Joel de la Garza (3:16)

And in the old days, I mean, I guess the old providers, we'll say the legacy providers in this space, like it was very much using a hammer, right? So they would say, hey, if this IP address is coming in, it's probably a bot. Or they would say, if this user agent is coming in, it's probably a bot. Very imprecise. And I think the downside of that is that you probably blocked a lot of legitimate traffic along with illegitimate traffic. And now there's very real consequences, because some of these AI bots could be actual users they're acting on behalf of who are looking to purchase your products.

David Mittin (3:48)

This is the challenge. So a volumetric DDoS attack, you just want to block that at the network. You never want to see that traffic. But everything else needs the context of the application. You need to know where in the application the traffic is coming to. You need to know who the user is, the session, and to understand in which case you want to allow or deny that. And so this is the real issue for developers, for site owners, for security teams, is to make those really nuanced decisions to understand whether the traffic should be allowed or not. And the context of the application itself is so important because it depends on the site. If you're running an E commerce operation, an online store, the worst thing you can do is block a transaction because then you've lost the revenue. Usually you want to then flag that order for review. A human customer support person is going to come in and determine, based on various signals about whether to allow it. And if you just block that at the network, then your Application will never see it. You never even know that that order was failed in some way.

Joel de la Garza (4:47)

There's been a lot of media releases about companies that have released solutions in this space, but largely they were based on sort of those old kind of approaches using network telemetry. Is that generally how they're working now or is there some other capabilities that they've released because they give them AI names and you just immediately assume that they're doing something fancy.

David Mittin (5:08)

That's right, yeah. So blocking on the network is basically how the majority of these old school products work. They do analysis before the traffic reaches your application. Application and then you never know what the result of that was. And that just doesn't fly anymore. It's insufficient for being able to build modern applications, particularly with AI coming in where something like OpenAI has four or five different types of bots and some of them you might want to make a more restrictive decision over. But then others are going to be taking actions on behalf of a user search. And we're seeing lots of different applications getting more signups, businesses actually getting higher conversions as a result of this AI traffic. And so just blocking anything that is called AI is too blunt of an instrument. You need much more nuance. And the only way you can do that is with the application context understanding what's going on inside your code.

Joel de la Garza (6:00)

I mean, I'd say we're seeing across the industry that AI is driving incredible amounts of new revenue to companies. And if you use an old world tool to just block any of that traffic, you're probably dooming your business.

David Mittin (6:11)

That's right. Or you're like putting it into some kind of maze where it's seeing irrelevant content. And then by doing that you are kind of downranking your site because the AI crawler is never going to come back. It's kind of like blocking Google from visiting your site. It's like, yeah, Google doesn't get you in. You're no longer in Google's index, but then you're no longer in Google's index and so anyone searching is not going to find you as a result.

Joel de la Garza (6:34)

Well, and I believe we had sort of standards in the old days that developed or quasi standards like robots txt, which would tell you like and tell the crawlers, hey, don't crawl these directories. Are we doing something similar for this new agentic world?

David Mittin (6:48)

So robots TXT is still the starting place and it's kind of a voluntary standard. It evolved over several decades ago now. It's been around a long time. Bots have been A problem for a long time. And the idea is that you describe the areas of your application and tell any robot that's coming to your site whether you want to allow that robot to access that area of the site or not. And you could use that to control the rollout of new content. You could protect certain pages of your site that you just don't want to be indexed for whatever reason. And you can also point the crawler to where you do want it to go. You can use the sitemap for that as well. But the robots txt file format has evolved over time to provide these signals to the likes to crawlers, like search engines from Google and so on. The challenge with that is it's voluntary and there's no enforcement of it. And so you've got good bots like googlebot that will follow the standard and you'll be able to have full control over what it does. But there are newer bots that are ignoring it or even sometimes using it as a way to find the parts of your site that you don't want it to access. And they will just do that anyway. And so this becomes a control problem for the site owner. And you really want to be able to understand not just what the list of rules are, but how they are enforced totally.

Joel de la Garza (8:06)

Maybe it'd be great to walk through what these agents are, maybe get some more understanding of sort of how they operate, what people are using them for, perhaps go through a couple of the use cases, and then it'd be great to understand sort of like how you do control it. Because it seems like a far more complicated problem than just bad IP addresses.

David Mittin (8:26)

Right? So if we think about OpenAI as an example, because they have four or five different crawlers, there's one, and they all have different names and they will identify themselves in different ways. So one actually is crawling to train the OpenAI models on your site. And that's the one that probably everyone is thinking about when they're thinking about, I want to block AI, the training. And you have different philosophical approaches to how you want to be included in the training data. The others are more nuanced and require more thought. So there's one that will go out when a user is typing something into the chat and has asked a question, and OpenAI will go out and search. It's built up its own search index. And so that's equivalent of googlebot. You probably want to be in that index because as we were seeing, sites are getting more signups are getting more traffic, the discovery process is being Part of just another search index is super important.

Joel de la Garza (9:20)

Gotcha. So, like, when I ask OpenAI when is John F. Kennedy's birthday, if it doesn't know the answer, it goes out and searches the web.

David Mittin (9:26)

Yeah, that's right. Or if it's trying to get open hours for something, it might go to a website for a cafe or whatever and pass it and then return the results. So that's really just like a classic search engine crawler, except it's kind of happening behind the scenes. The other one is something that's happening in real time. So you might give the agent a specific URL and go and ask it to summarize it, or to look up a particular question in the docs for a developer tool or something like that, and then that's a separate agent that will go out, it will read the website, and then it will return and answer the query. For Both of these two examples, OpenAI and others are now starting to cite those sources. And you'll regularly see, and this is kind of the recommendation is you get the result from the AI tool, but you shouldn't trust it 100%. You go and then verify and you look at the docs and maybe it's like when you used to go to Wikipedia and you'd read the summary and then you'd look at the references and you'd go to all the references and check to make sure what had been summarized was actually correct.

Joel de la Garza (10:23)

But all three of those examples, you clearly could see why you would want them accessing your site. Blocking all of OpenAI's crawlers is probably a very bad idea.

David Mittin (10:31)

Yeah, it's too blunt. It's too blunt an instrument. You need to be able to distinguish each one of these and determine which parts of your site you want them to get into. And this then comes to the fourth one, which is the actual agent. This is an agent, the computer operator type feature.

Joel de la Garza (10:46)

Headless web browsers.

David Mittin (10:48)

Headless web browsers, yeah, or even a web browser, full web browser operating inside a vm. And those are the ones that require more nuance, because maybe you're booking a ticket or doing some research and you do want the agent to take actions on your behalf. Maybe it's going through your email inbox and triaging things. From the application builder's perspective, that's probably a good thing. You want more transactions, you want more usage of your application. But there are examples where it might be a bad action. So, for example, if you're building a tool that is going to try and buy all of the concert Tickets and then sell them on later. That becomes a problem for the concert seller because they don't want to do that. They want the true fans to be able to get access to those. And again, you need the nuance. Maybe you allow the bot to go to the homepage and sit in a queue, but then when you get to the front of the queue, you want the human to actually make the purchase and you want to rate limit that so that maybe the human can only purchase, let's say five tickets. You don't want them to purchase 500 tickets. And so this gets into the real details of the context of each one, about what you might want to allow and what you might want to restrict.

Joel de la Garza (11:52)

That's incredibly complicated. I mean, if I remember back why we made a lot of the decisions we made in blocking bots was strictly because of scale. So you've got 450,000 IP addresses sending you terabits of traffic through a link that only can do gigabit and you've got to just start dropping stuff, right? And it's the battlefield triage of the wounded, right? It's like some of you aren't going to make it and it becomes a little brutal. That sounds incredibly sophisticated. How do you do that? Sort of fine grained control of traffic flow at Internet scale.

David Mittin (12:25)

So this is about building up layers of protections. So you start with the robots Txt just managing the good bots. Then you look at IPs and start understanding where's the traffic coming from. In an ideal scenario you have one user per IP address, but we all know that doesn't happen, that never happens. And so you can start to build up databases of reputation around the IP address and you can access the underlying metadata about that address, knowing which country it's coming from or which network it belongs to. And then you can start building up these decisions, thinking, well, we shouldn't really be getting traffic from a data center for our signup page and so we could block that network. But it becomes more challenging if we have that agent. Example, the agent with a web browser or headless browser is going to be running on a server somewhere. It's probably in a data center. And then you have the compounding factor of the abusers will purchase access to proxies which run on residential IP addresses. So you can't easily rely on the fact that it's part of a home ISP block anymore. And so you have to build up these patterns, understanding the reputation of the IP address. Then you have the user agent string that is basically A free text field that you can fill in with whatever you like. There is kind of a standard there. But the good bots will tell you who they are. It's been surprising, getting into the details of this, how many bots actually tell you who they are. And so you can block a lot of them just on that heuristic combined with the IP address.

Joel de la Garza (13:48)

Or allow them.

David Mittin (13:49)

Or allow them.

Joel de la Garza (13:50)

I'm the shopping bot from OpenAI.

David Mittin (13:51)

Right.

Joel de la Garza (13:52)

Come on in, buy some stuff.

David Mittin (13:53)

Exactly. And Googlebot, OpenAI, they tell you who they are, and then you can verify that by doing a reverse DNS lookup on the IP address. So even though you might be able to pretend to be googlebot, you can check to make sure that that's the case or not, with very low latency lookups. So we can verify that. Yes, this is Google. I want to allow them. Yes, this is the OpenAI bot that is doing the search indexing. I want to allow that the next level from that is building up fingerprints and fingerprinting the characteristics of the request. And this started with the Ja3 hash, which was invented at Salesforce and has now been developed into a JA4. Some of them are open source, these algorithms, some of them are not.

Joel de la Garza (14:30)

So, essentially, you take all of the metrics around a session and you create a hash of it, and then you stick it in a database.

David Mittin (14:35)

Exactly.

Joel de la Garza (14:35)

And you look for matches to that hash.

David Mittin (14:36)

You look for matches, and then the idea is that the hash will change based on the client. So you can allow or deny certain clients, but if you have a huge number of those clients all spamming you, then they all look the same, they all have the same fingerprint, and you can just block that fingerprint.

Joel de la Garza (14:51)

So this is almost like, if you think of, you know, I always think of things in terms of the classic sort of network stack, like, you know, layer zero up to layer seven. Like, this is almost like layer two level identity for devices. Right, right.

David Mittin (15:04)

It's looking at the TLS handshake on the network level. And then you can go up the layers. There's one called J4H, which looks at the HTTP headers. And the earlier versions of this would be working on the ordering of the headers, for instance. So an easy way to work around it is just to shift the headers. The hashing has improved over time so that even changing the ordering of the headers doesn't change the hash. And the idea is that you can then combine all of these different signals to try and come to a decision about whether you think this is or who it is basically making the request. And if it's malicious, you can block it based on that. And if it's someone that you want to allow, then you can do so.

Joel de la Garza (15:43)

And this is before you even get into kind of the user level, what's actually happening in the application, right?

David Mittin (15:48)

That's right, yeah. So this is the logic on top of that, because you have to identify who it is first before you apply the rules about what you want them to do.

Joel de la Garza (15:55)

Gotcha. So it's almost like you're adding an authentication layer or an identity layer to sort of the transport side.

David Mittin (16:00)

That's right, yeah.

Joel de la Garza (16:02)

The application side, I guess I should say.

David Mittin (16:04)

Yeah, the application, yeah. But throughout the whole stack, the whole OSI model, and the idea is you have this consistent fingerprint that you can then apply these rules to, and identity kind of layers on top of that. And we've seen some interesting developments in fingerprinting and providing signatures based on who the request is coming from. So a couple of years ago, Apple announced Privacy Pass, which is a hash that is attached to every request you make. If you're in the Apple ecosystem using Safari on iPhone or on Mac, then there is a way to authenticate that the request is coming from an individual who has a subscription to iClat. And Apple has their own fraud analysis to allow you to subscribe to iCloud. So it's a very. It's an easy assumption to make that if you have a subscription and this signature is verified, then you are a real person. There's a new one that cloudflare recently published around, doing the same thing for automated requests and having a fingerprint that's attached to a signature inside every single request, which you can then use public key cryptography to verify. These are all emerging as the problem of being able to identify automated clients increases, because you want to be able to know who the good ones are to allow them through whilst blocking all the attackers.

Joel de la Garza (17:20)

Yeah, it's just like the old days with Kerberos. Right. Every large vendor is going to have their flavor.

David Mittin (17:25)

Right.

Joel de la Garza (17:25)

And if you're a shop and you're trying to sell to everybody, you've got to kind of work with all of them.

David Mittin (17:29)

That's right. And you just need to be able to understand, is this a human and is our application built for humans? And then you allow them? Or is it that we're building an API or do we want to be indexed and we want to allow this traffic? It's just giving the site owner the control.

Joel de la Garza (17:43)

Yeah. I mean, I think what's really interesting to me is that in my own use and in my own life, I interact with the Internet less and less directly, like almost every day. And I'm going through some sort of AI type thing. It could be an agent, it could be a large language model, it could be any number of things, but I generally don't query stuff directly as much as I used to. And it seems like we're moving to a world where almost the layer you describe, the agent type activity you describe, will become the primary consumer of everything on the Internet.

David Mittin (18:15)

Well, if 50% of traffic is already bots, it's already automated and agents are only really just getting going. Most people are not using these computer use agents because they're too slow right now, or they're still previews, but it's clear that's where everything is going. Then we're going to see an explosion in the traffic that's coming from these tools and just blocking them just because they're AI is the wrong answer. You've really got to understand why you want them, what they're doing, who they're coming from. And then you can create these granular rules.

Joel de la Garza (18:46)

I mean, I hate to use the analogy, but these things are almost like avatars, right? They're running around on someone's behalf and you need to figure out who that someone is and what the objectives are and control them very granularly.

David Mittin (18:57)

And the old school methods of doing that assume malicious intent, which isn't always the case and increasingly is going to be not the case because you want the agents to be doing things and the signals just no longer work. When you're expecting traffic to come from a data center or you're expecting it to come from an automated Chrome instance, and being able to have the understanding of your application to dig into the characteristics of the request is going to be increasingly important in the future of distinguishing how criminals are using AI. What we've seen so far is either training and people have that opinion of whether they want to train or not, or it's bots that maybe have got something wrong, they're accessing the site too much because they haven't thought about throttling, or they're ignoring robots txt rather than looking at agents Txt, which is distinguishing between an agent you want to access your site and some kind of crawler. And the examples that we've seen are just bots coming to websites and just downloading the content continuously. There's no world where that should be happening. And this is where the cost is being put on the site owner because they currently have no easy way to manage the control, control the, the traffic that's coming to their site directionally, things are improving because you might have looked back 18 months and the bots have no rate limiting. They're just downloading content all the time. Today we know that these bots can be verified, they are identifying themselves, they are much better citizens of the Internet. They are starting to follow the rules. And so over the next 18 months, I think we'll see more of that, more of the AI crawlers that we want following the rules, doing things in the right way. And it will start to split into making it a lot easier to detect the bots with criminal intent. And those are the ones that we want to be blocking.

Joel de la Garza (20:43)

So with the transition of bots from being these entities on the Internet that represent third parties and organizations to this new world where these AI agents could be representing organizations, they could be representing customers, they could be representing any number of people. And this is probably the wave of the future. It seems to me like detecting that it's AI or a person is going to be an incredibly difficult challenge. And I'm curious, how are you thinking about proving humanness on the Internet? Proofing is a tale as old as time. There's a NIST working group on proofing identity that's been running I think for 35 years and still hasn't really gotten to something that's implementable. There's 15 companies out there, the first wave of rideshare services and gig economy type companies needed to have proofing because you're hiring these people in remote places where you don't have an office and it's still not a solved problem. I'm curious. It feels like maybe AI can help get us there, or maybe there's something that's happening in that space.

David Mittin (21:42)

Right? Well, the pure solution is digital signature. Right? But we've been talking about that for so long and the UX around it is basically impossible for normal people to figure out. And it's why something like email encryption. No one encrypts their email. You have encrypted chat because it's built into the app and it can do all the difficult things like the key exchange behind the scenes. So that solution isn't really going to work. But AI has been used in analyzing traffic for at least over a decade. It's just, it was called machine learning. And so you start with machine learning and the question is, well, what does the new generation of AI allow us to do? The challenge with the LLM type models is just the speed at which they are doing analysis, because you often want to take a decision on the network or in the application within a couple of milliseconds, otherwise you're going to be blocking the traffic and the user's going to become annoyed. And so you can do that with kind of classic machine learning models and do the inference really quickly. And where I think the interesting thing in the next few years is going to be is how we take this new Generation of generative AI using LLMs or other types of LLM like technology to do analysis on huge traffic patterns. I think that can be done in the background initially, but we're already seeing new edge models that are designed to be deployed to mobile devices and IoT that use very low amounts of system memory and can provide inference responses within milliseconds. I think those are going to start to be deployed to applications over the next few years.

Joel de la Garza (23:15)

I think you're exactly right. Like, I think so much of what we're seeing now is just being restricted by the cost of inference and that cost is dropping incredibly fast, right? It's. We saw this with cloud where like S3 went to being the most expensive storage you could buy, to being free, essentially free. Glacier is essentially free, right? Free is beer, right? Whatever. And so like, we're seeing that even at a more accelerated rate for inference, like, the cost is just falling incredibly. And then when you look at the capabilities of these new technologies to drop a suspicious email into ChatGPT and ask if it's suspicious and it's like 100% accurate, right? Like, if you want to like find sensitive information, you ask the LLM is this sensitive information? And it's like 100% accurate. Like, it's amazing. Like, as you squint and look at the future, you can start to see these really incredible use cases, right? Like, to your point of inference on the edge. Like, do you think we all end up eventually with like an LLM running locally? That's basically going to be clippy, but for CISOs, like, it pops up and says, hey, it looks like you're doing something stupid. Like, is that, is that kind of where you think we land?

David Mittin (24:18)

That's what we're working on, is getting this analysis into the process so that for every single request that comes through, you can have a sandbox that will analyze the full request and give you a response. Whereas now you can wait maybe two to five seconds to delay an email and do the analysis and decide whether to flag it for review or send it to someone's inbox. Delaying an HTTP request for five seconds, that's not going to work. And so I think the, the trend that we're seeing with the improvement cost, the inference cost, but also the latency and getting, getting the inference decision, that's going to be the key. So we can embed this into the application. You've got the full context window, so you can add everything you know about the user, everything about the session, everything about your application alongside the request, and then come to decision entirely locally on your web server, on the edge, wherever it happens to be running.

Joel de la Garza (25:05)

As I listen to you say that and describe this process, all I can think is that advertisers are going to love this. It just seems like the kind of technology built for sort of like, hey, he's looking at this product, show him this one.

David Mittin (25:16)

Right, yeah. Super fast inference on the edge, coming to a decision. And for advertisers, stopping click spam, that's a huge problem. And being able to come to that decision before it even goes through your ad model and the auction system.

Joel de la Garza (25:29)

Who would have ever thought that non deterministic, incredibly cheap compute would solve these use cases? Right? Yeah, we're in a weird world.

Podcast Host (25:38)

That's it for this episode. Thanks again for listening and remember to keep listening for some more great episodes. As the AI space matures, we need to start thinking more practically about how the technology coexists with the systems and platforms we already use. That's what we try to do here, and we'll keep examining these questions in the weeks to come.

Joel de la Garza (25:56)

Sam.