by FunnyLookinHat 3081 days ago
"We don’t discuss all of our security processes and technologies in specific detail for what should be obvious reasons..." - Security by obfuscation? That's not security. Your protocols and processes should stand up even if made public.
4 comments

It's standard operating procedure to elide the details of one's security posture.

Would you expect Google's security team to provide a detailed list of all of the security procedures in place to prevent access to their network?

Rejecting "security through obscurity" just means you shouldn't rely on obscurity alone. Obscurity + good security > good security alone, since it increases the threshold of time and ability that any attacker would need to bring to an attack.

I saw a bit of a talk by a Google engineer that laid out their overall strategy for securing the Android app ecosystem. I don't think it's a hard and fast rule.

Yeah, you make a good point. I'm not outright rejecting keeping your secrets close, but it doesn't instill a lot of confidence for me.

After left-pad I think we'd all like to see a strong, well-documented methodology to keep things like this from happening again. The broad strokes can't be any more clever than what the rest of us would expect, so why not at least provide a basic idea of what you're doing, and then we could trust the system a bit more?

To me it sounds like they are talking about their automated systems to scan for spam and malware. While I normally would support your stance, I see why they would act in this way: such systems often only work as long as they are not made public.

Sure, this is "security by obscurity" in the purest sense, but it's pretty common throughout the industry to not publicly disclose one's security process. Those details make it easier to circumvent.

What is your home address and phone number?
> What is your home address and phone number?

Neither of those is a security system. That's like asking for their password and claiming you've proven security through obscurity.

The idea behind dismissing obscurity is that if everything but private tokens were exposed, your system should still remain secure.

If you think that your address and phone number are secret information, consider how easy it would be to find yours from the information in your HN profile. I'm pretty sure I found your entry on whitepages within a few minutes, and I'm barely motivated to find it.

I think you are confused as to my intention.

I thought you were asking a rhetorical question to show that obfuscation is a valid security measure that we all use. What was your intention?

The correct question should be: "What firewall and IDS do you use?"