
This response is missing the author's point. There's a distinction between obscuring the methods and obscuring a parameter to those methods.

Security by obscurity, and in particular its negative connotation, refers to obscuring methods. The reason it has a negative connotation is that the amount of work it takes to implement a secure system is high relative to the amount it takes to break it. By contrast, the amount of work needed to generate an RSA key, new port number, etc. is incredibly low relative to the amount of work it takes someone to break it.

Security by layers is important, but the article's point is that the ratio of effort to benefit for changing your port number is far far higher than the term "security by obscurity" generally implies.



> This response is missing the author's point. There's a distinction between obscuring the methods and obscuring a parameter to those methods.

But that's exactly the distinction I'm saying the author is getting wrong.

Moving away from the default SSH port is obscuring the method, because it's no longer a single step to check whether the server even has SSH or not. It might not at all, so the port number doesn't serve primarily as a parameter -- it serves primarily to obscure its existence in the first place.

To use the article's presidential motorcade analogy, it's not like knowing there's a motorcade but not knowing which car the president is in. Instead, it's like not knowing if there's a motorcade at all, and having to check every car in the city to see if the president is even out in public in the first place.



