Thread 105724599 - /g/ [Archived: 836 hours ago]

Anonymous
6/27/2025, 7:33:40 PM No.105724599
>security by obscurity is bad, trust me bro
Okay, here is my system, try to break in
>hardware: [REDACTED]
>software stack: [REDACTED]
>software version list: [REDACTED]
>protocols: [REDACTED]
>network: [REDACTED]
also if it's really the case then why do you "obscure" your private keys and passwords?
Replies: >>105725515 >>105725743
Anonymous
6/27/2025, 8:28:06 PM No.105725230
Kerckhoffs's principle.
Replies: >>105725594
Anonymous
6/27/2025, 8:50:36 PM No.105725490
Obscurity is the only meaningful form of security.
Anonymous
6/27/2025, 8:52:49 PM No.105725515
>>105724599 (OP)
>also if it's really the case then why do you "obscure" your private keys and passwords?
Because unlike you I'm not retarded and therefore understand the concept of "strawman"
Replies: >>105725594
Anonymous
6/27/2025, 9:00:37 PM No.105725594
>>105725230
>>105725515
>more obscurity on top of "mandatory" key and password security is bad
so-called security experts will try to coerce the entire industry into implementing flavor-of-the-month policies and boldly claim that otherwise they risk being exposed to ever-changing threats
but somehow they will never endorse the most principal basis for security, which is: the less the enemy knows, the better
Replies: >>105726221
Anonymous
6/27/2025, 9:12:32 PM No.105725743
>>105724599 (OP)
Better to say
>"obscurity" attempts by non-cryptographic experts provide unknown but usually far fewer bits of security than hoped.
Replies: >>105725765 >>105726311
Anonymous
6/27/2025, 9:14:35 PM No.105725765
>>105725743
My private files aren't even encrypted yet nobody can access them.
Replies: >>105726543
Anonymous
6/27/2025, 9:58:18 PM No.105726221
>>105725594
The premise is that the hostile element is already inside the system.
Replies: >>105726311
Anonymous
6/27/2025, 10:05:15 PM No.105726311
>>105726221
>ermm, aktchually it's [far-fetched assumption]
how about you stack obscurity on top of regular security
>>105725743
how many "bits of security", fucking lmao, does not knowing where to even start when planning a break-in provide?
Replies: >>105726454 >>105726543
Anonymous
6/27/2025, 10:18:33 PM No.105726454
>>105726311

Nobody says it's a bad idea, that's why we have security clearance levels, roles and entitlements as concepts. The far-fetched scenario you mention is the worst case scenario, where the confidentiality of your systems has been totally compromised.

You put yourself in that specific situation and start modeling solutions. The bottom line is that keys and passwords are the last line of defense for your system and you have to prepare to defend them at all costs with tactics such as password rotation or password composition rules.
Anonymous
6/27/2025, 10:28:09 PM No.105726543
>>105725765
Because they're defended by a stack of tools verified by security experts.

>>105726311
I get my ports scanned by hackers every day if I have my IP exposed. The shit you listed isn't actually "obscure" to hackers writ large, hence I wasn't even addressing that.
Replies: >>105726726
Anonymous
6/27/2025, 10:47:03 PM No.105726726
>>105726543
>The shit you listed isn't actually "obscure" to hackers
isn't using firewalls and IDS/IDP systems a form of "obscurity" already? One would never suggest that someone post their network topology, server workload allocations and so on.
and how could hackers port scan a network device that uses a protocol that is known by 8 people around the globe?
think of air-gapped industrial systems using 45-year-old mainframes that are guarded from catastrophic destruction by a 6-letter all-ASCII password, nobody targets them, is that, perchance, because they are obscure?