Hacker News
by _jgdh 2647 days ago
> well-known in the security community as not being good practice

The folks in charge of making decisions don't understand security. I'm not criticising them, it's quite reasonable that a layman would think that security by obscurity works.

2 comments

They have a threat model, their threat model is based on reality, and their security is pretty good against the threat model. How can you say they "don't understand security"?

They also (viewed from a distance) seem to ignore people who talk about security without talking about threat models.

Security by obscurity seems to be very nearly irrelevant to the Indian Electoral Commission's security model. Security by obscurity is bad, of course, but in that model it's such a minor factor. If I were the commission I'd file people who disregard the threat model and talk about minor factors under "b" for "bikeshedders".

yep, agreed!

I wish that was not the case, though, and it's up to us as the tech community to educate our policymakers.