INTPenis 10 hours ago

I've been saying for years, it's one layer of security. That's undeniable.

Latty 10 hours ago | parent [-]

I'll push back on this: obscurity isn't a "free" layer of security, it has both security benefits and security costs.

By having obscurity you lose another layer of security: public scrutiny. It's harder for security issues to remain if people can see them and point them out; more eyes mean more chances to catch problems.

There is also a cultural component: having to lay out what you are doing publicly means you can't just think "no one will know", and let something slide, which pushes you towards better security practices.

Of course, this doesn't mean obscurity is always going to be the worse choice; there are times it will offer more than it costs, and it's particularly evident that in, for example, open source projects, a lot of the time the number of eyes on most code is low enough that "many eyes" is a bit misleading. But I think presenting it as a pure positive is wrong: obscurity has a cost, even if you think it's worth it in some cases.

INTPenis 8 hours ago | parent [-]

You're pushing back on something YOU said, not me.

I never called it a "free" layer of security, I said it was ONE layer of security. Emphasizing the one, because security comes in as many layers as one is able to manage.

Latty 7 hours ago | parent [-]

Well, my issue is that "one layer" implies you can just stack it on others; especially if you say "as many layers as one is able to manage", it implies the best option is to add obscurity on top.

As my comment made the case: it's not a simple addition, it's a trade-off, and I'm saying it should be thought about in those terms. I didn't find that was evident from what you said; I guess the "push back" framing was more negative than I intended.

INTPenis 7 hours ago | parent | next [-]

I think you're overthinking this. You're probably imagining some context to this that I'm not understanding fully.

naniwaduni 5 hours ago | parent | prev [-]

Which of your security layers isn't a trade-off?