> security by obscurity is weak for actual security
There was a time when I believed this. But over the years, I've concluded that in many cases, that which is considered legitimate security is in fact rooted simply in ensuring that the attacker is lacking information, which is fairly synonymous with obscurity.
Secrecy is a core part of legitimate security. But mere obscurity is not secrecy. In a secure system design you know exactly which parts are secret and which are not.
Yes, ideally this distinction can be made. But a piece of information you consider secret, if known by more than exactly one person, is merely obscure information.