
Honestly, there is a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.

Both require authentication (although new court rulings may technically be outlawing all charging and quotas for APIs!)

But the API has far more permissive bulk actions. Of course, with a botnet and enough time and effort one could execute a sybil attack to circumvent any per-account quotas, and use per-resource quotas to launch a DDOS attack on some resource to any non-authenticated parties.

I wish there was a service to prevent sybil attacks somehow. Just make it exponentially more expensive to create multiple identities / accounts on networks. Has anyone got links to papers or projects or anything in that direction? It would be hugely valuable.

PS: Twitter and other startups don’t particularly care about sybil attacks and fake users when they are growing, it helps them “innocently” report great user numbers to VCs. So they don’t spend much effort preventing sleeper bots from joining in the network’s growth phase.




> a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.

Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?

It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.
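The point made in the two comments above (a per-account quota only holds if the API, the web client and any bulk endpoint all draw from the same budget) can be shown with a small token-bucket limiter. This is an added example, not code from the thread or from any service discussed in it; the account names, channel names and quota numbers are constructed for illustration.

```python
# Added example: per-account token-bucket rate limiting, comparing a limiter
# that keeps one bucket per (account, channel) with one that shares a single
# bucket per account across channels. Time is passed in explicitly so the
# behaviour is deterministic (no sleeping, no wall clock).


class TokenBucket:
    """Classic token bucket: `capacity` tokens max, refilled at `refill_per_sec`."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity  # a fresh bucket starts full
        self.last = now

    def allow(self, now: float, cost: float = 1.0) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class AccountRateLimiter:
    """Keys buckets either by account alone (shared) or by (account, channel)."""

    def __init__(self, capacity: float, refill_per_sec: float, shared_across_channels: bool) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.shared = shared_across_channels
        self.buckets: dict = {}

    def allow(self, account: str, channel: str, now: float, cost: float = 1.0) -> bool:
        # Shared mode: "api" and "web" traffic for one account compete for one budget.
        key = account if self.shared else (account, channel)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.buckets[key] = bucket
        return bucket.allow(now, cost)


def burst(limiter: AccountRateLimiter, account: str, channels: list, per_channel: int, now: float = 0.0) -> int:
    """Fire `per_channel` requests on each channel at the same instant; return how many were allowed."""
    allowed = 0
    for _ in range(per_channel):
        for ch in channels:
            if limiter.allow(account, ch, now):
                allowed += 1
    return allowed


def compare_per_channel_vs_shared(capacity: int = 10) -> tuple:
    """Same account, same burst, two limiter designs. Constructed scenario."""
    separate = AccountRateLimiter(capacity, refill_per_sec=1.0, shared_across_channels=False)
    shared = AccountRateLimiter(capacity, refill_per_sec=1.0, shared_across_channels=True)
    channels = ["api", "web"]
    # With separate buckets the account gets capacity * len(channels) at once;
    # with a shared bucket it gets exactly `capacity`.
    return burst(separate, "alice", channels, 15), burst(shared, "alice", channels, 15)


def bulk_requests_charged_by_items(capacity: int = 10, items_per_call: int = 5, calls: int = 3) -> int:
    """A bulk endpoint is charged one token per item, so it cannot sidestep the quota.
    Returns how many bulk calls were admitted at t=0 from a full bucket."""
    limiter = AccountRateLimiter(capacity, refill_per_sec=1.0, shared_across_channels=True)
    admitted = 0
    for _ in range(calls):
        if limiter.allow("alice", "api", now=0.0, cost=items_per_call):
            admitted += 1
    return admitted


def tokens_after_refill(seconds: float, capacity: int = 10, refill_per_sec: float = 1.0) -> float:
    """Drain a bucket, wait `seconds`, and report how many tokens are back."""
    bucket = TokenBucket(capacity, refill_per_sec, now=0.0)
    while bucket.allow(0.0):
        pass  # empty it at t=0
    bucket.allow(seconds, cost=0.0)  # zero-cost call just triggers the refill step
    return bucket.tokens


if __name__ == "__main__":
    print("per-channel vs shared allowed:", compare_per_channel_vs_shared())
    print("bulk calls admitted (5 items each, budget 10):", bulk_requests_charged_by_items())
    print("tokens back after 3s:", tokens_after_refill(3.0))
```

The design choice worth noting is the bucket key: keying on `(account, channel)` silently multiplies an account's budget by the number of channels it can reach, which is one concrete reading of the "different rate limits on API vs web clients" gap discussed above. Charging bulk calls per item rather than per request keeps the bulk API from being a second, cheaper budget.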


> (although new court rulings may technically be outlawing all charging and quotas for APIs!)

That seems quite hard to believe. Do you have a link?



Thanks.

That link isn't about APIs, isn't about outlawing charging or quotas, and appears to just be about a preliminary injunction rather than a generally applicable ruling. So I'd argue that it doesn't in any way support your initial claim.



