Security In Web Services: An Evolving Threat Model
An interesting article on the security threats that large web service providers are currently dealing with. All are unusual in that they’re not the classic “break in and do something”, but attempts to engineer the system in other ways.
I liked this comment:
“[Manber]’s considering changing the registration test to a simple arithmetic problem. It won’t stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.”
(Update from 2024: Google’s captcha has for years been using users to train their visual object recognition systems.)