Believe the hype

I just read a comment from someone interested in government group collaboration techniques, claiming that wiki vandalism and other wiki security vulnerabilities are highly over-hyped. While the level of hype may be a bit excessive, it’s not all bunk.

Because the nature of the wiki world is open and collaborative, its platforms are designed to be somewhat permissive and trusting in nature, too trusting at times for certain use cases. It’s wonderful to facilitate and invite open collaboration on the web, but just because lots of folks are using a piece of software doesn’t make it secure.

As an admin for a government-funded facility, I inherited a TWiki installation that was littered with security holes and had recently been hacked, all while under constant moderation. Upon further investigation, we found that the installation had been hacked several times before using different methods, one incident having taken place two years before anyone here raised a red flag or even suspected a problem. And this particular installation was on a “closed” site, where only registered members could post. Hackers took advantage of “read-only” features to find ways in, not only to the posted data but to the user databases, where they were able to create “admin”-level users by injecting commands through a simple search field.

Wikis provide excellent venues to share information and collaborate, and there’s nothing wrong with using them in most situations. But I would advise against blind faith in their inherent authentication and security mechanisms. If your information is sensitive in any way, and you absolutely must use a wiki for some reason, consider authentication alternatives, such as having users log in via Kerberos or some other method before they even reach the site.
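As an added illustration of the “authenticate before reaching the site” approach (not configuration from the original post or from the TWiki project), here is an Apache httpd fragment that puts Kerberos authentication in front of a TWiki install using mod_auth_kerb. The realm, keytab path, and the `/twiki` location are assumed placeholders, and the TWiki setting at the end is the assumed 4.x-era way to make the wiki trust the web server’s login instead of its own form.

```apache
# Added example: gate the whole wiki behind Kerberos at the web server,
# so no request reaches TWiki's scripts (search included) unauthenticated.
# Assumes mod_auth_kerb is loaded and the host has an HTTP/ service keytab.

<Location /twiki>
    AuthType           Kerberos
    AuthName           "Wiki (Kerberos login)"
    KrbAuthRealms      EXAMPLE.ORG          # placeholder realm
    KrbServiceName     HTTP
    Krb5KeyTab         /etc/httpd/http.keytab   # placeholder path, root-readable only
    KrbMethodNegotiate On                   # SPNEGO tickets from the browser
    KrbMethodK5Passwd  Off                  # no password fallback: ticket or nothing
    KrbSaveCredentials Off
    Require valid-user
</Location>

# Assumed TWiki-side setting (lib/LocalSite.cfg, TWiki 4.x): trust the
# REMOTE_USER that Apache sets rather than TWiki's own template login.
#   $TWiki::cfg{LoginManager} = 'TWiki::Client::ApacheLogin';
```

Serve the location over TLS only, and note that newer distributions ship mod_auth_gssapi in place of mod_auth_kerb, with equivalent but differently named directives.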

Sometimes, information isn’t all hype.
