When the attack vector is literally relying on information disparities (previously unknown exploits), "obscurity" does provide a fair amount of security. If everyone thinks you're running Linux+OpenOffice and spends time writing looking for exploits there, but you're really running BeOS+Pe, that gives you a significant upper hand.
I'm surprised how often that's repeated given that it's not true at all. Obscurity is a totally legitimate security technique. Maybe not the strongest one, and hopefully not your only defense, but it's clearly got some value.
In this particular case, Schneier can honestly, with 100% accuracy assume that he is being monitored. This is not paranoia - he has publicly stated that he has some of the Snowden documents. And as we've seen in this saga, the people in power are doing anything and everything they can to get to them. (Miranda case, Guardian UK hard drive destruction, ...)
Under constant and potentially aggressive surveillance, there is not much room for obscurity.
As to his using Windows - well, there may be good reason for that. Schneier has been using Windows for a very long time, and with his level of sophistication, I expect him to be rather good at digging in to the system and identifying potentially unwanted behaviour. This should make NSA less likely to deploy some of their highest-value tools, because it is probable that the tools used would be exposed.
Assuming he is less well versed in maintaining and excavating a Linux installation, it would be more likely for the machine to get silently infected by a zero-day, high-octane exploit.
After all: prevention is desirable, detection is crucial. (How else could you contain the damage once it happens?)
The fundamental misunderstanding that has developed is that there are "systems which are secure", and "systems which are not secure". This is false. Security can be thought of as "how long it will take for Attacker A to compromise this system". All systems can be compromised eventually.
Thus clearly security through obscurity is a valid tactic to increase security. You just have to regularly alter your structure based on how quickly your attackers work- but this is no different from any other form of security. All forms of security have a time limit...
Well I use it as the counterargument to "open source software is full of holes because bad guys can read the source". Because everyone knows that Microsoft doesn't publish their source code and has never been exploited ever.
My point was simply that obsfucation will barely even slow down a determined attacker, ESPECIALLY one with the resources of a nation state (such as the US). It won't even register as a speed bump to anything other than a script kiddie or a worm designed for the majority case.
I'm really kind of shocked that my previous comment was voted -1, when the numbers blatantly agree with me on closed source vendors getting the living snot hacked out of them, even if their source is "obscured" due to not being available.
You are misinterpreting 'obscurity' to as much of a degree as the grandparent post, though in a different way. The 'obscurity' that the adage speaks of is meant to relae to the system you're using. ROT13 is security through obscurity: as soon as your adversary knows you're using it, your system is broken. RSA is not security through obscurity: you can advertise that you use it (indeed, that's fundamentally a part of public key crypto), and still be safe.
Why not? He's the last person I'd expect to rely on security through obscurity.