Preventing vandalism of the Koha demo sites
Everyone,

As many of you know, the Koha demos currently linked to koha-community.org are hosted by ByWater Solutions. This morning we noticed some offensive vandalism on the main staff page. It has been removed, but it's gotten us thinking about how we can secure the demos better against such things in the future.

Current thinking is that we should set the database up to refresh from a clean copy every hour. This would limit exposure to offensive damage to a brief window, but would also mean that anyone taking a tour and adding test records may lose them midway through their explorations. A brief note to this effect should be put both outside and inside the demo, but it would still prove annoying.

Rather than acting unilaterally upon a community resource, we thought it would be best to get the community's opinions on how best to handle this. Is an hour too narrow a window? Should we only refresh certain tables (like systempreferences) and leave others (like biblios or borrowers)? Are there other methods we should consider?

My goal is to get this taken care of by the end of the day. If good ideas come in after that, though, I am of course willing to change course.

Cheers,

-Ian Walls
Lead Developer
ByWater Solutions
Could you detail what kind of vandalism it was? Was it a scripted attack? If yes, a simple template improvement could do the job on the login page (like "how much is 2x3")?

--
Paul POULAIN
http://www.biblibre.com
Expert in Free Software for information and documentation
Tel : (33) 4 91 81 35 08
Paul,

This particular vandalism was the embedding of an obscene image in the staff client main block. It appears to have been done by an individual human, rather than a script.

-Ian
I think if you listed at what time the database resets, that would be fine. Something like, the database resets at the top of every hour, or on every even hour, etc.

A while back I took a look at the Bywater demos and there was something questionable in the news section then too. I can't remember what it was exactly - but it obviously shouldn't have been there.

Josh Westbrook
Prescott Library Mngr/District Technology Mngr
Walla Walla County Rural Library District
joshw@wwrurallibrary.com
http://www.wwrurallibrary.com
Eric,

That seems like a good way to deal with not wiping out someone's active data, while still keeping the database clean. I'll look into it. Thanks!

-Ian

On Wed, Mar 24, 2010 at 1:19 PM, Eric Bégin <Eric.Begin@inlibro.com> wrote:

Thank you Ian for letting us know.

My suggestion would be to reset the database every hour only if there were no active sessions in the last <timeout syspref value> seconds.

How does that sound?

Eric
On 24/03/2010 18:19, Eric Bégin wrote:

My suggestion would be to reset the database every hour only if there were no active sessions in the last <timeout syspref value> seconds.

++, this is a very good idea!

--
Paul POULAIN
http://www.biblibre.com
Expert in Free Software for information and documentation
Tel : (33) 4 91 81 35 08
Everyone,

I have set up the demo installation we're hosting to automatically refresh the database every hour on the hour. At this time, it does not respect current sessions, but I'm looking into teching up the script in the near future to support that idea.

Please let me know of any problems, and if you have further ideas on other ways to deal with this issue, I'd be happy to hear them.

Cheers,

-Ian
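The hourly refresh Ian describes, combined with Eric's "only if no session was active within the timeout" condition, as an added example script that is not part of this thread or of ByWater's actual deployment. It assumes a MySQL database named koha_demo, a clean mysqldump at a placeholder path, and uses the staff-client access log's modification time as an approximation of the most recent session activity, compared against Koha's timeout system preference.

```shell
#!/bin/sh
# Hourly Koha demo refresh that postpones the reset while a session is active.
# Added example only; not the script deployed on the ByWater demo.
# ASSUMED placeholders: DB_NAME, CLEAN_DUMP, ACCESS_LOG.
set -eu

DB_NAME="${DB_NAME:-koha_demo}"
CLEAN_DUMP="${CLEAN_DUMP:-/var/backups/koha_demo_clean.sql}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/apache2/koha-staff-access.log}"

# Koha stores the session timeout (seconds) in the 'timeout' system preference.
session_timeout() {
    mysql -N -s -e "SELECT value FROM systempreferences WHERE variable = 'timeout'" "$DB_NAME"
}

# Approximation of the most recent session activity: the access log's mtime
# (epoch seconds) moves on every staff-client request. Empty if the log is absent.
last_activity_epoch() {
    stat -c %Y "$ACCESS_LOG" 2>/dev/null || echo ""
}

# Pure decision, so it can be exercised without a database:
#   $1 last activity epoch ("" = no activity seen), $2 now epoch,
#   $3 timeout in seconds (assumed fallback of 600 s if the syspref is unreadable)
should_refresh() {
    last="$1"; now="$2"; timeout="${3:-600}"
    [ -n "$last" ] || return 0            # nobody has been active at all
    [ $((now - last)) -ge "$timeout" ]    # true only once the session window has elapsed
}

# Overwrite the demo database from the clean dump (mysqldump emits DROP TABLE
# statements by default, so vandalised rows do not survive the restore).
refresh_database() {
    mysql "$DB_NAME" < "$CLEAN_DUMP"
    logger -t koha-demo-refresh "database restored from $CLEAN_DUMP"
}

main() {
    if should_refresh "$(last_activity_epoch)" "$(date +%s)" "$(session_timeout)"; then
        refresh_database
    else
        logger -t koha-demo-refresh "activity within session timeout; refresh postponed"
    fi
}

# Assumed cron entry, every hour on the hour:
#   0 * * * * /usr/local/sbin/koha-demo-refresh.sh run
case "${1:-}" in run) main ;; esac
```

Because the decision is a pure function of three numbers, the skip/refresh logic can be checked on a workstation before the script ever touches the demo database.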