Comment by anonymars

1 month ago

I can see what you're saying, but I don't think the existence of situations that aren't comparable means we should do away with the idea of comparison. You could make that argument about almost anything (not just security): almost always in engineering (and life) there are tradeoffs. Sometimes those tradeoffs are clear-cut. Sometimes they aren't.

There may be a long tail, but I don't think that should exclude sensible statements like "deny-by-default is safer"...that promotes situations where software doesn't select opinionated defaults and so you end up with publicly accessible Mongo and Redis and S3 resources as we've seen over the years.

I'm calling for linguistic precision. What does it mean for a SOHO router to be "secure"? If we taboo this word "secure" for the moment and instead ask how effectively these devices, e.g., prevent unauthorized inbound connections to bottable IoT devices, we can start to get a concrete sense of the landscape and directions in which we can move across it. By focusing on the specific thing we want to accomplish, we can avoid getting distracted by considerations relevant only to other scenarios and better approximate a "meeting of the minds" on terminology and goals.
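The two points above (that "deny-by-default is safer" is a sensible general statement, and that "how effectively does the router block unauthorized inbound connections to LAN devices" is a measurable question) can be made concrete with a small firewall policy evaluator. This is an added example, not code from the commenter or from any router firmware: the rule format, the LAN layout (192.168.1.0/24), the single explicit allow rule, and the inbound connection attempts from the TEST-NET address 203.0.113.5 are all constructed for illustration. The same rule list is evaluated once with an allow-by-default and once with a deny-by-default policy, and the set of LAN services reachable from the WAN is reported for each.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. First matching rule wins; `dport=None` matches any port."""
    action: str            # "allow" or "deny"
    src: str               # source CIDR, e.g. "0.0.0.0/0" for the whole WAN
    dst: str               # destination CIDR inside the LAN
    dport: Optional[int]   # destination TCP port, None = any


@dataclass(frozen=True)
class Conn:
    """An inbound connection attempt as seen at the router's WAN interface."""
    src: str
    dst: str
    dport: int


def matches(rule: Rule, conn: Conn) -> bool:
    """True if the connection falls inside the rule's source, destination and port."""
    if ip_address(conn.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(conn.dst) not in ip_network(rule.dst, strict=False):
        return False
    return rule.dport is None or rule.dport == conn.dport


def evaluate(rules: List[Rule], default: str, conn: Conn) -> str:
    """First-match evaluation; the policy default applies when nothing matches."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default


def exposed_services(rules: List[Rule], default: str,
                     attempts: Iterable[Conn]) -> Set[Tuple[str, int]]:
    """The (host, port) pairs on the LAN that the WAN can actually reach.

    This is the concrete quantity behind "does the router prevent unauthorized
    inbound connections": every pair in the returned set is reachable.
    """
    return {(c.dst, c.dport) for c in attempts
            if evaluate(rules, default, c) == "allow"}


# Constructed rule set: the owner deliberately published HTTPS on a NAS.
# Nothing else on the LAN was ever mentioned in the configuration.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.168.1.10/32", 443),
]

# Constructed inbound attempts from one WAN address (TEST-NET-3, never routed).
# Only the first is something the owner intended to expose; the others hit
# services on devices that were simply plugged into the LAN later.
INBOUND_ATTEMPTS = [
    Conn("203.0.113.5", "192.168.1.10", 443),     # NAS HTTPS, explicitly allowed
    Conn("203.0.113.5", "192.168.1.20", 23),      # telnet on an IP camera
    Conn("203.0.113.5", "192.168.1.21", 27017),   # MongoDB on a hobby box
    Conn("203.0.113.5", "192.168.1.21", 6379),    # Redis on the same box
]


def compare_policies(rules: List[Rule], attempts: Iterable[Conn]):
    """Return (exposed under allow-by-default, exposed under deny-by-default)."""
    attempts = list(attempts)
    return (exposed_services(rules, "allow", attempts),
            exposed_services(rules, "deny", attempts))


if __name__ == "__main__":
    open_by_default, closed_by_default = compare_policies(RULES, INBOUND_ATTEMPTS)
    print("allow-by-default exposes:", sorted(open_by_default))
    print("deny-by-default  exposes:", sorted(closed_by_default))
```

Under allow-by-default the only thing protecting the camera's telnet port or the Mongo and Redis listeners is whether someone remembered to write a rule for them; under deny-by-default the exposure set is exactly the services the owner listed, and adding a new device to the LAN changes nothing until a rule is added for it. That difference in what the default does with the "long tail" of unanticipated services is the precise sense in which deny-by-default is the safer default.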