If you're interested in like this line of attack, you can also use similar techniques to defeat models that are trained to do object detection (like, for example, the ones that detect the location of your license plate) using adversarial noise attacks.

The short version is, if you have a network that does detection, you can run inference with that network on images that have been altered by another network and have the second network use the confidence of the detection network in its loss function. The second model can be trained to create noise, which looks innocuous to human eyes, that maximally disrupts the segmentation/object detection process of the target/detection network.

You could then print this noise on, say, a transparent overlay and put it on your license plate and automated license plate readers (ALPRs) would not be able to detect/read your plates. Note: Flock is aware of this technique and has lobbied state lawmakers to make putting anything on your plate to disrupt automated reading illegal in some places, check your laws.

Benn Jordan has actually created and trained such a network video here: https://www.youtube.com/watch?v=Pp9MwZkHiMQ

And also uploaded his code, PlateShapez to github: https://github.com/bennjordan

In states where you cannot cover your license plate you're not restricted from decorating the rest of your car. You could use a similar technique to create bumper stickers that are detected as license plates and place them all over your vehicle. Or, even, as Benn suggested, print them with UV ink so they're invisible to humans but very visible to AI cameras who often use UV lamps to provide night vision/additional illumination.

You could also, if you were so inclined, generate bumper stickers or a vinyl wrap which could make the detector be unable to even detect a car.

Adversarial noise attacks are one of the bigger vulnerabilities of AI-based systems and they come in many flavors and can affect anything that uses a neural network.

Another example (also from the video) is that you can encode voice commands in plain audio which, to the user is completely transparent but a device (like Alexa or Siri) will hear it as a specific command ("Hey Siri, unlock the front door"). Any user-generated audio that you encounter online can have this kind of attack encoded in it, the potential damage is pretty limited because AI assistants don't really control critical functions in your life yet... but you should probably not let your assistant listen to TikTok if it can do more than control your home lighting.

I had a short tootstorm about this, because oh my god, this is some terribly ineffective, useless piece of nothing.

For one, Poison Fountain tells us to join the war effort and cache responses. Okay...

❯ curl -i https://rnsaffn.com/poison2/ --compressed -s
HTTP/2 200
content-disposition: inline
content-encoding: gzip
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 959
date: Sun, 11 Jan 2026 21:17:36 GMT

Yeaah... how am I supposed to cache this? Do I cache one response and then continue serving that for the 50+ million crawlers that visit my sites every day? And you think a single, repetitive thing will poison anything at all? Really?

Then, the Poison Fountain explanation goes on to explain that serving garbage to the crawlers will end up in the training data. I'm fairly sure the person who set this up never worked with model training, because this is not what happens. Not even the AI companies are that clueless, they do not train on anything and everything, they do filter it down.

And what this fountain provides, is trivial to filter.

It's also mighty hard to set up! It's not just a reverse_proxy https://rnsaffn.com/posion2, because then you leak all the headers you got. No, you have to make a sanitized request that doesn't leak data. Good luck!

Meanwhile, there are a gazillion of self-hostable garbage generators and tarpits that you can literally shove in a docker container and reverse proxy tarpit URLs to them, safely, locally. Much more efficient, far more effective. And, seeing as this is practically uncacheable, if I were to use it, I'd have to send all the shit that hits my servers, their way. As far as I can tell, this is a single Linode server. It probably wouldn't crumble under my 50 million requests / day, but if ten more people would join the "war effort" without caching, my well educated guess is that it would fall over and die.

Besides, we have no idea whether poisoning works. We can't measure that. What we can measure, is the load on our servers, and this helps fuck all in that regard. The bots will still come, they'll still hit everything, and I'd have additional load due to the network traffic between my server and theirs (remember: the returned response provides no sane indicators that'd allow caching while keeping the responses useful for poisoning purposes).

Not only is this ineffective in poisoning, it's not usable at all in its current state. And they call for joining the war effort. C'mon.

Considering these AI companies aim to literally poison our water supplies, this seems poetic.  Hopefully it is effective. 

In addition to poisoning with bad data, I'd recommend adding logic gates where both recipient and sender tests each other in the definition and understanding of trust and consent which is a major thorn against the corporations, CEOs, and conservatives.

Now that news has reported on the website I assume it will get added quickly to do not scrape lists for AI (assuming there is such a thing). So the effectiveness of this will depend on other people adopting this.