jerf 13 hours ago

I've said for decades that, in principle, cybersecurity is advantage defender. The defender has to leave a hole. The attackers have to find it. We just live in a world with so many holes that dedicated attackers rarely end up bottlenecked on finding holes, so in practice it ends up advantage attacker.

There is at least a possibility that a code base can be secured by a (practically) finite number of tokens until there are no more holes in it, for reasonable amounts of money.

This also reminds me of what I wrote here: https://jerf.org/iri/post/2026/what_value_code_in_ai_era/ There's still value in code tested by the real world, and in an era of "free code" that may become even more true than it is now, rather than the initially-intuitive less valuable. There is no amount of testing you can do that will be equivalent to being in the real world, AI-empowered attackers and all.

mapontosevenths 13 hours ago | parent | next [-]

>in principle, cybersecurity is advantage defender

I disagree.

The defender must be right every single time. The attacker only has to get lucky, and thanks to scale they can do that every day, all day, in most large organizations.

janalsncm 13 hours ago | parent | next [-]

My understanding of defense in depth is that it is a hedge against this. By using multiple uncorrelated layers (e.g. the security guard shouldn’t get sleepier when the bank vault is unlocked) you are transforming a problem of “the defender has to get it right every time” into “the attacker has to get through each of the layers at the same time”.

NegativeK 8 hours ago | parent | prev | next [-]

The defender must be right every single time, and the attacker right only once.

Until the attacker has initial access.

Then the attacker needs to be right every single time.

traderj0e 13 hours ago | parent | prev | next [-]

Well, the attacker has something to lose too. It's not like the defender has to be perfect or else attacks will just happen, it takes time/money to invest in attacking.

coldtea 13 hours ago | parent | prev | next [-]

Not to mention an attacker motivated by financial gain doesn't even need a particular target defender. One/any found available will do.

tptacek 13 hours ago | parent | prev [-]

The attacker and defender have different constant factors, and, up until very recently, constant factors dominated the analysis.

traderj0e 13 hours ago | parent | prev [-]

I agree for the type of attacks the article focuses on, but DDoS and social engineering seem like advantage attacker.