Infosec is a largely non-technical field. People learn a topic only as far as they need to regurgitate the right answer on a certification test. Over time, they start to believe misconceptions about that topic that they never learned. Eventually, these misconceptions displace the original concept in the community.
A good demonstration is this discussion of the "security through obscurity fallacy". The top-rated comment claims this fallacy means "if your only security is obscurity, it's bad". Wikipedia substantiates this, claiming experts advise that "obscurity should never be the only security mechanism".
Nope, nope, nope, nope, nope. It's the very opposite of what you are supposed to understand. Obscurity has problems, always, even if it's just an additional layer in your "defense in depth". The entire point of the fallacy is to counteract people's instinct to suppress information. The effort has failed. Instead, people have persevered in believing that obscurity is good, and that this entire conversation is only about specific types of obscurity being bad.
Hypothetical: non-standard SSH
The above discussion mentions running SSH on a non-standard port, such as 7837 instead of 22, as a hypothetical example.
Let's continue this hypothetical. You do this. Then an 0day is discovered, and a worm infecting SSH spreads throughout the Internet. This is exactly the sort of thing you were protecting against with your obscurity.
Yet, the outcome isn't what you expect. Instead, you find that all your systems running SSH on the standard port of 22 remain uninfected, and that the only infections were of systems running SSH on port 7837. How could this happen?
The (hypothetical) reason is that your organization immediately put a filter for port 22 on the firewalls, scanned the network for all SSH servers, and patched the ones they found. At the same time, the worm runs automated Shodan scripts and masscan, and thus was able to nearly instantaneously discover the non-standard ports.
Thus your cleverness made things worse, not better.
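As an added illustration of the hypothetical above (not code from the original post), here is the defender's inventory problem in miniature: an inventory that assumes SSH lives on port 22 never sees the "obscured" server, while one keyed on the protocol banner, the way an automated scanner works, finds it immediately. The sweep results are constructed sample data, not a real scan.

```python
import re
from dataclasses import dataclass

# An SSH server identifies itself with "SSH-<protoversion>-<software>" as its first line.
SSH_BANNER = re.compile(r"^SSH-(\d\.\d)-(\S+)")


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    banner: str  # first line the service sent on connect (constructed)


# Constructed results of a hypothetical internal sweep: host, port, banner.
SWEEP = [
    Service("10.0.0.5", 22, "SSH-2.0-OpenSSH_9.6"),
    Service("10.0.0.6", 22, "SSH-2.0-OpenSSH_9.6"),
    Service("10.0.0.7", 7837, "SSH-2.0-OpenSSH_8.9p1"),  # the "obscured" server
    Service("10.0.0.8", 443, "HTTP/1.1 400 Bad Request"),  # not SSH at all
    Service("10.0.0.9", 2222, "SSH-2.0-dropbear_2022.83"),  # another non-standard port
]


def ssh_by_port(sweep, port=22):
    """Inventory the way the hypothetical defenders did: trust the port number."""
    return {(s.host, s.port) for s in sweep if s.port == port}


def ssh_by_banner(sweep):
    """Inventory the way an automated scanner does: trust the protocol banner."""
    return {(s.host, s.port) for s in sweep if SSH_BANNER.match(s.banner)}


def missed_by_port_assumption(sweep, port=22):
    """SSH servers that a port-based inventory (and a port-22 firewall filter) never sees."""
    return sorted(ssh_by_banner(sweep) - ssh_by_port(sweep, port))


def ssh_software(sweep):
    """Map each banner-identified SSH server to its advertised software string, for patch triage."""
    out = {}
    for s in sweep:
        m = SSH_BANNER.match(s.banner)
        if m:
            out[(s.host, s.port)] = m.group(2)
    return out
```

Running `missed_by_port_assumption(SWEEP)` lists exactly the hosts the port-22 firewall filter and patch sweep would leave exposed.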
This fallacy has become such a cliche that we should no longer use it. Let's use other phrases to communicate the concept. These phrases would be:
- attackers can discover obscured details far better than you think, meaning, obscurity is not as beneficial as you think
- defenders are hindered by obscured details, meaning, there's a greater cost to obscurity than you think
- we can build secure things that don't depend upon obscurity
- it's bad to suppress information that you think would help attackers
- just because there's "obscurity" involved doesn't mean this principle can be invoked