[dmix]

The less information available about the infosec and (more importantly) the sys admins the better.

Nation states are like any organization. They are resource and time constrained. If you set the bar high you will eliminate the low hanging fruit adversaries. Force them to put the work in... Plus if you show them you are very careful and watching everything you will force them to be extra careful, as not to tip off any surveillance, which expends more resources.

Whether or not they can actually be anonymous is not the ultimate goal. That would require a lot of work and attention to detail. But you can still do some basic stuff to make the lives of hackers hard.

[yeukhon]

That's false sense of security you and many have. It takes very little time for nation states to identify who works for XYZ company.

If what you suggested is the right practice, then why is Google Zero Project members a public thing? A lot of them are publicly known. If infosec people are vulnerable, isn't your building security guard vulnerable? We got tens of thousands of hackers attending DefCon, Blackhats, and other security events every years and shouldn't we be worried? We got some of the most respected hackers and security engineers on planets attending them. How do you think government (FBI) recruited an anonymous hacker to work for them? Aren't your network engineers not vulnerable? Let's not kid ourselves with this ridiculous and quite frankly stupid obfuscation. If people are easy to fall for social engineering, let's find a solution that address the problem. Your impression of hidhing behind the curtain is basically the sterotype of hackers in basement. History has taught us the only famous computer programmer yet to be revealed is the creator(s) of Bitcoin. We don't knod if any nation states know who created Bitcoin. Otherwise, the government has pretty good hand in finding people. Resource constraint is a joke. If government wants to hack into Verizon they would have the resource assigned.

Sorry to be harsh but this is again false sense of security. Most startups would have developers have access to production so developers are just as vulnerable as infosec folks. Then why reveal the rest of the team? That counters your argument malicious actors would have a harder time to social engineer. So let's really not pretend we are doing better without revealing infosec because that's just nonsense in practice unless you are working on a project that may have serious retialation such as defeating Wanna worm then I understand masking your identity.

[dmix]

> It takes very little time for nation states to identify who works for XYZ company.

If it requires a person to spend time researching non-open source intelligence avenues then I disagree.

The point is by not doing something a company can gain something. That's not a big ask for the marketing team not to mention names in any public interface.

It's easy to assume that 'nation state' surveillance means that a sophisticated person will hunt down a piece of information. But that's actually quite a resource intensive request.

Quickly finding someones name on publicly available resources and adding it to a list is on quite a different level than having a hacker/trained person hunt down a hidden piece of information that must be triangulated from other disparate pieces of information. And I say this having spent quite a bit of time doxxing people for fun myself - it's a time intensive activity regardless if it was ultimately easy to do. The less information available the much hard it is to do.

[yeukhon]

But it is a pretty much a lost argument here because (1) developers aren't shielded, (2) developers are as vulnerable to social engineering as any infosec (but probably even more vulnerable if said infosec workers are very careful). The issue is the effort is neligible in a manhunt. For non-nation state actors like you and I, sure, it takes a huge effort. But if you don't everyone, then there is very little gain from hiding only people in infosec. In my experience, a lot of developers have production access. Compliance do not care if developers have access or not, auditors only care about if approval is in place and audit report can be produced without tampering. Also, in many enterprise, infosec often don't have access to actual production, they are just managing incident response process. Therefore, it is not usual to see massive social engineering, because it only takes one victim. Even if said victim has no access to most of the data, a breach in network is already a gold mine.

Also, you probably are familiar, sites like LinkedIn can be a great source for getting list of employees, and guessing company email is usually takes some effort once the attacker figures out the naming convention of email addresses.

Anyway, partial information is just as bad as full disclosure when the unhidden secrets are just as useful as the hidden one. So we either hide everything or we don't hide anything.