[tw] Re: Newbies only - GitHub? really?

2016-10-16 Thread PMario

Proposal: Why an e-mail based workflow could work!

On Sunday, October 16, 2016 at 7:04:43 AM UTC+2, JWHoneycutt wrote:

> 1) I want complete control over my wiki.
> 2) I want to make it accessible on the web, and not with a link to my 
> Dropbox, or in a way that has my name all over it.
> 3) I want it securely encrypted.
> 4) I want to know who is logging in to access it, so that I can verify 
> their identity. (Facebook login confirmation?)
> 5) I want to be able to control what portions of the wiki are 
> available, and individually expand what is available over time.
> 6) I need to restrict/eliminate the viewer's ability to edit a tiddler.
> 7) I need the viewer to be able to provide comments/suggestions for me 
> be able to incorporate into the wiki.
> 8) I need to create a separate wiki for each different viewer, if they 
> chose to enter personal information into it.
>
> 9) This is all about medical records - so the controls have HIPAA and 
> legal requirements.


add 1) I want complete control over my wiki.

Not only you want this. Your users may want that too! TiddlyWiki's initial 
design is a locally stored wiki. With everything which is local, you and 
your users have full control. 


add 2) I want to make it accessible on the web, and not with a link to my 
Dropbox, or in a way that has my name all over it.

As I wrote in my reasoning. As soon as it's on the web, it's public. 
Encrypted or not, it will be very hard to delete it. Except, if you own the 
server. And even then, you are bound to local law. 

I don't understand your phrase: "or in a way that has my name all over it." 
Given that you deal with "sensitive private data" I think "trust" is 
involved. I personally wouldn't trust anyone, that I don't know. ... So 
this is confusing for me!?!

Anyway: If you send your locally generated TiddlyWiki's per mail, the mail 
client can use (open)PGP 
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP encryption. So 
only the recipient with the right key can read your mail conversation and 
the TW content. 

It's not needed to trust the e-mail server, but sure it will be a plus. 
This e-mail server is the only "moving part" here. There are some "throw 
away email services". If we trust PGP, there is no need to trust the e-mail 
server. It would be nice though, if the service would delete all messages 
after a given time eg. 2 weeks or even less. 


add 3) I want it securely encrypted.

I personally would let the operating system deal with encrypting/decrypting 
the Harddisk and use PGP to send stuff via email. PGP is considered secure, 
if the key length is big enough. ATM 2048 bit if I remember right. 



add 4) I want to know who is logging in to access it, so that I can verify 
their identity. (Facebook login confirmation?)

If you use PGP and email, both of you are safe, that nobody else can access 
the content. Your receiver can be sure, it was you that sent it and you can 
be sure that only the right recipient can open it. No need for logging and 
leaking information. 


add 5) I want to be able to control what portions of the wiki are 
available, and individually expand what is available over time.

TiddlyWiki allows you to export several tiddlers in a so called 
tiddlers.json file. It contains only those tiddlers, that you exported. You 
can encrypt this file and your client can drag and drop import it to an 
existing locally stored TiddlyWiki. So you can make an "incremental update" 
... or

Or you can mail them a completely new TW file. ... So no complicated 
managing overhead needed.


add 6) I need to restrict/eliminate the viewer's ability to edit a tiddler.

Can be done, but nobody did it yet. Depending on how you send updates see 
add 5) the solution may look different. 


add 7) I need the viewer to be able to provide comments/suggestions for me 
be able to incorporate into the wiki.

That's what e-mail was invented for. Your client just needs to use PGP too 
and you can have an "end to end" encrypted conversation. The e-mail client 
can do all the key management for you. see: 
https://support.mozilla.org/en-US/kb/digitally-signing-and-encrypting-messages 
for a possible workflow. .. There is still a learning curve, but it's 
definitely less than a cloud based solution. 


add 8) I need to create a separate wiki for each different viewer, if they 
chose to enter personal information into it.

yes. 


add 9) This is all about medical records - so the controls have HIPAA and 
legal requirements.

This may still be a problem, but my proposed workflow has a lot less 
"moving" components that need to be audited. ... 

As always:
just some thoughts

I'm sure, this process can be improved, but I think it's worth to give it a 
try. 

have fun!

Mario Pietsch

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to tiddlywiki+unsubscr...@googlegroups.com
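
Added example, not part of the original post or of TiddlyWiki itself: one way to prepare the incremental tiddlers.json update described under point 5 before it is encrypted and mailed. The tag names (release-1, private) and the sample tiddlers are constructed assumptions; signing and encryption stay with the mail client's OpenPGP support.

```python
import hashlib
import json
import re

# Constructed sample in the tiddlers.json export shape: a JSON array of
# tiddlers with string fields; multi-word tags are written [[like this]].
SAMPLE_EXPORT = json.dumps([
    {"title": "Welcome", "tags": "release-1",
     "modified": "20161001120000000", "text": "General information."},
    {"title": "Intake process", "tags": "release-1 [[subject matter]]",
     "modified": "20161010090000000", "text": "Steps for new clients."},
    {"title": "Billing codes", "tags": "release-2",
     "modified": "20161011090000000", "text": "Not released yet."},
    {"title": "Patient notes", "tags": "release-1 private",
     "modified": "20161012090000000", "text": "Must never leave this wiki."},
    {"title": "$:/config/Draft", "tags": "release-1",
     "modified": "20161012100000000", "text": "System tiddler."},
])

TAG_RE = re.compile(r"\[\[(.+?)\]\]|(\S+)")


def parse_tags(field):
    """Split a TiddlyWiki tags field into a list of tag names."""
    return [m.group(1) or m.group(2) for m in TAG_RE.finditer(field or "")]


def select_for_release(export_json, allowed, deny=("private",), since=None):
    """Return (released tiddlers, {title: reason withheld}).

    Deny tags override allowed tags, system tiddlers ($:/...) are never
    sent, and `since` (a TiddlyWiki timestamp string) limits the result to
    tiddlers modified after the previous mail-out.
    """
    released, withheld = [], {}
    for tiddler in json.loads(export_json):
        title = tiddler.get("title", "")
        tags = set(parse_tags(tiddler.get("tags")))
        if title.startswith("$:/"):
            withheld[title] = "system tiddler"
        elif tags & set(deny):
            withheld[title] = "deny tag"
        elif not tags & set(allowed):
            withheld[title] = "no allowed tag"
        elif since and tiddler.get("modified", "") <= since:
            withheld[title] = "not modified since last release"
        else:
            released.append(tiddler)
    return released, withheld


def package(tiddlers):
    """Serialize deterministically and return (payload bytes, SHA-256 hex)."""
    payload = json.dumps(tiddlers, sort_keys=True, indent=1).encode("utf-8")
    return payload, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    released, withheld = select_for_release(SAMPLE_EXPORT, {"release-1"})
    payload, digest = package(released)
    print("release:", [t["title"] for t in released])
    for title, reason in withheld.items():
        print("withheld:", title, "-", reason)
    print("sha256:", digest)
```

The withheld map gives a per-tiddler reason to review before the file is attached, and the digest can be quoted in the signed mail so the recipient can confirm which release they imported.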

[tw] Re: Newbies only - GitHub? really?

2016-10-16 Thread PMario
Hi JWHoneycutt,

I needed to modify your original text, and added some numbers, so it's 
easier for me to reply.

Sorry for the wall of text, that follows. As I wrote the Conclusion, I 
thought I'd start with it, because it's much shorter than the replies :)

On Sunday, October 16, 2016 at 7:04:43 AM UTC+2, JWHoneycutt wrote:
>
> 1) I want complete control over my wiki.
> 2) I want to make it accessible on the web, and not with a link to my 
> Dropbox, or in a way that has my name all over it.
> 3) I want it securely encrypted.
> 4) I want to know who is logging in to access it, so that I can verify 
> their identity. (Facebook login confirmation?)
> 5) I want to be able to control what portions of the wiki are 
> available, and individually expand what is available over time.
> 6) I need to restrict/eliminate the viewer's ability to edit a tiddler.
> 7) I need the viewer to be able to provide comments/suggestions for me 
> be able to incorporate into the wiki.
> 8) I need to create a separate wiki for each different viewer, if they 
> chose to enter personal information into it.
>
> 9) This is all about medical records - so the controls have HIPAA and 
> legal requirements.
>

*Conclusion: (also see second post)*

Your sentence from the OP (original post) here: 

>There's a whole bunch of stuff there: Gitignores, Readmes, Dockers, Gems, 
and even "instructions" with racing graphics.

shows me, that you did read and think quite a lot about your problems. The 
solutions should be easy, but they aren't and that may be frustrating. 
(just a guess :)


IMO if you treat your point 9), the HIPAA requirements, real, it makes 
everything complicated. So my proposal is: 

 - Use TiddlyWiki and 
 - Use encrypted e-mails.  ... That's not a joke. 
 

The following reasoning will show you why "the cloud" may be the wrong 
thing here. 

Or jump to the second post, why I'd go with plain old email :)


== reasoning ==


You are touching 9 points, which are a valid desire and seem to be simple. 
But they are very very challenging because of (but not only) point 9 
"medical records" aka "sensitive personal data". For me it also seems, that 
you mix up several things. ... I'll try to explain some contexts, that I 
think are important, to understand, what you actually request here. 

add 1) I want complete control over my wiki.

That's exactly, what TiddlyWiki is intended to be used for. TiddlyWiki.html 
is a single file, that lives on your local harddisk and therefore you have 
"complete control". If your harddisk is transparently encrypted by your 
operating system, no extra steps are needed. Not even the built in 
encryption. .. The weak spot here probably is your log in password ;)


add 2) I want to make it accessible on the web, and not with a link to my 
Dropbox, or in a way that has my name all over it.

If you want to keep 1) "complete control" intact, you need your own server 
in your own location. Because that's the only way to have "complete 
control". period. 

If you don't want to have your own server, you ''have to'' trade "control" 
for "convenience".

IMO because of 9) private data, a free hosting service is ''No'' option 
here, since: 

* There are many "free hosting" companies out there, that let you trade 
"convenience" for "tracking-data" and "control". They are _NOT_ free. You 
pay them with your data and the allowance to spam you with adverts. period.
* So you need a paid service that you can trust. Professional hosting 
services trade money for "convenience". They provide hosting solutions that 
give you "full control". They just run the hardware for you! Important: 
know the "terms of service"!!!

The problem here is, that you still need to deal with "Authentication" 
https://en.wikipedia.org/wiki/Authentication and "Authorisation" 
https://en.wikipedia.org/wiki/Authorization, which isn't simple at all if 
done right. That's why we tend to trade "convenience" with "control" and 
"tracking-data" and let 3rd parties do that for us. eg: log in via: 
twitter, facebook, google, .. (but: there is NO free lunch!)


add 3) I want it securely encrypted.

TiddlyWiki has a built in mechanism, that lets you encrypt the whole 
content. All tiddlers. The encryption process runs locally in your browser. 
The library and the mechanism, that is used to encrypt the stuff is 
considered to be safe at the moment in time. 

see: http://tiddlywiki.com/#Encryption,
and: http://tiddlywiki.com/#Stanford%20JavaScript%20Crypto%20Library

The important point here, is the password that you use. If it's weak and 
guessable, the whole mechanism is also weak. I found a nice article about 
strong passwords: 
http://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

I think this topic is important, since not only you have to remember your 
passwords. Your clients will have to remember them too!! Also see your 
point 5) "expand access over time

[tw] Re: Newbies only - GitHub? really?

2016-10-16 Thread Jed Carty
The google forms based commenting that Mat made for twaddle, which is probably what 
you are talking about with the comment icon on well made wikis, is done by 
storing comments on google sheets using the google forms api. This is 
sharing the information with google. And you can't use facebook to track or 
limit who accesses the data without sharing the identity data with facebook. 
I used hashover on my blog wiki thing, but that requires my own 
hosting space and I wouldn't put too much faith in how secure it is.

You can make a general information wiki that is generally accessible to 
anyone online and they can download their own copy and enter whatever 
information they want into it. It would be on their own device and they 
would have full control of it, but it would only be on that device and they 
couldn't access it from elsewhere unless they hosted it themselves. And in 
this case you would still have to have some server-side mechanism to see 
who accessed it and to have any sort of authentication. If you intend to 
provide the hosting for the users' private wikis then the authentication to 
be able to access and edit these wikis would need to come from something 
other than tiddlywiki, or we would need to create tools to do that which 
would be a rather large task by itself.

It sounds like you may just want to use tiddlywiki as a frontend to 
whatever service will be used to access the EHR data. That is something 
tiddlywiki could be used for but there are many other pieces that would 
need to be created. I am not sure that tiddlywiki is an appropriate tool 
for what you want to do.



[tw] Re: Newbies only - GitHub? really?

2016-10-16 Thread JWHoneycutt


Yes, Jed - 

Thanks for the thorough reply.

I am not going to share medical or identity information TO Facebook or 
Google. I want to provide general information in a single HTML file Wiki to 
everyone. 

If an end user chooses to, they can enter their personal identifying 
information and this information can be used to access THEIR specific 
medical file from the electronic health record. At that point, I intend for 
the end user to have created a separate Wiki that the client (alone) can 
control access to - (it's their sensitive and personal information). My 
vision is that it is therefore a personalized wiki on a hosted location or 
downloaded onto their hard disk. The risks associated with this would need 
to be explained to the end user, just like they are when you access your 
medical records using the hospital system now. Once the end user has write 
capability, they are no longer using the general info wiki. 

In some well done Wikis - I see a "comment" icon - looks like a bubble. I 
am hoping to provide this bubble on the general information Wiki - so that 
subject matter experts can provide useful information about a process that 
is constantly changing.  At the same time, I need to protect the general 
info wiki from willful sabotage or inadvertent misinformation, since that 
would damage the credibility of the whole process.

JWHoneycutt







[tw] Re: Newbies only - GitHub? really?

2016-10-16 Thread Jed Carty
Generally when someone links to something on github they are linking to 
something that isn't tiddlywiki as an example of what they would like to 
see in tiddlywiki. In those cases we can't just give you something to put 
into your wiki and try it out because it doesn't exist. You can completely 
ignore git and github and you won't miss anything.

From your list it sounds like you need some dedicated custom software on 
your own server. What you want isn't simple and pieces of it are going to 
be pretty complex.

Now, for your list:

You have complete control over any wikis you have. I don't know what else 
you want here.

Making it accessible to the web requires you to have somewhere to host it. 
You can try tiddlyspot if you don't like any other web hosting solutions. 
TiddlyWiki needs to be hosted somewhere to be accessible online, just like 
any other webpage. That isn't a tiddlywiki problem.

The encryption tiddlywiki has is pretty secure, but I think you are asking 
for the wrong thing here.

You want to know who is logging into what? TiddlyWiki is a single file 
application, there is no server to take care of this. Also if you are going 
to do medical records please ask someone who knows something about security 
and privacy about facebook's business model before handing them your users' 
medical data.

Letting a user edit one part of a wiki and not another in a secure fashion 
may be impossible. TiddlyWiki is a single file application and if you give 
a user write permissions and they know what they are doing then they can 
change any part of it.

You can have read only wikis, but the note above applies to any edits you 
want to let users make.

Leaving comments either uses a third party service like the google form 
commenting system (once again, ask someone who does security and privacy 
things about google's business model before sharing all the data with them 
please)

Creating a separate wiki for each user is something that requires you to 
have a server and your own hosting. It isn't particularly difficult to do 
but it isn't part of tiddlywiki.


The system that you want is going to have pieces that are far outside of 
what tiddlywiki is because it is going to require its own server. It sounds 
like this is something that needs an actual database backend and probably 
some dedicated developers to make. You may want to look into a CMS like 
Drupal, but once again, please talk to someone who has a background in 
security and privacy.



[tw] Re: Newbies only - GitHub? really?

2016-10-15 Thread JWHoneycutt
Mark - Thanks for asking.

I want complete control over my wiki. 
I want to make it accessible on the web, and not with a link to my Dropbox, 
or in a way that has my name all over it.
I want it securely encrypted.
I want to know who is logging in to access it, so that I can verify their 
identity. (Facebook login confirmation?)
I want to be able to control what portions of the wiki are available, and 
individually expand what is available over time.
I need to restrict/eliminate the viewer's ability to edit a tiddler.
I need the viewer to be able to provide comments/suggestions for me be able 
to incorporate into the wiki.
I need to create a separate wiki for each different viewer, if they chose 
to enter personal information into it.

This is all about medical records - so the controls have HIPAA and legal 
requirements.

JWHoneycutt


On Saturday, October 15, 2016 at 8:51:14 PM UTC-4, JWHoneycutt wrote:
>
> The contributors on this site (almost) all suffer from the curse of 
> expertise. 
>
> People talk about some characteristic I would like my Wiki to have, and 
> the thread authoritatively links to some GitHub repository. This confuses 
> me.
>
> I have followed instructions and setup my own GitHub repository (was I 
> supposed to independently install Git?). All the tutorials are designed to 
> teach forking, branching, committing, and merging. I don't want any of that.
>
> I just want to acquire the functionality, install the plugin, or whatever 
> it's called.
>
> There's a whole bunch of stuff there: Gitignores, Readmes, Dockers, Gems, 
> and even "instructions" with racing graphics.
>
> For the newbie like me (and you) - all this is useless. GitHub is not my 
> intended destination - I don't want to develop software or "version control 
> collaborate" with anybody (for now) - I just want to load the darned thing 
> and try it out on a new Starter Wiki.
>
> Have you figured this out or can you understand my confusion?
>



[tw] Re: Newbies only - GitHub? really?

2016-10-15 Thread 'Mark S.' via TiddlyWiki
GitHub does seem to have a bit of a cult-like following these days.

What task is it that you are trying to accomplish?

Good luck,
Mark

On Saturday, October 15, 2016 at 5:51:14 PM UTC-7, JWHoneycutt wrote:
>
> The contributors on this site (almost) all suffer from the curse of 
> expertise. 
>
> People talk about some characteristic I would like my Wiki to have, and 
> the thread authoritatively links to some GitHub repository. This confuses 
> me.
>
> I have followed instructions and setup my own GitHub repository (was I 
> supposed to independently install Git?). All the tutorials are designed to 
> teach forking, branching, committing, and merging. I don't want any of that.
>
> I just want to acquire the functionality, install the plugin, or whatever 
> it's called.
>
> There's a whole bunch of stuff there: Gitignores, Readmes, Dockers, Gems, 
> and even "instructions" with racing graphics.
>
> For the newbie like me (and you) - all this is useless. GitHub is not my 
> intended destination - I don't want to develop software or "version control 
> collaborate" with anybody (for now) - I just want to load the darned thing 
> and try it out on a new Starter Wiki.
>
> Have you figured this out or can you understand my confusion?
>
