noteworthy wrote:
Worthersee asked: Do you think incremental delay would help Yahoo?
I think the Russians (or any attackers) would just distribute the task over more nodes. If the slope of increasing delay were steep enough it might force them to be even more aggressive about "recruiting" zombies for their botnet. If you tried to increment a global (site-wide) delay variable, then you would be exposing yourself to a denial of service attack.
I thought about the possibility of a distributed attack and agree that a "site-wide" delay variable would be a bad idea. The beauty of an individual session based incremental delay mechanism is that it can be used to throw security exceptions after n number of failed CAPTCHA attempts. A monitoring system could be configured to get IP addresses from those security exceptions. Admins then have the info they need to automatically block the botnet. RE: Yahoo! CAPTCHA Cracked. | 
