[dmix]

> It takes very little time for nation states to identify who works for XYZ company.

If it requires a person to spend time researching non-open source intelligence avenues then I disagree.

The point is by not doing something a company can gain something. That's not a big ask for the marketing team not to mention names in any public interface.

It's easy to assume that 'nation state' surveillance means that a sophisticated person will hunt down a piece of information. But that's actually quite a resource intensive request.

Quickly finding someones name on publicly available resources and adding it to a list is on quite a different level than having a hacker/trained person hunt down a hidden piece of information that must be triangulated from other disparate pieces of information. And I say this having spent quite a bit of time doxxing people for fun myself - it's a time intensive activity regardless if it was ultimately easy to do. The less information available the much hard it is to do.

[yeukhon]

But it is a pretty much a lost argument here because (1) developers aren't shielded, (2) developers are as vulnerable to social engineering as any infosec (but probably even more vulnerable if said infosec workers are very careful). The issue is the effort is neligible in a manhunt. For non-nation state actors like you and I, sure, it takes a huge effort. But if you don't everyone, then there is very little gain from hiding only people in infosec. In my experience, a lot of developers have production access. Compliance do not care if developers have access or not, auditors only care about if approval is in place and audit report can be produced without tampering. Also, in many enterprise, infosec often don't have access to actual production, they are just managing incident response process. Therefore, it is not usual to see massive social engineering, because it only takes one victim. Even if said victim has no access to most of the data, a breach in network is already a gold mine.

Also, you probably are familiar, sites like LinkedIn can be a great source for getting list of employees, and guessing company email is usually takes some effort once the attacker figures out the naming convention of email addresses.

Anyway, partial information is just as bad as full disclosure when the unhidden secrets are just as useful as the hidden one. So we either hide everything or we don't hide anything.