My mailer says Ken said
[definition of "security through obscurity" deleted]
In order to break into a system, a hacker needs to know the following:
(1) What protocols, encryption methods, operating systems etc. are being
used. (The burglary analogy is "where is the entrance")
(2) What are the keys, passwords, etc to get in (the burglary analogy is
"how do I break the window or force the door").
IMHO, anything relying on (1) is security through obscurity, anything
relying on (2) is "real" security. And as most attacks appear to be inside
jobs, any administrator expecting obscurity to provide a decent defence
lives in cloud cuckoo land. By all means try and hide everything you can
from a potential attacker, but it's safest to assume the only thing he lacks
is the key to the lock.
If they won't tell you why it IS secure, then it probably isn't. Our banks
are wonderful at "we can't tell you how we keep our data secure. It's part
of our security". Pretty useless against an inside job.