← Back to context

Comment by nequo

2 years ago

Suppose your hoop probabilities are 25% and that you have two hoops so that the probability of jumping through both is

  25% * 25% = 6.25%.

You can reduce the size of one of the hoops in half, changing the probability to

  25% * 25%/2 = 3.125%

You can also add a third hoop, in which case the probability is

  25% * 25% * 25% = 1.5625%

1.5625% < 3.125%, so adding a third hoop is better than shrinking one of the two existing hoops. Of course, this argument makes important assumptions about the hoop probabilities.

The probabilities aren't independent. The person jumping through the first hoop is probably more able than average. Therefore, any additional hoop - if it doesn't require a completely orthogonal skill - is less selective.

  • I think it depends on what the "probability" is meant to indicate. You're correct if it's meant to indicate whether a particular attacker can get through a particular hoop. But probabilities could also refer to e.g. the chance that it's possible to get through a particular hoop, period. Or the fraction of some input space which corresponds to an exploitation.

Makes sense. Other key questions would be: complexity cost of added hoop (including, possibly, increased attack surface -- the sequence of hoops is just an abstraction that reality may not obey) and also creation difficulty (it could be that improving an existing hoop is significantly quicker than creating a new one).