- From: Philipp Pfeiffenberger <philippp@google.com>
- Date: Tue, 15 Feb 2022 14:16:15 -0800
- To: Chris Wood <chriswood@cloudflare.com>
- Cc: Dimitris Theodorakis <dth@humansecurity.com>, public-antifraud@w3.org
- Message-ID: <CAHSzL-R-n_ReC21r8gfaUKFHa0Okrpc8-3y9MUveMmFWRX5Q7Q@mail.gmail.com>

There are also human-driven attacks, for example 100 people who are each clicking on the same 100 ads, that are affected by privacy changes. In this example, defenders may currently rely on cross-site/app activity graphs to detect such cliques.

Could an enumeration of "detection capabilities at risk" help us be comprehensive in our coverage? It's a bit of the converse of the list of problems, but a map of "detection capabilities at risk" to the threat vectors (or common problems) they relate to may help inform prioritization (e.g. identify which detection technique is relevant to several high-impact problems).

On Tue, Feb 15, 2022 at 12:01 PM Chris Wood <chriswood@cloudflare.com> wrote:

> Thanks for breaking out the use cases into a separate document! I think listing different attack scenarios is valuable.
>
> However, I'm not sure the current framing, which seems to suggest that only certain attack scenarios would be in scope, is the best path forward. Some of these attacks seem to stem from a common (set of) problem(s), e.g., ease of automation. It might be useful to try and tease out the core properties that enable each attack, and then determine if addressing those properties is in scope.
>
> For example, we might say that preventing attacks which can be easily automated at the application layer -- including credential stuffing, payment transactions, content scraping, etc -- are in scope. (I am certainly not an expert here, but I don't think attacking account creation would be included in this list.) We might also say that attacks that can be automated at the network layer -- including volumetric DoS attacks -- are in scope. But the solutions to these problems could very well be quite different.
>
> What do folks think?
>
> Best,
> Chris
>
> On Tue, Feb 15, 2022 at 11:01 AM Dimitris Theodorakis <dth@humansecurity.com> wrote:
>
>> As a follow up from our last meeting we've moved the use cases proposal to this doc <https://docs.google.com/document/d/1GXX3QkQQCT0h75K5LdML8ap4qZTMSD6tDPWz16dUDno/edit#> to encourage collaboration. Everyone should have comment/suggest access.
>>
>> Thanks,
>> Dimitris

Received on Tuesday, 15 February 2022 22:16:41 UTC