Well until there's evidence of it's effectiveness I'm going to avoid using obscurity. I know how to achieve an acceptably low break-in rate using mathematically valid encryption etc.. Defense in depth shouldn't be an excuse for using practices you haven't evaluated the effectiveness of at all.
No, you're missing the point. I'm talking about the real-world implementation that I have.
I don't think it's too much to ask before adopting a given security policy that it provide some evidence that it increases security. Or should I also be gathering a collection of rocks that keep hackers away?
