by eru 65 days ago
> There's a massive cost asymmetry between the "hardening" phase for the defender and the "discovering exploits" phase for the attacker.

Well, you need to harden everything, the attacker only needs to find one or at most a handful of exploits.

> Well, you need to harden everything, the attacker only needs to find one or at most a handful of exploits.

Yeah, but it's not like the attacker knows where to look without checking everything, is it?

If you harden and fix 90% of vulns, the attacker may give up when their attempts reach 80% of vulns.

It's the same as it has ever been; you don't need to outrun the bear, you only need to outrun the other runners.

My point is that the cost for the attacker is higher than the cost for the defender, if the attacker has to spend tokens probing for vulnerabilities against a system which they know little about, while the defender spends tokens on a system they have the full source to.

That is not at all relevant to "security via obscurity" or similar arguments: having the source in the open may (eventually) be more secure, but it lowers the token-spend for the attacker.

The attacker can get access to the sources via eg industrial espionage.

> The attacker can get access to the sources via eg industrial espionage.

Isn't that an extra cost above and beyond what the defender has?