On 11/26/20 3:19 PM, Andrew Sullivan wrote:
> I think this FTP discussion and the above share something, which is a presumption that there are things that are just sitting around and that don't require any attention. I think this is false, and I would like to suggest that just about everyone in this discussion knows that to be the case, but is forgetting it because the costs are externalized.
+1 to pretty much all of your message except for this last bit (italics mine). Just because we don't mention the costs doesn't mean we're not aware of them. (Though so far there's still been no estimate of those costs, so basically we're left to guess. And that might be part of why we don't say much about them.)
I do question the model that says that the security risks are
related to the number of TCP ports used rather than, say, the
number of lines of code that are exposed to externally originated
traffic. Of course that's not a great model either because the
quality of the code matters, the implementation language matters,
the protocol design matters, etc.
Keith