top | item 46254275

(no title)

dnet | 2 months ago

See https://doctorow.medium.com/como-is-infosec-307f87004563

> This is the same failure mode of all security-through-obscurity. Secrecy means that bad guys are privy to defects in systems, while the people who those systems are supposed to defend are in the dark, and can have their defenses weaponized against them.

discuss

stephen_g|2 months ago

That’s a great article - explains what I haven’t fully thought through or quite been able to put into words but what I’ve always felt, because the “you can’t tell people the secret rules” with things like money laundering is treated by many as obvious, but has never sat right with me.

macNchz|2 months ago

I disagree with this article—its premise relies too heavily on the oft repeated, oft misunderstood line “there is no security in obscurity.”

This concept is used to argue that obscurity shouldn’t be used at all as a defense mechanism, when really all it means is it shouldn’t be your only line of defense.

Obscuring aspects of a system can contribute to its overall functioning: it’s a filter for the laziest of adversaries, and it creates an imperative for more motivated ones to probe and explore to understand the obfuscation, creating signal and therefore opportunities to notice their behavior and intervene.

I think for anyone who has dealt firsthand with mitigating online fraud, hackers, spam, trolls, cheating etc, the idea of having completely transparent defense mechanisms is pretty much ludicrous.

monerozcash|2 months ago

I don't disagree, but still think it's better to do as the lawyers tell you to.