How to gather better popularity data?
We're often asked for better data on who is using Koha. For full disclosure listings, there are good places (like wiki.koha-community.org, when account registration works again) and so-so places (like libwebcats with its incomplete representation of library-support relationships and potential for helping Social Engineering attacks), but what about collecting basic usage data? A side-effect of the use of debian packages is that koha appears on http://popcon.debian.org/ (14 installations) and http://popcon.ubuntu.com/ (3 installations). Do other distributions have similar things? Have many koha package users installed and activated the popularity-contest package? Can we get more data consensually? How should we do this? A question in the web installer/upgrader? Plus a weekly heartbeat cronjob? What data should we ask for? Can we leave it up to libraries how anonymous they will be? Basic return is "Koha in use" with some generated unique identifier, semi-anonymous response adds which country they are in and how many branches they have, full response includes catalogue name? I assume this can go in 3.6. Would the 3.4 RM accept it? Thanks for any feedback, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha
On 25 May 2011 13:37, MJ Ray <mjr@phonecoop.coop> wrote:
We're often asked for better data on who is using Koha. For full disclosure listings, there are good places (like wiki.koha-community.org, when account registration works again) and so-so places (like libwebcats with its incomplete representation of library-support relationships and potential for helping Social Engineering attacks), but what about collecting basic usage data?
A side-effect of the use of debian packages is that koha appears on http://popcon.debian.org/ (14 installations) and http://popcon.ubuntu.com/ (3 installations). Do other distributions have similar things? Have many koha package users installed and activated the popularity-contest package?
Can we get more data consensually? How should we do this? A question in the web installer/upgrader? Plus a weekly heartbeat cronjob?
What data should we ask for? Can we leave it up to libraries how anonymous they will be? Basic return is "Koha in use" with some generated unique identifier, semi-anonymous response adds which country they are in and how many branches they have, full response includes catalogue name?
I assume this can go in 3.6. Would the 3.4 RM accept it?
Thanks for any feedback,
Interesting points! Have you seen this RFC? http://wiki.koha-community.org/wiki/Add_a_button_to_the_intranet_for_registe... Best regards, Magnus Enger libriotech.no
Magnus Enger <magnus@enger.priv.no>
Can we get more data consensually? How should we do this? A question in the web installer/upgrader? Plus a weekly heartbeat cronjob? [...] Interesting points!
Have you seen this RFC? http://wiki.koha-community.org/wiki/Add_a_button_to_the_intranet_for_registe...
Probably, but I had forgotten it. Would advertising in the generator meta tag may make it easier for robots to identify and attack libraries who don't upgrade promptly? Putting it in a system preference is a good idea. I think it would be better to ask in the web installer/upgrader because I feel someone installing it is more likely to have permission to notify us than a librarian who simply has permission to view the about page. Does it lose anything by being done at install/upgrade time? The heartbeat would be good for telling us how many of the Koha installations are still alive, without having to try to search for generator tags. Do search engines let you search for them? Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha
I would be interested to understand more about what is meant by "... potential for helping Social Engineering attacks". My intent is to accurately and comprehensively represent the libraries that have adopted Koha, as well as the other open source and proprietary automation systems. I'm not aware of any other project with similar objectives. -marshall Marshall Breeding Editor, Library Technology Guides http://www.librarytechnology.org marshall.breeding@librarytechnology.org http://twitter.com/mbreeding -----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of MJ Ray Sent: Wednesday, May 25, 2011 6:38 AM To: koha-devel@lists.koha-community.org Subject: [Koha-devel] How to gather better popularity data? We're often asked for better data on who is using Koha. For full disclosure listings, there are good places (like wiki.koha-community.org, when account registration works again) and so-so places (like libwebcats with its incomplete representation of library-support relationships and potential for helping Social Engineering attacks), but what about collecting basic usage data? A side-effect of the use of debian packages is that koha appears on http://popcon.debian.org/ (14 installations) and http://popcon.ubuntu.com/ (3 installations). Do other distributions have similar things? Have many koha package users installed and activated the popularity-contest package? Can we get more data consensually? How should we do this? A question in the web installer/upgrader? Plus a weekly heartbeat cronjob? What data should we ask for? Can we leave it up to libraries how anonymous they will be? Basic return is "Koha in use" with some generated unique identifier, semi-anonymous response adds which country they are in and how many branches they have, full response includes catalogue name? I assume this can go in 3.6. Would the 3.4 RM accept it? Thanks for any feedback, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Breeding, Marshall wrote:
I would be interested to understand more about what is meant by "... potential for helping Social Engineering attacks".
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim... http://en.wikipedia.org/wiki/Social_engineering_(security) Attackers do currently phone people up and trying to convince them that they're an IT support provider. It's on the increase - even the co-op has had a call, which I described on our blog recently in http://www.news.software.coop/kilman-it-services-social-engineering-phone-ca... These attacks are getting more sophisticated. I think it's only a matter of time before the fraud call centres start trying to target customers of particular providers. Library borrower records would be a treasure trove for identity thieves, so it disappoints me that many libraries are made easy to target. Support providers get a bit of publicity by announcing their contracts, but what's in those announcements and listings for the libraries, besides having their backsides hung out in the breeze? Why don't libwebcats and the LTG newswire try to discourage this bad behaviour by the private sector, instead of rewarding it? Is it just that these attacks aren't very widely known among libraries yet? Or is this why it says "Marshall Breeding or other individuals associated with Library Technology Guides are not response[sic] for any damages or losses associated with the use of the lib-web-cats database"? This is part of why I feel an optinally-anonymous popcon-style system would be much more ethical than suggesting libwebcats. Other than that, we get into things like libwebcats's anti-commercial/non-FOSS terms which we've discussed before. (In the few cases where the co-op has a credit link on an OPAC, it's where we know each others' names and there isn't much staff turnover.) Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha
A most interesting response. So being listed in the lib-web-cats directory is damaging to a library? And being listed in Koha community's own wiki would not be? It seems to me that libraries gain benefits from being more easily discovered on the Web. In April 2011 alone, for example, there were 90,424 times when someone clicked through from a lib-web-cats entry to a library's Web site or catalog. Altogether there were 2,090,393 page requests in Library Technology Guides in April. I also believe that the Koha community benefits from any resource that documents the ever increasing numbers of libraries adopting the system. It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically. -marshall Marshall Breeding Editor, Library Technology Guides http://www.librarytechnology.org marshall.breeding@librarytechnology.org http://twitter.com/mbreeding -----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of MJ Ray Sent: Wednesday, May 25, 2011 2:28 PM To: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Social Engineering, was: How to gather better popularity data? Breeding, Marshall wrote:
I would be interested to understand more about what is meant by "... potential for helping Social Engineering attacks".
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim... http://en.wikipedia.org/wiki/Social_engineering_(security) Attackers do currently phone people up and trying to convince them that they're an IT support provider. It's on the increase - even the co-op has had a call, which I described on our blog recently in http://www.news.software.coop/kilman-it-services-social-engineering-phone-ca... These attacks are getting more sophisticated. I think it's only a matter of time before the fraud call centres start trying to target customers of particular providers. Library borrower records would be a treasure trove for identity thieves, so it disappoints me that many libraries are made easy to target. Support providers get a bit of publicity by announcing their contracts, but what's in those announcements and listings for the libraries, besides having their backsides hung out in the breeze? Why don't libwebcats and the LTG newswire try to discourage this bad behaviour by the private sector, instead of rewarding it? Is it just that these attacks aren't very widely known among libraries yet? Or is this why it says "Marshall Breeding or other individuals associated with Library Technology Guides are not response[sic] for any damages or losses associated with the use of the lib-web-cats database"? This is part of why I feel an optinally-anonymous popcon-style system would be much more ethical than suggesting libwebcats. Other than that, we get into things like libwebcats's anti-commercial/non-FOSS terms which we've discussed before. (In the few cases where the co-op has a credit link on an OPAC, it's where we know each others' names and there isn't much staff turnover.) Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
I wouldn't take the opinion of one individual (including myself) as representing the view of the "community". Scott Kushner Information Systems Librarian Middletown Public Library -----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of Breeding, Marshall Sent: Wednesday, May 25, 2011 4:13 PM To: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Social Engineering, was: How to gather better popularity data? A most interesting response. So being listed in the lib-web-cats directory is damaging to a library? And being listed in Koha community's own wiki would not be? It seems to me that libraries gain benefits from being more easily discovered on the Web. In April 2011 alone, for example, there were 90,424 times when someone clicked through from a lib-web-cats entry to a library's Web site or catalog. Altogether there were 2,090,393 page requests in Library Technology Guides in April. I also believe that the Koha community benefits from any resource that documents the ever increasing numbers of libraries adopting the system. It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically. -marshall Marshall Breeding Editor, Library Technology Guides http://www.librarytechnology.org marshall.breeding@librarytechnology.org http://twitter.com/mbreeding -----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of MJ Ray Sent: Wednesday, May 25, 2011 2:28 PM To: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Social Engineering, was: How to gather better popularity data? Breeding, Marshall wrote:
I would be interested to understand more about what is meant by "... potential for helping Social Engineering attacks".
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim... http://en.wikipedia.org/wiki/Social_engineering_(security) Attackers do currently phone people up and trying to convince them that they're an IT support provider. It's on the increase - even the co-op has had a call, which I described on our blog recently in http://www.news.software.coop/kilman-it-services-social-engineering-phon e-call-attack/1068/ These attacks are getting more sophisticated. I think it's only a matter of time before the fraud call centres start trying to target customers of particular providers. Library borrower records would be a treasure trove for identity thieves, so it disappoints me that many libraries are made easy to target. Support providers get a bit of publicity by announcing their contracts, but what's in those announcements and listings for the libraries, besides having their backsides hung out in the breeze? Why don't libwebcats and the LTG newswire try to discourage this bad behaviour by the private sector, instead of rewarding it? Is it just that these attacks aren't very widely known among libraries yet? Or is this why it says "Marshall Breeding or other individuals associated with Library Technology Guides are not response[sic] for any damages or losses associated with the use of the lib-web-cats database"? This is part of why I feel an optinally-anonymous popcon-style system would be much more ethical than suggesting libwebcats. Other than that, we get into things like libwebcats's anti-commercial/non-FOSS terms which we've discussed before. (In the few cases where the co-op has a credit link on an OPAC, it's where we know each others' names and there isn't much staff turnover.) Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/ _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Breeding, Marshall schreef op wo 25-05-2011 om 15:13 [-0500]:
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically.
This particular risk is always present in any situation where you have something that says "person/organisation A is using software X." Personally, I think the benefit far outweighs the risk. -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
2011/5/25 Robin Sheat <robin@catalyst.net.nz>:
Breeding, Marshall schreef op wo 25-05-2011 om 15:13 [-0500]:
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically.
This particular risk is always present in any situation where you have something that says "person/organisation A is using software X." Personally, I think the benefit far outweighs the risk.
The Nelsonville Public Library was the first public library in the US to use Koha. I considered it a privilege to be able to tell others about our experience and encourage them to make the same switch. Having that information available to all was a benefit to us and to Koha. Anyone can usually find out what automation system a library is using by going to their web site. I don't see how eliminating lib-web-cats listings is going to make anyone safer. -- Owen -- Web Developer Athens County Public Libraries http://www.myacpl.org
I talked with MJ a bit in Koha IRC yesterday to get a better understanding of his concerns. While there are theoretical exploits of the data found in libwebcats, I don't feel as though the site is putting anyone at particular risk. As Owen points out, most of this info can be found on many libraries websites, so it's already out there. And the legitimate uses of this information far exceed the potential exploits. ANY information can be used for evil. In my opinion, the responsibility for the ethical usage of knowledge rests not with the content provider, but with the individual his/herself. Marshall, thank you for your work on libwebcats. It's a valuable tool. There are still some improvements to be made, from my perspective, but it's definitely better that it exists than not. Cheers, -Ian On Thu, May 26, 2011 at 8:28 AM, Owen Leonard <oleonard@myacpl.org> wrote:
2011/5/25 Robin Sheat <robin@catalyst.net.nz>:
Breeding, Marshall schreef op wo 25-05-2011 om 15:13 [-0500]:
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically.
This particular risk is always present in any situation where you have something that says "person/organisation A is using software X." Personally, I think the benefit far outweighs the risk.
The Nelsonville Public Library was the first public library in the US to use Koha. I considered it a privilege to be able to tell others about our experience and encourage them to make the same switch. Having that information available to all was a benefit to us and to Koha.
Anyone can usually find out what automation system a library is using by going to their web site. I don't see how eliminating lib-web-cats listings is going to make anyone safer.
-- Owen
-- Web Developer Athens County Public Libraries http://www.myacpl.org _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Ian Walls Lead Development Specialist ByWater Solutions ALA Booth 732 Phone # (888) 900-8944 http://bywatersolutions.com ian.walls@bywatersolutions.com Twitter: @sekjal
Ian Walls wrote:
I talked with MJ a bit in Koha IRC yesterday to get a better understanding of his concerns. While there are theoretical exploits of the data found in libwebcats, I don't feel as though the site is putting anyone at particular risk. As Owen points out, most of this info can be found on many libraries websites, so it's already out there. [...]
The exploits are not theoretical. Organisations are under attack. Only the use of libwebcats as an information source is guesswork. Supplier information isn't on the websites of most libraries supported by the co-op, in part for this reason.
ANY information can be used for evil. In my opinion, the responsibility for the ethical usage of knowledge rests not with the content provider, but with the individual his/herself.
So why not post usernames and passwords publicly, then? Or run an open mail relay? After all, responsibility rests with the individual attacker. And that's why we don't do it: attackers are irresponsible scoundrels and we should take reasonable steps to defend ourselves. Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for various work through http://www.software.coop/
Breeding, Marshall wrote:
A most interesting response. So being listed in the lib-web-cats directory is damaging to a library? And being listed in Koha community's own wiki would not be? [...]
Being listed *with provider details* in lib-web-cats increases the security risk to a library. The same is true of the wiki, so I suggested an optionally-anonymous popcon-style system which would not necessarily carry that risk. It would also provide better information about our effects than the subset who accept the increased risk of lib-web-cats. Going by discussions on IRC, it seems that many public libraries feel that freedom of information is more important than this security measure. Also, the US in general has a much weaker approach to privacy than Europe (which I suspected and was part of why I destroyed my dollar credit card when I returned home!) [...]
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically.
So what's the disclaimer there for? I wondered if it was because a risk of damage from unethical use wasn't news to you. There are also the other problems of lib-web-cats we've discussed before like not being free software or open data, the product/supplier confusion and not showing which PTFS-supported libraries (if any) use Koha and which use the Liblime ILS which reportedly forked from Koha before 3.2. Anyway, I find it odd whenever library community resources have restrictions on commerce, freedom or openness. Even odder when their promoters appear all hurt when social enterprises, libertarians or horizontalists suggest developing nicer alternatives. Hope that clarifies, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for various work through http://www.software.coop/
I'm not sure I want to keep this thread alive, but here goes. If you believe that being listed in a directory or wiki of any sort is dangerous, then you are relying on security through obscurity, with is no real security at all. I believe that libraries have vital interests in having users find them on the Web. I can think of nothing more damaging to libraries than insisting that they obscure their Web presence by restricting the pathways that lead users to their Web sites and catalogs. It is also in the interest of persons who work in libraries to know the automation systems used by their peers so that they can make well-informed decisions regarding technology strategies. An anonymous Popularity Contest daemon such as used in Debian would not necessarily provide data that would help libraries considering or running Koha to find peer sites for comparison. It would also not be a reliable indicator of number of libraries that actually use Koha. If it's optional, then the numbers would be under-reported. It would also include the large number of Koha instances that are used for development and evaluation in addition to those that actually run in production in libraries. It would also not include the libraries that use Koha within a restricted intranet, or in local networks that have not access to the Internet, which is common in the developing world. Such a technical approach is helpful with an OS where you want to measure overall deployment; it's different for automation software where you care more about what libraries use it in production. (This is in response to the IRC comment that I should have compared lib-web-cats to popcon and not the wiki.) I've put in thousands of hours of work on lib-web-cats since it was initially created in 1995 and launched on the Web in 1977. The views of one individual should not undermine this project. It's not helpful to try to convince libraries that they should isolate themselves on the Web. That, to me, contradicts the spirit of engagement that is vital to the mission of libraries today. And that is my key interest. So I'm pretty agnostic when it comes to open source vs. proprietary or any given library automation product. I think that libraries have an interest in the success of all the competing models, products, and projects. Open source ILS products such as Koha provide important alternatives for libraries, and have influenced proprietary systems to be more open. I know that the philosophy of open source prevails on this list, and I know that my views and projects don't meet all the litmus tests. But that does not mean that I don't have the same respect for this approach as any other. I have been involved in open source projects, such as OLE. I get a sense from the discussions on IRC that at least some think I'm against the project in some way, which is not the case. It's interesting that I'm criticized by those involved with proprietary systems as being slanted toward the open source products, and that the open source advocates see me as favoring proprietary products and companies. In the end, I think it's all about finding ways to help libraries, which I think is the value we all share. -marshall -----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of MJ Ray Sent: Thursday, May 26, 2011 1:45 PM To: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Social Engineering, was: How to gather better popularity data? Breeding, Marshall wrote:
A most interesting response. So being listed in the lib-web-cats directory is damaging to a library? And being listed in Koha community's own wiki would not be? [...]
Being listed *with provider details* in lib-web-cats increases the security risk to a library. The same is true of the wiki, so I suggested an optionally-anonymous popcon-style system which would not necessarily carry that risk. It would also provide better information about our effects than the subset who accept the increased risk of lib-web-cats. Going by discussions on IRC, it seems that many public libraries feel that freedom of information is more important than this security measure. Also, the US in general has a much weaker approach to privacy than Europe (which I suspected and was part of why I destroyed my dollar credit card when I returned home!) [...]
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically.
So what's the disclaimer there for? I wondered if it was because a risk of damage from unethical use wasn't news to you. There are also the other problems of lib-web-cats we've discussed before like not being free software or open data, the product/supplier confusion and not showing which PTFS-supported libraries (if any) use Koha and which use the Liblime ILS which reportedly forked from Koha before 3.2. Anyway, I find it odd whenever library community resources have restrictions on commerce, freedom or openness. Even odder when their promoters appear all hurt when social enterprises, libertarians or horizontalists suggest developing nicer alternatives. Hope that clarifies, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for various work through http://www.software.coop/ _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Hi, On Thu, May 26, 2011 at 4:42 PM, Breeding, Marshall <marshall.breeding@vanderbilt.edu> wrote:
I believe that libraries have vital interests in having users find them on the Web. I can think of nothing more damaging to libraries than insisting that they obscure their Web presence by restricting the pathways that lead users to their Web sites and catalogs. It is also in the interest of persons who work in libraries to know the automation systems used by their peers so that they can make well-informed decisions regarding technology strategies.
And of course, part of that decision-making includes evaluating providers of services for the technology. This is particularly important for open source ILSs. For most proprietary ILSs, you can get support only from its creator and possibly some country-specific or library-type-specific resellers. There is a much broader ecosystem of support for open source ILSs, so if a library has decided to adopt Koha, they then have a choice of deciding whether to use a provider's services, and if so, which one. Knowing who is using what provider (and *not* just relying on the references supplied by the provider) gives libraries more information with which to make their procurement decisions. In my opinion, the benefits of that information *alone* outweigh any theoretical security risk. If there's a major security glitch in Koha, it would affect lots of Koha users, irrespective of whoever is supporting or hosting them. If there's a major security glitch that is peculiar to a particular provider's implementation of Koha? Well, frankly that is information that should be known broadly within the library community, not obscured. As I'm sure is the case with most regular users of lib-web-cats, there is some data that I wish was recorded that isn't, and some data that I wish was recorded differently. But I do consider it a very valuable resource and I, for one, thank Marshall for all of the effort he's put into it over the years.
An anonymous Popularity Contest daemon such as used in Debian would not necessarily provide data that would help libraries considering or running Koha to find peer sites for comparison. It would also not be a reliable indicator of number of libraries that actually use Koha. If it's optional, then the numbers would be under-reported. It would also include the large number of Koha instances that are used for development and evaluation in addition to those that actually run in production in libraries. It would also not include the libraries that use Koha within a restricted intranet, or in local networks that have not access to the Internet, which is common in the developing world. Such a technical approach is helpful with an OS where you want to measure overall deployment; it's different for automation software where you care more about what libraries use it in production. (This is in response to the IRC comment that I should have compared lib-web-cats to popcon and not the wiki.)
Well, it's not an either-or situation. A popcon-like system would provide data that would be of immense use to Koha developers. Very few libraries are likely to update their lib-web-cats entry every time they do a minor release upgrade, for example, but a popcon would let us know to a rough degree how frequently those upgrades do occur, what platforms seem to be the most commonly used, and so forth. I view a popcon as a useful complement to directories like the wiki and lib-web-cats. Regards, Galen -- Galen Charlton gmcharlt@gmail.com
Rather against my better judgment, I offer the following observations: 1. Under the State of Missouri (USA) sunshine laws, the public has a right of access to just about every non-personnel record we have. That would include all expenditures of public funds for things like our ILS and contracts we have with our support vendors, and thus there is a public right to know this information. While you might argue that not publicizing this information on the Internet would offer some minor obstacles to a bot herder in Moscow, any member of the public here could get the information and post it publicly, and they probably have. 2. We are required by our board of directors to do monthly written reports of all significant activity, which would obviously include mentioning Koha by name and issues relating to our support team, whenever that was a news-worthy item (at time of purchase, etc). Those board reports are also publicly available. 3. Viewing the page source of our OPAC and several belonging to NEKLS shows the ILS name right in the page source. Certainly the word Koha could be removed from the HTML source, but I'll bet there are a number of general Koha OPAC characteristics that would typify Koha, and surely many experienced people could look at an OPAC web page, or a search results page, and immediately identify the ILS. I can some of the time for Koha and Sirsi. It would require a lot of bleach to sanitize the code sufficiently to hide the underlying ILS. The same applies to an .odt file or an image that hasn't had the metadata scrubbed from it. I don't believe that there is any meaningful way to obscure the ILS from an experienced person looking for that information. Our library is quite happy to let everyone know we are running a world-class ILS, and pleased to have a hash mark recorded for us on the ILS list. Greg -- Greg Lawson Rolling Hills Consolidated Library 1912 N. Belt Highway St. Joseph, MO 64506 ----------------------------------- On 05/26/2011 03:42 PM, Breeding, Marshall wrote:
I'm not sure I want to keep this thread alive, but here goes.
If you believe that being listed in a directory or wiki of any sort is dangerous, then you are relying on security through obscurity, with is no real security at all.
I believe that libraries have vital interests in having users find them on the Web. I can think of nothing more damaging to libraries than insisting that they obscure their Web presence by restricting the pathways that lead users to their Web sites and catalogs. It is also in the interest of persons who work in libraries to know the automation systems used by their peers so that they can make well-informed decisions regarding technology strategies.
An anonymous Popularity Contest daemon such as used in Debian would not necessarily provide data that would help libraries considering or running Koha to find peer sites for comparison. It would also not be a reliable indicator of number of libraries that actually use Koha. If it's optional, then the numbers would be under-reported. It would also include the large number of Koha instances that are used for development and evaluation in addition to those that actually run in production in libraries. It would also not include the libraries that use Koha within a restricted intranet, or in local networks that have not access to the Internet, which is common in the developing world. Such a technical approach is helpful with an OS where you want to measure overall deployment; it's different for automation software where you care more about what libraries use it in production. (This is in response to the IRC comment that I should have compared lib-web-cats to popcon and not t he wiki.)
I've put in thousands of hours of work on lib-web-cats since it was initially created in 1995 and launched on the Web in 1977. The views of one individual should not undermine this project. It's not helpful to try to convince libraries that they should isolate themselves on the Web. That, to me, contradicts the spirit of engagement that is vital to the mission of libraries today. And that is my key interest.
So I'm pretty agnostic when it comes to open source vs. proprietary or any given library automation product. I think that libraries have an interest in the success of all the competing models, products, and projects. Open source ILS products such as Koha provide important alternatives for libraries, and have influenced proprietary systems to be more open. I know that the philosophy of open source prevails on this list, and I know that my views and projects don't meet all the litmus tests. But that does not mean that I don't have the same respect for this approach as any other. I have been involved in open source projects, such as OLE. I get a sense from the discussions on IRC that at least some think I'm against the project in some way, which is not the case.
It's interesting that I'm criticized by those involved with proprietary systems as being slanted toward the open source products, and that the open source advocates see me as favoring proprietary products and companies.
In the end, I think it's all about finding ways to help libraries, which I think is the value we all share.
-marshall
-----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel-bounces@lists.koha-community.org] On Behalf Of MJ Ray Sent: Thursday, May 26, 2011 1:45 PM To: koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Social Engineering, was: How to gather better popularity data?
Breeding, Marshall wrote:
A most interesting response. So being listed in the lib-web-cats directory is damaging to a library? And being listed in Koha community's own wiki would not be? [...] Being listed *with provider details* in lib-web-cats increases the security risk to a library. The same is true of the wiki, so I suggested an optionally-anonymous popcon-style system which would not necessarily carry that risk.
It would also provide better information about our effects than the subset who accept the increased risk of lib-web-cats.
Going by discussions on IRC, it seems that many public libraries feel that freedom of information is more important than this security measure. Also, the US in general has a much weaker approach to privacy than Europe (which I suspected and was part of why I destroyed my dollar credit card when I returned home!)
[...]
It feels odd to be criticized for efforts that I believe provide benefits to the broader library community. Including a disclaimer does not imply that the data are being used unethically. So what's the disclaimer there for? I wondered if it was because a risk of damage from unethical use wasn't news to you.
There are also the other problems of lib-web-cats we've discussed before like not being free software or open data, the product/supplier confusion and not showing which PTFS-supported libraries (if any) use Koha and which use the Liblime ILS which reportedly forked from Koha before 3.2.
Anyway, I find it odd whenever library community resources have restrictions on commerce, freedom or openness. Even odder when their promoters appear all hurt when social enterprises, libertarians or horizontalists suggest developing nicer alternatives.
Hope that clarifies, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for various work through http://www.software.coop/ _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
G. Laws schreef op do 26-05-2011 om 18:12 [-0500]:
I don't believe that there is any meaningful way to obscure the ILS from an experienced person looking for that information.
I'm being a bit too pedantic, but that's not the point. There are many things that are fine to be known for an individual, but have a problem when that knowledge is aggregated. (In intelligence circles, it's quite possible for a document that's built from only public sources to be classified.) Software is one of those. If you want to attack all Koha system, it's harder to find out who the victims would be by going to each library and seeing if they run Koha then by going to a central list and looking them up there. That said, risk is is not a binary situation. Yes, there is risk by centralising all that information. But I think it's a small risk compared to the gains from doing so. There's a risk to me by me telling you my phone number, or being in the phone book. But I do it anyway. There's a risk of getting lured into a phishing attack by releasing my email address (which then gets aggregated onto spam lists), but I do it anyway. I think the risk of being in libwebcats is so very minor that it's not worth belabouring, especially when compared to the benefits gained by aggregating all the data that Marshall does. Especially because I can give you a URL that will give you many more Koha catalogues than libwebcats tracks, in a less convenient way for users, but about as useful for attackers: http://www.google.com/webhp?hl=nl#q=intitle:%22Koha+Online+Catalog%22&hl=nl&site=webhp&prmd=ivns&ei=GgXfTf6pNu_SiAKMmdT0Cg&start=10&sa=N&bav=on.2,or.r_gc.r_pw.&fp=4f5adfb52970213d&biw=1678&bih=979 (also: congratulations Middletown Township Public Library, you seem to have the most popular Koha OPAC out there :) -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Breeding, Marshall wrote:
If you believe that being listed in a directory or wiki of any sort is dangerous, then you are relying on security through obscurity, with is no real security at all.
I'm not sure I can convey this any more clearly: I am not arguing against all listing (although I believe it should be a matter of choice), but I am arguing against listing details which can be used for fraudulent authentication. I even put that bit in bold in the last email, so I'm surprised anyone's missing it still. It feels a bit like wilful misunderstanding for the sake of an argument. Would someone like to try calling up libraries from lib-web-cats, pretending to be from their provider and see if they can get a staff login? I'm hoping public-sector libraries will have some protocol defence, as they should expect to work under freedom of information, but there's plenty more in there. I think library staff might be better at choosing the right words to convince other library staff...
I believe that libraries have vital interests in having users find them on the Web. [...]
I'm pretty sceptical that many users find libraries through lib-web-cats.
also in the interest of persons who work in libraries to know the automation systems used by their peers so that they can make well-informed decisions regarding technology strategies.
I'm not so sure about that (I've met peer-use requirements in procurement and that's a barrier to innovation) but basically the more information the more easily the better. I really don't think lib-web-cats is a viable alternative to a popcon, especially as it currently stands. It includes too much of some data and not enough of others and the terms are non-FOSS.
I've put in thousands of hours of work on lib-web-cats since it was initially created in 1995 and launched on the Web in 1977. The views of one individual should not undermine this project.
(I'm assuming that's a typing error, rather than time travel. ;-) ) Not undermine, but maybe convince you to fix it. So you've put in thousands of hours: what's going to happen when you're no longer able to? Will it stagnate and die, like so many other web projects I've seen since I started in 1994? That'll be tragic.
It's not helpful to try to convince libraries that they should isolate themselves on the Web.
Which isn't what I'm trying to do. I'm saying don't expect everyone to stand naked in the wrong neighbourhood.
That, to me, contradicts the spirit of engagement that is vital to the mission of libraries today. And that is my key interest.
I'm suggesting connecting more libraries to the project and yet I'm against "the spirit of engagement" because I don't want it done through lib-web-cats? Wow. Really. Wow.
[...] I get a sense from the discussions on IRC that at least some think I'm against the project in some way, which is not the case.
So hopefully non-Koha libraries won't be listed as Koha, and Product and Provider will be split in the near future. ;-) After all, Koha's only had multiple providers for about a decade, so it'd be nice to see FOSS ILSes fit in lib-web-cats properly, instead of being shoehorned through proprietary ILS concepts. Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha
participants (9)
-
Breeding, Marshall -
G. Laws -
Galen Charlton -
Ian Walls -
Magnus Enger -
MJ Ray -
Owen Leonard -
Robin Sheat -
Scott Kushner