Fundamental Flaw In The Way Wiki Works

HipcrimeFloods are what I'm thinking here. I've had a good search of the wiki pages and I've not seen anything that can prevent a bot. Nothing. Zilch. -- DominicBurns

Well ... WardsWiki stops taking updates if too many come too close together from the same source. And an IP address offending this way is easily blocked ... is this what you have in mind?

I'll pose a question that'll hopefully give a better idea of my view:

If I didn't see wiki as the thing of beauty I do, what's to stop me from writing a bot that would drop thousands of WikiNames onto a single page, regularly, well within the page submission range, from potentially unlimited semi-secure proxy servers, indefinitely? How would this affect the server(s)? Is the server centralized as with the VeryQuickWiki I'm running? Is there a limit to WikiWords on a page?

Bots on UseNet are only limited by UDPs. -- DominicBurns

What's to make you? People don't normally set fire to the commons.

What's to stop me or, more to the point, anyone else? Is there a WikiName per page limit? Should there be? -- DominicBurns

There doesn't need to be a WikiName per page limit; the only thing that a page with a large number of names on it stresses is the formatter, when asked to display that page. WikiNames by themselves don't cause pages to be added to the database.

So it's when the new topic's edited that a new page is added? -- DominicBurns

No - when it's first saved.

Do all wikis work from central servers? -- DominicBurns

While that's technically not a requirement, I can't think of a counterexample. The database of pages needs to be centralized (/replicated) so that formatter knows which WikiWords to turn into links.

Yes. So far, DistributedWiki is all talk. WikiPedia is somewhat distributed over several severs, but since they're all in the same physical location and have the same IP number, it's not distributed enough.

Yes, absolutely, wiki is flawed in the way that this page describes. The only protection this site really has is that it is too easy of a target to interest most. But sooner or later someone is going to take pride in shooting this sitting duck. I've made every attempt to protect this site from accidental abuse. The community here protects it from somewhat more malicious attacks. But I am absolutely not going to enter an arms race with a determined abuser. Instead I just plead: please please please let us be. -- WardCunningham

There's also nothing stopping you from putting a gun in my face and pulling the trigger. But I'm not worried about that happening.

There's rather a lot to stop me, as it goes. My lack of gun, for instance, not to mention having no clue as to your whereabouts and lacking any inclination in the first place. Apart from -that-, there's nothing stopping me. -- DominicBurns

Wiki is pretty light on security. There are a few countermeasures in place to discourage commercial spammers and script kiddies, but WardCunningham has stated his desire to avoid an "arms race" with malicious people. Leaving it open has the effect of removing any sense of challenge. And there are lots of backups, so if some major attack does arise, Ward and others can just wait for it to end and then restore the damaged pages. Unlike UseNet, the garbage will only stay around until someone cleans it up.

What I'm talking about is a persistent, distributed bot attack. Because the principles of wiki are very simple, I imagine it wouldn't be too difficult to build one. Extrapolating from the above, the bot, theoretically, would only need to carry out a number of straightforward repetitive tasks to achieve its goal. I'm thinking 'cascade'. -- DominicBurns

Only part of Wiki is a technical system that you can attack. The other part is the community of thousands of interested and creative people. Attacking the system is simple and will not earn the attacker anything. Attacking that community will make him an outcast (what would happen if they start thinking about attacking him). So there is no flaw in the wiki. Its protection is perfect. We are the protection. -- HelmutLeitner

Why isn't this stuff on WhyWikiWorksNot?

Maybe because someone new thinks he is the first one to discover this "flaw" with wiki?

Attempt to belittle me with sexist, elitist remark noted ;) FWIW, I searched wiki for variations of the word 'flood' in a variety of combinations with the word wiki. I also tried a google search for same. I found nothing that related to it and went from there. I think it's a potential flaw that could be used against wiki in sustained attacks (maybe for censorship, maybe revenge... whatever the motive). I started this page in an effort to analyse the potential problem I could see and attempt to patch it as it appeared there was nothing else relating to this subject. The patch could be as simple as setting wiki up in a decentralized way (which can be considered non-confrontational) but, yes, I'm quite new to this and I don't have all the answers to my questions - another reason for starting this page. -- DominicBurns

[I don't think it was an attempt to belittle you. This idea is not new, and obvious to anyone with the right background. It *has* come up a few times before, but I guess Wiki collectively excised any easy reference to it. Just not that important to keep around, I guess.]

A more fundamental flaw is that some people make WikiNamesWhichAreUnnecessarilyLongAndUnreadable?.

Point taken - perhaps wikiflood would be a better name? -- DominicBurns

How about, oh, I don't know, WhyWikiWorks? Or WhyWikiWorksNot?

I'm almost tempted to make that into a page. Hmmm, autoadjectival pages. Seriously though, that remark made me realize what must be the perfect name for a heretofore (at least to me) unnamed concept. WriteablePageName?; a PageName that can be written in normal conversation.

I am writing this for the second time after IE just crashed on me. This was well-timed as I am considering the value of an idea vs the value of the written content.

I can't remember what I wrote but I remember that the decentralized nature of wiki was part of it and that starting a page to get questions answered was another.

Starting with the second point – I applaud DominicBurns for doing this. I sometimes struggle with the desire to ask questions to get answers and the desire to demonstrate that I have some understanding of the question and insights to share. Often I just want answers, from the wiki audience which I respect. Often I feel an urge to share insights. This posting is of the latter type.

Back to the decentralized nature of wiki. The content may be central but the ideas are decentralized. If the content disappeared, was flooded or destroyed, what would remain? Ideas spread around the world – cool. Changing perspective to view wiki as an enabler of the free proliferation of ideas instead of the perspective of gathering and protecting the content for me addresses this FundamentalFlawInTheWayWikiWorks. It is not about the content here – cool as it is, but about the invisible spread of ideas and the connections between the many authors and readers.

Related - OnlineOrInvisible

I have a suggestion. Make the EditText link less conspicuous. Maybe make it a period or a white GIF or in need of a code word or something. That way newbies may have to read through a few FAQ's before they start changing stuff. It may reduce riffraff who suddenly discover the nearly God-like power of wiki editing and want some teenage entertainment.

Making the EditText link less conspicuous would make editing more difficult for those who really want to do editing. The only problem I see is when vandalism isn't noticed until after the history is purged, and the original is lost.

: There are other backups. Put a "RestoreMe" tag on a page and if you've made a good case it often reappears.

I would like to react to "Making the EditText link less conspicuous" idea. I do not want to be too argumentative, especially given that I'm really really peeved at the recent SPAM invasions in wikidom, but *this* idea won't help much. As some one points out above, it "would make editing more difficult for those who really want to do editing". Moreover, I add, they don't need to SEE the link in order to edit the pages. All they need to do is get a list of the pages (Recent Pages) and create an algorithm that generates URLs like the following one :

http://c2.com/cgi/wiki?edit=FundamentalFlawInTheWayWikiWorks

I regrettably have to agree with the comments throughout this page that creating a bot to change MANY pages automatically would be SO simple to do ( 5 minutes of work ) that it makes me very very worried about the future. There is nothing to stop them from escalating, particularly if they come to the conclusion that doing it by hand (if indeed this is how they are doing it) is not effective enough. It is the END of wikis as we know them, and I state this with ENORMOUS regret. I was so proud to inform my students (hundreds) that wikis were never attacked despite their utter vulnerability. It's akin to adults playing HARD with some toddlers in some sport in the hope of CRUSHING them. Some opportunists will stop at nothing!!

Dealing with SPAM, by resorting to legal means, is a minefield as well. It has to do with international law, e.g. essentially beyond the scope of the national laws of any given state. There is *some* hope here, but only a "fool's hope" as Gandalf would say. As in the frontier days, there is not much law or law-making in these parts, and we're under attack, and therefore we may have to protect ourselves as best we can. Only "members" will be able to edit pages, for example. But, quite frankly, I'm also considering striking back at the persistent ones with a denial of service attack. Too controversial?

Practically I see this wiki as quite secure. The reason is simply, because it is not important. Just like myself. I'm a real nobody. Why would I need a BodyGuard?? Presidents of USA, especially reformers like JohnfKennedy? need bodyguards, OsamaBinLaden did not have enough of them after loosing his value for the AmericanElite?. OK, after mentioning those maybe my need increased slightly ;-) But I'm still quite a nobody. I have no reputation one can suck from, no mentionable amount of money one would like to extract from me. Besides a few not too relevant possibilities, most attacks on websites are because of money. If anybody would seriously design a bot to conquer this wiki, what else than spamming it with ViagraAdd?s or PenisEnlargement?offers would that be? Oh, I forgot about the RussianBride?s ;-) But if any such spammer is half way sane still, he would see two things here:

Hardly anybody uses this wiki.
Used mainly by Nerds grown old.

This is no good scope for Russian brides and the like. Financial schemes would be discussed to death but not bought by the WikiCitizens here. Spammers go, where the dump crowds go. This is not the place. What is left are Script Kiddies. Some youngster who wants to show the old folks, that he can do it. But, do they have server capacity and access to a large number of IPs? Do they populate foreign machines with their bots for a prolonged distributed attack? I don't think so. --ManorainjanHolzapfel

Move along, these are not the WikiPages you are looking for. Yoda or ObiWan?...

CategorySecurity