Making content for an algorithm is like having a boss that docks every paycheck because you broke rules that you are not allowed to know, because if you knew the rules, you'd figure out how to cheat without your boss catching you. Content moderation is the last place where #SecurityThroughObscurity is considered good practice:
https://doctorow.medium.com/como-is-infosec-307f87004563
4/
@md @bmi @bsi #TETRA's #Crypto is so #weak that it's trivial to crack with any modern #GPGPU, because its #SecurityThroughObscurity makes all the #TEA versions as weak as #CSA on #DVB.
But then again no one pays me to fix it, so it's not my problem.
Spoiler: The proper fix is to abolish all #proprietary shit and demand a fully #OpenSource'd communications system, since everything else violates #KerckhoffsPrinciple and is thus inherently and unfixably insecure by design!
#kerckhoffsprinciple #OpenSource #proprietary #dvb #csa #Tea #securitythroughobscurity #gpgpu #weak #Crypto #tetra
Amazon will doubtless claim that disclosing how those systems work will make it easier for spammers and scammers to game their way to the top of search results. We should be skeptical of this claim - content moderation is the last domain where anyone takes the bankrupt idea of #SecurityThroughObscurity seriously:
https://doctorow.medium.com/como-is-infosec-307f87004563
33/
Finally, there's the question of Proctorio's security. Proctorio argued that by publishing links to its educator materials, Linkletter weakened the security of its products. That is, they claim that if students know how the invigilation tool works, it stops working. This is the very definition of "#SecurityThroughObscurity," and it's a practice that every serious infosec professional rejects.
32/
@bragi @AirlineReporter @leo I guess there were only 9 versions and some dummy let a newspaper take and post a photo of them. #SecurityThroughObscurity 🙄
For one thing, the rules change all the time, as the platforms endlessly twiddle the knobs that determine what gets shown to whom:
https://doctorow.medium.com/twiddler-1b5c9690cce6
And they refuse to tell anyone what the rules are, because if they told you what the rules were, you'd be able to bypass them. #ContentModeration is the only #infosec domain where "#SecurityThroughObscurity" doesn't get laughed out of the room:
https://doctorow.medium.com/como-is-infosec-307f87004563
17/
#contentmoderation #infosec #securitythroughobscurity
Working for the platform can be like working for a boss who takes money out of every paycheck for all the rules you broke, but who won't tell you what those rules are because if he told you that, then you'd figure out how to break those rules without him noticing and docking your pay. #ContentModeration is the only domain where #SecurityThroughObscurity is considered a best practice:
https://doctorow.medium.com/como-is-infosec-307f87004563
21/
#contentmoderation #securitythroughobscurity
@SwiftOnSecurity
I knew someone who regularly conducted cash business transactions. They'd never carry it in its own bag. It'd be buried, hidden within a bag of something else innocuous and not cash-associated, that was totally normal to shop for and carry as an errand by the individual, time, and day.
Daily baguettes can be valuable...
#SecurityThroughObscurity
Speaking of companies: should internal resources be resolvable using external #DNS? What points should be considered in terms of #security, #operations and #risk #management?
Is using split DNS #SecurityThroughObscurity or prevention of information gathering?
#securitythroughobscurity #management #risk #operations #security #dns
@bignose yeah, that's probably fair. And also, not having all the used subdomains listed is more of a #SecurityThroughObscurity play; if I need to keep any of them secure, better do it regardless of the information about the existence of that subdomain being widely or narrowly distributed.
The "make a cert per subdomain" might be easy, while it also cuts against the "limit the number of moving pieces" aspect of administration, which I believe in (not to the extreme, but still).
@damien I just keep all my creds in a separate public Github repo called "Definitely not my creds". #securitythroughobscurity
It's as if your boss handed you a paycheck with only half your pay in it, and when you asked what happened to the other half, your boss said, "You broke some rules so I docked your pay, but I won't tell you which rules because if I did, you might figure out how to break them without my noticing."
Content moderation is the only part of information security where #SecurityThroughObscurity is considered good practice:
https://doctorow.medium.com/como-is-infosec-307f87004563
28/
Trying to hide the existence of a wireless network by disabling SSID broadcasting is not a true mechanism of security.
#wifi #security #securitythroughobscurity