The security model for something like tiddlywiki is completely different
than a large online service.

Two factor authentication for something like tiddlywiki doesn't do much to
improve security. Two factor authentication is mainly helpful in situations
where there are large centralised stores of login information that may be
compromised. In that case two factor authentication can help prevent
breeches because just because someone has your login information they can't
necessarily get to your data. For this reason these large systems generally
have physically separate systems for the authentication and the actual data
store.

A tiddlywiki would normally not be stored on this type of system so the
same system has the login info and the data. So if someone were to breech
the system and get the login info they are already where they need to be to
get your data and a two factor authentication system can actually be
counter productive. It is distressingly easy, at least in the US, to hijack
a cellphone signal using a man-in-the-middle attack and intercept an sms if
that is your second channel in your two factor setup.

A simple single file wiki that you encrypt and put on a usb drive and carry
around with you is far more secure than any online system. It would be as
secure as anything can be and still be usable. Nothing is secure against a
rubber hose attack.

As things stand right now the setup I have for ooktech.xyz is about as
secure as anything online. I don't control the physical hardware and it may
be slightly more secure to store the tiddlers in an encrypted database
instead of as normal files, but that is debatable because any
authentication system is on the same physical system so it loses a lot of
the benefits of the secure database that way.

But I don't think that any of that is actually what you are thinking about.
You seem to be talking about secure access to a remote system which isn't
really a tiddlywiki question. It is a matter of what remote system you are
using, how do you intend for the participants in the conversation to
connect to it and how much interest do people have in what you are doing.

The question of 'is remote access from one computer to another possible' is
yes, Tox manages it using p2p methods that I have been working on
replicating with Dodo and they may be able to be applied to Tiddlywiki.


And as a note about threat and security models, if I wanted to hack into a
big cloud system I wouldn't bother with anything technologically
sophisticated. The weakness of facebook is that they employ people who have
access to the systems and not all of them are paid well. As the people
selling access to the Aadhar database showed, there are plenty of people
who will give you access if you find the right person to give some money to.

So the question isn't about if you can make tiddlywiki secure, that is
easy: yes.
The question is, what are the circumstances around what you are doing with
it and is they secure. You can have the best lock and strongest doors in
existence but it doesn't help if you leave your windows open.

Wow. These things have become so common, the Quora hack didn't even make it
into my newsfeed.

If you need person-to-person private conversation, why not email with
PGP/GPG ?

You could also use GPG to convert messages to text and insert it into a
tiddler. Then any public exposure would be irrelevant.

PGP has been around since almost the beginning. It's had slow adoption
because of the fiddly steps needed to set it up on both ends of a
conversation. Something like it should be the default -- the way https is
becoming the default.

You mentioned Bob can run scripts for you. I can imagine invoking a script
that converts tiddler text to gpg and turns it into a tiddler.

2FA as commonly implemented with SMS turns out to be no panacea -- cell
phone numbers can be hijacked. Using a FIDO device might be better, but is
not widely supported yet. None of this 2FA does any good if the main
database, as in the case of Quora, is hacked.

-- Mark

Josiah,
I did not get your original message on security. I'm using Gmail, checked
SPAM and TRASH and it was not in either. These are your messages, as of
11:35am this morning, that I had received:

[tw5] Re: TiddlyWiki at the local Community College 6:38am

[tw5] Re: I love TiddlyWiki because... 7:17am

[tw5] Re: Favicon is not displayed 9:36am

[tw5] Re: [I'd like to TALK] ... About Security 9:43am

Tony,

Of course it is possible, but just because it is possible doesn't mean it
is useful. It is very easy for two factor authentication systems that are
improperly implemented to make the overall system less secure. The
definition Mario used is important, otherwise the added security is just an
illusion. Security questions about favourite pets and old schools are
mainly useful for locking people out of their own accounts.

One of the easiest methods of gaining access to an account you are not
supposed to have access to is to compromise one form of communication, like
redirecting a cell phone signal or creating an email account that used an
old service that doesn't exist anymore, and then answering security
questions incorrectly enough times to trigger the recovery mechanism and
have the recovery password sent using the communication channel you control.

It is very easy to do something that is supposed to make a system more
secure that actually makes it more vulnerable by increasing the size of the
exposed attack surface.

Just a bit of additional background that I hope is not too tangential
within this thread...

Security in these contexts is generally about protecting Rights, which
makes it a Civil Law matter for most folks folks who are playing defense
rather than offense (when it tends to be a Criminal Law matter). In Civil
Law, Judgement tests tend to be based on "preponderance of evidence", as
opposed to the higher standard of "beyond a reasonable doubt" that is the
threshold for Criminal Law.


A few of the implications I see in this are:

* One implication is that "2 factor" is likely to grow to be (3... 4...)
5-factor as the "arms race" between the "Haves" and "HaveNots" continues.

* Another implication is that factors are not of equal importance, but
instead are very context-sensitive. For example

** In a dispute about the ownership of an expensive wrist watch, a judge is
likely to award custody to the claimant who can correctly recite its serial
number.

** in real estate, the value of the asset is relatively large, so many
jurisdictions have an accepted "Book of Record" that records the details of
the "conveyance" of the ownership of the property from Party A, for a
declared Price, to Party B. Bother parties are obliged to establish their
Identities to a much higher standard than is the case in transactions of
lower value.

** in Banking, account access mechanisms need to distinguish between
Current accounts (with just enough money to get through a time period
conveniently) from Asset accounts (which need proportionately more
stringent access controls)

A third implication is the effect of Privacy on Security. Technologies
like DistributedLedgerTechnologies are emerging that provide permanent
records of Transactions and their Terms. The needs for and rights to
Anonymity in these systems are not yet well understood and are certainly
likely to be contentious given the tensions between lawful and unlawful
behaviors.