Question: dangers of publishing content online in TiddlyWiki format


David Gifford

Sep 25, 2019, 9:24:27 AM
to TiddlyWiki
Hi everyone,

I am exploring going back to publishing TiddlyWikis online, rather than exporting and publishing static htmls from tiddlers.

One issue I need to confront, though, is the possibility that someone could download one of my TiddlyWikis, add malicious content (either text that I would not approve of, or a virus or somesuch), and publish it with my name on it elsewhere in a way that makes people think it is from me.

I would like community feedback on what measures I might take to prevent that: hiding the save/download button when the file is online, etc? Or any other relevant feedback on this issue.

Thanks and blessings, Dave

@TiddlyTweeter

Sep 25, 2019, 9:44:15 AM
to TiddlyWiki
Dear David

Any idiot on the net can do any old shit on anything that is public.

PART of your question presumes that possible exploits would arise from someone knowing TW structure.

I think that is unlikely, but is possible, if there were a Judas.

TT

TonyM

Sep 25, 2019, 7:44:44 PM
to tiddl...@googlegroups.com
David,

This is a serious question and needs serious discussion. I will give a more considered view later. A few quick points.
  • If someone can see it they can steal it
  • If they steal it I think the main issues are
    • Will they pretend to be you 
    • or pretend to be the author
    • Try and spoof your site to trap visitors who trust you
  • However you hide buttons etc... someone with tiddlywiki skills will find it easier to steal than others
    • In fact they just need a link to your wiki and right-click download and they get the whole wiki.
  • There is plenty you can do to make it less than straightforward for people to realise its theft is easy
    • But I think you would be better off focusing on the value to your audience (personal view)
  • It is quite easy to leave your mark throughout the wiki, making it a chore for someone to hide your authorship
  • It is possible to tie it into analytics and be able to identify where it is re-published if they do not defeat it
  • Just like the plugins, I recommend you put a licence upfront that spells out people's rights to the information on your site, then at least they know what is right or wrong and will hopefully feel a social obligation as a result
Opinion
  • The concept of copyright has a fatal flaw - if someone can read it they have a copy
  • Security is always a matter of degree, the higher the security the functionality tends to diminish 
  • If we can consider the act of publishing as "setting the information free" but as a reader as it "being granted the right to read only" unless you seek permission to do otherwise, then we would all be a bit more realistic.
Regards
Tony

Diego Mesa

Sep 27, 2019, 6:48:12 PM
to TiddlyWiki
Hello Dave,

Simple: Advertise that you always use github to distribute your TW.
Complicated: I would probably write the md5 hash of the TW in the about page. That way, all a user has to do to verify a TW is download it, delete one tiddler, and calculate its hash to verify it's you.

Ste Wilson

Sep 28, 2019, 6:32:29 AM
to TiddlyWiki
Diego... Sounds great if only I understood anything you just said... :)

PMario

Sep 28, 2019, 8:22:06 AM
to TiddlyWiki
On Wednesday, September 25, 2019 at 3:24:27 PM UTC+2, David Gifford wrote:
> Hi everyone,
>
> I am exploring going back to publishing TiddlyWikis online, rather than exporting and publishing static htmls from tiddlers.

Hi Dave,

Is it about the static "functionality", or is it too much manual work to publish your sites?

If it is too much work, it may be possible to improve the workflow.

If it is about the functionality, it would be more work.

-m

Mat

Sep 28, 2019, 1:47:40 PM
to TiddlyWiki
David Gifford wrote:
> [...] and publish it with my name on it elsewhere in a way that makes people think it is from me.

David, the two TW options, just as probably any other option, are equally risky in that regard.

One way to "prevent" this might be to publish stuff over a long period of time in one reputable and well known place. For example you could have a Twitter feed or something like that, and let it run for a few years, that refers to the sites that you publish. Then it is credible only because it's been around for a long time. All your sites should refer to one another to give credibility to each other and there could be one main central place where all other wikis have to be mentioned as a proof of being legit, and all your sites bring this up.

I assume you, as a missionary, are associated with a church. Maybe you can have their site refer to your site and you refer to theirs, thereby giving credibility.

<:-)

Mark S.

Sep 28, 2019, 1:51:17 PM
to TiddlyWiki
The MD5 has to be published on a site known to not have been hacked. It can't travel with the TW file, because the whole kit could have been hacked.

It's an interesting idea that you could include an MD5 library with the TW file. That would make it easy to generate the number before publication and for users to check the numbers (comparing against a "secure" publication site), since most users aren't going to know how to use an MD5 command line tool.

One would really hope that this is all hypothetical within the confines of the ecclesiastical field.

Thanks!
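
The point made above about where the checksum has to live, as an added example that is not part of any post in this thread: it runs Diego's in-file hash check and a comparison against a digest taken from the author's own site over the same two files. The tiddler layout is a constructed simplification, the function names are hypothetical, and SHA-256 stands in for the MD5 mentioned in the thread.

```python
import hashlib
import hmac
import re

# Constructed, simplified stand-in for a TiddlyWiki file (not the real store format).
ABOUT_RE = re.compile(r'<div title="About">sha256:([0-9a-f]{64})</div>\n')

def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def seal(body: str) -> str:
    """In-file scheme: append an About tiddler holding the hash of the rest."""
    return body + f'<div title="About">sha256:{digest(body)}</div>\n'

def embedded_check(wiki: str) -> bool:
    """Remove the About tiddler, hash what is left, compare with the stored value."""
    m = ABOUT_RE.search(wiki)
    if not m:
        return False
    rest = wiki[:m.start()] + wiki[m.end():]
    return hmac.compare_digest(digest(rest), m.group(1))

def out_of_band_check(wiki: str, published: str) -> bool:
    """Compare the whole file with a digest obtained from the author's own site."""
    return hmac.compare_digest(digest(wiki), published.strip().lower())

ORIGINAL_BODY = (
    '<div title="Home">Study notes by the author</div>\n'
    '<div title="$:/core/startup">core code</div>\n'
)
original = seal(ORIGINAL_BODY)
published_digest = digest(original)  # what the author posts on the trusted site

# A republished copy: a system tiddler was altered and the About hash regenerated.
altered = seal(ORIGINAL_BODY.replace("core code", "core code plus unknown changes"))

def demo() -> dict:
    return {
        "original_embedded": embedded_check(original),
        "original_out_of_band": out_of_band_check(original, published_digest),
        "altered_embedded": embedded_check(altered),
        "altered_out_of_band": out_of_band_check(altered, published_digest),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

The altered copy still passes its own in-file check because the stored hash was regenerated along with the content; only the digest held on the author's site flags it.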

David Gifford

Sep 30, 2019, 7:13:32 AM
to TiddlyWiki
Thanks everyone for your thoughts. I think since my site is known by my users, I can just remind people to use only my site to download my resources.

My concern was that it seems easy to bury malicious code in a system tiddler, but I suppose one could put malicious code in a static html file, too.

The other concern is that if someone put malicious code in a TW obtained from my site, and I later go and make changes to my own TW, then in a legal dispute the hacker could claim the malicious code was in the copy obtained from my site but that since then I have changed it, and I would have no way to prove it. Again, though, I am not sure how that would be more problematic than a plain html file.

Just thoughts...
