Copyright 2001 Sunir Shah. All rights reserved. Meatball Soft Security Safety in Numbers Sunir Shah


1 Copyright 2001 Sunir Shah. All rights reserved. Meatball Soft Security Safety in Numbers http://usemod.com/cgi-bin/mb.pl?SoftSecurity Sunir Shah sunir@sunir.org

2 KEY OBSERVATION
“I think that security measures of a purely technological nature, such as guns and crypto, are of real value, but that the great bulk of our security... derives from intangible factors having to do with the social fabric.... Those who wish to use the Internet as a tool for enhancing security, freedom, and other good things might wish to turn their efforts away from purely technical fixes and try to develop some understanding of just what the social fabric is, how it works, and how the Internet could enhance it.”
Neal Stephenson, Computers Freedom and Privacy 2000 (Toronto)
http://usemod.com/cgi-bin/mb.pl?SoftSecurity

3 PARANOIA
http://usemod.com/cgi-bin/mb.pl?DefendAgainstParanoia
Diagram labels: SITE, ATTACKER

4 MORE GROUNDED...
http://usemod.com/cgi-bin/mb.pl?AssumeGoodFaith
Diagram labels: SITE, ATTACKER, VANDAL, USER, KLUTZ, USER; transient angry user mistake

5 HARD SECURITY
http://usemod.com/cgi-bin/mb.pl?HardSecurity
POLICE
Passwords
Trust metrics
Rating systems
Moderators
Kickban
Ignored userbase...
Diagram labels: KLUTZ, SITE, VANDAL, POLICE, ATTACKER, USER; REALLY?! REALLY?!

6 CYNICISM IS EASY...
http://usemod.com/cgi-bin/mb.pl?QuebecCity

7 SAFETY IN NUMBERS
http://usemod.com/cgi-bin/mb.pl?MetcalfesLaw
Diagram labels: SITE, ATTACKER, VANDAL, USER, KLUTZ, USER
Anyone can help! Even klutz (attacker?)...

8 WIKI
http://tavi.sourceforge.net/index.php?WhatIsAWiki
First is Ward Cunningham’s WikiWikiWeb (http://c2.com/cgi/wiki)
Anyone can edit any page (usually)
You can and are encouraged to edit or delete words written by others.
Special syntax like the LinkPattern.
WikiNow: The Communal Estate vs...
RecentChanges: The Active Commons.

9 SOFT SECURITY IS A SYSTEM
http://c2.com/cgi/wiki?PatternLanguage
Reversible Change
Peer Review
Audit Trail
Open Process
Plus many, many more Patterns.
I’ll only talk about those primarily peer to peer.

10 OPEN PROCESS
http://usemod.com/cgi-bin/mb.pl?OpenProcess
Do things in public.
Secret actions aren’t accountable. (Peer Review)
Information vacuums disenfranchise users.
New users need role models to learn the community expectations.
Lurk before you leap. Maybe enforce it technically. e.g. Audit Trail.
Online diaries give personal context to Internet. The Case of Badvogato.
Magic algorithms suck.
But:
Democracy moves slow.
Without leadership, open processes encourage vehement debate.

11 REVERSIBLE CHANGE
http://usemod.com/cgi-bin/mb.pl?ReversibleChange
Anything that can be done can be undone.
It’s all in software. We control every bit.
White hats will fix damage by reversing it.
Doesn’t punish people. Maybe it was a klutz..?
But:
Attackers also can revert legitimate changes. Have patience. More white hats than black.
Bad feelings hard to reverse. (e.g. flame wars)
Some changes are irreversible. (Deleted pages.)

12 KURO5HIN HIDDEN COMMENTS
http://www.kuro5hin.org/comments/2001/4/4/51324/29511/50?showrate=1#50
Screenshot annotations: Anything  1.0 is invisible; Reverted!; Audit Trail...

13 KEPT PAGES
http://usemod.com/cgi-bin/mb.pl?KeptPages
How to prevent a vandal from damaging a wiki?
Naïve sol’n 1: Keep every version. (TWiki) Violates forgive and forget. (Flame wars.)
Naïve sol’n 2: Keep the last author’s version (WikiWiki) Make two changes (from different IPs/user names).
Naïve sol’n 3: Keep N previous versions. (PHPWiki) Make N+1 changes. Also violates forgive and forget.
Getting closer: Keep the last two weeks of changes. A change to an old page will delete/lose it!!
Solution: Keep only the last two weeks of changes, but start counting time when it is replaced. (UseModWiki)
Page deletion easy via “DeletedPage”.

14 KEPT PAGES EXAMPLE
http://usemod.com/cgi-bin/mb.pl?KeptPages
Spam... but revertible
Taken August 4, on the page “MeatballWiki”.
Replaced July 26, 2001, so not expired.
Klutz fixed it himself!
Audit Trail...
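Added example (not from the original slides and not UseModWiki's code): a small Python model of the retention policies compared on slide 13, checking which of them leave a long-untouched page recoverable after it is overwritten. The record layout, function names and the January date are assumptions; the July 26 and August 4 dates mirror slide 14.

```python
from datetime import datetime, timedelta

KEEP = timedelta(days=14)  # the slide's "last two weeks"

def save(history, text, when):
    """Append a new current version; stamp the old one with the time it was replaced."""
    if history:
        history[-1]["replaced"] = when
    history.append({"text": text, "written": when, "replaced": None})

def last_n(history, n):
    """Naive policy: keep N previous versions plus the current one."""
    return history[-(n + 1):]

def by_written(history, now):
    """'Getting closer' policy: age is counted from when a version was written."""
    return [v for v in history
            if v["replaced"] is None or now - v["written"] <= KEEP]

def by_replaced(history, now):
    """Final policy on the slide: age is counted from when a version was replaced."""
    return [v for v in history
            if v["replaced"] is None or now - v["replaced"] <= KEEP]

def recoverable(kept, text):
    return any(v["text"] == text for v in kept)

def demo():
    # Constructed history: a page untouched for months, then overwritten.
    page = []
    save(page, "good text", datetime(2001, 1, 10))
    save(page, "spam", datetime(2001, 7, 26))
    now = datetime(2001, 8, 4)
    results = {
        # Written in January, so already "expired" the moment it is replaced.
        "written": recoverable(by_written(page, now), "good text"),
        # Replaced 9 days ago, so still available for a revert.
        "replaced": recoverable(by_replaced(page, now), "good text"),
        # 15 days after replacement it is gone: forgive and forget.
        "replaced_after_expiry": recoverable(
            by_replaced(page, datetime(2001, 8, 10)), "good text"),
    }
    # With N = 3, a fourth overwrite pushes the good text out of the store.
    for i in range(3):
        save(page, f"spam {i}", datetime(2001, 7, 27 + i))
    results["last_3"] = recoverable(last_n(page, 3), "good text")
    return results

if __name__ == "__main__":
    print(demo())
```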

15 AUDIT TRAIL
http://usemod.com/cgi-bin/mb.pl?AuditTrail
Accountability creates trust.
We can watch our neighbours. Imperfect: black ski masks. http://bankguys.homestead.com/
Online systems are under our control. We can record who did what, when.
Use peer pressure to induce expectations.
Show what leaders do, create role models.
But:
Violates privacy, forgive and forget. Expire logs.
Pseudonymity? Serial identity, IPs/domains

16 RECENT CHANGES
http://usemod.com/cgi-bin/mb.pl?RecentChanges
Limited duration Audit Trail
User names don’t hide IPs/domains....

17 PEER REVIEW
http://usemod.com/cgi-bin/mb.pl?PeerReview
Many eyes, many hands.
Peers make up for each other’s weaknesses.
Be aggressive. Continuously maintain stability, quality, sanity through aggressive peer review.
Couple with Reversible Change, Audit Trail.
Message boxes are a must!
But:
Reviewers need review. Slashdot Metamoderation. Metameta(...)mod?
Treat reviewers at same level as subjects.

18 INDIRECT PEER REVIEW
“The ITS machines had... the ‘spy’ feature, where anybody could watch what anyone else was doing.... Tourists loved to spy,... but... if any tourist starts doing anything that causes trouble there's always somebody else watching him.... His friends would get very mad because they would know that the continued existence of tourism depended on tourists being responsible. So usually there would be somebody who would know who the guy was, and we'd be able to let him leave us alone.”
Richard Stallman, Lecture at KTH
http://www.gnu.org/philosophy/stallman-kth.html

19 DIRECT PEER REVIEW
http://c2.com/cgi/wiki?WhatColorIsYourParachute

20 DIRECT PEER REVIEW (CONT’D)
http://c2.com/cgi/wiki?WhatColorIsYourParachute
Screenshot annotation: Edited

21 FINAL WORDS
Give power to your users.
Fixing mistakes is better than punishing them.
Allow everyone to pitch in: barn raising.
Technology should enable not disable.
Technology provides tools to white hats.
No one technique works in isolation.
There is much more to soft security than this.

22 ACKNOWLEDGMENTS
Everyone at MeatballWiki
Clifford Adams (UseModWiki)
Ward Cunningham (WikiWiki)
Rusty Foster (Kuro5hin)
http://usemod.com/cgi-bin/mb.pl?SoftSecurity
sunir@sunir.org

