This is one of those pithy remarks that add zero value to a discussion.
I'm curious how you would approach blocking automated access to various parts of your site?
Yeah, that's harder than ReCAPTCHA, but I think a lot of these big companies can afford to do these pretty basic steps.
If you just want to throw some comments on your free blog and not have to moderate the comments (and honestly, how many comments does your blog get that you can't read them?) then sure, throw ReCAPTCHA on there. But there are plenty of big companies that use ReCAPTCHA.
Rate limiting and bot blocking are two totally different things. Rate limiting only increases the cost of a bot attack. Either they need more IP's (which are dirt cheap in the black market) or they need more time--either way it is increased cost. But it won't stop a bot. Just slow it.
Banning IP's might have worked back in 2000, but these days it is useless. Bypassing an IP block is trivially easy for even a low-sophistication attacker.
The prevention measure you create for the remaining 10% (like a moderation queue + human review if you can afford it) is likely to only work because its workload is diminished 90% by a crude measure like ReCaptcha.
Your dismissal doesn't illuminate anything. It turns out that abuse prevention is hard and costly.
This should come as Tshirt or coffee mug.
