Originally posted here by jdenny
I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.
It isn't a layer of protection, and treating it as such is relying on it to actually do something to protect you. Phase one of an intrusion generally includes enumeration, which generally defeats measures relying on obscurity to protect them.

Imagine if you will, the following scenario. A car company makes a car with remote door locks that are uniquely keyed to frequencies, one per car. This frequency in and of itself is how the door is unlocked, there is no data sent on the signal, nor is there a "fingerprint" or encryption-key style mechanism in place to ensure it is really the owner, only the frequency identifies the proper owner. Now, the only people who have the remote door locks are the owners, but let's say a car thief wants to open some doors. He develops an ingenius device to broadcast a signal on increasing frequencies until he hits the kill switch, and manages to rather easily unlock the door of the car and steal it.

Even if you consider it a layer of protection, security through obscurity doesn't actually protect you from anything.