Copyright 2001 Sunir Shah. All rights reserved. Meatball Soft Security Safety in Numbers Sunir Shah


1 SOFT SECURITY: SAFETY IN NUMBERS. Sunir Shah

2 KEY OBSERVATION
"I think that security measures of a purely technological nature, such as guns and crypto, are of real value, but that the great bulk of our security... derives from intangible factors having to do with the social fabric.... Those who wish to use the Internet as a tool for enhancing security, freedom, and other good things might wish to turn their efforts away from purely technical fixes and try to develop some understanding of just what the social fabric is, how it works, and how the Internet could enhance it."
Neal Stephenson, Computers, Freedom and Privacy 2000 (Toronto)

3 PARANOIA
(Diagram: the SITE facing an ATTACKER.)

4 MORE GROUNDED...
(Diagram: the SITE and the people around it: ATTACKER; VANDAL, a transient angry user; KLUTZ, a user who made a mistake; USER.)

5 HARD SECURITY: POLICE
Passwords, trust metrics, rating systems, moderators, kickban, ignored userbase...
(Diagram: the POLICE stand between the SITE and the KLUTZ, VANDAL, ATTACKER and USER alike, asking "REALLY?!" of each of them.)

6 CYNICISM IS EASY...

7 SAFETY IN NUMBERS
(Diagram: the SITE surrounded by the ATTACKER, VANDAL, KLUTZ and USERS.)
Anyone can help! Even the klutz (even the attacker?)...

8 WIKI
First is Ward Cunningham's WikiWikiWeb (http://c2.com/cgi/wiki).
Anyone can edit any page (usually). You can, and are encouraged to, edit or delete words written by others.
Special syntax like the LinkPattern.
WikiNow: the communal estate, vs... RecentChanges: the active commons.

9 SOFT SECURITY IS A SYSTEM
Reversible Change. Peer Review. Audit Trail. Open Process.
Plus many, many more patterns. I'll only talk about those that are primarily peer to peer.

10 OPEN PROCESS
Do things in public. Secret actions aren't accountable. (Peer Review)
Information vacuums disenfranchise users.
New users need role models to learn the community's expectations. Lurk before you leap. Maybe enforce it technically, e.g. with an Audit Trail.
Online diaries give personal context to the Internet. The case of Badvogato.
Magic algorithms suck.
But: democracy moves slowly. Without leadership, open processes encourage vehement debate.

11 REVERSIBLE CHANGE
Anything that can be done can be undone. It's all in software; we control every bit.
White hats will fix damage by reversing it.
Doesn't punish people. Maybe it was a klutz..?
But: attackers can also revert legitimate changes. Have patience; there are more white hats than black.
Bad feelings are hard to reverse (e.g. flame wars). Some changes are irreversible (deleted pages).

12 KURO5HIN HIDDEN COMMENTS
(Screenshot; callouts: Anything rated < 1.0 is invisible. Reverted! Audit Trail...)

13 KEPT PAGES
How do you prevent a vandal from damaging a wiki?
Naive solution 1: keep every version (TWiki). Violates forgive and forget (flame wars live forever).
Naive solution 2: keep only the version before the last author's edit (WikiWiki). Defeated by making two changes, from different IPs or user names, so the legitimate version falls off.
Naive solution 3: keep N previous versions (PHPWiki). Defeated by making N+1 changes. Also violates forgive and forget.
Getting closer: keep the last two weeks of changes, counted from when each version was written. But then a single change to a page that nobody has edited in two weeks loses the old version outright!!
Solution: keep only the last two weeks of changes, but start counting time from when a version is replaced, not from when it was written (UseModWiki). An old page's last good version stays recoverable for two weeks after the vandal touches it.
Page deletion is easy via "DeletedPage".

14 KEPT PAGES EXAMPLE
(Screenshot: spam... but revertible.)
Taken August 4, on the page "MeatballWiki". Replaced July 26, 2001, so not expired.
The klutz fixed it himself! Audit Trail...

15 AUDIT TRAIL
Accountability creates trust. We can watch our neighbours. Imperfect: black ski masks.
Online systems are under our control. We can record who did what, when.
Use peer pressure to induce expectations. Show what leaders do; create role models.
But: violates privacy and forgive and forget. Expire logs. Pseudonymity? Serial identity, IPs/domains.

16 RECENT CHANGES
A limited-duration Audit Trail.
User names don't hide IPs/domains....
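The three mechanisms from slides 11, 13, 15 and 16 fit together in a few dozen lines. The block below is an added illustration, not UseModWiki code or anything from the original deck: a page history whose superseded versions expire two weeks after they are replaced (the UseModWiki rule), a switch to the "getting closer" variant that counts from the save time so its failure can be seen, a revert that re-saves an old version rather than deleting the vandal's, a RecentChanges-style listing bounded by the same window, and the keep-N counter-example. The names (Page, Version, recent_changes, KEEP_DAYS, vandal_scenario) and the edit history in vandal_scenario are assumptions made for the example; the July 26, 2001 date is borrowed from slide 14 but the edits themselves are constructed.

```python
"""Kept pages, reversible change and a limited-duration audit trail.
Added illustration of the retention policy on the slides; not UseModWiki code.
Names and the edit history in vandal_scenario are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

KEEP_DAYS = 14  # "keep only the last two weeks of changes"


@dataclass
class Version:
    text: str
    author: str                              # user name or IP/domain
    saved_at: datetime
    replaced_at: Optional[datetime] = None   # set when a newer version lands


@dataclass
class Page:
    name: str
    # "replaced": expiry clock starts when a version is superseded (UseModWiki).
    # "saved": the "getting closer" variant that loses an old page's history.
    expire_from: str = "replaced"
    versions: List[Version] = field(default_factory=list)

    def current(self) -> Optional[Version]:
        return self.versions[-1] if self.versions else None

    def save(self, text: str, author: str, now: datetime) -> None:
        """Append a version; the outgoing one starts its expiry clock now."""
        if self.versions:
            self.versions[-1].replaced_at = now
        self.versions.append(Version(text, author, now))
        self.expire(now)

    def expire(self, now: datetime) -> None:
        """Drop superseded versions older than KEEP_DAYS; keep the current one."""
        cutoff = now - timedelta(days=KEEP_DAYS)
        kept = []
        for v in self.versions:
            if v.replaced_at is None:        # current version never expires
                kept.append(v)
                continue
            clock = v.replaced_at if self.expire_from == "replaced" else v.saved_at
            if clock >= cutoff:
                kept.append(v)
        self.versions = kept

    def revert_to(self, index: int, author: str, now: datetime) -> str:
        """Reversible Change: undo by re-saving a kept version's text. Nobody is
        punished; the vandal's versions stay in the trail until they expire."""
        text = self.versions[index].text
        self.save(text, author, now)
        return text


def recent_changes(pages: List[Page], now: datetime) -> List[Tuple[datetime, str, str]]:
    """Limited-duration audit trail: (when, page, who) within the last KEEP_DAYS.
    Derived here from kept versions; the real RecentChanges is its own log."""
    cutoff = now - timedelta(days=KEEP_DAYS)
    rows = [(v.saved_at, p.name, v.author)
            for p in pages for v in p.versions if v.saved_at >= cutoff]
    return sorted(rows, reverse=True)


def keep_n_survives(n: int, vandal_edits: int) -> bool:
    """Naive solution 3 (keep N previous versions): does the good text survive?
    It does for N vandal edits and is gone after N+1."""
    history = ["good"]
    for i in range(vandal_edits):
        history = (history + [f"spam {i}"])[-(n + 1):]   # current plus N previous
    return "good" in history


def vandal_scenario(expire_from: str) -> dict:
    """Constructed history: a page written in January and untouched until July 26,
    2001, when a vandal makes 20 edits in 20 minutes; a white hat reverts an hour
    later. Returns the facts a reader of slide 13 would want to check."""
    page = Page("MeatballWiki", expire_from=expire_from)
    page.save("Good text", "SunirShah", datetime(2001, 1, 26))
    t1 = datetime(2001, 7, 26)
    for i in range(20):
        page.save(f"SPAM {i}", "Vandal", t1 + timedelta(minutes=i))
    good = [i for i, v in enumerate(page.versions) if v.text == "Good text"]
    result = {"good_kept": bool(good), "after_spam": len(page.versions)}
    if good:
        page.revert_to(good[0], "WhiteHat", t1 + timedelta(hours=1))
    result["current"] = page.current().text
    result["audit_rows"] = len(recent_changes([page], t1 + timedelta(hours=2)))
    page.expire(t1 + timedelta(days=15))      # two weeks later: forgive and forget
    result["after_two_weeks"] = len(page.versions)
    return result


if __name__ == "__main__":
    print("UseModWiki clock:", vandal_scenario("replaced"))
    print("saved-time clock:", vandal_scenario("saved"))
    print("keep N=3, 3 edits:", keep_n_survives(3, 3), "4 edits:", keep_n_survives(3, 4))
```

With the UseModWiki clock the January version survives the twenty spam edits because its two weeks only start when the vandal replaces it, so the revert has something to revert to; with the saved-time clock the same first edit discards it on the spot, which is the "getting closer" failure on slide 13. Two weeks after the revert only the restored text remains: the trail forgives and forgets, and RecentChanges shows the 21 recent edits but not the six-month-old original, which is the difference between kept pages and the audit trail.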

17 PEER REVIEW
Many eyes, many hands. Peers make up for each other's weaknesses.
Be aggressive. Continuously maintain stability, quality and sanity through aggressive peer review.
Couple with Reversible Change and Audit Trail. Message boxes are a must!
But: reviewers need review. Slashdot metamoderation. Metameta(...)moderation? Treat reviewers at the same level as their subjects.

18 INDIRECT PEER REVIEW
"The ITS machines had... the 'spy' feature, where anybody could watch what anyone else was doing.... Tourists loved to spy,... but... if any tourist starts doing anything that causes trouble there's always somebody else watching him.... His friends would get very mad because they would know that the continued existence of tourism depended on tourists being responsible. So usually there would be somebody who would know who the guy was, and we'd be able to let him leave us alone."
Richard Stallman, lecture at KTH

19 DIRECT PEER REVIEW
(Screenshot.)

20 DIRECT PEER REVIEW (CONT'D)
(Screenshot; callout: Edited.)

21 FINAL WORDS
Give power to your users. Fixing mistakes is better than punishing them.
Allow everyone to pitch in: barn raising.
Technology should enable, not disable. Technology provides tools to white hats.
No one technique works in isolation. There is much more to soft security than this.

22 ACKNOWLEDGMENTS
Everyone at MeatballWiki. Clifford Adams (UseModWiki). Ward Cunningham (WikiWiki). Rusty Foster (Kuro5hin).
