Evergreens

Mark Smith's Journal

Work related musings of a geek.

protected content security

[staff profile] mark
There's a bunch of talk going around right now about the whole issue of content security, and trusting the people who host your content and have access to it. I wanted to talk on that for a moment as it's something that is really important to me.

The only people that are authorized to view protected content on Dreamwidth that they don't otherwise have access to are [staff profile] denise and myself. We are the only people with the proper access level. On top of that, it's not automatic -- in order to view the protected content, every time one of us visits a URL we have to edit it and add "viewall=1" to the end of it. It's a very manual process (for good reason). It's also logged -- and I don't know about Denise, but I review the logs regularly, just like every other security log we have.

The second level of access is for people who have access to the production servers that run Dreamwidth. When someone has the ability to log in to our servers, they have full access to the data on the databases and could in theory access protected content. The only people with server access are again myself and Denise, plus our two sysadmins: [personal profile] matthew, who used to work for LJ (before and during Six Apart), and [personal profile] alierak, who I've known for a decade and I trust completely.

That's it. The four of us.

At some point, it comes down to trust. We need the ability to work on the servers, so there are always going to be a set of people who have the ability to see private data. This isn't something that we can feasibly get rid of, either. The data exists on the servers (that's how we can show it to you and the people who are authorized to see it) and we need access to those servers to maintain them. The data isn't just sitting around visible to us, though -- it's tucked away in the database and requires a lot of manual effort to dig out, unzip, and connect to a user account. We never see post content accidentally.

In the end, I think that the best that I can offer anybody is to be explicit about who has access (and what kind of access they have) and to personally watch the security logs. I watch to make sure we don't have unauthorized access to our servers, and I look for unauthorized access to private data as well. It's part of the routine, and it's something I take very seriously. Having dealt with some problems related to this in the past (on other projects, with other people), it's not something I want to see Dreamwidth have to go through.

I'm happy to talk about this, if anybody has any thoughts, comments, or questions.
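The viewall=1 flow the post describes, as an added example rather than Dreamwidth's own code: ordinary readers never touch the privileged path, staff get protected content only by explicitly adding the flag, every use of the flag (granted or denied) is logged for review, and the log can be rolled up into the kind of periodic "x journals were looked at for a, b and c reasons" count the comments ask for. The account names, the `AuditLog` class and the function names are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed: the two staff accounts the post names as the only ones
# allowed to use viewall. The real site keeps this in its privilege tables.
VIEWALL_STAFF = {"mark", "denise"}


@dataclass
class AuditLog:
    """Append-only record of every attempt to use the privileged path."""
    entries: list = field(default_factory=list)

    def record(self, actor, owner, url, reason, granted, when):
        self.entries.append({"ts": when, "actor": actor, "owner": owner,
                             "url": url, "reason": reason, "granted": granted})


def viewall_requested(url: str) -> bool:
    """True only if the caller explicitly appended viewall=1 to the URL."""
    return parse_qs(urlparse(url).query).get("viewall") == ["1"]


def can_view_protected(actor, owner, url, is_trusted_reader, log,
                       reason="unspecified", when=None):
    """Decide whether `actor` may see `owner`'s protected entry at `url`.

    Ordinary access (own entry, or on the owner's access list) is never logged.
    The privileged path needs both staff membership and the explicit flag, and
    is logged whether or not it is granted, so log review can spot bad attempts.
    """
    if actor == owner or is_trusted_reader:
        return True
    if not viewall_requested(url):
        return False  # staff without the flag see exactly what a stranger sees
    granted = actor in VIEWALL_STAFF
    log.record(actor, owner, url, reason, granted, when or datetime.now(timezone.utc))
    return granted


def monthly_summary(log: AuditLog, year: int, month: int) -> Counter:
    """Granted viewall uses by stated reason for one month: the raw figure a
    periodic transparency report would be generated from."""
    return Counter(e["reason"] for e in log.entries
                   if e["granted"] and e["ts"].year == year and e["ts"].month == month)
```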
09.05.2010 07:07 pm (UTC)

(no subject)

Posted by [personal profile] damned_colonial
We were talking about something vaguely similar the other week at work, and we decided to trigger an email whenever someone did something with their elevated privs, so that it would be more visible to those who needed to know about it and the person doing it would be accountable.

Thinking along those lines, could you send a notification to the user, as well as logging, when someone with privs views a protected entry? The text of the message could include something like, "This is most likely in relation to a support request you raised" or whatever is necessary to explain why it's happening and reassure the user. It feels, to me, a bit like the email you get that says "Someone, possibly you, has requested a password change."
Edited 09.05.2010 07:08 pm (UTC)
09.05.2010 08:35 pm (UTC)

(no subject)

Posted by [personal profile] eagle
One other thing along those lines to worry about is that you could end up in a situation where you're legally not permitted to notify the user that their content is being viewed (a valid search warrant, for instance). While this is exactly the case where I suspect most users would like to be notified, since you're a US business, you simply can't. So saying that you'll notify users when the content is viewed is to some extent promising something that you can't reliably deliver.

My purely personal perspective, admittedly as someone who knows a lot about how this sort of thing works since I'm a professional sysadmin, is that the site users have to trust you and Denise by necessity and, beyond that, I'm not sure there's a lot of utility in trying to enable community audit of your activities. I'm also not sure that there's much utility in notification if there's no option or decision available to the user.

One thing you could consider is, in a future world in which you may want to grant more fine-grained access to additional people, would be to distinguish between access under the user's control and access that is done by a site admin. For instance, when submitting a support ticket, a user could potentially get a checkbox saying "allow senior support people access to my restricted content" which they could check if the request seemed to warrant it. If they chose not to check it, then their support request may take longer if it requires such access until you or Denise or similar staff had a chance to look at it.

Not sure if the gain is worth the complexity, though.
10.05.2010 08:11 am (UTC)

(no subject)

Posted by [personal profile] noxie
For instance, when submitting a support ticket, a user could potentially get a checkbox saying "allow senior support people access to my restricted content" which they could check if the request seemed to warrant it.

I would love that.
10.05.2010 10:52 am (UTC)

(no subject)

Posted by [personal profile] pne
One other thing along those lines to worry about is that you could end up in a situation where you're legally not permitted to notify the user that their content is being viewed (a valid search warrant, for instance). While this is exactly the case where I suspect most users would like to be notified, since you're a US business, you simply can't.

That reminds me of rsync.net's warrant canary (and others like it).
09.05.2010 08:43 pm (UTC)

(no subject)

Posted by [personal profile] aveleh
If it's automatic, I suspect people would use it as a form of harassment; sending in a report purely so that the poster would get a notification that it was looked at. That's not a reason to avoid doing this, but I'm not sure that the benefits are worth it.

An alternative could be something like you guys have talked about in terms of sharing TOS investigations; doing it the other way? "In May, x journals were looked at for a, b, and c reasons". Let people know how rare or common it is?
09.05.2010 11:44 pm (UTC)

(no subject)

Posted by [personal profile] msilverstar
I like this, especially if it's auto-generated by the database records. While it's self-reporting, it's enough to give everyone some feeling for the process, and change over time (so give percentages too).
Edited (where "this" = periodic reports of what accesses have been done) 09.05.2010 11:46 pm (UTC)
11.05.2010 03:21 pm (UTC)

(no subject)

Posted by [personal profile] phi
I like this idea as well.
09.05.2010 08:53 pm (UTC)

(no subject)

Posted by [personal profile] rydra_wong
The viewall utility is used for many uses, not all of which I would want to send emails for. (Reports of a credible suicide threat, investigating a ToS violation, me verifying imports/deletes/purges/things, etc etc...)

Maybe it would be useful to have a FAQ section or something about this, spelling out under what circumstances viewall gets used, who can use it, and emphasizing what DW does to protect privacy and ensure that the ability to access private/locked posts won't be abused.
10.05.2010 08:10 am (UTC)

(no subject)

Posted by [personal profile] noxie
+1

I think this would be a great thing for the FAQs.