When we detect unauthorized crawling, rather than blocking the request, we will link to a series of AI-generated pages that are convincing enough to entice a crawler to traverse them. But while this content looks real, it is not the actual content of the site we are protecting, so the crawler wastes time and resources.
As an added benefit, AI Labyrinth also acts as a next-generation honeypot. No real human would go four links deep into a maze of AI-generated nonsense. Any visitor that does is very likely to be a bot, so this gives us a brand-new tool to identify and fingerprint bad bots, which we add to our list of known bad actors. [...]
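The post doesn't explain the detection mechanics, but the core signal described here is just traversal depth. A deliberately simplified sketch, where the threshold, the in-memory storage, and the function names are all invented for illustration and are not Cloudflare's code:

```typescript
// Hypothetical "went too deep into the maze" check. Real bot scoring is far
// more involved; this only illustrates depth-as-a-signal.
const labyrinthDepth = new Map<string, number>(); // clientId -> decoy pages fetched

function recordDecoyHit(clientId: string): boolean {
  const depth = (labyrinthDepth.get(clientId) ?? 0) + 1;
  labyrinthDepth.set(clientId, depth);
  // No human follows four hidden links in a row, so treat that as a bot signal.
  return depth >= 4;
}
```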
...
To generate convincing human-like content, we used Workers AI with an open source model to create unique HTML pages on diverse topics. Rather than creating this content on-demand (which could impact performance), we implemented a pre-generation pipeline that sanitizes the content to prevent any XSS vulnerabilities, and stores it in R2 for faster retrieval. We found that generating a diverse set of topics first, then creating content for each topic, produced more varied and convincing results. It is important to us that we don’t generate inaccurate content that contributes to the spread of misinformation on the Internet, so the content we generate is real and related to scientific facts, just not relevant or proprietary to the site being crawled.
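The post doesn't include code, but a minimal sketch of such a pre-generation pipeline on a scheduled Worker might look like the following. The binding names, the model ID, the topic list, and the sanitizer are assumptions for illustration, not Cloudflare's actual implementation:

```typescript
// Hypothetical pre-generation pipeline. Everything named here is illustrative.
export interface Env {
  AI: any;                // Workers AI binding, typed loosely for the sketch
  DECOY_BUCKET: R2Bucket; // R2 bucket where pre-generated decoy pages live
}

const TOPICS = ["soil chemistry", "tidal patterns", "the history of typography"];

export default {
  // Run on a cron trigger so generation never happens on the request path.
  async scheduled(_controller: unknown, env: Env): Promise<void> {
    for (const topic of TOPICS) {
      const result = await env.AI.run("@cf/meta/llama-3.1-8b-instruct", {
        prompt: `Write a short, factual HTML article about ${topic}.`,
      });
      // Strip anything executable before storing, so the decoys can't introduce XSS.
      const safeHtml = sanitize(result.response as string);
      await env.DECOY_BUCKET.put(`decoys/${crypto.randomUUID()}.html`, safeHtml, {
        httpMetadata: { contentType: "text/html" },
      });
    }
  },
};

// Extremely naive sanitizer for the sketch; a real pipeline would use a proper HTML sanitizer.
function sanitize(html: string): string {
  return html
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/\son\w+="[^"]*"/gi, "");
}
```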
This pre-generated content is seamlessly integrated as hidden links on existing pages via our custom HTML transformation process, without disrupting the original structure or content of the page. Each generated page includes appropriate meta directives to protect SEO by preventing search engine indexing. We also ensured that these links remain invisible to human visitors through carefully implemented attributes and styling. To further minimize the impact to regular visitors, we ensured that these links are presented only to suspected AI scrapers, while allowing legitimate users and verified crawlers to browse normally.
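Again purely as an illustration (Cloudflare doesn't publish the real transform), injecting such a link with the Workers HTMLRewriter could look roughly like this; the URL path, attributes, and styling are made up:

```typescript
// Hypothetical response transform: append a link that humans won't see but naive
// HTML parsers will follow. The markup here is illustrative, not Cloudflare's.
function addDecoyLink(response: Response): Response {
  return new HTMLRewriter()
    .on("body", {
      element(body) {
        body.append(
          `<a href="/labyrinth/${crypto.randomUUID()}" style="display:none" ` +
            `aria-hidden="true" tabindex="-1" rel="nofollow">Related reading</a>`,
          { html: true },
        );
      },
    })
    .transform(response);
}

// The generated decoy pages themselves would carry a directive like
// <meta name="robots" content="noindex, nofollow"> so search engines skip them.
```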
...
Enabling AI Labyrinth is simple and requires just a single toggle in your Cloudflare dashboard.
I like that it doesn’t try to poison LLMs with fake information. Whatever you think of LLMs, the reality is people are going to use them and it’s better that they become more accurate rather than less.
Your comment that this "doesn’t try to poison LLMs with fake information" got me thinking.
Using correct information for the labyrinth creates an incentive for the misbehaving bots to avoid Cloudflare. If successful, that solves the immediate issue of misbehavior. However, we're then teaching the bots that bad/fake information = legit source (not a trap)... which poisons the LLMs with fake information.
Are we on a one-way road to LLM enshittification?
There's a lot of fake or misleading information out in the world that people believe regardless of whether or not AI exists. I have had plenty of human teachers teach me wrong things during my childhood that I believed until I was proven wrong. I think LLMs hallucinate because people 'hallucinate' and get confused too.
I personally don't understand why an AI crawler would even want the information from some blog post by some Joe Schmoe in the first place, especially over something like scientific journals. Which leads me to believe they must weigh the data they train on, rather than simply dumping it all into a single massive set they give equal 'truth' to? I have little idea how AI training works or how they'd program something like 'truth' but I have to imagine there's some sort of guardrail there? maybe? hopefully?
I definitely remember learning (and then having to unlearn) a number of false things from school. Damn that map of the tongue's taste buds!
> I think LLMs hallucinate because people 'hallucinate' and get confused too.
Actually, hallucination is not caused by learning on bad data. It's more so the result of how LLMs work as a fundamental concept. I'll not get too deep in the weeds here because there's plenty of better explanations online, but the basic idea is that they are statistical prediction machines. They don't inherently "know" anything, or have a database of facts. Instead, they have a model of token relationships. Tokens are like words, except they better map to the idea of concepts or things. The token for "dog" has some proximity to the token for "cute". These relationships are built by scanning a lot of data (like the web), and slightly adjusting the model weights every time they read something new. Every page, comment, or sentence makes just a tiny tweak to the existing model.
Once you've completed training, you can move on to inference. This is the step where you enter a prompt, like "I think dogs are...", and let the language model assign probabilities to the next word. With enough training data, you start to see useful and meaningful predictions.
Current models take this further so that instead of just completing thoughts, they can answer questions or other prompts. They work on the same principle of statistical token generation, but with a little work behind the scenes to make them conversational.
With enough training data, these models aren't limited to just writing reasonable sentences. They begin to develop emergent abilities like writing code, reasoning out problems, or transforming data. They are not suited to certain tasks such as performing math operations, or counting characters in words.
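To make the "statistical prediction machine" idea concrete, here's a toy sketch that just counts which word follows which in a tiny corpus. It's nothing like a real transformer, but the predict-the-next-token framing carries over:

```typescript
// Toy next-word predictor: count which word follows which, then pick the most
// frequent follower. Real LLMs learn weighted token relationships, not raw
// counts, but the basic "predict the next token" idea is the same.
function train(corpus: string): Map<string, Map<string, number>> {
  const counts = new Map<string, Map<string, number>>();
  const words = corpus.toLowerCase().split(/\s+/).filter(Boolean);
  for (let i = 0; i + 1 < words.length; i++) {
    const followers = counts.get(words[i]) ?? new Map<string, number>();
    followers.set(words[i + 1], (followers.get(words[i + 1]) ?? 0) + 1);
    counts.set(words[i], followers);
  }
  return counts;
}

function predictNext(model: Map<string, Map<string, number>>, word: string): string | undefined {
  const followers = model.get(word.toLowerCase());
  if (!followers) return undefined; // no data, no prediction
  return [...followers.entries()].sort((a, b) => b[1] - a[1])[0][0];
}

const model = train("i think dogs are cute . i think dogs are cute . i think dogs are loud .");
console.log(predictNext(model, "are")); // "cute", simply the more frequent continuation
```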
> I personally don't understand why an AI crawler would even want the information from some blog post by some Joe Schmoe in the first place, especially over something like scientific journals.
Microsoft Phi is a Small Language Model that trains specifically on high-value data: journals, papers, etc. The result is a language model that boasts high benchmark scores and does extremely well in some domains, but falls down in conversational ability and natural language understanding (i.e. actually understanding the user). This kind of model is useful for specific niches. Joe Schmoe's blog can still be of help in understanding how people interact online.
> I personally don't understand why an AI crawler would even want the information from some blog post by some Joe Schmoe in the first place
LLMs don't learn facts, and they don't know what's true and what isn't. They're trained to mimic human writing patterns: they get a set of words and guess the most likely next word. Blog posts are also human writing, and the more human writing you train them on, the better they'll understand the patterns in which people use words, and the better they'll mimic those patterns.
LLMs giving factual information is basically a side effect of having more factual information than fake. When they see "the sky is", their training data has much more instances of "the sky is blue" than "the sky is green", so that's what they predict.
There are, of course, guardrails, but they're mostly there to avoid harmful content and obvious misinformation. So some alt-right forums or conspiracy theory blogs may be removed from the training data.
But that's pretty rare, since most of the safety guardrails are added as an extra training step. So first, the model is trained on a huge amount of human writing to learn how people speak. Then, it goes through a process where it generates a bunch of stuff, and that stuff is graded by a human or other AI based on how good of a response it is. This step significantly improves the quality of the model, and also filters out inappropriate and harmful responses.
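A cartoon version of that grading step, if it helps: this is just best-of-n selection against a stand-in scoring function, not the actual reinforcement-learning machinery, and every name here is made up:

```typescript
// Toy "generate, grade, keep the best" loop. In practice the grades come from
// humans or a trained reward model, and training nudges the model's weights
// toward the highly graded answers rather than just picking one at runtime.
type Grader = (prompt: string, response: string) => number;

function bestResponse(
  prompt: string,
  generate: (prompt: string) => string,
  grade: Grader,
  samples = 4,
): string {
  const candidates = Array.from({ length: samples }, () => generate(prompt));
  return candidates.reduce((best, candidate) =>
    grade(prompt, candidate) > grade(prompt, best) ? candidate : best,
  );
}
```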
> I think LLMs hallucinate because people 'hallucinate' and get confused too.
No, LLMs aren't that intelligent. Many apparent LLM hallucinations are actually just re-hashing mistruths ingested in the dataset, like that "Google tells people to put glue on pizza" kerfuffle (detecting sarcasm in the original dataset is difficult, hence the phrase "garbage in, garbage out"). But even the true hallucinations occur because LLMs are statistical models that have a very hard time saying "I don't know": that answer shows up so rarely in the dataset, in a form that looks applicable to the prompts we provide, that the model almost never predicts it.
Humans have innocent misrecollections and just make shit up to sound smart all the time.
Edit: Think about it - if someone posts a weird question to a forum, most people aren't going to respond "I don't know" because that's not a very helpful response; instead, they're just going to let someone who does know (or who claims to know) chime in, even if that means nobody ever responds. And if nobody responds (or if the dataset doesn't contain anything close to the prompt you've given it), this can easily cause hallucinations. This is a fundamental limitation of current-generation LLMs: if something is not in the dataset, you're unlikely to ever get a useful response on the topic, and since so few people ever say "I don't know" online, there are very few chances that the LLM will say "I don't know" vs. making shit up, which is quite common by comparison, especially since an LLM doesn't truly understand what it does and doesn't "know".
> I personally don't understand why an AI crawler would even want the information from some blog post by some Joe Schmoe in the first place, especially over something like scientific journals.
Because the companies who make and train models like LLMs want them to be broadly applicable as that increases the addressable market. Having random blog posts and reddit threads provides a diversity of language (i.e. not a strictly academic vocabulary) and provides a lot of interesting perspectives (some more valuable than others) that you just won't find in journal articles.
I have no issues with poisoning LLMs that train on content without permission. We are under no obligation to make everyone's product better, or to expedite the centralisation of power to tech bros.
As a non-tech scenario: if someone tries to read my correspondence or tries to access my medical records, I would feel very justified in giving them fake information, especially if it helps identify those who try.
I see LLMs as no different, and poisoning them is justified especially if it helps to identify them later. People used to do similar with dictionaries and maps. See: 1, 2
In fact, I would prefer to have the option to do this with this tool.
This was always a likely outcome. The main power of these things is an inhuman rate of content generation and consumption.
While we can also make tools directly positioned to screw with how they work, an obvious solution is to just throw an equal amount of useless content at it.
You would have to go out of your way to find the hidden links in the web page that actually take you to the LLM garbage. Crawlers don’t see web pages like people do, they parse the HTML for hrefs. Cloudflare is inserting hidden hrefs for crawlers to find that would probably be impossible for a regular actor to encounter by chance.
From the blog post:
> This pre-generated content is seamlessly integrated as hidden links on existing pages via our custom HTML transformation process, without disrupting the original structure or content of the page. Each generated page includes appropriate meta directives to protect SEO by preventing search engine indexing. We also ensured that these links remain invisible to human visitors through carefully implemented attributes and styling.
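As a simplified sketch of what "parsing the HTML for hrefs" looks like (not any particular crawler's code), every href in the markup is just another URL to queue, CSS or no CSS:

```typescript
// A naive scraper doesn't render CSS, so "display:none" or aria-hidden means
// nothing to it: every href in the markup looks like a page worth fetching.
function extractLinks(html: string, baseUrl: string): string[] {
  const links: string[] = [];
  const hrefPattern = /<a\b[^>]*\bhref="([^"]+)"/gi;
  let match: RegExpExecArray | null;
  while ((match = hrefPattern.exec(html)) !== null) {
    links.push(new URL(match[1], baseUrl).toString());
  }
  return links;
}

const page = `<p>Real content</p><a href="/labyrinth/abc" style="display:none">More</a>`;
console.log(extractLinks(page, "https://example.com"));
// => ["https://example.com/labyrinth/abc"]
```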
So we're using AI generated content to trick AI bots to stop them from grabbing things to make AI content?
Sounds like LLM developers can prevent that from happening by not misbehaving. I have no idea what that entails or what the knock-on effects would be.
Generally respecting robots.txt would be a good start.
And maybe only scraping once every 15 to 30 minutes or so.
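For what it's worth, "respecting robots.txt" mostly just means honoring something like the following as written (the bot name is only an example; Crawl-delay is expressed in seconds and not every crawler honors it at all):

```
# Example robots.txt a site might publish.
User-agent: GPTBot
Disallow: /

# Everyone else: stay out of private paths and slow down between requests.
User-agent: *
Disallow: /private/
Crawl-delay: 30
```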
Fantastic timing in relation to this tildes thread:
https://tildes.net/~tech/1mso/please_stop_externalizing_your_costs_directly_into_my_face
Ohhh, I like this. I like this a lot.