Re: [ISN] US company invents 'Turing test' to beat bots

From: InfoSec News <alerts_at_private>
Date: Fri, 5 Jun 2009 04:04:26 -0500 (CDT)
Forwarded from: security curmudgeon <jericho (at)>

: By Jeremy Kirk
: IDG News Service
: 03 June 2009
: A US security company has come up with a technology it says can block 
: automated programs responsible for perpetuating nuisances such as spam, 
: fake email registrations and click fraud.

: Sehgal is cautious about revealing how HumanPresent tells the difference 
: between machines and people for fear that spammers will be able to 
: create bots that act more like humans.

: Sehgal was coy on exactly how it works, but a bot interacts with the 
: page and an advertisement different than a human would. 

Read on, a lot of careful wording with a healhy dose of hype.

Question for folks that develop applications, pen-test applications or 
perform security for a company:

If the application throttled / limited specific requests, from a specific 
IP before injecting a time wait period, or introduced a second level of 
CAPTCHA (what color is displayed? red / blue / green), how many bots would 
that stop?

Bots are successful because they can try thousands of attempts a minute to 
bypass whatever protection is enabled. While many current technologies are 
helpful, as Sehgal's likely is too, are we overlooking the obvious? 

If X attempts are made from a single IP address in Y minutes, throttle big.

If X attempts are made from a /24 in Y minutes, throttle some.

If X attempts are made from a /21 in Y minutes, throttle a little.


Am I naive in thinking this would really stop, or at least hinder, 
automated bots that are designed to circumvent such protections?

I realize this will not protect against very cheap 'outsourcing' of cheap 
labor manually doing the work with much higher return on a substantially 
higher investment (statistically speaking).

Visit the InfoSec News security bookstore! 
Received on Fri Jun 05 2009 - 02:04:26 PDT

This archive was generated by hypermail 2.2.0 : Fri Jun 05 2009 - 02:18:15 PDT