Kneejerks

PlainName:
Posted over in the server thingy, so not appropriate to reply there; this is a more appropriate place...


--- Quote from: Brumby on September 17, 2023, 04:49:08 am ---
--- Quote from: gnif on August 12, 2023, 09:23:33 am ---Sorry, but we do not divulge details related to the security of the server

--- End quote ---

That is the first rule of security for me: Don't provide any information.

Why give anyone a head start for hacking?

(Sorry gnif, I didn't mean to trigger a notification)

--- End quote ---


--- Quote from: Karel on September 17, 2023, 06:16:55 am ---Security through obscurity... hmmm...

--- End quote ---

It ain't security through obscurity. It is sensibly making it a little bit more difficult to take advantage of unforeseen issues - another hump in the road rather than a locked gate, if you like. So whilst real security through obscurity can be a serious problem, let's not conflate the two and cause confusion as to what the problem is.

golden_labels:
This thread has been separated from the original and my response should be read as a general statement, mostly separate from discussion there. Unless clearly stated otherwise, nothing I say is specifically about actions of EEVblog admins. I am actually willing to go a bit meta- here.

Usually I am careful with expressing strong opinions in such cases. The topic is complicated and muddy; the concept itself is used primarily in a prescriptive meaning; and it is based on strong qualitative knowledge, but with almost no quantitative research. Most real-world cases are not clustered around the type, but are spread quite far away from it.(1) In arguments people tend to isolate single aspects of the situation. All this makes me quite apprehensive about confidently shouting “security through obscurity!” Not that I don’t feel an urge from time to time or have never succumbed to one.

There are of course some exceptions: situations which belong to classes widely recognized as security through obscurity.

However, from the perspective of an external observer the actual security of the system remains uncertain. Any refusal to reveal information must be considered in scenarios ranging from a perfectly secure system to admins showing blatant incompetence. So, if the information would not weaken primary defenses and the question itself is not asked in suspicious circumstances, that kind of response is expected to be seen as something negative. To make things worse, there is a correlation: with good security and admins confident in their work, such information is not hidden and is sometimes openly announced, while on the opposite end such secrecy is widespread. To sum it up: no matter what the objective truth is, it always looks bad from the subjective standpoint of an observer.

(1) Holds for both the open-ended (obscurity-∞) and the limited (obscurity-transparency) scales.

PlainName:

--- Quote ---So, if the information would not weaken primary defenses and the question itself is not asked in suspicious circumstances, that kind of a response is expected to be seen as something negative.
--- End quote ---

Yes.


--- Quote ---with good security and admins confident in their work, such information is not hidden and sometimes openly announced
--- End quote ---

Sure. But the problem there is that it assumes infallibility on the part of the admins and/or security system. In any other field there would be backup systems 'just in case', and in security I would suggest that a reasonable 'just in case' is to not let on how it works. That applies to, for instance, hiding your server details (web, mail, etc) from clients (real or sniffing) and similar.


--- Quote ---To sum it up: no matter what objective truth is, it always looks bad from subjective standpoint of an observer.
--- End quote ---

Indeed, and the subjective observer isn't going to suffer the consequences of a breach.

2N3055:
I see lots of opinions on the topic that sound like political statements without any root in reality.

In practice, for an admin it is simple:

YOU DON'T discuss any details in public. Period.

It is not about that being all security you have. It is not about all the "theoretical experts" discussing principles and ruminating on that.

It is simple. You don't discuss it in public. If you get hacked you will get fired because you "helped".
Any auditor will mark as a major breach of security any details voluntarily given to the public by any of the staff...
Even if by itself it does not look like a direct vector of attack...

Ask anybody that actually does this job for a living...

Halcyon:
Sorry, what did I miss? What's the issue here?
