
Bullshit. Historically verifiable bullshit. See: Every security system ever that relied on not telling your opponents the details. When will you amateurs fucking read the literature and understand you're wrong?


It's actually most of the "pro's" and amateurs alike that have gotten people compromised for over a decade giving bad advice. The advice to all standardize on a few things that get the most attention by attackers resulted in botnets of hundreds of thousands to millions of nodes that required just a few 0-days & pre-made exploit kits with high reliability. My methods blocked all of that in the field despite tons of recorded attempts and even pentesting by pro's. Everyone else doing it had same results. QED. So, are you all continuing to offer the same bad advice because you're amateurs at real security or just involved in defrauding your customers for profitable consulting fees?

So, let me break it down again in concrete, proven terms supported by decades of INFOSEC research and field work. History shows any complex system has vulnerabilities. To attack, the attacker must know the system, the vulnerability, how to exploit it, and the specific configuration. If defence in depth, then the attacker must know that for the whole route to them. So, you either have to make those have no vulnerabilities (good luck) or you have to implement measures to prevent their exploitation. That requires changing one or more of the pre-conditions of a successful attack. So, measures that eliminate vulnerabilities by design (eg Correct-by-Construction), prevent their exploitation with obfuscation/transformations, or deny enemy knowledge of their existence all provably increase security. I combine all of these in anything I do with strongest, most-analysed versions of each that are available. Positive field results followed while others get smashed repeatedly.

Note: This is especially true if the operational requirement in question, like protecting whole HW lifecycle, is in its infancy in INFOSEC techniques and has little to go on. Then, obfuscation, applying strong stuff where possible, R.E. samples (eg ChipWorks), and layers of detection/audit are best thing you can do. It's what we're doing now. Your side would suggest mask/fab/packaging companies should publish all source code and security methods online for attackers to study. Given what happened to desktops and servers, I'm glad they're listening to me instead of you. ;)


To clarify: this is to counter the statement that security through obscurity is a good thing. Yeah, that worked out well for the Enigma and countless other systems.


That commenter was replying to me with more nonsense like your selective example of Enigma that barely fits into the discussion at all. Worse, your example actually supports my side's position: they cracked the best crypto they had the second they knew how it worked and no methods were in place to reliably detect this. Today, they crack the complex systems and protocols people are using shortly after figuring out how they work as quality is so bad and everyone uses same ones. The modern example of Enigma would be people using Linux desktops instead of Windows, Foxit instead of Adobe, unusual-but-good web servers instead of Apache, and so on to hope attackers not knowing will keep them safe. And it usually works, too, unless it's a targeted attack by pro's. That's saying something. ;)

My method combines vetted mechanisms with ways that adhere to their guidelines for secure usage, is directed by tools designed by security pro's, largely invisible to users, require a hack on system to find, and force custom, difficult attacks. One can mathematically prove that my strategies possess the traits I claim along with immunity from some issues and vastly improved probabilistic security against most others. So, all the evidence is on our side in theory and the field results where compromise is rare for us even in face of pro's whose bonuses require it.

Feel free to refute this by showing me how everyone using two browsers, OpenSSL, or a desktop OS (Windows) with no changes on the same platform kept them safe from major attacks. Or led to such a high failure rate for attackers that hacks were actually worthy of news rather than scaremongering. My people were safe with my methods: some systems crashed or raised exceptions while many had no problems. I'm guessing you standardize-and-open types had the same experiences? No? :P



