From August 2012
Column: Drupal in Context

Social Security

Using People (and a Little Tech) to Solve People Problems

"He convinced his employer that the company could double its profits by merely unlocking the front door and allowing customers to come in." — Woody Allen, from "The Diet," in the collection Side Effects

The cost of security is usually measured in milliseconds, developer hours, and gigabytes of storage. But what parts of the tale do those metrics ignore? Consider Allen's joke: the company avoided theft, but at the cost of half of its business. (How the other half shopped through a locked door is left as an exercise for the reader.)

Most "security" focuses on technical issues — how to lock the door, so to speak, and which kind of lock to buy. Drupal's security advisories and the security documentation on Drupal.org are good examples of that phenomenon. This makes sense: when you're good with a hammer, everything looks like a nail. (Credit where it's due: Drupal's security team is very good with a hammer, and there are a lot of nails out there that need pounding.)

Breaches of "security" are very troublesome. But breaches in the social contract — such as spam, trolling, and use of someone else's login — can be just as bad. The advisories don't address such social issues, which can have a bigger business effect than a cross-site scripting hole. (Few people trust an e-commerce site where all the comments are spam.)

Here's the thing: You can't fight a social problem with technology alone. Who hasn't been driven away from a site that was "too secure"? Mandatory membership, administrator approval, IP filters, rate limiting, (broken) CAPTCHAs... all effectively "lock the door." The issue isn't the tools per se, but their application.

Curing Social Disease

Social problems require social solutions. While those solutions are not driven by technology, they are enabled through it. Here are a few examples:

  • To weed out low-quality content (including both spam and trolling), combine a voting system with Views to move the most valued comments to the top. Downside: This requires member involvement, which can ultimately be "gamed" by motivated vandals.
  • Rate site members rather than the content they produce using the Userpoints module. It can be configured to elevate "good" members based on automatic factors (length of time on the site, number of acceptable contributions) and socially driven ones (votes from other members). Then, promote comments from such members as above. The downside: only authenticated users can be elevated in this way, potentially lowering involvement.
  • Using Drupal's own system of roles and permissions, empower trusted members to delete comments. (It's amazing how much free work people will contribute for a little recognition and the common good.)

The fine work of Drupal's security team continues to be essential, of course: Their efforts prevent automated tools from cracking the million-plus Drupal sites, one after another. But as entertainer Wavy Gravy says, "It's all done with people." Keeping in mind how people threaten security — and are threatened by its solutions — will help you keep your site stable and accessible.

Social Tools for Social Troubles

  • Voting API -- Required for several other voting modules
  • Flag -- Simple mechanism for indicating troublesome content
  • Fivestar -- Popular voting module
  • User Points -- For rewarding good users and punishing bothersome ones

Tech Tools for Tech Troubles
