
[Devel] Privacy, Trust and Piles of Tracebacks

Asheesh Laroia asheesh at asheesh.org
Fri Apr 8 21:20:46 UTC 2011


Hi Jack! Thanks for starting this conversation.

Let me first start by saying that we need to have me be less of a 
bottleneck, and I think that everyone (developers, users) will be better 
off once that's done.

On Thu, 7 Apr 2011, Jack Grigg wrote:

> Hey all,
>
> I've been hacking away at little bits of OpenHatch's Roundup tracker for 
> a while now, such as implementing the milestone feature. While doing so, 
> I invariably break things about a page, and when this happens Roundup, 
> rather than logging to a local error log, decides to email the traceback 
> information to an admin email - currently an @openhatch.org email. 
> Having access to these tracebacks is invaluable in terms of the speed 
> and ease with which I can implement changes to the tracker. The issue is 
> that each traceback also contains the Roundup session ID of the user for 
> whom the report was generated, which could potentially be used 
> maliciously.

It could be used "maliciously" by you. I'm not worried about that in the 
least, since you have control over the code too, so if you wanted to be 
malicious you already can be.

> Now, I personally believe I can trust myself not to use these IDs for 
> harmful purposes (I don't even know HOW to use them for harmful purposes 
> ^_^ )

The privacy policy makes some suggestions for you, in terms of what data 
is private. There are some hints. (-;

> but the point is that other people, namely users, need to be able 
> to do so as well. This also relates to another recent topic of 
> discussion about opening up aspects of the production server to more 
> people (aka: remove the Asheesh bottleneck =P ). Already we have 
> additional people with access to several parts of the ecostructure 
> Roundup backend (as I have been exploiting to great milestone effect), 
> the wiki, the Nagios monitoring system, and the LiSH recovery terminal. 
> And the more people we let in, the easier it is to keep things running 
> smoothly and develop them further - and the greater the chance of abuse, 
> or exposure of private data (though aside from OpenIDs, passwords and 
> some locations, I'm not sure how much personal data we keep).

I agree.

Just to be clear, we're talking about basically two pieces of 
private information:

* Hashed passwords, some of which can probably be reversed into actual 
passwords (if the password is low-quality)

* People's list of email addresses and usernames that they've searched 
for, in the profile importer

The bigger, messier part of this is the idea that you can browse the site 
with the UI saying you are someone else, and I think it's kind of weird to 
do that.

> I'm not trying to be accusatory, or promote an iron-clad militarian 
> approach to handling things ("No Asheesh, you will NOT sleep, you need 
> to watch the server in case a butterfly flaps its wings in Japan!"). Nor 
> am I saying that everything should be open to all. I'm just very curious 
> as to the best way to manage things like this, and how to give 
> assurances to users that those people who do have access to sensitive 
> information are only there because they are helping improve OpenHatch, 
> and only using that data if it's actually necessary. For example, where 
> should the Roundup tracebacks be sent? Should the Monitoring mailing 
> list be a private list for trusted developers? The floor is yours for 
> ideas!

I'm going to email again with some ideas. (-:

> (On another note, because this is an email about privacy, it's given me 
> an excuse to finally get around to setting up OpenPGP on my mail client. 
> Digital signing FTW!)

Make a training mission for it! (-:

-- Asheesh.

-- 
Q:	Know what the difference between your latest project
 	and putting wings on an elephant is?
A:	Who knows?  The elephant *might* fly, heh, heh...
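Jack's point above about tracebacks carrying the Roundup session ID out by email, as an added example that is not part of this thread or of Roundup's own code: a scrubber that replaces the session cookie value (and the client address) in a report before it is mailed, while keeping the traceback and cookie names so the mailed copy is still useful for debugging. The cookie name prefix, the report layout and the sample report are constructed assumptions, not Roundup's actual format.

```python
import hashlib
import re

# Constructed sample report (not a real Roundup traceback email): a traceback
# followed by a dump of the CGI environment, which is where the session cookie lives.
SAMPLE_REPORT = """\
Traceback (most recent call last):
  File "/srv/roundup/cgi/client.py", line 1234, in renderContext
    return self.templates.get(name)
KeyError: 'milestone'

Environment:
HTTP_COOKIE: roundup_session_openhatch=9f3c2a7b1e4d5f60a1b2c3d4e5f60718; theme=dark
REMOTE_ADDR: 203.0.113.7
HTTP_USER_AGENT: Mozilla/5.0
"""

# The "roundup_session" cookie name prefix is an assumption; adjust to the tracker.
SESSION_COOKIE = re.compile(r"(roundup_session\w*=)([^;\s]+)")
REMOTE_ADDR = re.compile(r"^(REMOTE_ADDR:\s*)(\S+)", re.MULTILINE)


def correlation_tag(secret: str) -> str:
    """Short one-way tag so an admin can tell that two reports came from the same
    session without learning the session ID. This is only acceptable because
    session IDs are high-entropy; never do this with low-entropy values."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def scrub_report(report: str) -> str:
    """Return the report with authenticating/identifying values replaced.
    The traceback and cookie names are kept, so the mailed copy still locates
    the bug; the unscrubbed report belongs in a local log readable only by
    the server admin."""
    def cookie_sub(m: re.Match) -> str:
        return f"{m.group(1)}<session:{correlation_tag(m.group(2))}>"

    scrubbed = SESSION_COOKIE.sub(cookie_sub, report)
    scrubbed = REMOTE_ADDR.sub(r"\1<redacted>", scrubbed)
    return scrubbed


if __name__ == "__main__":
    print(scrub_report(SAMPLE_REPORT))
```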
