Security through Obscurity (StO) is widely and correctly derided as being entirely inappropriate for any practical, valuable purpose. Martin Krzywinski points out that keeping the pattern of ports accessed in the SYN sequence secret is no more StO than keeping cryptographic keys secret is StO. However, he relies upon an analogy of a secret web page with a magic name which is designed to be inaccessible and compares that to a password-protected file. While this example is illustrative, it is somewhat beside the point, especially when one considers that HTTP-Auth is in most cases a plaintext authentication scheme. Ironically, HTTP-Auth is just as "secure" as port knocking.
The only place Mr. Krzywinski comes close to being accurate in describing the benefits of Port Knocking is when he says that the scheme forces potential random attackers to identify themselves, and that it is a security model which is difficult to detect. It is true that one does not necessarily want one's security systems to be easily detected; however, one must perform every risk assessment under the assumption that the opponent knows which techniques are in use. Otherwise one is most certainly right back in a StO setup. Therefore the second argument boils down to "this is an obscurity setup that is difficult to divine." Not exactly confidence inspiring. The former advantage is simply silly, in that one cannot imagine an attacker who would continue to blindly probe ports in an attempt to unlock the target. Someone attempting brute-force password authentication can be detected just as easily, and stopped just as easily, as someone probing for a port knocking sequence. The one difference is that someone brute-forcing a password cannot forge the return address, whereas the sender of a bare SYN packet can.
Port Knocking falls into a class of systems where any casual observer of legitimate traffic can completely detect and defeat the system. This makes it no different from any other plaintext password protocol such as POP, FTP or Telnet, and furthermore renders it useless in the very situations it is suggested to address:
Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP. (sic)
Anyone in a position to observe the data stream and subvert one of those protocols is in a position to subvert a port knocking protected system. This raises the question: if port knocking is no more secure than plaintext authenticated protocols, why would anyone protect a service like SSH with it? Obviously one wouldn't. While Port Knocking is an interesting intellectual exercise, it is an entirely worthless security setup. While it is true that one may not want to run a general purpose protocol like SMTP or HTTP, through which one could have a 'POP before SMTP' type security setup, this doesn't mean that one would want to go so far as to modify one's IP stack just to enable hidden or conditional services to be accessed.
The correct solution to the problem Mr. Krzywinski describes is to run a service on UDP which accepts requests to open up the protected service to a particular location. Such a request would consist of a message signed by a known authorized user, using any of a number of public key cryptosystems, packed into a single UDP datagram; the request would carry the desired origin address as well as a service identifier. Of course this does not solve the problem of the MITM; however, it does prevent the MITM from being able to subvert the mechanism that opens the ports, since an observer who captures the datagram cannot alter the origin or service it names without invalidating the signature. The MITM could take advantage of the window of opportunity provided by the port being open, but certainly whatever service one is opening up access to utilizes its own cryptographic authentication. To do otherwise is silly.
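As an added illustration of the scheme just described (example code written for this page, not Mr. Krzywinski's nor any port knocking project's own code): a client signs an "open service X for origin Y" datagram with an Ed25519 key, and the daemon verifies it against its set of authorized public keys before opening anything. The timestamp field and 30-second freshness window are my own assumptions, added to bound replay of a captured datagram; the address 203.0.113.7 and service id 22 are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)
// Constructed wire layout (big-endian): [0:4] origin IPv4, [4:6] service id,
// [6:14] unix time (a replay bound added here, not in the original text),
// [14:46] signer public key, [46:110] Ed25519 signature over bytes [0:46].
const bodyLen, reqLen, maxSkew = 46, 46 + ed25519.SignatureSize, 30 * time.Second
// BuildRequest signs "open service sid for origin" with the user's private key.
func BuildRequest(priv ed25519.PrivateKey, origin net.IP, sid uint16, now time.Time) []byte {
	buf := make([]byte, bodyLen, reqLen)
	copy(buf[0:4], origin.To4())
	binary.BigEndian.PutUint16(buf[4:6], sid)
	binary.BigEndian.PutUint64(buf[6:14], uint64(now.Unix()))
	copy(buf[14:46], priv.Public().(ed25519.PublicKey))
	return append(buf, ed25519.Sign(priv, buf)...)
}

// VerifyRequest checks a datagram against the authorized public keys (keyed by
// their raw bytes) and a freshness window; it returns the origin and service to open.
func VerifyRequest(dgram []byte, authorized map[string]bool, now time.Time) (net.IP, uint16, error) {
	if len(dgram) != reqLen {
		return nil, 0, errors.New("bad length")
	}
	pk := ed25519.PublicKey(dgram[14:46])
	if !authorized[string(pk)] {
		return nil, 0, errors.New("unknown signer")
	}
	if !ed25519.Verify(pk, dgram[:bodyLen], dgram[bodyLen:]) {
		return nil, 0, errors.New("bad signature") // any edit to origin/service by a MITM lands here
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(dgram[6:14])), 0)
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return nil, 0, errors.New("stale request")
	}
	return net.IPv4(dgram[0], dgram[1], dgram[2], dgram[3]), binary.BigEndian.Uint16(dgram[4:6]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req := BuildRequest(priv, net.IPv4(203, 0, 113, 7), 22, time.Now())
	fmt.Println(VerifyRequest(req, map[string]bool{string(pub): true}, time.Now()))
}
```

The daemon would feed the returned origin and service id to its firewall rule; a replayed or altered datagram never reaches that step.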