Comment by dtx1
2 years ago
> The most efficient way to harden against exploits is to try and shrink whichever hoop possesses the greatest partial derivative of overall exploit success probability with respect to developer time.
Depending on your definition of efficient, adding more hoops should work exponentially better.
My definition of efficient is essentially whatever decreases the number of workable exploits most rapidly per hour of developer time.
> Depending on your definition of efficient, adding more hoops should work exponentially better.
Explain?
Suppose your hoop probabilities are 25% and that you have two hoops so that the probability of jumping through both is
You can reduce the size of one of the hoops in half, changing the probability to
You can also add a third hoop, in which case the probability is
1.5625% < 3.125%, so adding a third hoop is better than shrinking one of the two existing hoops. Of course, this argument makes important assumptions about the hoop probabilities.
The probabilities aren't independent. The person jumping through the first hoop is probably more able than average. Therefore, any additional hoop - if it doesn't require a completely orthogonal skill - is less selective.
Makes sense. Other key questions would be: complexity cost of added hoop (including, possibly, increased attack surface -- the sequence of hoops is just an abstraction that reality may not obey) and also creation difficulty (it could be that improving an existing hoop is significantly quicker than creating a new one).
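An added illustration, not part of any comment in this thread: the hoop arithmetic discussed above, computed exactly for independent hoops and for a constructed attacker population in which success is correlated through skill. The class weights, the 90% skilled pass rate, and the model of "halving" a hoop as halving every attacker's pass probability are assumptions.

```python
from math import prod

def pass_all(classes, hoops):
    """Probability that a randomly drawn attacker passes every hoop.

    classes: list of (weight, per_hoop_pass_probability); weights sum to 1.
    hoops:   list of size factors, 1.0 = unchanged hoop, 0.5 = hoop halved.
    Within one class the hoops are independent; mixing classes is what
    makes success on one hoop predict success on the next.
    """
    return sum(w * prod(min(1.0, p * f) for f in hoops) for w, p in classes)

def compare(classes):
    """Baseline of two hoops versus the two hardening options in the thread."""
    return {
        "baseline": pass_all(classes, [1.0, 1.0]),
        "shrink_one": pass_all(classes, [0.5, 1.0]),      # halve one hoop
        "add_third": pass_all(classes, [1.0, 1.0, 1.0]),  # add another hoop
    }

# Independent case from the thread: every attacker passes each hoop at 25%.
INDEPENDENT = [(1.0, 0.25)]

# Constructed correlated case (assumption): 10% of attackers are skilled and
# pass any hoop 90% of the time; the rest pass at whatever rate keeps the
# average per-hoop pass rate at 25%.
SKILLED_W, SKILLED_P = 0.10, 0.90
REST_P = (0.25 - SKILLED_W * SKILLED_P) / (1 - SKILLED_W)
CORRELATED = [(SKILLED_W, SKILLED_P), (1 - SKILLED_W, REST_P)]

if __name__ == "__main__":
    for name, classes in (("independent", INDEPENDENT), ("correlated", CORRELATED)):
        result = compare(classes)
        best = min(("shrink_one", "add_third"), key=result.get)
        print(name, {k: f"{v:.4%}" for k, v in result.items()}, "better:", best)
```

With independent hoops the third hoop wins, as in the thread; in the constructed correlated population the same 25% average hoop is mostly passed by the skilled minority, and shrinking an existing hoop comes out ahead.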