Hacker News
by tptacek 2079 days ago
People in security who say that categorically are betraying ignorance, because there are several "hardcore" settings in software security where the same dynamic --- attacker/defender cost competition occurring by degrees --- plays out. Anti-ATO, content protection, botnets, anti-DDOS, hardware platform security, just to rattle a few off my head.

The correct security objection is to obfuscation being deployed in settings where there are decisively effective controls that could be deployed instead: where it doesn't make sense to raise attacker costs by degrees, because those costs can be raised to intractable levels instead. I'd cite an example, but it would spawn a 500-comment thread about how Linux sysadmins manage their networks.