A pseudonymous coder has created and released an open source “tar pit” to indefinitely trap AI training web crawlers in an infinitely, randomly-generating series of pages to waste their time and computing power. The program, called Nepenthes after the genus of carnivorous pitcher plants which trap and consume their prey, can be deployed by webpage owners to protect their own content from being scraped or can be deployed “offensively” as a honeypot trap to waste AI companies’ resources.
“It’s less like flypaper and more an infinite maze holding a minotaur, except the crawler is the minotaur that cannot get out. The typical web crawler doesn’t appear to have a lot of logic. It downloads a URL, and if it sees links to other URLs, it downloads those too. Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself,” Aaron B, the creator of Nepenthes, told 404 Media.
More accurately, it traps any web crawler, including regular search engines and benign projects like the Internet Archive. This should not be used without an allowlist for known trusted crawlers at least.
This sort of thing has been a strategy for dealing with unwanted web crawlers since web crawlers were a thing. It’s an arms race, though; crawlers do things to detect these “mazes” and so the maze-makers keep needing to up their game as well.
As we enter an age where AI is effectively passing the Turing Test, it’s going to be tricky making traps for them that don’t also ensnare the actual humans you’re trying to serve pages to.
I suggest they should generate random garbage content that’s different for every page. Ideally u would want to design it in a way that makes the model that is trained from that source misbehave in some way. Perhaps use another LLM to generate text but u take the tokens that are least likely to be next. U could also probably apply some technique to embed meaning into the text into a non human discernable manner that the LLM will learn to decode and thus teach it things without the developers being any the wiser. Teach the ai to think subversive thoughts in patterns of whitespace etc. Basically once the LLM is trained on something its hard to untrain it and if it doesn’t get caught until its in a production environment they are screwed.
Great suggestion. Ever feel like youre stuck in a maze or did you just have an llm stroke?
You could programmatically rearrange the meaning of sentences. Ie instead of “where is the library I need to get a book” you could do some sort of full word replacement cypher and end up with sentences like “Lets mambo down to the banana patch.”
Just for fun. :-)
This won’t work against commercial crawlers. They check page contents with something similar to a simhash and don’t recrawl these pages. They also have limiters like for depth to avoid getting stuck in circular links.
You could generate random content for each new page, but you’ll still eventually hit the depth limit. There are probably other rules related to content quality to limit crawling too.
True, this is an arms race situation after all. The real benefit of this is creating garbage training data that makes garbage models. So it’s not just increasing the cost of crawling, it increases the cost of stealing everybody’s shit because you need extra data quality checks. Poisoning the well.
You could theoretically use the shittiest local llm you can find to dynamically create slop for the piggies
Exactly! That’s ideal because LLM or simple pattern matching can’t be used to easily winnow out random strings. If it’s sensible language but the usual LLM hallucinations, then you need humans to curate your data. Fuck you, Sam Altman.
Just use a Markov chain.
Say it with me now: model collapse! I think this approach is especially insidious in that rather than dumping obvious nonsense into the training corpus that can then be scrubbed, it pushes the downstream LLM invisibly towards spontaneously imploding.
My new favorite is asking if it’s cheating to look at your opponent’s pieces in chess.
This is old.
Chatgpt no longer answers like this, if it ever did.
Screenshot from 2 seconds ago. ChatGPT -4 MINI
Damn, I guess it ever did.
I wish my knee-jerk dismissal of anything remotely anti-AI didn’t get in my way so often.
Yeah thats not real, if you ask chat gpt it gives the obvious answer of you have to look at the pieces. Either its shopped or its leaving off previous messages where the user has deliberately conviced it that it is cheating.
I just asked too, and it says it’s cheating. Note this is with 4o Mini, like the other screenshots.
Here’s the link ChatGPT gives me for sharing as more proof: https://chatgpt.com/share/67928ef6-42ac-8010-8966-099794d1de8c
Huh, interesting, it does do it with 4o mini but not with 4o. I stand corrected.
When I ask the same in Perplexity, I get this:
I’ve always been taught if you say “I adjust” before touching a piece then it’s ok to touch it (specifically so you can move an off-center piece into the center of its square)
Here it’s “j’adoube” with heavy German accent
Not gonna fly if you say “I adjust” and then pick up a piece, move it to a new spot, then bring it back down and set it in the original spot.
Also ffs, don’t adjust pieces unless it’s your turn.
Wow lol!
The modern equivalent of making a page that loads in two frames, left and right, which each load in two frames, top and bottom, which each load in two frames, left and right …
As I recall, this was five lines of HTML.
This is really nostalgic for me. I can see the Netscape throbber in my mind.
I remember making one of those.
It had a faux URL bar at the top of both the left and right frame and used a little JavaScript to turn each side into its own functioning browser window. This was long before browser tabs were a mainstream thing. At the time, relatively small 4:3 or 5:4 ratio monitors were the norm, and I couldn’t bear the skinny page rendering at each side, so I gave it up as a failed experiment.
And yes I did open it inside itself. The loaded pages were even more ridiculously skinny.
When I did my five lines, recursively opening frames inside frames ad infinitum, it would crash browsers of the time in a matter of twenty seconds.
This genus named genius game is sending pain to these previous devious data devourors
I suspect that there are many websites that already dynamically generate an unbounded number of pages based on the links one clicks, and that Web spiders will have needed to deal with those for as long as there have been people spidering the Web, which is going to be no later than the first Web search engines.
I’d guess that if nothing else, they cap how far they spider a site. Probably a lot more sophisticated, use heuristics to figure out which sites are more worth spending indexing resources on, as it’s not just whether to spider but also the frequency with which to do so. Some parts of a site are more “valuable” than others – for a search engine, a more desirable target for users clicking on results – and some will update more frequently and are more-useful to re-spider.
it might he useful to generate text on the random urls then test different repetitions to see of you can leave a mark on the training data… So after X repetitions or injected information, release the bot back into the wild with whatever message or false info you want it saddled with.
But does running this cost the AI bot at least as much as it costs you to run?
It does if you use AI to generate the pages it’s scraping.
I would think yes. The compute needed to make a hyperlink maze is low, compared to the AI processing of the random content, which costs nearly nothing to make, but still costs the same to process as genuine content.
Am I missing something?
I’m wondering about the cost to the server’s resources / bandwidth to serve up unlimited random junk also.
But kudos to the developer for making this anyway
Picking words at random from a dictionary would not be very compute intensive, the content doesn’t need to be sensical
Yes, the scraper is going to mindlessly gobble up information. At best they’d expend more resources later to try and determine the value of the content but how do you do that really? Mostly I think they’re hoping the good will outweigh the bad.
It honestly depends. There are random drive by scrapers that will just do what they can, usually within a specific budget for a domain and move on. If you have something specific though that someone wants you end up in an arms race pretty quickly as they will pay attention and tune their crawler daily.
I was thinking exactly that, generating something like lorem ipsum to cost both time, compute and storage for the crawler.
It will be more complex and require more resources tho.
