l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
January 6: Social gathering
Next Installfest:
TBD
Latest News:
Nov. 18: Club officer elections
Page last updated:
2002 Aug 11 13:24

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] Introduction me & TWikIWeThey
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] Introduction me & TWikIWeThey



on Thu, Aug 08, 2002, Rod Roark (rod@sunsetsystems.com) wrote:
> On Wednesday 07 August 2002 11:39 pm, Karsten M. Self wrote:
> > ....  More recently,
> > I've been working with Wikis, and have been putting together a
> > technically-oriented documentation site, TWikIWeThey (the name is a long
> > story itself, more below), which you can find at:

<...>

> > TWiki's got a number of really neat features, among them:
> >
> >    * _You can edit (almost) any page._

<...>

> I'll be interested to see how your Wiki works out.  I'm reasonably
> familiar with TWiki, using it just for myself to maintain server
> configuration notes.
> 
> But for a public web site that anyone can alter... idunno.  I
> understand the theory, that "it will work itself out".  It's the
> believing that is hard.  :-)

The absolute ideal is tempered in several regards.  Note too that this
is not an infrequently raised issue regarding Wikis:

    http://twiki.iwethey.org/twiki/bin/view/TWiki/WikiCulture
    http://c2.com/cgi/wiki?WhyWikiWorks
    http://c2.com/cgi/wiki?WhyWikiWorksNot 
    http://c2.com/cgi/wiki?WikiWipeout
    http://c2.com/cgi/wiki?WikiMindWipe  
    http://www.usemod.com/cgi-bin/mb.pl?CaseOfaWikipediaTroll


There's also a really good relation of a similar issue in Lawrence
Lessig's _Code and Other Laws of Cyberspace_, in his discussion of the
Yale Wall:

    http://www.usemod.com/cgi-bin/mb.pl?YaleWall

...though the incident relates to a later community based on an
electronic forum (the Yale Wall was a physical message board) in which
an anonymous provacateur attacked, and effectively destroyed, the
discussion and community.

Sunir Shah, creater and moderator of Meatball Wiki
(http://www.usemod.com/) writes on this at length as "Soft Security":

    http://www.usemod.com/cgi-bin/mb.pl?SoftSecurity

    (Sunir, and Meatball in general, tend to obsess on The Nature Of
    Wiki as Wiki, to a degree I find distracting.  My aim in TWikIWeThey
    is to create a site which actually discusses something _outside_
    itself (largely free software (and perhaps digressing into
    commentary of those who are obsessed with (or just excessive in use
    of) parenthetical digressions)), but which is nonethless grateful
    for Sunir's navel gazing.)

I find the thoughts interesting but not entirely convincing.  One of the
_major_ problems I have is with the notion that an online community is
in any sense closed.  This actually _can_ (and frequently is) the case
in a TWiki implementation:  the tool is designed for corporate use, and
often exists behind a firewall, with employment policies, management
oversight, and out-of-band disciplinary options available for misuse and
abuse.

In the case of a generally available online discussion, no matter the
intimacy of topics, IRL relationships among participants, or dynamics of
the major participants, the entire online proceedings are visible to the
world at large.  I see people write things of personal nature, emotional
outburst, or both, which make me cringe, moreso when the response on
having this pointed out is "but we all know each other here".  Wrong,
wrong, wrong.  Many of us may.  All of us don't.

I explore this in more depth in anther Meatball post:

    http://www.usemod.com/cgi-bin/mb.pl?CommunityOfGlassHouses


Soft Security is a good starting point.  I'd consider it akin to having
an effective, credible, and respected diplomatic corps.  But when the
shit hits the fan, the 767s hit your skyscrapers, or lamers hit your
website, you want something more to back it up.  Misquoting the 26th
prez:

   Secure softly, but carry a big stick.


So, attend to the basics:

   - Harden your webserver.
   - Back up your content (issues with this currently, but I'll be
     running rsyncs against the TWikIWeThey tree as soon as is
     practical).
   - Apply application-level security where appropriate.


An aside on the word I close my emails with.  As I explained to someone
recently, I added it following the events of Sept. 11.  It's there for a
number of reasons, and has received a number of interesting responses,
ranging from those who feel they have to say _something_ to it, to one
individual who seemed to be violently annoyed by it.

The word is a goal.  It's not a definition of actions, but a statement
of policy.  It's a reminder to those who read it to consider the
concept.  It doesn't mean that I'm opposed to an assertive, aggressive,
or violent response in any or all circumstances.  It does mean that any
such response _must_ have this principle as its final goal, and as its
guiding principle.  WRT the events of last year and the response of the
US to them, while not in complete agreement, I feel the government has
been largely correct in its military and diplomatic actions.  I also
feel that some of the erstwhile "peaceful" actions of this country --
economic, social, and diplomatic policies -- over the past fifty years
have to a large degree contributed to feelings of ill-will in some
quarters.  Not to get into a broader discussion of politics and
policy[1], but to point out that warlike actions may be peace-inducing,
and peaceful actions (economic, social, diplomatic, etc.) may be
war-inducing.  Life is contradiction, deal with it.

Regards TWiki:  the goal is to promote an open society to the greatest
extent possible.  A minimum of administrative restrictions will be put
in place.  However, defining society as "an extended social group having
a distinctive cultural organization", the ultimate control is an old
one:  banishment.  Persons who actively work against the social norms
will be excluded from the group.  My own long association with online
discussions (dating to the late 1980s) shows that this is a necessary
tool, though in practice it need be invoked only rarely.

Which gives us a fourth basic security measure:

   - Have the means to control membersip, but only apply this in extreme
     cases.



You'll note that the key TWiki feature quote above was "You can edit
(*almost*) any page" (emphasis added).  TWiki *does* include varying
levels of content protection, meaning not *all* pages and content be
globally modifiable:

   - Certain features are only accessible via filetree access (generally
     through a shell account).  Skins, templates, modules, and other
     gross features of site design can only be modified here.  Security
     is provided through the OS and remote connection protocols.

   - An administrative group is defined which can make (and unmake)
     changes to any page.  This group is defined at TWikIWeThey and
     includes three people I've known for years, who are actively
     contributing to the site, and whom I trust highly.

   - There *is* modification (and view) access defineable at both the
     web (subject area) and topic (specific page or node) levels.  This
     isn't absolutely foolproof, but means that there is content which
     can't be readily arbitrarially changed at whim by any party.  Given
     that much of the configuration data for TWiki is actually kept and
     modified as TWiki nodes, this is important.

   - The site is configured to require registration before modifications
     can be made.  This is a low grade of protection against malicious
     users.

   - TWiki is backed by version control.  It's possible to back out any
     given change.  A vandal could modify the site, but the changes
     could be backed out readily.  With administrative filesystem acess,
     the recovery could be scripted and executed in a matter of seconds.
     The versioning also provides an audit trail of who's (ab)using the
     system, making an appropriate response easier.



> With all the emphasis today on security of web sites, and all the
> publicity when one gets hacked, the idea of a site that anyone on the
> planet can blow away whenever they feel like it is not very settling.
> :-)

...only to have it un-blown shortly after.  And the "anyone on the
planet" is substantially more qualified than you present.  There's also
the point that a large number of people are available who can _undo_ the
damage (admin repairs are one option, but user-executed repairs are also
possible).  This is a strength vs. most sites where the black-hat
population is arguable larger than the (empowered) white-hat population,
due to restrictions on site access.

A key feature of TWiki is that the content *is* readily amenable to
modification, however, this being both a strength and a weakness.

One leaning I've had, particularly for content in which achieving a
"release" status may be useful, is to emulate a technique used to much
gain in free software development.  A given document which has attained
a certain status could be synchronized from a public edit web to a more
restricted web.  Adding means to support this readily within TWiki would
be useful -- a "promote to stable" type feature.


> Anyway, good luck, and I hope to meet you in person soon.

Planning on showing for Maddog, and Linux Picn*x, see you at one or the
other.

Peace.

----------------------------------------
Notes:

1.  And if that wasn't sufficiently clear, I'm simply not going to
    discuss these here.  I believe it's off-topic and counterproductive,
    the topic was raised in the context of TWiki security.  End
    discussion.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Übersoft:  If We're Not Rich, You're Not Gullible.
     http://www.ubersoft.net/

Attachment: pgp00006.pgp
Description: PGP signature



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!