[Owasp-appsensor-project] how to detect if a detection point is created and sone other questions
ryan.barnett at owasp.org
Mon Mar 11 16:50:21 UTC 2013
On Mon, Mar 11, 2013 at 6:08 AM, Dennis Groves <dennis.groves at gmail.com> wrote:
> On 11 Mar 2013, at 1:14, panos wrote:
> Yes, a random username isn't so good an idea; actually it is a very bad idea. I thought
> of getting the IP and giving it as the username, for example "Ano192.168.1.1". I
> think that something like this will work. I'll try it.
> One of the issues is the concept of identity, it only takes 32 bits of
> information to identify somebody <https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy>.
> IP address is certainly not enough and unsurprisingly you can easily gather
> enough information to have very high confidence in identity without any
> username or password.
> And you will most certainly have enough information to make a
> Bayesian decision (how likely is it this identity is being hostile?) based
> on the behaviour of that identity (33 bits) for AppSensor. I suggest that
> anybody who doesn't surrender the '33 bits' is perhaps automatically
> suspect since they fall outside your standard deviation model of users.
I show some examples of similar approaches in Recipe 8-5: Detecting
Browser Fingerprint Changes During Sessions of my book -
This uses JS code to send to the browser, it then calculates a hash of the
browser fingerprint and then adds it as a cookie value. This is then saved
server side in the SessionID collection. This way you can track the
unauthenticated user by their browser fingerprint.