I know what you mean about "security by obscurity." It's one of those things I'm really against, and so it's really tricky how to address that sort of thing.
When it comes to security researchers, I've always had an issue with the ones who publish their findings publicly before disclosing them to the companies affected. Granted, a lot of that came out of the companies not being responsive to reports from researchers, and so researchers went about it the only way they could.
In this particular case, in my judgement, by discussing this issue more publicly in terms of exactly what happened, I feel like I'd contribute more to hackers than I would to security. That's a judgement call, obviously, but after a lot of consideration that's still the conclusion I come to. This particular technique won't work again against Valve, but I don't want to encourage other people to try this against Valve or other hardened targets.
I also have to acknowledge my conflict of interest -- Valve is the source of the vast majority of my income. Discussing security flaws without coordinating with them could end my business. I'm not really here to try to get my company embroiled in things like that. I just want to make games.
How much does that conflict of interest affect my decision making, though? There's a certain level of cowardice in the "don't rock the boat with your source of income," and I recognize that.
That's why I've been mulling this over and over. I still keep coming back to the same feeling, though: with a lot of the security researchers that make exploits public nowadays, it's done, I feel, almost out of pride, or out of habit of that being the process. So then Microsoft or Oracle or whoever are left scrambling to patch whatever thing after it's public, and getting customers to install those patches. I'd be a lot happier if those researchers approached those companies first, got the things patched, and then either did or did not disclose the vulnerabilities after that based on their judgement. Over-publicizing things like that has rubbed me the wrong way for years, even though in a lot of cases I know it's the only way to go.
In this particular case, despite the fact that I could now "pull this off against any other indie," as I noted, I think I'd wind up in handcuffs if I did so. Since there's a component of social engineering in this one, there's always the chance I could pull it off without handcuffs, but the likelihood is low right now in particular. Making the methods public is something that would likely lead to a lot of extra work for Valve in terms of having to fend off people who try the social component just to see if they can make it work. And it could lead to a series of unrelated hacks of other indies to get the needed technical data, which would have other knock-on effects in systems unrelated to Valve.
In short, talking about this too publicly is something that I just don't see an upside for. Even while acknowledging my bias for keeping quiet because of my financial relationship with Valve, I think that this would just not be a good Samaritan thing to disclose. If I consider how I'd feel if another indie disclosed it, I'd be mildly annoyed if it didn't affect me, or pretty incensed if it led to an attack on me. As it stands, I don't see this being widely attempted going forward, and the vulnerability is closed, so anything I do that might increase attempts on that or similar vulnerabilities is just bad for everyone.
It might be rationalization, but I've thought about it a lot and that's what I come up with.