The entire concept of security by obscurity acts as a justification for keeping secrets. It often sweeps up information whose release will help users much more than it will help attackers. Once it becomes a sanctioned tool of security, instead of an objective of the security, those who set up and maintain the security lean on obscurity like a crutch.
I realize my argument is an appeal to the slippery slope, but I see it everywhere in society. People, organizations, and governments can get into frames of mind wherein they lose focus of the overall goal of information security and just start obscuring everything, which makes their interactions with others difficult and sometimes hostile.
In fairness, the article itself says as much:
Typing and profiling are frowned on in security. Leaving aside the question whether gathering information about the attacker, and obscuring the system, might be useful for security or not, these practices remain questionable socially. The false positives arising from such methods cause a lot of trouble, and tend to just drive the attackers deeper into hiding.
On the other hand, typing and profiling are technically and conceptually unavoidable in gaming, and remain respectable research topics of game theory. Some games cannot be played without typing and profiling the opponents. Poker and the bidding phase of bridge are all about trying to guess your opponents’ secrets by analyzing their behaviors. Players do all they can to avoid being analyzed, and many prod their opponents to sample their behaviors. Some games cannot be won by mere uniform distributions, without analyzing opponents’ biases.
Both game theory and immune system teach us that we cannot avoid profiling the enemy. But both the social experience and immune system teach us that we must set the thresholds high to avoid the false positives that the profiling methods are so prone to. Misidentifying the enemy leads to auto-immune disorders, which can be equally pernicious socially, as they are to our health.
But inevitably, this kind of caveat is thoroughly ignored by most people. They will only hear something like "Security by Obscurity Now Considered Useful", and a whole new set of administrative roadblocks will be thrown up in the name of security, when in fact it's helping very little, if any; furthermore, those who try to circumvent the new measures to do something they consider to be within the permitted use of the network may be considered security risks (or even malicious entities outright) and will be dealt with as such, when nothing of the sort was intended.