website. Otherwise it’s just going to break your SEO

    • finitebanjo@lemmy.worldEnglish
      11·
      5 months ago

      How exactly would that work? Would trusted crawlers be blocked from accessing the maze?

    • doylio@lemmy.caEnglish
      46·
      5 months ago

      Picking words at random from a dictionary would not be very compute intensive, the content doesn’t need to be sensical

      • BrianTheeBiscuiteer@lemmy.worldEnglish
        8·
        5 months ago

        Yes, the scraper is going to mindlessly gobble up information. At best they’d expend more resources later to try and determine the value of the content but how do you do that really? Mostly I think they’re hoping the good will outweigh the bad.

        • tempest@lemmy.caEnglish
          4·
          5 months ago

          It honestly depends. There are random drive by scrapers that will just do what they can, usually within a specific budget for a domain and move on. If you have something specific though that someone wants you end up in an arms race pretty quickly as they will pay attention and tune their crawler daily.

  • FaceDeer@fedia.io
    411·
    5 months ago

    This sort of thing has been a strategy for dealing with unwanted web crawlers since web crawlers were a thing. It’s an arms race, though; crawlers do things to detect these “mazes” and so the maze-makers keep needing to up their game as well.

    As we enter an age where AI is effectively passing the Turing Test, it’s going to be tricky making traps for them that don’t also ensnare the actual humans you’re trying to serve pages to.

  • count_dongulus@lemmy.worldEnglish
    392·
    5 months ago

    This won’t work against commercial crawlers. They check page contents with something similar to a simhash and don’t recrawl these pages. They also have limiters like for depth to avoid getting stuck in circular links.

    You could generate random content for each new page, but you’ll still eventually hit the depth limit. There are probably other rules related to content quality to limit crawling too.

  • renzev@lemmy.worldEnglish
    31·
    5 months ago

    This reminds me of that one time a guy figured out how to make “gzip bombs” that bricked automated vuln scanners.

  • daniskarma@lemmy.dbzer0.comEnglish
    252·
    5 months ago

    Yeah, that has like 0 chances for working. At most it would annoy bots for web search, at least it has a proper robots.txt.

    But any agent trying to process data for AI is not going to go to random websites. It’s going to use a curated list of sites with valuable content.

    At this point text generation datasets can be achieved with open data, and data sold by companies like reddit or Microsoft, they don’t need to “pirate” your blog posts.

  • tal@lemmy.todayEnglish
    151·
    5 months ago

    I suspect that there are many websites that already dynamically generate an unbounded number of pages based on the links one clicks, and that Web spiders will have needed to deal with those for as long as there have been people spidering the Web, which is going to be no later than the first Web search engines.

    I’d guess that if nothing else, they cap how far they spider a site. Probably a lot more sophisticated, use heuristics to figure out which sites are more worth spending indexing resources on, as it’s not just whether to spider but also the frequency with which to do so. Some parts of a site are more “valuable” than others – for a search engine, a more desirable target for users clicking on results – and some will update more frequently and are more-useful to re-spider at higher frequency. Google will return current news articles, yet still indexes a large portion of the content out there. They won’t be doing that by simply sending GoogleBot at everything that they’ve indexed at a fixed frequency.

  • wise_pancake@lemmy.caEnglish
    111·
    5 months ago

    This genus named genius game is sending pain to these previous devious data devourors

  • Nougat@fedia.io
    101·
    5 months ago

    The modern equivalent of making a page that loads in two frames, left and right, which each load in two frames, top and bottom, which each load in two frames, left and right …

    As I recall, this was five lines of HTML.

    • palordrolap@fedia.io
      2·
      5 months ago

      I remember making one of those.

      It had a faux URL bar at the top of both the left and right frame and used a little JavaScript to turn each side into its own functioning browser window. This was long before browser tabs were a mainstream thing. At the time, relatively small 4:3 or 5:4 ratio monitors were the norm, and I couldn’t bear the skinny page rendering at each side, so I gave it up as a failed experiment.

      And yes I did open it inside itself. The loaded pages were even more ridiculously skinny.

      • Nougat@fedia.io
        21·
        5 months ago

        When I did my five lines, recursively opening frames inside frames ad infinitum, it would crash browsers of the time in a matter of twenty seconds.

  • DarkCloud@lemmy.worldEnglish
    51·
    5 months ago

    it might he useful to generate text on the random urls then test different repetitions to see of you can leave a mark on the training data… So after X repetitions or injected information, release the bot back into the wild with whatever message or false info you want it saddled with.

  • 🇦🇺𝕄𝕦𝕟𝕥𝕖𝕕𝕔𝕣𝕠𝕔𝕠𝕕𝕚𝕝𝕖@lemm.eeEnglish
    24·
    5 months ago

    I suggest they should generate random garbage content that’s different for every page. Ideally u would want to design it in a way that makes the model that is trained from that source misbehave in some way. Perhaps use another LLM to generate text but u take the tokens that are least likely to be next. U could also probably apply some technique to embed meaning into the text into a non human discernable manner that the LLM will learn to decode and thus teach it things without the developers being any the wiser. Teach the ai to think subversive thoughts in patterns of whitespace etc. Basically once the LLM is trained on something its hard to untrain it and if it doesn’t get caught until its in a production environment they are screwed.

    • renzev@lemmy.worldEnglish
      3·
      5 months ago
      1. Invent some incredibly specific but entirely false fact (e.g. the kingdom of bolivia was once ruled by King Aron the Benevolent before he was brutally murdered by his cousin-in-law over a dispute about the colonies)
      2. Embed said fact in invisible font among material you own the copyright to
      3. Let AI bots suck it up as training data
      4. Ask random AI bots about King Aron the Benevolent of Bolivia and sue the companies since you now have proof that they violated your copyright

      I mean this probably wouldn’t work from a legal standpoint, but whatever. It’s nice to image.

    • 0x0@infosec.pubEnglish
      3·
      5 months ago

      Great suggestion. Ever feel like youre stuck in a maze or did you just have an llm stroke?