by lelanthran 59 days ago
> Well, you need to harden everything, the attacker only needs to find one or at most a handful of exploits.

Yeah, but it's not like the attacker knows where to look without checking everything, is it?

If you harden and fix 90% of vulns, the attacker may give up when their attempts reach 80% of vulns.

It's the same as it has ever been; you don't need to outrun the bear, you only need to outrun the other runners.


My point is that the cost for the attacker is higher than the cost for the defender if the attacker has to spend tokens probing for vulnerabilities against a system about which little is known, while the defender spends tokens on a system they have the full source to.

That is not at all relevant to "security via obscurity" or similar arguments: having the source in the open may (eventually) be more secure, but it lowers the token-spend for the attacker.

The attacker can get access to the sources via e.g. industrial espionage.

> The attacker can get access to the sources via e.g. industrial espionage.

Isn't that an extra cost above and beyond what the defender has?