Monthly Archives: July 2013

Simulating denial of service

I was recently equipped with a password on a new website. I made the mistake of giving my email address in two different forms in different places (a bad piece of design – if you have to have the same email address in both, why not automatically copy it over?). In attempting to log in again, I used the ‘wrong’ form of the address and quickly found myself locked out, unable even to make further login attempts. Phone calls were necessary in order to release me and give me access again.

The problem is that the behaviour of someone who believes they have the right login credentials, but hasn’t, is very similar to that of a denial of service attack – bombarding a site with several login attempts in quick succession. It’s a challenge to separate the two, but I think the human-generated pattern has certain characteristics. The human user will leave at least a few seconds between each attempt. Also, he or she will not vary their attempts very much – they are likely to use the same few IDs/passwords in various combinations repeatedly. It shouldn’t be too difficult to be more generous to a login pattern of this type than to a suspected denial of service attack. Logging in for a few times at an interval of several seconds is not going to hack or break a server, unless multiple attempts of this kind occur simultaneously.
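The heuristic sketched above, written out as an added example (this is not code from the original post or from any real login system): failed attempts from one source are labelled human-like when the gaps between them are a few seconds and only a handful of id/password combinations recur, and that pattern gets a more generous lockout threshold than a rapid, varied one. The thresholds, the choice of the source address as the grouping key, and the site-wide cap for the "many at once" case are all assumptions; attempted passwords are compared by hash so the plaintext is never kept.

```python
"""Added example: a login-failure guard that distinguishes a person retrying
a few credentials seconds apart from rapid, varied automated guessing, and
applies a more generous lockout limit to the former. Thresholds, names and
the grouping key are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from hashlib import sha256
from statistics import median
from typing import Dict, List

# Policy parameters (assumed values; tune per deployment)
WINDOW_SECONDS = 300        # only failures in the last 5 minutes count
MIN_HUMAN_GAP = 2.0         # people rarely retry faster than a couple of seconds
MAX_HUMAN_VARIANTS = 4      # a person cycles through a handful of id/password combos
STRICT_LIMIT = 5            # lock after this many failures when the pattern looks automated
GENEROUS_LIMIT = 15         # allow this many when the pattern looks like human error
GLOBAL_LIMIT = 200          # if the whole site sees this many failures in the window,
                            # stop being generous to anyone (many slow retriers at once)


@dataclass
class Attempt:
    t: float          # time of the failure (seconds, e.g. Unix time)
    user_id: str      # identifier as typed (case/whitespace folded when counting variants)
    pw_digest: str    # hash of the attempted password; the plaintext is never retained


def digest(password: str) -> str:
    """Short hash so attempts can be compared without keeping the password."""
    return sha256(password.encode("utf-8")).hexdigest()[:16]


def classify(attempts: List[Attempt]) -> str:
    """Label one source's recent failures 'human' or 'automated'.

    Human-like: the typical gap between attempts is at least MIN_HUMAN_GAP
    seconds and only a few distinct (id, password) combinations are tried.
    """
    if len(attempts) < 2:
        return "human"
    gaps = [b.t - a.t for a, b in zip(attempts, attempts[1:])]
    variants = {(a.user_id.strip().lower(), a.pw_digest) for a in attempts}
    if median(gaps) < MIN_HUMAN_GAP or len(variants) > MAX_HUMAN_VARIANTS:
        return "automated"
    return "human"


@dataclass
class LoginGuard:
    per_source: Dict[str, List[Attempt]] = field(default_factory=dict)
    all_failures: List[float] = field(default_factory=list)

    def _prune(self, now: float) -> None:
        """Forget failures older than the window, per source and site-wide."""
        cutoff = now - WINDOW_SECONDS
        for key in list(self.per_source):
            self.per_source[key] = [a for a in self.per_source[key] if a.t >= cutoff]
            if not self.per_source[key]:
                del self.per_source[key]
        self.all_failures = [t for t in self.all_failures if t >= cutoff]

    def record_failure(self, source: str, user_id: str, password: str, now: float) -> str:
        """Record one failed login and return 'allow' or 'locked' for this source."""
        self._prune(now)
        history = self.per_source.setdefault(source, [])
        history.append(Attempt(now, user_id, digest(password)))
        self.all_failures.append(now)
        label = classify(history)
        # Site-wide flood: many slow retriers at once can still hurt, so drop the generosity.
        if len(self.all_failures) > GLOBAL_LIMIT:
            label = "automated"
        limit = GENEROUS_LIMIT if label == "human" else STRICT_LIMIT
        return "locked" if len(history) >= limit else "allow"

    def record_success(self, source: str) -> None:
        """A successful login clears the failure history for that source."""
        self.per_source.pop(source, None)


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed scenario 1: a person alternating two forms of their address
    # and two remembered passwords, about five seconds apart.
    combos = [("Me@Example.com", "pw-one"), ("me@example.com", "pw-one"),
              ("Me@Example.com", "pw-two"), ("me@example.com", "pw-two")]
    for i in range(6):
        u, p = combos[i % 4]
        print("person", i, guard.record_failure("203.0.113.5", u, p, 1000 + 5 * i))
    # Constructed scenario 2: a script trying a fresh guess every 100 ms.
    for i in range(8):
        print("script", i, guard.record_failure("203.0.113.9", "me@example.com",
                                                f"guess{i}", 1000 + 0.1 * i))
```

Using the median gap rather than the minimum means one accidental double submission does not flip a person into the strict category, and the site-wide cap is what handles the post's closing caveat: generosity to individual slow retriers is withdrawn when many of them appear at once.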

It’s the fuzz

Which is more annoying, fuzzy searching that is excessively fuzzy, or searching that is painfully literal?

A fine example of the first is the default search on our incident logging system, TopDesk. Operators can search all the incidents, and the default (which can only be switched off in advanced mode) is a fuzzy search. This is so fuzzy that it is almost useless, returning several times as many results as actually contain the term you’re searching on. Furthermore, the search term is not highlighted in the results, and as the interface doesn’t display all the text in a record at once, and the text is distributed among several boxes, you cannot easily tell whether a given result contains your search term or not. The database now runs to many thousands of records, so if you are not careful you will get several screens of records which you will have to sift through to find the one you want.

The opposite problem, over-literalism, can be found with Diigo. It will search only on the words you give it, no plurals or other inflected forms. This means many searches have to be done two or more times with other possibilities and I’ve taken to filling the descriptions of my bookmarks with likely search terms.
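The two failure modes contrasted in this post, side by side in an added example (this is not code from TopDesk, Diigo or the original post): a small record search with a "literal" mode that matches the exact word only, an "inflected" mode that also accepts simple plural and -ing forms, and a "fuzzy" mode that accepts any word within an edit distance of two, which is how a search comes to return several times as many results as contain the term. Matched words are wrapped in brackets so each result shows why it was returned. The incident records and the three-rule stemmer are constructed for illustration, not taken from any product.

```python
"""Added example: one search over constructed incident records, run in
literal, inflected and fuzzy modes, with matched words highlighted in
[brackets]. Records and stemming rules are made up for illustration."""
import re
from typing import Callable, Dict, List

# Constructed incident summaries (not real tickets).
RECORDS = [
    "Printer on floor 2 jams when printing duplex",
    "User cannot print from laptop after update",
    "Prints from the finance queue come out blank",
    "Access point in meeting room keeps dropping",
    "Sprint planning calendar invite shows wrong time",
    "Password reset requested for a new starter",
    "Prior incident reopened by the service desk",
    "Projector in room 4 shows no signal",
]

WORD = re.compile(r"[A-Za-z0-9]+")


def stem(word: str) -> str:
    """Tiny inflection folding (assumed rules, not a real stemmer)."""
    for suffix in ("ing", "es", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def literal(term: str, word: str) -> bool:
    return word == term                      # Diigo-style: the exact word only


def inflected(term: str, word: str) -> bool:
    return stem(word) == stem(term)          # also plurals and -ing forms


def fuzzy(term: str, word: str, max_dist: int = 2) -> bool:
    return edit_distance(term, word) <= max_dist   # anything "close enough"


MODES: Dict[str, Callable[[str, str], bool]] = {
    "literal": literal, "inflected": inflected, "fuzzy": fuzzy,
}


def search(term: str, mode: str, records: List[str] = RECORDS) -> List[str]:
    """Return matching records with every matched word wrapped in [brackets]."""
    match = MODES[mode]
    t = term.lower()
    hits = []
    for rec in records:
        if not any(match(t, w.lower()) for w in WORD.findall(rec)):
            continue
        marked = WORD.sub(
            lambda m: f"[{m.group(0)}]" if match(t, m.group(0).lower()) else m.group(0),
            rec,
        )
        hits.append(marked)
    return hits


if __name__ == "__main__":
    for mode in MODES:
        hits = search("print", mode)
        print(f"{mode}: {len(hits)} of {len(RECORDS)} records")
        for h in hits:
            print("   ", h)
```

On these records a search for "print" returns one record literally, three with inflection folding (the two extra ones really are about printing), and six in fuzzy mode, where "point", "sprint" and "prior" are pulled in by edit distance alone; the bracket highlighting is what lets a reader see that at a glance.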