[I'd like to TALK] ... About Security


@TiddlyTweeter

Dec 6, 2018, 9:22:05 AM
to TiddlyWiki
I'm getting very interested in TW as a potentially secure way to chat, and publish material that is ONLY for selected users/participants.

Part of the background is that it's becoming clearer that large online services are NOT, ultimately, able to secure conversation. I spent the last two days sorting out the aftermath for me of the Quora meltdown ... https://www.forbes.com/sites/daveywinder/2018/12/04/quora-hacked-what-happened-what-data-was-stolen-and-what-do-100-million-users-need-to-do-next/

The problem is those types of system are owned and run at huge scale by far off companies and you don't know what they are doing. In fact THEY often don't know what they are doing till it's too late. This just is the latest of a long line of serious cloud hacks. I basically don't trust them now. The hassle re-setting everything after an attack is both a PITA and very worrying. Identity theft can be a very complicated thing to sort out.

TW seems interesting if you can add two step verification.

Practically I'm very interested in being able to run a TW online just for conversation with ONE person ... i.e. One Wiki Per Converser. In this way we can chat AND in teaching I can show all but only what is needed. This is appropriate for how I work, which is all one-on-one. More collectivist security models interest me too, but the simple person-to-person is a specific interest. And I think it may be simpler to establish really robustly?

This is just one set of thoughts. My main concern is: can TW be maximally secure? I think, if it could be demonstrably so on-line it could be a USP for it.

Any comments welcomed ...

These are just early thoughts
Josiah


@TiddlyTweeter

Dec 6, 2018, 9:43:04 AM
to TiddlyWiki
For email users of this list ... I just wrote a post ... Could one of you let me know if you got this message ...

(Web users of the group can ignore this post)

J.

Jed Carty

Dec 6, 2018, 10:43:00 AM
to TiddlyWiki
The security model for something like tiddlywiki is completely different than a large online service.

Two factor authentication for something like tiddlywiki doesn't do much to improve security. Two factor authentication is mainly helpful in situations where there are large centralised stores of login information that may be compromised. In that case two factor authentication can help prevent breaches because just because someone has your login information they can't necessarily get to your data. For this reason these large systems generally have physically separate systems for the authentication and the actual data store.

A tiddlywiki would normally not be stored on this type of system so the same system has the login info and the data. So if someone were to breach the system and get the login info they are already where they need to be to get your data and a two factor authentication system can actually be counter productive. It is distressingly easy, at least in the US, to hijack a cellphone signal using a man-in-the-middle attack and intercept an SMS if that is your second channel in your two factor setup.

A simple single file wiki that you encrypt and put on a usb drive and carry around with you is far more secure than any online system. It would be as secure as anything can be and still be usable. Nothing is secure against a rubber hose attack.

As things stand right now the setup I have for ooktech.xyz is about as secure as anything online. I don't control the physical hardware and it may be slightly more secure to store the tiddlers in an encrypted database instead of as normal files, but that is debatable because any authentication system is on the same physical system so it loses a lot of the benefits of the secure database that way.

But I don't think that any of that is actually what you are thinking about. You seem to be talking about secure access to a remote system which isn't really a tiddlywiki question. It is a matter of what remote system you are using, how do you intend for the participants in the conversation to connect to it and how much interest do people have in what you are doing.

The question of 'is remote access from one computer to another possible' is yes, Tox manages it using p2p methods that I have been working on replicating with Dodo and they may be able to be applied to Tiddlywiki.


And as a note about threat and security models, if I wanted to hack into a big cloud system I wouldn't bother with anything technologically sophisticated. The weakness of Facebook is that they employ people who have access to the systems and not all of them are paid well. As the people selling access to the Aadhaar database showed, there are plenty of people who will give you access if you find the right person to give some money to.

So the question isn't about if you can make tiddlywiki secure, that is easy: yes.
The question is, what are the circumstances around what you are doing with it and are they secure. You can have the best lock and strongest doors in existence but it doesn't help if you leave your windows open.

Mark S.

Dec 6, 2018, 10:46:15 AM
to TiddlyWiki
Wow. These things have become so common, the Quora hack didn't even make it into my newsfeed.

If you need person-to-person private conversation, why not email with PGP/GPG?

You could also use GPG to convert messages to text and insert it into a tiddler. Then any public exposure would be irrelevant.

PGP has been around since almost the beginning. It's had slow adoption because of the fiddly steps needed to set it up on both ends of a conversation. Something like it should be the default -- the way https is becoming the default.

You mentioned Bob can run scripts for you. I can imagine invoking a script that converts tiddler text to gpg and turns it into a tiddler.

2FA as commonly implemented with SMS turns out to be no panacea -- cell phone numbers can be hijacked. Using a FIDO device might be better, but is not widely supported yet. None of this 2FA does any good if the main database, as in the case of Quora, is hacked.

-- Mark

Greg Davis

Dec 6, 2018, 12:13:45 PM
to TiddlyWiki
Josiah,
I did not get your original message on security. I'm using Gmail, checked SPAM and TRASH and it was not in either. These are your messages, as of 11:35am this morning, that I had received:

[tw5] Re: TiddlyWiki at the local Community College 6:38am

[tw5] Re: I love TiddlyWiki because... 7:17am

[tw5] Re: Favicon is not displayed 9:36am

[tw5] Re: [I'd like to TALK] ... About Security 9:43am

@TiddlyTweeter

Dec 6, 2018, 12:18:01 PM
to TiddlyWiki
Greg, much, much appreciated. It's now clearer I get bounced on email when I initiate a post. Otherwise OK. It's somewhat bizarre :-).

Thank you
J.

Mark S.

Dec 6, 2018, 12:21:17 PM
to TiddlyWiki
I wonder if gmail doesn't completely trust your email domain?

-- Mark

@TiddlyTweeter

Dec 6, 2018, 12:25:16 PM
to TiddlyWiki
Ciao Mark S.

FYI I'm interested in TW online, rather than secure email, because in a "conversation" in TW online I can introduce materials email would struggle with ...

Another thing. My partners are not tech. They could cope with a login. I doubt they could cope with PGP setup.

J

@TiddlyTweeter

Dec 6, 2018, 12:28:27 PM
to TiddlyWiki
Maybe you are right. I have a bunch of domains. I do feel I'm being punished for a non-existent crime :-).

Mark S.

Dec 6, 2018, 12:43:01 PM
to TiddlyWiki
You could use a gmail account to make your initial posts.

-- Mark

@TiddlyTweeter

Dec 6, 2018, 12:57:13 PM
to TiddlyWiki
Thanks Jed for the detail in your reply.

Much appreciated.

Comments added.

Jed Carty wrote:
> The security model for something like tiddlywiki is completely different than a large online service.
>
> Two factor authentication for something like tiddlywiki doesn't do much to improve security. Two factor authentication is mainly helpful in situations where there are large centralised stores of login information that may be compromised....

Noted.

> A tiddlywiki would normally not be stored on this type of system so the same system has the login info and the data. So if someone were to breach the system and get the login info they are already where they need to be to get your data and a two factor authentication system can actually be counter productive...

Noted.

> It is distressingly easy, at least in the US, to hijack a cellphone signal using a man-in-the-middle attack and intercept an SMS if that is your second channel in your two factor setup.

IMO a normal user has no idea how vulnerable they are.

> A simple single file wiki that you encrypt and put on a usb drive and carry around with you is far more secure than any online system.

Excellent to know.

> As things stand right now the setup I have for ooktech.xyz is about as secure as anything online. I don't control the physical hardware and it may be slightly more secure to store the tiddlers in an encrypted database instead of as normal files, but that is debatable because any authentication system is on the same physical system so it loses a lot of the benefits of the secure database that way.
>
> ... You seem to be talking about secure access to a remote system which isn't really a tiddlywiki question. It is a matter of what remote system you are using, how do you intend for the participants in the conversation to connect to it and how much interest do people have in what you are doing.

Not quite. It IS Tiddlywiki in that I want secure TiddlyWiki. The reason is that TW does things others don't. But, right, in the sense that the security enfolding does not have to be TW specifically. Just it's reliably secure.

> The question of 'is remote access from one computer to another possible' is yes, Tox manages it using p2p methods that I have been working on replicating with Dodo and they may be able to be applied to Tiddlywiki.

Noted.

> And as a note about threat and security models, if I wanted to hack into a big cloud system I wouldn't bother with anything technologically sophisticated. The weakness of Facebook is that they employ people who have access to the systems and not all of them are paid well. As the people selling access to the Aadhaar database showed, there are plenty of people who will give you access if you find the right person to give some money to.

Spot on I think. That is what the big breaches look like. Insiders.

> So the question isn't about if you can make tiddlywiki secure, that is easy: yes.
>
> The question is, what are the circumstances around what you are doing with it and are they secure. You can have the best lock and strongest doors in existence but it doesn't help if you leave your windows open.

I want no one in my room but the one who has the key.

J.

TonyM

Dec 7, 2018, 6:38:53 AM
to TiddlyWiki
Josiah,

If you place a tiddlywiki in a secure folder, with a long password on https and then use the encryption in tiddlywiki you would be using two factors. The problem is the file based wiki will not handle two users simultaneously. You could add a php user id password as well. If the wiki you opened was a noteself wiki requiring a password to access a pouchdb database, you would have another level of control. You could also set access to a limited set of IP addresses.

I am no expert, but I think you could get very secure but security adds complexity.

We need more methods for this, but the specific case always influences the choices.

I need to think about this more.

Regards
Tony

@TiddlyTweeter

Dec 7, 2018, 6:50:46 AM
to TiddlyWiki
Tony

That is a useful reply. I do think the various scenarios need opening up a bit so someone like me can better grasp what to do.

My specific immediate case is that I work a lot one-to-one. In theory TW online shared between just two people (one owner user, one user) would be easy. In practice I'm not there yet. I still need to better grasp the setup.

Thanks
Josiah

PMario

Dec 7, 2018, 9:49:41 AM
to TiddlyWiki

On Friday, December 7, 2018 at 12:38:53 PM UTC+1, TonyM wrote:
> ...
>
> If you place a tiddlywiki in a secure folder, with a long password on https and then use the encryption in tiddlywiki you would be using two factors.

No offence intended. - Technically, this is only 1 factor 2 times

Multi-factor authentication is defined as:

 1) something the user and only the user knows
 2) something the user and only the user has
 3) something the user and only the user is

add 1) eg: password
add 2) eg: usb-token
add 3) eg: fingerprint

Pros and Cons are discussed in detail here: https://en.wikipedia.org/wiki/Multi-factor_authentication

IMO The main problem is convenience and cost. Workflows, that create "real" security will cost something. That's a fact! ... At the moment our society trades convenience for security and cost.

Everything needs to be free (as in free beer).

In my opinion this mentality has to change. It's OK to use free (as in free speech) software / tools. ... But we need to become aware again, that our security will cost us something. Either convenience or money.

Just some rants
have fun!
mario

Mark S.

Dec 7, 2018, 10:42:07 AM
to TiddlyWiki
Two TW files on a dropbox account. Both encrypted. On one you write your responses. On the other, your partner writes theirs. Drag and drop their responses into your TW and vice-versa.

Or, two TW files on a Virtual Host, inside a folder with communication protected by SSL and standard .htaccess password. Also encrypted, if you want to be sure. Served up via store.php.

Multi-passwords are useful in situations where it is likely the administrator has über access to your account (Dropbox, Virtualhost ...)

I would not consider a web-facing node server until said server had been tested in some sort of bounty system. At least if the information or the account were important.

-- Mark

Mark S.

Dec 7, 2018, 10:50:04 AM
to TiddlyWiki
To me, #3 is illusory. It's really just a form of #1. The data extracted from your fingerprint is just another password that could be in fact stolen and used to misrepresent you. You would not want your biological identifiers to be registered with any entity unless you knew that that entity was encrypting that information thoroughly.

-- Mark

@TiddlyTweeter

Dec 7, 2018, 4:41:11 PM
to TiddlyWiki
Right. It's a very seductive idea that biological markers are safe. It's very dangerous when used remotely, not with you present. Theft of that data could be very difficult to sort out. How would you prove who you are?

@TiddlyTweeter

Dec 7, 2018, 5:06:40 PM
to TiddlyWiki
Just an FYI on this. An Italian bank I am with has a registration process that requires close up shots of your face and eyes via a webcam. This is all done remotely. I felt it was overkill. And it really is not clear to me why it is necessary.

I don't like organisations having my bio-data.

In artworks I made with Angela Weyersberg we explored the decline of the signature -- the point about the signature is it is (or was) a unique expression of a person that is created by them. It used to be important. Its value is now very degraded. The divergence from expressive forms of identity towards somatic static markers is troubling. It has hardly examined consequences.

Side thoughts
Josiah

TonyM

Dec 7, 2018, 5:15:30 PM
to TiddlyWiki
Mario,

I accept your formal definition here of multi-factor, it is helpful. Clearly if the alternative factors come from two or more substantially different sources it contributes to the security. If however I use the common English meaning of factor, "a circumstance, fact, or influence that contributes to a result", it would be fair to consider what I said as correct, the user must supply more than one "password", in this case one to access the internet resource then one to decrypt the content of that resource, in the additional case of the database connector, this value will be stored inside the decrypted TiddlyWiki's session in your browser (not across the internet), but it could be passed in a secure database connection.

However separately from this argument surely it is possible to simply bolt on a 2 factor authentication in place of the first password to an internet resource? 

Regards
Tony

TonyM

Dec 7, 2018, 5:28:00 PM
to TiddlyWiki
Mark and Josiah,

I can't agree more. I have thought a lot about this and believe bio-metrics for authentication is a fool's path. Why do I say this? Because it is a password whose value cannot be changed without surgery, if at all. In no other case do we tie the value of a password to something which actually exists in the real world, it is tantamount to using your birth-date in your password, or a Post-it note on your monitor, whilst your birthdate may be publicly accessible, your bio-metric information may only be privately available initially, but once it is used for authentication a copy of it needs to exist externally from you to compare with it. Then you may be able to re-encode it, but in many ways it can never be changed or it will not map to your physical bio-metrics. Now if the authentication service is compromised as happens from time to time, your bio-metrics may become public, then who gets to use it? And how do you reset it?

A USB token or such is much smarter, especially when combined with another couple of factors such as a password and an installed certificate.

Regards
Tony

Jed Carty

Dec 7, 2018, 5:32:27 PM
to TiddlyWiki
Tony,

Of course it is possible, but just because it is possible doesn't mean it is useful. It is very easy for two factor authentication systems that are improperly implemented to make the overall system less secure. The definition Mario used is important, otherwise the added security is just an illusion. Security questions about favourite pets and old schools are mainly useful for locking people out of their own accounts.

One of the easiest methods of gaining access to an account you are not supposed to have access to is to compromise one form of communication, like redirecting a cell phone signal or creating an email account that used an old service that doesn't exist anymore, and then answering security questions incorrectly enough times to trigger the recovery mechanism and have the recovery password sent using the communication channel you control.

It is very easy to do something that is supposed to make a system more secure that actually makes it more vulnerable by increasing the size of the exposed attack surface.

@TiddlyTweeter

Dec 7, 2018, 5:34:56 PM
to TiddlyWiki
Ciao Tony & Mario

I read Jed's comments with great interest. We are talking here about TW at low scale and with precise and I assume clear procedure. I asked about Two Step Verification basically because various meltdowns of big systems I have used (Quora the latest) have caused me no end of trouble that if they had enforced it would have meant far less hassle. After reading Jed I'm not sure it's needed. I think the point I missed before was I'd have direct control. Not that I don't like the idea of two step. Rather, I don't think now it's absolutely essential.

Best wishes
Josiah

TonyM

Dec 7, 2018, 6:03:02 PM
to TiddlyWiki
Jed 

Agreed.

Tony

HansWobbe

Dec 8, 2018, 7:58:55 AM
to TiddlyWiki
Just a bit of additional background that I hope is not too tangential within this thread...

Security in these contexts is generally about protecting Rights, which makes it a Civil Law matter for most folks who are playing defense rather than offense (when it tends to be a Criminal Law matter). In Civil Law, Judgement tests tend to be based on "preponderance of evidence", as opposed to the higher standard of "beyond a reasonable doubt" that is the threshold for Criminal Law.


A few of the implications I see in this are:

* One implication is that "2 factor" is likely to grow to be (3... 4...) 5-factor as the "arms race" between the "Haves" and "HaveNots"  continues.

* Another implication is that factors are not of equal importance, but instead are very context-sensitive.  For example

** In a dispute about the ownership of an expensive wrist watch, a judge is likely to award custody to the claimant who can correctly recite its serial number.

** In real estate, the value of the asset is relatively large, so many jurisdictions have an accepted "Book of Record" that records the details of the "conveyance" of the ownership of the property from Party A, for a declared Price, to Party B. Both parties are obliged to establish their Identities to a much higher standard than is the case in transactions of lower value.

** In Banking, account access mechanisms need to distinguish between Current accounts (with just enough money to get through a time period conveniently) from Asset accounts (which need proportionately more stringent access controls).

* A third implication is the effect of Privacy on Security. Technologies like DistributedLedgerTechnologies are emerging that provide permanent records of Transactions and their Terms. The needs for and rights to Anonymity in these systems are not yet well understood and are certainly likely to be contentious given the tensions between lawful and unlawful behaviors.

TonyM

Dec 8, 2018, 3:28:44 PM
to TiddlyWiki
Hans,

A tangent or not your points are a valuable contribution. They illustrate how the context, value and other factors have substantial influence on security.

Personally I think security is too often regarded as all or none, and imposes itself too much on the systems it is supposed to protect, sometimes to an extent security diminishes the value of what we are doing in the first place.

I feel we need to build a list of factors to consider and provide some guidance to tiddlywiki security taking account of these factors.

Regards
Tony

HansWobbe

Dec 8, 2018, 5:58:19 PM
to TiddlyWiki
Thanks for the encouragement, Tony.

To your point of "too much" (security), I've been noticing the "blackHat" trends towards bigger and better hacks.  Not surprisingly, they are becoming more proficient and efficient.  One nice consequence of their professional efficiency is that one may only need to be a bit more secure than those on the path of least resistance to their success.  After all, blackHats want to work less too.

Regardless, it's always a never-ending "arms race" between Defenders and Aggressors, so the context within which these contests take place is quite important. Otherwise, it's easy to spend more on protection than the Asset is worth.
