
Port knocking is great theatre but not much good for anything else. I guess it can keep logs clear from some drive-by script kiddies.



If your ssh server had a 0day, port knocking would protect you.


What if your port knocking monitor has a zero day?


Then ssh would protect you. The two having zero days at the same time is unlikely.


Not necessarily. Imagine a port knocking monitor that stores each port attempt it sees in a large buffer. Imagine you make many attempted connections allowing you to overflow the buffer and write arbitrary data onto the heap.


Or the monitor being written in C and analyzing text in the knock messages, e.g. looks at and interprets a hash.
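The two comments above (a monitor that buffers every attempt until it overflows, and a C daemon parsing untrusted knock data) point at the same design rule: the knock tracker should hold fixed-size state per source and never append observed input anywhere. The sketch below is an added example for this thread, not code from any commenter or from knockknock; the three-port sequence, the 64-entry table and the `knock_observe` API are all made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed knock sequence: three TCP ports that must arrive in order. */
#define KNOCK_LEN   3
#define MAX_CLIENTS 64
static const uint16_t KNOCK_SEQ[KNOCK_LEN] = {7000, 8000, 9000};

/* Per-source state is a fixed struct, so any number of attempts from any
 * number of sources can never grow memory; there is no buffer to overflow. */
struct knock_state {
    uint32_t src;      /* IPv4 source address, host byte order */
    uint8_t  progress; /* sequence ports matched so far (0..KNOCK_LEN) */
    bool     in_use;
};

static struct knock_state table[MAX_CLIENTS];

/* Find the slot for src, or claim a free one. When the table is full the
 * attempt is dropped rather than stored anywhere else. */
static struct knock_state *slot_for(uint32_t src) {
    struct knock_state *free_slot = NULL;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (table[i].in_use && table[i].src == src) return &table[i];
        if (!table[i].in_use && !free_slot) free_slot = &table[i];
    }
    if (!free_slot) return NULL;
    free_slot->in_use = true;
    free_slot->src = src;
    free_slot->progress = 0;
    return free_slot;
}

/* Feed one observed connection attempt (src, destination port). Returns true
 * only when the full sequence completes for that source; the source's state
 * is then released. A wrong port resets progress instead of being recorded. */
bool knock_observe(uint32_t src, uint16_t port) {
    struct knock_state *s = slot_for(src);
    if (!s) return false;
    if (port == KNOCK_SEQ[s->progress]) {
        if (++s->progress == KNOCK_LEN) { s->in_use = false; return true; }
    } else {
        s->progress = (port == KNOCK_SEQ[0]) ? 1 : 0; /* restart on wrong port */
    }
    return false;
}

void knock_reset_all(void) { memset(table, 0, sizeof table); }
```

The only input the tracker ever interprets is a port number compared against a constant, which is the kind of minimal parsing surface the rest of the thread argues a privileged monitor should have.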


I guess that sort of depends on the nature of the zero day, huh?


That's kind of the idea Moxie had with [1].

Only 15 lines of code run as root, and they basically just tail kern.log.

[1] https://moxie.org/software/knockknock/


I can't believe the discussion is this long and someone hasn't said 'security by obscurity' yet.

Personally, if I was trying to prevent a break-in to a building, I would think it was a great advantage if the attackers had to work hard to even figure out where the doors and windows were.


I believe the "security by obscurity doesn't work" people fall into two types:
- those that are coming from a crypto background, where you frame things as "in principle breakable" vs "not breakable, not even in principle" and there's nothing in between, a framework according to which security by obscurity goes into the "in principle breakable" bucket,
- people who just mindlessly parrot people of the first type.

A more nuanced (and more useful) way of viewing this is one of cost vs reward: How much does it cost an attacker to break your thing, and what's the maximum cost that an attacker is likely to be willing to invest before your thing becomes unappealing. According to this view, obscurity can significantly increase the cost of the attack. It's as simple as that.


I would think that if you are going to disparage it, you would at least give one example of why it's unnecessary.


I was not disparaging it. Indeed I commended its theatrics and suggested it may help to make logs less cluttered. As for its supposed security benefits, this is something that needs to be proven by actual security research. Not by anecdotes on the internet.



