Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.techworld.com/security/news/index.cfm?newsID=116903
:
: By Jeremy Kirk
: IDG News Service
: 03 June 2009
:
: A US security company has come up with a technology it says can block
: automated programs responsible for perpetuating nuisances such as spam,
: fake email registrations and click fraud.

: Sehgal is cautious about revealing how HumanPresent tells the difference
: between machines and people for fear that spammers will be able to
: create bots that act more like humans.

: Sehgal was coy on exactly how it works, but a bot interacts with the
: page and an advertisement differently than a human would.

Read on: a lot of careful wording with a healthy dose of hype.

Question for folks that develop applications, pen-test applications or
perform security for a company:

If the application throttled / limited specific requests from a specific
IP before injecting a time wait period, or introduced a second level of
CAPTCHA (what color is displayed? red / blue / green), how many bots would
that stop?

Bots are successful because they can try thousands of attempts a minute
to bypass whatever protection is enabled. While many current technologies
are helpful, as Sehgal's likely is too, are we overlooking the obvious?

If X attempts are made from a single IP address in Y minutes, throttle big.
If X attempts are made from a /24 in Y minutes, throttle some.
If X attempts are made from a /21 in Y minutes, throttle a little.

[..]

Am I naive in thinking this would really stop, or at least hinder,
automated bots that are designed to circumvent such protections? I
realize this will not protect against very cheap 'outsourcing' of cheap
labor manually doing the work with much higher return on a substantially
higher investment (statistically speaking).

Received on Fri Jun 05 2009 - 02:04:26 PDT
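The tiered "throttle big / some / a little" scheme the post sketches, as an added example that is not part of the original message and is not HumanPresent's or anyone else's product code. It keeps a sliding window of attempts per source IP, per enclosing /24 and per enclosing /21, and puts the tightest aggregate that is over its limit into a wait period. The limits, wait periods and window length are made-up values for illustration (the post only says X attempts in Y minutes), the three traffic scenarios are constructed, and the code assumes IPv4 sources.

```python
"""Tiered throttling by IP, /24 and /21, in the spirit of the post.

Added example code. TIERS and WINDOW are illustrative numbers, not values
from the post or from any product; the traffic in demo_scenarios() is
constructed. Assumes IPv4 sources.
"""
import ipaddress
import time
from collections import defaultdict, namedtuple

Decision = namedtuple("Decision", "allowed delay reason")

# (prefix length, attempts allowed per window, wait period in seconds),
# most specific first: one host is throttled hardest, a whole /21 least.
TIERS = [
    (32, 5, 600),    # single IP: throttle big
    (24, 20, 120),   # /24: throttle some
    (21, 50, 30),    # /21: throttle a little
]
WINDOW = 60.0        # sliding window, seconds (the post's "Y minutes")


class TieredThrottle:
    def __init__(self, tiers=TIERS, window=WINDOW):
        self.tiers = tiers
        self.window = window
        self.events = defaultdict(list)   # aggregate -> attempt timestamps
        self.blocked_until = {}           # aggregate -> end of wait period

    @staticmethod
    def _key(ip, plen):
        # Canonical network for this tier, e.g. "10.0.1.0/24"; the prefix
        # length is part of the string, so tiers never share a key.
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def check(self, ip, now=None):
        """Record one attempt from ip and decide whether to serve it."""
        now = time.time() if now is None else now
        # 1. An aggregate already in a wait period refuses the request;
        #    attempts made during the wait are not counted (a design choice,
        #    one could instead extend the wait on every hit).
        for plen, _, _ in self.tiers:
            until = self.blocked_until.get(self._key(ip, plen), 0.0)
            if until > now:
                return Decision(False, until - now, f"/{plen} wait period")
        # 2. Count this attempt against every aggregate it belongs to,
        #    dropping timestamps that have aged out of the window.
        cutoff = now - self.window
        counts = {}
        for plen, _, _ in self.tiers:
            key = self._key(ip, plen)
            recent = [t for t in self.events[key] if t > cutoff]
            recent.append(now)
            self.events[key] = recent
            counts[plen] = len(recent)
        # 3. Enforce the most specific tier that is over its limit.
        for plen, limit, penalty in self.tiers:
            if counts[plen] > limit:
                self.blocked_until[self._key(ip, plen)] = now + penalty
                return Decision(False, float(penalty),
                                f"/{plen} over {limit} per {self.window:g}s")
        return Decision(True, 0.0, "ok")


def simulate(attempts, throttle=None):
    """Feed (time, ip) pairs through one throttle; return (allowed, denied,
    (ip, reason) of the first denial)."""
    throttle = throttle or TieredThrottle()
    allowed = denied = 0
    first = None
    for t, ip in attempts:
        d = throttle.check(ip, now=t)
        if d.allowed:
            allowed += 1
        else:
            denied += 1
            if first is None:
                first = (ip, d.reason)
    return allowed, denied, first


def demo_scenarios():
    """Constructed traffic: one hammering host, a sweep across a /24 with one
    attempt per host, and a sweep across a /21 that stays under every /24 limit."""
    one_host = [(i, "10.0.1.7") for i in range(30)]
    one_net24 = [(i, f"10.0.1.{h}") for i, h in enumerate(range(1, 41))]
    one_net21 = [(i * 0.1, f"10.0.{j}.{k}") for i, (j, k) in
                 enumerate((j, k) for j in range(8) for k in range(1, 8))]
    return {
        "single host": simulate(one_host),
        "/24 sweep": simulate(one_net24),
        "/21 sweep": simulate(one_net21),
    }


if __name__ == "__main__":
    for name, (ok, no, first) in demo_scenarios().items():
        print(f"{name:12s} allowed={ok:3d} denied={no:3d} first denial={first}")
```

Counting each attempt against all three aggregates before enforcing is what makes the /24 and /21 tiers catch a sweep that never trips the per-host limit: in the constructed /21 sweep no host sends more than one request and no /24 more than seven, yet the 51st host is refused. What the example does not address is exactly what the post's last paragraph concedes for human labour, and what applies equally to a botnet spread across many /21s or to real users behind one large NAT: the tuning of X and Y against those two cases is the whole difficulty of the approach.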