

NIST: "System security should not depend on the secrecy of the implementation..." - jcox92
http://en.wikipedia.org/wiki/Security_through_obscurity

======
jcox92
Security through obscurity came to mind when I was watching US Cyber
commander, Keith Alexander, testify at the Senate hearing yesterday. In this
clip (http://www.c-spanvideo.org/clip/4455801)
he seems to be making an argument for secrecy of the NSA's programs, saying
that it makes them more secure. From a purely engineering standpoint, this
seems wrong to me.

~~~
tptacek
Not every policy problem admits to an engineering solution.

~~~
jcox92
Agreed, but I still think it bears some relevance in this situation. Is any
security added by making these programs and processes secret? What would the
security issues be if everyone knew exactly what was being collected, when it
could be accessed, and the requisite processes needed to access it?

~~~
tptacek
Cases before FISC present details of specific sources and methods and specific
targets of foreign surveillance that don't know NSA is "on to them". Those
proceedings were never going to be public. Similar things happen in domestic
cases, which are often sealed.

~~~
jcox92
I should make a distinction between the data itself and the processes through
which the data is collected and used. I'm not saying that the data related to
every case should be made public. I'm just wondering why the processes to
collect and use the data need to be secret. I think the process should be
transparent without the data itself being public.

