I agree. I've been holding High Strength Attackers, as I call them, off for a while. The formula that works on software attack side is a combo of (a) strongest security engineering we have, (b) obfuscation at every level, and (c) diversity of hardware & software components with predictable interface. One simple example that worked well for years was using a hardened Linux/BSD box on a PPC behind a guard. Guard narrowed communications to app level while wiping out covert channels and modifying patterns to resemble other OS. All evidence from fingerprinting tools would suggest they're connecting to an x86 box, even Windows maybe. All their attacks, some I still don't get, failed to work on the box.

Most deployments use more tricks than that. I was just amazed at how long that one went on without compromises. Used same trick for desktops with custom client-server apps. These days, I'm working on CPU's that protect pointers & code while tools randomize (i.e. diversify) the application automatically. Orange Book era solution to secure networking, email, & databases still work with minor tweaks. I use hardened client-server schemes instead of web apps to avoid... more than I can count. TEMPEST safe + 100yds of space where applicable. High assurance security = build on what we know works & eliminate anything risky where possible. Obfuscations & diversity I add as you said to just slow down our shadowy friends with deep pockets & large staff. Works well so far.