Comment by quotemstr

1 month ago

"X is more secure than Y" is usually an ill-formed statement. Secure against what threats? Does X provide every security guarantee Y does? Every single one? Then there's no proper superset relationship, and the best we can do is say that X and Y provide different security guarantees.

If we model security as a lattice, lots of systems end up being incommensurable. You have to talk about the specific threats.

Okay, suppose you want to flatten the lattice into a scalar score so we can apply the usual relational operators and statements like "more secure" make sense. How do we do that? Do we apply some kind of weighted average over security feature presence? With what coefficients? Are these coefficients invariant over time and between people? What if my use-case is different from yours and I have to model the "amount" of security differently?

If my router is written in 100% memory safe code but has a default password of "hunter2", is it more or less secure than your router, which might be a normal OpenWRT installation?

When people argue over whether something is "more" or "less" secure without specifying a use-case, they're haphazardly mixing feature matrix comparisons and (usually tacit) disagreements on prior probabilities of various attacks. The result is seldom a conversation that enlightens.
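The lattice argument above, worked through as an added example (not part of the thread): guarantees are modelled as sets ordered by inclusion, so two routers are comparable only when one provides every guarantee the other does, and flattening to a scalar needs per-use-case weights that can reverse the ranking. All guarantee labels, the guarantees assigned to each router, and both weight tables are constructed for illustration, not facts about any real product.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed, hypothetical guarantee labels; each names one mitigated threat.
MEMORY_SAFE = "no memory-corruption RCE"
NO_DEFAULT_CREDS = "no well-known default credentials"
INBOUND_DENY = "inbound connections denied by default"
AUTO_UPDATE = "automatic security updates"

@dataclass(frozen=True)
class System:
    name: str
    guarantees: frozenset[str]

def compare(a: System, b: System) -> str:
    """Partial order: a >= b iff a provides every guarantee b provides.
    Returns 'a>=b', 'b>=a', 'equal' or 'incomparable'."""
    a_ge_b = a.guarantees >= b.guarantees
    b_ge_a = b.guarantees >= a.guarantees
    if a_ge_b and b_ge_a:
        return "equal"
    if a_ge_b:
        return "a>=b"
    if b_ge_a:
        return "b>=a"
    return "incomparable"

def score(s: System, weights: dict[str, float]) -> float:
    """Flatten the lattice to a scalar using use-case-specific coefficients."""
    return sum(weights.get(g, 0.0) for g in s.guarantees)

def rank(systems: list[System], weights: dict[str, float]) -> list[str]:
    """Names ordered from highest to lowest score under the given weights."""
    return [s.name for s in sorted(systems, key=lambda s: score(s, weights), reverse=True)]

# Constructed sample systems mirroring the comment's router example.
MEMSAFE_ROUTER = System("memory-safe router with default password",
                        frozenset({MEMORY_SAFE, INBOUND_DENY}))
STOCK_ROUTER = System("stock router (illustrative guarantees)",
                      frozenset({NO_DEFAULT_CREDS, INBOUND_DENY, AUTO_UPDATE}))
BOTH = System("router with every guarantee", frozenset({MEMORY_SAFE, NO_DEFAULT_CREDS, INBOUND_DENY, AUTO_UPDATE}))

# Two constructed threat models with different priors on which attacks matter.
INTERNET_FACING = {NO_DEFAULT_CREDS: 5, INBOUND_DENY: 4, AUTO_UPDATE: 3, MEMORY_SAFE: 2}
EXPLOIT_HEAVY = {MEMORY_SAFE: 6, INBOUND_DENY: 4, NO_DEFAULT_CREDS: 1, AUTO_UPDATE: 1}

if __name__ == "__main__":
    print(compare(MEMSAFE_ROUTER, STOCK_ROUTER))        # incomparable: no superset relation
    print(compare(BOTH, STOCK_ROUTER))                   # a>=b: a genuine superset
    print(rank([MEMSAFE_ROUTER, STOCK_ROUTER], INTERNET_FACING))  # stock router first
    print(rank([MEMSAFE_ROUTER, STOCK_ROUTER], EXPLOIT_HEAVY))    # memory-safe router first
```

Only the `BOTH` comparison yields a "more secure" verdict that holds regardless of weights; the other two rankings disagree purely because the coefficients differ.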

I can see what you're saying, but I don't think the existence of situations that aren't comparable means we should do away with the idea of comparison. You could make that argument about almost anything (not just security): almost always in engineering (and life) there are tradeoffs. Sometimes those tradeoffs are clear-cut. Sometimes they aren't.

There may be a long tail, but I don't think that should exclude sensible statements like "deny-by-default is safer"... that promotes situations where software doesn't select opinionated defaults, and so you end up with publicly accessible Mongo and Redis and S3 resources, as we've seen over the years.

  • I'm calling for linguistic precision. What does it mean for a SOHO router to be "secure"? If we taboo this word "secure" for the moment and instead ask how effectively these devices, e.g., prevent unauthorized inbound connections to bottable IoT devices, we can start to get a concrete sense of the landscape and the directions in which we can move across it. By focusing on the specific thing we want to accomplish, we can avoid getting distracted by considerations relevant only to other scenarios and better approximate a "meeting of the minds" on terminology and goals.