advogato advances, pki and a security / risk assessement

Posted 24 Dec 2001 at 13:47 UTC by lkcl Share This

in security, you need to offset the risk with the cost. in mathematical terms, security tends to zero as the sum of the number of idiots increases to infinity. raph has pointed out that there is a new attention-seeker on the block [in which case, why am i writing this? *sigh*]. this article outlines a plan to consider, re-raising and summarising a number of issues already discussed to increase advogato's signal-to-noise ratio for open source discussion - which is what advogato is all about.

advogato has been adopted and loved by those people that understand it. raph, with advogato.org and ghostscript.com; crackmonkey with badvogato.org; myself with xmlvl.net and dcerpc.net, although with xmlvl i took raph's README comments that he would like to see more xml and less c to heart and stripped out as much hard-coded c as i could possibly get away with [the result? an xml-based scripting language that looks a bit like xslt, although one person who looked at xvl scripts from a distance of 2 metres said it looked a bit like java (!)]

you always find security holes. either in the implementation, or in your thinking [design]. advogato is a social experiment, as much as a proof of concept for trust metrics themselves. that means that security must be applied into the social aspect of advogato as much as it has to be in the code itself. hence, the access control mechanism is controlled by the trust metrics.

now, advogato's access control is quite simple:

  • create an account: you have rights to post diary entries
  • get certified above Observer: you have rights to do everything

in the word "certified", above, is quite a lot of heavy-duty algorithm calculations going on, in which there is a small weakness. advogato's trust metric algorithm, as it stands, could never realistically be used for public key infrastructure. the known weakness in this implementation is that it only takes _one_ successful Certification for someone to be Certified. PKI requires that trust be placed in far more than just one person. unfortunately - and i say this from a viewpoint of having considered and tried to get this for quite a long time - the modifications to the trust metric algorithm are a little bit beyond my time/capability ratio at the moment, although i understand exactly what needs to be achieved.

but first, before considering the algorithm modiufications, i'm going to go into security / risk assessement in a bit more detail. let's say you discover a security risk. well, wow, there's a problem. you assess it. security is all about trading availability of functionality with risk of loss of functionality (sec -> 0 as N(idiots) -> inf...)

first, you need to assess its severity. is it just irritating? is it stopping you from being able to do what you want to do? is it life-threatening?

second, you need to assess its occurrence / occurences. _has_ it happened? if so, how many times?

then, tie these two together to ask yourself this question: can you put up with the security threat _if_ it happens (or is happening)?

if the answer is yes, you can put up with it, then that's the end of it - you can fix it when you feel like it, _if_ you feel like it.

if the answer is no, if it happens, we _can't_ put up with it, then you begin a campaign / plan of action to fix the problem.

thirdly, therefore, you need to find out how long it would take to fix and deploy.

and, once again, you have another factor to consider: if fixing the problem takes you way beyond the amount of time, money or other resources available...

so, in this case, coming back to advogato. as raph says: we have a troller. the risk is that this troller may become Certified, which, according to the Trust Metric Algorithm, may be easier than people think. and if that happens, then this idiot gets the right to post Articles. multiple articles, not just multiple diary entries. that's the risk.

can we put up with it? multiple troll articles? well... no, absolutely not.

therefore, this must not occur. how?

well, articles - on the front page - you could increase the Cert level required for Article posting, say... to... Journeyer. well, that excludes all Apprentices, who make up the majority of the site's Certified people. this would _not_ be good, and additionally, given that Certification is actually relatively easy, it's not a good solution. the trade-off consideration of loss of functionality is simply not acceptable.

okay, well how about requiring more than one Certificate - e.g. three Certs - to receive a Certification Level? mathematically, this is the best solution, and unfortunately it requires an awful lot of work [imo]. i've been talking to raph about it, and my simplistic approach i keep hypothesising to him i do not have the skills to disprove, and raph doesn't have the time to help me get those skills up to scratch to prove. in other words, it may be the best solution but it will require too much time to implement. this is _my_ subjective opinion: someone else may have the skills or time to make this solution feasible [hence this article].

xmlvl's Certification has a simple calculation based on the number of incoming Certs: if the number of incoming Certificate at Master level is less than three, then the person is not included in the Master-level Certification Graph, at all. this is the approach that has a flaw in it (can anyone see what it is? but i want to _prove_ that this is flawed, with an example, rather than "feel" it, intuitively).

okay, so how about having a "Veto" Cert? well, on the xmlvl site, that would be very easy to implement. Anyone Certified at "Master" level would have an extra option appear: "Certify this Person as Vetoed from the site". when the number of Veto Certifications goes above a certain number - twenty - the person's account is disabled. unfortunately, as i said, using xmlvl it would be trivial to implement this. with the mod_virgule codebase, it would be an effort of about one week's work. as for effectiveness: it would work pretty well, but would require active participation of individuals Certified at "Master" level to keep an eye on the site to stop trollers getting Certed by other hidden posters as they create more and more new accounts.

okay, so how about having posting-time-limits? if you post a Diary entry or Article entry, you may not post another one for a further time period? that would at least stop _automated_ trolling, which we haven't seen [fortunately]. this is a la slashdot - timelimits of 5 mins on postings. and it doesn't actually help stop trolling, it just slows it down.

okay, how about expiry dates on Certifications? well, that would help slightly - inasmuch as if someone Certifies a troll, they become a serious problem, and then they never return to the site to de-Certify them, then we're in trouble.

okay, how about asking people to de-Certify trolls? advogato _is_ a social site, after all. well, short-term, this is probably the only solution. and if the people concerned _don't_ de-Certify the trolls? well, then we contact the people certifying the people who Certified the trolls, and de-Certify _them_, and so on, up the chain, until eventually we get to the top-level seeds, raph, miguel, alan and federico, who de-Certify _everybody_ and the entire site grinds to a halt :)

okay, how about adding in something that excludes non-Certified people from the recentdiary list? if you're not Certified at Apprentice, you don't appear on the list?

there are lots of potential solutions: it's always a trade-off. if anyone can think of any more ideas, please post them here. if you know how the trust metrics work and have a mailing list to spare to discuss them, please let me know (at samba-tng.org)

A good solution may already be out there, posted 24 Dec 2001 at 15:25 UTC by tk » (Observer)

As an interim measure, I propose that the current trust metric be frozen. (OK, I know I'm certified as a Journeyer. But I won't mind if only Master-certified people can post and reply to articles.)

The problem raph seems to have is the apparent lack of a good algorithm for implementing trust metrics more general than that currently used -- which relies on the well-known network flow problem. There may well be some research already done in this area, except that they don't appear in the guise of trust metrics and/or they're hidden in some obscure places. Scouring the world for such algorithms may be a good idea.

Algorithms and current research, posted 24 Dec 2001 at 16:58 UTC by MikeCamel » (Journeyer)

There's currently very little research on trust models - I'm currently applying for a PhD in this area (my rather sparse site is at www.p2ptrust.org), and there are a few other people doing research on this issue. I'm currently posting from my parents', and don't have access to my notes, but I'll try to post something here before the New Year.

Part of the problem is that until you understand what the issues are around how people interact, and how different systems might work, it's difficult to identify what the relevant features and variables need to be included in whatever algorithms are put together. We must remember that Advogato is an experiment in progress, and we should expect issues like this to arise. I think it would be very sad to decide to restrict posting to Master level, for instance. I'm currently a Journeyer (though only just), and quite rightly so - I've not contributed much to many Open Source projects - but the sort of people who may have thoughts to contribute in this debate (and many of the others we have here) may not be the Masters of OSS projects (or not just the Masters). Let's keep thinking, discussing, and documenting our thoughts, and maybe hold off while we can. Also, I'd like to suggest that we think about how we can build resilience into the system. I like this better than "stability", because it suggests some elasticity, or at least flexibility. I'll post more when I'm not supposed to be doing Christmas things!

All repeats... may be this time it whould ...., posted 25 Dec 2001 at 02:19 UTC by Malx » (Journeyer)

I think I need to answer this ;-) Hi lkcl, Hi MikeCamel.
If you like - I'll create private mail list for this discussion, so only digest will be posted to Advogato.

First of all - we have limited resourses... It is real problem. Until it exists - we could never do algorithm, which suits all needs. We just can't ignore spam, becouse have no unlimited HDD and internet connection. So we must fight with the fact of Spam. If that whould be true - we just could ignore Spam - make it invisible to us, but archived for history......

Next - we could have static or dynamic defence system - fist one will not allow something. Secound one will allow to do some wrong action, but will fix all things back, if it thinks that it was wrong.
Could you make static system at all (this site thinks it could - so it have no internal protection - only static external)? Which one is bullet-proof armour - Static or dynamic (It allows bullet to crash into it and broke external part of it, but it protects body from bullet, also - it will not protect you forever)?

What is root of authority ? It could be person, idea/algorithm/theory or free fight for best one. Here - root is SEEDs (4 persons) - they deside for us, we trust them by default - have no choice. In lkcl's engine we could make every person to be root for himself (it is natural). He desides what to trust, whom to trust (in life we trust our parents, teachers, gurus, politician ... etc).
But - actually here the root of authority is the only person - and he is raph. Remember what was with site, when there was low limits to network flow ? When most of J becomes O - only raph have had ability to fix this. Only him could deside which new level to set.
Person could be killed(Kennedy), idea/theory could be spoiled with wrong implementation (communism), now the only root actually could be used - free fight (yes - it is politics).

Who could be at top level ? How to get them? - this is partially extension of previous. You can't have democracy any more...
It is for shure that at top must be person, who knows his job - not just a random person. He must be specialist. But who could tell us - if he is or not (who is better from 2? if there is an exam - who create thouse tests for exam?)? :)
only free fight.... the one, which have luck and have knowlege in this speciality, but not actually the best.

What you want to get from TM?
Do you thinks that best code developer will also be best articles writer? And how could you know that he also very good psychologist to deside who must be Master and who Apprentice?
Actually you must separate TM tree trunk from it's leafs. Only trunk could have branches. Leaf can't make branch! But also branch coudn't be green. So SEED could only certify that this person able to distinguish Junior coder from Apprentice coder or Observer - He make branch - he sertifies that this branch is able to make smaller branches. Now we have tree. After its every branch could make leafs (number of them limited to the diameter of branch, but I have not seen trees with leafs on main trunk actually ;). Leafs are also persons! By making them Leaf you telling that yes! you are Master coder, but you can't distinguish bad from good! - so he could post articles, but he can't grow tree, he can't certify others.
this will help grow tree without loosing all good articles and still allow to block intruders.

Ops... it was not get from.... ;) I mean what whould you expect to get from site? Good people or good articles? ;)
You need different algorithms for thouse 2.

Random:

You need to save Cert level of person at time the article was posted
You need to save original article/notes, before it was edited or deleted - or you will got reply, which refers to noneexistent text
SEED must not be Master - he must be above this level
You can't deside for all, you can only choose for yourself (so no veto certs at all, only self-trust).
If certs whould expire - some MyAdvogato script will provide you auto-refresh service ;-)
Web site is useless. You need to have NEW-IRC, NEW-mail, NEW-USENET as the same solution. Also you could implement web interface if you like it, but after all SMTP/NNTP/LDAP/IRC/Jabber interfaces.
The best service Advogato provides is ..... recentlog. It have no protections at all.
If you whould make this protection - this will not be good service any more ;-(
Algorithm will not help you until you make good social model.
Levels here on Advogato is no more given according to envolment in OSS projects.
But! page about certificates still says, that this is! It is not telling true hings. It is American Dream - how it must be.
PKI is only tells you, that SEED site trusts someone.... but root of trust is DNS ;) you need to trust it

advogato's application of trust metrics is quite limited, posted 26 Dec 2001 at 12:49 UTC by lkcl » (Master)

compared to the dcerpc.net and xmlvl.net site's, advogato's application of trust metrics is very limited, due to the trust metric algorithm being quite inflexibly hard-coded into mod_virgule. in dcerpc.net and xmlvl.net the trust metric algorithm is just another xml module (a bit like xslt extensions) that can be used in any way, shape or form, as malx hints at.

what i am saying is that, as malx describes, and has been discussed many times before, it is possible to make several trust metric calculations from the same node graph of Certifications - using different seeds as the top-level input. see http://xmlvl.net/tmetric and type in any person's name on the site (you may need to type person:theusername) to see what i mean.

so let's create a few examples of metric calculations:

- For the Front Page: perform a trust metric using the site's Front Page trusted individuals (raph, miguel, alan, federico).

- For your *own* purposes and interests: perform a trust metric using your *own* name as the trusted individual.

The former will give you a list of people linked to the Front Page trusted individuals, who are by inference given the rights to post on the front page.

The latter will give you a list of people that _you_ have Certified, relative to yourself.

Now, for example, by taking only the names that are in _both_ these lists, you get a group of people that _you_ are interested in _and_ are trusted by the site maintainers. An option could be added to the site to *exclude* articles, diary entries etc that are not in this list - a bit like slashdot's "threshold" levels.

At some point, something like this will need to be added to advogato, if the S/N ratio is to be kept as high as possible

resilience, posted 26 Dec 2001 at 13:04 UTC by lkcl » (Master)

hi there mike,

good to see some other people interested in this subject.

the trust metric system used in advogato _could_ be extremely resilient _if_ the modifications that raph recommends were added. the enhancements are, as i described in the article, for multiple Certifications to be required for an individual to reach a Certification level.

now, clearly, the whole [enhanced] system could collapse if the top-level seeds don't inter-certify each other, or if the number of Certifications required exceeds the number of top-level seeds! if there were two Certs required, but only two top-level seeds, you can't _get_ anywhere!

btw have you read raph's original paper?

over-reaction, posted 26 Dec 2001 at 22:01 UTC by sneakums » (Journeyer)

tk writes:
As an interim measure, I propose that the current trust metric be frozen.

Why, exactly? To guard against an "attack" that has yet to materialise? What you suggest may prevent such an "attack", but it most certainly will prevent people from joining and being integrated into the Advogato society as they have in the past.

So far, all we have is a troll who posts entries that many people find offensive. I suggest we show a little maturity and cease to read those entries.

measured measures, posted 27 Dec 2001 at 00:27 UTC by lkcl » (Master)

the reason why i wrote this article including a mini howto on security/risk analysis/assessement is because i would like to see people's recommendations include such an assessement.

tk, freezing the advogato trust metric system is definitely an over-reaction, and, please try not to take this the wrong way, as we really _need_ more people to research this area (tm's).

whilst this article is intended to find out a) if any options are needed and b) what the options _are_, this is a live-running site, and it needs to prepare itself [and its members and programmers] _now_ to take on the future risks, react proactively and grow in its role as a self-governing, self-running community resource site.

so, we need measured measures. my assessement of this individual [whose comments i haven't even _seen_!] is that it's currently low-key, and not worth pursuing. any more such individuals, and that assessement will change.

Re: measured measures, posted 27 Dec 2001 at 03:37 UTC by tk » (Observer)

so, we need measured measures. my assessement of this individual [whose comments i haven't even _seen_!] is that it's currently low-key, and not worth pursuing. any more such individuals, and that assessement will change.

I too think the current situation is acceptable. But I don't think one should wait until a threat really happens before responding to it. Perhaps freezing the current trust metric is too drastic, but doubtless something needs to be done right now (though exactly what is to be done can only be decided by raph).

A possible solution may be to employ a trust system which works at several levels: Articles, replies and certifications don't always take effect immediately, but are instead routed to the "seed" for approval. The "seed" is allowed to directly certify people, but the people so certified have no rights to certify other people. The "seed" may also grant others the right to certify other people (for a certain number of levels), and/or the right to approve article and reply postings...... The basic idea is that, at the end of the day, it is the "seed" who decides who can be trusted for which tasks. This may work, though it'll likely involve a lot of manual labour.

"approval", posted 27 Dec 2001 at 16:40 UTC by lkcl » (Master)

hmmm.... the idea of approval has merit. the point of advogato is that it is supposed to be self-governing, and for that reason i hadn't even considered approval of postings _at all_.

so, the search is on for an appropriate idea to ensure that "moderation" - a la slashdot - doesn't place a heavy load on the people who have to do the moderation.

one possibility: in xmlvl.net and dcerpc.net, there is a _sort_ of "moderation" - self-moderation.

again, it hinges on the trust metric. not only can people be certified but also articles (and news reports. and projects. etc.). by Certifying a newsreport, then _if_ it receives a Cert at Journeyer or above, it will appear on the frontpage. when a newsreport or article is created, the site scripts automatically issue a Certification, to avoid the problem of the poster forgetting about it!

... but again, to be "secure", this relies on a more robust t.m. algorithm.

and, ultimately, as you hint at, tk, not one single modification will occur without raph - the site maintainer and single point of failure in the advogato site's future - having enough time and being convinced to make them.

don't approve articles, rate authors, posted 28 Dec 2001 at 15:57 UTC by cmiller » (Master)

One of the traits of advogato that I find attractive is the lack of moderation of works of members, and instead, the rating of members themselves. Rating the articles of members adds only complexity to a system that already has sufficient access controls (though the metric may indeed need tweaking* ).

Adding a preposting moderation buffer doesn't solve any problem, if you still work from the assumption that a rogue member can get certification too easily and certify plenty of self-created noise multipliers. Those noise multipliers could just as easily vote noise into our faces.

The correct solution is a good trust metric of users. I'm not alotgether certain that the current metric needs adjusting. The hand-wringing is over an imaginied problem. A little navel-gazing (packing these metaphors in tight!) from time to time is good, but Advogato is doing quite well, so far.

*) So, how could Advogato make changes? First, assume that the current number of levels of trust are a good thing, and nearly sufficient. Then, pull the "root" masters up to another higher level (which is identical to "master" except that they can certify others as "master"). Then, change the metric to make it nearly impossible(**) for a member to pull another member up to the pulling member's trust level.

**) Codifying such an idea as "nearly impossible" is an excercise left to the reader. :)

degrees etc., posted 28 Dec 2001 at 17:34 UTC by lkcl » (Master)

hi there,

interesting ideas, mr miller.

the reason why xmlvl.net and dcerpc.net xml script code auto-certs an article by the author when it is submitted is to avoid exactly the issue that you point out: site complexity [misunderstanding of trust metric concepts and usage]. so, in simplistic terms, "yes articles are Certified, but you don't need to worry about it: it Just Works, okay? :)"

thanks for the independent opinion that the current usage of trust metrics on advogato for access control is sufficient.

also thanks for the idea of people not being able to certify others at their own level [in some form]. this implies continuity [and the possibility of trust metric collapse!] and using a previous trust metric calculation as input to calculate the next.

i think that this definitely has merit, although unless worked through it could mean that the number of degrees from the supersink is limited to the number of levels (Master, Journeyer, Apprentice) whereas the number of degrees at the moment [in the capacities: check the source code and raph's paper] is limited to seven.

AG improvement, posted 28 Dec 2001 at 22:18 UTC by Malx » (Journeyer)

First of all I do not think any advice whould be adopted by raph :) No comments from him yet. But it could be incorporated in xmlvl...

1. Need to improve recentlog. It could be done by adding custom-recentlog (it will include all people you have certified - it will also help with certification process ;) AND members-recentlog (which includes all except observers) AND observer-recentlog (only Observers). All this _in addition_, not in place of current!!! (actually it will help to shut up troller-haters ;-)

2. Hiding of information is good strategy (I mean values of network flow), but at least you should show which of certs are actual (wich of them give to this person positiv inbound network flow). It will help to track people, which you need to talk to, to cancel someones level at Advogato. Possible tradeoff - site will become crude and bad place :(

3. Direct messages. You need to have web-form to allow A,J,M to send direct mails to persons (not all of them show their e-mails) without dislosing destination e-mails. This must be limited to 1n mail for every person person and to ~10 lines/50Kb (just to allow begin normal mail discussion, if that person wants to ;).

ok ... it's enough for now ... :)
there is other ideas, but you have not reacted to my post... :( Mail me directly if you have not understand it (a was not able to clearly describe it ;)

answers:
The only real risk here - is possibility to delete information. You could do it by editing diaries, by editing notes to person and to project. It could be done by capturing others passowrd (or browser with coockies). Spam is not real risk (not for server nor for people).
BTW. do you remember mirwin and his long posts :)
you could increase the Cert level required for Article posting - no, it just will increase minimum normal-life level ;)
posting-time-limits - NO! I'm using dialup and editing messages offline, then post all of them at onece.
expiry dates on Certifications - better to have expiration of persons. Not the usual way, but just not to include certs they give to others in calculation if person have not logged in cite for month or to. But if he logs in - all his certs are back and active (and all certs, others give him is unaffected - so he will not loose his level).
a trust metric using your *own* name as the trusted - You can't use it freely , becouse spammers could fill-up your disk space :(
I don't think one should wait until a threat really happens - But it is best practice if you look at it from time/money/tradeoff side :))))
future risks, react proactively - it is always limited to our imagination :)
the idea of approval has merit. - It helps to fight Spam, but really it is not good idea
site scripts automatically issue a Certification- GOOD! but default level should be configurable. If I writing COOL article I will never forget to certify it, but for ordinary one - it should be certified as A or J level, not M.
Rating the articles of members adds only complexity to a system - sorry, not only. But we have not so many articles here to have benefits from it.
impossible(**) for a member to pull another member up - read about TM. Raph and Lkcl - this idea is written, becouse you have hide net-flow algorithm values from people :)
interesting ideas - lkcl! please! tell with of interesting ideas are interesting enough to be implemented :)))

Phoon: Apparently OpenSourcesJapsEye certified me. Is there any way to reject a certification? - interesting question :))))))))))))

Prevent troll talks, posted 29 Dec 2001 at 03:24 UTC by proski » (Master)

The main reason why the troll "community" exist on Slashdot is because they can easily communicate. One troll posts very early in the discussion and other trolls read early comments with a low threshold. Very few of those trolls would continue to post if they knew that most of their "colleagues" won't see their comments.

If we limit what the unregistered and non-certified users can see, then very few "certified trolls" would bother trolling. In other words, one would have to be certified to see the content produced by people with little affiliation to the site.

recentlog, posted 29 Dec 2001 at 11:09 UTC by lkcl » (Master)

okay.... so... combining malx and proski's ideas: a really _simple_ improvement would be to remove from diary recentlog anyone who has not received a Certification.

pymmetry, posted 29 Dec 2001 at 11:11 UTC by lkcl » (Master)

i'm trying to implement the requirement to have more than one Cert, by modifying the net_flow algorithm to find multiple paths. when the number of paths found from a node to the supersink equals the number of required [independent!!!!] paths, then the game's afoot.

working with python is a hell of a lot easier than c [raph's original code was in java].

2lkcl, posted 29 Dec 2001 at 12:03 UTC by Malx » (Journeyer)

NO! I'm aginst this change of recentlog!!!!

I am telling about 4 recentlogs. They must exist same time!
1) normal , 2) custom (only people you ceted), 3) only A,J,M, 4) Observers.

So people could choose for any combination they like:
1
2
2+4
3
3+4

Do not forget about robots (scripts which are checking for answers to you). They are exists already.

lkcl - whould it be good solution for net-flow, if you whould split calculation for every SEED? Then you whould cetr person if only he is LEVEL for 3 of 4 calculations?

more thoughts, and a reference, posted 29 Dec 2001 at 15:44 UTC by MikeCamel » (Journeyer)

Folks - glad to be back. I've found the reference that I was looking for to Alfarez Abdul Rahman's research, in case anyone's interested. I've not had the chance to read any of this, really (I'm currently finishing an MBA before trying to knuckle down to the PhD work). A few other comments:

  • could someone point me in the direction of raph's original paper (or do you mean the fc.ps on the "about Advogato" page?
  • I'd be against too much editing of recentlog - whether automatically or by hand (although I'd love to see a "less-recentlog" added, so I could go back over items I'd missed, but that's another story). This community revolves around its diary entries, and there's lots of cross-referencing, which is good. How would we learn about the new people on this site, or the projects they're engaged in? How would we certify them?
  • how easy would it be to add another level?
  • I worry, however, about how we cope with the growth in numbers that we're enjoying at the moment. On the one hand, it's good, but on the other hand, it's difficult to keep track of people and ideas. Not sure how to reconcile these two issues, and without a pick-list of people I'm interested in (maybe with some random entries thrown in?), it's difficult to see how to keep Advogato cohesive. Do we want it to be cohesive, or should we allow it to be fairly open, but maybe allow chatroom equivalents (this thread is turning into one of those, but what will happen in the New Year, when new articles turn up, and this vanishes from the front-page?).
  • Hmm - more on that. How about some special interest groups? Maybe with read access to all, but without write-access That might allow us to be more selective (you could have a couple of moderators per group, or have a voting system), and we could have "mini-Advogatos", and try out new trust metrics (or just stick with the old one, but with different seeds). It would also be a great opportunity for me to do some experiments on you all for my PhD! (-8
  • how about starting a mailing list, if we're interested enough, and the special interest groups idea is too complicated?

sorry malx :) mike's points, posted 30 Dec 2001 at 00:21 UTC by lkcl » (Master)

customisation is a little more work... options etc. mind you, crackmonkey added customisation (unread messages / catch-up) pretty easily.

could someone point me in the direction of raph's original paper (or do you mean the fc.ps on the "about Advogato" page?
yes.
I'd be against too much editing of recentlog - whether automatically or by hand (although I'd love to see a "less-recentlog" added, so I could go back over items I'd missed, but that's another story). This community revolves around its diary entries, and there's lots of cross-referencing, which is good. How would we learn about the new people on this site, or the projects they're engaged in? How would we certify them?
well, on dcerpc.net, the message system (similar to diary, in fact identical code! but you name _who_ the message is to) is used quite extensively, to communicate between people. it's something that's definitely missing from advogato.

you know, i _really_ wish that advogato - the site - could move forward instead of remaining static.

never mind.

your points - learning about new people - are exactly the kinds of reasons i was looking for as a useability / security tradeoff i described in the beginnings of this article. iow, this person - this _one_ person, i have to say, isn't enough of a threat to consider reducing their visibility at the cost of reducing everyone _else's_ visibilty!

how easy would it be to add another level?
two lines of code and a recompile, plus an apache reload. xvl (running dcerpc.net and xmlvl.net) it's one line in an xml file - not even a recompile is needed, or even to stop the site whilst running live.
I worry, however, about how we cope with the growth in numbers that we're enjoying at the moment. On the one hand, it's good, but on the other hand, it's difficult to keep track of people and ideas. Not sure how to reconcile these two issues, and without a pick-list of people I'm interested in (maybe with some random entries thrown in?), it's difficult to see how to keep Advogato cohesive.

well, already, people have been doing off-site analysis and indexing - off-site because this site has one maintainer - raph - who's extremely busy. the site _is_ useful but restricted / limited in functionality.

if you have any recommendations, mike, then if i have some free time i can add them into the example dcerpc.net or xmlvl.net source scripts. the download rate of xvl is kinda slow and steady, which is weird, i have to say. it's like... 1000 downloads in a year. so there _are_ people out there who might actually have a use for it (!!!)

Do we want it to be cohesive, or should we allow it to be fairly open, but maybe allow chatroom equivalents (this thread is turning into one of those, but what will happen in the New Year, when new articles turn up, and this vanishes from the front-page?). Hmm - more on that. How about some special interest groups?
again, dcerpc.net and xmlvl.net's site scripts have the concept of "groups". The Plan was to give these groups sub-domain-names and then sub-sites off of dcerpc.net. e.g. freedce.dcerpc.net - the site - would be controlled by the special interest group "FreeDCE Admins". these people would be the top-level seeds for freedce.dcerpc.net, aside from other purposes / uses.

but the main usage of dcerpc.net, a not very frequented site, is its front-page reference, the url reference (for me! :) and the cvs repository.

Maybe with read access to all, but without write-access That might allow us to be more selective (you could have a couple of moderators per group, or have a voting system), and we could have "mini-Advogatos", and try out new trust metrics (or just stick with the old one, but with different seeds). It would also be a great opportunity for me to do some experiments on you all for my PhD! (-8
coooool :)

yes, i've been thinking about how to do a voting system with trust metrics [counting the number of valid Certs?] any such systems would be inherently unstable....

how about starting a mailing list, if we're interested enough, and the special interest groups idea is too complicated?

yesplease!

sorry malx :) mike's points, posted 30 Dec 2001 at 00:21 UTC by lkcl » (Master)

customisation is a little more work... options etc. mind you, crackmonkey added customisation (unread messages / catch-up) pretty easily.

could someone point me in the direction of raph's original paper (or do you mean the fc.ps on the "about Advogato" page?
yes.
I'd be against too much editing of recentlog - whether automatically or by hand (although I'd love to see a "less-recentlog" added, so I could go back over items I'd missed, but that's another story). This community revolves around its diary entries, and there's lots of cross-referencing, which is good. How would we learn about the new people on this site, or the projects they're engaged in? How would we certify them?
well, on dcerpc.net, the message system (similar to diary, in fact identical code! but you name _who_ the message is to) is used quite extensively, to communicate between people. it's something that's definitely missing from advogato.

you know, i _really_ wish that advogato - the site - could move forward instead of remaining static.

never mind.

your points - learning about new people - are exactly the kinds of reasons i was looking for as a useability / security tradeoff i described in the beginnings of this article. iow, this person - this _one_ person, i have to say, isn't enough of a threat to consider reducing their visibility at the cost of reducing everyone _else's_ visibilty!

how easy would it be to add another level?
two lines of code and a recompile, plus an apache reload. xvl (running dcerpc.net and xmlvl.net) it's one line in an xml file - not even a recompile is needed, or even to stop the site whilst running live.
I worry, however, about how we cope with the growth in numbers that we're enjoying at the moment. On the one hand, it's good, but on the other hand, it's difficult to keep track of people and ideas. Not sure how to reconcile these two issues, and without a pick-list of people I'm interested in (maybe with some random entries thrown in?), it's difficult to see how to keep Advogato cohesive.

well, already, people have been doing off-site analysis and indexing - off-site because this site has one maintainer - raph - who's extremely busy. the site _is_ useful but restricted / limited in functionality.

if you have any recommendations, mike, then if i have some free time i can add them into the example dcerpc.net or xmlvl.net source scripts. the download rate of xvl is kinda slow and steady, which is weird, i have to say. it's like... 1000 downloads in a year. so there _are_ people out there who might actually have a use for it (!!!)

Do we want it to be cohesive, or should we allow it to be fairly open, but maybe allow chatroom equivalents (this thread is turning into one of those, but what will happen in the New Year, when new articles turn up, and this vanishes from the front-page?). Hmm - more on that. How about some special interest groups?
again, dcerpc.net and xmlvl.net's site scripts have the concept of "groups". The Plan was to give these groups sub-domain-names and then sub-sites off of dcerpc.net. e.g. freedce.dcerpc.net - the site - would be controlled by the special interest group "FreeDCE Admins". these people would be the top-level seeds for freedce.dcerpc.net, aside from other purposes / uses.

but the main usage of dcerpc.net, a not very frequented site, is its front-page reference, the url reference (for me! :) and the cvs repository.

Maybe with read access to all, but without write-access That might allow us to be more selective (you could have a couple of moderators per group, or have a voting system), and we could have "mini-Advogatos", and try out new trust metrics (or just stick with the old one, but with different seeds). It would also be a great opportunity for me to do some experiments on you all for my PhD! (-8
coooool :)

yes, i've been thinking about how to do a voting system with trust metrics [counting the number of valid Certs?] any such systems would be inherently unstable....

how about starting a mailing list, if we're interested enough, and the special interest groups idea is too complicated?

yesplease!

combine, posted 30 Dec 2001 at 10:38 UTC by Malx » (Journeyer)

a voting system with trust metrics - but TM is already a vouting system!!! :) itself. You vote for new members. You just need separate type of cert :) All is done already.
BTW re-read what I have written about Tree-vs-leafs. What do you thinks? (in that case you could issue multiple leavs - one is certifing person (for example you must certify yourself! And your level whould be what you thinks you is , but not more, then is you tree-level(your ability). Second - could be voting-for-something cert (again , not more than you allowed by tree structure)).

If you whould combine my and proski's ideas this whould be:
1) recent-logs N1,2,4 are readable only by A,J,M persons.
2) personal pages /person/NAME/ of Observers are readable only to A,J,M persons and NAME.

Actually now we have information hiding. I have discovered recentlog feature only when became A ;)

maillist, posted 30 Dec 2001 at 12:14 UTC by Malx » (Journeyer)

Mail list was created.
If you want to be add - mail to me at uazone dot net. And say why you want to be add ;) (introduce yourself).

A couple of hacks I'm trying on robots.net , posted 1 Jan 2002 at 23:14 UTC by StevenRainwater » (Master)

I added a couple of things to the mod_virgule code I'm using on robots.net that might be of interest here. The first was making the access levels a little finer grained. On advogato, observers can post a diary entry, and users with any level of cert have full privileges. On robots.net, I set it up like so:

Observer: can post diary entries

Apprentice: Observer privileges + may reply to articles (but not post them), may create projects

Journeyor: Apprentice privileges + may post new articles

Master: Same privileges as Journeyor

I also added a date field to the user account that tracks the last login date of the user. A perl program runs daily as an account reaper, killing off non-certified accounts that have been inactive for specified amount of time. (I ran BBS systems years ago in the pre-Internet days and an account reaper was crucial to prevent your disk space from being used up by inactive accounts).

great!, posted 2 Jan 2002 at 10:35 UTC by lkcl » (Master)

hi there steven, long time no hear from!

fantastic to hear that you've created some mods: please keep them handy... in the "just in case" scenario.

my feeling is, and other people have confirmed, that as things stand, there's a definite risk but clearly no definite threat [aside from which, who _wants_ to cause trouble to a bunch of nerds like us??? *grin*]. so applying the up-security _right now_ will simply lose us a lot of interesting people and quite possibly kill off the site.

that's not to say that other people running mod_virgule would be v. v. interested in applying your patch immediately: thanks steven.

btw ...it would be better to not have to use perl to delete accounts :) mod_virgule is supposed to be self-sufficient :)

My take, posted 4 Jan 2002 at 04:37 UTC by forrest » (Journeyer)

It seems to me the situation is that there are a few troublemakers (only one now?) who can immediately be recognized by a large majority of the diary-reading population as spewing utter crap.

I think this calls for a form of negative certification that matches the situation.

Negative certs are nasty, brutish things that would undermine the positive atmosphere here, and as such must be approached with much caution. I'm not suggesting another level "Troll" to go beneath Observer -- that would lead to a lot of ugly games.

I'm suggesting a seperate system which takes precedence over the cert levels ... if some mondo huge number of readers identify someone as a troll, then it probably is a troll, and the account can be summarily silenced.

The protection against abuse comes from the number of troll-votes someone would need to get: it would have to be really, really large.

This troll-vote system would interact with the cert system: only those certed as Apprentice or above (as in, really participating in the site) could cast troll votes, and only Observers could be voted down as trolls.

Although it involves implementing a seperate system, which may be a pain, the model I'm suggesting fits the situation as it seems to me.

The model needs to fit the situation, right? Otherwise, it won't work well.

How to introduce oneself?, posted 4 Jan 2002 at 07:12 UTC by ringbark » (Journeyer)

If the suggestion (I think from lkcl) were to be implemented, it would become very difficult for an outsider, whether honest or dishonest, to start on the road to certification.

An Observer who is not certified would not appear on the recentlog, so only those looking at recent members joining or at the list of all members will see them at all. Once they are no longer recent entrants, they would only feature on the list of all members, a field of so much dross that I arrely visit it, as the large collection of names-only is like wading treacle.

I accept the level I have here, which seems pretty fair considering what I do and where I do it, but I could never have reached it without goodwill arising from early diary entries. In those days, I couldn't post anything except diary entries, and am grateful for the goodwill of a tiny number of members to have got where I did.

I have previously touched on the Thawte Web of Trust, which offers a reasonably straightforward trust metric. There are various levels of trust here, but it's a different matter to consider identifying that a person is who they say they are as opposed to identifying that people might want to read what they have to say.

Slashdot's new code, posted 4 Jan 2002 at 10:20 UTC by MikeCamel » (Journeyer)

I notice that /. have just introduced some new code to allow people to certify others as "friend" or "foe". The idea that we could ignore people (rather like on IRC or MUDs), without necessarily affecting their rating, is a good one. I take the point about "brutish" measures, and I think that the fact that this is a one-on-one measure seems to offset that somewhat. It might be interesting to consider whether it would be a good or bad idea to let people know that they've been ignored. I'm not sure that the "friend" certification is as useful, but I've not given it a lot of thought yet.

With Trust comes Distrust, posted 6 Jan 2002 at 07:28 UTC by turing » (Journeyer)

It follows if we allow users to certify others as "trusted" that we should allow those and others to revoke that trust, just as people do in real life: if I trust you and loan you a treasured book.. and you destroy that book, I may cease to trust you.

So, I think "nagative trust" needs to be incorporated into the model, which would allow the community to collectively manage trollers (or indeed, any bad people)

As much as we can model the trust metric on real human behavior, obviously the more capable the system will be.

May I suggest we allow certifications as:

Dork Idiot Assh*le Satan

:)

About Idiots.., posted 6 Jan 2002 at 10:52 UTC by Malx » (Journeyer)

lkcl's XMLVL engine have interesting feature.
You could create Group called Idiots and add any person into it. But .... still you need to be Master of that group (It is becouse you have create it ;). And that person can't get rid of this group.

Pseudo-accounts and other ideas, posted 6 Jan 2002 at 16:45 UTC by GJF » (Apprentice)

I set up a mod_virgule clone last year. The main change I made to the trust metric system was to prevent apprentice level people posting articles.

An idea I had which should prevent the problem of a single certification promoting a person to Master level was to use pseudo-accounts for the seeds. The pseudo-accounts can then certify the original seeds (i.e. pseudo1 certifies raph) - in this way you move everyone one level further from the root. No programming is required (you would need to recompile mod_virgule). Of course quite a few people might drop off the bottom and lose their certifications (me included?).

I agree with those who suggest that diary entries are the only way for observers to obtain the profile you need to get certified - I was an observer for many months before finally making apprentice. So hiding the recent list would tend to exclude newcomers to the movement.

The problem of de-certifying people - is a key one for mod_virgule. The trust metrics will work provided those who give out certifications are also able to revoke those certifications. The trust metric needs to ensure that trust flows only from people who are active on the site. A timeout, or decay on the trust metric would be two ways to do this. I think additional (negative) trust metrics would introduce new issues to resolve. (I do kind of like the idea of a trust metric veto by vote of a large proportion of the members).

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

X
Share this page