From August 2012

Drupal in Context

Social Security

Using People (and a Little Tech) to Solve People Problems

"He convinced his employer that the company could double its profits by merely unlocking the front door and allowing customers to come in." — Woody Allen, from "The Diet," in the collection Side Effects

The cost of security is usually measured in milliseconds, developer hours, and gigabytes of storage. But what parts of the tale do those metrics ignore? Consider Allen's joke: the company avoided theft, but at the cost of half of its business. (How the other half shopped through a locked door is left as an exercise for the reader.)

Most "security" focuses on technical issues — how to lock the door, so to speak, and which kind of lock to buy. Drupal's security advisories and the security documentation on are good examples of that phenomenon. This makes sense: when you're good with a hammer, everything looks like a nail. (Credit where it's due: Drupal's security team is very good with a hammer, and there are a lot of nails out there that need pounding.)

Breaches of "security" are very troublesome. But breaches in the social contract — such as spam, trolling, and use of someone else's login — can be just as bad. The advisories don't address such social issues, which can have a bigger business effect than a cross-site scripting hole. (Few people trust an e-commerce site where all the comments are spam.)

Here's the thing: You can't fight a social problem with technology alone. Who hasn't been driven away from a site that was "too secure"? Mandatory membership, administrator approval, IP filters, rate limiting, (broken) CAPTCHAs... all effectively "lock the door." At issue isn't the tools per se, but their application.

Curing Social Disease

Social problems require social solutions. While not driven by technology, they are enabled through it. Here are a few examples:

  • To weed out low-quality content (including both spam and trolling), combine a voting system with Views to move the most valued comments to the top. Downside: This requires member involvement, which can ultimately be "gamed" by motivated vandals.
  • Rate site members rather than the content they produce using the Userpoints module. It can be configured to elevate "good" members based on automatic factors (length of time on the site, number of acceptable contributions) and socially driven ones (votes from other members). Then, promote comments from such members as above. The downside: only authenticated users can be elevated in this way, potentially lowering involvement.
  • Using Drupal's own system of roles and permissions, empower trusted members to delete comments. (It's amazing how much free work people will contribute for a little recognition and the common good.)
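Wiring the second and third points together, as an added example rather than the column's own code: a Drupal 7 hook_cron() implementation that grants a "Trusted member" role to accounts that meet automatic factors (account age and accumulated User Points). The module name trusted_member, the role name, the thresholds, and the choice to give that role the core "administer comments" permission through the admin UI are all assumptions; userpoints_get_current_points() comes from the User Points module, which the module's .info file must list as a dependency.

```php
<?php
/**
 * @file
 * trusted_member.module (assumed name): on cron, grant a "Trusted member"
 * role to accounts old enough and with enough User Points. Drupal 7 APIs.
 */

// Thresholds are assumptions; tune them to the site's own population.
define('TRUSTED_MEMBER_MIN_AGE', 30 * 24 * 60 * 60); // 30 days, in seconds.
define('TRUSTED_MEMBER_MIN_POINTS', 100);
define('TRUSTED_MEMBER_ROLE', 'Trusted member');     // Created in the admin UI.

/**
 * Implements hook_cron().
 */
function trusted_member_cron() {
  $role = user_role_load_by_name(TRUSTED_MEMBER_ROLE);
  if (!$role) {
    watchdog('trusted_member', 'Role %role does not exist; nothing promoted.',
      array('%role' => TRUSTED_MEMBER_ROLE), WATCHDOG_ERROR);
    return;
  }

  // Active, non-anonymous accounts older than the threshold that do not
  // already hold the role. The LEFT JOIN + IS NULL keeps the query idempotent.
  $query = db_select('users', 'u');
  $query->leftJoin('users_roles', 'ur',
    'ur.uid = u.uid AND ur.rid = :rid', array(':rid' => $role->rid));
  $uids = $query->fields('u', array('uid'))
    ->condition('u.uid', 0, '>')
    ->condition('u.status', 1)
    ->condition('u.created', REQUEST_TIME - TRUSTED_MEMBER_MIN_AGE, '<=')
    ->isNull('ur.rid')
    ->execute()
    ->fetchCol();

  // Second automatic factor: points earned through acceptable contributions
  // (and votes from other members, if User Points is configured that way).
  $promote = array();
  foreach ($uids as $uid) {
    if (userpoints_get_current_points($uid) >= TRUSTED_MEMBER_MIN_POINTS) {
      $promote[] = $uid;
    }
  }

  if ($promote) {
    user_multiple_role_edit($promote, 'add_role', $role->rid);
    watchdog('trusted_member', 'Granted %role to @count account(s).',
      array('%role' => TRUSTED_MEMBER_ROLE, '@count' => count($promote)));
  }
}
```

The mirror case (revoking the role with 'remove_role' when points drop below a floor) follows the same pattern and is what gives the role its "punishing bothersome ones" side; every grant and revoke is logged to watchdog so the moderation decisions stay auditable.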

The fine work of Drupal's security team continues to be essential, of course: Their efforts prevent automated tools from cracking the million-plus Drupal sites, one after another. But as entertainer Wavy Gravy says, "It's all done with people." Keeping in mind how people threaten security — and are threatened by its solutions — will help you keep your site stable and accessible.

Social Tools for Social Troubles

  • Voting API -- Required for several other voting modules
  • Flag -- Simple mechanism for indicating troublesome content
  • Fivestar -- Popular voting module
  • User Points -- For rewarding good users and punishing bothersome ones

Tech Tools for Tech Troubles