Re: Use cases & Threat models from Chris Wood on 2022-02-15 (public-antifraud@w3.org from February 2022)

From: Chris Wood <chriswood@cloudflare.com>
Date: Tue, 15 Feb 2022 13:54:58 -0800
To: Philipp Pfeiffenberger <philippp@google.com>
Cc: Dimitris Theodorakis <dth@humansecurity.com>, public-antifraud@w3.org
Message-ID: <CAHOm9wfL4kYXMaTv_bG0Tp_MYsAHjO_-eFHqhM+qdOEGpjGB6w@mail.gmail.com>

On Tue, Feb 15, 2022 at 1:05 PM Philipp Pfeiffenberger <philippp@google.com>
wrote:

> There are also human-driven attacks, for example 100 people who are each
> clicking on the same 100 ads, that are affected by privacy changes. In this
> example, defenders may currently rely on cross-site/app activity graphs to
> detect such cliques. Could an enumeration of "detection capabilities at
> risk" help us be comprehensive in our coverage?
>
It's a bit of the converse of the list of problems, but a map of "detection
> capabilities at risk" to the threat vectors (or common problems) they
> relate to may help inform prioritization (e.g. identify which detection
> technique is relevant to several high-impact problems).
>

Agreed -- that seems like useful output from this exercise.

Best,
Chris


>
> On Tue, Feb 15, 2022 at 12:01 PM Chris Wood <chriswood@cloudflare.com>
> wrote:
>
>> Thanks for breaking out the use cases into a separate document! I think
>> listing different attack scenarios is valuable.
>>
>> However, I'm not sure the current framing, which seems to suggest that
>> only certain attack scenarios would be in scope, is the best path forward.
>> Some of these attacks seem to stem from a common (set of) problem(s), e.g.,
>> ease of automation. It might be useful to try and tease out the core
>> properties that enable each attack, and then determine if addressing those
>> properties is in scope.
>>
>> For example, we might say that preventing attacks which can be easily
>> automated at the application layer -- including credential stuffing,
>> payment transactions, content scraping, etc -- are in scope. (I am
>> certainly not an expert here, but I don't think attacking account creation
>> would be included in this list.) We might also say that attacks that can be
>> automated at the network layer -- including volumetric DoS attacks -- are
>> in scope. But the solutions to these problems could very well be quite
>> different.
>>
>> What do folks think?
>>
>> Best,
>> Chris
>>
>> On Tue, Feb 15, 2022 at 11:01 AM Dimitris Theodorakis <
>> dth@humansecurity.com> wrote:
>>
>>> As a follow up from our last meeting we've moved the use cases proposal
>>> to this doc
>>> <https://docs.google.com/document/d/1GXX3QkQQCT0h75K5LdML8ap4qZTMSD6tDPWz16dUDno/edit#>
>>> to encourage collaboration. Everyone should have comment/suggest access.
>>>
>>> Thanks,
>>> Dimitris
>>>
>>

Received on Tuesday, 15 February 2022 21:55:23 UTC