security

You are currently browsing articles tagged security.

K12 Elgg Security

October 19, 2008 in Elgg, Policies, RSS, Social Networking, Technology, open source | 3 comments

Elgg 1.1 is arriving soon. The project is maturing with more plugins and themes becoming available. It’s time to plan for deployment in the K12 environment. I have been mulling over several special issues in deploying Elgg in a K12 public school setting. I invite you to join the K12 Elgg group on the Elgg Community Website. I am also considering Web publishing and educational technology issues in my Educational Technology Policy Site. Policies need to be in place for working with Elgg and other Web 2.0 applications.

The first thing we need to consider is security. In our situation we will need to have a walled garden. Our school requires anything that is open to the world on the Internet be moderated. Since we cannot moderate in the Elgg environment, all content will have to be kept in house.

The Walled Garden plugin from the Elgg developers does much of what we will need. It disables registration so that  any user accounts must be created by the admin. This prevents outsiders from registering and gaining access to student content. It falls short in a couple ways. As configured, users can choose to make content available to the public under the access controls. In addition RSS feeds could allow outsiders to view content if they obtained the appropriate urls.

In response to my concerns expressed in the K12 Elgg area of the Elgg community, Dave Tosh offered some solutions. He pointed to engine/lib/access.php as the place to eliminate the “Public” option. Students will only be able to select permissions for access to people within the site: private, logged in users, or any collections of friends. I plan on creating a plugin offering this functionality soon leaving the core intact for easy upgrading.

With RSS feeds, Dave suggested that I eliminate the options to subscribe to an RSS Feed and Syndicate OpenDD from the owner’s block menu, then delete RSS and and OpenDD views in the views directory.

Dave is looking into administrative options to toggle public access OpneDD and RSS feeds from the administrative interface. I think this is a good idea that will make it more appealing to the K12 audience out-of-the-box.

If we allow students to work in Elgg without moderation, we need a way to monitor what the students are doing so that they are accountable for their behavior on the site.

Elgg offers several tools to this end. There is the log browser with the ability to refine the results by username and by start/end dates. As admins, we can click on a user’s avatar menu and explore their log. There is also the user option to report content to the administrator.

Use of the log options require active searching and the logs have a lot of entries not related to content. Are there ways to filter out some of the non-content related noise making it easier to monitor students? Would it be possible to create plugins to make this process easier?

These are just a couple areas of concern that I will need to address with school administration and tech committee before deploying Elgg. I hope to have answers to the questions that I know I will face. I’d like to hear what others have to say about these matters. Please comment!

Tags: , , , ,

Security Matrix: WordPressMU

August 16, 2008 in Blogging, Policies, Technology, wordpress | 3 comments

In my previous post about Web publishing security, I proposed the following security matrix:

While this is an oversimplification of the options, I think it gives a framework for making decisions on what web publishing software to deploy, when to deploy it as well as how. As an illustration of how this framework can be used and the potential complexity, we will examine the popular multiple blog platform WordPress MU. Another reason is that we have deployed WPMU in the past and there has been some debate about how it should be used if it should be used at all.

Out of the box, WPMU has two options for access to content: Open to the world and open, but blocking search engines and archivers. It has four options for moderation: Unmoderated, Posts only moderated, comments only moderated, and both posts and comments moderated. With WPMU, then, our matrix looks like this:

As one can see, there are already eight potential options in terms of access to publishing and content. While all the content can be accessed by anyone in the world through both choices, blocking search engines and archivers would significantly reduce access unless one has a link, or goes to the site directly.

WPMU has a plugin that I discussed in an earlier post called More Security Options. This plugin offers three more content access options: Community members (all users with accounts on the WPMU installation), Blog (People who are at least subscribers of an individual blog), and Administrators (only the administrators of an individual blog). The security matrix with this plugin appears:

There are now 20 options in terms of publishing and content access! Arguable, there are even more. For example one could choose to allow unmoderated comments, but restrict comments to logged in members of a blog. Clearly there is enough flexibility in WPMU to accommodate a wide range of Web Publishing Policies.

It is up to school tech committees to consider the ramifications of all of these options in terms of security, audience, and ownership and weigh the pros and cons of each before committing to a particular configuration. Teachers can then decide within the constraints of the school web publishing policy which option best suits their class. Publishing student content to the web is not simply as choice of yes or no. There are several shades of gray. These are not the only considerations and options for deploying this software. For further discussion, refer to my other posts about WPMU for more information on managing and securing the software.

Tags: , , , ,