20

I've noticed that Stack Exchange always reveals the detailed structure of its servers and systems (see these blog posts). And also the exact results of their tests and points of weakness (see the old and latest test results) I know the concepts of open source software regarding security, that many eyes keeps it more secure that one eye, but I always thought that is the case for generic stuff, not to disclose your own exact and detailed systems network architecture.

While I admit it is so useful and educational, and I enjoy every single bit of reading and studying it, and it's considered a reference for many things, but am I right in assuming that disclosing that much of details can be considered so helpful to an attacker and is an obvious security breach?

EDIT: Also as Henning Klevjer noted, the data explorer also is a good source of how the internal data structure and database looks like, that may be as a guide to easily alter or harm a specific piece of data if an intrusion succeeded.

I think all that is great, and a little more openness should be encouraged in other sites and systems, but isn't Stack Exchange going too far away with that?? Anyone is able to know where the data centers are, how many of them, the hardware of servers used, the full stack schema, operating systems used, the topology of network, and the exact software versions (in many cases). You are able to know the scheduled maintenance; what exactly happens, and what happened right and what happened wrong and why, and what they are doing to make it right. I think that's awesome, but is it secure??

amyassin
  • 475
  • 2
  • 10
  • I think the question title can be broadened; however, I assume security by obscurity has been answered before. – Henning Klevjer Nov 04 '12 at 12:22
  • thought of that, too. But Stack Exchange is a live example of full disclosure.. I've never seen such full detailed updated disclosure! And I'm not speaking about full obscurity too. I thought of: tell your broad technologies, but not the exact names of the servers! – amyassin Nov 04 '12 at 12:26
  • 1
    Agree. By the way, have you seen the Stack Exchange Data Explorer? http://data.stackexchange.com/ – Henning Klevjer Nov 04 '12 at 12:36
  • Oh am impressed.. full data disclosure.. and you can get to anything!! – amyassin Nov 04 '12 at 12:44
  • 1
    @amyassin Not quite anything - the votes in the data explorer are sanitized so you can't see who downvoted what, as well as a handful of other things like that – Izkata Nov 04 '12 at 19:12

3 Answers3

30

No. You should always assume that the attacker knows everything. Security by obscurity is considered bad practice by most non-govt developers and architects. The obstacle it provides is minimal, and if something is kept secret, it may be so to hide a flaw. Kerckhoffs's principle is important to look at.

Edit: This answer discusses security by obscurity in general; not particularly for StackExchange.

Henning Klevjer
  • 1,815
  • 15
  • 20
  • 3
    Yeah, and the whole "security by obscurity" thing has gone *so well* for governments, too. – Polynomial Nov 04 '12 at 12:13
  • @Polynomial Yeah, and the UK government has had centuries to learn that, and they still haven't. – ewanm89 Nov 04 '12 at 12:20
  • 5
    As @RoryMcCune wrote in his response to http://security.stackexchange.com/questions/2430/the-valid-role-of-obscurity, obscurity shouldn't be relied on for security but there are situations where obscurity is good as an extra layer on an otherwise properly secured system. Obscurity isn't bad in itself - it's bad only if it is used to hide the fact that the system is otherwise not secure. – David Wachtfogel Nov 04 '12 at 13:56
  • @DavidWachtfogel And as we all know, no system is secure. – Sebb Mar 15 '16 at 14:08
10

There are two sides to the disclosure:

  • Supposedly, full disclosure increases the likelihood that a well-intentioned individual will locate bugs and report them, so that they could be fixed quickly. This is what Eric S. Raymond calls "Linus' law" (expressed as "Given enough eyeballs, all bugs are shallow."). Although ESR and Linus Torvalds believe in that, there are other opinions out there. That a Microsoft-sponsored blog tries to contradict a well known Linux advocate should not be a surprise; however, both articles are an interesting read (don't believe what you read; but think about it).

  • Supposedly, obscurity prevents attackers from finding bugs; or, at least, it slows them down. There are many historical examples of security systems being broken even though they were obscured. In the field of computers, any zero-day exploit against closed-source software is proof enough. It is not that hard to reverse-engineer compiled code (as a programmer, I sometimes find it easier to work on disassembled binaries than to inspect source code, when that source code has been sloppily written). Moreover, system architecture is presumably documented somewhere, usually as heaps of paper on anonymous shelves or (frequently) thrown in garbage -- such things rarely remain secret for long. This can be summarized as: obscurity is not comprehensive, and it is hard to maintain.

In practice, the mistake to avoid is to believe in efficiency of either full disclosure, or obscurity. Full disclosure is not reliable as a way to detect security issues (it finds some, not all). Obscurity is not reliable at hiding security issues (it slows some attackers, not all). Ideally, disclosure should not matter (but that's the same "ideally" than in "ideally, software has no bugs"). Practically, just assume the worst of all scenarios: consider that all potential attackers, and only them, inspect your systems, and know all about them.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
3

I would say is maybe hiding exact version numbers from the response strings, but:

  1. Only when you are sure the protocol implementation is stable and correct (you do not want some software using version to know to employ a workaround for your bad protocol implementation).
  2. It's very low hanging fruit, enough to stop some script kiddies who try to find servers they know to be compromised versions. Even a script kiddie that just tries his/her list of exploits anyway isn't going to be stopped.

Ultimately any real attacker has a myriad of ways of getting such information. From it behaves in a particular way to software x version y, to someone on the inside that can relay the details.

ewanm89
  • 2,043
  • 12
  • 15