Obscurity is not a standalone defense, but as a layered tactic it raises attacker cost and is a valid component of defense-in-depth.
Key Takeaways
Kerckhoffs’s Principle forbids relying on obscurity alone (a system must stay secure when everything but the key is known); it does not forbid obscurity as an additional layer on top of real controls.
Real examples: custom WordPress table prefixes deflected automated SQL injection bots that hardcoded the default wp_ prefix; Valve stripping debug symbols from CS:GO binaries slowed cheat development until an accidental leak exposed internals.
Google reCAPTCHA, Netflix DRM, and Riot Vanguard all use JavaScript or binary obfuscation to raise the cost of automated bypass.
LLM-assisted reverse engineering is real but expensive: one hard CTF challenge cost roughly $300 in tokens and 4.5 hours of inference to crack.
The practical argument is economic: the longer and more costly an attack path, the more likely opportunistic actors abandon it for easier targets.
Hacker News Comment Review
The sharpest counterpoint is that AI commoditizes comprehension at scale, eroding the cost-raising benefit of obscurity for mass automated attacks, though defenders also gain AI tooling symmetrically.
Several commenters pushed back with ASLR as a counterexample: it is a widely accepted security control, yet it works purely by keeping the process memory layout unknown to the attacker, which undermines blanket “obscurity is not security” claims.
A consistent practical warning: obscurity layers invite false confidence, causing teams to underinvest in real controls while treating noise-reduction measures as meaningful security.
Notable Comments
@thephyber: Kerckhoffs’s Principle is specifically about design assumptions, not a blanket endorsement of obscurity layers; conflating the two weakens the article’s framing.
@AshamedCaptain: Obscurity arguments are routinely used to justify weak implementations; cites Pidgin storing passwords in plaintext as a case where “a little obscurity” would have satisfied users without real security.
@kbrkbr: “So ASLR is not a security control?” – sharp challenge to the “obscurity is not security” absolutist position.