by Gatsky 3314 days ago
Not sure there is an issue here... I think it's just a joke about 'physical security' of the premises.

Most team pages I've seen don't specifically identify people working on infosec aspects of the product. That could be an attack vector if you're really being paranoid.


That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there. If someone were to do social engineering well it will be done, regardless of title. :)

No, seriously, I bet you this is just a blunt humor attempt. Someone thought it was cute. Those who prefer to remain hidden from camera just don't want to be seen on the Internet. I probably should go on LinkedIn and look for someone with a security title working for this company, I might be right.

> That's a myth. If someone were to attack your infosec engineers physically or virtually you need to build your company from the moon because only nation states and the 1% richest would be able to afford the ride there.

http://www.spiegel.de/international/world/ghcq-targets-engin...

See my response on another comment.

NSA has been known to target sysadmins so I wouldn't call this a myth.

I already said it, social engineering will work regardless of whether someone hides their identity. Government knows who works for who. IRS is a good source, so this is a myth that hiding a photo can save someone's security. No, it is a false sense of security. When I said it's a myth it's satirical.

The less information available about the infosec and (more importantly) the sys admins the better.

Nation states are like any organization. They are resource and time constrained. If you set the bar high you will eliminate the low hanging fruit adversaries. Force them to put the work in... Plus if you show them you are very careful and watching everything you will force them to be extra careful, as not to tip off any surveillance, which expends more resources.

Whether or not they can actually be anonymous is not the ultimate goal. That would require a lot of work and attention to detail. But you can still do some basic stuff to make the lives of hackers hard.

That's a false sense of security you and many have. It takes very little time for nation states to identify who works for XYZ company.

If what you suggested is the right practice, then why are Google Zero Project members a public thing? A lot of them are publicly known. If infosec people are vulnerable, isn't your building security guard vulnerable? We got tens of thousands of hackers attending DefCon, Blackhats, and other security events every year and shouldn't we be worried? We got some of the most respected hackers and security engineers on the planet attending them. How do you think government (FBI) recruited an anonymous hacker to work for them? Aren't your network engineers not vulnerable? Let's not kid ourselves with this ridiculous and quite frankly stupid obfuscation. If people are easy to fall for social engineering, let's find a solution that addresses the problem. Your impression of hiding behind the curtain is basically the stereotype of hackers in basement. History has taught us the only famous computer programmer yet to be revealed is the creator(s) of Bitcoin. We don't know if any nation states know who created Bitcoin. Otherwise, the government has a pretty good hand in finding people. Resource constraint is a joke. If government wants to hack into Verizon they would have the resource assigned.

Sorry to be harsh but this is again a false sense of security. Most startups would have developers have access to production so developers are just as vulnerable as infosec folks. Then why reveal the rest of the team? That counters your argument malicious actors would have a harder time to social engineer. So let's really not pretend we are doing better without revealing infosec because that's just nonsense in practice unless you are working on a project that may have serious retaliation such as defeating Wanna worm then I understand masking your identity.

> It takes very little time for nation states to identify who works for XYZ company.

If it requires a person to spend time researching non-open source intelligence avenues then I disagree.

The point is by not doing something a company can gain something. That's not a big ask for the marketing team not to mention names in any public interface.

It's easy to assume that 'nation state' surveillance means that a sophisticated person will hunt down a piece of information. But that's actually quite a resource intensive request.

Quickly finding someone's name on publicly available resources and adding it to a list is on quite a different level than having a hacker/trained person hunt down a hidden piece of information that must be triangulated from other disparate pieces of information. And I say this having spent quite a bit of time doxxing people for fun myself - it's a time intensive activity regardless if it was ultimately easy to do. The less information available the harder it is to do.