Shape Shifter Botwall

[r00k]

Shape Security was founded in 2012. They received quite a bit of money from venture funding and Eric Schmidt, around 26 million at the moment. There weren't many rumors about products to be released by the company, until now. They recently announced the Shape Shifter to protect websites from bots by scrambling code so a bot won't see the same code more than once. I don't know much about bots and botnets, but this seems to be getting a lot of funding for what they are doing.

http://www.shapesecurity.com/

Edit: sorry if i placed this in an incorrect topic section.

[Darkvision]

It is an interesting approach, but i do wonder at its ability to be effective. From what they say in the press release/video it would seem to me that it would be possible to still figure out what each piece is doing through multiple attacks. Even if each ID changes randomly its position/what it is calling to is not. So you would need to program your bot to "find" what that ID is interacting with against a known type. in other words to me this falls under "obfuscation" while nice, once it is figured out exactly how it is done would seem to be rather easy to reverse, at least with the limited information released on it. Basically i would think of this as a "start" but not a finished product yet.


then again i could be completely off, programming is not my strong suit. Still as with any security product i wouldnt trust it without getting to know every thing about it.

[Moiz]

No need to say anything


just read the post


http://blog.securitee.org/?p=309

[r00k]

No need to say anything


just read the post


http://blog.securitee.org/?p=309

Nice read, kinda crazy how they grabbed the developer of PhantomJS  .

[ande]

This is bullcrap all day long. Like the blog above said, 1000 ways around it.


No offence to OP, just to the people making the so-called new security.

[r00k]

This is bullcrap all day long. Like the blog above said, 1000 ways around it.


No offence to OP, just to the people making the so-called new security.

None taken, I suspected that either it wouldn't last long or it had no value in the beginning. The reason i posted it was mainly due to how much funding they received in the past year and from who. Just caught my eye 

[Darkvision]

This is bullcrap all day long. Like the blog above said, 1000 ways around it.


No offence to OP, just to the people making the so-called new security.

well the obfuscation cant hurt, like i said, but its certainly not a complete product. without them releasing more details its an unknown, certainly what is known at this point is not "secure".  however the little they have released is in some ways new(or old applied to a new setting, depending on your viewpoint), if they have more layers, especially truely new and innovative layers it could be a viable piece of tech to buy. The REAL issue wont happen till more is known though, which would be the ability of the technology to mutate with the changes in how automated attacks will change in response to it. In other words if what it ships with can be consistently patched/upgraded to face new threats, or if its something that will simply be bypassed with a few extra bits of code/few extra steps.

[ande]

Security through obfuscation/confusion is a security 101 no-go.