
I was going to make approximately this point. However, I think it's also important to have some of those "shut up and trust me" phrases codified and have them available for the layman via Google. Because sometimes those people demand "proof" or they'll go searching for it themselves and if it's right there to be found and most major sources agree... well, the discussion can then be "Is this just obscurity where security is needed?" AS IT SHOULD BE.

If you get right down to it, passwords are just obscurity. Usernames are just obscurity. In this very thread people are dismissing port knocking while it's functionally equivalent to a password.

I will personally stand by "security through obscurity is not security" forever because that way we can get to the actually interesting question -- what level is needed for this service?

Let's take a simple example from the public Internet -- you want to share something. So you put it on a server with Apache. You add TLS and PFS. You hide it in a folder structure somewhere. You add a single-use token or just htaccess.

Any of those individually would be obscurity, but put together they are most likely more than enough for... well, anyone. So is it still obscurity or actual security? That's a debate for the ages, but I think most people would agree all of those put together are fine-ish, but pick just one method and it's just obscurity.

This whole thread is basically just a philosophical debate where half the people haven't read the article, the other half disagrees with minutiae in the article, the third half disagrees with major points of the article, the 4th half is sharing anecdotes and the 5th half just wants to participate.
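The layered setup the comment sketches (Apache, TLS with PFS, a hidden path, an htaccess-style password), written out as an added Apache configuration example that is not from the comment's author; the hostname, directory names and file paths are assumptions:

```apache
# Added example: the layers from the comment above in one Apache vhost.
# Hostname, paths and file names are assumptions, not from the comment.
<VirtualHost *:443>
    ServerName share.example.org

    # Layer 1: TLS with forward secrecy (PFS). Only ECDHE suites are offered
    # for TLS 1.2, so a later key compromise does not expose old captures.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/share.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/share.example.org.key
    SSLProtocol           -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite        ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder   on

    # Layer 2: the "hidden folder". Listing is off and the root denies all,
    # so only someone who knows the exact path gets anywhere. On its own this
    # is the obscurity layer: it holds only until the URL leaks.
    DocumentRoot /var/www/share
    <Directory /var/www/share>
        Options -Indexes
        Require all denied
    </Directory>

    # Layer 3: htaccess-style password on the unguessable directory. This is a
    # credential check and works whether or not the path is known. The inner
    # Require replaces the outer one (AuthMerging is Off by default).
    <Directory /var/www/share/8f3a1c-dropbox>
        AuthType Basic
        AuthName "Shared files"
        AuthUserFile /etc/apache2/share.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Send plain HTTP to HTTPS so the Basic credential never travels in cleartext.
<VirtualHost *:80>
    ServerName share.example.org
    Redirect permanent / https://share.example.org/
</VirtualHost>
```

The password file is created once with `htpasswd -B -c /etc/apache2/share.htpasswd <user>` (bcrypt); mod_ssl, mod_auth_basic, mod_authn_file and mod_authz_user must be enabled.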
