Kneejerks

[PlainName]

Posted over in server thingy so not appropriate to reply there, so this is a more appropriate place...

Sorry but we do not divulge details related to the security of the server

That is the first rule of security for me: Don't provide any information.

Why give anyone a head start for hacking?

(Sorry gnif, I didn't mean to trigger a notification)

Security through obscurity... hmmm...

It ain't security through obscurity. It is sensibly making it a little bit more difficult to take advantage of unforeseen issues - another hump in the road rather than a locked gate, if you like. So whilst real security through obscurity can be a serious problem, let's not conflate the two and cause confusion as to what the problem is.

[golden_labels]

This thread has been separated from the original and my response should be read as a general statement, mostly separate from discussion there. Unless clearly stated otherwise, nothing I say is specifically about actions of EEVblog admins. I am actually willing to go a bit meta- here.

Usually I am careful with expressing strong opinions in such cases. The topic is complicated and muddy; the concept itself is used primarily in prescriptive meaning; and it based in strong qualitative knowledge, but with almost none quantitative research. Most real-world cases are not clustered around the type, but are spread quite far away from it.⁽¹⁾ In arguments people tend to isolate single aspects of the situation. All this makes me quite apprehensive about confidently shouting “security through obscurity!” Not that I don’t feel an urge from time to time or never succumbed to one.

There are of course some exceptions: situations, which belong to classes widely recognized as security through obscurity.

However, from the perspective of an external observer the actual security of the system remains uncertain. Any refusal to reveal information must be considered in scenarios ranging from a perfectly secure system to admins showing blatant incompetence. So, if the information would not weaken primary defenses and the question itself is not asked in suspicious circumstances, that kind of a response is expected to be seen as something negative. To make things worse, there is a correlation: with good security and admins confident in their work, such information is not hidden and sometimes openly announced, while on the opposite end such secrecy is widespread. To sum it up: no matter what objective truth is, it always looks bad from subjective standpoint of an observer.

⁽¹⁾ Holds for both the open-ended (obscurity-∞) and the limited (obsucrity-transparency) scales.

[PlainName]

So, if the information would not weaken primary defenses and the question itself is not asked in suspicious circumstances, that kind of a response is expected to be seen as something negative.

Yes.

with good security and admins confident in their work, such information is not hidden and sometimes openly announced

Sure. But the problem there is that it assumes infallibility on the part of the admins and/or security system. In any other field there would be backup systems 'just in case', and in security I would suggest that a reasonable 'just in case' is to not let on how it works. That applies to, for instance, hiding your server details (web, mail, etc) from clients (real or sniffing) and similar.

To sum it up: no matter what objective truth is, it always looks bad from subjective standpoint of an observer.

Indeed, and the subjective observer isn't going to suffer the consequences of a breach.

[2N3055]

I see lots of opinions on topic that sound like a political statement without any root in reality.

In practice, for admin it is simple:

YOU DON'T discuss any details in public. Period.

It is not about that being all security you have. It is not about all the "theoretical experts" discussing principles and ruminating on that.

It is simple. You don't discuss it in public. If you get hacked you will get fired because you "helped".
Any auditor will mark as major breach of security any details voluntarily given to the public by any of the staff...
Even if it by itself it does not look as direct vector of attack...

Ask anybody that actually do this job for a living...

[Halcyon]

Sorry, what did I miss? What's the issue here?

[Berni]

I don't see any problem with that.

The admin gives some some simple reason for why the outage happened, so that users have an idea of why they could not use the website. While not going into any specific technical detail of it.

This is not security trough obscurity. It's just the equivalent of not giving the potential attacker a whole floor plan of your facility so that they can better plan how to break in. This way the attacker has to feel around first and potentially trip a security mechanism (be it automated, manual or just a protocol) put in place for this very reason.

Security trough obscurity would be implementing some part of your website yourself and then not having proper security around it because "nobody knows how to communicate with this anyway". This is not that.

[EEVblog]

However, from the perspective of an external observer the actual security of the system remains uncertain. Any refusal to reveal information must be considered in scenarios ranging from a perfectly secure system to admins showing blatant incompetence. So, if the information would not weaken primary defenses and the question itself is not asked in suspicious circumstances, that kind of a response is expected to be seen as something negative. To make things worse, there is a correlation: with good security and admins confident in their work, such information is not hidden and sometimes openly announced, while on the opposite end such secrecy is widespread. To sum it up: no matter what objective truth is, it always looks bad from subjective standpoint of an observer.

Sorry but I agree with gnif and others. Releasing any details of the server adds no value, and can only potentially weaken it.

[Nominal Animal]

Furthermore, the interest only stemmed from the fact that we members have observed the positive results from the security features that have not been described.  Gnif has also discussed (in the abstract, in context where such things have been discussed here; not about technical implementation details) about various approaches to detect malicious registration and bot attempts, so "lack of security" or "incompetence" has always been out of the question.

The outages and the glitches to the function of the forum have been described openly (for members with sufficient history), and are of the ordinary malfunction sort (database connection errors, PHP (fastcgi) process going into a bad state) rather than typical DDOS/intrusion signs.

My own interest in this matter stems from the fact that I've looked at various forum designs over the last three decades from the security point of view, and found every one of them wanting.  I've done what gnif does now, and I've even written custom secure web interfaces for various use cases with a very good security record (because of an utterly paranoid approach to security).  Specifically, none of the existing web forums or even publishing platforms supports a server configuration where files created by the various server processes are never interpretable as scripts, enforced by the OS kernel.  To do that, you actually need several local user accounts and groups per site, and for PHP and Python, a modified fastCGI interpreter (that looks at interpreted script source file user and group ids at open time); and this is something most web hosts and virtual server environments do not or cannot provide –– explaining why forum software like SMF does not do that.  Hell, to safely allow SVG file uploads as image attachments, one really needs to use a separate domain for user-uploaded files, because allowing them in the same domain opens up severe cross site scripting risks!

Upstream forums and web software developers and maintainers are unwilling to support anything like that –– too complex! not supported by Plesk et al! ––, because of the additional maintenance cost.  (I personally just don't have the strength to deal with people necessary to maintain all such myself as a derivative.)
In particular, that approach utterly stops the software from updating itself (as it cannot overwrite or modify or create new script files due to filesystem permissions), which itself is incompatible with the current major forum software approaches that their admins and users expect.
(I'd not only have to prove it is more secure, but convince others to change the way they implement and maintain web forums and similar software.  Uh, that's not going to happen with my social skills and lack of charisma, I'm afraid, so please don't tell me I should just do it and if it is better than existing stuff the users will come.  Web projects do not work like that; popularity does not correlate much with technical security.  Just look at DJB's Unix services for a case in point.)

That means that as server admins/maintainers of web forums, we start from the fact that the software security approach is non-optimal: it has technical weaknesses that we just don't have the resources to fix right now.  Too many people would need to agree to change things just for a more secure approach, when the stuff already works – and we don't fix stuff that already works.  We can set up tripwires and various tricks of the trade to alert us humans to react, but we fundamentally start with systems we must assume have exploitable security holes.  Which is actually a healthy, paranoid attitude, because it leads to better, layered, security practices.

Because of the above, the heavy-hammer operational security attitude of "you don't need to know" is definitely warranted.  Not just to make life easier for Dave and Gnif, but because for us members, it means the attack surface and real-world risks are minimized: we already know somebody is actively thinking about this stuff, so using this forum is safe(r) for us.  The attitude itself is proof that these things are important enough to be seriously considered by Dave and Gnif.  If they were described in detail, attackers could prehearse their attacks using a similar local installation at their leisure, until they themselves cannot detect the intrusion anymore –– remember, because of the above reasons, one must consider the forum software exploitable given enough time and effort to plan an attack; some of them may already be for sale at certain dark web corners ––, so keeping schtum about the added security features is definitely warranted and not "security by obscurity" or "indication of incompetence".

(Apologies for the 2¢ dissertation draft.)

[EEVblog]

The outages and the glitches to the function of the forum have been described openly (for members with sufficient history), and are of the ordinary malfunction sort (database connection errors, PHP (fastcgi) process going into a bad state) rather than typical DDOS/intrusion signs.

Yes, SMF is unfortunately very old forum software, with a ton of old plugins. And from what I'm told by many, relatively poorly written and maintained.
Add in that this is a pretty large forum, so we have had to custom optimise the implementation for speed.

Unless we change the forum software entirely, we just have to do the best we can with what we are stuck with.

[nctnico]

Ask anybody that actually do this job for a living...

The real pros will tell you that the best secured system still stay secure even when fully 'hacked'. It just takes a good high level design rather than pouring encryption over some communication interfaces.

[xrunner]

Unless we change the forum software entirely, we just have to do the best we can with what we are stuck with.

Curious ... Has any testing been done on the side, with a copy of the SMF forum database, to see if it can get transferred/imported to a more modern forum? 

[EEVblog]

Unless we change the forum software entirely, we just have to do the best we can with what we are stuck with.

Curious ... Has any testing been done on the side, with a copy of the SMF forum database, to see if it can get transferred/imported to a more modern forum? 

No, because there is no point in spending time doing that unless we actually seriously decide to do it.
If a decision is made to move then you just make it work. Almost every alternative will import and SMF database. The most popular choice seems to be XenForo and that supports SMF import.

[SiliconWizard]

Makes sense. Sure the current forum is a bit old and has its set of quirks, but all in all in works pretty well, and as long as it doesn't give you specific maintenance problems (that would trigger a change anyway), there's little point in changing.

The only very annoying thing IMO is the inability to inline images easily without having to go through hoops. But that's not a major deal.

One functional aspect is that most new forums tend to waste a lot more screen estate, so that you see a lot less on a given page. That really makes a difference. This is a common trend I've seen, "old" forums tend to pack more info and look leaner.

For instance, Discourse, which is popular, makes a rather poor use of screen estate. I guess it works better on small mobile devices likes phones and tablets though. But for those who use forums on something else, that doesn't work all that great. Plus, the themes (at least all that I've seen) are either a blinding white one or annoying dark crap. I like the relatively tamed default theme of the EEVBlog forum.

[gnif]

The only very annoying thing IMO is the inability to inline images easily without having to go through hoops. But that's not a major deal.

Funny you should mention this, I fixed it this morning

[gnif]

Unless we change the forum software entirely, we just have to do the best we can with what we are stuck with.

Curious ... Has any testing been done on the side, with a copy of the SMF forum database, to see if it can get transferred/imported to a more modern forum? 

It's not just about moving the database, we then need to start from scratch with server performance tuning, and ensuring it would scale across our current cluster implementation. It may (and quite likely would) require a overhaul of the entire hosting stack as the more modern forum applications have very different requirements.

IMO for what this forum is and the amount of content here, SMF is still the best way to go. Just because a forum is newer/modern doesn't mean it would deal with the sheer number of posts we have here. Better the devil you know.

OTOH, the Wordpress website is a nightmare and I can't wait for Dave to find a cart solution that suits his needs so we can either slim it down (get rid of WooCommerce), or replace it entirely.

[EEVblog]

OTOH, the Wordpress website is a nightmare and I can't wait for Dave to find a cart solution that suits his needs so we can either slim it down (get rid of WooCommerce), or replace it entirely.

I updated the theme just now, from that custom v1.0.0 to v5.x , I suspect this might help 
I've just lost my top banner ads and the random video, but apart from that it seems the same...