On Wed, Oct 1, 2014 at 11:27 PM, Kevin Wayne Williams
<kwwilliams(a)kwwilliams.com> wrote:
> Focusing on what signature we can obtain from (or plant on) the device and
> how to make that signature available to and manageable by admins is the key.

I used to do this for a living in the name of "credit card fraud
prevention". Not only is it a difficult problem, but it is also evil.

You will not find a method that is foolproof. It is completely
possible to partition the browser space into 90% known good and 10%
"looks funny". Separating the wheat from the chaff in that 10% is the
hard problem, however. In the retail space this grey area ends up being
managed by heuristics, ad hoc rules that only apply for a brief period
of time, and labor-intensive manual review. Ultimately in the retail
space it comes down to letting in enough bad actors that you don't
exclude more sales than necessary. You figure out what your acceptable
loss rate is and manage the real-time transaction approval stream to
maximize sales while keeping losses at or below an acceptable
threshold. That threshold is typically something between 1% and 1.5%
of your total sales volume by both transaction count and dollar value.

In a space where we are actually arguing that there is a potential of
loss of life for exposed actors, I don't think that it is reasonable
at all to discuss ways to increase the risk of exposure by creating
and publishing (oh yeah, we are open source and open config for most
things here) a recipe for tracking users in a durable fashion based on
device fingerprints and other sticky token techniques.

Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855