- From: Chris Wood <chriswood@cloudflare.com>
- Date: Tue, 15 Feb 2022 13:54:58 -0800
- To: Philipp Pfeiffenberger <philippp@google.com>
- Cc: Dimitris Theodorakis <dth@humansecurity.com>, public-antifraud@w3.org
- Message-ID: <CAHOm9wfL4kYXMaTv_bG0Tp_MYsAHjO_-eFHqhM+qdOEGpjGB6w@mail.gmail.com>
On Tue, Feb 15, 2022 at 1:05 PM Philipp Pfeiffenberger <philippp@google.com> wrote: > There are also human-driven attacks, for example 100 people who are each > clicking on the same 100 ads, that are affected by privacy changes. In this > example, defenders may currently rely on cross-site/app activity graphs to > detect such cliques. Could an enumeration of "detection capabilities at > risk" help us be comprehensive in our coverage? > It's a bit of the converse of the list of problems, but a map of "detection > capabilities at risk" to the threat vectors (or common problems) they > relate to may help inform prioritization (e.g. identify which detection > technique is relevant to several high-impact problems). > Agreed -- that seems like useful output from this exercise. Best, Chris > > On Tue, Feb 15, 2022 at 12:01 PM Chris Wood <chriswood@cloudflare.com> > wrote: > >> Thanks for breaking out the use cases into a separate document! I think >> listing different attack scenarios is valuable. >> >> However, I'm not sure the current framing, which seems to suggest that >> only certain attack scenarios would be in scope, is the best path forward. >> Some of these attacks seem to stem from a common (set of) problem(s), e.g., >> ease of automation. It might be useful to try and tease out the core >> properties that enable each attack, and then determine if addressing those >> properties is in scope. >> >> For example, we might say that preventing attacks which can be easily >> automated at the application layer -- including credential stuffing, >> payment transactions, content scraping, etc -- are in scope. (I am >> certainly not an expert here, but I don't think attacking account creation >> would be included in this list.) We might also say that attacks that can be >> automated at the network layer -- including volumetric DoS attacks -- are >> in scope. But the solutions to these problems could very well be quite >> different. >> >> What do folks think? >> >> Best, >> Chris >> >> On Tue, Feb 15, 2022 at 11:01 AM Dimitris Theodorakis < >> dth@humansecurity.com> wrote: >> >>> As a follow up from our last meeting we've moved the use cases proposal >>> to this doc >>> <https://docs.google.com/document/d/1GXX3QkQQCT0h75K5LdML8ap4qZTMSD6tDPWz16dUDno/edit#> >>> to encourage collaboration. Everyone should have comment/suggest access. >>> >>> Thanks, >>> Dimitris >>> >>
Received on Tuesday, 15 February 2022 21:55:23 UTC