Security by obscurity and the CEO


SUBMITTED BY: Guest

DATE: July 17, 2015, 7:32 a.m.

As you can see from the tag, I know that security by obscurity is a false flag.

So consider a server available to the Internet on port 443 (SSL) of a fixed IP address in the dialup range of a telecommunications provider only. When https'ed, it shows an IIS 8 welcome page. The server can be reached via IP address only, no DNS entry (except the usual ip-<ip>.customers.provider.com entry that is set for EVERY IP address in the provider's range). The IP address is stored in the mail accounts of Windows Phone, iOS and Android devices, and entered from browsers with Google, Bing, and Yahoo auto-search, thus technically known to Google, Apple, Yahoo and Microsoft, and possibly other third-party application vendors if these can access mail account settings from their applications.

Furthermore it is used for browsing the Internet and writing email, and is stored in many server logs, etc., etc., and especially on the sites where one has to log in, like Stack Exchange, you can see easily that it is a fixed IP address, since the IP address has always been tied to the same username for the last two years.

Read more on:
http://security.stackexchange.com/questions/94070/security-by-obscurity-and-the-ceo
