The OP got everything right except that bit. This is a reason for not open-sourcing HN (the application), but it doesn't relate to open-sourcing Clarc (the language implementation). We could do that without revealing any anti-abuse stuff.

More at https://news.ycombinator.com/item?id=44099560.

Abuse of this sort isn't a security issue in the network sense. i.e. the security of Hacker News is not imperiled by people creating spam accounts, but nonetheless we want to stop that.

Obscurity is extremely good at filtering out low to medium skilled griefers. It won’t stop anyone who is highly motivated, but it will slow them down significantly.

Hacker News is small enough that obscurity would give moderators enough time to detect bad actors and update rules if necessary.

This is related to Kerckhoffs principle:

"The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents"

This means that all of the security must reside on the key and little or nothing in the method, as methods can be discovered and rendered ineffective if that's not the case. Keep in mind that this is for communication systems where it is certain that the messages will be intercepted by an hostile agent, and we want to prevent this agent to read the messages.

When implementing modern cryptographic systems, it is very easy to misuse the libraries, or to try to reimplement cryptographic ideas without a deep understanding of the implications, and this leads to systems that are more vulnerable than intended.

Security by obscurity is the practice of some developers to reinvent cryptography by applying their cleverness to new, unknown cryptosystems. However, to do this correctly, it requires deep mathematical knowledge about finite fields, probability, linguistics, and so on. Most people have not spent the required decades learning this. The end result is that those "clever" systems with novel algorithms are much less secure than the tried and true cryptosystems like AES and SSL. That's why we say security by obscurity is bad.

Now, going back to the main topic: Hacker News is not a cryptographic system where codified messages are going to be intercepted by an hostile actor. Therefore Kerckhoffs principle doesn't apply. There's not a secret key that can be changed in a way the system will recover its functionality if the secret key is discovered.

There is a series of measures that have worked in the past, and are still working today despite a huge population of active spamming and disrupting agents, and they should be kept secret as long as they keep working.

Is this a case where security through obscurity is good, or bad? Legit question. I am curious to read the responses it may prompt.

To me; philosophically; and to a first approximation, all security is through obscurity.

For example encryption works for Alice so long as Bob can't see the key...

... or parking the Porsche in the garage, reduces the likelihood someone knows there is a Porsche and reduces the likelihood they know what challenges exist inside the garage. Now put a tall hedge and a fence around it and the average passerby has to stop and think "there's probably a garage behind that barrier."

To put it another way, out of sight has a positive correlation to out of mind.

Yes of course a determined well funded Bob suggests obscurity with Bob's determination and budget. If Bob is willing to use a five dollar wrench, Alice might tell Bob the key.

There are forks of what I assume is the scrubbed HN codebase, e.g. https://github.com/jgrahamc/twostopbits

This likely isn't so much "security through obscurity" because it's not really about security in the traditional sense but instead about anti-griefing measures.