Obscurity Adds to Defense
Many security experts whom I hold in the highest esteem are ticking me off!

I hear it all over: “you should never use obscurity as security.” I agree if you put the word “only” in front of obscurity, but otherwise you are often teaching the wrong lesson.

When I was in the Infantry, we had these things called tanks. They didn’t rely on obscurity for their defense. They had several feet of armor in the front and often a 120 mm smoothbore cannon backed up by a couple of machine guns, but we did camouflage them. We did try to prevent them from being obvious. The truth is that obscurity is a layer in the overall defense. It is not a foolproof layer, and on the Internet, in some respects, it is not even a very good one, but I want all the layers I can get. If obscurity isn’t important at all, then publish your schema and your overall architecture. I am taking it to extremes, but we need all the help we can get in all things security.

I know that in a conversation I can get agreement on my point from those who are trying valiantly to just teach a valuable lesson, but I think the wording has to be more exact.

Maybe my war analogies are misplaced when it comes to Internet security and defeating hackers, but no one has convinced me of that yet. It feels like war to me! Security is a war, don’t fight fair!
Patrick Hynds