A note of thanks to our most recent vandal

Usually one doesn’t go out of one’s way to thank someone who causes damage to other people’s stuff, but I felt it would be an appropriate gesture in this case. As some of you might have noticed, the main WikkaWiki site was again the target of a scripted attack in which automated user registrations were used to vandalize various pages on the site. While the damage was only temporary (all pages were fully restored, and the Perl script used for the restoration is available upon request), the attack prompted us to re-evaluate our priorities given the limited amount of development resources available (namely, the time we volunteer to keep Wikka secure and feature-rich).

As a result of this introspection, the decision has been made to incorporate many of the security features currently in “beta” status on the main Wikka site into the main development trunk, and to create release “branches” that will allow us to continue to focus on providing new functionality while still providing the latest in security measures.

What does all this mean to someone who just wants to have a secure Wikka site? Since we are on the verge of releasing 1.1.7, you will have a choice of either being able to download the feature-rich 1.1.7 version (when it’s available), or the more secure, but less feature-rich, “trunk” version. After 1.1.7 is released, those new features will be merged with the security features in the “trunk” for a subsequent release.

Why would someone want to (temporarily) opt for more features and less security? Wikis running on an intranet probably aren’t prime targets for scripted attacks. Those sites that have restricted and/or disabled user registrations are likewise less vulnerable. For these types of sites, upgrading to 1.1.7 makes perfect sense.

We’ll be posting more details on these changes in the near future. I just wanted to take a few moments to let everyone know what we are doing in order to support both security and functionality upgrades without having to sacrifice one for the other.

And to take a few moments to thank our most recent vandal for giving us that “push” we needed to evaluate our development process and priorities.

–Brian

