Project ideas from Hacker News discussions.

Google Cloud fraud defense, the next evolution of reCAPTCHA

📝 Discussion Summary

1. Google’s tightening control over web access

“Google, a multi‑billion dollar company, is going to make the customers of their corporate clients pull out a phone and do some bullshit just to visit a website.” – dangus

2. Exclusion of non‑smartphone users & added friction

“I will be unable to solve the phone verification because I use LineageOS for microG, but any fraudster can just buy a bunch of $30 Android phones.” – Hizonner

3. Distrust of Google and demand for alternatives

“There are literally dozens of open source alternatives that aren’t feeding the Do‑Be‑Evil company…” – bobbiechen

4. Surveillance‑by‑attestation and ecosystem lock‑in

“The attestation will include a unique ID of the phone, so that if you get banned you have to keep buying new phones and keep paying money to Google.” – tardedmeme


🚀 Project Ideas

OpenDeviceAttest

Summary

  • Offers an open‑source, self‑hosted alternative to Google Play Integrity that lets any site verify device integrity without Google’s proprietary APIs.
  • Provides a transparent verification token that can be checked server‑side to decide whether to serve CAPTCHAs.

Details

| Key | Value |
|---|---|
| Target Audience | Site owners of medium‑traffic web services, open‑source communities, and privacy‑first platforms |
| Core Feature | Local device attestation using Android SafetyNet‑compatible keys and WebAttestation, no Google Play Services required |
| Tech Stack | Go, SQLite, gRPC‑Web, Docker, Prometheus/Grafana |
| Difficulty | High |
| Monetization | Revenue-ready: Pay-per-request: $0.001 per verification |

Notes

  • Aligns with HN calls for “alternatives to Google lock‑in” and the need to “raise the barrier to entry” without vendor control.
  • Would let services like “grep.app” avoid costly bot traffic while staying independent of Google.

BotShieldAPI

Summary

  • Delivers a lightweight API that issues AI‑resistant proof‑of‑work challenges (similar to Anubis) to make large‑scale bot scraping economically unviable.
  • Returns cryptographic tokens that can be validated server‑side, allowing sites to keep existing integrations.

Details

| Key | Value |
|---|---|
| Target Audience | Small‑to‑medium web services, API providers, and marketplaces vulnerable to automated abuse |
| Core Feature | AI‑resistant PoW with adjustable difficulty, optional rate‑limiting hooks |
| Tech Stack | Rust, Actix‑web, PostgreSQL, Docker |
| Difficulty | Medium |
| Monetization | Revenue-ready: Freemium (1000 requests free, then $0.005 per request) |

Notes

  • Direct response to “CAPTCHAs are not fraud detection and not an ongoing effort” – solves the “ongoing effort” gap.
  • HN users lament the “river of crap” of spam; this offers a pragmatic, revenue‑neutral way to block it.

QRBypassLab

Summary

  • Provides a SaaS platform that lets developers test how their site behaves under Google’s new QR‑code verification without needing physical phones.
  • Offers a virtual device farm that simulates certified Android devices and returns realistic attestation responses.

Details

| Key | Value |
|---|---|
| Target Audience | Web developers, QA engineers, and SaaS founders who need to validate redirects, fallbacks, and failover logic |
| Core Feature | Virtualized Play Integrity attestations via mocked Firebase responses, auto‑rotation of device fingerprints |
| Tech Stack | Python (FastAPI), Docker Compose, Redis, OpenTelemetry |
| Difficulty | Low |
| Monetization | Revenue-ready: Tiered subscription – $15/mo for 10k requests, $50/mo for 100k |

Notes

  • Addresses HN concern that “Google will force users through an official Google identification” and that “sites need a way to test before rolling out”.
  • Would let teams “stop using reCAPTCHA if you want to get any traffic” by providing a safe testing ground.

ZKHumanVer
